Annotation of /trunk/xorg-server/patches/xorg-server-1.4.0.90-CVE-2007-6427.patch
Parent Directory | Revision Log
Revision 486 -
(hide annotations)
(download)
Wed Feb 13 00:09:39 2008 UTC (16 years, 7 months ago) by niro
File size: 7342 byte(s)
Wed Feb 13 00:09:39 2008 UTC (16 years, 7 months ago) by niro
File size: 7342 byte(s)
-added several security fixes, a fix for compiz and openoffice
1 | niro | 486 | From d244c8272e0ac47c41a9416e37293903b842a78b Mon Sep 17 00:00:00 2001 |
2 | From: Matthieu Herrb <matthieu@bluenote.herrb.com> | ||
3 | Date: Thu, 17 Jan 2008 15:27:34 +0100 | ||
4 | Subject: [PATCH] Fix for CVE-2007-6427 - Xinput extension memory corruption. | ||
5 | |||
6 | --- | ||
7 | Xi/chgfctl.c | 7 +------ | ||
8 | Xi/chgkmap.c | 13 ++++++------- | ||
9 | Xi/chgprop.c | 10 +++------- | ||
10 | Xi/grabdev.c | 12 +++++------- | ||
11 | Xi/grabdevb.c | 10 +++------- | ||
12 | Xi/grabdevk.c | 9 ++------- | ||
13 | Xi/selectev.c | 11 ++++------- | ||
14 | Xi/sendexev.c | 14 ++++++++------ | ||
15 | 8 files changed, 32 insertions(+), 54 deletions(-) | ||
16 | |||
17 | diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c | ||
18 | index 2e0e13c..235d659 100644 | ||
19 | --- a/Xi/chgfctl.c | ||
20 | +++ b/Xi/chgfctl.c | ||
21 | @@ -327,18 +327,13 @@ ChangeStringFeedback(ClientPtr client, DeviceIntPtr dev, | ||
22 | xStringFeedbackCtl * f) | ||
23 | { | ||
24 | char n; | ||
25 | - long *p; | ||
26 | int i, j; | ||
27 | KeySym *syms, *sup_syms; | ||
28 | |||
29 | syms = (KeySym *) (f + 1); | ||
30 | if (client->swapped) { | ||
31 | swaps(&f->length, n); /* swapped num_keysyms in calling proc */ | ||
32 | - p = (long *)(syms); | ||
33 | - for (i = 0; i < f->num_keysyms; i++) { | ||
34 | - swapl(p, n); | ||
35 | - p++; | ||
36 | - } | ||
37 | + SwapLongs((CARD32 *) syms, f->num_keysyms); | ||
38 | } | ||
39 | |||
40 | if (f->num_keysyms > s->ctrl.max_symbols) { | ||
41 | diff --git a/Xi/chgkmap.c b/Xi/chgkmap.c | ||
42 | index eac520f..f8f85bc 100644 | ||
43 | --- a/Xi/chgkmap.c | ||
44 | +++ b/Xi/chgkmap.c | ||
45 | @@ -79,18 +79,14 @@ int | ||
46 | SProcXChangeDeviceKeyMapping(ClientPtr client) | ||
47 | { | ||
48 | char n; | ||
49 | - long *p; | ||
50 | - int i, count; | ||
51 | + unsigned int count; | ||
52 | |||
53 | REQUEST(xChangeDeviceKeyMappingReq); | ||
54 | swaps(&stuff->length, n); | ||
55 | REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq); | ||
56 | - p = (long *)&stuff[1]; | ||
57 | count = stuff->keyCodes * stuff->keySymsPerKeyCode; | ||
58 | - for (i = 0; i < count; i++) { | ||
59 | - swapl(p, n); | ||
60 | - p++; | ||
61 | - } | ||
62 | + REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32)); | ||
63 | + SwapLongs((CARD32 *) (&stuff[1]), count); | ||
64 | return (ProcXChangeDeviceKeyMapping(client)); | ||
65 | } | ||
66 | |||
67 | @@ -106,10 +102,13 @@ ProcXChangeDeviceKeyMapping(ClientPtr client) | ||
68 | int ret; | ||
69 | unsigned len; | ||
70 | DeviceIntPtr dev; | ||
71 | + unsigned int count; | ||
72 | |||
73 | REQUEST(xChangeDeviceKeyMappingReq); | ||
74 | REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq); | ||
75 | |||
76 | + count = stuff->keyCodes * stuff->keySymsPerKeyCode; | ||
77 | + REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32)); | ||
