ChangeLog | 205 +++++++++++++++++++++++++++++++++++++++++ debian/changelog | 10 ++ glx/glxcmds.c | 188 +++++++++++++++++++++++++++++++++++-- glx/glxcmdsswap.c | 171 ++++++++++++++++++++++++++++++++-- glx/xfont.c | 2 hw/xfree86/common/xf86Xinput.c | 8 - hw/xquartz/GL/Makefile.am | 2 os/utils.c | 4 8 files changed, 563 insertions(+), 27 deletions(-)
New commits: commit 869682effd2abbd48c47653e63d451e24666830a Author: Julien Cristau <[email protected]> Date: Sat Oct 29 18:54:27 2011 +0200 Upload to squeeze diff --git a/debian/changelog b/debian/changelog index 7c2935c..4d8d03c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -xorg-server (2:1.7.7-14) UNRELEASED; urgency=low +xorg-server (2:1.7.7-14) squeeze; urgency=low * GLX: add missing input sanitization (CVE-2010-4818). Also fix a couple swapping issues. @@ -6,7 +6,7 @@ xorg-server (2:1.7.7-14) UNRELEASED; urgency=low * File permission change vulnerability (CVE-2011-4029). * xf86ScaleAxis: support for high resolution devices. - -- Julien Cristau <[email protected]> Fri, 21 Oct 2011 20:56:40 +0200 + -- Julien Cristau <[email protected]> Sat, 29 Oct 2011 18:44:58 +0200 xorg-server (2:1.7.7-13) stable; urgency=low commit 7fb763b4b6150ceb37fbd209ee59498489db1afc Author: Julien Cristau <[email protected]> Date: Fri Oct 21 20:58:43 2011 +0200 Changelogs diff --git a/ChangeLog b/ChangeLog index b9683ab..f3261ee 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,208 @@ +commit 03ff880e8bf20cdecaf27f03391ea31545ecc22c +Author: Matthieu Herrb <[email protected]> +Date: Mon Oct 17 22:27:35 2011 +0200 + + Fix CVE-2011-4029: File permission change vulnerability. + + Use fchmod() to change permissions of the lock file instead + of chmod(), thus avoid the race that can be exploited to set + a symbolic link to any file or directory in the system. + + 
Signed-off-by: Matthieu Herrb <[email protected]> + Reviewed-by: Alan Coopersmith <[email protected]> + (cherry picked from commit b67581cf825940fdf52bf2e0af4330e695d724a4) + (cherry picked from commit 12f65819ffb04103f170ecd7e281348de618fc4c) + +commit 3394ae378da567025ac94a2c2ff04f2a0b113962 +Author: Matthieu Herrb <[email protected]> +Date: Mon Oct 17 22:26:12 2011 +0200 + + Fix CVE-2011-4028: File disclosure vulnerability. + + use O_NOFOLLOW to open the existing lock file, so symbolic links + aren't followed, thus avoid revealing if it point to an existing + file. + + Signed-off-by: Matthieu Herrb <[email protected]> + Reviewed-by: Alan Coopersmith <[email protected]> + (cherry picked from commit 6ba44b91e37622ef8c146d8f2ac92d708a18ed34) + (cherry picked from commit f80d23357874db19bc124dee70239fb182977883) + +commit 656307e93a7c72b147805e3741ebb02baf876150 +Author: Julien Cristau <[email protected]> +Date: Sun Jan 23 13:35:54 2011 +0100 + + glx: Work around wrong request lengths sent by mesa + + mesa used to send too long requests for GLXDestroyPixmap, + GLXDestroyWindow, GLXChangeDrawableAttributes, GLXGetDrawableAttributes + and GLXGetFBConfigsSGIX. + + Fixes a regression introduced in ec9c97c6bf70b523bc500bd3adf62176f1bb33a4 + X.Org bug#33324 <https://bugs.freedesktop.org/show_bug.cgi?id=33324> + + Reported-by: [email protected] + Signed-off-by: Julien Cristau <[email protected]> + Reviewed-by: Adam Jackson <[email protected]> + (cherry picked from commit 402b329c3aa8ddbebaa1f593306a02d4cd6fed26) + +commit c821bd84e594e86d5dd766f680064e88a29a10d1 +Author: Julien Cristau <[email protected]> +Date: Wed Jan 26 13:06:53 2011 +0100 + + glx: fix BindTexImageEXT length check + + The request is followed by a list of attributes. + + X.Org bug#33449 + + Reported-and-tested-by: meng <[email protected]> + 
Signed-off-by: Julien Cristau <[email protected]> + Reviewed-by: Adam Jackson <[email protected]> + (cherry picked from commit 1137c11be0f82049d28024eaf963c6f76e0d4334) + +commit 5b76d710d3cebbfb8a5f02eaa7920f73deadff21 +Author: Julien Cristau <[email protected]> +Date: Sun Jan 23 17:05:26 2011 +0100 + + glx: fix request length check for CreateGLXPbufferSGIX + + The request is followed by an attribute list. + + Signed-off-by: Julien Cristau <[email protected]> + Reviewed-by: Adam Jackson <[email protected]> + (cherry picked from commit a883cf1545abd89bb2cadfa659718884b56fd234) + +commit 7ed56f793fe9bfe1fd2b70157523952cf6070fd8 +Author: Julien Cristau <[email protected]> +Date: Wed Nov 10 22:39:54 2010 +0100 + + glx: validate numAttribs field before using it + + Reviewed-by: Kristian Høgsberg <[email protected]> + Reviewed-by: Daniel Stone <[email protected]> + Signed-off-by: Julien Cristau <[email protected]> + (cherry picked from commit d9225b9602c85603ae616a7381c784f5cf5e811c) + +commit 4f6ee6177c76d480fe2c477b0ca19ad337928373 +Author: Julien Cristau <[email protected]> +Date: Sun Aug 22 16:20:45 2010 +0100 + + glx: swap the request arrays entirely, not just half of them + + Various glx requests include a list of pairs of attributes. We were + only swapping the first half. + + Reviewed-by: Kristian Høgsberg <[email protected]> + Reviewed-by: Daniel Stone <[email protected]> + Signed-off-by: Julien Cristau <[email protected]> + (cherry picked from commit 62319e8381ebd645ae36b25e5fc3c0e9b098387b) + +commit 00130263a222de904a4500c5410706aa5ec693dc +Author: Julien Cristau <[email protected]> +Date: Sun Aug 22 00:50:05 2010 +0100 + + glx: check request length before swapping + + Reviewed-by: Kristian Høgsberg <[email protected]> + Reviewed-by: Daniel Stone <[email protected]> + 
Signed-off-by: Julien Cristau <[email protected]> + (cherry picked from commit 6c69235a9dfc52e4b4e47630ff4bab1a820eb543) + +commit 6ff0bcfcc0eb02640456beacaaa93ee762c84507 +Author: Julien Cristau <[email protected]> +Date: Sat Jul 3 19:47:55 2010 +0100 + + glx: validate request lengths + + Reviewed-by: Adam Jackson <[email protected]> + Reviewed-by: Kristian Høgsberg <[email protected]> + Reviewed-by: Daniel Stone <[email protected]> + Signed-off-by: Julien Cristau <[email protected]> + (cherry-picked from commit ec9c97c6bf70b523bc500bd3adf62176f1bb33a4) + +commit 94458a6e09761e3b7937bb639ea4c12972328c7f +Author: Jeremy Huddleston <[email protected]> +Date: Sun Mar 13 15:10:00 2011 -0700 + + XQuartz GL: Add $(GL_CFLAGS) to CFLAGS + + This fixes a build failure I found on tinderbox. + + Signed-off-by: Jeremy Huddleston <[email protected]> + (cherry picked from commit f641e4b34aa91ecda29e546b8b975e72ce037ed0) + + Conflicts: + + hw/xquartz/GL/Makefile.am + + Signed-off-by: Jeremy Huddleston <[email protected]> + +commit ee8664ee8573d810a8768a2e10dd896b630697ff +Author: Benjamin Tissoires <[email protected]> +Date: Wed Apr 14 17:27:51 2010 +0200 + + xf86ScaleAxis: support for high resolution devices + + High resolution devices was generating integer overflow. + For instance the wacom Cintiq 21UX has an axis value up to + 87000. Thus the term (dSx * (Cx - Rxlow)) is greater than + MAX_INT32. + + Using 64bits integer avoids such problem. + + Signed-off-by: Philippe Ribet <[email protected]> + Signed-off-by: Benjamin Tissoires <[email protected]> + Reviewed-by: Keith Packard <[email protected]> + 
Signed-off-by: Peter Hutterer <[email protected]> + (cherry picked from commit a780e5b3638a0ff81301fc68aca15b47ba0befb7) + +commit 01bc98e313b8ee62c506d0f8f408d54b71d1dfa6 +Author: Julien Cristau <[email protected]> +Date: Sat Jul 3 19:42:26 2010 +0100 + + glx: make sure screen is non-negative in validGlxScreen + + Reviewed-by: Adam Jackson <[email protected]> + Reviewed-by: Kristian Høgsberg <[email protected]> + Reviewed-by: Daniel Stone <[email protected]> + Signed-off-by: Julien Cristau <[email protected]> + (cherry picked from commit 3f0d3f4d97bce75c1828635c322b6560a45a037f) + +commit d77ffa918b2aaa3ca1deb17ed0145199d0f863da +Author: Julien Cristau <[email protected]> +Date: Mon Jan 31 14:14:47 2011 +0100 + + Revert "randr: check for virtual size limits before set crtc" + + Apparently these checks break rotation with the nvidia drivers: + https://bbs.archlinux.org/viewtopic.php?pid=877761 + http://bugs.debian.org/611619 + Let's not do that in a stable branch. + + This reverts commit 6a6d907e77777057cadbd80572119c09732385cd. + + Signed-off-by: Julien Cristau <[email protected]> + +commit 5549d99acbc38c8a1f12d649c42f044392ec7af0 +Author: Peter Hutterer <[email protected]> +Date: Fri Sep 3 11:54:41 2010 +1000 + + mi: handle DGA subtypes when determining the master device. + + The subtype in the DGA event is the core type and all ET_ event types (where + applicable) are identical to the core types. Thus the switch statement below + will work as required and assign the right master device. + + Fixes a crasher bug on keyboard devices with valuators. If a device sends a + motion event while grabbed and a DGA client is active (but has not selected + input through DGA), the valuator event is posted through the VCK and + eventually results in a NULL-pointer dereference on dev->valuator. + + 
Signed-off-by: Peter Hutterer <[email protected]> + (cherry picked from commit 31ab9f8860848504df18a8be9d19b817b191e0df) + (cherry picked from commit faecab3b13bbaecf4f35f49b833d1b79a5fb647d) + commit 2fd67c34549f1703e8ca522f92be518b18f90e81 Author: Ville Syrjälä <[email protected]> Date: Thu Dec 16 18:22:13 2010 +0200 diff --git a/debian/changelog b/debian/changelog index ba68ab8..7c2935c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +xorg-server (2:1.7.7-14) UNRELEASED; urgency=low + + * GLX: add missing input sanitization (CVE-2010-4818). Also fix a couple + swapping issues. + * File disclosure vulnerability (CVE-2011-4028). + * File permission change vulnerability (CVE-2011-4029). + * xf86ScaleAxis: support for high resolution devices. + + -- Julien Cristau <[email protected]> Fri, 21 Oct 2011 20:56:40 +0200 + xorg-server (2:1.7.7-13) stable; urgency=low * bug script: Report KMS configuration files and their contents. commit 03ff880e8bf20cdecaf27f03391ea31545ecc22c Author: Matthieu Herrb <[email protected]> Date: Mon Oct 17 22:27:35 2011 +0200 Fix CVE-2011-4029: File permission change vulnerability. Use fchmod() to change permissions of the lock file instead of chmod(), thus avoid the race that can be exploited to set a symbolic link to any file or directory in the system. Signed-off-by: Matthieu Herrb <[email protected]> Reviewed-by: Alan Coopersmith <[email protected]> (cherry picked from commit b67581cf825940fdf52bf2e0af4330e695d724a4) (cherry picked from commit 12f65819ffb04103f170ecd7e281348de618fc4c) diff --git a/os/utils.c b/os/utils.c index 7032227..adc75bc 100644 --- a/os/utils.c +++ b/os/utils.c 
@@ -315,7 +315,7 @@ LockServer(void) FatalError("Could not create lock file in %s\n", tmp); (void) sprintf(pid_str, "%10ld\n", (long)getpid()); (void) write(lfd, pid_str, 11); - (void) chmod(tmp, 0444); + (void) fchmod(lfd, 0444); (void) close(lfd); /* commit 3394ae378da567025ac94a2c2ff04f2a0b113962 Author: Matthieu Herrb <[email protected]> Date: Mon Oct 17 22:26:12 2011 +0200 Fix CVE-2011-4028: File disclosure vulnerability. use O_NOFOLLOW to open the existing lock file, so symbolic links aren't followed, thus avoid revealing if it point to an existing file. Signed-off-by: Matthieu Herrb <[email protected]> Reviewed-by: Alan Coopersmith <[email protected]> (cherry picked from commit 6ba44b91e37622ef8c146d8f2ac92d708a18ed34) (cherry picked from commit f80d23357874db19bc124dee70239fb182977883) diff --git a/os/utils.c b/os/utils.c index d7c8388..7032227 100644 --- a/os/utils.c +++ b/os/utils.c @@ -336,7 +336,7 @@ LockServer(void) /* * Read the pid from the existing file */ - lfd = open(LockFile, O_RDONLY); + lfd = open(LockFile, O_RDONLY|O_NOFOLLOW); if (lfd < 0) { unlink(tmp); FatalError("Can't read lock file %s\n", LockFile); commit 656307e93a7c72b147805e3741ebb02baf876150 Author: Julien Cristau <[email protected]> Date: Sun Jan 23 13:35:54 2011 +0100 glx: Work around wrong request lengths sent by mesa mesa used to send too long requests for GLXDestroyPixmap, GLXDestroyWindow, GLXChangeDrawableAttributes, GLXGetDrawableAttributes and GLXGetFBConfigsSGIX. Fixes a regression introduced in ec9c97c6bf70b523bc500bd3adf62176f1bb33a4 X.Org bug#33324 <https://bugs.freedesktop.org/show_bug.cgi?id=33324> Reported-by: [email protected] Signed-off-by: Julien Cristau <[email protected]> Reviewed-by: Adam Jackson <[email protected]> (cherry picked from commit 402b329c3aa8ddbebaa1f593306a02d4cd6fed26) diff --git a/glx/glxcmds.c b/glx/glxcmds.c index f42cce8..ce6aeb3 100644 --- a/glx/glxcmds.c +++ b/glx/glxcmds.c 
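Review bot: The new `fchmod(lfd, 0444)` discards its return value behind a `(void)` cast, so if it fails the lock file keeps whatever mode the creating open gave it (that open is outside this hunk) and nothing records that the CVE-2011-4029 fix did not take effect. The surrounding code already uses FatalError when the lock file cannot be created, so `if (fchmod(lfd, 0444) < 0) FatalError("Could not set permissions on lock file %s\n", tmp);` would be consistent; if a failure is meant to be tolerated, a short comment saying so is better than a bare cast. LockServer begins and ends outside this hunk.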
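Review bot: `O_NOFOLLOW` is not defined on every platform this file may be built for (it entered POSIX only in 2008 and is otherwise a BSD/Linux extension), so a `#ifndef O_NOFOLLOW` / `#define O_NOFOLLOW 0` fallback near the includes would keep the build working, with a comment noting that the CVE-2011-4028 protection is absent there. The flag also only governs the final path component: a symbolic link in a parent directory of LockFile is still followed, which matters only if that directory is attacker-writable, and this hunk does not show where LockFile lives. Note too that a planted symlink now makes the open fail (ELOOP on Linux) and the existing error path calls FatalError, so the trade-off is start-up denial instead of disclosure — worth one line of comment above the open.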
@@ -1122,7 +1122,8 @@ int __glXDisp_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc) { ClientPtr client = cl->client; xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc; - REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq); + /* work around mesa bug, don't use REQUEST_SIZE_MATCH */ + REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq); return DoGetFBConfigs(cl, req->screen); } @@ -1346,7 +1347,9 @@ int __glXDisp_DestroyPixmap(__GLXclientState *cl, GLbyte *pc) ClientPtr client = cl->client; xGLXDestroyPixmapReq *req = (xGLXDestroyPixmapReq *) pc; - REQUEST_SIZE_MATCH(xGLXDestroyPixmapReq); + /* should be REQUEST_SIZE_MATCH, but mesa's glXDestroyPixmap used to set + * length to 3 instead of 2 */ + REQUEST_AT_LEAST_SIZE(xGLXDestroyPixmapReq); return DoDestroyDrawable(cl, req->glxpixmap, GLX_DRAWABLE_PIXMAP); } @@ -1478,7 +1481,13 @@ int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc) client->errorValue = req->numAttribs; return BadValue; } +#if 0 + /* mesa sends an additional 8 bytes */ REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3); +#else + if (((sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3)) >> 2) < client->req_len) + return BadLength; +#endif return DoChangeDrawableAttributes(cl->client, req->drawable, req->numAttribs, (CARD32 *) (req + 1)); @@ -1540,7 +1549,8 @@ int __glXDisp_DestroyWindow(__GLXclientState *cl, GLbyte *pc) ClientPtr client = cl->client; xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc; - REQUEST_SIZE_MATCH(xGLXDestroyWindowReq); + /* mesa's glXDestroyWindow used to set length to 3 instead of 2 */ + REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq); return DoDestroyDrawable(cl, req->glxwindow, GLX_DRAWABLE_WINDOW); } 
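Review bot: The `#else` replacement in `__glXDisp_ChangeDrawableAttributes` only bounds the request from above: it returns BadLength when `sizeof(req) + 8*numAttribs` is smaller than `client->req_len`, so a request whose `numAttribs` claims more pairs than it actually carries passes, and `DoChangeDrawableAttributes` is then handed that count together with a pointer just past the header — presumably walking off the end of the request (its body is outside this hunk). The comparison is also the opposite of what the `mesa sends an additional 8 bytes` comment calls for, since extra bytes make the request longer than the computed size and so trip this very check. Reversing the relation refuses short requests and tolerates long ones: `if (((sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3)) >> 2) > client->req_len) return BadLength;`.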
@@ -1849,7 +1859,8 @@ int __glXDisp_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc) ClientPtr client = cl->client; xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc; - REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq); + /* this should be REQUEST_SIZE_MATCH, but mesa sends an additional 4 bytes */ + REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq); return DoGetDrawableAttributes(cl, req->drawable); } diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c index c200244..5947e64 100644 --- a/glx/glxcmdsswap.c +++ b/glx/glxcmdsswap.c @@ -280,7 +280,7 @@ int __glXDispSwap_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc) xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; - REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq); + REQUEST_AT_LEAST_SIZE(xGLXGetFBConfigsSGIXReq); __GLX_SWAP_INT(&req->screen); return __glXDisp_GetFBConfigsSGIX(cl, pc); @@ -369,7 +369,7 @@ int __glXDispSwap_DestroyPixmap(__GLXclientState *cl, GLbyte *pc) xGLXDestroyGLXPixmapReq *req = (xGLXDestroyGLXPixmapReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; - REQUEST_SIZE_MATCH(xGLXDestroyGLXPixmapReq); + REQUEST_AT_LEAST_SIZE(xGLXDestroyGLXPixmapReq); __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->glxpixmap); @@ -477,7 +477,9 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc) client->errorValue = req->numAttribs; return BadValue; } - REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3); + if (((sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3)) >> 2) < client->req_len) + return BadLength; + attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); @@ -543,7 +545,7 @@ int __glXDispSwap_DestroyWindow(__GLXclientState *cl, GLbyte *pc) xGLXDestroyWindowReq *req = (xGLXDestroyWindowReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; - REQUEST_SIZE_MATCH(xGLXDestroyWindowReq); + REQUEST_AT_LEAST_SIZE(xGLXDestroyWindowReq); __GLX_SWAP_INT(&req->glxwindow); 
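Review bot: The new length check in `__glXDispSwap_ChangeDrawableAttributes` rejects only requests longer than `sizeof(req) + 8*numAttribs`; a request shorter than that passes, and the `__GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1)` immediately after it then byte-swaps `numAttribs` pairs in place beyond the end of the request — an out-of-bounds write on the byte-swapped path, with `numAttribs` allowed up to `UINT32_MAX >> 3` by the check above it. The relation should be `>` so that short requests are refused while an over-long one (the mesa case this commit is working around) is still accepted: `if (((sizeof(xGLXChangeDrawableAttributesReq) + (req->numAttribs << 3)) >> 2) > client->req_len) return BadLength;`. The function starts outside this hunk.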
@@ -743,7 +745,7 @@ int __glXDispSwap_GetDrawableAttributes(__GLXclientState *cl, GLbyte *pc) xGLXGetDrawableAttributesReq *req = (xGLXGetDrawableAttributesReq *)pc; __GLX_DECLARE_SWAP_VARIABLES; - REQUEST_SIZE_MATCH(xGLXGetDrawableAttributesReq); + REQUEST_AT_LEAST_SIZE(xGLXGetDrawableAttributesReq); __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->drawable); commit c821bd84e594e86d5dd766f680064e88a29a10d1 Author: Julien Cristau <[email protected]> Date: Wed Jan 26 13:06:53 2011 +0100 glx: fix BindTexImageEXT length check The request is followed by a list of attributes. X.Org bug#33449 Reported-and-tested-by: meng <[email protected]> Signed-off-by: Julien Cristau <[email protected]> Reviewed-by: Adam Jackson <[email protected]> (cherry picked from commit 1137c11be0f82049d28024eaf963c6f76e0d4334) diff --git a/glx/glxcmds.c b/glx/glxcmds.c index ff1249f..f42cce8 100644 --- a/glx/glxcmds.c +++ b/glx/glxcmds.c @@ -1674,13 +1674,21 @@ int __glXDisp_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc) GLXDrawable drawId; int buffer; int error; + CARD32 num_attribs; - REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8); + if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len) + return BadLength; pc += __GLX_VENDPRIV_HDR_SIZE; drawId = *((CARD32 *) (pc)); buffer = *((INT32 *) (pc + 4)); + num_attribs = *((CARD32 *) (pc + 8)); + if (num_attribs > (UINT32_MAX >> 3)) { + client->errorValue = num_attribs; + return BadValue; + } + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 12 + (num_attribs << 3)); if (buffer != GLX_FRONT_LEFT_EXT) return __glXError(GLXBadPixmap); diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c index 1155b23..c200244 100644 --- a/glx/glxcmdsswap.c +++ b/glx/glxcmdsswap.c 
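Review bot: The new minimum-length check and the later `REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 12 + (num_attribs << 3))` both lean on the bare number 12 with nothing saying what it stands for; a comment above the first check such as `/* drawId, buffer and num_attribs (12 bytes) follow the vendor-private header */` would tie it to the `pc`, `pc + 4` and `pc + 8` reads below. The `UINT32_MAX >> 3` bound leaves headroom for the shift but not for the `12 +`, which is evaluated in 32-bit unsigned arithmetic; as far as I can trace, the one value that wraps (`num_attribs == UINT32_MAX >> 3`) yields a size the earlier minimum-length check already excludes, so nothing slips through, but `(UINT32_MAX - 12) >> 3` would make that independent of check ordering. __glXDisp_BindTexImageEXT continues past this hunk, so what is done with the attribute list is not visible here.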
@@ -649,19 +649,23 @@ int __glXDispSwap_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc) xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc; GLXDrawable *drawId; int *buffer; + CARD32 *num_attribs; __GLX_DECLARE_SWAP_VARIABLES; - REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8); + if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len) + return BadLength; pc += __GLX_VENDPRIV_HDR_SIZE; drawId = ((GLXDrawable *) (pc)); buffer = ((int *) (pc + 4)); + num_attribs = ((CARD32 *) (pc + 8)); __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->contextTag); __GLX_SWAP_INT(drawId); __GLX_SWAP_INT(buffer); + __GLX_SWAP_INT(num_attribs); return __glXDisp_BindTexImageEXT(cl, (GLbyte *)pc); } commit 5b76d710d3cebbfb8a5f02eaa7920f73deadff21 Author: Julien Cristau <[email protected]> Date: Sun Jan 23 17:05:26 2011 +0100 glx: fix request length check for CreateGLXPbufferSGIX The request is followed by an attribute list. Signed-off-by: Julien Cristau <[email protected]> Reviewed-by: Adam Jackson <[email protected]> (cherry picked from commit a883cf1545abd89bb2cadfa659718884b56fd234) diff --git a/glx/glxcmds.c b/glx/glxcmds.c index 83469a5..ff1249f 100644 --- a/glx/glxcmds.c +++ b/glx/glxcmds.c @@ -1416,7 +1416,7 @@ int __glXDisp_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc) ClientPtr client = cl->client; xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc; - REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq); + REQUEST_AT_LEAST_SIZE(xGLXCreateGLXPbufferSGIXReq); return DoCreatePbuffer(cl->client, req->screen, req->fbconfig, req->width, req->height, req->pbuffer); diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c index a0e0882..1155b23 100644 --- a/glx/glxcmdsswap.c +++ b/glx/glxcmdsswap.c 
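Review bot: The new `num_attribs` pointer is taken from `pc` after `pc += __GLX_VENDPRIV_HDR_SIZE`, and the function then passes that advanced `pc` to `__glXDisp_BindTexImageEXT`, which (see its own hunk in this patch) advances by `__GLX_VENDPRIV_HDR_SIZE` a second time before reading `drawId`, `buffer` and `num_attribs` at `pc`, `pc + 4` and `pc + 8`; the unswapped handler therefore reads all three fields one header-length too far into the request, and its `REQUEST_FIXED_SIZE` check is computed from an unswapped attribute word rather than the count swapped here. The other swap dispatchers in this file hand over the unadvanced request pointer, so this should be `return __glXDisp_BindTexImageEXT(cl, (GLbyte *) req);`. The minimum-length check at the top only guarantees 12 bytes past the header, so with the shifted offsets the inner reads can land past the end of a minimal request.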
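Review bot: Relaxing `__glXDisp_CreateGLXPbufferSGIX` to `REQUEST_AT_LEAST_SIZE` is justified by the commit message (an attribute list follows), but the handler still forwards only the fixed fields to `DoCreatePbuffer`, so the attribute list is now accepted and silently ignored, and nothing in the code says so. A one-line comment above the check, `/* a trailing attribute list is length-tolerated but not parsed */`, would stop the next reader from expecting those attributes to take effect. Whether DoCreatePbuffer ought to see them is outside this hunk.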
@@ -422,7 +422,7 @@ int __glXDispSwap_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc) xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; - REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq); + REQUEST_AT_LEAST_SIZE(xGLXCreateGLXPbufferSGIXReq); __GLX_SWAP_INT(&req->screen); __GLX_SWAP_INT(&req->fbconfig); commit 7ed56f793fe9bfe1fd2b70157523952cf6070fd8 Author: Julien Cristau <[email protected]> Date: Wed Nov 10 22:39:54 2010 +0100 glx: validate numAttribs field before using it Reviewed-by: Kristian Høgsberg <[email protected]> Reviewed-by: Daniel Stone <[email protected]> Signed-off-by: Julien Cristau <[email protected]> (cherry picked from commit d9225b9602c85603ae616a7381c784f5cf5e811c) diff --git a/glx/glxcmds.c b/glx/glxcmds.c index b8ee546..83469a5 100644 --- a/glx/glxcmds.c +++ b/glx/glxcmds.c @@ -1273,6 +1273,11 @@ int __glXDisp_CreatePixmap(__GLXclientState *cl, GLbyte *pc) __GLXscreen *pGlxScreen; int err; + REQUEST_AT_LEAST_SIZE(xGLXCreatePixmapReq); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3); if (!validGlxScreen(cl->client, req->screen, &pGlxScreen, &err)) @@ -1376,6 +1381,11 @@ int __glXDisp_CreatePbuffer(__GLXclientState *cl, GLbyte *pc) CARD32 *attrs; int width, height, i; + REQUEST_AT_LEAST_SIZE(xGLXCreatePbufferReq); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3); attrs = (CARD32 *) (req + 1); 
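Review bot: The `UINT32_MAX >> 3` bound in `__glXDisp_CreatePixmap` keeps `req->numAttribs << 3` from overflowing, but the `REQUEST_FIXED_SIZE` it feeds adds `sizeof(xGLXCreatePixmapReq) + 3` to that product before shifting; if that macro does the sum in size_t, as I believe the dix macro of this era does, a 32-bit build wraps for `numAttribs == UINT32_MAX >> 3` and the result can equal the header-only `req_len`, letting a request with no attribute data at all claim 2^29 pairs. Keeping the existing BadValue check and additionally bounding by what was actually received, e.g. `if (req->numAttribs > ((client->req_len - (sizeof(xGLXCreatePixmapReq) >> 2)) >> 1)) return BadLength;` after the REQUEST_AT_LEAST_SIZE, cannot wrap on any word size. The same `UINT32_MAX >> 3` pattern is repeated in the CreatePbuffer, ChangeDrawableAttributes(SGIX) and CreateWindow hunks of this commit and in their swapped counterparts, where the overrun would be a write via `__GLX_SWAP_INT_ARRAY`.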
@@ -1463,6 +1473,11 @@ int __glXDisp_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc) xGLXChangeDrawableAttributesReq *req = (xGLXChangeDrawableAttributesReq *) pc; + REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesReq); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3); return DoChangeDrawableAttributes(cl->client, req->drawable, @@ -1475,6 +1490,11 @@ int __glXDisp_ChangeDrawableAttributesSGIX(__GLXclientState *cl, GLbyte *pc) xGLXChangeDrawableAttributesSGIXReq *req = (xGLXChangeDrawableAttributesSGIXReq *)pc; + REQUEST_AT_LEAST_SIZE(xGLXChangeDrawableAttributesSGIXReq); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3); return DoChangeDrawableAttributes(cl->client, req->drawable, @@ -1490,6 +1510,11 @@ int __glXDisp_CreateWindow(__GLXclientState *cl, GLbyte *pc) DrawablePtr pDraw; int err; + REQUEST_AT_LEAST_SIZE(xGLXCreateWindowReq); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3); if (!validGlxScreen(client, req->screen, &pGlxScreen, &err)) diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c index cbd9b88..a0e0882 100644 --- a/glx/glxcmdsswap.c +++ b/glx/glxcmdsswap.c @@ -320,6 +320,10 @@ int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc) __GLX_SWAP_INT(&req->glxpixmap); __GLX_SWAP_INT(&req->numAttribs); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); 
@@ -401,6 +405,10 @@ int __glXDispSwap_CreatePbuffer(__GLXclientState *cl, GLbyte *pc) __GLX_SWAP_INT(&req->pbuffer); __GLX_SWAP_INT(&req->numAttribs); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); @@ -465,6 +473,10 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc) __GLX_SWAP_INT(&req->drawable); __GLX_SWAP_INT(&req->numAttribs); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); @@ -487,6 +499,10 @@ int __glXDispSwap_ChangeDrawableAttributesSGIX(__GLXclientState *cl, __GLX_SWAP_INT(&req->drawable); __GLX_SWAP_INT(&req->numAttribs); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); 
@@ -510,6 +526,10 @@ int __glXDispSwap_CreateWindow(__GLXclientState *cl, GLbyte *pc) __GLX_SWAP_INT(&req->glxwindow); __GLX_SWAP_INT(&req->numAttribs); + if (req->numAttribs > (UINT32_MAX >> 3)) { + client->errorValue = req->numAttribs; + return BadValue; + } REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); commit 4f6ee6177c76d480fe2c477b0ca19ad337928373 Author: Julien Cristau <[email protected]> Date: Sun Aug 22 16:20:45 2010 +0100 glx: swap the request arrays entirely, not just half of them Various glx requests include a list of pairs of attributes. We were only swapping the first half. Reviewed-by: Kristian Høgsberg <[email protected]> Reviewed-by: Daniel Stone <[email protected]> Signed-off-by: Julien Cristau <[email protected]> (cherry picked from commit 62319e8381ebd645ae36b25e5fc3c0e9b098387b) diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c index cca9843..cbd9b88 100644 --- a/glx/glxcmdsswap.c +++ b/glx/glxcmdsswap.c @@ -322,7 +322,7 @@ int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc) REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); - __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); + __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); return __glXDisp_CreatePixmap(cl, pc); } @@ -403,7 +403,7 @@ int __glXDispSwap_CreatePbuffer(__GLXclientState *cl, GLbyte *pc) REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); - __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); + __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); return __glXDisp_CreatePbuffer(cl, pc); } 
@@ -467,7 +467,7 @@ int __glXDispSwap_ChangeDrawableAttributes(__GLXclientState *cl, GLbyte *pc) REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); - __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); + __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); return __glXDisp_ChangeDrawableAttributes(cl, pc); } @@ -489,7 +489,7 @@ int __glXDispSwap_ChangeDrawableAttributesSGIX(__GLXclientState *cl, REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); - __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); + __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); return __glXDisp_ChangeDrawableAttributesSGIX(cl, pc); } @@ -512,7 +512,7 @@ int __glXDispSwap_CreateWindow(__GLXclientState *cl, GLbyte *pc) REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3); attribs = (CARD32*)(req + 1); - __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs); + __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1); return __glXDisp_CreateWindow(cl, pc); } commit 00130263a222de904a4500c5410706aa5ec693dc Author: Julien Cristau <[email protected]> Date: Sun Aug 22 00:50:05 2010 +0100 glx: check request length before swapping Reviewed-by: Kristian Høgsberg <[email protected]> Reviewed-by: Daniel Stone <[email protected]> Signed-off-by: Julien Cristau <[email protected]> (cherry picked from commit 6c69235a9dfc52e4b4e47630ff4bab1a820eb543) diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c index c414dc8..cca9843 100644 --- a/glx/glxcmdsswap.c +++ b/glx/glxcmdsswap.c @@ -61,9 +61,12 @@ int __glXDispSwap_CreateContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateContextReq *req = (xGLXCreateContextReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXCreateContextReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->context); __GLX_SWAP_INT(&req->visual); 
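Review bot: Each swap dispatcher in this commit gains a `ClientPtr client = cl->client;` whose only reader is the `REQUEST_SIZE_MATCH` macro through an implicit local named `client`, which looks like an unused variable to anyone not familiar with the dix request macros. A comment on the first occurrence in `__glXDispSwap_CreateContext`, `/* REQUEST_SIZE_MATCH and friends expect a local named client */`, would explain the pattern once for the whole file. Placing the check ahead of `__GLX_SWAP_SHORT(&req->length)` is correct only because `client->req_len` is already in host order by the time dispatch runs, which is worth stating in the same comment if that assumption holds (it is not visible here).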
@@ -75,9 +78,12 @@ int __glXDispSwap_CreateContext(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_CreateNewContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateNewContextReq *req = (xGLXCreateNewContextReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXCreateNewContextReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->context); __GLX_SWAP_INT(&req->fbconfig); @@ -90,10 +96,13 @@ int __glXDispSwap_CreateNewContext(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateContextWithConfigSGIXReq *req = (xGLXCreateContextWithConfigSGIXReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXCreateContextWithConfigSGIXReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->context); __GLX_SWAP_INT(&req->fbconfig); @@ -106,9 +115,12 @@ int __glXDispSwap_CreateContextWithConfigSGIX(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_DestroyContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXDestroyContextReq *req = (xGLXDestroyContextReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXDestroyContextReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->context); @@ -117,9 +129,12 @@ int __glXDispSwap_DestroyContext(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_MakeCurrent(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXMakeCurrentReq *req = (xGLXMakeCurrentReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXMakeCurrentReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->drawable); __GLX_SWAP_INT(&req->context); 
@@ -130,9 +145,12 @@ int __glXDispSwap_MakeCurrent(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_MakeContextCurrent(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXMakeContextCurrentReq *req = (xGLXMakeContextCurrentReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXMakeContextCurrentReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->drawable); __GLX_SWAP_INT(&req->readdrawable); @@ -144,9 +162,12 @@ int __glXDispSwap_MakeContextCurrent(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_MakeCurrentReadSGI(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXMakeCurrentReadSGIReq *req = (xGLXMakeCurrentReadSGIReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXMakeCurrentReadSGIReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->drawable); __GLX_SWAP_INT(&req->readable); @@ -158,9 +179,12 @@ int __glXDispSwap_MakeCurrentReadSGI(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_IsDirect(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXIsDirectReq *req = (xGLXIsDirectReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXIsDirectReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->context); @@ -169,9 +193,12 @@ int __glXDispSwap_IsDirect(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_QueryVersion(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXQueryVersionReq *req = (xGLXQueryVersionReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXQueryVersionReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->majorVersion); __GLX_SWAP_INT(&req->minorVersion); 
@@ -181,9 +208,12 @@ int __glXDispSwap_QueryVersion(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_WaitGL(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXWaitGLReq *req = (xGLXWaitGLReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXWaitGLReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->contextTag); @@ -192,9 +222,12 @@ int __glXDispSwap_WaitGL(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_WaitX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXWaitXReq *req = (xGLXWaitXReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXWaitXReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->contextTag); @@ -203,9 +236,12 @@ int __glXDispSwap_WaitX(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_CopyContext(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCopyContextReq *req = (xGLXCopyContextReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXCopyContextReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->source); __GLX_SWAP_INT(&req->dest); 
@@ -216,36 +252,48 @@ int __glXDispSwap_CopyContext(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_GetVisualConfigs(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetVisualConfigsReq *req = (xGLXGetVisualConfigsReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXGetVisualConfigsReq); + __GLX_SWAP_INT(&req->screen); return __glXDisp_GetVisualConfigs(cl, pc); } int __glXDispSwap_GetFBConfigs(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetFBConfigsReq *req = (xGLXGetFBConfigsReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXGetFBConfigsReq); + __GLX_SWAP_INT(&req->screen); return __glXDisp_GetFBConfigs(cl, pc); } int __glXDispSwap_GetFBConfigsSGIX(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXGetFBConfigsSGIXReq *req = (xGLXGetFBConfigsSGIXReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXGetFBConfigsSGIXReq); + __GLX_SWAP_INT(&req->screen); return __glXDisp_GetFBConfigsSGIX(cl, pc); } int __glXDispSwap_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreateGLXPixmapReq *req = (xGLXCreateGLXPixmapReq *) pc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXCreateGLXPixmapReq); + __GLX_SWAP_SHORT(&req->length); __GLX_SWAP_INT(&req->screen); __GLX_SWAP_INT(&req->visual); @@ -257,17 +305,22 @@ int __glXDispSwap_CreateGLXPixmap(__GLXclientState *cl, GLbyte *pc) int __glXDispSwap_CreatePixmap(__GLXclientState *cl, GLbyte *pc) { + ClientPtr client = cl->client; xGLXCreatePixmapReq *req = (xGLXCreatePixmapReq *) pc; CARD32 *attribs; -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]

