Pullup ticket #2433 - requested by joerg
Security patch for modular-xorg-server
Revisions pulled up:
- x11/modular-xorg-server/Makefile 1.30 via patch
- x11/modular-xorg-server/distinfo 1.21
- x11/modular-xorg-server/patches/patch-ac 1.3
- x11/modular-xorg-server/patches/patch-ae 1.5
- x11/modular-xorg-server/patches/patch-da delete
- x11/modular-xorg-server/patches/patch-ed 1.2
- x11/modular-xorg-server/patches/patch-ef 1.2
---
Module Name: pkgsrc
Committed By: joerg
Date: Fri Jun 20 13:34:40 UTC 2008
Modified Files:
pkgsrc/x11/modular-xorg-server: Makefile distinfo
pkgsrc/x11/modular-xorg-server/patches: patch-ed patch-ef
Added Files:
pkgsrc/x11/modular-xorg-server/patches: patch-ac patch-ae
Removed Files:
pkgsrc/x11/modular-xorg-server/patches: patch-da
Log Message:
modular-xorg-server-1.3.0.0nb9:
Fix CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361 and
CVE-2008-2362 based on upstream patches.
(tron)
diff -r1.27 -r1.27.2.1 pkgsrc/x11/modular-xorg-server/Makefile| @@ -1,18 +1,18 @@ | @@ -1,18 +1,18 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.27 2008/03/29 17:54:40 wiz Exp $ | 1 | # $NetBSD: Makefile,v 1.27.2.1 2008/06/25 10:20:58 tron Exp $ | |
| 2 | 2 | |||
| 3 | DISTNAME= xorg-server-1.3.0.0 | 3 | DISTNAME= xorg-server-1.3.0.0 | |
| 4 | PKGNAME= modular-${DISTNAME} | 4 | PKGNAME= modular-${DISTNAME} | |
| 5 | PKGREVISION= 7 | 5 | PKGREVISION= 9 | |
| 6 | CATEGORIES= x11 | 6 | CATEGORIES= x11 | |
| 7 | MASTER_SITES= http://xorg.freedesktop.org/releases/individual/xserver/ | 7 | MASTER_SITES= http://xorg.freedesktop.org/releases/individual/xserver/ | |
| 8 | EXTRACT_SUFX= .tar.bz2 | 8 | EXTRACT_SUFX= .tar.bz2 | |
| 9 | 9 | |||
| 10 | SPECIAL_PERMS+= bin/Xorg ${SETUID_ROOT_PERMS} | 10 | SPECIAL_PERMS+= bin/Xorg ${SETUID_ROOT_PERMS} | |
| 11 | PKG_DESTDIR_SUPPORT= user-destdir | 11 | PKG_DESTDIR_SUPPORT= user-destdir | |
| 12 | 12 | |||
| 13 | MAINTAINER= joerg@NetBSD.org | 13 | MAINTAINER= joerg@NetBSD.org | |
| 14 | COMMENT= Xorg X11 Server from modular X.org X11 | 14 | COMMENT= Xorg X11 Server from modular X.org X11 | |
| 15 | 15 | |||
| 16 | USE_LIBTOOL= YES | 16 | USE_LIBTOOL= YES | |
| 17 | GNU_CONFIGURE= YES | 17 | GNU_CONFIGURE= YES | |
| 18 | PKGCONFIG_OVERRIDE+= xorg-server.pc.in | 18 | PKGCONFIG_OVERRIDE+= xorg-server.pc.in |
| @@ -1,38 +1,39 @@ | @@ -1,38 +1,39 @@ | |||
| 1 | $NetBSD: distinfo,v 1.20 2008/02/25 15:39:16 joerg Exp $ | 1 | $NetBSD: distinfo,v 1.20.2.1 2008/06/25 10:20:58 tron Exp $ | |
| 2 | 2 | |||
| 3 | SHA1 (MesaLib-6.5.2.tar.bz2) = ba860bb6ee57c02202342dfd5927464a068ea18f | 3 | SHA1 (MesaLib-6.5.2.tar.bz2) = ba860bb6ee57c02202342dfd5927464a068ea18f | |
| 4 | RMD160 (MesaLib-6.5.2.tar.bz2) = 9a92d69110c066ae6734bcaafb78f222ac2df6d3 | 4 | RMD160 (MesaLib-6.5.2.tar.bz2) = 9a92d69110c066ae6734bcaafb78f222ac2df6d3 | |
| 5 | Size (MesaLib-6.5.2.tar.bz2) = 3295166 bytes | 5 | Size (MesaLib-6.5.2.tar.bz2) = 3295166 bytes | |
