Pullup ticket #2433 - requested by joerg Security patch for modular-xorg-server Revisions pulled up: - x11/modular-xorg-server/Makefile 1.30 via patch - x11/modular-xorg-server/distinfo 1.21 - x11/modular-xorg-server/patches/patch-ac 1.3 - x11/modular-xorg-server/patches/patch-ae 1.5 - x11/modular-xorg-server/patches/patch-da delete - x11/modular-xorg-server/patches/patch-ed 1.2 - x11/modular-xorg-server/patches/patch-ef 1.2 --- Module Name: pkgsrc Committed By: joerg Date: Fri Jun 20 13:34:40 UTC 2008 Modified Files: pkgsrc/x11/modular-xorg-server: Makefile distinfo pkgsrc/x11/modular-xorg-server/patches: patch-ed patch-ef Added Files: pkgsrc/x11/modular-xorg-server/patches: patch-ac patch-ae Removed Files: pkgsrc/x11/modular-xorg-server/patches: patch-da Log Message: modular-xorg-server-1.3.0.0nb9: Fix CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361 and CVE-2008-2362 based on upstream patches.diff -r1.27 -r1.27.2.1 pkgsrc/x11/modular-xorg-server/Makefile
(tron)
@@ -1,18 +1,18 @@ | @@ -1,18 +1,18 @@ | |||
1 | # $NetBSD: Makefile,v 1.27 2008/03/29 17:54:40 wiz Exp $ | 1 | # $NetBSD: Makefile,v 1.27.2.1 2008/06/25 10:20:58 tron Exp $ | |
2 | 2 | |||
3 | DISTNAME= xorg-server-1.3.0.0 | 3 | DISTNAME= xorg-server-1.3.0.0 | |
4 | PKGNAME= modular-${DISTNAME} | 4 | PKGNAME= modular-${DISTNAME} | |
5 | PKGREVISION= 7 | 5 | PKGREVISION= 9 | |
6 | CATEGORIES= x11 | 6 | CATEGORIES= x11 | |
7 | MASTER_SITES= http://xorg.freedesktop.org/releases/individual/xserver/ | 7 | MASTER_SITES= http://xorg.freedesktop.org/releases/individual/xserver/ | |
8 | EXTRACT_SUFX= .tar.bz2 | 8 | EXTRACT_SUFX= .tar.bz2 | |
9 | 9 | |||
10 | SPECIAL_PERMS+= bin/Xorg ${SETUID_ROOT_PERMS} | 10 | SPECIAL_PERMS+= bin/Xorg ${SETUID_ROOT_PERMS} | |
11 | PKG_DESTDIR_SUPPORT= user-destdir | 11 | PKG_DESTDIR_SUPPORT= user-destdir | |
12 | 12 | |||
13 | MAINTAINER= joerg@NetBSD.org | 13 | MAINTAINER= joerg@NetBSD.org | |
14 | COMMENT= Xorg X11 Server from modular X.org X11 | 14 | COMMENT= Xorg X11 Server from modular X.org X11 | |
15 | 15 | |||
16 | USE_LIBTOOL= YES | 16 | USE_LIBTOOL= YES | |
17 | GNU_CONFIGURE= YES | 17 | GNU_CONFIGURE= YES | |
18 | PKGCONFIG_OVERRIDE+= xorg-server.pc.in | 18 | PKGCONFIG_OVERRIDE+= xorg-server.pc.in |
@@ -1,38 +1,39 @@ | @@ -1,38 +1,39 @@ | |||
1 | $NetBSD: distinfo,v 1.20 2008/02/25 15:39:16 joerg Exp $ | 1 | $NetBSD: distinfo,v 1.20.2.1 2008/06/25 10:20:58 tron Exp $ | |
2 | 2 | |||
3 | SHA1 (MesaLib-6.5.2.tar.bz2) = ba860bb6ee57c02202342dfd5927464a068ea18f | 3 | SHA1 (MesaLib-6.5.2.tar.bz2) = ba860bb6ee57c02202342dfd5927464a068ea18f | |
4 | RMD160 (MesaLib-6.5.2.tar.bz2) = 9a92d69110c066ae6734bcaafb78f222ac2df6d3 | 4 | RMD160 (MesaLib-6.5.2.tar.bz2) = 9a92d69110c066ae6734bcaafb78f222ac2df6d3 | |
5 | Size (MesaLib-6.5.2.tar.bz2) = 3295166 bytes | 5 | Size (MesaLib-6.5.2.tar.bz2) = 3295166 bytes | |
