Author: dnicholson Date: 2007-01-23 11:42:41 -0700 (Tue, 23 Jan 2007) New Revision: 1751
Added: trunk/xorg/xorg-server-1.1.1-security-1.patch Log: Rediffed xorg-server security patch against 1.1.1 Copied: trunk/xorg/xorg-server-1.1.1-security-1.patch (from rev 1749, trunk/xorg/xorg-server-1.1.0-security-1.patch) =================================================================== --- trunk/xorg/xorg-server-1.1.1-security-1.patch (rev 0) +++ trunk/xorg/xorg-server-1.1.1-security-1.patch 2007-01-23 18:42:41 UTC (rev 1751) @@ -0,0 +1,190 @@ +Submitted By: Dan Nicholson <dnicholson at linuxfromscratch dot org> +Date: 2007-01-23 +Initial Package Version: 1.1.0 +Origin: http://xorg.freedesktop.org/releases/X11R7.1/patches/ and +Upstream Status: Applied +Description: Fixes a security vulnerability in the X server. + See the following advisory: + http://lists.freedesktop.org/archives/xorg/2007-January/021054.html + +diff -pNur xorg-server-1.1.1.orig/dbe/dbe.c xorg-server-1.1.1/dbe/dbe.c +--- xorg-server-1.1.1.orig/dbe/dbe.c 2006-07-05 11:31:36.000000000 -0700 ++++ xorg-server-1.1.1/dbe/dbe.c 2007-01-18 21:46:13.000000000 -0800 +@@ -42,6 +42,11 @@ + #endif + + #include <string.h> ++#if HAVE_STDINT_H ++#include <stdint.h> ++#elif !defined(UINT32_MAX) ++#define UINT32_MAX 0xffffffffU ++#endif + + #include <X11/X.h> + #include <X11/Xproto.h> +@@ -716,11 +721,14 @@ ProcDbeSwapBuffers(ClientPtr client) + return(Success); + } + ++ if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec)) ++ return BadAlloc; ++ + /* Get to the swap info appended to the end of the request. */ + dbeSwapInfo = (xDbeSwapInfo *)&stuff[1]; + + /* Allocate array to record swap information. */ +- swapInfo = (DbeSwapInfoPtr)ALLOCATE_LOCAL(nStuff * sizeof(DbeSwapInfoRec)); ++ swapInfo = (DbeSwapInfoPtr)Xalloc(nStuff * sizeof(DbeSwapInfoRec)); + if (swapInfo == NULL) + { + return(BadAlloc); +@@ -735,14 +743,14 @@ ProcDbeSwapBuffers(ClientPtr client) + if (!(pWin = SecurityLookupWindow(dbeSwapInfo[i].window, client, + SecurityWriteAccess))) + { +- DEALLOCATE_LOCAL(swapInfo); ++ Xfree(swapInfo); + return(BadWindow); + } + + /* Each window must be double-buffered - BadMatch. */ + if (DBE_WINDOW_PRIV(pWin) == NULL) + { +- DEALLOCATE_LOCAL(swapInfo); ++ Xfree(swapInfo); + return(BadMatch); + } + +@@ -751,7 +759,7 @@ ProcDbeSwapBuffers(ClientPtr client) + { + if (dbeSwapInfo[i].window == dbeSwapInfo[j].window) + { +- DEALLOCATE_LOCAL(swapInfo); ++ Xfree(swapInfo); + return(BadMatch); + } + } +@@ -762,7 +770,7 @@ ProcDbeSwapBuffers(ClientPtr client) + (dbeSwapInfo[i].swapAction != XdbeUntouched ) && + (dbeSwapInfo[i].swapAction != XdbeCopied )) + { +- DEALLOCATE_LOCAL(swapInfo); ++ Xfree(swapInfo); + return(BadValue); + } + +@@ -792,12 +800,12 @@ ProcDbeSwapBuffers(ClientPtr client) + error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo); + if (error != Success) + { +- DEALLOCATE_LOCAL(swapInfo); ++ Xfree(swapInfo); + return(error); + } + } + +- DEALLOCATE_LOCAL(swapInfo); ++ Xfree(swapInfo); + return(Success); + + } /* ProcDbeSwapBuffers() */ +@@ -879,10 +887,12 @@ ProcDbeGetVisualInfo(ClientPtr client) + + REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq); + ++ if (stuff->n > UINT32_MAX / sizeof(DrawablePtr)) ++ return BadAlloc; + /* Make sure any specified drawables are valid. */ + if (stuff->n != 0) + { +- if (!