diff options
8 files changed, 173 insertions, 24 deletions
diff --git a/nx-X11/programs/Xserver/hw/nxagent/CHANGELOG b/nx-X11/programs/Xserver/hw/nxagent/CHANGELOG index e9138747a..285ecb637 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/CHANGELOG +++ b/nx-X11/programs/Xserver/hw/nxagent/CHANGELOG @@ -1,5 +1,15 @@ ChangeLog: +nxagent-3.1.0-7 + +- Imported patch fixing issues from X.Org security advisory, January + 17th, 2008: Multiple vulnerabilities in the X server. CVE IDs: + CVE-2007-5760 CVE-2007-5958 CVE-2007-6427 CVE-2007-6428 + CVE-2007-6429 CVE-2008-0006. + +- Handled the case if nxagentCreateDrawableBitmap() fails to create + the pixmap intended to store the bitmap data. + nxagent-3.1.0-6 - Fixed a compile warning in Args.c. diff --git a/nx-X11/programs/Xserver/hw/nxagent/Drawable.c b/nx-X11/programs/Xserver/hw/nxagent/Drawable.c index 1644d51a4..abc228e9c 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/Drawable.c +++ b/nx-X11/programs/Xserver/hw/nxagent/Drawable.c @@ -2609,8 +2609,24 @@ void nxagentCreateDrawableBitmap(DrawablePtr pDrawable) goto nxagentCreateDrawableBitmapEnd; } + /* + * FIXME: A better way it would be create the bitmap + * with the same extents of the clipRegion. This + * requires to save the offset with respect to the + * drawable origin like in the backing store. + */ + pBitmap = nxagentCreatePixmap(pDrawable -> pScreen, pDrawable -> width, pDrawable -> height, pDrawable -> depth); + if (pBitmap == NULL) + { + #ifdef WARNING + fprintf(stderr, "nxagentCreateDrawableBitmap: Cannot create pixmap for the bitmap data.\n"); + #endif + + goto nxagentCreateDrawableBitmapEnd; + } + pGC = GetScratchGC(pBitmap -> drawable.depth, pBitmap -> drawable.pScreen); ValidateGC((DrawablePtr) pBitmap, pGC); diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c index 6dfff3776..b431796be 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c @@ -437,6 +437,13 @@ doOpenFont(ClientPtr client, OFclosurePtr c) err = BadFontName; goto bail; } + /* check values for firstCol, lastCol, firstRow, and lastRow */ + if (pfont->info.firstCol > pfont->info.lastCol || + pfont->info.firstRow > pfont->info.lastRow || + pfont->info.lastCol - pfont->info.firstCol > 255) { + err = AllocError; + goto bail; + } if (!pfont->fpe) pfont->fpe = fpe; pfont->refcnt++; diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.NX.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.NX.original index 6dfff3776..b431796be 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.NX.original +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.NX.original @@ -437,6 +437,13 @@ doOpenFont(ClientPtr client, OFclosurePtr c) err = BadFontName; goto bail; } + /* check values for firstCol, lastCol, firstRow, and lastRow */ + if (pfont->info.firstCol > pfont->info.lastCol || + pfont->info.firstRow > pfont->info.lastRow || + pfont->info.lastCol - pfont->info.firstCol > 255) { + err = AllocError; + goto bail; + } if (!pfont->fpe) pfont->fpe = fpe; pfont->refcnt++; diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.X.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.X.original index 9de998417..2c5874e8d 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.X.original +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.X.original @@ -336,6 +336,13 @@ doOpenFont(ClientPtr client, OFclosurePtr c) err = BadFontName; goto bail; } + /* check values for firstCol, lastCol, firstRow, and lastRow */ + if (pfont->info.firstCol > pfont->info.lastCol || + pfont->info.firstRow > pfont->info.lastRow || + pfont->info.lastCol - pfont->info.firstCol > 255) { + err = AllocError; + goto bail; + } if (!pfont->fpe) pfont->fpe = fpe; pfont->refcnt++; diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c index 3aecaf229..e3e4f4b83 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c @@ -832,6 +832,8 @@ ProcPanoramiXShmCreatePixmap( int i, j, result; ShmDescPtr shmdesc; REQUEST(xShmCreatePixmapReq); + unsigned int width, height, depth; + unsigned