Module Name: xsrc Committed By: snj Date: Sat Jul 8 17:14:58 UTC 2017
Modified Files: xsrc/external/mit/xorg-server/dist/Xi [netbsd-7-1]: sendexev.c xsrc/external/mit/xorg-server/dist/dix [netbsd-7-1]: events.c swapreq.c xsrc/xfree/xc/programs/Xserver/Xi [netbsd-7-1]: sendexev.c Log Message: Apply patch (requested by mrg in ticket #1446): Fix CVE-2017-10971 and CVE-2017-10972. To generate a diff of this commit: cvs rdiff -u -r1.1.1.3.10.1 -r1.1.1.3.10.1.4.1 \ xsrc/external/mit/xorg-server/dist/Xi/sendexev.c cvs rdiff -u -r1.1.1.8 -r1.1.1.8.8.1 \ xsrc/external/mit/xorg-server/dist/dix/events.c cvs rdiff -u -r1.1.1.2 -r1.1.1.2.14.1 \ xsrc/external/mit/xorg-server/dist/dix/swapreq.c cvs rdiff -u -r1.1.1.4.38.1 -r1.1.1.4.38.1.4.1 \ xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: xsrc/external/mit/xorg-server/dist/Xi/sendexev.c diff -u xsrc/external/mit/xorg-server/dist/Xi/sendexev.c:1.1.1.3.10.1 xsrc/external/mit/xorg-server/dist/Xi/sendexev.c:1.1.1.3.10.1.4.1 --- xsrc/external/mit/xorg-server/dist/Xi/sendexev.c:1.1.1.3.10.1 Tue Dec 9 19:36:57 2014 +++ xsrc/external/mit/xorg-server/dist/Xi/sendexev.c Sat Jul 8 17:14:58 2017 @@ -79,7 +79,7 @@ SProcXSendExtensionEvent(ClientPtr clien char n; CARD32 *p; int i; - xEvent eventT; + xEvent eventT = { .u.u.type = 0 }; xEvent *eventP; EventSwapPtr proc; @@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr clien eventP = (xEvent *) & stuff[1]; for (i = 0; i < stuff->num_events; i++, eventP++) { + if (eventP->u.u.type == GenericEvent) { + client->errorValue = eventP->u.u.type; + return BadValue; + } + proc = EventSwapVector[eventP->u.u.type & 0177]; - if (proc == NotImplemented) /* no swapping proc; invalid event type? */ + /* no swapping proc; invalid event type? */ + if (proc == NotImplemented) { + client->errorValue = eventP->u.u.type; return BadValue; + } (*proc) (eventP, &eventT); *eventP = eventT; } @@ -117,7 +125,7 @@ SProcXSendExtensionEvent(ClientPtr clien int ProcXSendExtensionEvent(ClientPtr client) { - int ret; + int ret, i; DeviceIntPtr dev; xEvent *first; XEventClass *list; 
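Review bot: In the second hunk of Xi/sendexev.c the new guard compares the raw type byte (`eventP->u.u.type == GenericEvent`), while the lookup directly below it indexes `EventSwapVector` with `eventP->u.u.type & 0177`, so the guard and the lookup can disagree when the top bit of the type is set. Testing the value that is actually used as the index, `if ((eventP->u.u.type & 0177) == GenericEvent) {`, keeps the two in step for every type byte that maps to that slot. The SProcSendEvent hunk in dix/swapreq.c has the same pair of lines and would take the same change. Any later range check in the non-swapped handler is outside these hunks and would presumably run only after the swap.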
@@ -140,10 +148,12 @@ ProcXSendExtensionEvent(ClientPtr client /* The client's event type must be one defined by an extension. */ first = ((xEvent *) & stuff[1]); - if (!((EXTENSION_EVENT_BASE <= first->u.u.type) && - (first->u.u.type < lastEvent))) { - client->errorValue = first->u.u.type; - return BadValue; + for (i = 0; i < stuff->num_events; i++) { + if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) && + (first[i].u.u.type < lastEvent))) { + client->errorValue = first[i].u.u.type; + return BadValue; + } } list = (XEventClass *) (first + stuff->num_events); Index: xsrc/external/mit/xorg-server/dist/dix/events.c diff -u xsrc/external/mit/xorg-server/dist/dix/events.c:1.1.1.8 xsrc/external/mit/xorg-server/dist/dix/events.c:1.1.1.8.8.1 --- xsrc/external/mit/xorg-server/dist/dix/events.c:1.1.1.8 Mon Jun 3 07:34:19 2013 +++ xsrc/external/mit/xorg-server/dist/dix/events.c Sat Jul 8 17:14:58 2017 @@ -5021,6 +5021,12 @@ ProcSendEvent(ClientPtr client) client->errorValue = stuff->event.u.u.type; return BadValue; } + /* Generic events can have variable size, but SendEvent request holds + exactly 32B of event data. */ + if (stuff->event.u.u.type == GenericEvent) { + client->errorValue = stuff->event.u.u.type; + return BadValue; + } if (stuff->event.u.u.type == ClientMessage && stuff->event.u.u.detail != 8 && stuff->event.u.u.detail != 16 && Index: xsrc/external/mit/xorg-server/dist/dix/swapreq.c diff -u xsrc/external/mit/xorg-server/dist/dix/swapreq.c:1.1.1.2 xsrc/external/mit/xorg-server/dist/dix/swapreq.c:1.1.1.2.14.1 --- xsrc/external/mit/xorg-server/dist/dix/swapreq.c:1.1.1.2 Tue Nov 23 05:21:00 2010 +++ xsrc/external/mit/xorg-server/dist/dix/swapreq.c Sat Jul 8 17:14:58 2017 
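Review bot: The context comment above the new loop in ProcXSendExtensionEvent still reads as if a single event were checked; now that every entry is validated it could say `/* Every event in the request must have a type defined by an extension. */`. The loop also reads `first[i]` for `i < stuff->num_events`, so it depends on the request length having been checked against `num_events` before this point. That check is not visible here because the function body starts above the hunk, so it is worth confirming on this branch. The matching hunk in xfree/xc/programs/Xserver/Xi/sendexev.c has the same shape.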
@@ -315,6 +315,13 @@ SProcSendEvent(ClientPtr client) swapl(&stuff->destination, n); swapl(&stuff->eventMask, n); + /* Generic events can have variable size, but SendEvent request holds + exactly 32B of event data. */ + if (stuff->event.u.u.type == GenericEvent) { + client->errorValue = stuff->event.u.u.type; + return BadValue; + } + /* Swap event */ proc = EventSwapVector[stuff->event.u.u.type & 0177]; if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */ Index: xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c diff -u xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c:1.1.1.4.38.1 xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c:1.1.1.4.38.1.4.1 --- xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c:1.1.1.4.38.1 Thu Dec 11 13:33:15 2014 +++ xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c Sat Jul 8 17:14:58 2017 @@ -89,6 +89,7 @@ SProcXSendExtensionEvent(client) xEvent *eventP; EventSwapPtr proc; + memset(&eventT, 0, sizeof eventT); REQUEST(xSendExtensionEventReq); swaps(&stuff->length, n); REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq); @@ -98,8 +99,11 @@ SProcXSendExtensionEvent(client) for (i=0; i<stuff->num_events; i++,eventP++) { proc = EventSwapVector[eventP->u.u.type & 0177]; - if (proc == NotImplemented) /* no swapping proc; invalid event type? */ + /* no swapping proc; invalid event type? */ + if (proc == NotImplemented) { + client->errorValue = eventP->u.u.type; return (BadValue); + } (*proc)(eventP, &eventT); *eventP = eventT; } @@ -124,7 +128,7 @@ int ProcXSendExtensionEvent (client) register ClientPtr client; { - int ret; + int ret, i; DeviceIntPtr dev; xEvent *first; XEventClass *list; 
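Review bot: In the first hunk of the xfree sendexev.c, `memset(&eventT, 0, sizeof eventT);` is placed ahead of `REQUEST(xSendExtensionEventReq);`. REQUEST() presumably expands to the declaration of `stuff` (the macro is not on this page), which would make this a statement before a declaration in a K&R-style file that otherwise looks like C89. Moving the call to just after the `REQUEST(...)` line keeps the declarations together and still zeroes `eventT` before the loop. The function body continues outside the hunk.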
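Review bot: The swap loop in the xfree SProcXSendExtensionEvent tests only `proc == NotImplemented` before calling `(*proc)(eventP, &eventT)`, whereas the SProcSendEvent context in dix/swapreq.c tests `!proc || proc == NotImplemented`. If an `EventSwapVector` slot can be NULL in this tree (its initialisation is not shown), the call would go through a null pointer; `if (!proc || proc == NotImplemented) {` makes the two handlers agree. The same applies to the loop in the xorg-server copy of Xi/sendexev.c. The function body extends beyond the hunk.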
@@ -155,14 +159,13 @@ ProcXSendExtensionEvent (client) /* The client's event type must be one defined by an extension. */ first = ((xEvent *) &stuff[1]); - if ( ! ((EXTENSION_EVENT_BASE <= first->u.u.type) && - (first->u.u.type < lastEvent)) ) - { - client->errorValue = first->u.u.type; - SendErrorToClient(client, IReqCode, X_SendExtensionEvent, 0, - BadValue); - return Success; - } + for (i = 0; i < stuff->num_events; i++) { + if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) && + (first[i].u.u.type < lastEvent))) { + client->errorValue = first[i].u.u.type; + return BadValue; + } + } list = (XEventClass *) (first + stuff->num_events); if ((ret = CreateMaskFromList (client, list, stuff->count, tmp, dev,