| 6 | SHA1 (xorg-server-1.3.0.0.tar.bz2) = 6f9645fe70da5b6a121f3e8fa6c2fc1e4307390c | 6 | SHA1 (xorg-server-1.3.0.0.tar.bz2) = 6f9645fe70da5b6a121f3e8fa6c2fc1e4307390c | |
| 7 | RMD160 (xorg-server-1.3.0.0.tar.bz2) = 1a4fecd73aed0d5adabe84066c24ce69dc2c2dc1 | 7 | RMD160 (xorg-server-1.3.0.0.tar.bz2) = 1a4fecd73aed0d5adabe84066c24ce69dc2c2dc1 | |
| 8 | Size (xorg-server-1.3.0.0.tar.bz2) = 5968263 bytes | 8 | Size (xorg-server-1.3.0.0.tar.bz2) = 5968263 bytes | |
| 9 | SHA1 (patch-aa) = f72780165c9ecd3e9ab31d03c1b2d777290d09e2 | 9 | SHA1 (patch-aa) = f72780165c9ecd3e9ab31d03c1b2d777290d09e2 | |
| 10 | SHA1 (patch-ab) = d99c045eff730b3fbdc92938faaa75b653640c58 | 10 | SHA1 (patch-ab) = d99c045eff730b3fbdc92938faaa75b653640c58 | |
| 11 | SHA1 (patch-ac) = 06b26c3f0658bc323363ec860063b7ffc636ac2e | |||
| 11 | SHA1 (patch-ad) = 752235269f10daade0bf60665cccde39d1583064 | 12 | SHA1 (patch-ad) = 752235269f10daade0bf60665cccde39d1583064 | |
| 13 | SHA1 (patch-ae) = 53ce49bec7674be40b93de33bd8ec01942e18c9c | |||
| 12 | SHA1 (patch-af) = 6c58872798a30b31154dd7b167c84bf20ac417be | 14 | SHA1 (patch-af) = 6c58872798a30b31154dd7b167c84bf20ac417be | |
| 13 | SHA1 (patch-ag) = 222427db3e1bdbf977e992aa91aae5f16992345a | 15 | SHA1 (patch-ag) = 222427db3e1bdbf977e992aa91aae5f16992345a | |
| 14 | SHA1 (patch-ah) = 23767542ea672d590050e258317c0352bb321810 | 16 | SHA1 (patch-ah) = 23767542ea672d590050e258317c0352bb321810 | |
| 15 | SHA1 (patch-aj) = 7a538538a04ff466595527b7a65a196fc06a625e | 17 | SHA1 (patch-aj) = 7a538538a04ff466595527b7a65a196fc06a625e | |
| 16 | SHA1 (patch-da) = 73faacda1088304025c5e05f3d58edaf9ae1145f | |||
| 17 | SHA1 (patch-db) = 28913a094c8499536a71c8d4d7ca57a5efb25b39 | 18 | SHA1 (patch-db) = 28913a094c8499536a71c8d4d7ca57a5efb25b39 | |
| 18 | SHA1 (patch-dc) = 75df6f37b1cbc9574adb5ee66cb84d0f5ebac853 | 19 | SHA1 (patch-dc) = 75df6f37b1cbc9574adb5ee66cb84d0f5ebac853 | |
| 19 | SHA1 (patch-dd) = cfb7c9d470098b0fcfcddbe9a1363a14f762fe19 | 20 | SHA1 (patch-dd) = cfb7c9d470098b0fcfcddbe9a1363a14f762fe19 | |
| 20 | SHA1 (patch-de) = f887f3fd09406006b6165779b74be780b7fddd18 | 21 | SHA1 (patch-de) = f887f3fd09406006b6165779b74be780b7fddd18 | |
| 21 | SHA1 (patch-ea) = 435ac0e1795c68fa6e125deceb4624564f7ce0dd | 22 | SHA1 (patch-ea) = 435ac0e1795c68fa6e125deceb4624564f7ce0dd | |
| 22 | SHA1 (patch-eb) = 925a8a7e7880e545feac439850372548d04e8f87 | 23 | SHA1 (patch-eb) = 925a8a7e7880e545feac439850372548d04e8f87 | |
| 23 | SHA1 (patch-ec) = 86959d152174cbc8a03dbe6bde32545b824bfd74 | 24 | SHA1 (patch-ec) = 86959d152174cbc8a03dbe6bde32545b824bfd74 | |
| 24 | SHA1 (patch-ed) = dfe8f08c0e061c572e0299cba020da20519b87c2 | 25 | SHA1 (patch-ed) = 875ee1f03e94e709d878ccbbfc8f9a3ce924eac5 | |
| 25 | SHA1 (patch-ef) = 94cd889105a416f9d72adbc247d00b568207a02f | 26 | SHA1 (patch-ef) = 9edb141038c08417a0f06395e4cdff0de9e9fdcf | |
