/[gentoo-x86]/x11-base/xorg-server/files/1.3-0003-Fix-for-CVE-2007-6427-Xinput-extension-memory-corr.patch
Gentoo

Contents of /x11-base/xorg-server/files/1.3-0003-Fix-for-CVE-2007-6427-Xinput-extension-memory-corr.patch

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1.2 - (show annotations) (download)
Mon Sep 28 07:41:03 2009 UTC (5 years, 2 months ago) by remi
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +0 -0 lines
FILE REMOVED
x11-base/xorg-server: drop old ebuilds, prune ${FILESDIR}
(Portage version: 2.2_rc42/cvs/Linux i686)

1 Index: xorg-server-1.3.0.0/Xi/chgfctl.c
2 ===================================================================
3 --- xorg-server-1.3.0.0.orig/Xi/chgfctl.c
4 +++ xorg-server-1.3.0.0/Xi/chgfctl.c
5 @@ -451,18 +451,13 @@ ChangeStringFeedback(ClientPtr client, D
6 xStringFeedbackCtl * f)
7 {
8 register char n;
9 - register long *p;
10 int i, j;
11 KeySym *syms, *sup_syms;
12
13 syms = (KeySym *) (f + 1);
14 if (client->swapped) {
15 swaps(&f->length, n); /* swapped num_keysyms in calling proc */
16 - p = (long *)(syms);
17 - for (i = 0; i < f->num_keysyms; i++) {
18 - swapl(p, n);
19 - p++;
20 - }
21 + SwapLongs((CARD32 *) syms, f->num_keysyms);
22 }
23
24 if (f->num_keysyms > s->ctrl.max_symbols) {
25 Index: xorg-server-1.3.0.0/Xi/chgkmap.c
26 ===================================================================
27 --- xorg-server-1.3.0.0.orig/Xi/chgkmap.c
28 +++ xorg-server-1.3.0.0/Xi/chgkmap.c
29 @@ -79,18 +79,14 @@ int
30 SProcXChangeDeviceKeyMapping(register ClientPtr client)
31 {
32 register char n;
33 - register long *p;
34 - register int i, count;
35 + register unsigned int count;
36
37 REQUEST(xChangeDeviceKeyMappingReq);
38 swaps(&stuff->length, n);
39 REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
40 - p = (long *)&stuff[1];
41 count = stuff->keyCodes * stuff->keySymsPerKeyCode;
42 - for (i = 0; i < count; i++) {
43 - swapl(p, n);
44 - p++;
45 - }
46 + REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
47 + SwapLongs((CARD32 *) (&stuff[1]), count);
48 return (ProcXChangeDeviceKeyMapping(client));
49 }
50
51 @@ -106,10 +102,14 @@ ProcXChangeDeviceKeyMapping(register Cli
52 int ret;
53 unsigned len;
54 DeviceIntPtr dev;
55 + unsigned int count;
56
57 REQUEST(xChangeDeviceKeyMappingReq);
58 REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
59
60 + count = stuff->keyCodes * stuff->keySymsPerKeyCode;
61 + REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
62 +
63 dev = LookupDeviceIntRec(stuff->deviceid);
64 if (dev == NULL) {
65 SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0,
66 Index: xorg-server-1.3.0.0/Xi/chgprop.c
67 ===================================================================
68 --- xorg-server-1.3.0.0.orig/Xi/chgprop.c
69 +++ xorg-server-1.3.0.0/Xi/chgprop.c
70 @@ -81,19 +81,15 @@ int
71 SProcXChangeDeviceDontPropagateList(register ClientPtr client)
72 {
73 register char n;
74 - register long *p;
75 - register int i;
76
77 REQUEST(xChangeDeviceDontPropagateListReq);
78 swaps(&stuff->length, n);
79 REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
80 swapl(&stuff->window, n);
81 swaps(&stuff->count, n);
82 - p = (long *)&stuff[1];
83 - for (i = 0; i < stuff->count; i++) {
84 - swapl(p, n);
85 - p++;
86 - }
87 + REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
88 + stuff->count * sizeof(CARD32));
89 + SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
90 return (ProcXChangeDeviceDontPropagateList(client));
91 }
92
93 Index: xorg-server-1.3.0.0/Xi/grabdev.c
94 ===================================================================
95 --- xorg-server-1.3.0.0.orig/Xi/grabdev.c
96 +++ xorg-server-1.3.0.0/Xi/grabdev.c
97 @@ -82,8 +82,6 @@ int
98 SProcXGrabDevice(register ClientPtr client)
99 {
100 register char n;
101 - register long *p;
102 - register int i;
103
104 REQUEST(xGrabDeviceReq);
105 swaps(&stuff->length, n);
106 @@ -91,11 +89,11 @@ SProcXGrabDevice(register ClientPtr clie
107 swapl(&stuff->grabWindow, n);
108 swapl(&stuff->time, n);
109 swaps(&stuff->event_count, n);
110 - p = (long *)&stuff[1];
111 - for (i = 0; i < stuff->event_count; i++) {
112 - swapl(p, n);
113 - p++;
114 - }
115 +
116 + if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