(pDrawables = (DrawablePtr *)ALLOCATE_LOCAL(stuff->n * ++ if (!(pDrawables = (DrawablePtr *)Xalloc(stuff->n * + sizeof(DrawablePtr)))) + { + return(BadAlloc); +@@ -895,7 +905,7 @@ ProcDbeGetVisualInfo(ClientPtr client) + if (!(pDrawables[i] = (DrawablePtr)SecurityLookupDrawable( + drawables[i], client, SecurityReadAccess))) + { +- DEALLOCATE_LOCAL(pDrawables); ++ Xfree(pDrawables); + return(BadDrawable); + } + } +@@ -907,7 +917,7 @@ ProcDbeGetVisualInfo(ClientPtr client) + { + if (pDrawables) + { +- DEALLOCATE_LOCAL(pDrawables); ++ Xfree(pDrawables); + } + + return(BadAlloc); +@@ -934,7 +944,7 @@ ProcDbeGetVisualInfo(ClientPtr client) + /* Free pDrawables if we needed to allocate it above. */ + if (pDrawables) + { +- DEALLOCATE_LOCAL(pDrawables); ++ Xfree(pDrawables); + } + + return(BadAlloc); +@@ -1015,7 +1025,7 @@ ProcDbeGetVisualInfo(ClientPtr client) + + if (pDrawables) + { +- DEALLOCATE_LOCAL(pDrawables); ++ Xfree(pDrawables); + } + + return(client->noClientException); +diff -pNur xorg-server-1.1.1.orig/render/render.c xorg-server-1.1.1/render/render.c +--- xorg-server-1.1.1.orig/render/render.c 2006-07-05 11:31:44.000000000 -0700 ++++ xorg-server-1.1.1/render/render.c 2007-01-18 21:46:13.000000000 -0800 +@@ -49,6 +49,12 @@ + #include <X11/Xfuncproto.h> + #include "cursorstr.h" + ++#if HAVE_STDINT_H ++#include <stdint.h> ++#elif !defined(UINT32_MAX) ++#define UINT32_MAX 0xffffffffU ++#endif ++ + static int ProcRenderQueryVersion (ClientPtr pClient); + static int ProcRenderQueryPictFormats (ClientPtr pClient); + static int ProcRenderQueryPictIndexValues (ClientPtr pClient); +@@ -1105,11 +1111,14 @@ ProcRenderAddGlyphs (ClientPtr client) + } + + nglyphs = stuff->nglyphs; ++ if (nglyphs > UINT32_MAX / sizeof(GlyphNewRec)) ++ return BadAlloc; ++ + if (nglyphs <= NLOCALGLYPH) + glyphsBase = glyphsLocal; + else + { +- glyphsBase = (GlyphNewPtr) ALLOCATE_LOCAL (nglyphs * sizeof (GlyphNewRec)); ++ glyphsBase = (GlyphNewPtr) Xalloc (nglyphs * sizeof (GlyphNewRec)); + if (!glyphsBase) + return BadAlloc; + } +@@ -1166,7 +1175,7 @@ ProcRenderAddGlyphs (ClientPtr client) + } + + if (glyphsBase != glyphsLocal) +- DEALLOCATE_LOCAL (glyphsBase); ++ Xfree (glyphsBase); + return client->noClientException; + bail: + while (glyphs != glyphsBase) +@@ -1175,7 +1184,7 @@ bail: + xfree (glyphs->glyph); + } + if (glyphsBase != glyphsLocal) +- DEALLOCATE_LOCAL (glyphsBase); ++ Xfree (glyphsBase); + return err; + } + -- http://linuxfromscratch.org/mailman/listinfo/patches FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