6 | SHA1 (xorg-server-1.3.0.0.tar.bz2) = 6f9645fe70da5b6a121f3e8fa6c2fc1e4307390c | 6 | SHA1 (xorg-server-1.3.0.0.tar.bz2) = 6f9645fe70da5b6a121f3e8fa6c2fc1e4307390c | |
7 | RMD160 (xorg-server-1.3.0.0.tar.bz2) = 1a4fecd73aed0d5adabe84066c24ce69dc2c2dc1 | 7 | RMD160 (xorg-server-1.3.0.0.tar.bz2) = 1a4fecd73aed0d5adabe84066c24ce69dc2c2dc1 | |
8 | Size (xorg-server-1.3.0.0.tar.bz2) = 5968263 bytes | 8 | Size (xorg-server-1.3.0.0.tar.bz2) = 5968263 bytes | |
9 | SHA1 (patch-aa) = f72780165c9ecd3e9ab31d03c1b2d777290d09e2 | 9 | SHA1 (patch-aa) = f72780165c9ecd3e9ab31d03c1b2d777290d09e2 | |
10 | SHA1 (patch-ab) = d99c045eff730b3fbdc92938faaa75b653640c58 | 10 | SHA1 (patch-ab) = d99c045eff730b3fbdc92938faaa75b653640c58 | |
11 | SHA1 (patch-ac) = 06b26c3f0658bc323363ec860063b7ffc636ac2e | |||
11 | SHA1 (patch-ad) = 752235269f10daade0bf60665cccde39d1583064 | 12 | SHA1 (patch-ad) = 752235269f10daade0bf60665cccde39d1583064 | |
13 | SHA1 (patch-ae) = 53ce49bec7674be40b93de33bd8ec01942e18c9c | |||
12 | SHA1 (patch-af) = 6c58872798a30b31154dd7b167c84bf20ac417be | 14 | SHA1 (patch-af) = 6c58872798a30b31154dd7b167c84bf20ac417be | |
13 | SHA1 (patch-ag) = 222427db3e1bdbf977e992aa91aae5f16992345a | 15 | SHA1 (patch-ag) = 222427db3e1bdbf977e992aa91aae5f16992345a | |
14 | SHA1 (patch-ah) = 23767542ea672d590050e258317c0352bb321810 | 16 | SHA1 (patch-ah) = 23767542ea672d590050e258317c0352bb321810 | |
15 | SHA1 (patch-aj) = 7a538538a04ff466595527b7a65a196fc06a625e | 17 | SHA1 (patch-aj) = 7a538538a04ff466595527b7a65a196fc06a625e | |
16 | SHA1 (patch-da) = 73faacda1088304025c5e05f3d58edaf9ae1145f | |||
17 | SHA1 (patch-db) = 28913a094c8499536a71c8d4d7ca57a5efb25b39 | 18 | SHA1 (patch-db) = 28913a094c8499536a71c8d4d7ca57a5efb25b39 | |
18 | SHA1 (patch-dc) = 75df6f37b1cbc9574adb5ee66cb84d0f5ebac853 | 19 | SHA1 (patch-dc) = 75df6f37b1cbc9574adb5ee66cb84d0f5ebac853 | |
19 | SHA1 (patch-dd) = cfb7c9d470098b0fcfcddbe9a1363a14f762fe19 | 20 | SHA1 (patch-dd) = cfb7c9d470098b0fcfcddbe9a1363a14f762fe19 | |
20 | SHA1 (patch-de) = f887f3fd09406006b6165779b74be780b7fddd18 | 21 | SHA1 (patch-de) = f887f3fd09406006b6165779b74be780b7fddd18 | |
21 | SHA1 (patch-ea) = 435ac0e1795c68fa6e125deceb4624564f7ce0dd | 22 | SHA1 (patch-ea) = 435ac0e1795c68fa6e125deceb4624564f7ce0dd | |
22 | SHA1 (patch-eb) = 925a8a7e7880e545feac439850372548d04e8f87 | 23 | SHA1 (patch-eb) = 925a8a7e7880e545feac439850372548d04e8f87 | |
23 | SHA1 (patch-ec) = 86959d152174cbc8a03dbe6bde32545b824bfd74 | 24 | SHA1 (patch-ec) = 86959d152174cbc8a03dbe6bde32545b824bfd74 | |
24 | SHA1 (patch-ed) = dfe8f08c0e061c572e0299cba020da20519b87c2 | 25 | SHA1 (patch-ed) = 875ee1f03e94e709d878ccbbfc8f9a3ce924eac5 | |
25 | SHA1 (patch-ef) = 94cd889105a416f9d72adbc247d00b568207a02f | 26 | SHA1 (patch-ef) = 9edb141038c08417a0f06395e4cdff0de9e9fdcf | |