| 26 | SHA1 (patch-eg) = 6953b53d41af088b855d22c6459aa1eefd0d25eb | 27 | SHA1 (patch-eg) = 6953b53d41af088b855d22c6459aa1eefd0d25eb | |
| 27 | SHA1 (patch-eh) = 5e1dbbf82c01bc340d1ef4029cd5352b9fcf775e | 28 | SHA1 (patch-eh) = 5e1dbbf82c01bc340d1ef4029cd5352b9fcf775e | |
| 28 | SHA1 (patch-ei) = 893b23b9e67ad640d984c962b93b5db639a780b3 | 29 | SHA1 (patch-ei) = 893b23b9e67ad640d984c962b93b5db639a780b3 | |
| 29 | SHA1 (patch-ej) = 0719d0fa6fb55739a58b157e31f0ae442d57c211 | 30 | SHA1 (patch-ej) = 0719d0fa6fb55739a58b157e31f0ae442d57c211 | |
| 30 | SHA1 (patch-ek) = de8ee96433a65b9f59804c4e78d6b04496e30d37 | 31 | SHA1 (patch-ek) = de8ee96433a65b9f59804c4e78d6b04496e30d37 | |
| 31 | SHA1 (patch-el) = cc7f39c82d017657bb72ff332b65f797bdbdd6fc | 32 | SHA1 (patch-el) = cc7f39c82d017657bb72ff332b65f797bdbdd6fc | |
| 32 | SHA1 (patch-em) = 25ec7e56ceb87ea5bfc53f5734dab84ad15b88ca | 33 | SHA1 (patch-em) = 25ec7e56ceb87ea5bfc53f5734dab84ad15b88ca | |
| 33 | SHA1 (patch-en) = 447e7f996ab7e0179227676a9f7f2c4b51a69d62 | 34 | SHA1 (patch-en) = 447e7f996ab7e0179227676a9f7f2c4b51a69d62 | |
| 34 | SHA1 (patch-eo) = 499b6d47db383acb0e7fcb90faebf4ede1ccd2a9 | 35 | SHA1 (patch-eo) = 499b6d47db383acb0e7fcb90faebf4ede1ccd2a9 | |
| 35 | SHA1 (patch-ep) = 0beae9b5cbc5e87c757e22796aed82c1c4436f0e | 36 | SHA1 (patch-ep) = 0beae9b5cbc5e87c757e22796aed82c1c4436f0e | |
| 36 | SHA1 (patch-sa) = 5586e998e2239b6851291b5f79b2e6009c78b174 | 37 | SHA1 (patch-sa) = 5586e998e2239b6851291b5f79b2e6009c78b174 | |
| 37 | SHA1 (patch-sb) = b769780b446e4f10bc99ccd3373d666daf44f863 | 38 | SHA1 (patch-sb) = b769780b446e4f10bc99ccd3373d666daf44f863 | |
| 38 | SHA1 (patch-sc) = 33c4d4731e3732032f84946fc17e28d0cba389a6 | 39 | SHA1 (patch-sc) = 33c4d4731e3732032f84946fc17e28d0cba389a6 |
$NetBSD: patch-ac,v 1.2.10.1 2008/06/25 10:20:58 tron Exp $
CVE-2008-2360
--- render/glyph.c.orig 2006-09-18 08:04:18.000000000 +0200
+++ render/glyph.c
@@ -42,6 +42,12 @@
#include "picturestr.h"
#include "glyphstr.h"
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
/*
* From Knuth -- a good choice for hash/rehash values is p, p-2 where
* p and p-2 are both prime. These tables are sized to have an extra 10%
@@ -626,8 +632,12 @@ AllocateGlyph (xGlyphInfo *gi, int fdept
int size;
GlyphPtr glyph;
int i;
-
- size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
+ size_t padded_width;
+
+ padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
+ if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
+ return 0;
+ size = gi->height * padded_width;
glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
if (!glyph)
return 0;
$NetBSD: patch-ae,v 1.4.6.1 2008/06/25 10:20:58 tron Exp $
CVE-2008-1377
--- record/record.c.orig 2006-09-18 08:04:18.000000000 +0200
+++ record/record.c
@@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client
} /* SProcRecordQueryVersion */
-static void
+static int
