Contents of /trunk/xorg-server/patches/xorg-server-1.4.0.90-CVE-2007-6429_2.patch
Parent Directory
| 
Revision Log
Revision 486 -
(show annotations)
(download)
Wed Feb 13 00:09:39 2008 UTC (16 years, 3 months ago) by niro
File size: 2594 byte(s)
Wed Feb 13 00:09:39 2008 UTC (16 years, 3 months ago) by niro
File size: 2594 byte(s)
-added several security fixes, a fix for compiz and openoffice
| 1 | From e9fa7c1c88a8130a48f772c92b186b8b777986b5 Mon Sep 17 00:00:00 2001 |
| 2 | From: Adam Jackson <ajax@redhat.com> |
| 3 | Date: Fri, 18 Jan 2008 14:41:20 -0500 |
| 4 | Subject: [PATCH] CVE-2007-6429: Don't spuriously reject <8bpp shm pixmaps. |
| 5 | |
| 6 | Move size validation after depth validation, and only validate size if |
| 7 | the bpp of the pixmap format is > 8. If bpp < 8 then we're already |
| 8 | protected from overflow by the width and height checks. |
| 9 | --- |
| 10 | Xext/shm.c | 36 ++++++++++++++++++++---------------- |
| 11 | 1 files changed, 20 insertions(+), 16 deletions(-) |
| 12 | |
| 13 | diff --git a/Xext/shm.c b/Xext/shm.c |
| 14 | index c545e49..e46f6fc 100644 |
| 15 | --- a/Xext/shm.c |
| 16 | +++ b/Xext/shm.c |
| 17 | @@ -783,14 +783,6 @@ ProcPanoramiXShmCreatePixmap( |
| 18 | } |
| 19 | if (width > 32767 || height > 32767) |
| 20 | return BadAlloc; |
| 21 | - size = PixmapBytePad(width, depth) * height; |
| 22 | - if (sizeof(size) == 4) { |
| 23 | - if (size < width * height) |
| 24 | - return BadAlloc; |
| 25 | - /* thankfully, offset is unsigned */ |
| 26 | - if (stuff->offset + size < size) |
| 27 | - return BadAlloc; |
| 28 | - } |
| 29 | |
| 30 | if (stuff->depth != 1) |
| 31 | { |
| 32 | @@ -801,7 +793,17 @@ ProcPanoramiXShmCreatePixmap( |
| 33 | client->errorValue = stuff->depth; |
| 34 | return BadValue; |
| 35 | } |
| 36 | + |
| 37 | CreatePmap: |
| 38 | + size = PixmapBytePad(width, depth) * height; |
| 39 | + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { |
| 40 | + if (size < width * height) |
| 41 | + return BadAlloc; |
| 42 | + /* thankfully, offset is unsigned */ |
| 43 | + if (stuff->offset + size < size) |
| 44 | + return BadAlloc; |
| 45 | + } |
| 46 | + |
| 47 | VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); |
| 48 | |
| 49 | if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) |
| 50 | @@ -1126,14 +1128,6 @@ ProcShmCreatePixmap(client) |
| 51 | } |
| 52 | if (width > 32767 || height > 32767) |
| 53 | return BadAlloc; |
| 54 | - size = PixmapBytePad(width, depth) * height; |
| 55 | - if (sizeof(size) == 4) { |
| 56 | - if (size < width * height) |
| 57 | - return BadAlloc; |
| 58 | - /* thankfully, offset is unsigned */ |
| 59 | - if (stuff->offset + size < size) |
| 60 | - return BadAlloc; |
| 61 | - } |
| 62 | |
| 63 | if (stuff->depth != 1) |
| 64 | { |
| 65 | @@ -1144,7 +1138,17 @@ ProcShmCreatePixmap(client) |
| 66 | client->errorValue = stuff->depth; |
| 67 | return BadValue; |
| 68 | } |
| 69 | + |
| 70 | CreatePmap: |
| 71 | + size = PixmapBytePad(width, depth) * height; |
| 72 | + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { |
| 73 | + if (size < width * height) |
| 74 | + return BadAlloc; |
| 75 | + /* thankfully, offset is unsigned */ |
| 76 | + if (stuff->offset + size < size) |
| 77 | + return BadAlloc; |
| 78 | + } |
| 79 | + |
| 80 | VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); |
| 81 | pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( |
| 82 | pDraw->pScreen, stuff->width, |
| 83 | -- |
| 84 | 1.5.3.8 |
| 85 |