26 | SHA1 (patch-eg) = 6953b53d41af088b855d22c6459aa1eefd0d25eb | 27 | SHA1 (patch-eg) = 6953b53d41af088b855d22c6459aa1eefd0d25eb | |
27 | SHA1 (patch-eh) = 5e1dbbf82c01bc340d1ef4029cd5352b9fcf775e | 28 | SHA1 (patch-eh) = 5e1dbbf82c01bc340d1ef4029cd5352b9fcf775e | |
28 | SHA1 (patch-ei) = 893b23b9e67ad640d984c962b93b5db639a780b3 | 29 | SHA1 (patch-ei) = 893b23b9e67ad640d984c962b93b5db639a780b3 | |
29 | SHA1 (patch-ej) = 0719d0fa6fb55739a58b157e31f0ae442d57c211 | 30 | SHA1 (patch-ej) = 0719d0fa6fb55739a58b157e31f0ae442d57c211 | |
30 | SHA1 (patch-ek) = de8ee96433a65b9f59804c4e78d6b04496e30d37 | 31 | SHA1 (patch-ek) = de8ee96433a65b9f59804c4e78d6b04496e30d37 | |
31 | SHA1 (patch-el) = cc7f39c82d017657bb72ff332b65f797bdbdd6fc | 32 | SHA1 (patch-el) = cc7f39c82d017657bb72ff332b65f797bdbdd6fc | |
32 | SHA1 (patch-em) = 25ec7e56ceb87ea5bfc53f5734dab84ad15b88ca | 33 | SHA1 (patch-em) = 25ec7e56ceb87ea5bfc53f5734dab84ad15b88ca | |
33 | SHA1 (patch-en) = 447e7f996ab7e0179227676a9f7f2c4b51a69d62 | 34 | SHA1 (patch-en) = 447e7f996ab7e0179227676a9f7f2c4b51a69d62 | |
34 | SHA1 (patch-eo) = 499b6d47db383acb0e7fcb90faebf4ede1ccd2a9 | 35 | SHA1 (patch-eo) = 499b6d47db383acb0e7fcb90faebf4ede1ccd2a9 | |
35 | SHA1 (patch-ep) = 0beae9b5cbc5e87c757e22796aed82c1c4436f0e | 36 | SHA1 (patch-ep) = 0beae9b5cbc5e87c757e22796aed82c1c4436f0e | |
36 | SHA1 (patch-sa) = 5586e998e2239b6851291b5f79b2e6009c78b174 | 37 | SHA1 (patch-sa) = 5586e998e2239b6851291b5f79b2e6009c78b174 | |
37 | SHA1 (patch-sb) = b769780b446e4f10bc99ccd3373d666daf44f863 | 38 | SHA1 (patch-sb) = b769780b446e4f10bc99ccd3373d666daf44f863 | |
38 | SHA1 (patch-sc) = 33c4d4731e3732032f84946fc17e28d0cba389a6 | 39 | SHA1 (patch-sc) = 33c4d4731e3732032f84946fc17e28d0cba389a6 |
$NetBSD: patch-ac,v 1.2.10.1 2008/06/25 10:20:58 tron Exp $
CVE-2008-2360
--- render/glyph.c.orig 2006-09-18 08:04:18.000000000 +0200
+++ render/glyph.c
@@ -42,6 +42,12 @@
#include "picturestr.h"
#include "glyphstr.h"
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
/*
* From Knuth -- a good choice for hash/rehash values is p, p-2 where
* p and p-2 are both prime. These tables are sized to have an extra 10%
@@ -626,8 +632,12 @@ AllocateGlyph (xGlyphInfo *gi, int fdept
int size;
GlyphPtr glyph;
int i;
-
- size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
+ size_t padded_width;
+
+ padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
+ if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
+ return 0;
+ size = gi->height * padded_width;
glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
if (!glyph)
return 0;
$NetBSD: patch-ae,v 1.4.6.1 2008/06/25 10:20:58 tron Exp $
CVE-2008-1377
--- record/record.c.orig 2006-09-18 08:04:18.000000000 +0200
+++ record/record.c
@@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client
