Annotation of /trunk/xorg-server/patches/xorg-server-1.4.0.90-CVE-2007-6429_1.patch
Revision 486 -
Wed Feb 13 00:09:39 2008 UTC (16 years, 7 months ago) by niro
File size: 6830 byte(s)
-added several security fixes, a fix for compiz and openoffice
1 | niro | 486 | From 8b14f7b74284900b95a319ec80c4333e63af2296 Mon Sep 17 00:00:00 2001 |
2 | From: Matthieu Herrb <matthieu@bluenote.herrb.com> | ||
3 | Date: Thu, 17 Jan 2008 15:28:42 +0100 | ||
4 | Subject: [PATCH] Fix for CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows. | ||
5 | |||
6 | --- | ||
7 | Xext/EVI.c | 15 ++++++++++++++- | ||
8 | Xext/sampleEVI.c | 29 ++++++++++++++++++++++++----- | ||
9 | Xext/shm.c | 46 ++++++++++++++++++++++++++++++++++++++-------- | ||
10 | 3 files changed, 76 insertions(+), 14 deletions(-) | ||
11 | |||
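--- a/Xext/EVI.c
+++ b/Xext/EVI.c
@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #include <X11/extensions/XEVIstr.h>
 #include "EVIstruct.h"
 #include "modinit.h"
+#include "scrnintstr.h"
 
 #if 0
 static unsigned char XEVIReqCode = 0;
@@ -87,10 +88,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
 {
 REQUEST(xEVIGetVisualInfoReq);
 xEVIGetVisualInfoReply rep;
- int n, n_conflict, n_info, sz_info, sz_conflict;
+ int i, n, n_conflict, n_info, sz_info, sz_conflict;
 VisualID32 *conflict;
+ unsigned int total_visuals = 0;
 xExtendedVisualInfo *eviInfo;
 int status;
+
+ /*
+ * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume
+ * here that you don't have more than 2^32 visuals over all your screens;
+ * this seems like a safe assumption.
+ */
+ for (i = 0; i < screenInfo.numScreens; i++)
+ total_visuals += screenInfo.screens[i]->numVisuals;
+ if (stuff->n_visual > total_visuals)
+ return BadValue;
+
 REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
 status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
 &eviInfo, &n_info, &conflict, &n_conflict);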
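Review bot: In ProcEVIGetVisualInfo the new bound check reads `stuff->n_visual` before any length check has run, because it sits ahead of `REQUEST_FIXED_SIZE`; for a request shorter than xEVIGetVisualInfoReq that field would presumably come from bytes the client never sent. Adding `REQUEST_AT_LEAST_SIZE(xEVIGetVisualInfoReq);` before the loop closes that gap while still keeping the overflow guard ahead of the multiplication. The BadValue return also leaves `client->errorValue` unset; `client->errorValue = stuff->n_visual;` before the return would tell the client which value was refused. The function body continues outside the hunk.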
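--- a/Xext/sampleEVI.c
+++ b/Xext/sampleEVI.c
@@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #include <X11/extensions/XEVIstr.h>
 #include "EVIstruct.h"
 #include "scrnintstr.h"
+
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
 static int sampleGetVisualInfo(
 VisualID32 *visual,
 int n_visual,
@@ -42,24 +49,36 @@ static int sampleGetVisualInfo(
 VisualID32 **conflict_rn,
 int *n_conflict_rn)
 {
- int max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
+ unsigned int max_sz_evi;
 VisualID32 *temp_conflict;
 xExtendedVisualInfo *evi;
- int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
+ unsigned int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
 register int visualI, scrI, sz_evi = 0, conflictI, n_conflict;
- *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
- if (!*evi_rn)
- return BadAlloc;
+
+ if (n_visual > UINT32_MAX/(sz_xExtendedVisualInfo * screenInfo.numScreens))
+ return BadAlloc;
+ max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
+
 for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
 if (screenInfo.screens[scrI]->numVisuals > max_visuals)
 max_visuals = screenInfo.screens[scrI]->numVisuals;
 }
+
+ if (n_visual > UINT32_MAX/(sz_VisualID32 * screenInfo.numScreens
+ * max_visuals))
+ return BadAlloc;
 max_sz_conflict = n_visual * sz_VisualID32 * screenInfo.numScreens * max_visuals;
+
+ *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
+ if (!*evi_rn)
+ return BadAlloc;
+
 temp_conflict = (VisualID32 *)xalloc(max_sz_conflict);
 if (!temp_conflict) {
 xfree(*evi_rn);
 return BadAlloc;
 }
+
 for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
 for (visualI = 0; visualI < n_visual; visualI++) {
 evi[sz_evi].core_visual_id = visual[visualI];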
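Review bot: Both new guards in sampleGetVisualInfo divide by a product that nothing visible here keeps non-zero: `max_visuals` starts at 0 and stays there if no screen reports a visual, and `screenInfo.numScreens` appears in both divisors. Whether a running server can reach this code with either value at zero is not shown, so I would refuse the case explicitly, with `if (screenInfo.numScreens <= 0) return BadAlloc;` ahead of the first guard and `if (max_visuals == 0) return BadAlloc;` ahead of the second. The comparisons also depend on the signed `n_visual` being converted to unsigned, which makes a negative count fail the test; a comment such as `/* n_visual converts to unsigned here, so a negative count is refused too */` would record that this is intended. The function body continues past the end of the hunk.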
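--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -711,6 +711,8 @@ ProcPanoramiXShmCreatePixmap(
 int i, j, result, rc;
 ShmDescPtr shmdesc;
 REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
 PanoramiXRes *newPix;
 
 REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
@@ -724,11 +726,26 @@ ProcPanoramiXShmCreatePixmap(
 return rc;
 
 VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
 {
 client->errorValue = 0;
 return BadValue;
 }
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
 if (stuff->depth != 1)
 {
 pDepth = pDraw->pScreen->allowedDepths;
@@ -739,9 +756,7 @@ ProcPanoramiXShmCreatePixmap(
 return BadValue;
 }
 CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
 
 if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
 return BadAlloc;
@@ -1040,6 +1055,8 @@ ProcShmCreatePixmap(client)
 register int i, rc;
 ShmDescPtr shmdesc;
 REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
 
 REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
 client->errorValue = stuff->pid;
@@ -1052,11 +1069,26 @@ ProcShmCreatePixmap(client)
 return rc;
 
 VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
 {
 client->errorValue = 0;
 return BadValue;
 }
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
 if (stuff->depth != 1)
 {
 pDepth = pDraw->pScreen->allowedDepths;
@@ -1067,9 +1099,7 @@ ProcShmCreatePixmap(client)
 return BadValue;
 }
 CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
 pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
 pDraw->pScreen, stuff->width,
 stuff->height, stuff->depth,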
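Review bot: In both ProcPanoramiXShmCreatePixmap and ProcShmCreatePixmap the new `size = PixmapBytePad(width, depth) * height;` runs before the `allowedDepths` loop, so PixmapBytePad sees a client-supplied depth that has only been checked for non-zero; if that macro looks the depth up in a per-depth padding table, as I believe it does in this tree, an unsupported depth is used before it is rejected. Computing `size` and running the two wrap checks directly under `CreatePmap:`, just ahead of `VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);`, would keep the old ordering in which the depth is validated first. Separately, on builds where `sizeof(size) == 4` the test `size < width * height` compares bytes with pixels, so a depth below 8 (a 1-bit bitmap, for instance) is refused with BadAlloc although nothing wrapped; limiting that test to depths of at least 8 bits per pixel, or dividing `size` by `height` and comparing the result with the padded line length, avoids the false reject. Both function bodies start and end outside the hunks.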
208 | -- | ||
209 | 1.5.3.5 | ||
210 |