78 | dev = LookupDeviceIntRec(stuff->deviceid); | ||
79 | if (dev == NULL) { | ||
80 | SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0, | ||
81 | diff --git a/Xi/chgprop.c b/Xi/chgprop.c | ||
82 | index 59a93c6..21bda5b 100644 | ||
83 | --- a/Xi/chgprop.c | ||
84 | +++ b/Xi/chgprop.c | ||
85 | @@ -81,19 +81,15 @@ int | ||
86 | SProcXChangeDeviceDontPropagateList(ClientPtr client) | ||
87 | { | ||
88 | char n; | ||
89 | - long *p; | ||
90 | - int i; | ||
91 | |||
92 | REQUEST(xChangeDeviceDontPropagateListReq); | ||
93 | swaps(&stuff->length, n); | ||
94 | REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq); | ||
95 | swapl(&stuff->window, n); | ||
96 | swaps(&stuff->count, n); | ||
97 | - p = (long *)&stuff[1]; | ||
98 | - for (i = 0; i < stuff->count; i++) { | ||
99 | - swapl(p, n); | ||
100 | - p++; | ||
101 | - } | ||
102 | + REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq, | ||
103 | + stuff->count * sizeof(CARD32)); | ||
104 | + SwapLongs((CARD32 *) (&stuff[1]), stuff->count); | ||
105 | return (ProcXChangeDeviceDontPropagateList(client)); | ||
106 | } | ||
107 | |||
108 | diff --git a/Xi/grabdev.c b/Xi/grabdev.c | ||
109 | index e2809ef..d0b4ae7 100644 | ||
110 | --- a/Xi/grabdev.c | ||
111 | +++ b/Xi/grabdev.c | ||
112 | @@ -82,8 +82,6 @@ int | ||
113 | SProcXGrabDevice(ClientPtr client) | ||
114 | { | ||
115 | char n; | ||
116 | - long *p; | ||
117 | - int i; | ||
118 | |||
119 | REQUEST(xGrabDeviceReq); | ||
120 | swaps(&stuff->length, n); | ||
121 | @@ -91,11 +89,11 @@ SProcXGrabDevice(ClientPtr client) | ||
122 | swapl(&stuff->grabWindow, n); | ||
123 | swapl(&stuff->time, n); | ||
124 | swaps(&stuff->event_count, n); | ||
125 | - p = (long *)&stuff[1]; | ||
126 | - for (i = 0; i < stuff->event_count; i++) { | ||
127 | - swapl(p, n); | ||
128 | - p++; | ||
129 | - } | ||
130 | + | ||
131 | + if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count) | ||
132 | + return BadLength; | ||
133 | + | ||
134 | + SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count); | ||
135 | |||
136 | return (ProcXGrabDevice(client)); | ||
137 | } | ||
138 | diff --git a/Xi/grabdevb.c b/Xi/grabdevb.c | ||
139 | index df62d0c..18db1f7 100644 | ||
140 | --- a/Xi/grabdevb.c | ||
141 | +++ b/Xi/grabdevb.c | ||
142 | @@ -80,8 +80,6 @@ int | ||
143 | SProcXGrabDeviceButton(ClientPtr client) | ||
144 | { | ||
145 | char n; | ||
146 | - long *p; | ||
147 | - int i; | ||
148 | |||
149 | REQUEST(xGrabDeviceButtonReq); | ||
150 | swaps(&stuff->length, n); | ||
151 | @@ -89,11 +87,9 @@ SProcXGrabDeviceButton(ClientPtr client) | ||
152 | swapl(&stuff->grabWindow, n); | ||
153 | swaps(&stuff->modifiers, n); | ||
154 | swaps(&stuff->event_count, n); | ||
155 | - p = (long *)&stuff[1]; | ||
156 | - for (i = 0; i < stuff->event_count; i++) { | ||
157 | - swapl(p, n); | ||
158 | - p++; | ||
159 | - } | ||
160 | + REQUEST_FIXED_SIZE(xGrabDeviceButtonReq, | ||
161 | + stuff->event_count * sizeof(CARD32)); | ||
162 | + SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count); | ||
163 | |||
164 | return (ProcXGrabDeviceButton(client)); | ||
165 | } | ||
166 | diff --git a/Xi/grabdevk.c b/Xi/grabdevk.c | ||
167 | index b74592f..429b2f7 100644 | ||
168 | --- a/Xi/grabdevk.c | ||
169 | +++ b/Xi/grabdevk.c | ||
