Contents of /trunk/xorg-server/patches/xorg-server-1.4.0.90-CVE-2007-6429_2.patch
Parent Directory | Revision Log
Revision 486 -
(show annotations)
(download)
Wed Feb 13 00:09:39 2008 UTC (16 years, 7 months ago) by niro
File size: 2594 byte(s)
Wed Feb 13 00:09:39 2008 UTC (16 years, 7 months ago) by niro
File size: 2594 byte(s)
-added several security fixes, a fix for compiz and openoffice
1 | From e9fa7c1c88a8130a48f772c92b186b8b777986b5 Mon Sep 17 00:00:00 2001 |
2 | From: Adam Jackson <ajax@redhat.com> |
3 | Date: Fri, 18 Jan 2008 14:41:20 -0500 |
4 | Subject: [PATCH] CVE-2007-6429: Don't spuriously reject <8bpp shm pixmaps. |
5 | |
6 | Move size validation after depth validation, and only validate size if |
7 | the bpp of the pixmap format is > 8. If bpp < 8 then we're already |
8 | protected from overflow by the width and height checks. |
9 | --- |
10 | Xext/shm.c | 36 ++++++++++++++++++++---------------- |
11 | 1 files changed, 20 insertions(+), 16 deletions(-) |
12 | |
13 | diff --git a/Xext/shm.c b/Xext/shm.c |
14 | index c545e49..e46f6fc 100644 |
15 | --- a/Xext/shm.c |
16 | +++ b/Xext/shm.c |
17 | @@ -783,14 +783,6 @@ ProcPanoramiXShmCreatePixmap( |
18 | } |
19 | if (width > 32767 || height > 32767) |
20 | return BadAlloc; |
21 | - size = PixmapBytePad(width, depth) * height; |
22 | - if (sizeof(size) == 4) { |
23 | - if (size < width * height) |
24 | - return BadAlloc; |
25 | - /* thankfully, offset is unsigned */ |
26 | - if (stuff->offset + size < size) |
27 | - return BadAlloc; |
28 | - } |
29 | |
30 | if (stuff->depth != 1) |
31 | { |
32 | @@ -801,7 +793,17 @@ ProcPanoramiXShmCreatePixmap( |
33 | client->errorValue = stuff->depth; |
34 | return BadValue; |
35 | } |
36 | + |
37 | CreatePmap: |
38 | + size = PixmapBytePad(width, depth) * height; |
39 | + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { |
40 | + if (size < width * height) |
41 | + return BadAlloc; |
42 | + /* thankfully, offset is unsigned */ |
43 | + if (stuff->offset + size < size) |
44 | + return BadAlloc; |
45 | + } |
46 | + |
47 | VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); |
48 | |
49 | if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) |
50 | @@ -1126,14 +1128,6 @@ ProcShmCreatePixmap(client) |
51 | } |
52 | if (width > 32767 || height > 32767) |
53 | return BadAlloc; |
54 | - size = PixmapBytePad(width, depth) * height; |
55 | - if (sizeof(size) == 4) { |
56 | - if (size < width * height) |
57 | - return BadAlloc; |
58 | - /* thankfully, offset is unsigned */ |
59 | - if (stuff->offset + size < size) |
60 | - return BadAlloc; |
61 | - } |
62 | |
63 | if (stuff->depth != 1) |
64 | { |
65 | @@ -1144,7 +1138,17 @@ ProcShmCreatePixmap(client) |
66 | client->errorValue = stuff->depth; |
67 | return BadValue; |
68 | } |
69 | + |
70 | CreatePmap: |
71 | + size = PixmapBytePad(width, depth) * height; |
72 | + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { |
73 | + if (size < width * height) |
74 | + return BadAlloc; |
75 | + /* thankfully, offset is unsigned */ |
76 | + if (stuff->offset + size < size) |
77 | + return BadAlloc; |
78 | + } |
79 | + |
80 | VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); |
81 | pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( |
82 | pDraw->pScreen, stuff->width, |
83 | -- |
84 | 1.5.3.8 |
85 |