SwapCreateRegister(xRecordRegisterClientsReq *stuff)
{
register char n;
@@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClient
swapl(&stuff->nClients, n);
swapl(&stuff->nRanges, n);
pClientID = (XID *)&stuff[1];
+ if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
+ return BadLength;
for (i = 0; i < stuff->nClients; i++, pClientID++)
{
swapl(pClientID, n);
}
+ if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
+ - stuff->nClients)
+ return BadLength;
RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
+ return Success;
} /* SwapCreateRegister */
@@ -2679,11 +2685,13 @@ static int
SProcRecordCreateContext(ClientPtr client)
{
REQUEST(xRecordCreateContextReq);
+ int status;
register char n;
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
- SwapCreateRegister((pointer)stuff);
+ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+ return status;
return ProcRecordCreateContext(client);
} /* SProcRecordCreateContext */
@@ -2692,11 +2700,13 @@ static int
SProcRecordRegisterClients(ClientPtr client)
{
REQUEST(xRecordRegisterClientsReq);
+ int status;
register char n;
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
- SwapCreateRegister((pointer)stuff);
+ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+ return status;
return ProcRecordRegisterClients(client);
} /* SProcRecordRegisterClients */
| @@ -1,25 +1,48 @@ | @@ -1,25 +1,48 @@ | |||
| 1 | $NetBSD: patch-ed,v 1.1 2008/02/25 15:39:16 joerg Exp $ | 1 | $NetBSD: patch-ed,v 1.1.2.1 2008/06/25 10:20:58 tron Exp $ | |
| 2 | 2 | |||
| 3 | --- Xext/security.c.orig 2006-11-16 18:39:03.000000000 +0100 | 3 | --- Xext/security.c.orig 2006-11-16 18:39:03.000000000 +0100 | |
| 4 | +++ Xext/security.c | 4 | +++ Xext/security.c | |
| 5 | @@ -1567,9 +1567,9 @@ SecurityLoadPropertyAccessList(void) | 5 | @@ -651,15 +651,19 @@ SProcSecurityGenerateAuthorization( | |
| 6 | register char n; | |||
| 7 | CARD32 *values; | |||
| 8 | unsigned long nvalues; | |||
| 9 | + int values_offset; | |||
| 10 | ||||
| 11 | swaps(&stuff->length, n); | |||
| 12 | REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq); | |||
| 13 | swaps(&stuff->nbytesAuthProto, n); | |||
| 14 | swaps(&stuff->nbytesAuthData, n); | |||
| 15 | swapl(&stuff->valueMask, n); | |||
| 16 | - values = (CARD32 *)(&stuff[1]) + | |||
| 17 | - ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + | |||
| 18 | - ((stuff->nbytesAuthData + (unsigned)3) >> 2); | |||
| 19 | + values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + | |||
| 20 | + ((stuff->nbytesAuthData + (unsigned)3) >> 2); | |||
| 21 | + if (values_offset > | |||
| 22 | + stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2)) | |||
| 23 | + return BadLength; | |||
| 24 | + values = (CARD32 *)(&stuff[1]) + values_offset; | |||
| 25 | nvalues = (((CARD32 *)stuff) + stuff->length) - values; | |||
| 26 | SwapLongs(values, nvalues); | |||
