Contents of /trunk/xorg-old/patches-6.8.2-r10/9995_all_CAN-2005-2495.patch
Parent Directory | Revision Log
Revision 167 -
(show annotations)
(download)
Tue May 8 20:58:51 2007 UTC (17 years, 4 months ago) by niro
File size: 7138 byte(s)
Tue May 8 20:58:51 2007 UTC (17 years, 4 months ago) by niro
File size: 7138 byte(s)
-import
1 | diff -urN xc.orig/programs/Xserver/afb/afbpixmap.c xc/programs/Xserver/afb/afbpixmap.c |
2 | --- xc.orig/programs/Xserver/afb/afbpixmap.c 3 Jul 2005 07:01:14 -0000 1.5 |
3 | +++ xc/programs/Xserver/afb/afbpixmap.c 26 Aug 2005 19:58:29 -0000 |
4 | @@ -77,10 +77,14 @@ afbCreatePixmap(pScreen, width, height, |
5 | int depth; |
6 | { |
7 | PixmapPtr pPixmap; |
8 | - int datasize; |
9 | - int paddedWidth; |
10 | + size_t datasize; |
11 | + size_t paddedWidth; |
12 | |
13 | paddedWidth = BitmapBytePad(width); |
14 | + |
15 | + if (paddedWidth > 32767 || height > 32767 || depth > 4) |
16 | + return NullPixmap; |
17 | + |
18 | datasize = height * paddedWidth * depth; |
19 | pPixmap = AllocatePixmap(pScreen, datasize); |
20 | if (!pPixmap) |
21 | diff -urN xc.orig/programs/Xserver/cfb/cfbpixmap.c xc/programs/Xserver/cfb/cfbpixmap.c |
22 | --- xc.orig/programs/Xserver/cfb/cfbpixmap.c 3 Jul 2005 07:01:15 -0000 1.5 |
23 | +++ xc/programs/Xserver/cfb/cfbpixmap.c 26 Aug 2005 19:58:29 -0000 |
24 | @@ -72,10 +72,13 @@ cfbCreatePixmap (pScreen, width, height, |
25 | int depth; |
26 | { |
27 | PixmapPtr pPixmap; |
28 | - int datasize; |
29 | - int paddedWidth; |
30 | + size_t datasize; |
31 | + size_t paddedWidth; |
32 | |
33 | paddedWidth = PixmapBytePad(width, depth); |
34 | + |
35 | + if (paddedWidth / 4 > 32767 || height > 32767) |
36 | + return NullPixmap; |
37 | datasize = height * paddedWidth; |
38 | pPixmap = AllocatePixmap(pScreen, datasize); |
39 | if (!pPixmap) |
40 | diff -urN xc.orig/programs/Xserver/dix/dispatch.c xc/programs/Xserver/dix/dispatch.c |
41 | --- xc.orig/programs/Xserver/dix/dispatch.c 16 Jul 2005 20:52:25 -0000 1.12 |
42 | +++ xc/programs/Xserver/dix/dispatch.c 26 Aug 2005 19:58:30 -0000 |
43 | @@ -1483,6 +1483,23 @@ ProcCreatePixmap(register ClientPtr clie |
44 | client->errorValue = 0; |
45 | return BadValue; |
46 | } |
47 | + if (stuff->width > 32767 || stuff->height > 32767) |
48 | + { |
49 | + /* It is allowed to try and allocate a pixmap which is larger than |
50 | + * 32767 in either dimension. However, all of the framebuffer code |
51 | + * is buggy and does not reliably draw to such big pixmaps, basically |
52 | + * because the Region data structure operates with signed shorts |
53 | + * for the rectangles in it. |
54 | + * |
55 | + * Furthermore, several places in the X server computes the |
56 | + * size in bytes of the pixmap and tries to store it in an |
57 | + * integer. This integer can overflow and cause the allocated size |
