Annotation of /trunk/xorg-old/patches-6.8.2-r10/9995_all_CAN-2005-2495.patch
Revision 167 -
Tue May 8 20:58:51 2007 UTC (17 years, 4 months ago) by niro
File size: 7138 byte(s)
-import
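diff -urN xc.orig/programs/Xserver/afb/afbpixmap.c xc/programs/Xserver/afb/afbpixmap.c
--- xc.orig/programs/Xserver/afb/afbpixmap.c 3 Jul 2005 07:01:14 -0000 1.5
+++ xc/programs/Xserver/afb/afbpixmap.c 26 Aug 2005 19:58:29 -0000
@@ -77,10 +77,14 @@ afbCreatePixmap(pScreen, width, height,
 int depth;
 {
 PixmapPtr pPixmap;
- int datasize;
- int paddedWidth;
+ size_t datasize;
+ size_t paddedWidth;
 
 paddedWidth = BitmapBytePad(width);
+
+ if (paddedWidth > 32767 || height > 32767 || depth > 4)
+ return NullPixmap;
+
 datasize = height * paddedWidth * depth;
 pPixmap = AllocatePixmap(pScreen, datasize);
 if (!pPixmap)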
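Review bot: The added guard `if (paddedWidth > 32767 || height > 32767 || depth > 4)` bounds the signed `height` and `depth` only from above, so a negative value passes and is then converted to a very large `size_t` inside `height * paddedWidth * depth`. The dispatch.c check presumably keeps client-supplied dimensions non-negative, but other callers of this screen hook are not visible here, so I would add the lower bound as well: `if (height < 0 || depth < 0 || paddedWidth > 32767 || height > 32767 || depth > 4)`. The same upper-bound-only pattern appears in the cfb, fb, xaa, xf4bpp, ilbm, iplan2p4 and mfb hunks. The body of afbCreatePixmap continues outside the hunk.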
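diff -urN xc.orig/programs/Xserver/cfb/cfbpixmap.c xc/programs/Xserver/cfb/cfbpixmap.c
--- xc.orig/programs/Xserver/cfb/cfbpixmap.c 3 Jul 2005 07:01:15 -0000 1.5
+++ xc/programs/Xserver/cfb/cfbpixmap.c 26 Aug 2005 19:58:29 -0000
@@ -72,10 +72,13 @@ cfbCreatePixmap (pScreen, width, height,
 int depth;
 {
 PixmapPtr pPixmap;
- int datasize;
- int paddedWidth;
+ size_t datasize;
+ size_t paddedWidth;
 
 paddedWidth = PixmapBytePad(width, depth);
+
+ if (paddedWidth / 4 > 32767 || height > 32767)
+ return NullPixmap;
 datasize = height * paddedWidth;
 pPixmap = AllocatePixmap(pScreen, datasize);
 if (!pPixmap)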
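Review bot: The `/ 4` in `paddedWidth / 4 > 32767` is unexplained: `paddedWidth` is the byte count returned by `PixmapBytePad(width, depth)`, so the guard presumably assumes at most four bytes per pixel. A comment such as `/* paddedWidth is in bytes; /4 bounds a row at 32767 pixels of up to 32 bpp */` would make the intent checkable, and a shared named constant for 32767 would keep this limit in step with the one added in dix/dispatch.c. The same expression is repeated in the fb, xf4bpp and iplan2p4 hunks.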
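diff -urN xc.orig/programs/Xserver/dix/dispatch.c xc/programs/Xserver/dix/dispatch.c
--- xc.orig/programs/Xserver/dix/dispatch.c 16 Jul 2005 20:52:25 -0000 1.12
+++ xc/programs/Xserver/dix/dispatch.c 26 Aug 2005 19:58:30 -0000
@@ -1483,6 +1483,23 @@ ProcCreatePixmap(register ClientPtr clie
 client->errorValue = 0;
 return BadValue;
 }
+ if (stuff->width > 32767 || stuff->height > 32767)
+ {
+ /* It is allowed to try and allocate a pixmap which is larger than
+ * 32767 in either dimension. However, all of the framebuffer code
+ * is buggy and does not reliably draw to such big pixmaps, basically
+ * because the Region data structure operates with signed shorts
+ * for the rectangles in it.
+ *
+ * Furthermore, several places in the X server computes the
+ * size in bytes of the pixmap and tries to store it in an
+ * integer. This integer can overflow and cause the allocated size
+ * to be much smaller.
+ *
+ * So, such big pixmaps are rejected here with a BadAlloc
+ */
+ return BadAlloc;
+ }
 if (stuff->depth != 1)
 {
 pDepth = pDraw->pScreen->allowedDepths;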
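diff -urN xc.orig/programs/Xserver/dix/pixmap.c
--- xc.orig/programs/Xserver/dix/pixmap.c 3 Jul 2005 08:53:38 -0000 1.7
+++ xc/programs/Xserver/dix/pixmap.c 26 Aug 2005 19:58:30 -0000
@@ -118,6 +118,9 @@ AllocatePixmap(ScreenPtr pScreen, int pi
 unsigned size;
 int i;
 
+ if (pScreen->totalPixmapSize > ((size_t)-1) - pixDataSize)
+ return NullPixmap;
+
 pPixmap = (PixmapPtr)xalloc(pScreen->totalPixmapSize + pixDataSize);
 if (!pPixmap)
 return NullPixmap;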
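Review bot: The new overflow test is done in `size_t`, but the hunk header shows the second parameter is still declared `int` (`AllocatePixmap(ScreenPtr pScreen, int pi`, truncated in this view), so the wider `datasize` values the callers now compute are narrowed at the call. The limits added in the cfb and fb hunks allow products up to 131071 * 32767, which is below 2^32 but above INT_MAX, so `pixDataSize` can arrive negative. The sum passed to `xalloc` then falls below `totalPixmapSize` instead of the request being refused outright; whether `xalloc` rejects the result depends on its parameter type, which is not visible here. I would reject it explicitly with `if (pixDataSize < 0 || pScreen->totalPixmapSize > ((size_t)-1) - pixDataSize)`, or widen the parameter to `size_t`. The function body continues outside the hunk.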
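diff -urN xc.orig/programs/Xserver/fb/fbpixmap.c xc/programs/Xserver/fb/fbpixmap.c
--- xc.orig/programs/Xserver/fb/fbpixmap.c 3 Jul 2005 07:01:23 -0000 1.5
+++ xc/programs/Xserver/fb/fbpixmap.c 26 Aug 2005 19:58:30 -0000
@@ -36,12 +36,14 @@ PixmapPtr
 fbCreatePixmapBpp (ScreenPtr pScreen, int width, int height, int depth, int bpp)
 {
 PixmapPtr pPixmap;
- int datasize;
- int paddedWidth;
+ size_t datasize;
+ size_t paddedWidth;
 int adjust;
 int base;
 
 paddedWidth = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (FbBits);
+ if (paddedWidth / 4 > 32767 || height > 32767)
+ return NullPixmap;
 datasize = height * paddedWidth;
 #ifdef PIXPRIV
 base = pScreen->totalPixmapSize;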
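diff -urN xc.orig/programs/Xserver/hw/xfree86/xaa/xaaInit.c xc/programs/Xserver/hw/xfree86/xaa/xaaInit.c
--- xc.orig/programs/Xserver/hw/xfree86/xaa/xaaInit.c 3 Jul 2005 08:53:49 -0000 1.7
+++ xc/programs/Xserver/hw/xfree86/xaa/xaaInit.c 26 Aug 2005 19:58:31 -0000
@@ -502,6 +502,9 @@ XAACreatePixmap(ScreenPtr pScreen, int w
 XAAPixmapPtr pPriv;
 PixmapPtr pPix = NULL;
 int size = w * h;
+
+ if (w > 32767 || h > 32767)
+ return NullPixmap;
 
 if (!infoRec->offscreenDepthsInitialized)
 XAAInitializeOffscreenDepths (pScreen);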
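Review bot: `int size = w * h;` is still evaluated in the initializer above the new guard, so for oversized `w` or `h` the signed multiplication overflows, which is undefined behaviour, before the function gets to return NullPixmap. Declare `int size;` without an initializer and assign `size = w * h;` after the `if (w > 32767 || h > 32767)` check, where the product is known to fit in an `int`. The rest of XAACreatePixmap is outside the hunk, so how `size` is used later is not visible here.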
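diff -urN xc.orig/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c xc/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c
--- xc.orig/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c 3 Jul 2005 07:01:41 -0000 1.3
+++ xc/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c 26 Aug 2005 19:58:31 -0000
@@ -89,7 +89,7 @@ xf4bppCreatePixmap( pScreen, width, heig
 int depth ;
 {
 register PixmapPtr pPixmap = (PixmapPtr)NULL;
- int size ;
+ size_t size ;
 
 TRACE(("xf4bppCreatePixmap(pScreen=0x%x, width=%d, height=%d, depth=%d)\n", pScreen, width, height, depth)) ;
 
@@ -97,6 +97,10 @@ xf4bppCreatePixmap( pScreen, width, heig
 return (PixmapPtr) NULL ;
 
 size = PixmapBytePad(width, depth);
+
+ if (size / 4 > 32767 || height > 32767)
+ return (PixmapPtr) NULL ;
+
 pPixmap = AllocatePixmap (pScreen, (height * size));
 
 if ( !pPixmap )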
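diff -urN xc.orig/programs/Xserver/ilbm/ilbmpixmap.c xc/programs/Xserver/ilbm/ilbmpixmap.c
--- xc.orig/programs/Xserver/ilbm/ilbmpixmap.c 3 Jul 2005 07:01:44 -0000 1.4
+++ xc/programs/Xserver/ilbm/ilbmpixmap.c 26 Aug 2005 19:58:31 -0000
@@ -79,10 +79,12 @@ ilbmCreatePixmap(pScreen, width, height,
 int depth;
 {
 PixmapPtr pPixmap;
- int datasize;
- int paddedWidth;
+ size_t datasize;
+ size_t paddedWidth;
 
 paddedWidth = BitmapBytePad(width);
+ if (paddedWidth > 32767 || height > 32767 || depth > 4)
+ return NullPixmap;
 datasize = height * paddedWidth * depth;
 pPixmap = AllocatePixmap(pScreen, datasize);
 if (!pPixmap)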
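diff -urN xc.orig/programs/Xserver/iplan2p4/iplpixmap.c xc/programs/Xserver/iplan2p4/iplpixmap.c
--- xc.orig/programs/Xserver/iplan2p4/iplpixmap.c 3 Jul 2005 07:01:46 -0000 1.4
+++ xc/programs/Xserver/iplan2p4/iplpixmap.c 26 Aug 2005 19:58:31 -0000
@@ -78,12 +78,14 @@ iplCreatePixmap (pScreen, width, height,
 int depth;
 {
 PixmapPtr pPixmap;
- int datasize;
- int paddedWidth;
+ size_t datasize;
+ size_t paddedWidth;
 int ipad=INTER_PLANES*2 - 1;
 
 paddedWidth = PixmapBytePad(width, depth);
 paddedWidth = (paddedWidth + ipad) & ~ipad;
+ if (paddedWidth / 4 > 32767 || height > 32767)
+ return NullPixmap;
 datasize = height * paddedWidth;
 pPixmap = AllocatePixmap(pScreen, datasize);
 if (!pPixmap)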
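diff -urN xc.orig/programs/Xserver/mfb/mfbpixmap.c xc/programs/Xserver/mfb/mfbpixmap.c
--- xc.orig/programs/Xserver/mfb/mfbpixmap.c 3 Jul 2005 07:01:50 -0000 1.4
+++ xc/programs/Xserver/mfb/mfbpixmap.c 26 Aug 2005 19:58:31 -0000
@@ -75,12 +75,14 @@ mfbCreatePixmap (pScreen, width, height,
 int depth;
 {
 PixmapPtr pPixmap;
- int datasize;
- int paddedWidth;
+ size_t datasize;
+ size_t paddedWidth;
 
 if (depth != 1)
 return NullPixmap;
 paddedWidth = BitmapBytePad(width);
+ if (paddedWidth / 4 > 32767 || height > 32767)
+ return NullPixmap;
 datasize = height * paddedWidth;
 pPixmap = AllocatePixmap(pScreen, datasize);
 if (!pPixmap)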
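Review bot: The limit here is `paddedWidth / 4 > 32767` even though `paddedWidth` comes from `BitmapBytePad(width)`, the same padding for which the afb and ilbm hunks test `paddedWidth > 32767` directly. For a bitmap the divided form admits rows four times longer than the other two back ends, which looks like a copy of the cfb/fb variant rather than a deliberate choice. If so, `if (paddedWidth > 32767 || height > 32767)` would match afb and ilbm; if the looser bound is intended, a one-line comment saying why would help the next reader. The body of mfbCreatePixmap continues outside the hunk.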