Imported nx-X11-3.2.0-2.tar.gznx-X11/3.2.0-2

Summary: Imported nx-X11-3.2.0-2.tar.gz Keywords: Imported nx-X11-3.2.0-2.tar.gz into Git repository
author: Reinhard Tartler <siretart@tauware.de> 2011-10-10 17:47:30 +0200
committer: Reinhard Tartler <siretart@tauware.de> 2011-10-10 17:47:30 +0200
commit: 30463b084b2833193aa6fdc2ceafefc8a1c06fee (patch)
tree: fd062f7ac7b98d742a781d5f95e59cbb38fb81bc /nx-X11/programs/Xserver/Xext
parent: 713da22603c4abc7a97feddd931f29c507b7984b (diff)
download: nx-libs-30463b084b2833193aa6fdc2ceafefc8a1c06fee.tar.gz
nx-libs-30463b084b2833193aa6fdc2ceafefc8a1c06fee.tar.bz2
nx-libs-30463b084b2833193aa6fdc2ceafefc8a1c06fee.zip
4 files changed, 32 insertions, 11 deletions
diff --git a/nx-X11/programs/Xserver/Xext/security.c b/nx-X11/programs/Xserver/Xext/security.c
index cee89354a..e3cca43eb 100644
--- a/nx-X11/programs/Xserver/Xext/security.c
+++ b/nx-X11/programs/Xserver/Xext/security.c
@@ -813,15 +813,19 @@ SProcSecurityGenerateAuthorization(
     register char 	n;
     CARD32 *values;
     unsigned long nvalues;
+    int values_offset;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
     swaps(&stuff->nbytesAuthProto, n);
     swaps(&stuff->nbytesAuthData, n);
     swapl(&stuff->valueMask, n);
-    values = (CARD32 *)(&stuff[1]) +
-	((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
-	((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+		    ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    if (values_offset > 
+	stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+	return BadLength;
+    values = (CARD32 *)(&stuff[1]) + values_offset;
     nvalues = (((CARD32 *)stuff) + stuff->length) - values;
     SwapLongs(values, nvalues);
     return ProcSecurityGenerateAuthorization(client);
diff --git a/nx-X11/programs/Xserver/Xext/security.c.NX.original b/nx-X11/programs/Xserver/Xext/security.c.NX.original
index cee89354a..e3cca43eb 100644
--- a/nx-X11/programs/Xserver/Xext/security.c.NX.original
+++ b/nx-X11/programs/Xserver/Xext/security.c.NX.original
@@ -813,15 +813,19 @@ SProcSecurityGenerateAuthorization(
     register char 	n;
     CARD32 *values;
     unsigned long nvalues;
+    int values_offset;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
     swaps(&stuff->nbytesAuthProto, n);
     swaps(&stuff->nbytesAuthData, n);
     swapl(&stuff->valueMask, n);
-    values = (CARD32 *)(&stuff[1]) +
-	((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
-	((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+		    ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    if (values_offset > 
+	stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+	return BadLength;
+    values = (CARD32 *)(&stuff[1]) + values_offset;
     nvalues = (((CARD32 *)stuff) + stuff->length) - values;
     SwapLongs(values, nvalues);
     return ProcSecurityGenerateAuthorization(client);
diff --git a/nx-X11/programs/Xserver/Xext/security.c.X.original b/nx-X11/programs/Xserver/Xext/security.c.X.original
index 765769a7c..c6a516733 100644
--- a/nx-X11/programs/Xserver/Xext/security.c.X.original
+++ b/nx-X11/programs/Xserver/Xext/security.c.X.original
@@ -652,15 +652,19 @@ SProcSecurityGenerateAuthorization(
     register char 	n;
     CARD32 *values;
     unsigned long nvalues;
+    int values_offset;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
     swaps(&stuff->nbytesAuthProto, n);
     swaps(&stuff->nbytesAuthData, n);
     swapl(&stuff->valueMask, n);
-    values = (CARD32 *)(&stuff[1]) +
-	((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
-	((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+		    ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    if (values_offset > 
+	stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+	return BadLength;
+    values = (CARD32 *)(&stuff[1]) + values_offset;
     nvalues = (((CARD32 *)stuff) + stuff->length) - values;
     SwapLongs(values, nvalues);
     return ProcSecurityGenerateAuthorization(client);
diff --git a/nx-X11/programs/Xserver/Xext/shm.c b/nx-X11/programs/Xserver/Xext/shm.c
index e2cf8cd24..f25bb9b5d 100644
--- a/nx-X11/programs/Xserver/Xext/shm.c
+++ b/nx-X11/programs/Xserver/Xext/shm.c
@@ -863,8 +863,17 @@ ProcShmPutImage(client)
         return BadValue;
     }
 
-    VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
-		   client);
+    /* 
+     * There's a potential integer overflow in this check:
+     * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+     *                client);
+     * the version below ought to avoid it
+     */
+    if (stuff->totalHeight != 0 && 
+	length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
+	client->errorValue = stuff->totalWidth;
+	return BadValue;
+    }
     if (stuff->srcX > stuff->totalWidth)
     {
 	client->errorValue = stuff->srcX;
author	Reinhard Tartler <siretart@tauware.de>	2011-10-10 17:47:30 +0200
committer	Reinhard Tartler <siretart@tauware.de>	2011-10-10 17:47:30 +0200
commit	30463b084b2833193aa6fdc2ceafefc8a1c06fee (patch)
tree	fd062f7ac7b98d742a781d5f95e59cbb38fb81bc /nx-X11/programs/Xserver/Xext
parent	713da22603c4abc7a97feddd931f29c507b7984b (diff)
download	nx-libs-30463b084b2833193aa6fdc2ceafefc8a1c06fee.tar.gz nx-libs-30463b084b2833193aa6fdc2ceafefc8a1c06fee.tar.bz2 nx-libs-30463b084b2833193aa6fdc2ceafefc8a1c06fee.zip