117 + return BadLength;
118 +
119 + SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
120
121 return (ProcXGrabDevice(client));
122 }
123 Index: xorg-server-1.3.0.0/Xi/grabdevb.c
124 ===================================================================
125 --- xorg-server-1.3.0.0.orig/Xi/grabdevb.c
126 +++ xorg-server-1.3.0.0/Xi/grabdevb.c
127 @@ -80,8 +80,6 @@ int
128 SProcXGrabDeviceButton(register ClientPtr client)
129 {
130 register char n;
131 - register long *p;
132 - register int i;
133
134 REQUEST(xGrabDeviceButtonReq);
135 swaps(&stuff->length, n);
136 @@ -89,11 +87,9 @@ SProcXGrabDeviceButton(register ClientPt
137 swapl(&stuff->grabWindow, n);
138 swaps(&stuff->modifiers, n);
139 swaps(&stuff->event_count, n);
140 - p = (long *)&stuff[1];
141 - for (i = 0; i < stuff->event_count; i++) {
142 - swapl(p, n);
143 - p++;
144 - }
145 + REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
146 + stuff->event_count * sizeof(CARD32));
147 + SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
148
149 return (ProcXGrabDeviceButton(client));
150 }
151 Index: xorg-server-1.3.0.0/Xi/grabdevk.c
152 ===================================================================
153 --- xorg-server-1.3.0.0.orig/Xi/grabdevk.c
154 +++ xorg-server-1.3.0.0/Xi/grabdevk.c
155 @@ -80,8 +80,6 @@ int
156 SProcXGrabDeviceKey(register ClientPtr client)
157 {
158 register char n;
159 - register long *p;
160 - register int i;
161
162 REQUEST(xGrabDeviceKeyReq);
163 swaps(&stuff->length, n);
164 @@ -89,11 +87,8 @@ SProcXGrabDeviceKey(register ClientPtr c
165 swapl(&stuff->grabWindow, n);
166 swaps(&stuff->modifiers, n);
167 swaps(&stuff->event_count, n);
168 - p = (long *)&stuff[1];
169 - for (i = 0; i < stuff->event_count; i++) {
170 - swapl(p, n);
171 - p++;
172 - }
173 + REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
174 + SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
175 return (ProcXGrabDeviceKey(client));
176 }
177
178 Index: xorg-server-1.3.0.0/Xi/selectev.c
179 ===================================================================
180 --- xorg-server-1.3.0.0.orig/Xi/selectev.c
181 +++ xorg-server-1.3.0.0/Xi/selectev.c
182 @@ -84,19 +84,16 @@ int
183 SProcXSelectExtensionEvent(register ClientPtr client)
184 {
185 register char n;
186 - register long *p;
187 - register int i;
188
189 REQUEST(xSelectExtensionEventReq);
190 swaps(&stuff->length, n);
191 REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
192 swapl(&stuff->window, n);
193 swaps(&stuff->count, n);
194 - p = (long *)&stuff[1];
195 - for (i = 0; i < stuff->count; i++) {
196 - swapl(p, n);
197 - p++;
198 - }
199 + REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
200 + stuff->count * sizeof(CARD32));
201 + SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
202 +
203 return (ProcXSelectExtensionEvent(client));
204 }
205
206 Index: xorg-server-1.3.0.0/Xi/sendexev.c
207 ===================================================================
208 --- xorg-server-1.3.0.0.orig/Xi/sendexev.c
209 +++ xorg-server-1.3.0.0/Xi/sendexev.c
210 @@ -83,7 +83,7 @@ int
211 SProcXSendExtensionEvent(register ClientPtr client)
212 {
213 register char n;
214 - register long *p;
215 + register CARD32 *p;
216 register int i;
217 xEvent eventT;
218 xEvent *eventP;
219 @@ -94,6 +94,11 @@ SProcXSendExtensionEvent(register Client
220 REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
221 swapl(&stuff->destination, n);
222 swaps(&stuff->count, n);
223 +
224 + if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
225 + (stuff->num_events * (sizeof(xEvent) >> 2)))
226 + return BadLength;
227 +
228 eventP = (xEvent *) & stuff[1];
229 for (i = 0; i < stuff->num_events; i++, eventP++) {
230 proc = EventSwapVector[eventP->u.u.type & 0177];
231 @@ -103,11 +108,8 @@ SProcXSendExtensionEvent(register Client
232 *eventP = eventT;
233 }
234
235 - p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
236 - for (i = 0; i < stuff->count; i++) {
237 - swapl(p, n);
238 - p++;
239 - }
240 + p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
241 + SwapLongs(p, stuff->count);
242 return (ProcXSendExtensionEvent(client));
243 }
244

  ViewVC Help
Powered by ViewVC 1.1.20