58 | + * to be much smaller. |
59 | + * |
60 | + * So, such big pixmaps are rejected here with a BadAlloc |
61 | + */ |
62 | + return BadAlloc; |
63 | + } |
64 | if (stuff->depth != 1) |
65 | { |
66 | pDepth = pDraw->pScreen->allowedDepths; |
67 | diff -urN xc.orig/programs/Xserver/dix/pixmap.c |
68 | --- xc.orig/programs/Xserver/dix/pixmap.c 3 Jul 2005 08:53:38 -0000 1.7 |
69 | +++ xc/programs/Xserver/dix/pixmap.c 26 Aug 2005 19:58:30 -0000 |
70 | @@ -118,6 +118,9 @@ AllocatePixmap(ScreenPtr pScreen, int pi |
71 | unsigned size; |
72 | int i; |
73 | |
74 | + if (pScreen->totalPixmapSize > ((size_t)-1) - pixDataSize) |
75 | + return NullPixmap; |
76 | + |
77 | pPixmap = (PixmapPtr)xalloc(pScreen->totalPixmapSize + pixDataSize); |
78 | if (!pPixmap) |
79 | return NullPixmap; |
80 | diff -urN xc.orig/programs/Xserver/fb/fbpixmap.c xc/programs/Xserver/fb/fbpixmap.c |
81 | --- xc.orig/programs/Xserver/fb/fbpixmap.c 3 Jul 2005 07:01:23 -0000 1.5 |
82 | +++ xc/programs/Xserver/fb/fbpixmap.c 26 Aug 2005 19:58:30 -0000 |
83 | @@ -36,12 +36,14 @@ PixmapPtr |
84 | fbCreatePixmapBpp (ScreenPtr pScreen, int width, int height, int depth, int bpp) |
85 | { |
86 | PixmapPtr pPixmap; |
87 | - int datasize; |
88 | - int paddedWidth; |
89 | + size_t datasize; |
90 | + size_t paddedWidth; |
91 | int adjust; |
92 | int base; |
93 | |
94 | paddedWidth = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (FbBits); |
95 | + if (paddedWidth / 4 > 32767 || height > 32767) |
96 | + return NullPixmap; |
97 | datasize = height * paddedWidth; |
98 | #ifdef PIXPRIV |
99 | base = pScreen->totalPixmapSize; |
100 | diff -urN xc.orig/programs/Xserver/hw/xfree86/xaa/xaaInit.c xc/programs/Xserver/hw/xfree86/xaa/xaaInit.c |
101 | --- xc.orig/programs/Xserver/hw/xfree86/xaa/xaaInit.c 3 Jul 2005 08:53:49 -0000 1.7 |
102 | +++ xc/programs/Xserver/hw/xfree86/xaa/xaaInit.c 26 Aug 2005 19:58:31 -0000 |
103 | @@ -502,6 +502,9 @@ XAACreatePixmap(ScreenPtr pScreen, int w |
104 | XAAPixmapPtr pPriv; |
105 | PixmapPtr pPix = NULL; |
106 | int size = w * h; |
107 | + |
108 | + if (w > 32767 || h > 32767) |
109 | + return NullPixmap; |
110 | |
111 | if (!infoRec->offscreenDepthsInitialized) |
112 | XAAInitializeOffscreenDepths (pScreen); |
113 | |
114 | diff -urN xc.orig/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c xc/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c |
115 | --- xc.orig/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c 3 Jul 2005 07:01:41 -0000 1.3 |
116 | +++ xc/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c 26 Aug 2005 19:58:31 -0000 |
117 | @@ -89,7 +89,7 @@ xf4bppCreatePixmap( pScreen, width, heig |
118 | int depth ; |
119 | { |
120 | register PixmapPtr pPixmap = (PixmapPtr)NULL; |
121 | - int size ; |
122 | + size_t size ; |
123 | |
