Magellan Linux

  • Back to homepage
    • /[pkg-src]/trunk/xorg-server/patches/xorg-server-1.4.0.90-CVE-2007-6427.patch

    Annotation of /trunk/xorg-server/patches/xorg-server-1.4.0.90-CVE-2007-6427.patch

    Parent Directory Parent Directory | Revision Log Revision Log

    Revision 486 - (hide annotations) (download)
    Wed Feb 13 00:09:39 2008 UTC (16 years, 4 months ago) by niro
    File size: 7342 byte(s) 
    -added several security fixes, a fix for compiz and openoffice
    1 niro 486 From d244c8272e0ac47c41a9416e37293903b842a78b Mon Sep 17 00:00:00 2001
    2     From: Matthieu Herrb <matthieu@bluenote.herrb.com>
    3     Date: Thu, 17 Jan 2008 15:27:34 +0100
    4     Subject: [PATCH] Fix for CVE-2007-6427 - Xinput extension memory corruption.
    5    
    6     ---
    7     Xi/chgfctl.c | 7 +------
    8     Xi/chgkmap.c | 13 ++++++-------
    9     Xi/chgprop.c | 10 +++-------
    10     Xi/grabdev.c | 12 +++++-------
    11     Xi/grabdevb.c | 10 +++-------
    12     Xi/grabdevk.c | 9 ++-------
    13     Xi/selectev.c | 11 ++++-------
    14     Xi/sendexev.c | 14 ++++++++------
    15     8 files changed, 32 insertions(+), 54 deletions(-)
    16    
    17     diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
    18     index 2e0e13c..235d659 100644
    19     --- a/Xi/chgfctl.c
    20     +++ b/Xi/chgfctl.c
    21     @@ -327,18 +327,13 @@ ChangeStringFeedback(ClientPtr client, DeviceIntPtr dev,
    22     xStringFeedbackCtl * f)
    23     {
    24     char n;
    25     - long *p;
    26     int i, j;
    27     KeySym *syms, *sup_syms;
    28    
    29     syms = (KeySym *) (f + 1);
    30     if (client->swapped) {
    31     swaps(&f->length, n); /* swapped num_keysyms in calling proc */
    32     - p = (long *)(syms);
    33     - for (i = 0; i < f->num_keysyms; i++) {
    34     - swapl(p, n);
    35     - p++;
    36     - }
    37     + SwapLongs((CARD32 *) syms, f->num_keysyms);
    38     }
    39    
    40     if (f->num_keysyms > s->ctrl.max_symbols) {
    41     diff --git a/Xi/chgkmap.c b/Xi/chgkmap.c
    42     index eac520f..f8f85bc 100644
    43     --- a/Xi/chgkmap.c
    44     +++ b/Xi/chgkmap.c
    45     @@ -79,18 +79,14 @@ int
    46     SProcXChangeDeviceKeyMapping(ClientPtr client)
    47     {
    48     char n;
    49     - long *p;
    50     - int i, count;
    51     + unsigned int count;
    52    
    53     REQUEST(xChangeDeviceKeyMappingReq);
    54     swaps(&stuff->length, n);
    55     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
    56     - p = (long *)&stuff[1];
    57     count = stuff->keyCodes * stuff->keySymsPerKeyCode;
    58     - for (i = 0; i < count; i++) {
    59     - swapl(p, n);
    60     - p++;
    61     - }
    62     + REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
    63     + SwapLongs((CARD32 *) (&stuff[1]), count);
    64     return (ProcXChangeDeviceKeyMapping(client));
    65     }
    66    
    67     @@ -106,10 +102,13 @@ ProcXChangeDeviceKeyMapping(ClientPtr client)
    68     int ret;
    69     unsigned len;
    70     DeviceIntPtr dev;
    71     + unsigned int count;
    72    
    73     REQUEST(xChangeDeviceKeyMappingReq);
    74     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
    75    
    76     + count = stuff->keyCodes * stuff->keySymsPerKeyCode;
    77     + REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
    78     dev = LookupDeviceIntRec(stuff->deviceid);
    79     if (dev == NULL) {
    80     SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0,
    81     diff --git a/Xi/chgprop.c b/Xi/chgprop.c
    82     index 59a93c6..21bda5b 100644
    83     --- a/Xi/chgprop.c
    84     +++ b/Xi/chgprop.c
    85     @@ -81,19 +81,15 @@ int
    86     SProcXChangeDeviceDontPropagateList(ClientPtr client)
    87     {
    88     char n;
    89     - long *p;
    90     - int i;
    91    
    92     REQUEST(xChangeDeviceDontPropagateListReq);
    93     swaps(&stuff->length, n);
    94     REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
    95     swapl(&stuff->window, n);
    96     swaps(&stuff->count, n);
    97     - p = (long *)&stuff[1];
    98     - for (i = 0; i < stuff->count; i++) {
    99     - swapl(p, n);
    100     - p++;
    101     - }
    102     + REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
    103     + stuff->count * sizeof(CARD32));
    104     + SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
    105     return (ProcXChangeDeviceDontPropagateList(client));
    106     }
    107    
    108     diff --git a/Xi/grabdev.c b/Xi/grabdev.c
    109     index e2809ef..d0b4ae7 100644
    110     --- a/Xi/grabdev.c
    111     +++ b/Xi/grabdev.c
    112     @@ -82,8 +82,6 @@ int
    113     SProcXGrabDevice(ClientPtr client)
    114     {
    115     char n;
    116     - long *p;
    117     - int i;
    118    
    119     REQUEST(xGrabDeviceReq);
    120     swaps(&stuff->length, n);
    121     @@ -91,11 +89,11 @@ SProcXGrabDevice(ClientPtr client)
    122     swapl(&stuff->grabWindow, n);