} /* SProcRecordQueryVersion */
-static void
+static int
SwapCreateRegister(xRecordRegisterClientsReq *stuff)
{
register char n;
@@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClient
swapl(&stuff->nClients, n);
swapl(&stuff->nRanges, n);
pClientID = (XID *)&stuff[1];
+ if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
+ return BadLength;
for (i = 0; i < stuff->nClients; i++, pClientID++)
{
swapl(pClientID, n);
}
+ if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
+ - stuff->nClients)
+ return BadLength;
RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
+ return Success;
} /* SwapCreateRegister */
@@ -2679,11 +2685,13 @@ static int
SProcRecordCreateContext(ClientPtr client)
{
REQUEST(xRecordCreateContextReq);
+ int status;
register char n;
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
- SwapCreateRegister((pointer)stuff);
+ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+ return status;
return ProcRecordCreateContext(client);
} /* SProcRecordCreateContext */
@@ -2692,11 +2700,13 @@ static int
SProcRecordRegisterClients(ClientPtr client)
{
REQUEST(xRecordRegisterClientsReq);
+ int status;
register char n;
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
- SwapCreateRegister((pointer)stuff);
+ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+ return status;
return ProcRecordRegisterClients(client);
} /* SProcRecordRegisterClients */
@@ -1,25 +1,48 @@ | @@ -1,25 +1,48 @@ | |||
1 | $NetBSD: patch-ed,v 1.1 2008/02/25 15:39:16 joerg Exp $ | 1 | $NetBSD: patch-ed,v 1.1.2.1 2008/06/25 10:20:58 tron Exp $ | |
2 | 2 | |||
3 | --- Xext/security.c.orig 2006-11-16 18:39:03.000000000 +0100 | 3 | --- Xext/security.c.orig 2006-11-16 18:39:03.000000000 +0100 | |
4 | +++ Xext/security.c | 4 | +++ Xext/security.c | |
5 | @@ -1567,9 +1567,9 @@ SecurityLoadPropertyAccessList(void) | 5 | @@ -651,15 +651,19 @@ SProcSecurityGenerateAuthorization( | |
6 | register char n; | |||
7 | CARD32 *values; | |||
8 | unsigned long nvalues; | |||
9 | + int values_offset; | |||
10 | ||||
11 | swaps(&stuff->length, n); | |||
12 | REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq); | |||
13 | swaps(&stuff->nbytesAuthProto, n); | |||
14 | swaps(&stuff->nbytesAuthData, n); | |||
15 | swapl(&stuff->valueMask, n); | |||
16 | - values = (CARD32 *)(&stuff[1]) + | |||
17 | - ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + | |||
18 | - ((stuff->nbytesAuthData + (unsigned)3) >> 2); | |||
19 | + values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + | |||
20 | + ((stuff->nbytesAuthData + (unsigned)3) >> 2); | |||
21 | + if (values_offset > | |||
22 | + stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2)) | |||
23 | + return BadLength; | |||
24 | + values = (CARD32 *)(&stuff[1]) + values_offset; | |||
25 | nvalues = (((CARD32 *)stuff) + stuff->length) - values; | |||
