Module Name: xsrc Committed By: bouyer Date: Wed Oct 5 09:50:10 UTC 2016
Modified Files: xsrc/xfree/xc/lib/X11 [netbsd-7]: FontNames.c GetImage.c ListExt.c ModMap.c Xlibint.h xsrc/xfree/xc/lib/Xi [netbsd-7]: XGMotion.c XGetBMap.c XGetDCtl.c XGetFCtl.c XGetKMap.c XGetMMap.c XOpenDev.c XQueryDv.c xsrc/xfree/xc/lib/Xrender [netbsd-7]: Filter.c Xrender.c xsrc/xfree/xc/lib/Xtst [netbsd-7]: XRecord.c xsrc/xfree/xc/lib/Xv [netbsd-7]: Xv.c xsrc/xfree/xc/programs/Xserver/include [netbsd-7]: dix.h Log Message: Apply patch, requested my mrg in ticket 1263: xsrc/xfree/xc/lib/X11/FontNames.c patch xsrc/xfree/xc/lib/X11/GetImage.c patch xsrc/xfree/xc/lib/X11/ListExt.c patch xsrc/xfree/xc/lib/X11/ModMap.c patch xsrc/xfree/xc/lib/X11/Xlibint.h patch xsrc/xfree/xc/lib/Xi/XGMotion.c patch xsrc/xfree/xc/lib/Xi/XGetBMap.c patch xsrc/xfree/xc/lib/Xi/XGetDCtl.c patch xsrc/xfree/xc/lib/Xi/XGetFCtl.c patch xsrc/xfree/xc/lib/Xi/XGetKMap.c patch xsrc/xfree/xc/lib/Xi/XGetMMap.c patch xsrc/xfree/xc/lib/Xi/XOpenDev.c patch xsrc/xfree/xc/lib/Xi/XQueryDv.c patch xsrc/xfree/xc/lib/Xrender/Filter.c patch xsrc/xfree/xc/lib/Xrender/Xrender.c patch xsrc/xfree/xc/lib/Xtst/XRecord.c patch xsrc/xfree/xc/lib/Xv/Xv.c patch xsrc/xfree/xc/programs/Xserver/include/dix.h patch Fix (backported from upstream) the following issues in X client libraries: libX11 - insufficient validation of data from the X server can cause out of boundary memory read (XGetImage()) or write (XListFonts()). Affected versions libX11 <= 1.6.3 libXfixes - insufficient validation of data from the X server can cause an integer overflow on 32 bit architectures. Affected versions : libXfixes <= 5.0.2 libXi - insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service). Affected versions libXi <= 1.7.6 libXrandr - insufficient validation of data from the X server can cause out of boundary memory writes. Affected versions: libXrandr <= 1.5.0 libXrender - insufficient validation of data from the X server can cause out of boundary memory writes. Affected version: libXrender <= 0.9.9 XRecord - insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service). Affected version libXtst <= 1.2.2 libXv - insufficient validation of data from the X server can cause out of boundary memory and memory corruption. CVE-2016-5407 affected versions libXv <= 1.0.10 libXvMC - insufficient validation of data from the X server can cause a one byte buffer read underrun. Affected versions: libXvMC <= 1.0.9 To generate a diff of this commit: cvs rdiff -u -r1.1.1.5 -r1.1.1.5.36.1 xsrc/xfree/xc/lib/X11/FontNames.c \ xsrc/xfree/xc/lib/X11/GetImage.c xsrc/xfree/xc/lib/X11/ModMap.c cvs rdiff -u -r1.1.1.4 -r1.1.1.4.38.1 xsrc/xfree/xc/lib/X11/ListExt.c cvs rdiff -u -r1.1.1.7.24.1 -r1.1.1.7.24.2 xsrc/xfree/xc/lib/X11/Xlibint.h cvs rdiff -u -r1.1.1.5 -r1.1.1.5.38.1 xsrc/xfree/xc/lib/Xi/XGMotion.c \ xsrc/xfree/xc/lib/Xi/XGetBMap.c xsrc/xfree/xc/lib/Xi/XGetDCtl.c \ xsrc/xfree/xc/lib/Xi/XGetFCtl.c xsrc/xfree/xc/lib/Xi/XGetMMap.c \ xsrc/xfree/xc/lib/Xi/XOpenDev.c xsrc/xfree/xc/lib/Xi/XQueryDv.c cvs rdiff -u -r1.1.1.6 -r1.1.1.6.36.1 xsrc/xfree/xc/lib/Xi/XGetKMap.c cvs rdiff -u -r1.1.1.1 -r1.1.1.1.38.1 xsrc/xfree/xc/lib/Xrender/Filter.c cvs rdiff -u -r1.1.1.5 -r1.1.1.5.38.1 xsrc/xfree/xc/lib/Xrender/Xrender.c cvs rdiff -u -r1.1.1.6 -r1.1.1.6.24.1 xsrc/xfree/xc/lib/Xtst/XRecord.c cvs rdiff -u -r1.1.1.6 -r1.1.1.6.24.1 xsrc/xfree/xc/lib/Xv/Xv.c cvs rdiff -u -r1.1.1.6.36.1 -r1.1.1.6.36.2 \ xsrc/xfree/xc/programs/Xserver/include/dix.