Annotation of /trunk/xorg-server/patches/xorg-server-1.4.0.90-CVE-2007-6429_2.patch
Parent Directory
| 
Revision Log
Revision 486 -
(hide annotations)
(download)
Wed Feb 13 00:09:39 2008 UTC (16 years, 3 months ago) by niro
File size: 2594 byte(s)
Wed Feb 13 00:09:39 2008 UTC (16 years, 3 months ago) by niro
File size: 2594 byte(s)
-added several security fixes, a fix for compiz and openoffice
| 1 | niro | 486 | From e9fa7c1c88a8130a48f772c92b186b8b777986b5 Mon Sep 17 00:00:00 2001 |
| 2 | From: Adam Jackson <ajax@redhat.com> | ||
| 3 | Date: Fri, 18 Jan 2008 14:41:20 -0500 | ||
| 4 | Subject: [PATCH] CVE-2007-6429: Don't spuriously reject <8bpp shm pixmaps. | ||
| 5 | |||
| 6 | Move size validation after depth validation, and only validate size if | ||
| 7 | the bpp of the pixmap format is > 8. If bpp < 8 then we're already | ||
| 8 | protected from overflow by the width and height checks. | ||
| 9 | --- | ||
| 10 | Xext/shm.c | 36 ++++++++++++++++++++---------------- | ||
| 11 | 1 files changed, 20 insertions(+), 16 deletions(-) | ||
| 12 | |||
| 13 | diff --git a/Xext/shm.c b/Xext/shm.c | ||
| 14 | index c545e49..e46f6fc 100644 | ||
| 15 | --- a/Xext/shm.c | ||
| 16 | +++ b/Xext/shm.c | ||
| 17 | @@ -783,14 +783,6 @@ ProcPanoramiXShmCreatePixmap( | ||
| 18 | } | ||
| 19 | if (width > 32767 || height > 32767) | ||
| 20 | return BadAlloc; | ||
| 21 | - size = PixmapBytePad(width, depth) * height; | ||
| 22 | - if (sizeof(size) == 4) { | ||
| 23 | - if (size < width * height) | ||
| 24 | - return BadAlloc; | ||
| 25 | - /* thankfully, offset is unsigned */ | ||
| 26 | - if (stuff->offset + size < size) | ||
| 27 | - return BadAlloc; | ||
| 28 | - } | ||
| 29 | |||
| 30 | if (stuff->depth != 1) | ||
| 31 | { | ||
| 32 | @@ -801,7 +793,17 @@ ProcPanoramiXShmCreatePixmap( | ||
| 33 | client->errorValue = stuff->depth; | ||
| 34 | return BadValue; | ||
| 35 | } | ||
| 36 | + | ||
| 37 | CreatePmap: | ||
| 38 | + size = PixmapBytePad(width, depth) * height; | ||
| 39 | + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { | ||
| 40 | + if (size < width * height) | ||
| 41 | + return BadAlloc; | ||
| 42 | + /* thankfully, offset is unsigned */ | ||
| 43 | + if (stuff->offset + size < size) | ||
| 44 | + return BadAlloc; | ||
| 45 | + } | ||
| 46 | + | ||
| 47 | VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); | ||
| 48 | |||
| 49 | if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) | ||
| 50 | @@ -1126,14 +1128,6 @@ ProcShmCreatePixmap(client) | ||
| 51 | } | ||
| 52 | if (width > 32767 || height > 32767) | ||
| 53 | return BadAlloc; | ||
| 54 | - size = PixmapBytePad(width, depth) * height; | ||
| 55 | - if (sizeof(size) == 4) { | ||
| 56 | - if (size < width * height) | ||
| 57 | - return BadAlloc; | ||
| 58 | - /* thankfully, offset is unsigned */ | ||
| 59 | - if (stuff->offset + size < size) | ||
| 60 | - return BadAlloc; | ||
| 61 | - } | ||
| 62 | |||
| 63 | if (stuff->depth != 1) | ||
| 64 | { | ||
| 65 | @@ -1144,7 +1138,17 @@ ProcShmCreatePixmap(client) | ||
| 66 | client->errorValue = stuff->depth; | ||
| 67 | return BadValue; | ||
| 68 | } | ||
| 69 | + | ||
| 70 | CreatePmap: | ||
| 71 | + size = PixmapBytePad(width, depth) * height; | ||
| 72 | + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { | ||
| 73 | + if (size < width * height) | ||
| 74 | + return BadAlloc; | ||
| 75 | + /* thankfully, offset is unsigned */ | ||
| 76 | + if (stuff->offset + size < size) | ||
| 77 | + return BadAlloc; | ||
| 78 | + } | ||
| 79 | + | ||
| 80 | VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); | ||
| 81 | pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( | ||
| 82 | pDraw->pScreen, stuff->width, | ||
| 83 | -- | ||
| 84 | 1.5.3.8 | ||
| 85 |