26 | SwapLongs(values, nvalues); | |||
27 | return ProcSecurityGenerateAuthorization(client); | |||
28 | @@ -1567,9 +1571,9 @@ SecurityLoadPropertyAccessList(void) | |||
6 | return; | 29 | return; | |
7 | 30 | |||
8 | #ifndef __UNIXOS2__ | 31 | #ifndef __UNIXOS2__ | |
9 | - f = fopen(SecurityPolicyFile, "r"); | 32 | - f = fopen(SecurityPolicyFile, "r"); | |
10 | + f = Fopen(SecurityPolicyFile, "r"); | 33 | + f = Fopen(SecurityPolicyFile, "r"); | |
11 | #else | 34 | #else | |
12 | - f = fopen((char*)__XOS2RedirRoot(SecurityPolicyFile), "r"); | 35 | - f = fopen((char*)__XOS2RedirRoot(SecurityPolicyFile), "r"); | |
13 | + f = Fopen((char*)__XOS2RedirRoot(SecurityPolicyFile), "r"); | 36 | + f = Fopen((char*)__XOS2RedirRoot(SecurityPolicyFile), "r"); | |
14 | #endif | 37 | #endif | |
15 | if (!f) | 38 | if (!f) | |
16 | { | 39 | { | |
17 | @@ -1653,7 +1653,7 @@ SecurityLoadPropertyAccessList(void) | 40 | @@ -1653,7 +1657,7 @@ SecurityLoadPropertyAccessList(void) | |
18 | } | 41 | } | |
19 | #endif /* PROPDEBUG */ | 42 | #endif /* PROPDEBUG */ | |
20 | 43 | |||
21 | - fclose(f); | 44 | - fclose(f); | |
22 | + Fclose(f); | 45 | + Fclose(f); | |
23 | } /* SecurityLoadPropertyAccessList */ | 46 | } /* SecurityLoadPropertyAccessList */ | |
24 | 47 | |||
25 | 48 |
@@ -1,17 +1,26 @@ | @@ -1,17 +1,26 @@ | |||
1 | $NetBSD: patch-ef,v 1.1 2008/02/25 15:39:16 joerg Exp $ | 1 | $NetBSD: patch-ef,v 1.1.2.1 2008/06/25 10:20:58 tron Exp $ | |
2 | 2 | |||
3 | --- Xext/shm.c.orig 2008-02-25 15:43:05.000000000 +0100 | 3 | --- Xext/shm.c.orig 2008-06-20 14:39:43.000000000 +0200 | |
4 | +++ Xext/shm.c | 4 | +++ Xext/shm.c | |
5 | @@ -156,7 +156,7 @@ static ShmFuncs fbFuncs = {fbShmCreatePi | |||
6 | } | |||
7 | ||||
8 | ||||
9 | -#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__) | |||
10 | +#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__) || defined(__DragonFly__) | |||
11 | #include <sys/signal.h> | |||
12 | ||||
13 | static Bool badSysCall = FALSE; | |||
5 | @@ -723,6 +723,8 @@ ProcPanoramiXShmCreatePixmap( | 14 | @@ -723,6 +723,8 @@ ProcPanoramiXShmCreatePixmap( | |
6 | int i, j, result; | 15 | int i, j, result; | |
7 | ShmDescPtr shmdesc; | 16 | ShmDescPtr shmdesc; | |
8 | REQUEST(xShmCreatePixmapReq); | 17 | REQUEST(xShmCreatePixmapReq); | |
9 | + unsigned int width, height, depth; | 18 | + unsigned int width, height, depth; | |
10 | + unsigned long size; | 19 | + unsigned long size; | |
11 | PanoramiXRes *newPix; | 20 | PanoramiXRes *newPix; | |
12 | 21 | |||
13 | REQUEST_SIZE_MATCH(xShmCreatePixmapReq); | 22 | REQUEST_SIZE_MATCH(xShmCreatePixmapReq); | |
14 | @@ -732,11 +734,26 @@ ProcPanoramiXShmCreatePixmap( | 23 | @@ -732,11 +734,26 @@ ProcPanoramiXShmCreatePixmap( | |
15 | LEGAL_NEW_RESOURCE(stuff->pid, client); | 24 | LEGAL_NEW_RESOURCE(stuff->pid, client); | |