| 27 | return ProcSecurityGenerateAuthorization(client); | |||
| 28 | @@ -1567,9 +1571,9 @@ SecurityLoadPropertyAccessList(void) | |||
| 6 | return; | 29 | return; | |
| 7 | 30 | |||
| 8 | #ifndef __UNIXOS2__ | 31 | #ifndef __UNIXOS2__ | |
| 9 | - f = fopen(SecurityPolicyFile, "r"); | 32 | - f = fopen(SecurityPolicyFile, "r"); | |
| 10 | + f = Fopen(SecurityPolicyFile, "r"); | 33 | + f = Fopen(SecurityPolicyFile, "r"); | |
| 11 | #else | 34 | #else | |
| 12 | - f = fopen((char*)__XOS2RedirRoot(SecurityPolicyFile), "r"); | 35 | - f = fopen((char*)__XOS2RedirRoot(SecurityPolicyFile), "r"); | |
| 13 | + f = Fopen((char*)__XOS2RedirRoot(SecurityPolicyFile), "r"); | 36 | + f = Fopen((char*)__XOS2RedirRoot(SecurityPolicyFile), "r"); | |
| 14 | #endif | 37 | #endif | |
| 15 | if (!f) | 38 | if (!f) | |
| 16 | { | 39 | { | |
| 17 | @@ -1653,7 +1653,7 @@ SecurityLoadPropertyAccessList(void) | 40 | @@ -1653,7 +1657,7 @@ SecurityLoadPropertyAccessList(void) | |
| 18 | } | 41 | } | |
| 19 | #endif /* PROPDEBUG */ | 42 | #endif /* PROPDEBUG */ | |
| 20 | 43 | |||
| 21 | - fclose(f); | 44 | - fclose(f); | |
| 22 | + Fclose(f); | 45 | + Fclose(f); | |
| 23 | } /* SecurityLoadPropertyAccessList */ | 46 | } /* SecurityLoadPropertyAccessList */ | |
| 24 | 47 | |||
| 25 | 48 |
| @@ -1,17 +1,26 @@ | @@ -1,17 +1,26 @@ | |||
| 1 | $NetBSD: patch-ef,v 1.1 2008/02/25 15:39:16 joerg Exp $ | 1 | $NetBSD: patch-ef,v 1.1.2.1 2008/06/25 10:20:58 tron Exp $ | |
| 2 | 2 | |||
| 3 | --- Xext/shm.c.orig 2008-02-25 15:43:05.000000000 +0100 | 3 | --- Xext/shm.c.orig 2008-06-20 14:39:43.000000000 +0200 | |
| 4 | +++ Xext/shm.c | 4 | +++ Xext/shm.c | |
| 5 | @@ -156,7 +156,7 @@ static ShmFuncs fbFuncs = {fbShmCreatePi | |||
| 6 | } | |||
| 7 | ||||
| 8 | ||||
| 9 | -#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__) | |||
| 10 | +#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__) || defined(__DragonFly__) | |||
| 11 | #include <sys/signal.h> | |||
| 12 | ||||
| 13 | static Bool badSysCall = FALSE; | |||
| 5 | @@ -723,6 +723,8 @@ ProcPanoramiXShmCreatePixmap( | 14 | @@ -723,6 +723,8 @@ ProcPanoramiXShmCreatePixmap( | |
| 6 | int i, j, result; | 15 | int i, j, result; | |
| 7 | ShmDescPtr shmdesc; | 16 | ShmDescPtr shmdesc; | |
| 8 | REQUEST(xShmCreatePixmapReq); | 17 | REQUEST(xShmCreatePixmapReq); | |
| 9 | + unsigned int width, height, depth; | 18 | + unsigned int width, height, depth; | |
| 10 | + unsigned long size; | 19 | + unsigned long size; | |
| 11 | PanoramiXRes *newPix; | 20 | PanoramiXRes *newPix; | |
| 12 | 21 | |||
| 13 | REQUEST_SIZE_MATCH(xShmCreatePixmapReq); | 22 | REQUEST_SIZE_MATCH(xShmCreatePixmapReq); | |
| 14 | @@ -732,11 +734,26 @@ ProcPanoramiXShmCreatePixmap( | 23 | @@ -732,11 +734,26 @@ ProcPanoramiXShmCreatePixmap( | |
| 15 | LEGAL_NEW_RESOURCE(stuff->pid, client); | 24 | LEGAL_NEW_RESOURCE(stuff->pid, client); | |