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: xsrc/xfree/xc/lib/X11/FontNames.c diff -u xsrc/xfree/xc/lib/X11/FontNames.c:1.1.1.5 xsrc/xfree/xc/lib/X11/FontNames.c:1.1.1.5.36.1 --- xsrc/xfree/xc/lib/X11/FontNames.c:1.1.1.5 Fri Mar 5 14:24:07 2004 +++ xsrc/xfree/xc/lib/X11/FontNames.c Wed Oct 5 09:50:09 2016 @@ -29,6 +29,7 @@ in this Software without prior written a #define NEED_REPLIES #include "Xlibint.h" +#include <limits.h> char ** XListFonts( @@ -41,7 +42,9 @@ int *actualCount) /* RETURN */ register unsigned i; register int length; char **flist; - char *ch; + char *ch = NULL; + char *chend; + int count = 0; xListFontsReply rep; register xListFontsReq *req; register long rlen; @@ -63,9 +66,11 @@ int *actualCount) /* RETURN */ if (rep.nFonts) { flist = (char **)Xmalloc ((unsigned)rep.nFonts * sizeof(char *)); - rlen = rep.length << 2; - ch = (char *) Xmalloc((unsigned) (rlen + 1)); - /* +1 to leave room for last null-terminator */ + if (rep.length > 0 && rep.length < (INT_MAX >> 2)) { + rlen = rep.length << 2; + ch = (char *) Xmalloc((unsigned) (rlen + 1)); + /* +1 to leave room for last null-terminator */ + } if ((! flist) || (! ch)) { if (flist) Xfree((char *) flist); @@ -81,17 +86,33 @@ int *actualCount) /* RETURN */ /* * unpack into null terminated strings. */ + chend = ch + (rlen + 1); length = *(unsigned char *)ch; *ch = 1; /* make sure it is non-zero for XFreeFontNames */ for (i = 0; i < rep.nFonts; i++) { - flist[i] = ch + 1; /* skip over length */ - ch += length + 1; /* find next length ... */ - length = *(unsigned char *)ch; - *ch = '\0'; /* and replace with null-termination */ + if (ch + length < chend) { + flist[i] = ch + 1; /* skip over length */ + ch += length + 1; /* find next length ... */ + if (ch <= chend) { + length = *(unsigned char *)ch; + *ch = '\0'; /* and replace with null-termination */ + count++; + } else { + Xfree(flist); + flist = NULL; + count = 0; + break; + } + } else { + Xfree(flist); + flist = NULL; + count = 0; + break; + } } } else flist = (char **) NULL; - *actualCount = rep.nFonts; + *actualCount = count; UnlockDisplay(dpy); SyncHandle(); return (flist); Index: xsrc/xfree/xc/lib/X11/GetImage.c diff -u xsrc/xfree/xc/lib/X11/GetImage.c:1.1.1.5 xsrc/xfree/xc/lib/X11/GetImage.c:1.1.1.5.36.1 --- xsrc/xfree/xc/lib/X11/GetImage.c:1.1.1.5 Fri Mar 5 14:24:07 2004 +++ xsrc/xfree/xc/lib/X11/GetImage.c Wed Oct 5 09:50:09 2016 @@ -30,6 +30,7 @@ in this Software without prior written a #include "Xlibint.h" #include <X11/Xutil.h> /* for XDestroyImage */ #include "ImUtil.h" +#include <limits.h> #define ROUNDUP(nbytes, pad) (((((nbytes) - 1) + (pad)) / (pad)) * (pad)) @@ -56,6 +57,7 @@ XImage *XGetImage (dpy, d, x, y, width, char *data; long nbytes; XImage *image; + int planes; LockDisplay(dpy); GetReq (GetImage, req); /* @@ -85,18 +87,28 @@ XImage *XGetImage (dpy, d, x, y, width, return (XImage *) NULL; } _XReadPad (dpy, data, nbytes); - if (format == XYPixmap) - image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual), - Ones (plane_mask & - (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))), - format, 0, data, width, height, dpy->bitmap_pad, 0); - else /* format == ZPixmap */ - image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual), - rep.depth, ZPixmap, 0, data, width, height, - _XGetScanlinePad(dpy, (int) rep.depth), 0); + if (format == XYPixmap) { + image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual), + Ones (plane_mask & + (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))), + format, 0, data, width, height, dpy->bitmap_pad, 0); + planes = image->depth; + } else { /* format == ZPixmap */ + image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual), + rep.depth, ZPixmap, 0, data, width, height, + _XGetScanlinePad(dpy, (int) rep.depth), 0); + planes = 1; + } if (!image) Xfree(data); + if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 || + INT_MAX / image->height <= image->bytes_per_line || + INT_MAX / planes <= image->height * image->bytes_per_line || + nbytes < planes * image->height * image->bytes_per_line) { + XDestroyImage(image); + image = NULL; + } UnlockDisplay(dpy); SyncHandle(); return (image); Index: xsrc/xfree/xc/lib/X11/ModMap.c