Author: archaic Date: 2007-04-28 20:32:38 -0600 (Sat, 28 Apr 2007) New Revision: 1803
Added: trunk/xorg/libX11-1.1.1-xinitimage-1.patch trunk/xorg/libXfont-1.2.7-bdf_fontsdir-1.patch trunk/xorg/xorg-server-1.2.0-xcmisc-1.patch Log: Added some upstream patches for xorg-7.2. Added: trunk/xorg/libX11-1.1.1-xinitimage-1.patch =================================================================== --- trunk/xorg/libX11-1.1.1-xinitimage-1.patch (rev 0) +++ trunk/xorg/libX11-1.1.1-xinitimage-1.patch 2007-04-29 02:32:38 UTC (rev 1803) @@ -0,0 +1,94 @@ +Submitted By: Archaic <archaic AT linuxfromscratch DOT org> +Date: 2007-04-28 +Initial Package Version: 1.1.1 +Upstream Status: Applied +Origin: http://xorg.freedesktop.org/archive/X11R7.2/patches/ +Description: Fixes possible memory corruption from specially crafted images. +http://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.html + +diff -Naur libX11-1.1.1.orig/src/ImUtil.c libX11-1.1.1/src/ImUtil.c +--- libX11-1.1.1.orig/src/ImUtil.c 2006-09-25 10:57:47.000000000 +0000 ++++ libX11-1.1.1/src/ImUtil.c 2007-04-29 01:48:51.000000000 +0000 +@@ -327,12 +327,13 @@ + { + register XImage *image; + int bits_per_pixel = 1; ++ int min_bytes_per_line; + + if (depth == 0 || depth > 32 || + (format != XYBitmap && format != XYPixmap && format != ZPixmap) || + (format == XYBitmap && depth != 1) || + (xpad != 8 && xpad != 16 && xpad != 32) || +- offset < 0 || image_bytes_per_line < 0) ++ offset < 0) + return (XImage *) NULL; + if ((image = (XImage *) Xcalloc(1, (unsigned) sizeof(XImage))) == NULL) + return (XImage *) NULL; +@@ -363,16 +364,21 @@ + /* + * compute per line accelerator. + */ +- if (image_bytes_per_line == 0) + { + if (format == ZPixmap) +- image->bytes_per_line = ++ min_bytes_per_line = + ROUNDUP((bits_per_pixel * width), image->bitmap_pad); + else +- image->bytes_per_line = ++ min_bytes_per_line = + ROUNDUP((width + offset), image->bitmap_pad); + } +- else image->bytes_per_line = image_bytes_per_line; ++ if (image_bytes_per_line == 0) { ++ image->bytes_per_line = min_bytes_per_line; ++ } else if (image_bytes_per_line < min_bytes_per_line) { ++ return 0; ++ } else { ++ image->bytes_per_line = image_bytes_per_line; ++ } + + image->bits_per_pixel = bits_per_pixel; + image->obdata = NULL; +@@ -384,7 +390,11 @@ + Status XInitImage (image) + XImage *image; + { ++ int min_bytes_per_line; ++ + if (image->depth == 0 || image->depth > 32 || ++ image->bits_per_pixel > 32 || image->bitmap_unit > 32 || ++ image->bits_per_pixel < 0 || image->bitmap_unit < 0 || + (image->format != XYBitmap && + image->format != XYPixmap && + image->format != ZPixmap) || +@@ -392,21 +402,24 @@ + (image->bitmap_pad != 8 && + image->bitmap_pad != 16 && + image->bitmap_pad != 32) || +- image->xoffset < 0 || image->bytes_per_line < 0) ++ image->xoffset < 0) + return 0; + + /* + * compute per line accelerator. + */ +- if (image->bytes_per_line == 0) +- { + if (image->format == ZPixmap) +- image->bytes_per_line = ++ min_bytes_per_line = + ROUNDUP((image->bits_per_pixel * image->width), + image->bitmap_pad); + else +- image->bytes_per_line = ++ min_bytes_per_line = + ROUNDUP((image->width + image->xoffset), image->bitmap_pad); ++ ++ if (image->bytes_per_line == 0) { ++ image->bytes_per_line = min_bytes_per_line; ++ } else if (image->bytes_per_line < min_bytes_per_line) { ++ return 0; + } + + _XInitImageFuncPtrs (image); Added: trunk/xorg/libXfont-1.2.7-bdf_fontsdir-1.patch =================================================================== --- trunk/xorg/libXfont-1.2.7-bdf_fontsdir-1.patch (rev 0) +++ trunk/xorg/libXfont-1.2.7-bdf_fontsdir-1.patch 2007-04-29 02:32:38 UTC (rev 1803) @@ -0,0 +1,58 @@ +Submitted By: Archaic <archaic AT linuxfromscratch DOT org> +Date: 2007-04-28 +Initial Package Version: 1.2.7 +Upstream Status: Applied +Origin: http://xorg.freedesktop.org/archive/X11R7.2/patches/ +Description: Fixes possible memory corruption from specially crafted images and +a file parsing integer overflow. +http://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.html + +diff -Naur libXfont-1.2.7.orig/src/bitmap/bdfread.c libXfont-1.2.7/src/bitmap/bdfread.c +--- libXfont-1.2.7.orig/src/bitmap/bdfread.c 2006-07-04 18:55:31.000000000 +0000 ++++ libXfont-1.2.7/src/bitmap/bdfread.c 2007-04-29 02:05:54.000000000 +0000 +@@ -65,6 +65,12 @@ + #include <X11/fonts/bitmap.h> + #include <X11/fonts/bdfint.h> + ++#if HAVE_STDINT_H ++#include <stdint.h> ++#elif !defined(INT32_MAX) ++#define INT32_MAX 0x7fffffff ++#endif ++ + #define INDICES 256 + #define MAXENCODING 0xFFFF + #define BDFLINELEN 1024 +@@ -288,6 +294,11 @@ + bdfError("invalid number of CHARS in BDF file\n"); + return (FALSE); + } ++ if (nchars > INT32_MAX / sizeof(CharInfoRec)) { ++ bdfError("Couldn't allocate pCI (%d*%d)\n", nchars, ++ sizeof(CharInfoRec)); ++ goto BAILOUT; ++ } + ci = (CharInfoPtr) xalloc(nchars * sizeof(CharInfoRec)); + if (!ci) { + bdfError("Couldn't allocate pCI (%d*%d)\n", nchars, +diff -Naur libXfont-1.2.7.orig/src/fontfile/fontdir.c libXfont-1.2.7/src/fontfile/fontdir.c +--- libXfont-1.2.7.orig/src/fontfile/fontdir.c 2006-07-04 18:55:31.000000000 +0000 ++++ libXfont-1.2.7/src/fontfile/fontdir.c 2007-04-29 02:05:54.000000000 +0000 +@@ -38,9 +38,17 @@ + #include <X11/fonts/fntfilst.h> + #include <X11/keysym.h> + ++#if HAVE_STDINT_H ++#include <stdint.h> ++#elif !defined(INT32_MAX) ++#define INT32_MAX 0x7fffffff ++#endif ++ + Bool + FontFileInitTable (FontTablePtr table, int size) + { ++ if (size < 0 || (size > INT32_MAX/sizeof(FontEntryRec))) ++ return FALSE; + if (size) + { + table->entries = (FontEntryPtr) xalloc(sizeof(FontEntryRec) * size); Added: trunk/xorg/xorg-server-1.2.0-xcmisc-1.patch =================================================================== --- trunk/xorg/xorg-server-1.2.0-xcmisc-1.patch (rev 0) +++ trunk/xorg/xorg-server-1.2.0-xcmisc-1.patch 2007-04-29 02:32:38 UTC (rev 1803) @@ -0,0 +1,45 @@ +Submitted By: Archaic <archaic AT linuxfromscratch DOT org> +Date: 2007-04-28 +Initial Package Version: 1.2.0 +Upstream Status: Applied +Origin: http://xorg.freedesktop.org/archive/X11R7.2/patches/ +Description: Fixes possible integer overflow in XC-MISC extension. +http://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.html + +diff -Naur xorg-server-1.2.0.orig/Xext/xcmisc.c xorg-server-1.2.0/Xext/xcmisc.c +--- xorg-server-1.2.0.orig/Xext/xcmisc.c 2007-01-23 05:39:15.000000000 +0000 ++++ xorg-server-1.2.0/Xext/xcmisc.c 2007-04-29 02:18:13.000000000 +0000 +@@ -42,6 +42,12 @@ + #include <X11/extensions/xcmiscstr.h> + #include "modinit.h" + ++#if HAVE_STDINT_H ++#include <stdint.h> ++#elif !defined(UINT32_MAX) ++#define UINT32_MAX 0xffffffffU ++#endif ++ + #if 0 + static unsigned char XCMiscCode; + #endif +@@ -143,7 +149,10 @@ + + REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq); + +- pids = (XID *)ALLOCATE_LOCAL(stuff->count * sizeof(XID)); ++ if (stuff->count > UINT32_MAX / sizeof(XID)) ++ return BadAlloc; ++ ++ pids = (XID *)Xalloc(stuff->count * sizeof(XID)); + if (!pids) + { + return BadAlloc; +@@ -164,7 +173,7 @@ + client->pSwapReplyFunc = (ReplySwapPtr) Swap32Write; + WriteSwappedDataToClient(client, count * sizeof(XID), pids); + } +- DEALLOCATE_LOCAL(pids); ++ Xfree(pids); + return(client->noClientException); + } + -- http://linuxfromscratch.org/mailman/listinfo/patches FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