| 16 | VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); | 25 | VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); | |
| 17 | VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); | 26 | VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); | |
| @@ -40,36 +49,56 @@ $NetBSD: patch-ef,v 1.1 2008/02/25 15:39 | @@ -40,36 +49,56 @@ $NetBSD: patch-ef,v 1.1 2008/02/25 15:39 | |||
| 40 | { | 49 | { | |
| 41 | pDepth = pDraw->pScreen->allowedDepths; | 50 | pDepth = pDraw->pScreen->allowedDepths; | |
| 42 | @@ -747,9 +764,7 @@ ProcPanoramiXShmCreatePixmap( | 51 | @@ -747,9 +764,7 @@ ProcPanoramiXShmCreatePixmap( | |
| 43 | return BadValue; | 52 | return BadValue; | |
| 44 | } | 53 | } | |
| 45 | CreatePmap: | 54 | CreatePmap: | |
| 46 | - VERIFY_SHMSIZE(shmdesc, stuff->offset, | 55 | - VERIFY_SHMSIZE(shmdesc, stuff->offset, | |
| 47 | - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, | 56 | - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, | |
| 48 | - client); | 57 | - client); | |
| 49 | + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); | 58 | + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); | |
| 50 | 59 | |||
| 51 | if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) | 60 | if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) | |
| 52 | return BadAlloc; | 61 | return BadAlloc; | |
| 53 | @@ -1047,6 +1062,8 @@ ProcShmCreatePixmap(client) | 62 | @@ -841,8 +856,17 @@ ProcShmPutImage(client) | |
| 63 | return BadValue; | |||
| 64 | } | |||
| 65 | ||||
| 66 | - VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, | |||
| 67 | - client); | |||
| 68 | + /* | |||
| 69 | + * There's a potential integer overflow in this check: | |||
| 70 | + * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, | |||
| 71 | + * client); | |||
| 72 | + * the version below ought to avoid it | |||
| 73 | + */ | |||
| 74 | + if (stuff->totalHeight != 0 && | |||
| 75 | + length > (shmdesc->size - stuff->offset)/stuff->totalHeight) { | |||
| 76 | + client->errorValue = stuff->totalWidth; | |||
| 77 | + return BadValue; | |||
| 78 | + } | |||
| 79 | if (stuff->srcX > stuff->totalWidth) | |||
| 80 | { | |||
| 81 | client->errorValue = stuff->srcX; | |||
| 82 | @@ -1047,6 +1071,8 @@ ProcShmCreatePixmap(client) | |||
| 54 | register int i; | 83 | register int i; | |
| 55 | ShmDescPtr shmdesc; | 84 | ShmDescPtr shmdesc; | |
| 56 | REQUEST(xShmCreatePixmapReq); | 85 | REQUEST(xShmCreatePixmapReq); | |
| 57 | + unsigned int width, height, depth; | 86 | + unsigned int width, height, depth; | |
| 58 | + unsigned long size; | 87 | + unsigned long size; | |
| 59 | 88 | |||
| 60 | REQUEST_SIZE_MATCH(xShmCreatePixmapReq); | 89 | REQUEST_SIZE_MATCH(xShmCreatePixmapReq); | |
| 61 | client->errorValue = stuff->pid; | 90 | client->errorValue = stuff->pid; | |
| 62 | @@ -1055,11 +1072,26 @@ ProcShmCreatePixmap(client) | 91 | @@ -1055,11 +1081,26 @@ ProcShmCreatePixmap(client) | |