    123     swapl(&stuff->time, n);
    124     swaps(&stuff->event_count, n);
    125     - p = (long *)&stuff[1];
    126     - for (i = 0; i < stuff->event_count; i++) {
    127     - swapl(p, n);
    128     - p++;
    129     - }
    130     +
    131     + if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
    132     + return BadLength;
    133     +
    134     + SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
    135    
    136     return (ProcXGrabDevice(client));
    137     }
    138     diff --git a/Xi/grabdevb.c b/Xi/grabdevb.c
    139     index df62d0c..18db1f7 100644
    140     --- a/Xi/grabdevb.c
    141     +++ b/Xi/grabdevb.c
    142     @@ -80,8 +80,6 @@ int
    143     SProcXGrabDeviceButton(ClientPtr client)
    144     {
    145     char n;
    146     - long *p;
    147     - int i;
    148    
    149     REQUEST(xGrabDeviceButtonReq);
    150     swaps(&stuff->length, n);
    151     @@ -89,11 +87,9 @@ SProcXGrabDeviceButton(ClientPtr client)
    152     swapl(&stuff->grabWindow, n);
    153     swaps(&stuff->modifiers, n);
    154     swaps(&stuff->event_count, n);
    155     - p = (long *)&stuff[1];
    156     - for (i = 0; i < stuff->event_count; i++) {
    157     - swapl(p, n);
    158     - p++;
    159     - }
    160     + REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
    161     + stuff->event_count * sizeof(CARD32));
    162     + SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
    163    
    164     return (ProcXGrabDeviceButton(client));
    165     }
    166     diff --git a/Xi/grabdevk.c b/Xi/grabdevk.c
    167     index b74592f..429b2f7 100644
    168     --- a/Xi/grabdevk.c
    169     +++ b/Xi/grabdevk.c
    170     @@ -80,8 +80,6 @@ int
    171     SProcXGrabDeviceKey(ClientPtr client)
    172     {
    173     char n;
    174     - long *p;
    175     - int i;
    176    
    177     REQUEST(xGrabDeviceKeyReq);
    178     swaps(&stuff->length, n);
    179     @@ -89,11 +87,8 @@ SProcXGrabDeviceKey(ClientPtr client)
    180     swapl(&stuff->grabWindow, n);
    181     swaps(&stuff->modifiers, n);
    182     swaps(&stuff->event_count, n);
    183     - p = (long *)&stuff[1];
    184     - for (i = 0; i < stuff->event_count; i++) {
    185     - swapl(p, n);
    186     - p++;
    187     - }
    188     + REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
    189     + SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
    190     return (ProcXGrabDeviceKey(client));
    191     }
    192    
    193     diff --git a/Xi/selectev.c b/Xi/selectev.c
    194     index d52db1b..19415c5 100644
    195     --- a/Xi/selectev.c
    196     +++ b/Xi/selectev.c
    197     @@ -131,19 +131,16 @@ int
    198     SProcXSelectExtensionEvent(ClientPtr client)
    199     {
    200     char n;
    201     - long *p;
    202     - int i;
    203    
    204     REQUEST(xSelectExtensionEventReq);
    205     swaps(&stuff->length, n);
    206     REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
    207     swapl(&stuff->window, n);
    208     swaps(&stuff->count, n);
    209     - p = (long *)&stuff[1];
    210     - for (i = 0; i < stuff->count; i++) {
    211     - swapl(p, n);
    212     - p++;
    213     - }
    214     + REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
    215     + stuff->count * sizeof(CARD32));
    216     + SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
    217     +
    218     return (ProcXSelectExtensionEvent(client));
    219     }
    220    
    221     diff --git a/Xi/sendexev.c b/Xi/sendexev.c
    222     index eac9abe..9803cf3 100644
    223     --- a/Xi/sendexev.c
    224     +++ b/Xi/sendexev.c
    225     @@ -83,7 +83,7 @@ int
    226     SProcXSendExtensionEvent(ClientPtr client)
    227     {
    228     char n;
    229     - long *p;
    230     + CARD32 *p;
    231     int i;
    232     xEvent eventT;
    233     xEvent *eventP;
    234     @@ -94,6 +94,11 @@ SProcXSendExtensionEvent(ClientPtr client)
    235     REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
    236     swapl(&stuff->destination, n);
    237     swaps(&stuff->count, n);
    238     +
    239     + if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
    240     + (stuff->num_events * (sizeof(xEvent) >> 2)))
    241     + return BadLength;
    242     +
    243     eventP = (xEvent *) & stuff[1];
    244     for (i = 0; i < stuff->num_events; i++, eventP++) {
    245     proc = EventSwapVector[eventP->u.u.type & 0177];
    246     @@ -103,11 +108,8 @@ SProcXSendExtensionEvent(ClientPtr client)
    247     *eventP = eventT;
    248     }
    249    
    250     - p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
    251     - for (i = 0; i < stuff->count; i++) {
    252     - swapl(p, n);
    253     - p++;
    254     - }
    255     + p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
    256     + SwapLongs(p, stuff->count);
    257     return (ProcXSendExtensionEvent(client));
    258     }
    259    
    260     --
    261     1.5.3.5
    262