diff options
Diffstat (limited to 'x11-base/xorg-server/files/1.4-0004-Fix-for-CVE-2007-6429-MIT-SHM-and-EVI-extensions-i.patch')
-rw-r--r-- | x11-base/xorg-server/files/1.4-0004-Fix-for-CVE-2007-6429-MIT-SHM-and-EVI-extensions-i.patch | 210 |
1 files changed, 210 insertions, 0 deletions
diff --git a/x11-base/xorg-server/files/1.4-0004-Fix-for-CVE-2007-6429-MIT-SHM-and-EVI-extensions-i.patch b/x11-base/xorg-server/files/1.4-0004-Fix-for-CVE-2007-6429-MIT-SHM-and-EVI-extensions-i.patch new file mode 100644 index 0000000..ac66b4d --- /dev/null +++ b/x11-base/xorg-server/files/1.4-0004-Fix-for-CVE-2007-6429-MIT-SHM-and-EVI-extensions-i.patch @@ -0,0 +1,210 @@ +From 8b14f7b74284900b95a319ec80c4333e63af2296 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb <matthieu@bluenote.herrb.com> +Date: Thu, 17 Jan 2008 15:28:42 +0100 +Subject: [PATCH] Fix for CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows. + +--- + Xext/EVI.c | 15 ++++++++++++++- + Xext/sampleEVI.c | 29 ++++++++++++++++++++++++----- + Xext/shm.c | 46 ++++++++++++++++++++++++++++++++++++++-------- + 3 files changed, 76 insertions(+), 14 deletions(-) + +diff --git a/Xext/EVI.c b/Xext/EVI.c +index 8fe3481..13bd32a 100644 +--- a/Xext/EVI.c ++++ b/Xext/EVI.c +@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. + #include <X11/extensions/XEVIstr.h> + #include "EVIstruct.h" + #include "modinit.h" ++#include "scrnintstr.h" + + #if 0 + static unsigned char XEVIReqCode = 0; +@@ -87,10 +88,22 @@ ProcEVIGetVisualInfo(ClientPtr client) + { + REQUEST(xEVIGetVisualInfoReq); + xEVIGetVisualInfoReply rep; +- int n, n_conflict, n_info, sz_info, sz_conflict; ++ int i, n, n_conflict, n_info, sz_info, sz_conflict; + VisualID32 *conflict; ++ unsigned int total_visuals = 0; + xExtendedVisualInfo *eviInfo; + int status; ++ ++ /* ++ * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume ++ * here that you don't have more than 2^32 visuals over all your screens; ++ * this seems like a safe assumption. ++ */ ++ for (i = 0; i < screenInfo.numScreens; i++) ++ total_visuals += screenInfo.screens[i]->numVisuals; ++ if (stuff->n_visual > total_visuals) ++ return BadValue; ++ + REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32); + status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual, + &eviInfo, &n_info, &conflict, &n_conflict); +diff --git a/Xext/sampleEVI.c b/Xext/sampleEVI.c +index 7508aa7..b871bfd 100644 +--- a/Xext/sampleEVI.c ++++ b/Xext/sampleEVI.c +@@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. + #include <X11/extensions/XEVIstr.h> + #include "EVIstruct.h" + #include "scrnintstr.h" ++ ++#if HAVE_STDINT_H ++#include <stdint.h> ++#elif !defined(UINT32_MAX) ++#define UINT32_MAX 0xffffffffU ++#endif ++ + static int sampleGetVisualInfo( + VisualID32 *visual, + int n_visual, +@@ -42,24 +49,36 @@ static int sampleGetVisualInfo( + VisualID32 **conflict_rn, + int *n_conflict_rn) + { +- int max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens; ++ unsigned int max_sz_evi; + VisualID32 *temp_conflict; + xExtendedVisualInfo *evi; +- int max_visuals = 0, max_sz_conflict, sz_conflict = 0; ++ unsigned int max_visuals = 0, max_sz_conflict, sz_conflict = 0; + register int visualI, scrI, sz_evi = 0, conflictI, n_conflict; +- *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi); +- if (!