
Contents of /x11-base/xorg-server/files/1.4-0004-Fix-for-CVE-2007-6429-MIT-SHM-and-EVI-extensions-i.patch



Revision 1.2 - (show annotations) (download)
Mon Sep 28 07:41:03 2009 UTC (4 years, 10 months ago) by remi
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +0 -0 lines
FILE REMOVED
x11-base/xorg-server: drop old ebuilds, prune ${FILESDIR}
(Portage version: 2.2_rc42/cvs/Linux i686)

1 From 8b14f7b74284900b95a319ec80c4333e63af2296 Mon Sep 17 00:00:00 2001
2 From: Matthieu Herrb <matthieu@bluenote.herrb.com>
3 Date: Thu, 17 Jan 2008 15:28:42 +0100
4 Subject: [PATCH] Fix for CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows.
5
6 ---
7 Xext/EVI.c | 15 ++++++++++++++-
8 Xext/sampleEVI.c | 29 ++++++++++++++++++++++++-----
9 Xext/shm.c | 46 ++++++++++++++++++++++++++++++++++++++--------
10 3 files changed, 76 insertions(+), 14 deletions(-)
11
12 diff --git a/Xext/EVI.c b/Xext/EVI.c
13 index 8fe3481..13bd32a 100644
14 --- a/Xext/EVI.c
15 +++ b/Xext/EVI.c
16 @@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 #include <X11/extensions/XEVIstr.h>
18 #include "EVIstruct.h"
19 #include "modinit.h"
20 +#include "scrnintstr.h"
21
22 #if 0
23 static unsigned char XEVIReqCode = 0;
24 @@ -87,10 +88,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
25 {
26 REQUEST(xEVIGetVisualInfoReq);
27 xEVIGetVisualInfoReply rep;
28 - int n, n_conflict, n_info, sz_info, sz_conflict;
29 + int i, n, n_conflict, n_info, sz_info, sz_conflict;
30 VisualID32 *conflict;
31 + unsigned int total_visuals = 0;
32 xExtendedVisualInfo *eviInfo;
33 int status;
34 +
35 + /*
36 + * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume
37 + * here that you don't have more than 2^32 visuals over all your screens;
38 + * this seems like a safe assumption.
39 + */
40 + for (i = 0; i < screenInfo.numScreens; i++)
41 + total_visuals += screenInfo.screens[i]->numVisuals;
42 + if (stuff->n_visual > total_visuals)
43 + return BadValue;
44 +
45 REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
46 status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
47 &eviInfo, &n_info, &conflict, &n_conflict);
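Review bot: The new `stuff->n_visual > total_visuals` test reads `stuff->n_visual` before any length check in the visible body, because `REQUEST_FIXED_SIZE` now runs after it. If dispatch does not already guarantee the fixed part of the request (not visible here), a request shorter than `xEVIGetVisualInfoReq` would be judged on bytes the client never sent and could get BadValue where BadLength is expected. I would put `REQUEST_AT_LEAST_SIZE(xEVIGetVisualInfoReq);` ahead of the loop. The comment could also name what the bound protects: `stuff->n_visual * sz_VisualID32` wraps once the count reaches 2^32 / sz_VisualID32, well below the 2^32 visuals it mentions. The function body continues past the end of the hunk.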
48 diff --git a/Xext/sampleEVI.c b/Xext/sampleEVI.c
49 index 7508aa7..b871bfd 100644
50 --- a/Xext/sampleEVI.c
51 +++ b/Xext/sampleEVI.c
52 @@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
53 #include <X11/extensions/XEVIstr.h>
54 #include "EVIstruct.h"
55 #include "scrnintstr.h"
56 +
57 +#if HAVE_STDINT_H
58 +#include <stdint.h>
59 +#elif !defined(UINT32_MAX)
60 +#define UINT32_MAX 0xffffffffU
61 +#endif
62 +
63 static int sampleGetVisualInfo(
64 VisualID32 *visual,
65 int n_visual,
66 @@ -42,24 +49,36 @@ static int sampleGetVisualInfo(
67 VisualID32 **conflict_rn,
68 int *n_conflict_rn)
69 {
70 - int max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
71 + unsigned int max_sz_evi;
72 VisualID32 *temp_conflict;
73 xExtendedVisualInfo *evi;
74 - int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
75 + unsigned int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
76 register int visualI, scrI, sz_evi = 0, conflictI, n_conflict;
77 - *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
78 - if (!*evi_rn)
79 - return BadAlloc;
80 +
81 + if (n_visual > UINT32_MAX/(sz_xExtendedVisualInfo * screenInfo.numScreens))
82 + return BadAlloc;
83 + max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
84 +
85 for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
86 if (screenInfo.screens[scrI]->numVisuals > max_visuals)
87 max_visuals = screenInfo.screens[scrI]->numVisuals;
88 }
89 +
90 + if (n_visual > UINT32_MAX/(sz_VisualID32 * screenInfo.numScreens
91 + * max_visuals))
92 + return BadAlloc;
93 max_sz_conflict = n_visual * sz_VisualID32 * screenInfo.numScreens * max_visuals;
94 +
95 + *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
96 + if (!*evi_rn)
97 + return BadAlloc;
98 +
99 temp_conflict = (VisualID32 *)xalloc(max_sz_conflict);
100 if (!temp_conflict) {
101 xfree(*evi_rn);
102 return BadAlloc;
103 }
104 +
105 for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
106 for (visualI = 0; visualI < n_visual; visualI++) {
107 evi[sz_evi].core_visual_id = visual[visualI];
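Review bot: Both new guards divide by a product that can be zero, since `screenInfo.numScreens` is a factor in each divisor and `max_visuals` starts at 0 and is only raised by the loop over screens. A server with no screens or no visuals is unlikely, but running the screen loop first and adding `if (!screenInfo.numScreens || !max_visuals) return BadAlloc;` (error code to be confirmed) before either division would close that path. `n_visual` is still a signed `int`, so negative counts are rejected only through the implicit conversion to unsigned in the comparison, assuming `UINT32_MAX` has an unsigned type as the fallback define does. A short comment such as `/* negative n_visual converts to a huge unsigned value and is rejected here */` would record that intent. The function's signature starts before this hunk and its body continues past it.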
108 diff --git a/Xext/shm.c b/Xext/shm.c
109 index ac587be..5633be9 100644
110 --- a/Xext/shm.c
111 +++ b/Xext/shm.c
112 @@ -711,6 +711,8 @@ ProcPanoramiXShmCreatePixmap(
113 int i, j, result, rc;
114 ShmDescPtr shmdesc;
115 REQUEST(xShmCreatePixmapReq);
116 + unsigned int width, height, depth;
117 + unsigned long size;
118 PanoramiXRes *newPix;
119
120 REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
121 @@ -724,11 +726,26 @@ ProcPanoramiXShmCreatePixmap(
122 return rc;
123
124 VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
125 - if (!stuff->width || !stuff->height)
126 +
127 + width = stuff->width;
128 + height = stuff->height;
129 + depth = stuff->depth;
130 + if (!width || !height || !depth)
131 {
132 client->errorValue = 0;
133 return BadValue;
134 }
135 + if (width > 32767 || height > 32767)
136 + return BadAlloc;
137 + size = PixmapBytePad(width, depth) * height;
138 + if (sizeof(size) == 4) {
139 + if (size < width * height)
140 + return BadAlloc;
141 + /* thankfully, offset is unsigned */
142 + if (stuff->offset + size < size)
143 + return BadAlloc;
144 + }
145 +
146 if (stuff->depth != 1)
147 {
148 pDepth = pDraw->pScreen->allowedDepths;
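Review bot: `size = PixmapBytePad(width, depth) * height` is evaluated before the `allowedDepths` loop has accepted `stuff->depth`, so the macro runs on a client-supplied depth that has only been checked for non-zero; if PixmapBytePad indexes a per-depth table (its definition is not on this page), that index is unchecked. Separately, on builds where `sizeof(size) == 4` the `size < width * height` test looks like it rejects valid pixmaps below 8 bits per pixel, whose byte size is legitimately smaller than the pixel count, and the depth-1 case is explicitly supported a few lines later. I would size the pixmap after the `CreatePmap:` label (which sits in the following hunk), apply the pixel-count test only to depths above 8 bits per pixel, and run the offset wrap test unconditionally, since it costs nothing when `long` is wider. The same block is repeated in ProcShmCreatePixmap, in the hunk at `@@ -1052,11 +1069,26 @@`, and needs the same change.

```c
    /* … unchanged: zero and 32767 checks, allowedDepths loop validating stuff->depth … */
CreatePmap:
    /* depth has been validated by this point, so it is safe to size the pixmap */
    size = PixmapBytePad(width, depth) * height;
    if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
        if (size < width * height)
            return BadAlloc;
    }
    /* thankfully, offset is unsigned */
    if (stuff->offset + size < size)
        return BadAlloc;
    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
```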
149 @@ -739,9 +756,7 @@ ProcPanoramiXShmCreatePixmap(
150 return BadValue;
151 }
152 CreatePmap:
153 - VERIFY_SHMSIZE(shmdesc, stuff->offset,
154 - PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
155 - client);
156 + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
157
158 if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
159 return BadAlloc;
160 @@ -1040,6 +1055,8 @@ ProcShmCreatePixmap(client)
161 register int i, rc;
162 ShmDescPtr shmdesc;
163 REQUEST(xShmCreatePixmapReq);
164 + unsigned int width, height, depth;
165 + unsigned long size;
166
167 REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
168 client->errorValue = stuff->pid;
169 @@ -1052,11 +1069,26 @@ ProcShmCreatePixmap(client)
170 return rc;
171
172 VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
173 - if (!stuff->width || !stuff->height)
174 +
175 + width = stuff->width;
176 + height = stuff->height;
177 + depth = stuff->depth;
178 + if (!width || !height || !depth)
179 {
180 client->errorValue = 0;
181 return BadValue;
182 }
183 + if (width > 32767 || height > 32767)
184 + return BadAlloc;
185 + size = PixmapBytePad(width, depth) * height;
186 + if (sizeof(size) == 4) {
187 + if (size < width * height)
188 + return BadAlloc;
189 + /* thankfully, offset is unsigned */
190 + if (stuff->offset + size < size)
191 + return BadAlloc;
192 + }
193 +
194 if (stuff->depth != 1)
195 {
196 pDepth = pDraw->pScreen->allowedDepths;
197 @@ -1067,9 +1099,7 @@ ProcShmCreatePixmap(client)
198 return BadValue;
199 }
200 CreatePmap:
201 - VERIFY_SHMSIZE(shmdesc, stuff->offset,
202 - PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
203 - client);
204 + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
205 pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
206 pDraw->pScreen, stuff->width,
207 stuff->height, stuff->depth,
208 --
209 1.5.3.5
