Author: dnicholson Date: 2008-04-22 07:22:00 -0600 (Tue, 22 Apr 2008) New Revision: 1945
Added: trunk/libXfont/libXfont-1.2.8-pcf_parser-1.patch trunk/xorg-server/xorg-server-1.2.0-security-1.patch trunk/xorg/libXfont-1.2.8-pcf_parser-1.patch trunk/xorg/xorg-server-1.2.0-security-1.patch Log: Security patches for Xorg-7.2 Added: trunk/libXfont/libXfont-1.2.8-pcf_parser-1.patch =================================================================== --- trunk/libXfont/libXfont-1.2.8-pcf_parser-1.patch (rev 0) +++ trunk/libXfont/libXfont-1.2.8-pcf_parser-1.patch 2008-04-22 13:22:00 UTC (rev 1945) @@ -0,0 +1 @@ +link ../xorg/libXfont-1.2.8-pcf_parser-1.patch \ No newline at end of file Property changes on: trunk/libXfont/libXfont-1.2.8-pcf_parser-1.patch ___________________________________________________________________ Name: svn:special + * Added: trunk/xorg/libXfont-1.2.8-pcf_parser-1.patch =================================================================== --- trunk/xorg/libXfont-1.2.8-pcf_parser-1.patch (rev 0) +++ trunk/xorg/libXfont-1.2.8-pcf_parser-1.patch 2008-04-22 13:22:00 UTC (rev 1945) @@ -0,0 +1,31 @@ +Submitted By: Dan Nicholson <dnicholson AT linuxfromscratch DOT org> +Date: 2008-04-22 +Initial Package Version: 1.2.8 +Upstream Status: Applied (available in 1.3.2) +Origin: http://xorg.freedesktop.org/archive/X11R7.2/patches/ +Description: Fixes CVE-2008-0006 - PCF Font parser buffer overflow + http://lists.freedesktop.org/archives/xorg/2008-January/031918.html + +diff -pNur libXfont-1.2.8.orig/src/bitmap/pcfread.c libXfont-1.2.8/src/bitmap/pcfread.c +--- libXfont-1.2.8.orig/src/bitmap/pcfread.c 2006-08-29 19:15:50.000000000 -0700 ++++ libXfont-1.2.8/src/bitmap/pcfread.c 2008-04-21 20:15:16.000000000 -0700 +@@ -588,6 +588,9 @@ pcfReadFont(FontPtr pFont, FontFilePtr f + pFont->info.lastRow = pcfGetINT16(file, format); + pFont->info.defaultCh = pcfGetINT16(file, format); + if (IS_EOF(file)) goto Bail; ++ if (pFont->info.firstCol > pFont->info.lastCol || ++ pFont->info.firstRow > pFont->info.lastRow || ++ pFont->info.lastCol-pFont->info.firstCol > 255) goto Bail; + + nencoding = (pFont->info.lastCol - pFont->info.firstCol + 1) * + (pFont->info.lastRow - pFont->info.firstRow + 1); +@@ -726,6 +729,9 @@ pcfReadFontInfo(FontInfoPtr pFontInfo, F + pFontInfo->lastRow = pcfGetINT16(file, format); + pFontInfo->defaultCh = pcfGetINT16(file, format); + if (IS_EOF(file)) goto Bail; ++ if (pFontInfo->firstCol > pFontInfo->lastCol || ++ pFontInfo->firstRow > pFontInfo->lastRow || ++ pFontInfo->lastCol-pFontInfo->firstCol > 255) goto Bail; + + nencoding = (pFontInfo->lastCol - pFontInfo->firstCol + 1) * + (pFontInfo->lastRow - pFontInfo->firstRow + 1); Added: trunk/xorg/xorg-server-1.2.0-security-1.patch =================================================================== --- trunk/xorg/xorg-server-1.2.0-security-1.patch (rev 0) +++ trunk/xorg/xorg-server-1.2.0-security-1.patch 2008-04-22 13:22:00 UTC (rev 1945) @@ -0,0 +1,550 @@ +Submitted By: Dan Nicholson <dnicholson AT linuxfromscratch DOT org> +Date: 2008-04-22 +Initial Package Version: 1.2.0 +Upstream Status: Applied +Origin: http://xorg.freedesktop.org/archive/X11R7.2/patches/ + xorg-xserver-1.2.0-xcmisc.diff + xorg-xserver-1.2-multiple-overflows-v2.diff +Description: Fixes for CVE-2007-1003, CVE-2007-1351, CVE-2007-1352, + CVE-2007-1352, CVE-2007-5760, CVE-2007-5958, CVE-2007-6427, + CVE-2007-6428, CVE-2007-6429, and CVE-2008-0006. + http://lists.freedesktop.org/archives/xorg-announce/2007-October/000416.html + http://lists.freedesktop.org/archives/xorg/2008-January/031918.html + +diff -pNur xorg-server-1.2.0.orig/dix/dixfonts.c xorg-server-1.2.0/dix/dixfonts.c +--- xorg-server-1.2.0.orig/dix/dixfonts.c 2007-01-22 21:39:15.000000000 -0800 ++++ xorg-server-1.2.0/dix/dixfonts.c 2008-04-22 06:02:52.000000000 -0700 +@@ -329,6 +329,13 @@ doOpenFont(ClientPtr client, OFclosurePt + err = BadFontName; + goto bail; + } ++ /* check values for firstCol, lastCol, firstRow, and lastRow */ ++ if (pfont->info.firstCol > pfont->info.lastCol || ++ pfont->info.firstRow > pfont->info.lastRow || ++ pfont->info.lastCol - pfont->info.firstCol > 255) { ++ err = AllocError; ++ goto bail; ++ } + if (!pfont->fpe) + pfont->fpe = fpe; + pfont->refcnt++; +diff -pNur xorg-server-1.2.0.orig/hw/xfree86/common/xf86MiscExt.c xorg-server-1.2.0/hw/xfree86/common/xf86MiscExt.c +--- xorg-server-1.2.0.orig/hw/xfree86/common/xf86MiscExt.c 2007-01-22 21:39:16.000000000 -0800 ++++ xorg-server-1.2.0/hw/xfree86/common/xf86MiscExt.c 2008-04-22 06:02:52.000000000 -0700 +@@ -640,6 +640,10 @@ MiscExtPassMessage(int scrnIndex, const + + DEBUG_P("MiscExtPassMessage"); + ++ /* should check this in the protocol, but xf86NumScreens isn't exported */ ++ if (scrnIndex >= xf86NumScreens) ++ return BadValue; ++ + if (*pScr->HandleMessage == NULL) + return BadImplementation; + return (*pScr->HandleMessage)(scrnIndex, msgtype, msgval, retstr); +diff -pNur xorg-server-1.2.0.orig/Xext/cup.c xorg-server-1.2.0/Xext/cup.c +--- xorg-server-1.2.0.orig/Xext/cup.c 2007-01-22 21:39:15.000000000 -0800 ++++ xorg-server-1.2.0/Xext/cup.c 2008-04-22 06:02:52.000000000 -0700 +@@ -196,6 +196,9 @@ int ProcGetReservedColormapEntries( + + REQUEST_SIZE_MATCH (xXcupGetReservedColormapEntriesReq); + ++ if (stuff->screen >= screenInfo.numScreens) ++ return BadValue; ++ + #ifndef HAVE_SPECIAL_DESKTOP_COLORS + citems[CUP_BLACK_PIXEL].pixel = + screenInfo.screens[stuff->screen]->blackPixel; +diff -pNur xorg-server-1.2.0.orig/Xext/EVI.c xorg-server-1.2.0/Xext/EVI.c +--- xorg-server-1.2.0.orig/Xext/EVI.c 2007-01-22 21:39:15.000000000 -0800 ++++ xorg-server-1.2.0/Xext/EVI.c 2008-04-22 06:02:52.000000000 -0700 +@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. + #include <X11/extensions/XEVIstr.h> + #include "EVIstruct.h" + #include "modinit.h" ++#include "scrnintstr.h" + + #if 0 + static unsigned char XEVIReqCode = 0; +@@ -87,10 +88,22 @@ ProcEVIGetVisualInfo(ClientPtr client) + { + REQUEST(xEVIGetVisualInfoReq); + xEVIGetVisualInfoReply rep; +- int n, n_conflict, n_info, sz_info, sz_conflict; ++ int i, n, n_conflict, n_info, sz_info, sz_conflict; + VisualID32 *conflict; ++ unsigned int total_visuals = 0; + xExtendedVisualInfo *eviInfo; + int status; ++ ++ /* ++ * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume ++ * here that you don't have more than 2^32 visuals over all your screens; ++ * this seems like a safe assumption. ++ */ ++ for (i = 0; i < screenInfo.numScreens; i++) ++ total_visuals += screenInfo.screens[i]->numVisuals; ++ if (stuff->n_visual > total_visuals) ++ return BadValue; ++ + REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32); + status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual, + &eviInfo, &n_info, &conflict, &n_conflict); +diff -pNur xorg-server-1.2.0.orig/Xext/sampleEVI.c xorg-server-1.2.0/Xext/sampleEVI.c +--- xorg-server-1.2.0.orig/Xext/sampleEVI.c 2007-01-22 21:39:15.000000000 -0800 ++++ xorg-server-1.2.0/Xext/sampleEVI.c 2008-04-22 06:02:52.000000000 -0700 +@@ -35,6 +35,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. + #include <X11/extensions/XEVIstr.h> + #include "EVIstruct.h" + #include "scrnintstr.h" ++ ++#if HAVE_STDINT_H ++#include <stdint.h> ++#elif !defined(UINT32_MAX) ++#define UINT32_MAX 0xffffffffU ++#endif ++ + static int sampleGetVisualInfo( + VisualID32 *visual, + int n_visual, +@@ -43,24 +50,36 @@ static int sampleGetVisualInfo( + VisualID32 **conflict_rn, + int *n_conflict_rn) + { +- int max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens; ++ unsigned int max_sz_evi; + VisualID32 *temp_conflict; + xExtendedVisualInfo *evi; +- int max_visuals = 0, max_sz_conflict, sz_conflict = 0; ++ unsigned int max_visuals = 0, max_sz_conflict, sz_conflict = 0; + register int visualI, scrI, sz_evi = 0, conflictI, n_conflict; +- *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi); +- if (!*evi_rn) +- return BadAlloc; ++ ++ if (n_visual > UINT32_MAX/(sz_xExtendedVisualInfo * screenInfo.numScreens)) ++ return BadAlloc; ++ max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens; ++ + for (scrI = 0; scrI < screenInfo.numScreens; scrI++) { + if (screenInfo.screens[scrI]->numVisuals > max_visuals) + max_visuals = screenInfo.screens[scrI]->numVisuals; + } ++ ++ if (n_visual > UINT32_MAX/(sz_VisualID32 * screenInfo.numScreens ++ * max_visuals)) ++ return BadAlloc; + max_sz_conflict = n_visual * sz_VisualID32 * screenInfo.numScreens * max_visuals; ++ ++ *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi); ++ if (!*evi_rn) ++ return BadAlloc; ++ + temp_conflict = (VisualID32 *)xalloc(max_sz_conflict); + if (!temp_conflict) { + xfree(*evi_rn); + return BadAlloc; + } ++ + for (scrI = 0; scrI < screenInfo.numScreens; scrI++) { + for (visualI = 0; visualI < n_visual; visualI++) { + evi[sz_evi].core_visual_id = visual[visualI]; +diff -pNur xorg-server-1.2.0.orig/Xext/security.c xorg-server-1.2.0/Xext/security.c +--- xorg-server-1.2.0.orig/Xext/security.c 2007-01-22 21:39:15.000000000 -0800 ++++ xorg-server-1.2.0/Xext/security.c 2008-04-22 06:02:52.000000000 -0700 +@@ -1567,7 +1567,7 @@ SecurityLoadPropertyAccessList(void) + return; + + #ifndef __UNIXOS2__ +- f = fopen(SecurityPolicyFile, "r"); ++ f = Fopen(SecurityPolicyFile, "r"); + #else + f = fopen((char*)__XOS2RedirRoot(SecurityPolicyFile), "r"); + #endif +@@ -1653,7 +1653,7 @@ SecurityLoadPropertyAccessList(void) + } + #endif /* PROPDEBUG */ + +- fclose(f); ++ Fclose(f); + } /* SecurityLoadPropertyAccessList */ + + +diff -pNur xorg-server-1.2.0.orig/Xext/shm.c xorg-server-1.2.0/Xext/shm.c +--- xorg-server-1.2.0.orig/Xext/shm.c 2007-01-22 21:39:15.000000000 -0800 ++++ xorg-server-1.2.0/Xext/shm.c 2008-04-22 06:02:52.000000000 -0700 +@@ -723,6 +723,8 @@ ProcPanoramiXShmCreatePixmap( + int i, j, result; + ShmDescPtr shmdesc; + REQUEST(xShmCreatePixmapReq); ++ unsigned int width, height, depth; ++ unsigned long size; + PanoramiXRes *newPix; + + REQUEST_SIZE_MATCH(xShmCreatePixmapReq); +@@ -732,11 +734,18 @@ ProcPanoramiXShmCreatePixmap( + LEGAL_NEW_RESOURCE(stuff->pid, client); + VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); + VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); +- if (!stuff->width || !stuff->height) ++ ++ width = stuff->width; ++ height = stuff->height; ++ depth = stuff->depth; ++ if (!width || !height || !depth) + { + client->errorValue = 0; + return BadValue; + } ++ if (width > 32767 || height > 32767) ++ return BadAlloc; ++ + if (stuff->depth != 1) + { + pDepth = pDraw->pScreen->allowedDepths; +@@ -746,10 +755,18 @@ ProcPanoramiXShmCreatePixmap( + client->errorValue = stuff->depth; + return BadValue; + } ++ + CreatePmap: +- VERIFY_SHMSIZE(shmdesc, stuff->offset, +- PixmapBytePad(stuff->width, stuff->depth) * stuff->height, +- client); ++ size = PixmapBytePad(width, depth) * height; ++ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { ++ if (size < width * height) ++ return BadAlloc; ++ /* thankfully, offset is unsigned */ ++ if (stuff->offset + size < size) ++ return BadAlloc; ++ } ++ ++ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); + + if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) + return BadAlloc; +@@ -1047,6 +1064,8 @@ ProcShmCreatePixmap(client) + register int i; + ShmDescPtr shmdesc; + REQUEST(xShmCreatePixmapReq); ++ unsigned int width, height, depth; ++ unsigned long size; + + REQUEST_SIZE_MATCH(xShmCreatePixmapReq); + client->errorValue = stuff->pid; +@@ -1055,11 +1074,18 @@ ProcShmCreatePixmap(client) + LEGAL_NEW_RESOURCE(stuff->pid, client); + VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); + VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); +- if (!stuff->width || !stuff->height) ++ ++ width = stuff->width; ++ height = stuff->height; ++ depth = stuff->depth; ++ if (!width || !height || !depth) + { + client->errorValue = 0; + return BadValue; + } ++ if (width > 32767 || height > 32767) ++ return BadAlloc; ++ + if (stuff->depth != 1) + { + pDepth = pDraw->pScreen->allowedDepths; +@@ -1069,10 +1095,18 @@ ProcShmCreatePixmap(client) + client->errorValue = stuff->depth; + return BadValue; + } ++ + CreatePmap: +- VERIFY_SHMSIZE(shmdesc, stuff->offset, +- PixmapBytePad(stuff->width, stuff->depth) * stuff->height, +- client); ++ size = PixmapBytePad(width, depth) * height; ++ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { ++ if (size < width * height) ++ return BadAlloc; ++ /* thankfully, offset is unsigned */ ++ if (stuff->offset + size < size) ++ return BadAlloc; ++ } ++ ++ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); + pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( + pDraw->pScreen, stuff->width, + stuff->height, stuff->depth, +diff -pNur xorg-server-1.2.0.orig/Xext/xcmisc.c xorg-server-1.2.0/Xext/xcmisc.c +--- xorg-server-1.2.0.orig/Xext/xcmisc.c 2007-01-22 21:39:15.000000000 -0800 ++++ xorg-server-1.2.0/Xext/xcmisc.c 2008-04-22 06:09:46.000000000 -0700 +@@ -42,6 +42,12 @@ from The Open Group. + #include <X11/extensions/xcmiscstr.h> + #include "modinit.h" + ++#if HAVE_STDINT_H ++#include <stdint.h> ++#elif !defined(UINT32_MAX) ++#define UINT32_MAX 0xffffffffU ++#endif ++ + #if 0 + static unsigned char XCMiscCode; + #endif +@@ -143,7 +149,10 @@ ProcXCMiscGetXIDList(client) + + REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq); + +- pids = (XID *)ALLOCATE_LOCAL(stuff->count * sizeof(XID)); ++ if (stuff->count > UINT32_MAX / sizeof(XID)) ++ return BadAlloc; ++ ++ pids = (XID *)Xalloc(stuff->count * sizeof(XID)); + if (!pids) + { + return BadAlloc; +@@ -164,7 +173,7 @@ ProcXCMiscGetXIDList(client) + client->pSwapReplyFunc = (ReplySwapPtr) Swap32Write; + WriteSwappedDataToClient(client, count * sizeof(XID), pids); + } +- DEALLOCATE_LOCAL(pids); ++ Xfree(pids); + return(client->noClientException); + } + +diff -pNur xorg-server-1.2.0.orig/Xi/chgfctl.c xorg-server-1.2.0/Xi/chgfctl.c +--- xorg-server-1.2.0.orig/Xi/chgfctl.c 2007-01-22 21:39:15.000000000 -0800 ++++ xorg-server-1.2.0/Xi/chgfctl.c 2008-04-22 06:02:52.000000000 -0700 +@@ -451,18 +451,13 @@ ChangeStringFeedback(ClientPtr client, D + xStringFeedbackCtl * f) + { + register char n; +- register long *p; + int i, j; + KeySym *syms, *sup_syms; + + syms = (KeySym *) (f + 1); + if (client->swapped) { + swaps(&f->length, n); /* swapped num_keysyms in calling proc */ +- p = (long *)(syms); +- for (i = 0; i < f->num_keysyms; i++) { +- swapl(p, n); +- p++; +- } ++ SwapLongs((CARD32 *) syms, f->num_keysyms); + } + + if (f->num_keysyms > s->ctrl.max_symbols) { +diff -pNur xorg-server-1.2.0.orig/Xi/chgkmap.c xorg-server-1.2.0/Xi/chgkmap.c +--- xorg-server-1.2.0.orig/Xi/chgkmap.c 2007-01-22 21:39:15.000000000 -0800 ++++ xorg-server-1.2.0/Xi/chgkmap.c 2008-04-22 06:02:52.000000000 -0700 +@@ -79,18 +79,14 @@ int + SProcXChangeDeviceKeyMapping(register ClientPtr client) + { + register char n; +- register long *p; +- register int i, count; ++ unsigned int count; + + REQUEST(xChangeDeviceKeyMappingReq); + swaps(&stuff->length, n); + REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq); +- p = (long *)&stuff[1]; + count = stuff->keyCodes * stuff->keySymsPerKeyCode; +- for (i = 0; i < count; i++) { +- swapl(p, n); +- p++; +- } ++ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32)); ++ SwapLongs((CARD32 *) (&stuff[1]), count); + return (ProcXChangeDeviceKeyMapping(client)); + } + +@@ -106,10 +102,14 @@ ProcXChangeDeviceKeyMapping(register Cli + int ret; + unsigned len; + DeviceIntPtr dev; ++ unsigned int count; + + REQUEST(xChangeDeviceKeyMappingReq); + REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq); + ++ count = stuff->keyCodes * stuff->keySymsPerKeyCode; ++ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32)); ++ + dev = LookupDeviceIntRec(stuff->deviceid); + if (dev == NULL) { + SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0, +diff -pNur xorg-server-1.2.0.orig/Xi/chgprop.c xorg-server-1.2.0/Xi/chgprop.c +--- xorg-server-1.2.0.orig/Xi/chgprop.c 2007-01-22 21:39:15.000000000 -0800 ++++ xorg-server-1.2.0/Xi/chgprop.c 2008-04-22 06:02:52.000000000 -0700 +@@ -81,19 +81,15 @@ int + SProcXChangeDeviceDontPropagateList(register ClientPtr client) + { + register char n; +- register long *p; +- register int i; + + REQUEST(xChangeDeviceDontPropagateListReq); + swaps(&stuff->length, n); + REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq); + swapl(&stuff->window, n); + swaps(&stuff->count, n); +- p = (long *)&stuff[1]; +- for (i = 0; i < stuff->count; i++) { +- swapl(p, n); +- p++; +- } ++ REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq, ++ stuff->count * sizeof(CARD32)); ++ SwapLongs((CARD32 *) (&stuff[1]), stuff->count); + return (ProcXChangeDeviceDontPropagateList(client)); + } + +diff -pNur xorg-server-1.2.0.orig/Xi/grabdevb.c xorg-server-1.2.0/Xi/grabdevb.c +--- xorg-server-1.2.0.orig/Xi/grabdevb.c 2007-01-22 21:39:15.000000000 -0800 ++++ xorg-server-1.2.0/Xi/grabdevb.c 2008-04-22 06:02:52.000000000 -0700 +@@ -80,8 +80,6 @@ int + SProcXGrabDeviceButton(register ClientPtr client) + { + register char n; +- register long *p; +- register int i; + + REQUEST(xGrabDeviceButtonReq); + swaps(&stuff->length, n); +@@ -89,11 +87,9 @@ SProcXGrabDeviceButton(register ClientPt + swapl(&stuff->grabWindow, n); + swaps(&stuff->modifiers, n); + swaps(&stuff->event_count, n); +- p = (long *)&stuff[1]; +- for (i = 0; i < stuff->event_count; i++) { +- swapl(p, n); +- p++; +- } ++ REQUEST_FIXED_SIZE(xGrabDeviceButtonReq, ++ stuff->event_count * sizeof(CARD32)); ++ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count); + + return (ProcXGrabDeviceButton(client)); + } +diff -pNur xorg-server-1.2.0.orig/Xi/grabdev.c xorg-server-1.2.0/Xi/grabdev.c +--- xorg-server-1.2.0.orig/Xi/grabdev.c 2007-01-22 21:39:15.000000000 -0800 ++++ xorg-server-1.2.0/Xi/grabdev.c 2008-04-22 06:02:52.000000000 -0700 +@@ -82,8 +82,6 @@ int + SProcXGrabDevice(register ClientPtr client) + { + register char n; +- register long *p; +- register int i; + + REQUEST(xGrabDeviceReq); + swaps(&stuff->length, n); +@@ -91,11 +89,11 @@ SProcXGrabDevice(register ClientPtr clie + swapl(&stuff->grabWindow, n); + swapl(&stuff->time, n); + swaps(&stuff->event_count, n); +- p = (long *)&stuff[1]; +- for (i = 0; i < stuff->event_count; i++) { +- swapl(p, n); +- p++; +- } ++ ++ if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count) ++ return BadLength; ++ ++ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count); + + return (ProcXGrabDevice(client)); + } +diff -pNur xorg-server-1.2.0.orig/Xi/grabdevk.c xorg-server-1.2.0/Xi/grabdevk.c +--- xorg-server-1.2.0.orig/Xi/grabdevk.c 2007-01-22 21:39:15.000000000 -0800 ++++ xorg-server-1.2.0/Xi/grabdevk.c 2008-04-22 06:02:52.000000000 -0700 +@@ -80,8 +80,6 @@ int + SProcXGrabDeviceKey(register ClientPtr client) + { + register char n; +- register long *p; +- register int i; + + REQUEST(xGrabDeviceKeyReq); + swaps(&stuff->length, n); +@@ -89,11 +87,8 @@ SProcXGrabDeviceKey(register ClientPtr c + swapl(&stuff->grabWindow, n); + swaps(&stuff->modifiers, n); + swaps(&stuff->event_count, n); +- p = (long *)&stuff[1]; +- for (i = 0; i < stuff->event_count; i++) { +- swapl(p, n); +- p++; +- } ++ REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32)); ++ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count); + return (ProcXGrabDeviceKey(client)); + } + +diff -pNur xorg-server-1.2.0.orig/Xi/selectev.c xorg-server-1.2.0/Xi/selectev.c +--- xorg-server-1.2.0.orig/Xi/selectev.c 2007-01-22 21:39:15.000000000 -0800 ++++ xorg-server-1.2.0/Xi/selectev.c 2008-04-22 06:02:52.000000000 -0700 +@@ -84,19 +84,16 @@ int + SProcXSelectExtensionEvent(register ClientPtr client) + { + register char n; +- register long *p; +- register int i; + + REQUEST(xSelectExtensionEventReq); + swaps(&stuff->length, n); + REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq); + swapl(&stuff->window, n); + swaps(&stuff->count, n); +- p = (long *)&stuff[1]; +- for (i = 0; i < stuff->count; i++) { +- swapl(p, n); +- p++; +- } ++ REQUEST_FIXED_SIZE(xSelectExtensionEventReq, ++ stuff->count * sizeof(CARD32)); ++ SwapLongs((CARD32 *) (&stuff[1]), stuff->count); ++ + return (ProcXSelectExtensionEvent(client)); + } + +diff -pNur xorg-server-1.2.0.orig/Xi/sendexev.c xorg-server-1.2.0/Xi/sendexev.c +--- xorg-server-1.2.0.orig/Xi/sendexev.c 2007-01-22 21:39:15.000000000 -0800 ++++ xorg-server-1.2.0/Xi/sendexev.c 2008-04-22 06:02:52.000000000 -0700 +@@ -83,7 +83,7 @@ int + SProcXSendExtensionEvent(register ClientPtr client) + { + register char n; +- register long *p; ++ CARD32 *p; + register int i; + xEvent eventT; + xEvent *eventP; +@@ -94,6 +94,11 @@ SProcXSendExtensionEvent(register Client + REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq); + swapl(&stuff->destination, n); + swaps(&stuff->count, n); ++ ++ if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count + ++ (stuff->num_events * (sizeof(xEvent) >> 2))) ++ return BadLength; ++ + eventP = (xEvent *) & stuff[1]; + for (i = 0; i < stuff->num_events; i++, eventP++) { + proc = EventSwapVector[eventP->u.u.type & 0177]; +@@ -103,11 +108,8 @@ SProcXSendExtensionEvent(register Client + *eventP = eventT; + } + +- p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events); +- for (i = 0; i < stuff->count; i++) { +- swapl(p, n); +- p++; +- } ++ p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events); ++ SwapLongs(p, stuff->count); + return (ProcXSendExtensionEvent(client)); + } + Added: trunk/xorg-server/xorg-server-1.2.0-security-1.patch =================================================================== --- trunk/xorg-server/xorg-server-1.2.0-security-1.patch (rev 0) +++ trunk/xorg-server/xorg-server-1.2.0-security-1.patch 2008-04-22 13:22:00 UTC (rev 1945) @@ -0,0 +1 @@ +link ../xorg/xorg-server-1.2.0-security-1.patch \ No newline at end of file Property changes on: trunk/xorg-server/xorg-server-1.2.0-security-1.patch ___________________________________________________________________ Name: svn:special + * -- http://linuxfromscratch.org/mailman/listinfo/patches FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
