Annotation of /trunk/xorg-server/patches/xorg-server-1.4.0.90-CVE-2007-6429_2.patch
Parent Directory | Revision Log
Revision 486 -
(hide annotations)
(download)
Wed Feb 13 00:09:39 2008 UTC (16 years, 7 months ago) by niro
File size: 2594 byte(s)
Wed Feb 13 00:09:39 2008 UTC (16 years, 7 months ago) by niro
File size: 2594 byte(s)
-added several security fixes, a fix for compiz and openoffice
1 | niro | 486 | From e9fa7c1c88a8130a48f772c92b186b8b777986b5 Mon Sep 17 00:00:00 2001 |
2 | From: Adam Jackson <ajax@redhat.com> | ||
3 | Date: Fri, 18 Jan 2008 14:41:20 -0500 | ||
4 | Subject: [PATCH] CVE-2007-6429: Don't spuriously reject <8bpp shm pixmaps. | ||
5 | |||
6 | Move size validation after depth validation, and only validate size if | ||
7 | the bpp of the pixmap format is > 8. If bpp < 8 then we're already | ||
8 | protected from overflow by the width and height checks. | ||
9 | --- | ||
10 | Xext/shm.c | 36 ++++++++++++++++++++---------------- | ||
11 | 1 files changed, 20 insertions(+), 16 deletions(-) | ||
12 | |||
13 | diff --git a/Xext/shm.c b/Xext/shm.c | ||
14 | index c545e49..e46f6fc 100644 | ||
15 | --- a/Xext/shm.c | ||
16 | +++ b/Xext/shm.c | ||
17 | @@ -783,14 +783,6 @@ ProcPanoramiXShmCreatePixmap( | ||
18 | } | ||
19 | if (width > 32767 || height > 32767) | ||
20 | return BadAlloc; | ||
21 | - size = PixmapBytePad(width, depth) * height; | ||
22 | - if (sizeof(size) == 4) { | ||
23 | - if (size < width * height) | ||
24 | - return BadAlloc; | ||
25 | - /* thankfully, offset is unsigned */ | ||
26 | - if (stuff->offset + size < size) | ||
27 | - return BadAlloc; | ||
28 | - } | ||
29 | |||
30 | if (stuff->depth != 1) | ||
31 | { | ||
32 | @@ -801,7 +793,17 @@ ProcPanoramiXShmCreatePixmap( | ||
33 | client->errorValue = stuff->depth; | ||
34 | return BadValue; | ||
35 | } | ||
36 | + | ||
37 | CreatePmap: | ||
38 | + size = PixmapBytePad(width, depth) * height; | ||
39 | + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { | ||
40 | + if (size < width * height) | ||
41 | + return BadAlloc; | ||
42 | + /* thankfully, offset is unsigned */ | ||
43 | + if (stuff->offset + size < size) | ||
44 | + return BadAlloc; | ||
45 | + } | ||
46 | + | ||
47 | VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); | ||
48 | |||
49 | if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) | ||
50 | @@ -1126,14 +1128,6 @@ ProcShmCreatePixmap(client) | ||
51 | } | ||
52 | if (width > 32767 || height > 32767) | ||
53 | return BadAlloc; | ||
54 | - size = PixmapBytePad(width, depth) * height; | ||
55 | - if (sizeof(size) == 4) { | ||
56 | - if (size < width * height) | ||
57 | - return BadAlloc; | ||
58 | - /* thankfully, offset is unsigned */ | ||
59 | - if (stuff->offset + size < size) | ||
60 | - return BadAlloc; | ||
61 | - } | ||
62 | |||
63 | if (stuff->depth != 1) | ||
64 | { | ||
65 | @@ -1144,7 +1138,17 @@ ProcShmCreatePixmap(client) | ||
66 | client->errorValue = stuff->depth; | ||
67 | return BadValue; | ||
68 | } | ||
69 | + | ||
70 | CreatePmap: | ||
71 | + size = PixmapBytePad(width, depth) * height; | ||
72 | + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { | ||
73 | + if (size < width * height) | ||
74 | + return BadAlloc; | ||
75 | + /* thankfully, offset is unsigned */ | ||
76 | + if (stuff->offset + size < size) | ||
77 | + return BadAlloc; | ||
78 | + } | ||
79 | + | ||
80 | VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); | ||
81 | pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( | ||
82 | pDraw->pScreen, stuff->width, | ||
83 | -- | ||
84 | 1.5.3.8 | ||
85 |