diff -u xsrc/xfree/xc/lib/X11/ModMap.c:1.1.1.5 xsrc/xfree/xc/lib/X11/ModMap.c:1.1.1.5.36.1 --- xsrc/xfree/xc/lib/X11/ModMap.c:1.1.1.5 Fri Mar 5 14:24:08 2004 +++ xsrc/xfree/xc/lib/X11/ModMap.c Wed Oct 5 09:50:09 2016 @@ -28,6 +28,7 @@ in this Software without prior written a #define NEED_REPLIES #include "Xlibint.h" +#include <limits.h> XModifierKeymap * XGetModifierMapping(dpy) @@ -42,8 +43,13 @@ XGetModifierMapping(dpy) GetEmptyReq(GetModifierMapping, req); (void) _XReply (dpy, (xReply *)&rep, 0, xFalse); - nbytes = (unsigned long)rep.length << 2; - res = (XModifierKeymap *) Xmalloc(sizeof (XModifierKeymap)); + if (rep.length < (INT_MAX >> 2) && + (rep.length >> 1) == rep.numKeyPerModifier) { + nbytes = (unsigned long)rep.length << 2; + res = (XModifierKeymap *) Xmalloc(sizeof (XModifierKeymap)); + } else + res = NULL; + if (res) res->modifiermap = (KeyCode *) Xmalloc ((unsigned) nbytes); if ((! res) || (! res->modifiermap)) { if (res) Xfree((char *) res); Index: xsrc/xfree/xc/lib/X11/ListExt.c diff -u xsrc/xfree/xc/lib/X11/ListExt.c:1.1.1.4 xsrc/xfree/xc/lib/X11/ListExt.c:1.1.1.4.38.1 --- xsrc/xfree/xc/lib/X11/ListExt.c:1.1.1.4 Sat Jan 19 14:55:27 2002 +++ xsrc/xfree/xc/lib/X11/ListExt.c Wed Oct 5 09:50:09 2016 @@ -28,6 +28,7 @@ in this Software without prior written a #define NEED_REPLIES #include "Xlibint.h" +#include <limits.h> char **XListExtensions(dpy, nextensions) register Display *dpy; @@ -35,7 +36,9 @@ int *nextensions; /* RETURN */ { xListExtensionsReply rep; char **list; - char *ch; + char *ch = NULL; + char *chend; + int count = 0; register unsigned i; register int length; register xReq *req; @@ -53,9 +56,11 @@ int *nextensions; /* RETURN */ if (rep.nExtensions) { list = (char **) Xmalloc ( (unsigned)(rep.nExtensions * sizeof (char *))); - rlen = rep.length << 2; - ch = (char *) Xmalloc ((unsigned) rlen + 1); - /* +1 to leave room for last null-terminator */ + if (rep.length > 0 && rep.length < (INT_MAX >> 2)) { + rlen = rep.length << 2; + ch = (char *) Xmalloc ((unsigned) rlen + 1); + /* +1 to leave room for last null-terminator */ + } if ((!list) || (!ch)) { if (list) Xfree((char *) list); @@ -70,17 +75,26 @@ int *nextensions; /* RETURN */ /* * unpack into null terminated strings. */ + chend = ch + (rlen + 1); length = *ch; for (i = 0; i < rep.nExtensions; i++) { - list[i] = ch+1; /* skip over length */ - ch += length + 1; /* find next length ... */ - length = *ch; - *ch = '\0'; /* and replace with null-termination */ + if (ch + length < chend) { + list[i] = ch+1; /* skip over length */ + ch += length + 1; /* find next length ... */ + if (ch <= chend) { + length = *ch; + *ch = '\0'; /* and replace with null-termination */ + count++; + } else { + list[i] = NULL; + } + } else + list[i] = NULL; } } else list = (char **) NULL; - *nextensions = rep.nExtensions; + *nextensions = count; UnlockDisplay(dpy); SyncHandle(); return (list); Index: xsrc/xfree/xc/lib/X11/Xlibint.h diff -u xsrc/xfree/xc/lib/X11/Xlibint.h:1.1.1.7.24.1 xsrc/xfree/xc/lib/X11/Xlibint.h:1.1.1.7.24.2 --- xsrc/xfree/xc/lib/X11/Xlibint.h:1.1.1.7.24.1 Sun Apr 19 04:57:34 2015 +++ xsrc/xfree/xc/lib/X11/Xlibint.h Wed Oct 5 09:50:09 2016 @@ -542,7 +542,7 @@ extern LockInfoPtr _Xglobal_lock; unsigned long _BRlen = req->length - 1; \ req->length = 0; \ memcpy(_BRdat, ((char *)req) + (_BRlen << 2), 4); \ - memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \ + memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \ memcpy(((char *)req) + 4, _BRdat, 4); \ Data32(dpy, (long *)&_BRdat, 4); \ } Index: xsrc/xfree/xc/lib/Xi/XGMotion.c diff -u xsrc/xfree/xc/lib/Xi/XGMotion.c:1.1.1.5 xsrc/xfree/xc/lib/Xi/XGMotion.c:1.1.1.5.38.1 --- xsrc/xfree/xc/lib/Xi/XGMotion.c:1.1.1.5 Fri Feb 28 13:18:51 2003 +++ xsrc/xfree/xc/lib/Xi/XGMotion.c Wed Oct 5 09:50:09 2016 @@ -59,6 +59,7 @@ SOFTWARE. #include <X11/extensions/XInput.h> #include <X11/extensions/extutil.h> #include "XIint.h" +#include <limits.h> XDeviceTimeCoord *XGetDeviceMotionEvents (dpy, dev, start, stop, nEvents, mode, axis_count) @@ -74,7 +75,7 @@ XDeviceTimeCoord xGetDeviceMotionEventsReply rep; XDeviceTimeCoord *tc; int *data, *bufp, *readp, *savp; - long size, size2; + long size; int i, j; XExtDisplayInfo *info = XInput_find_display (dpy); @@ -105,11 +106,23 @@ XDeviceTimeCoord SyncHandle(); return (NULL); } - size = rep.length << 2; - size2 = rep.nEvents * - (sizeof (XDeviceTimeCoord) + (rep.axes * sizeof (int))); - savp = readp = (int *) Xmalloc (size); - bufp = (int *) Xmalloc (size2); + if (rep.length < (INT_MAX >> 2)) { + size = rep.length << 2; + savp = readp = Xmalloc(size); + } else { + size = 0; + savp = readp = NULL; + } + /* rep.axes is a CARD8, so assume max number of axes for bounds check */ + if (rep.nEvents < + (INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int)))) && + rep.nEvents * (rep.axes + 1) <= rep.length) { + size_t bsize = rep.nEvents * + (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int))); + bufp = Xmalloc(bsize); + } else + bufp = NULL; + if (!bufp || !savp) { *nEvents = 0; Index: xsrc/xfree/xc/lib/Xi/XGetBMap.c diff -u xsrc/xfree/xc/lib/Xi/XGetBMap.c:1.1.1.5 xsrc/xfree/xc/lib/Xi/XGetBMap.c:1.1.1.5.38.1 --- xsrc/xfree/xc/lib/Xi/XGetBMap.c:1.1.1.5 Fri Feb 28 13:18:51 2003 +++ xsrc/xfree/xc/lib/Xi/XGetBMap.c Wed Oct 5 09:50:09 2016 @@ -90,16 +90,20 @@ XGetDeviceButtonMapping (dpy, device, ma req->deviceid = device->device_id; status = _XReply (dpy, (xReply *)&rep, 0, xFalse); - if (status == 1) - { - nbytes = (long)rep.length << 2; - _XRead (dpy, (char *)mapping, nbytes); + if (status == 1) { + if (rep.length <= (sizeof(mapping) >> 2) && + rep.nElts <= (rep.length << 2)) { + nbytes = (long)rep.length << 2; + _XRead (dpy, (char *)mapping, nbytes); - /* don't return more data than the user asked for. */ - if (rep.nElts) - memcpy ((char *) map, (char *) mapping, MIN((int)rep.nElts, nmap)); - status = rep.nElts; + /* don't return more data than the user asked for. */ + if (rep.nElts) + memcpy ((char *) map, (char *) mapping, MIN((int)rep.nElts, nmap)); + status = rep.nElts; + } else { + status = 0; } + } else status = 0; UnlockDisplay(dpy); Index: xsrc/xfree/xc/lib/Xi/XGetDCtl.c diff -u xsrc/xfree/xc/lib/Xi/XGetDCtl.c:1.1.1.5 xsrc/xfree/xc/lib/Xi/XGetDCtl.c:1.1.1.5.38.1 --- xsrc/xfree/xc/lib/Xi/XGetDCtl.c:1.1.1.5 Fri Feb 28 13:18:51 2003 +++ xsrc/xfree/xc/lib/Xi/XGetDCtl.c Wed Oct 5 09:50:09 2016 @@ -60,6 +60,7 @@ SOFTWARE. #include <X11/extensions/XInput.h> #include <X11/extensions/extutil.h> #include "XIint.h" +#include <limits.h> XDeviceControl *XGetDeviceControl (dpy, dev, control) @@ -95,8 +96,11 @@ XDeviceControl } if (rep.length > 0) { - nbytes = (long)rep.length << 2; - d = (xDeviceState *) Xmalloc((unsigned) nbytes); + if (rep.length < (INT_MAX >> 2) && + (rep.length << 2) >= sizeof(xDeviceState)) { + nbytes = (long)rep.length << 2; + d = (xDeviceState *) Xmalloc((unsigned) nbytes); + } if (!d) { _XEatData (dpy, (unsigned long) nbytes); @@ -112,10 +116,16 @@ XDeviceControl case DEVICE_RESOLUTION: { xDeviceResolutionState *r; + size_t val_size; r = (xDeviceResolutionState *) d; - size += sizeof (XDeviceResolutionState) + - (3 * sizeof(int) * r->num_valuators); + if (sizeof(xDeviceResolutionState) > nbytes || + r->num_valuators >= (INT_MAX / (3 * sizeof(int)))) + goto out; + val_size = 3 * sizeof(int) * r->num_valuators; + if ((sizeof(xDeviceResolutionState) + val_size) > nbytes) + goto out; + size = sizeof(XDeviceResolutionState) + val_size; break; } default: @@ -158,6 +168,7 @@ XDeviceControl default: break; } +out: XFree (sav); } Index: xsrc/xfree/xc/lib/Xi/XGetFCtl.c diff -u xsrc/xfree/xc/lib/Xi/XGetFCtl.c:1.1.1.5 xsrc/xfree/xc/lib/Xi/XGetFCtl.c:1.1.1.5.38.1 --- xsrc/xfree/xc/lib/Xi/XGetFCtl.c:1.1.1.5 Fri Feb 28 13:18:51 2003 +++ xsrc/xfree/xc/lib/Xi/XGetFCtl.c Wed Oct 5 09:50:09 2016 @@ -60,6 +60,7 @@ SOFTWARE. #include <X11/extensions/XInput.h> #include <X11/extensions/extutil.h> #include "XIint.h" +#include <limits.h> XFeedbackState *XGetFeedbackControl (dpy, dev, num_feedbacks) @@ -73,6 +74,7 @@ XFeedbackState XFeedbackState *Sav = NULL; xFeedbackState *f = NULL; xFeedbackState *sav = NULL; + char *end = NULL; xGetFeedbackControlReq *req; xGetFeedbackControlReply rep; XExtDisplayInfo *info = XInput_find_display (dpy); @@ -95,8 +97,11 @@ XFeedbackState if (rep.length > 0) { *num_feedbacks = rep.num_feedbacks; - nbytes = (long)rep.length << 2; - f = (xFeedbackState *) Xmalloc((unsigned) nbytes); + + if (rep.length < (INT_MAX >> 2)) { + nbytes = (long)rep.length << 2; + f = (xFeedbackState *) Xmalloc((unsigned) nbytes); + } if (!f) { _XEatData (dpy, (unsigned long) nbytes); @@ -105,10 +110,14 @@ XFeedbackState return (XFeedbackState *) NULL; } sav = f; + end = (char *)f + nbytes; _XRead (dpy, (char *) f, nbytes); for (i=0; i<*num_feedbacks; i++) { + if ((char *)f + sizeof(*f) > end || + f->length == 0 || f->length > nbytes) + goto out; switch (f->class) { case KbdFeedbackClass: @@ -258,6 +267,7 @@ XFeedbackState f = (xFeedbackState *) ((char *) f + f->length); Feedback = (XFeedbackState *) ((char *) Feedback+Feedback->length); } +out: XFree ((char *)sav); } Index: xsrc/xfree/xc/lib/Xi/XGetMMap.c diff -u xsrc/xfree/xc/lib/Xi/XGetMMap.c:1.1.1.5 xsrc/xfree/xc/lib/Xi/XGetMMap.c:1.1.1.5.38.1 --- xsrc/xfree/xc/lib/Xi/XGetMMap.c:1.1.1.5 Fri Feb 28 13:18:51 2003 +++ xsrc/xfree/xc/lib/Xi/XGetMMap.c Wed Oct 5 09:50:09 2016 @@ -53,6 +53,7 @@ SOFTWARE. * */ +#include <limits.h> #include <X11/extensions/XI.h> #include <X11/extensions/XIproto.h> #include <X11/Xlibint.h> @@ -86,8 +87,14 @@ XModifierKeymap SyncHandle(); return (XModifierKeymap *) NULL; } - nbytes = (unsigned long)rep.length << 2; - res = (XModifierKeymap *) Xmalloc(sizeof (XModifierKeymap)); + if (rep.length < (INT_MAX >> 2) && + rep.numKeyPerModifier == rep.length >> 1) { + nbytes = (unsigned long)rep.length << 2; + res = (XModifierKeymap *) Xmalloc(sizeof (XModifierKeymap)); + } else { + nbytes = 0; + res = NULL; + } if (res) { res->modifiermap = (KeyCode *) Xmalloc (nbytes); Index: xsrc/xfree/xc/lib/Xi/XOpenDev.c diff -u xsrc/xfree/xc/lib/Xi/XOpenDev.c:1.1.1.5 xsrc/xfree/xc/lib/Xi/XOpenDev.c:1.1.1.5.38.1 --- xsrc/xfree/xc/lib/Xi/XOpenDev.c:1.1.1.5 Fri Feb 28 13:18:51 2003 +++ xsrc/xfree/xc/lib/Xi/XOpenDev.c Wed Oct 5 09:50:09 2016 @@ -53,6 +53,7 @@ SOFTWARE. * */ +#include <limits.h> #include <X11/extensions/XI.h> #include <X11/extensions/XIproto.h> #include <X11/Xlibint.h> @@ -87,9 +88,15 @@ XDevice return (XDevice *) NULL; } - rlen = rep.length << 2; - dev = (XDevice *) Xmalloc (sizeof(XDevice) + rep.num_classes * - sizeof (XInputClassInfo)); + if (rep.length < INT_MAX >> 2 && + (rep.length << 2) >= rep.num_classes * sizeof(xInputClassInfo)) { + rlen = rep.length << 2; + dev = (XDevice *) Xmalloc (sizeof(XDevice) + rep.num_classes * + sizeof (XInputClassInfo)); + } else { + rlen = 0; + dev = NULL; + } if (dev) { int dlen; /* data length */ Index: xsrc/xfree/xc/lib/Xi/XQueryDv.c diff -u xsrc/xfree/xc/lib/Xi/XQueryDv.c:1.1.1.5 xsrc/xfree/xc/lib/Xi/XQueryDv.c:1.1.1.5.38.1 --- xsrc/xfree/xc/lib/Xi/XQueryDv.c:1.1.1.5 Fri Feb 28 13:18:51 2003 +++ xsrc/xfree/xc/lib/Xi/XQueryDv.c Wed Oct 5 09:50:09 2016 @@ -59,6 +59,7 @@ SOFTWARE. #include <X11/extensions/XInput.h> #include <X11/extensions/extutil.h> #include "XIint.h" +#include <limits.h> XDeviceState *XQueryDeviceState (dpy, dev) @@ -66,13 +67,13 @@ XDeviceState XDevice *dev; { int i,j; - int rlen; + int rlen = 0; int size = 0; xQueryDeviceStateReq *req; xQueryDeviceStateReply rep; XDeviceState *state = NULL; XInputClass *any, *Any; - char *data; + char *data = NULL, *end = NULL; XExtDisplayInfo *info = XInput_find_display (dpy); LockDisplay (dpy); @@ -91,10 +92,12 @@ XDeviceState return (XDeviceState *) NULL; } - rlen = rep.length << 2; - if (rlen > 0) - { - data = Xmalloc (rlen); + if (rep.length > 0) { + if (rep.length < (INT_MAX >> 2)) { + rlen = (unsigned long) rep.length << 2; + data = Xmalloc(rlen); + end = data + rlen; + } if (!data) { _XEatData (dpy, (unsigned long) rlen); @@ -102,10 +105,14 @@ XDeviceState SyncHandle(); return ((XDeviceState *) NULL); } + end = data + rlen; _XRead (dpy, data, rlen); for (i=0, any=(XInputClass *) data; i<(int)rep.num_classes; i++) { + if ((char *)any + sizeof(XInputClass) > end || + any->length == 0 || any->length > rlen) + goto out; switch (any->class) { case KeyClass: @@ -117,6 +124,8 @@ XDeviceState case ValuatorClass: { xValuatorState *v = (xValuatorState *) any; + if ((char *)any + sizeof(xValuatorState) > end) + goto out; size += (sizeof (XValuatorState) + (v->num_valuators * sizeof(int))); } @@ -186,6 +195,7 @@ XDeviceState Xfree(data); } +out: UnlockDisplay(dpy); SyncHandle(); return (state); Index: xsrc/xfree/xc/lib/Xi/XGetKMap.c diff -u xsrc/xfree/xc/lib/Xi/XGetKMap.c:1.1.1.6 xsrc/xfree/xc/lib/Xi/XGetKMap.c:1.1.1.6.36.1 --- xsrc/xfree/xc/lib/Xi/XGetKMap.c:1.1.1.6 Fri Mar 5 14:24:25 2004 +++ xsrc/xfree/xc/lib/Xi/XGetKMap.c Wed Oct 5 09:50:09 2016 @@ -53,6 +53,7 @@ SOFTWARE. * */ +#include <limits.h> #include <X11/extensions/XI.h> #include <X11/extensions/XIproto.h> #include <X11/Xlibint.h> @@ -96,9 +97,16 @@ XGetDeviceKeyMapping ( return (KeySym *) NULL; } if (rep.length > 0) { - *syms_per_code = rep.keySymsPerKeyCode; - nbytes = (long)rep.length << 2; - mapping = (KeySym *) Xmalloc((unsigned) nbytes); + if (rep.length < INT_MAX >> 2 && + rep.length == rep.keySymsPerKeyCode * keycount) { + *syms_per_code = rep.keySymsPerKeyCode; + nbytes = (long)rep.length << 2; + mapping = (KeySym *) Xmalloc((unsigned) nbytes); + } else { + *syms_per_code = 0; + nbytes = 0; + mapping = NULL; + } if (mapping) _XRead (dpy, (char *)mapping, nbytes); else Index: xsrc/xfree/xc/lib/Xrender/Filter.c diff -u xsrc/xfree/xc/lib/Xrender/Filter.c:1.1.1.1 xsrc/xfree/xc/lib/Xrender/Filter.c:1.1.1.1.38.1 --- xsrc/xfree/xc/lib/Xrender/Filter.c:1.1.1.1 Fri Feb 28 13:18:52 2003 +++ xsrc/xfree/xc/lib/Xrender/Filter.c Wed Oct 5 09:50:09 2016 @@ -35,7 +35,7 @@ XRenderQueryFilters (Display *dpy, Drawa char *name; char len; int i; - long nbytes, nbytesAlias, nbytesName; + long nbytes, nbytesAlias, nbytesName, reply_left; if (!XextHasExtension (info)) return 0; @@ -101,6 +101,7 @@ XRenderQueryFilters (Display *dpy, Drawa * Read the filter aliases */ _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases); + reply_left = 8 + rep.length - 2 * rep.numAliases;; /* * Read the filter names @@ -109,9 +110,18 @@ XRenderQueryFilters (Display *dpy, Drawa { int l; _XRead (dpy, &len, 1); + reply_left--; l = len & 0xff; + if ((unsigned long)l + 1 > nbytesName) { + Xfree(filters); + UnlockDisplay (dpy); + SyncHandle (); + return NULL; + } + nbytesName -= l + 1; filters->filter[i] = name; _XRead (dpy, name, l); + reply_left -= l; name[l] = '\0'; name += l + 1; } Index: xsrc/xfree/xc/lib/Xrender/Xrender.c diff -u xsrc/xfree/xc/lib/Xrender/Xrender.c:1.1.1.5 xsrc/xfree/xc/lib/Xrender/Xrender.c:1.1.1.5.38.1 --- xsrc/xfree/xc/lib/Xrender/Xrender.c:1.1.1.5 Fri Feb 28 13:18:52 2003 +++ xsrc/xfree/xc/lib/Xrender/Xrender.c Wed Oct 5 09:50:09 2016 @@ -289,12 +289,28 @@ XRenderQueryFormats (Display *dpy) screen->fallback = _XRenderFindFormat (xri, xScreen->fallback); screen->subpixel = SubPixelUnknown; xDepth = (xPictDepth *) (xScreen + 1); + if (screen->ndepths > rep.numDepths) { + Xfree (xri); + Xfree (xData); + UnlockDisplay (dpy); + SyncHandle (); + return 0; + } + rep.numDepths -= screen->ndepths; for (nd = 0; nd < screen->ndepths; nd++) { depth->depth = xDepth->depth; depth->nvisuals = xDepth->nPictVisuals; depth->visuals = visual; xVisual = (xPictVisual *) (xDepth + 1); + if (depth->nvisuals > rep.numVisuals) { + Xfree (xri); + Xfree (xData); + UnlockDisplay (dpy); + SyncHandle (); + return 0; + } + rep.numVisuals -= depth->nvisuals; for (nv = 0; nv < depth->nvisuals; nv++) { visual->visual = _XRenderFindVisual (dpy, xVisual->visual); Index: xsrc/xfree/xc/lib/Xtst/XRecord.c diff -u xsrc/xfree/xc/lib/Xtst/XRecord.c:1.1.1.6 xsrc/xfree/xc/lib/Xtst/XRecord.c:1.1.1.6.24.1 --- xsrc/xfree/xc/lib/Xtst/XRecord.c:1.1.1.6 Fri Mar 18 13:04:54 2005 +++ xsrc/xfree/xc/lib/Xtst/XRecord.c Wed Oct 5 09:50:09 2016 @@ -51,6 +51,7 @@ from The Open Group. /* $XFree86: xc/lib/Xtst/XRecord.c,v 1.8 2005/01/27 02:28:59 dawes Exp $ */ #include <stdio.h> +#include <limits.h> #include <assert.h> #define NEED_EVENTS #define NEED_REPLIES @@ -728,15 +729,23 @@ parse_reply_call_callback(Display *dpy, switch (rep->category) { case XRecordFromServer: if (rep->elementHeader&XRecordFromServerTime) { + if (current_index + 4 > rep->length << 2) + return Error; EXTRACT_CARD32(rep->clientSwapped, reply->buf+current_index, data->server_time); current_index += 4; } + if (current_index + 1 > rep->length << 2) + return Error; switch (reply->buf[current_index]) { case X_Reply: /* reply */ + if (current_index + 8 > rep->length << 2) + return Error; EXTRACT_CARD32(rep->clientSwapped, reply->buf+current_index+4, datum_bytes); + if (datum_bytes < 0 || datum_bytes > ((INT_MAX >> 2) - 8)) + return Error; datum_bytes = (datum_bytes+8) << 2; break; default: /* error or event */ @@ -745,52 +754,73 @@ parse_reply_call_callback(Display *dpy, break; case XRecordFromClient: if (rep->elementHeader&XRecordFromClientTime) { + if (current_index + 4 > rep->length << 2) + return Error; EXTRACT_CARD32(rep->clientSwapped, reply->buf+current_index, data->server_time); current_index += 4; } if (rep->elementHeader&XRecordFromClientSequence) { + if (current_index + 4 > rep->length << 2) + return Error; EXTRACT_CARD32(rep->clientSwapped, reply->buf+current_index, data->client_seq); current_index += 4; } + if (current_index + 4 > rep->length<<2) + return Error; if (reply->buf[current_index+2] == 0 && reply->buf[current_index+3] == 0) /* needn't swap 0 */ { /* BIG-REQUESTS */ + if (current_index + 8 > rep->length << 2) + return Error; EXTRACT_CARD32(rep->clientSwapped, reply->buf+current_index+4, datum_bytes); } else { EXTRACT_CARD16(rep->clientSwapped, reply->buf+current_index+2, datum_bytes); } + if (datum_bytes < 0 || datum_bytes > INT_MAX >> 2) + return Error; datum_bytes <<= 2; break; case XRecordClientStarted: + if (current_index + 8 > rep->length << 2) + return Error; EXTRACT_CARD16(rep->clientSwapped, reply->buf+current_index+6, datum_bytes); datum_bytes = (datum_bytes+2) << 2; break; case XRecordClientDied: if (rep->elementHeader&XRecordFromClientSequence) { + if (current_index + 4 > rep->length << 2) + return Error; EXTRACT_CARD32(rep->clientSwapped, reply->buf+current_index, data->client_seq); current_index += 4; - } - /* fall through */ + } else if (current_index < rep->length << 2) + return Error; + datum_bytes = 0; + break; case XRecordStartOfData: case XRecordEndOfData: + if (current_index < rep->length << 2) + return Error; datum_bytes = 0; + break; } if (datum_bytes > 0) { - if (current_index + datum_bytes > rep->length << 2) + if (INT_MAX - datum_bytes < (rep->length << 2) - current_index) { fprintf(stderr, "XRecord: %lu-byte reply claims %d-byte element (seq %lu)\n", - (long)rep->length << 2, current_index + datum_bytes, + (unsigned long)rep->length << 2, current_index + datum_bytes, dpy->last_request_read); + return Error; + } /* * This assignment (and indeed the whole buffer sharing * scheme) assumes arbitrary 4-byte boundaries are @@ -842,6 +872,12 @@ XRecordEnableContext(Display *dpy, XReco return 0; } + if (rep.length > INT_MAX >> 2) { + UnlockDisplay(dpy); + SyncHandle(); + return 0; + } + if (rep.length > 0) { reply = alloc_reply_buffer(info, rep.length<<2); if (!reply) { Index: xsrc/xfree/xc/lib/Xv/Xv.c diff -u xsrc/xfree/xc/lib/Xv/Xv.c:1.1.1.6 xsrc/xfree/xc/lib/Xv/Xv.c:1.1.1.6.24.1 --- xsrc/xfree/xc/lib/Xv/Xv.c:1.1.1.6 Fri Mar 18 13:04:54 2005 +++ xsrc/xfree/xc/lib/Xv/Xv.c Wed Oct 5 09:50:09 2016 @@ -150,9 +150,11 @@ XvQueryAdaptors( xvQueryAdaptorsReply rep; int size,ii,jj; char *name; + char *end; XvAdaptorInfo *pas, *pa; XvFormat *pfs, *pf; char *buffer; + int status; union { char *buffer; @@ -177,14 +179,17 @@ XvQueryAdaptors( } size = rep.length << 2; - if ( (buffer = (char *)Xmalloc ((unsigned) size)) == NULL) { + if (size > 0) { + if ((buffer = Xmalloc(size)) == NULL) { UnlockDisplay(dpy); SyncHandle(); return(XvBadAlloc); + } + _XRead(dpy, buffer, (long) size); } - _XRead (dpy, buffer, size); u.buffer = buffer; + end = buffer + size; /* GET INPUT ADAPTORS */ @@ -212,6 +217,10 @@ XvQueryAdaptors( pa = pas; for (ii=0; ii<rep.num_adaptors; ii++) { + if (u.buffer + sz_xvAdaptorInfo > end) { + status = XvBadReply; + goto out; + } pa->type = u.pa->type; pa->base_id = u.pa->base_id; pa->num_ports = u.pa->num_ports; @@ -223,6 +232,11 @@ XvQueryAdaptors( size = u.pa->name_size; u.buffer += (sz_xvAdaptorInfo + 3) & ~3; + if (u.buffer + size > end) { + status = XvBadReply; + goto out; + } + if ( (name = (char *)Xmalloc(size+1)) == NULL) { XvFreeAdaptorInfo(pas); @@ -250,6 +264,11 @@ XvQueryAdaptors( pf = pfs; for (jj=0; jj<pa->num_formats; jj++) { + if (u.buffer + sz_xvFormat > end) { + Xfree(pfs); + status = XvBadReply; + goto out; + } pf->depth = u.pf->depth; pf->visual_id = u.pf->visual; pf++; @@ -266,11 +285,14 @@ XvQueryAdaptors( *p_nAdaptors = rep.num_adaptors; *p_pAdaptors = pas; + status = Success; + +out: Xfree(buffer); UnlockDisplay(dpy); SyncHandle(); - return (Success); + return (status); } @@ -312,6 +334,8 @@ XvQueryEncodings( xvQueryEncodingsReply rep; int size, jj; char *name; + char *end; + int status; XvEncodingInfo *pes, *pe; char *buffer; union @@ -337,14 +361,17 @@ XvQueryEncodings( } size = rep.length << 2; - if ( (buffer = (char *)Xmalloc ((unsigned) size)) == NULL) { + if (size > 0) { + if ( (buffer = (char *)Xmalloc ((unsigned) size)) == NULL) { UnlockDisplay(dpy); SyncHandle(); return(XvBadAlloc); + } + _XRead (dpy, buffer, size); } - _XRead (dpy, buffer, size); u.buffer = buffer; + end = buffer + size; /* GET ENCODINGS */ @@ -367,6 +394,10 @@ XvQueryEncodings( pe = pes; for (jj=0; jj<rep.num_encodings; jj++) { + if (u.buffer + sz_xvEncodingInfo > end) { + status = XvBadReply; + goto out; + } pe->encoding_id = u.pe->encoding; pe->width = u.pe->width; pe->height = u.pe->height; @@ -377,6 +408,10 @@ XvQueryEncodings( size = u.pe->name_size; u.buffer += (sz_xvEncodingInfo + 3) & ~3; + if (u.buffer + size > end) { + status = XvBadReply; + goto out; + } if ( (name = (char *)Xmalloc(size+1)) == NULL) { Xfree(buffer); UnlockDisplay(dpy); @@ -394,11 +429,14 @@ XvQueryEncodings( *p_nEncodings = rep.num_encodings; *p_pEncodings = pes; + status = Success; + +out: Xfree(buffer); UnlockDisplay(dpy); SyncHandle(); - return (Success); + return (status); } void Index: xsrc/xfree/xc/programs/Xserver/include/dix.h diff -u xsrc/xfree/xc/programs/Xserver/include/dix.h:1.1.1.6.36.1 xsrc/xfree/xc/programs/Xserver/include/dix.h:1.1.1.6.36.2 --- xsrc/xfree/xc/programs/Xserver/include/dix.h:1.1.1.6.36.1 Thu Dec 11 13:33:15 2014 +++ xsrc/xfree/xc/programs/Xserver/include/dix.h Wed Oct 5 09:50:10 2016 @@ -53,6 +53,7 @@ SOFTWARE. #include "gc.h" #include "window.h" #include "input.h" +#include <stdint.h> #define EARLIER -1 #define SAMETIME 0