long size; PanoramiXRes *newPix; REQUEST_SIZE_MATCH(xShmCreatePixmapReq); @@ -841,11 +843,18 @@ ProcPanoramiXShmCreatePixmap( LEGAL_NEW_RESOURCE(stuff->pid, client); VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); - if (!stuff->width || !stuff->height) + + width = stuff->width; + height = stuff->height; + depth = stuff->depth; + if (!width || !height || !depth) { client->errorValue = 0; return BadValue; } + if (width > 32767 || height > 32767) + return BadAlloc; + if (stuff->depth != 1) { pDepth = pDraw->pScreen->allowedDepths; @@ -855,10 +864,18 @@ ProcPanoramiXShmCreatePixmap( client->errorValue = stuff->depth; return BadValue; } + CreatePmap: - VERIFY_SHMSIZE(shmdesc, stuff->offset, - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, - client); + size = PixmapBytePad(width, depth) * height; + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { + if (size < width * height) + return BadAlloc; + /* thankfully, offset is unsigned */ + if (stuff->offset + size < size) + return BadAlloc; + } + + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) return BadAlloc; @@ -1174,6 +1191,8 @@ ProcShmCreatePixmap(client) register int i; ShmDescPtr shmdesc; REQUEST(xShmCreatePixmapReq); + unsigned int width, height, depth; + unsigned long size; REQUEST_SIZE_MATCH(xShmCreatePixmapReq); client->errorValue = stuff->pid; @@ -1182,11 +1201,18 @@ ProcShmCreatePixmap(client) LEGAL_NEW_RESOURCE(stuff->pid, client); VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); - if (!stuff->width || !stuff->height) + + width = stuff->width; + height = stuff->height; + depth = stuff->depth; + if (!width || !height || !depth) { client->errorValue = 0; return BadValue; } + if (width > 32767 || height > 32767) + return BadAlloc; + if (stuff->depth != 1) { pDepth = pDraw->pScreen->allowedDepths; @@ -1196,10 +1222,18 @@ ProcShmCreatePixmap(client) client->errorValue = stuff->depth; return BadValue; } + CreatePmap: - VERIFY_SHMSIZE(shmdesc, stuff->offset, - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, - client); + size = PixmapBytePad(width, depth) * height; + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { + if (size < width * height) + return BadAlloc; + /* thankfully, offset is unsigned */ + if (stuff->offset + size < size) + return BadAlloc; + } + + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( pDraw->pScreen, stuff->width, stuff->height, stuff->depth, diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.NX.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.NX.original index 3aecaf229..e3e4f4b83 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.NX.original +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.NX.original @@ -832,6 +832,8 @@ ProcPanoramiXShmCreatePixmap( int i, j, result; ShmDescPtr shmdesc; REQUEST(xShmCreatePixmapReq); + unsigned int width, height, depth; + unsigned long size; PanoramiXRes *newPix; REQUEST_SIZE_MATCH(xShmCreatePixmapReq); @@ -841,11 +843,18 @@ ProcPanoramiXShmCreatePixmap( LEGAL_NEW_RESOURCE(stuff->pid, client); VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); - if (!stuff->width || !stuff->height) + + width = stuff->width; + height = stuff->height; + depth = stuff->depth; + if (!width || !height || !depth) { client->errorValue = 0; return BadValue; } + if (width > 32767 || height > 32767) + return BadAlloc; + if (stuff->depth != 1) { pDepth = pDraw->pScreen->allowedDepths; @@ -855,10 +864,18 @@ ProcPanoramiXShmCreatePixmap( client->errorValue = stuff->depth; return BadValue; } + CreatePmap: - VERIFY_SHMSIZE(shmdesc, stuff->offset, - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, - client); + size = PixmapBytePad(width, depth) * height; + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { + if (size < width * height) + return BadAlloc; + /* thankfully, offset is unsigned */ + if (stuff->offset + size < size) + return BadAlloc; + } + + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) return BadAlloc; @@ -1174,6 +1191,8 @@ ProcShmCreatePixmap(client) register