| 63 | LEGAL_NEW_RESOURCE(stuff->pid, client); | 92 | LEGAL_NEW_RESOURCE(stuff->pid, client); | |
| 64 | VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); | 93 | VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); | |
| 65 | VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); | 94 | VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); | |
| 66 | - if (!stuff->width || !stuff->height) | 95 | - if (!stuff->width || !stuff->height) | |
| 67 | + | 96 | + | |
| 68 | + width = stuff->width; | 97 | + width = stuff->width; | |
| 69 | + height = stuff->height; | 98 | + height = stuff->height; | |
| 70 | + depth = stuff->depth; | 99 | + depth = stuff->depth; | |
| 71 | + if (!width || !height || !depth) | 100 | + if (!width || !height || !depth) | |
| 72 | { | 101 | { | |
| 73 | client->errorValue = 0; | 102 | client->errorValue = 0; | |
| 74 | return BadValue; | 103 | return BadValue; | |
| 75 | } | 104 | } | |
| @@ -77,24 +106,24 @@ $NetBSD: patch-ef,v 1.1 2008/02/25 15:39 | @@ -77,24 +106,24 @@ $NetBSD: patch-ef,v 1.1 2008/02/25 15:39 | |||
| 77 | + return BadAlloc; | 106 | + return BadAlloc; | |
| 78 | + size = PixmapBytePad(width, depth) * height; | 107 | + size = PixmapBytePad(width, depth) * height; | |
| 79 | + if (sizeof(size) == 4) { | 108 | + if (sizeof(size) == 4) { | |
| 80 | + if (size < width * height) | 109 | + if (size < width * height) | |
| 81 | + return BadAlloc; | 110 | + return BadAlloc; | |
| 82 | + /* thankfully, offset is unsigned */ | 111 | + /* thankfully, offset is unsigned */ | |
| 83 | + if (stuff->offset + size < size) | 112 | + if (stuff->offset + size < size) | |
| 84 | + return BadAlloc; | 113 | + return BadAlloc; | |
| 85 | + } | 114 | + } | |
| 86 | + | 115 | + | |
| 87 | if (stuff->depth != 1) | 116 | if (stuff->depth != 1) | |
| 88 | { | 117 | { | |
| 89 | pDepth = pDraw->pScreen->allowedDepths; | 118 | pDepth = pDraw->pScreen->allowedDepths; | |
| 90 | @@ -1070,9 +1102,7 @@ ProcShmCreatePixmap(client) | 119 | @@ -1070,9 +1111,7 @@ ProcShmCreatePixmap(client) | |
| 91 | return BadValue; | 120 | return BadValue; | |
| 92 | } | 121 | } | |
| 93 | CreatePmap: | 122 | CreatePmap: | |
| 94 | - VERIFY_SHMSIZE(shmdesc, stuff->offset, | 123 | - VERIFY_SHMSIZE(shmdesc, stuff->offset, | |
| 95 | - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, | 124 | - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, | |
| 96 | - client); | 125 | - client); | |
| 97 | + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); | 126 | + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); | |
| 98 | pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( | 127 | pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( | |
| 99 | pDraw->pScreen, stuff->width, | 128 | pDraw->pScreen, stuff->width, | |
| 100 | stuff->height, stuff->depth, | 129 | stuff->height, stuff->depth, |