Magellan Linux

Annotation of /trunk/xorg-server/patches/xorg-server-1.4.0.90-CVE-2007-6429_1.patch



Revision 486 - (hide annotations) (download)
Wed Feb 13 00:09:39 2008 UTC (16 years, 4 months ago) by niro
File size: 6830 byte(s)
-added several security fixes, a fix for compiz and openoffice

1 niro 486 From 8b14f7b74284900b95a319ec80c4333e63af2296 Mon Sep 17 00:00:00 2001
2     From: Matthieu Herrb <matthieu@bluenote.herrb.com>
3     Date: Thu, 17 Jan 2008 15:28:42 +0100
4     Subject: [PATCH] Fix for CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows.
5    
6     ---
7     Xext/EVI.c | 15 ++++++++++++++-
8     Xext/sampleEVI.c | 29 ++++++++++++++++++++++++-----
9     Xext/shm.c | 46 ++++++++++++++++++++++++++++++++++++++--------
10     3 files changed, 76 insertions(+), 14 deletions(-)
11    
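--- a/Xext/EVI.c
+++ b/Xext/EVI.c
@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #include <X11/extensions/XEVIstr.h>
 #include "EVIstruct.h"
 #include "modinit.h"
+#include "scrnintstr.h"
 
 #if 0
 static unsigned char XEVIReqCode = 0;
@@ -87,10 +88,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
 {
 REQUEST(xEVIGetVisualInfoReq);
 xEVIGetVisualInfoReply rep;
- int n, n_conflict, n_info, sz_info, sz_conflict;
+ int i, n, n_conflict, n_info, sz_info, sz_conflict;
 VisualID32 *conflict;
+ unsigned int total_visuals = 0;
 xExtendedVisualInfo *eviInfo;
 int status;
+
+ /*
+ * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume
+ * here that you don't have more than 2^32 visuals over all your screens;
+ * this seems like a safe assumption.
+ */
+ for (i = 0; i < screenInfo.numScreens; i++)
+ total_visuals += screenInfo.screens[i]->numVisuals;
+ if (stuff->n_visual > total_visuals)
+ return BadValue;
+
 REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
 status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
 &eviInfo, &n_info, &conflict, &n_conflict);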
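Review bot: The new bound check in ProcEVIGetVisualInfo reads `stuff->n_visual` before anything visible in this hunk has confirmed that the request is long enough to contain that field, because REQUEST_FIXED_SIZE, which performs the length check, now runs after it. A truncated request would be compared on bytes that are not part of it and could be answered with BadValue rather than BadLength. I would put `REQUEST_AT_LEAST_SIZE(xEVIGetVisualInfoReq);` ahead of the loop. The comment could also state that this cap is what keeps `stuff->n_visual * sz_VisualID32` from wrapping, which depends on the real visual count being small rather than merely below 2^32. The function body continues past the end of the hunk.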
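--- a/Xext/sampleEVI.c
+++ b/Xext/sampleEVI.c
@@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #include <X11/extensions/XEVIstr.h>
 #include "EVIstruct.h"
 #include "scrnintstr.h"
+
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
 static int sampleGetVisualInfo(
 VisualID32 *visual,
 int n_visual,
@@ -42,24 +49,36 @@ static int sampleGetVisualInfo(
 VisualID32 **conflict_rn,
 int *n_conflict_rn)
 {
- int max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
+ unsigned int max_sz_evi;
 VisualID32 *temp_conflict;
 xExtendedVisualInfo *evi;
- int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
+ unsigned int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
 register int visualI, scrI, sz_evi = 0, conflictI, n_conflict;
- *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
- if (!*evi_rn)
- return BadAlloc;
+
+ if (n_visual > UINT32_MAX/(sz_xExtendedVisualInfo * screenInfo.numScreens))
+ return BadAlloc;
+ max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
+
 for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
 if (screenInfo.screens[scrI]->numVisuals > max_visuals)
 max_visuals = screenInfo.screens[scrI]->numVisuals;
 }
+
+ if (n_visual > UINT32_MAX/(sz_VisualID32 * screenInfo.numScreens
+ * max_visuals))
+ return BadAlloc;
 max_sz_conflict = n_visual * sz_VisualID32 * screenInfo.numScreens * max_visuals;
+
+ *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
+ if (!*evi_rn)
+ return BadAlloc;
+
 temp_conflict = (VisualID32 *)xalloc(max_sz_conflict);
 if (!temp_conflict) {
 xfree(*evi_rn);
 return BadAlloc;
 }
+
 for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
 for (visualI = 0; visualI < n_visual; visualI++) {
 evi[sz_evi].core_visual_id = visual[visualI];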
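Review bot: Both new overflow guards in sampleGetVisualInfo divide by a product that nothing in the hunk shows to be non-zero: `screenInfo.numScreens` in the first, and additionally `max_visuals` in the second, which stays 0 if no screen reports any visuals. A running server presumably always has at least one screen with visuals, but the check is cheap: `if (screenInfo.numScreens <= 0) return BadAlloc;` before the first division and `if (!max_visuals) return BadAlloc;` before the second. The guards also use UINT32_MAX for values stored in `unsigned int`; `UINT_MAX` from `<limits.h>` would match the type and make the stdint fallback unnecessary. A one-line comment noting that a negative `n_visual` is rejected only through the implicit conversion to unsigned in these comparisons would help the next reader. The function body continues past the end of the hunk.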
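--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -711,6 +711,8 @@ ProcPanoramiXShmCreatePixmap(
 int i, j, result, rc;
 ShmDescPtr shmdesc;
 REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
 PanoramiXRes *newPix;
 
 REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
@@ -724,11 +726,26 @@ ProcPanoramiXShmCreatePixmap(
 return rc;
 
 VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
 {
 client->errorValue = 0;
 return BadValue;
 }
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
 if (stuff->depth != 1)
 {
 pDepth = pDraw->pScreen->allowedDepths;
@@ -739,9 +756,7 @@ ProcPanoramiXShmCreatePixmap(
 return BadValue;
 }
 CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
 
 if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
 return BadAlloc;
@@ -1040,6 +1055,8 @@ ProcShmCreatePixmap(client)
 register int i, rc;
 ShmDescPtr shmdesc;
 REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
 
 REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
 client->errorValue = stuff->pid;
@@ -1052,11 +1069,26 @@ ProcShmCreatePixmap(client)
 return rc;
 
 VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
 {
 client->errorValue = 0;
 return BadValue;
 }
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
 if (stuff->depth != 1)
 {
 pDepth = pDraw->pScreen->allowedDepths;
@@ -1067,9 +1099,7 @@ ProcShmCreatePixmap(client)
 return BadValue;
 }
 CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
 pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
 pDraw->pScreen, stuff->width,
 stuff->height, stuff->depth,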
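Review bot: In both ProcPanoramiXShmCreatePixmap and ProcShmCreatePixmap the new `size = PixmapBytePad(width, depth) * height;` runs before the `allowedDepths` loop, so the client-supplied depth is used to derive row padding before it has been validated; the old code evaluated that expression only at `CreatePmap:`, after validation. The `size < width * height` test also assumes at least one byte per pixel, so on builds where `sizeof(size) == 4` it returns BadAlloc for depth-1 pixmaps, which the `stuff->depth != 1` branch otherwise treats as valid. I would compute and check `size` at `CreatePmap:` and apply the pixel-count comparison only to formats of 8 bits per pixel or more, as sketched below for one of the two functions. Both function bodies start and end outside the hunks shown.

```c
/* … unchanged: zero and 32767 range checks on width/height/depth, allowedDepths loop … */
CreatePmap:
    /* depth has been validated by this point, so padding can be derived from it */
    size = PixmapBytePad(width, depth) * height;
    if (sizeof(size) == 4) {
        /* rows of sub-byte formats are legitimately shorter than width bytes */
        if (BitsPerPixel(depth) >= 8 && size < width * height)
            return BadAlloc;
        /* thankfully, offset is unsigned */
        if (stuff->offset + size < size)
            return BadAlloc;
    }
    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
/* … unchanged: pixmap creation … */
```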
208     --
209     1.5.3.5
210