170 | @@ -80,8 +80,6 @@ int | ||
171 | SProcXGrabDeviceKey(ClientPtr client) | ||
172 | { | ||
173 | char n; | ||
174 | - long *p; | ||
175 | - int i; | ||
176 | |||
177 | REQUEST(xGrabDeviceKeyReq); | ||
178 | swaps(&stuff->length, n); | ||
179 | @@ -89,11 +87,8 @@ SProcXGrabDeviceKey(ClientPtr client) | ||
180 | swapl(&stuff->grabWindow, n); | ||
181 | swaps(&stuff->modifiers, n); | ||
182 | swaps(&stuff->event_count, n); | ||
183 | - p = (long *)&stuff[1]; | ||
184 | - for (i = 0; i < stuff->event_count; i++) { | ||
185 | - swapl(p, n); | ||
186 | - p++; | ||
187 | - } | ||
188 | + REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32)); | ||
189 | + SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count); | ||
190 | return (ProcXGrabDeviceKey(client)); | ||
191 | } | ||
192 | |||
193 | diff --git a/Xi/selectev.c b/Xi/selectev.c | ||
194 | index d52db1b..19415c5 100644 | ||
195 | --- a/Xi/selectev.c | ||
196 | +++ b/Xi/selectev.c | ||
197 | @@ -131,19 +131,16 @@ int | ||
198 | SProcXSelectExtensionEvent(ClientPtr client) | ||
199 | { | ||
200 | char n; | ||
201 | - long *p; | ||
202 | - int i; | ||
203 | |||
204 | REQUEST(xSelectExtensionEventReq); | ||
205 | swaps(&stuff->length, n); | ||
206 | REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq); | ||
207 | swapl(&stuff->window, n); | ||
208 | swaps(&stuff->count, n); | ||
209 | - p = (long *)&stuff[1]; | ||
210 | - for (i = 0; i < stuff->count; i++) { | ||
211 | - swapl(p, n); | ||
212 | - p++; | ||
213 | - } | ||
214 | + REQUEST_FIXED_SIZE(xSelectExtensionEventReq, | ||
215 | + stuff->count * sizeof(CARD32)); | ||
216 | + SwapLongs((CARD32 *) (&stuff[1]), stuff->count); | ||
217 | + | ||
218 | return (ProcXSelectExtensionEvent(client)); | ||
219 | } | ||
220 | |||
221 | diff --git a/Xi/sendexev.c b/Xi/sendexev.c | ||
222 | index eac9abe..9803cf3 100644 | ||
223 | --- a/Xi/sendexev.c | ||
224 | +++ b/Xi/sendexev.c | ||
225 | @@ -83,7 +83,7 @@ int | ||
226 | SProcXSendExtensionEvent(ClientPtr client) | ||
227 | { | ||
228 | char n; | ||
229 | - long *p; | ||
230 | + CARD32 *p; | ||
231 | int i; | ||
232 | xEvent eventT; | ||
233 | xEvent *eventP; | ||
234 | @@ -94,6 +94,11 @@ SProcXSendExtensionEvent(ClientPtr client) | ||
235 | REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq); | ||
236 | swapl(&stuff->destination, n); | ||
237 | swaps(&stuff->count, n); | ||
238 | + | ||
239 | + if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count + | ||
240 | + (stuff->num_events * (sizeof(xEvent) >> 2))) | ||
241 | + return BadLength; | ||
242 | + | ||
243 | eventP = (xEvent *) & stuff[1]; | ||
244 | for (i = 0; i < stuff->num_events; i++, eventP++) { | ||
245 | proc = EventSwapVector[eventP->u.u.type & 0177]; | ||
246 | @@ -103,11 +108,8 @@ SProcXSendExtensionEvent(ClientPtr client) | ||
247 | *eventP = eventT; | ||
248 | } | ||
249 | |||
250 | - p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events); | ||
251 | - for (i = 0; i < stuff->count; i++) { | ||
252 | - swapl(p, n); | ||
253 | - p++; | ||
254 | - } | ||
255 | + p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events); | ||
256 | + SwapLongs(p, stuff->count); | ||
257 | return (ProcXSendExtensionEvent(client)); | ||
258 | } | ||
259 | |||
260 | -- | ||
261 | 1.5.3.5 | ||
262 |