16 | VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); | 25 | VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); | |
17 | VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); | 26 | VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); | |
@@ -40,36 +49,56 @@ $NetBSD: patch-ef,v 1.1 2008/02/25 15:39 | @@ -40,36 +49,56 @@ $NetBSD: patch-ef,v 1.1 2008/02/25 15:39 | |||
40 | { | 49 | { | |
41 | pDepth = pDraw->pScreen->allowedDepths; | 50 | pDepth = pDraw->pScreen->allowedDepths; | |
42 | @@ -747,9 +764,7 @@ ProcPanoramiXShmCreatePixmap( | 51 | @@ -747,9 +764,7 @@ ProcPanoramiXShmCreatePixmap( | |
43 | return BadValue; | 52 | return BadValue; | |
44 | } | 53 | } | |
45 | CreatePmap: | 54 | CreatePmap: | |
46 | - VERIFY_SHMSIZE(shmdesc, stuff->offset, | 55 | - VERIFY_SHMSIZE(shmdesc, stuff->offset, | |
47 | - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, | 56 | - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, | |
48 | - client); | 57 | - client); | |
49 | + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); | 58 | + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); | |
50 | 59 | |||
51 | if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) | 60 | if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) | |
52 | return BadAlloc; | 61 | return BadAlloc; | |
53 | @@ -1047,6 +1062,8 @@ ProcShmCreatePixmap(client) | 62 | @@ -841,8 +856,17 @@ ProcShmPutImage(client) | |
63 | return BadValue; | |||
64 | } | |||
65 | ||||
66 | - VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, | |||
67 | - client); | |||
68 | + /* | |||
69 | + * There's a potential integer overflow in this check: | |||
70 | + * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, | |||
71 | + * client); | |||
72 | + * the version below ought to avoid it | |||
73 | + */ | |||
74 | + if (stuff->totalHeight != 0 && | |||
75 | + length > (shmdesc->size - stuff->offset)/stuff->totalHeight) { | |||
76 | + client->errorValue = stuff->totalWidth; | |||
77 | + return BadValue; | |||
78 | + } | |||
79 | if (stuff->srcX > stuff->totalWidth) | |||
80 | { | |||
81 | client->errorValue = stuff->srcX; | |||
82 | @@ -1047,6 +1071,8 @@ ProcShmCreatePixmap(client) | |||
54 | register int i; | 83 | register int i; | |
55 | ShmDescPtr shmdesc; | 84 | ShmDescPtr shmdesc; | |
56 | REQUEST(xShmCreatePixmapReq); | 85 | REQUEST(xShmCreatePixmapReq); | |
57 | + unsigned int width, height, depth; | 86 | + unsigned int width, height, depth; | |
58 | + unsigned long size; | 87 | + unsigned long size; | |
59 | 88 | |||
60 | REQUEST_SIZE_MATCH(xShmCreatePixmapReq); | 89 | REQUEST_SIZE_MATCH(xShmCreatePixmapReq); | |
61 | client->errorValue = stuff->pid; | 90 | client->errorValue = stuff->pid; | |
62 | @@ -1055,11 +1072,26 @@ ProcShmCreatePixmap(client) | 91 | @@ -1055,11 +1081,26 @@ ProcShmCreatePixmap(client) | |
