/[gentoo-x86]/x11-base/xorg-server/files/xorg-xserver-1.4-cve-2008-1377.diff
Gentoo

Contents of /x11-base/xorg-server/files/xorg-xserver-1.4-cve-2008-1377.diff

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1.2 - (show annotations) (download)
Mon Sep 28 07:41:03 2009 UTC (5 years, 2 months ago) by remi
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +0 -0 lines
File MIME type: text/plain
FILE REMOVED
x11-base/xorg-server: drop old ebuilds, prune ${FILESDIR}
(Portage version: 2.2_rc42/cvs/Linux i686)

1 diff --git a/Xext/security.c b/Xext/security.c
2 index ba057de..f34c463 100644
3 --- a/Xext/security.c
4 +++ b/Xext/security.c
5 @@ -651,15 +651,19 @@ SProcSecurityGenerateAuthorization(
6 register char n;
7 CARD32 *values;
8 unsigned long nvalues;
9 + int values_offset;
10
11 swaps(&stuff->length, n);
12 REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
13 swaps(&stuff->nbytesAuthProto, n);
14 swaps(&stuff->nbytesAuthData, n);
15 swapl(&stuff->valueMask, n);
16 - values = (CARD32 *)(&stuff[1]) +
17 - ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
18 - ((stuff->nbytesAuthData + (unsigned)3) >> 2);
19 + values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
20 + ((stuff->nbytesAuthData + (unsigned)3) >> 2);
21 + if (values_offset >
22 + stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
23 + return BadLength;
24 + values = (CARD32 *)(&stuff[1]) + values_offset;
25 nvalues = (((CARD32 *)stuff) + stuff->length) - values;
26 SwapLongs(values, nvalues);
27 return ProcSecurityGenerateAuthorization(client);
28 diff --git a/record/record.c b/record/record.c
29 index 0ed8f84..9a166d6 100644
30 --- a/record/record.c
31 +++ b/record/record.c
32 @@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client)
33 } /* SProcRecordQueryVersion */
34
35
36 -static void
37 +static int
38 SwapCreateRegister(xRecordRegisterClientsReq *stuff)
39 {
40 register char n;
41 @@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
42 swapl(&stuff->nClients, n);
43 swapl(&stuff->nRanges, n);
44 pClientID = (XID *)&stuff[1];
45 + if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
46 + return BadLength;
47 for (i = 0; i < stuff->nClients; i++, pClientID++)
48 {
49 swapl(pClientID, n);
50 }
51 + if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
52 + - stuff->nClients)
53 + return BadLength;
54 RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
55 + return Success;
56 } /* SwapCreateRegister */
57
58
59 @@ -2679,11 +2685,13 @@ static int
60 SProcRecordCreateContext(ClientPtr client)
61 {
62 REQUEST(xRecordCreateContextReq);
63 + int status;
64 register char n;
65
66 swaps(&stuff->length, n);
67 REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
68 - SwapCreateRegister((pointer)stuff);
69 + if ((status = SwapCreateRegister((pointer)stuff)) != Success)
70 + return status;
71 return ProcRecordCreateContext(client);
72 } /* SProcRecordCreateContext */
73
74 @@ -2692,11 +2700,13 @@ static int
75 SProcRecordRegisterClients(ClientPtr client)
76 {
77 REQUEST(xRecordRegisterClientsReq);
78 + int status;
79 register char n;
80
81 swaps(&stuff->length, n);
82 REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
83 - SwapCreateRegister((pointer)stuff);
84 + if ((status = SwapCreateRegister((pointer)stuff)) != Success)
85 + return status;
86 return ProcRecordRegisterClients(client);
87 } /* SProcRecordRegisterClients */
88

  ViewVC Help
Powered by ViewVC 1.1.20