Contents of /trunk/xorg-server/patches/xorg-server-1.4.0.90-CVE-2007-6427.patch
Parent Directory | Revision Log
Revision 486 -
(show annotations)
(download)
Wed Feb 13 00:09:39 2008 UTC (16 years, 7 months ago) by niro
File size: 7342 byte(s)
Wed Feb 13 00:09:39 2008 UTC (16 years, 7 months ago) by niro
File size: 7342 byte(s)
-added several security fixes, a fix for compiz and openoffice
1 | From d244c8272e0ac47c41a9416e37293903b842a78b Mon Sep 17 00:00:00 2001 |
2 | From: Matthieu Herrb <matthieu@bluenote.herrb.com> |
3 | Date: Thu, 17 Jan 2008 15:27:34 +0100 |
4 | Subject: [PATCH] Fix for CVE-2007-6427 - Xinput extension memory corruption. |
5 | |
6 | --- |
7 | Xi/chgfctl.c | 7 +------ |
8 | Xi/chgkmap.c | 13 ++++++------- |
9 | Xi/chgprop.c | 10 +++------- |
10 | Xi/grabdev.c | 12 +++++------- |
11 | Xi/grabdevb.c | 10 +++------- |
12 | Xi/grabdevk.c | 9 ++------- |
13 | Xi/selectev.c | 11 ++++------- |
14 | Xi/sendexev.c | 14 ++++++++------ |
15 | 8 files changed, 32 insertions(+), 54 deletions(-) |
16 | |
17 | diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c |
18 | index 2e0e13c..235d659 100644 |
19 | --- a/Xi/chgfctl.c |
20 | +++ b/Xi/chgfctl.c |
21 | @@ -327,18 +327,13 @@ ChangeStringFeedback(ClientPtr client, DeviceIntPtr dev, |
22 | xStringFeedbackCtl * f) |
23 | { |
24 | char n; |
25 | - long *p; |
26 | int i, j; |
27 | KeySym *syms, *sup_syms; |
28 | |
29 | syms = (KeySym *) (f + 1); |
30 | if (client->swapped) { |
31 | swaps(&f->length, n); /* swapped num_keysyms in calling proc */ |
32 | - p = (long *)(syms); |
33 | - for (i = 0; i < f->num_keysyms; i++) { |
34 | - swapl(p, n); |
35 | - p++; |
36 | - } |
37 | + SwapLongs((CARD32 *) syms, f->num_keysyms); |
38 | } |
39 | |
40 | if (f->num_keysyms > s->ctrl.max_symbols) { |
41 | diff --git a/Xi/chgkmap.c b/Xi/chgkmap.c |
42 | index eac520f..f8f85bc 100644 |
43 | --- a/Xi/chgkmap.c |
44 | +++ b/Xi/chgkmap.c |
45 | @@ -79,18 +79,14 @@ int |
46 | SProcXChangeDeviceKeyMapping(ClientPtr client) |
47 | { |
48 | char n; |
49 | - long *p; |
50 | - int i, count; |
51 | + unsigned int count; |
52 | |
53 | REQUEST(xChangeDeviceKeyMappingReq); |
54 | swaps(&stuff->length, n); |
55 | REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq); |
56 | - p = (long *)&stuff[1]; |
57 | count = stuff->keyCodes * stuff->keySymsPerKeyCode; |
58 | - for (i = 0; i < count; i++) { |
59 | - swapl(p, n); |
60 | - p++; |
61 | - } |
62 | + REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32)); |
63 | + SwapLongs((CARD32 *) (&stuff[1]), count); |
64 | return (ProcXChangeDeviceKeyMapping(client)); |
65 | } |
66 | |
67 | @@ -106,10 +102,13 @@ ProcXChangeDeviceKeyMapping(ClientPtr client) |
68 | int ret; |
69 | unsigned len; |
70 | DeviceIntPtr dev; |
71 | + unsigned int count; |
72 | |
73 | REQUEST(xChangeDeviceKeyMappingReq); |
74 | REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq); |
75 | |
76 | + count = stuff->keyCodes * stuff->keySymsPerKeyCode; |
77 | + REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32)); |