63 | LEGAL_NEW_RESOURCE(stuff->pid, client); | 92 | LEGAL_NEW_RESOURCE(stuff->pid, client); | |
64 | VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); | 93 | VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); | |
65 | VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); | 94 | VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); | |
66 | - if (!stuff->width || !stuff->height) | 95 | - if (!stuff->width || !stuff->height) | |
67 | + | 96 | + | |
68 | + width = stuff->width; | 97 | + width = stuff->width; | |
69 | + height = stuff->height; | 98 | + height = stuff->height; | |
70 | + depth = stuff->depth; | 99 | + depth = stuff->depth; | |
71 | + if (!width || !height || !depth) | 100 | + if (!width || !height || !depth) | |
72 | { | 101 | { | |
73 | client->errorValue = 0; | 102 | client->errorValue = 0; | |
74 | return BadValue; | 103 | return BadValue; | |
75 | } | 104 | } | |
@@ -77,24 +106,24 @@ $NetBSD: patch-ef,v 1.1 2008/02/25 15:39 | @@ -77,24 +106,24 @@ $NetBSD: patch-ef,v 1.1 2008/02/25 15:39 | |||
77 | + return BadAlloc; | 106 | + return BadAlloc; | |
78 | + size = PixmapBytePad(width, depth) * height; | 107 | + size = PixmapBytePad(width, depth) * height; | |
79 | + if (sizeof(size) == 4) { | 108 | + if (sizeof(size) == 4) { | |
80 | + if (size < width * height) | 109 | + if (size < width * height) | |
81 | + return BadAlloc; | 110 | + return BadAlloc; | |
82 | + /* thankfully, offset is unsigned */ | 111 | + /* thankfully, offset is unsigned */ | |
83 | + if (stuff->offset + size < size) | 112 | + if (stuff->offset + size < size) | |
84 | + return BadAlloc; | 113 | + return BadAlloc; | |
85 | + } | 114 | + } | |
86 | + | 115 | + | |
87 | if (stuff->depth != 1) | 116 | if (stuff->depth != 1) | |
88 | { | 117 | { | |
89 | pDepth = pDraw->pScreen->allowedDepths; | 118 | pDepth = pDraw->pScreen->allowedDepths; | |
90 | @@ -1070,9 +1102,7 @@ ProcShmCreatePixmap(client) | 119 | @@ -1070,9 +1111,7 @@ ProcShmCreatePixmap(client) | |
91 | return BadValue; | 120 | return BadValue; | |
92 | } | 121 | } | |
93 | CreatePmap: | 122 | CreatePmap: | |
94 | - VERIFY_SHMSIZE(shmdesc, stuff->offset, | 123 | - VERIFY_SHMSIZE(shmdesc, stuff->offset, | |
95 | - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, | 124 | - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, | |
96 | - client); | 125 | - client); | |
97 | + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); | 126 | + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); | |
98 | pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( | 127 | pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( | |
99 | pDraw->pScreen, stuff->width, | 128 | pDraw->pScreen, stuff->width, | |
100 | stuff->height, stuff->depth, | 129 | stuff->height, stuff->depth, |