Contents of /trunk/xorg-server/patches/xorg-server-1.4.0.90-CVE-2007-6429_1.patch
Revision 486 -
Wed Feb 13 00:09:39 2008 UTC (16 years, 7 months ago) by niro
File size: 6830 byte(s)
-added several security fixes, a fix for compiz and openoffice
1 | From 8b14f7b74284900b95a319ec80c4333e63af2296 Mon Sep 17 00:00:00 2001 |
2 | From: Matthieu Herrb <matthieu@bluenote.herrb.com> |
3 | Date: Thu, 17 Jan 2008 15:28:42 +0100 |
4 | Subject: [PATCH] Fix for CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows. |
5 | |
6 | --- |
7 | Xext/EVI.c | 15 ++++++++++++++- |
8 | Xext/sampleEVI.c | 29 ++++++++++++++++++++++++----- |
9 | Xext/shm.c | 46 ++++++++++++++++++++++++++++++++++++++-------- |
10 | 3 files changed, 76 insertions(+), 14 deletions(-) |
11 | |
12 | diff --git a/Xext/EVI.c b/Xext/EVI.c |
13 | index 8fe3481..13bd32a 100644 |
14 | --- a/Xext/EVI.c |
15 | +++ b/Xext/EVI.c |
16 | @@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. |
17 | #include <X11/extensions/XEVIstr.h> |
18 | #include "EVIstruct.h" |
19 | #include "modinit.h" |
20 | +#include "scrnintstr.h" |
21 | |
22 | #if 0 |
23 | static unsigned char XEVIReqCode = 0; |
24 | @@ -87,10 +88,22 @@ ProcEVIGetVisualInfo(ClientPtr client) |
25 | { |
26 | REQUEST(xEVIGetVisualInfoReq); |
27 | xEVIGetVisualInfoReply rep; |
28 | - int n, n_conflict, n_info, sz_info, sz_conflict; |
29 | + int i, n, n_conflict, n_info, sz_info, sz_conflict; |
30 | VisualID32 *conflict; |
31 | + unsigned int total_visuals = 0; |
32 | xExtendedVisualInfo *eviInfo; |
33 | int status; |
34 | + |
35 | + /* |
36 | + * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume |
37 | + * here that you don't have more than 2^32 visuals over all your screens; |
38 | + * this seems like a safe assumption. |
39 | + */ |
40 | + for (i = 0; i < screenInfo.numScreens; i++) |
41 | + total_visuals += screenInfo.screens[i]->numVisuals; |
42 | + if (stuff->n_visual > total_visuals) |
43 | + return BadValue; |
44 | + |
45 | REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32); |
46 | status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual, |
47 | &eviInfo, &n_info, &conflict, &n_conflict); |
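Review bot: The new bound check reads `stuff->n_visual` before any length check visible in this hunk, because `REQUEST_FIXED_SIZE` is the first one and it now runs after the loop; a request shorter than the fixed header would be compared using bytes the client never sent. Adding `REQUEST_AT_LEAST_SIZE(xEVIGetVisualInfoReq);` ahead of the `for` loop closes that without reintroducing the overflow the comment describes. The `return BadValue;` path also leaves `client->errorValue` unset, whereas the shm.c hunks in this patch set it before returning BadValue; `client->errorValue = stuff->n_visual;` would keep the error report useful. ProcEVIGetVisualInfo continues past the end of the hunk.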
48 | diff --git a/Xext/sampleEVI.c b/Xext/sampleEVI.c |
49 | index 7508aa7..b871bfd 100644 |
50 | --- a/Xext/sampleEVI.c |
51 | +++ b/Xext/sampleEVI.c |
52 | @@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. |
53 | #include <X11/extensions/XEVIstr.h> |
54 | #include "EVIstruct.h" |
55 | #include "scrnintstr.h" |
56 | + |
57 | +#if HAVE_STDINT_H |
58 | +#include <stdint.h> |
59 | +#elif !defined(UINT32_MAX) |
60 | +#define UINT32_MAX 0xffffffffU |
61 | +#endif |
62 | + |
63 | static int sampleGetVisualInfo( |
64 | VisualID32 *visual, |
65 | int n_visual, |
66 | @@ -42,24 +49,36 @@ static int sampleGetVisualInfo( |
67 | VisualID32 **conflict_rn, |
68 | int *n_conflict_rn) |
69 | { |
70 | - int max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens; |
71 | + unsigned int max_sz_evi; |
72 | VisualID32 *temp_conflict; |
73 | xExtendedVisualInfo *evi; |
74 | - int max_visuals = 0, max_sz_conflict, sz_conflict = 0; |
75 | + unsigned int max_visuals = 0, max_sz_conflict, sz_conflict = 0; |
76 | register int visualI, scrI, sz_evi = 0, conflictI, n_conflict; |
77 | - *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi); |
78 | - if (!*evi_rn) |
79 | - return BadAlloc; |
80 | + |
81 | + if (n_visual > UINT32_MAX/(sz_xExtendedVisualInfo * screenInfo.numScreens)) |
82 | + return BadAlloc; |
83 | + max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens; |
84 | + |
85 | for (scrI = 0; scrI < screenInfo.numScreens; scrI++) { |
86 | if (screenInfo.screens[scrI]->numVisuals > max_visuals) |
87 | max_visuals = screenInfo.screens[scrI]->numVisuals; |
88 | } |
89 | + |
90 | + if (n_visual > UINT32_MAX/(sz_VisualID32 * screenInfo.numScreens |
91 | + * max_visuals)) |
92 | + return BadAlloc; |
93 | max_sz_conflict = n_visual * sz_VisualID32 * screenInfo.numScreens * max_visuals; |
94 | + |
95 | + *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi); |
96 | + if (!*evi_rn) |
97 | + return BadAlloc; |
98 | + |
99 | temp_conflict = (VisualID32 *)xalloc(max_sz_conflict); |
100 | if (!temp_conflict) { |
101 | xfree(*evi_rn); |
102 | return BadAlloc; |
103 | } |
104 | + |
105 | for (scrI = 0; scrI < screenInfo.numScreens; scrI++) { |
106 | for (visualI = 0; visualI < n_visual; visualI++) { |
107 | evi[sz_evi].core_visual_id = visual[visualI]; |
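Review bot: Both new overflow guards divide `UINT32_MAX` by a product that is never checked for zero, and the second divisor includes `max_visuals`, which stays 0 if no screen reports any visuals; that case would be a division by zero rather than a clean error return. It is probably unreachable on a configured server, but a guard before each division, for example `if (!screenInfo.numScreens || !max_visuals) return BadAlloc;` ahead of the second check, makes the function safe independently of its caller. Separately, `n_visual` is a signed `int` compared against an unsigned quotient, so a negative count is rejected only through implicit conversion; a one-line comment saying that is intended would help the next reader. The function starts before and continues after this hunk.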
108 | diff --git a/Xext/shm.c b/Xext/shm.c |
109 | index ac587be..5633be9 100644 |
110 | --- a/Xext/shm.c |
111 | +++ b/Xext/shm.c |
112 | @@ -711,6 +711,8 @@ ProcPanoramiXShmCreatePixmap( |
113 | int i, j, result, rc; |
114 | ShmDescPtr shmdesc; |
115 | REQUEST(xShmCreatePixmapReq); |
116 | + unsigned int width, height, depth; |
117 | + unsigned long size; |
118 | PanoramiXRes *newPix; |
119 | |
120 | REQUEST_SIZE_MATCH(xShmCreatePixmapReq); |
121 | @@ -724,11 +726,26 @@ ProcPanoramiXShmCreatePixmap( |
122 | return rc; |
123 | |
124 | VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); |
125 | - if (!stuff->width || !stuff->height) |
126 | + |
127 | + width = stuff->width; |
128 | + height = stuff->height; |
129 | + depth = stuff->depth; |
130 | + if (!width || !height || !depth) |
131 | { |
132 | client->errorValue = 0; |
133 | return BadValue; |
134 | } |
135 | + if (width > 32767 || height > 32767) |
136 | + return BadAlloc; |
137 | + size = PixmapBytePad(width, depth) * height; |
138 | + if (sizeof(size) == 4) { |
139 | + if (size < width * height) |
140 | + return BadAlloc; |
141 | + /* thankfully, offset is unsigned */ |
142 | + if (stuff->offset + size < size) |
143 | + return BadAlloc; |
144 | + } |
145 | + |
146 | if (stuff->depth != 1) |
147 | { |
148 | pDepth = pDraw->pScreen->allowedDepths; |
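Review bot: The `size < width * height` test inside `if (sizeof(size) == 4)` will reject legitimate pixmaps whose format has fewer than 8 bits per pixel, because PixmapBytePad yields bytes per scanline and for a depth-1 bitmap that is well below `width`; on 32-bit builds such requests now get BadAlloc. The size is also computed before the allowedDepths loop, so PixmapBytePad is evaluated with a client-supplied depth that has only been checked for non-zero, and the `stuff->offset + size` wrap test is skipped wherever `long` is wider than 32 bits. Computing and checking `size` at the `CreatePmap:` label, after depth validation, and limiting the product test to formats above 8 bpp addresses all three; the same applies to the identical block in the ProcShmCreatePixmap hunk. Both functions start before and end after the lines shown.

```c
    if (width > 32767 || height > 32767)
        return BadAlloc;
    /* … unchanged: depth validation against allowedDepths … */
CreatePmap:
    /* depth has been validated by this point */
    size = PixmapBytePad(width, depth) * height;
    if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
        if (size < width * height)
            return BadAlloc;
    }
    /* checked on every build, not only where long is 32 bits */
    if (stuff->offset + size < size)
        return BadAlloc;
    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
```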
149 | @@ -739,9 +756,7 @@ ProcPanoramiXShmCreatePixmap( |
150 | return BadValue; |
151 | } |
152 | CreatePmap: |
153 | - VERIFY_SHMSIZE(shmdesc, stuff->offset, |
154 | - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, |
155 | - client); |
156 | + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); |
157 | |
158 | if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) |
159 | return BadAlloc; |
160 | @@ -1040,6 +1055,8 @@ ProcShmCreatePixmap(client) |
161 | register int i, rc; |
162 | ShmDescPtr shmdesc; |
163 | REQUEST(xShmCreatePixmapReq); |
164 | + unsigned int width, height, depth; |
165 | + unsigned long size; |
166 | |
167 | REQUEST_SIZE_MATCH(xShmCreatePixmapReq); |
168 | client->errorValue = stuff->pid; |
169 | @@ -1052,11 +1069,26 @@ ProcShmCreatePixmap(client) |
170 | return rc; |
171 | |
172 | VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); |
173 | - if (!stuff->width || !stuff->height) |
174 | + |
175 | + width = stuff->width; |
176 | + height = stuff->height; |
177 | + depth = stuff->depth; |
178 | + if (!width || !height || !depth) |
179 | { |
180 | client->errorValue = 0; |
181 | return BadValue; |
182 | } |
183 | + if (width > 32767 || height > 32767) |
184 | + return BadAlloc; |
185 | + size = PixmapBytePad(width, depth) * height; |
186 | + if (sizeof(size) == 4) { |
187 | + if (size < width * height) |
188 | + return BadAlloc; |
189 | + /* thankfully, offset is unsigned */ |
190 | + if (stuff->offset + size < size) |
191 | + return BadAlloc; |
192 | + } |
193 | + |
194 | if (stuff->depth != 1) |
195 | { |
196 | pDepth = pDraw->pScreen->allowedDepths; |
197 | @@ -1067,9 +1099,7 @@ ProcShmCreatePixmap(client) |
198 | return BadValue; |
199 | } |
200 | CreatePmap: |
201 | - VERIFY_SHMSIZE(shmdesc, stuff->offset, |
202 | - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, |
203 | - client); |
204 | + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); |
205 | pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( |
206 | pDraw->pScreen, stuff->width, |
207 | stuff->height, stuff->depth, |
208 | -- |
209 | 1.5.3.5 |
210 |