diff options
author | Reinhard Tartler <siretart@tauware.de> | 2011-10-10 17:47:30 +0200 |
---|---|---|
committer | Reinhard Tartler <siretart@tauware.de> | 2011-10-10 17:47:30 +0200 |
commit | 30463b084b2833193aa6fdc2ceafefc8a1c06fee (patch) | |
tree | fd062f7ac7b98d742a781d5f95e59cbb38fb81bc /nx-X11/programs/Xserver/Xext | |
parent | 713da22603c4abc7a97feddd931f29c507b7984b (diff) | |
download | nx-libs-30463b084b2833193aa6fdc2ceafefc8a1c06fee.tar.gz nx-libs-30463b084b2833193aa6fdc2ceafefc8a1c06fee.tar.bz2 nx-libs-30463b084b2833193aa6fdc2ceafefc8a1c06fee.zip |
Imported nx-X11-3.2.0-2.tar.gznx-X11/3.2.0-2
Summary: Imported nx-X11-3.2.0-2.tar.gz
Keywords:
Imported nx-X11-3.2.0-2.tar.gz
into Git repository
Diffstat (limited to 'nx-X11/programs/Xserver/Xext')
-rw-r--r-- | nx-X11/programs/Xserver/Xext/security.c | 10 | ||||
-rw-r--r-- | nx-X11/programs/Xserver/Xext/security.c.NX.original | 10 | ||||
-rw-r--r-- | nx-X11/programs/Xserver/Xext/security.c.X.original | 10 | ||||
-rw-r--r-- | nx-X11/programs/Xserver/Xext/shm.c | 13 |
4 files changed, 32 insertions, 11 deletions
diff --git a/nx-X11/programs/Xserver/Xext/security.c b/nx-X11/programs/Xserver/Xext/security.c index cee89354a..e3cca43eb 100644 --- a/nx-X11/programs/Xserver/Xext/security.c +++ b/nx-X11/programs/Xserver/Xext/security.c @@ -813,15 +813,19 @@ SProcSecurityGenerateAuthorization( register char n; CARD32 *values; unsigned long nvalues; + int values_offset; swaps(&stuff->length, n); REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq); swaps(&stuff->nbytesAuthProto, n); swaps(&stuff->nbytesAuthData, n); swapl(&stuff->valueMask, n); - values = (CARD32 *)(&stuff[1]) + - ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + - ((stuff->nbytesAuthData + (unsigned)3) >> 2); + values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + + ((stuff->nbytesAuthData + (unsigned)3) >> 2); + if (values_offset > + stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2)) + return BadLength; + values = (CARD32 *)(&stuff[1]) + values_offset; nvalues = (((CARD32 *)stuff) + stuff->length) - values; SwapLongs(values, nvalues); return ProcSecurityGenerateAuthorization(client); diff --git a/nx-X11/programs/Xserver/Xext/security.c.NX.original b/nx-X11/programs/Xserver/Xext/security.c.NX.original index cee89354a..e3cca43eb 100644 --- a/nx-X11/programs/Xserver/Xext/security.c.NX.original +++ b/nx-X11/programs/Xserver/Xext/security.c.NX.original @@ -813,15 +813,19 @@ SProcSecurityGenerateAuthorization( register char n; CARD32 *values; unsigned long nvalues; + int values_offset; swaps(&stuff->length, n); REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq); swaps(&stuff->nbytesAuthProto, n); swaps(&stuff->nbytesAuthData, n); swapl(&stuff->valueMask, n); - values = (CARD32 *)(&stuff[1]) + - ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + - ((stuff->nbytesAuthData + (unsigned)3) >> 2); + values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + + ((stuff->nbytesAuthData + (unsigned)3) >> 2); + if (values_offset > + stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2)) + return BadLength; + values = (CARD32 *)(&stuff[1]) + values_offset; nvalues = (((CARD32 *)stuff) + stuff->length) - values; SwapLongs(values, nvalues); return ProcSecurityGenerateAuthorization(client); diff --git a/nx-X11/programs/Xserver/Xext/security.c.X.original b/nx-X11/programs/Xserver/Xext/security.c.X.original index 765769a7c..c6a516733 100644 --- a/nx-X11/programs/Xserver/Xext/security.c.X.original +++ b/nx-X11/programs/Xserver/Xext/security.c.X.original @@ -652,15 +652,19 @@ SProcSecurityGenerateAuthorization( register char n; CARD32 *values; unsigned long nvalues; + int values_offset; swaps(&stuff->length, n); REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq); swaps(&stuff->nbytesAuthProto, n); swaps(&stuff->nbytesAuthData, n); swapl(&stuff->valueMask, n); - values = (CARD32 *)(&stuff[1]) + - ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + - ((stuff->nbytesAuthData + (unsigned)3) >> 2); + values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + + ((stuff->nbytesAuthData + (unsigned)3) >> 2); + if (values_offset > + stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2)) + return BadLength; + values = (CARD32 *)(&stuff[1]) + values_offset; nvalues = (((CARD32 *)stuff) + stuff->length) - values; SwapLongs(values, nvalues); return ProcSecurityGenerateAuthorization(client); diff --git a/nx-X11/programs/Xserver/Xext/shm.c b/nx-X11/programs/Xserver/Xext/shm.c index e2cf8cd24..f25bb9b5d 100644 --- a/nx-X11/programs/Xserver/Xext/shm.c +++ b/nx-X11/programs/Xserver/Xext/shm.c @@ -863,8 +863,17 @@ ProcShmPutImage(client) return BadValue; } - VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, - client); + /* + * There's a potential integer overflow in this check: + * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, + * client); + * the version below ought to avoid it + */ + if (stuff->totalHeight != 0 && + length > (shmdesc->size - stuff->offset)/stuff->totalHeight) { + client->errorValue = stuff->totalWidth; + return BadValue; + } if (stuff->srcX > stuff->totalWidth) { client->errorValue = stuff->srcX; |