78 | dev = LookupDeviceIntRec(stuff->deviceid); |
79 | if (dev == NULL) { |
80 | SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0, |
81 | diff --git a/Xi/chgprop.c b/Xi/chgprop.c |
82 | index 59a93c6..21bda5b 100644 |
83 | --- a/Xi/chgprop.c |
84 | +++ b/Xi/chgprop.c |
85 | @@ -81,19 +81,15 @@ int |
86 | SProcXChangeDeviceDontPropagateList(ClientPtr client) |
87 | { |
88 | char n; |
89 | - long *p; |
90 | - int i; |
91 | |
92 | REQUEST(xChangeDeviceDontPropagateListReq); |
93 | swaps(&stuff->length, n); |
94 | REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq); |
95 | swapl(&stuff->window, n); |
96 | swaps(&stuff->count, n); |
97 | - p = (long *)&stuff[1]; |
98 | - for (i = 0; i < stuff->count; i++) { |
99 | - swapl(p, n); |
100 | - p++; |
101 | - } |
102 | + REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq, |
103 | + stuff->count * sizeof(CARD32)); |
104 | + SwapLongs((CARD32 *) (&stuff[1]), stuff->count); |
105 | return (ProcXChangeDeviceDontPropagateList(client)); |
106 | } |
107 | |
108 | diff --git a/Xi/grabdev.c b/Xi/grabdev.c |
109 | index e2809ef..d0b4ae7 100644 |
110 | --- a/Xi/grabdev.c |
111 | +++ b/Xi/grabdev.c |
112 | @@ -82,8 +82,6 @@ int |
113 | SProcXGrabDevice(ClientPtr client) |
114 | { |
115 | char n; |
116 | - long *p; |
117 | - int i; |
118 | |
119 | REQUEST(xGrabDeviceReq); |
120 | swaps(&stuff->length, n); |
121 | @@ -91,11 +89,11 @@ SProcXGrabDevice(ClientPtr client) |
122 | swapl(&stuff->grabWindow, n); |
123 | swapl(&stuff->time, n); |
124 | swaps(&stuff->event_count, n); |
125 | - p = (long *)&stuff[1]; |
126 | - for (i = 0; i < stuff->event_count; i++) { |
127 | - swapl(p, n); |
128 | - p++; |
129 | - } |
130 | + |
131 | + if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count) |
132 | + return BadLength; |
133 | + |
134 | + SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count); |
135 | |
136 | return (ProcXGrabDevice(client)); |
137 | } |
138 | diff --git a/Xi/grabdevb.c b/Xi/grabdevb.c |
139 | index df62d0c..18db1f7 100644 |
140 | --- a/Xi/grabdevb.c |
141 | +++ b/Xi/grabdevb.c |
142 | @@ -80,8 +80,6 @@ int |
143 | SProcXGrabDeviceButton(ClientPtr client) |
144 | { |
145 | char n; |
146 | - long *p; |
147 | - int i; |
148 | |
149 | REQUEST(xGrabDeviceButtonReq); |
150 | swaps(&stuff->length, n); |
151 | @@ -89,11 +87,9 @@ SProcXGrabDeviceButton(ClientPtr client) |
152 | swapl(&stuff->grabWindow, n); |
153 | swaps(&stuff->modifiers, n); |
154 | swaps(&stuff->event_count, n); |
155 | - p = (long *)&stuff[1]; |
156 | - for (i = 0; i < stuff->event_count; i++) { |
157 | - swapl(p, n); |
158 | - p++; |
159 | - } |
160 | + REQUEST_FIXED_SIZE(xGrabDeviceButtonReq, |
161 | + stuff->event_count * sizeof(CARD32)); |
162 | + SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count); |
163 | |
164 | return (ProcXGrabDeviceButton(client)); |
165 | } |
166 | diff --git a/Xi/grabdevk.c b/Xi/grabdevk.c |
167 | index b74592f..429b2f7 100644 |
168 | --- a/Xi/grabdevk.c |
169 | +++ b/Xi/grabdevk.c |