124 | TRACE(("xf4bppCreatePixmap(pScreen=0x%x, width=%d, height=%d, depth=%d)\n", pScreen, width, height, depth)) ; |
125 | |
126 | @@ -97,6 +97,10 @@ xf4bppCreatePixmap( pScreen, width, heig |
127 | return (PixmapPtr) NULL ; |
128 | |
129 | size = PixmapBytePad(width, depth); |
130 | + |
131 | + if (size / 4 > 32767 || height > 32767) |
132 | + return (PixmapPtr) NULL ; |
133 | + |
134 | pPixmap = AllocatePixmap (pScreen, (height * size)); |
135 | |
136 | if ( !pPixmap ) |
137 | diff -urN xc.orig/programs/Xserver/ilbm/ilbmpixmap.c xc/programs/Xserver/ilbm/ilbmpixmap.c |
138 | --- xc.orig/programs/Xserver/ilbm/ilbmpixmap.c 3 Jul 2005 07:01:44 -0000 1.4 |
139 | +++ xc/programs/Xserver/ilbm/ilbmpixmap.c 26 Aug 2005 19:58:31 -0000 |
140 | @@ -79,10 +79,12 @@ ilbmCreatePixmap(pScreen, width, height, |
141 | int depth; |
142 | { |
143 | PixmapPtr pPixmap; |
144 | - int datasize; |
145 | - int paddedWidth; |
146 | + size_t datasize; |
147 | + size_t paddedWidth; |
148 | |
149 | paddedWidth = BitmapBytePad(width); |
150 | + if (paddedWidth > 32767 || height > 32767 || depth > 4) |
151 | + return NullPixmap; |
152 | datasize = height * paddedWidth * depth; |
153 | pPixmap = AllocatePixmap(pScreen, datasize); |
154 | if (!pPixmap) |
155 | diff -urN xc.orig/programs/Xserver/iplan2p4/iplpixmap.c xc/programs/Xserver/iplan2p4/iplpixmap.c |
156 | --- xc.orig/programs/Xserver/iplan2p4/iplpixmap.c 3 Jul 2005 07:01:46 -0000 1.4 |
157 | +++ xc/programs/Xserver/iplan2p4/iplpixmap.c 26 Aug 2005 19:58:31 -0000 |
158 | @@ -78,12 +78,14 @@ iplCreatePixmap (pScreen, width, height, |
159 | int depth; |
160 | { |
161 | PixmapPtr pPixmap; |
162 | - int datasize; |
163 | - int paddedWidth; |
164 | + size_t datasize; |
165 | + size_t paddedWidth; |
166 | int ipad=INTER_PLANES*2 - 1; |
167 | |
168 | paddedWidth = PixmapBytePad(width, depth); |
169 | paddedWidth = (paddedWidth + ipad) & ~ipad; |
170 | + if (paddedWidth / 4 > 32767 || height > 32767) |
171 | + return NullPixmap; |
172 | datasize = height * paddedWidth; |
173 | pPixmap = AllocatePixmap(pScreen, datasize); |
174 | if (!pPixmap) |
175 | diff -urN xc.orig/programs/Xserver/mfb/mfbpixmap.c xc/programs/Xserver/mfb/mfbpixmap.c |
176 | --- xc.orig/programs/Xserver/mfb/mfbpixmap.c 3 Jul 2005 07:01:50 -0000 1.4 |
177 | +++ xc/programs/Xserver/mfb/mfbpixmap.c 26 Aug 2005 19:58:31 -0000 |
178 | @@ -75,12 +75,14 @@ mfbCreatePixmap (pScreen, width, height, |
179 | int depth; |
180 | { |
181 | PixmapPtr pPixmap; |
182 | - int datasize; |
183 | - int paddedWidth; |
184 | + size_t datasize; |
185 | + size_t paddedWidth; |
186 | |
187 | if (depth != 1) |
188 | return NullPixmap; |
189 | paddedWidth = BitmapBytePad(width); |
190 | + if (paddedWidth / 4 > 32767 || height > 32767) |
191 | + return NullPixmap; |
192 | datasize = height * paddedWidth; |
193 | pPixmap = AllocatePixmap(pScreen, datasize); |
194 | if (!pPixmap) |