*evi_rn) +- return BadAlloc; ++ ++ if (n_visual > UINT32_MAX/(sz_xExtendedVisualInfo * screenInfo.numScreens)) ++ return BadAlloc; ++ max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens; ++ + for (scrI = 0; scrI < screenInfo.numScreens; scrI++) { + if (screenInfo.screens[scrI]->numVisuals > max_visuals) + max_visuals = screenInfo.screens[scrI]->numVisuals; + } ++ ++ if (n_visual > UINT32_MAX/(sz_VisualID32 * screenInfo.numScreens ++ * max_visuals)) ++ return BadAlloc; + max_sz_conflict = n_visual * sz_VisualID32 * screenInfo.numScreens * max_visuals; ++ ++ *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi); ++ if (!*evi_rn) ++ return BadAlloc; ++ + temp_conflict = (VisualID32 *)xalloc(max_sz_conflict); + if (!temp_conflict) { + xfree(*evi_rn); + return BadAlloc; + } ++ + for (scrI = 0; scrI < screenInfo.numScreens; scrI++) { + for (visualI = 0; visualI < n_visual; visualI++) { + evi[sz_evi].core_visual_id = visual[visualI]; +diff --git a/Xext/shm.c b/Xext/shm.c +index ac587be..5633be9 100644 +--- a/Xext/shm.c ++++ b/Xext/shm.c +@@ -711,6 +711,8 @@ ProcPanoramiXShmCreatePixmap( + int i, j, result, rc; + ShmDescPtr shmdesc; + REQUEST(xShmCreatePixmapReq); ++ unsigned int width, height, depth; ++ unsigned long size; + PanoramiXRes *newPix; + + REQUEST_SIZE_MATCH(xShmCreatePixmapReq); +@@ -724,11 +726,26 @@ ProcPanoramiXShmCreatePixmap( + return rc; + + VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); +- if (!stuff->width || !stuff->height) ++ ++ width = stuff->width; ++ height = stuff->height; ++ depth = stuff->depth; ++ if (!width || !height || !depth) + { + client->errorValue = 0; + return BadValue; + } ++ if (width > 32767 || height > 32767) ++ return BadAlloc; ++ size = PixmapBytePad(width, depth) * height; ++ if (sizeof(size) == 4) { ++ if (size < width * height) ++ return BadAlloc; ++ /* thankfully, offset is unsigned */ ++ if (stuff->offset + size < size) ++ return BadAlloc; ++ } ++ + if (stuff->depth != 1) + { + pDepth = pDraw->pScreen->allowedDepths; +@@ -739,9 +756,7 @@ ProcPanoramiXShmCreatePixmap( + return BadValue; + } + CreatePmap: +- VERIFY_SHMSIZE(shmdesc, stuff->offset, +- PixmapBytePad(stuff->width, stuff->depth) * stuff->height, +- client); ++ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); + + if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) + return BadAlloc; +@@ -1040,6 +1055,8 @@ ProcShmCreatePixmap(client) + register int i, rc; + ShmDescPtr shmdesc; + REQUEST(xShmCreatePixmapReq); ++ unsigned int width, height, depth; ++ unsigned long size; + + REQUEST_SIZE_MATCH(xShmCreatePixmapReq); + client->errorValue = stuff->pid; +@@ -1052,11 +1069,26 @@ ProcShmCreatePixmap(client) + return rc; + + VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); +- if (!stuff->width || !stuff->height) ++ ++ width = stuff->width; ++ height = stuff->height; ++ depth = stuff->depth; ++ if (!width || !height || !depth) + { + client->errorValue = 0; + return BadValue; + } ++ if (width > 32767 || height > 32767) ++ return BadAlloc; ++ size = PixmapBytePad(width, depth) * height; ++ if (sizeof(size) == 4) { ++ if (size < width * height) ++ return BadAlloc; ++ /* thankfully, offset is unsigned */ ++ if (stuff->offset + size < size) ++ return BadAlloc; ++ } ++ + if (stuff->depth != 1) + { + pDepth = pDraw->pScreen->allowedDepths; +@@ -1067,9 +1099,7 @@ ProcShmCreatePixmap(client) + return BadValue; + } + CreatePmap: +- VERIFY_SHMSIZE(shmdesc, stuff->offset, +- PixmapBytePad(stuff->width, stuff->depth) * stuff->height, +- client); ++ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); + pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( + pDraw->pScreen, stuff->width, + stuff->height, stuff->depth, +-- +1.5.3.5 + |