int i; ShmDescPtr shmdesc; REQUEST(xShmCreatePixmapReq); + unsigned int width, height, depth; + unsigned long size; REQUEST_SIZE_MATCH(xShmCreatePixmapReq); client->errorValue = stuff->pid; @@ -1182,11 +1201,18 @@ ProcShmCreatePixmap(client) LEGAL_NEW_RESOURCE(stuff->pid, client); VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); - if (!stuff->width || !stuff->height) + + width = stuff->width; + height = stuff->height; + depth = stuff->depth; + if (!width || !height || !depth) { client->errorValue = 0; return BadValue; } + if (width > 32767 || height > 32767) + return BadAlloc; + if (stuff->depth != 1) { pDepth = pDraw->pScreen->allowedDepths; @@ -1196,10 +1222,18 @@ ProcShmCreatePixmap(client) client->errorValue = stuff->depth; return BadValue; } + CreatePmap: - VERIFY_SHMSIZE(shmdesc, stuff->offset, - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, - client); + size = PixmapBytePad(width, depth) * height; + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { + if (size < width * height) + return BadAlloc; + /* thankfully, offset is unsigned */ + if (stuff->offset + size < size) + return BadAlloc; + } + + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( pDraw->pScreen, stuff->width, stuff->height, stuff->depth, diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original index 806008c60..e2cf8cd24 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original @@ -728,6 +728,8 @@ ProcPanoramiXShmCreatePixmap( int i, j, result; ShmDescPtr shmdesc; REQUEST(xShmCreatePixmapReq); + unsigned int width, height, depth; + unsigned long size; PanoramiXRes *newPix; REQUEST_SIZE_MATCH(xShmCreatePixmapReq); @@ -737,11 +739,18 @@ ProcPanoramiXShmCreatePixmap( LEGAL_NEW_RESOURCE(stuff->pid, client); VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); - if (!stuff->width || !stuff->height) + + width = stuff->width; + height = stuff->height; + depth = stuff->depth; + if (!width || !height || !depth) { client->errorValue = 0; return BadValue; } + if (width > 32767 || height > 32767) + return BadAlloc; + if (stuff->depth != 1) { pDepth = pDraw->pScreen->allowedDepths; @@ -751,10 +760,18 @@ ProcPanoramiXShmCreatePixmap( client->errorValue = stuff->depth; return BadValue; } + CreatePmap: - VERIFY_SHMSIZE(shmdesc, stuff->offset, - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, - client); + size = PixmapBytePad(width, depth) * height; + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { + if (size < width * height) + return BadAlloc; + /* thankfully, offset is unsigned */ + if (stuff->offset + size < size) + return BadAlloc; + } + + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) return BadAlloc; @@ -1052,6 +1069,8 @@ ProcShmCreatePixmap(client) register int i; ShmDescPtr shmdesc; REQUEST(xShmCreatePixmapReq); + unsigned int width, height, depth; + unsigned long size; REQUEST_SIZE_MATCH(xShmCreatePixmapReq); client->errorValue = stuff->pid; @@ -1060,11 +1079,18 @@ ProcShmCreatePixmap(client) LEGAL_NEW_RESOURCE(stuff->pid, client); VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); - if (!stuff->width || !stuff->height) + + width = stuff->width; + height = stuff->height; + depth = stuff->depth; + if (!width || !height || !depth) { client->errorValue = 0; return BadValue; } + if (width > 32767 || height > 32767) + return BadAlloc; + if (stuff->depth != 1) { pDepth = pDraw->pScreen->allowedDepths; @@ -1074,10 +1100,18 @@ ProcShmCreatePixmap(client) client->errorValue = stuff->depth; return BadValue; } + CreatePmap: - VERIFY_SHMSIZE(shmdesc, stuff->offset, - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, - client); + size = PixmapBytePad(width, depth) * height; + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { + if (size < width * height) + return BadAlloc; + /* thankfully, offset is unsigned */ + if (stuff->offset + size < size) + return BadAlloc; + } + + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( pDraw->pScreen, stuff->width, stuff->height, stuff->depth, |