170 | @@ -80,8 +80,6 @@ int |
171 | SProcXGrabDeviceKey(ClientPtr client) |
172 | { |
173 | char n; |
174 | - long *p; |
175 | - int i; |
176 | |
177 | REQUEST(xGrabDeviceKeyReq); |
178 | swaps(&stuff->length, n); |
179 | @@ -89,11 +87,8 @@ SProcXGrabDeviceKey(ClientPtr client) |
180 | swapl(&stuff->grabWindow, n); |
181 | swaps(&stuff->modifiers, n); |
182 | swaps(&stuff->event_count, n); |
183 | - p = (long *)&stuff[1]; |
184 | - for (i = 0; i < stuff->event_count; i++) { |
185 | - swapl(p, n); |
186 | - p++; |
187 | - } |
188 | + REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32)); |
189 | + SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count); |
190 | return (ProcXGrabDeviceKey(client)); |
191 | } |
192 | |
193 | diff --git a/Xi/selectev.c b/Xi/selectev.c |
194 | index d52db1b..19415c5 100644 |
195 | --- a/Xi/selectev.c |
196 | +++ b/Xi/selectev.c |
197 | @@ -131,19 +131,16 @@ int |
198 | SProcXSelectExtensionEvent(ClientPtr client) |
199 | { |
200 | char n; |
201 | - long *p; |
202 | - int i; |
203 | |
204 | REQUEST(xSelectExtensionEventReq); |
205 | swaps(&stuff->length, n); |
206 | REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq); |
207 | swapl(&stuff->window, n); |
208 | swaps(&stuff->count, n); |
209 | - p = (long *)&stuff[1]; |
210 | - for (i = 0; i < stuff->count; i++) { |
211 | - swapl(p, n); |
212 | - p++; |
213 | - } |
214 | + REQUEST_FIXED_SIZE(xSelectExtensionEventReq, |
215 | + stuff->count * sizeof(CARD32)); |
216 | + SwapLongs((CARD32 *) (&stuff[1]), stuff->count); |
217 | + |
218 | return (ProcXSelectExtensionEvent(client)); |
219 | } |
220 | |
221 | diff --git a/Xi/sendexev.c b/Xi/sendexev.c |
222 | index eac9abe..9803cf3 100644 |
223 | --- a/Xi/sendexev.c |
224 | +++ b/Xi/sendexev.c |
225 | @@ -83,7 +83,7 @@ int |
226 | SProcXSendExtensionEvent(ClientPtr client) |
227 | { |
228 | char n; |
229 | - long *p; |
230 | + CARD32 *p; |
231 | int i; |
232 | xEvent eventT; |
233 | xEvent *eventP; |
234 | @@ -94,6 +94,11 @@ SProcXSendExtensionEvent(ClientPtr client) |
235 | REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq); |
236 | swapl(&stuff->destination, n); |
237 | swaps(&stuff->count, n); |
238 | + |
239 | + if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count + |
240 | + (stuff->num_events * (sizeof(xEvent) >> 2))) |
241 | + return BadLength; |
242 | + |
243 | eventP = (xEvent *) & stuff[1]; |
244 | for (i = 0; i < stuff->num_events; i++, eventP++) { |
245 | proc = EventSwapVector[eventP->u.u.type & 0177]; |
246 | @@ -103,11 +108,8 @@ SProcXSendExtensionEvent(ClientPtr client) |
247 | *eventP = eventT; |
248 | } |
249 | |
250 | - p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events); |
251 | - for (i = 0; i < stuff->count; i++) { |
252 | - swapl(p, n); |
253 | - p++; |
254 | - } |
255 | + p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events); |
256 | + SwapLongs(p, stuff->count); |
257 | return (ProcXSendExtensionEvent(client)); |
258 | } |
259 | |
260 | -- |
261 | 1.5.3.5 |
262 |