aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--nx-X11/programs/Xserver/hw/nxagent/CHANGELOG10
-rw-r--r--nx-X11/programs/Xserver/hw/nxagent/Drawable.c16
-rw-r--r--nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c7
-rw-r--r--nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.NX.original7
-rw-r--r--nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.X.original7
-rw-r--r--nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c50
-rw-r--r--nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.NX.original50
-rw-r--r--nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original50
8 files changed, 173 insertions, 24 deletions
diff --git a/nx-X11/programs/Xserver/hw/nxagent/CHANGELOG b/nx-X11/programs/Xserver/hw/nxagent/CHANGELOG
index e9138747a..285ecb637 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/CHANGELOG
+++ b/nx-X11/programs/Xserver/hw/nxagent/CHANGELOG
@@ -1,5 +1,15 @@
ChangeLog:
+nxagent-3.1.0-7
+
+- Imported patch fixing issues from X.Org security advisory, January
+ 17th, 2008: Multiple vulnerabilities in the X server. CVE IDs:
+ CVE-2007-5760 CVE-2007-5958 CVE-2007-6427 CVE-2007-6428
+ CVE-2007-6429 CVE-2008-0006.
+
+- Handled the case if nxagentCreateDrawableBitmap() fails to create
+ the pixmap intended to store the bitmap data.
+
nxagent-3.1.0-6
- Fixed a compile warning in Args.c.
diff --git a/nx-X11/programs/Xserver/hw/nxagent/Drawable.c b/nx-X11/programs/Xserver/hw/nxagent/Drawable.c
index 1644d51a4..abc228e9c 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/Drawable.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/Drawable.c
@@ -2609,8 +2609,24 @@ void nxagentCreateDrawableBitmap(DrawablePtr pDrawable)
goto nxagentCreateDrawableBitmapEnd;
}
+ /*
+ * FIXME: A better way it would be create the bitmap
+ * with the same extents of the clipRegion. This
+ * requires to save the offset with respect to the
+ * drawable origin like in the backing store.
+ */
+
pBitmap = nxagentCreatePixmap(pDrawable -> pScreen, pDrawable -> width, pDrawable -> height, pDrawable -> depth);
+ if (pBitmap == NULL)
+ {
+ #ifdef WARNING
+ fprintf(stderr, "nxagentCreateDrawableBitmap: Cannot create pixmap for the bitmap data.\n");
+ #endif
+
+ goto nxagentCreateDrawableBitmapEnd;
+ }
+
pGC = GetScratchGC(pBitmap -> drawable.depth, pBitmap -> drawable.pScreen);
ValidateGC((DrawablePtr) pBitmap, pGC);
diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c
index 6dfff3776..b431796be 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c
@@ -437,6 +437,13 @@ doOpenFont(ClientPtr client, OFclosurePtr c)
err = BadFontName;
goto bail;
}
+ /* check values for firstCol, lastCol, firstRow, and lastRow */
+ if (pfont->info.firstCol > pfont->info.lastCol ||
+ pfont->info.firstRow > pfont->info.lastRow ||
+ pfont->info.lastCol - pfont->info.firstCol > 255) {
+ err = AllocError;
+ goto bail;
+ }
if (!pfont->fpe)
pfont->fpe = fpe;
pfont->refcnt++;
diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.NX.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.NX.original
index 6dfff3776..b431796be 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.NX.original
+++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.NX.original
@@ -437,6 +437,13 @@ doOpenFont(ClientPtr client, OFclosurePtr c)
err = BadFontName;
goto bail;
}
+ /* check values for firstCol, lastCol, firstRow, and lastRow */
+ if (pfont->info.firstCol > pfont->info.lastCol ||
+ pfont->info.firstRow > pfont->info.lastRow ||
+ pfont->info.lastCol - pfont->info.firstCol > 255) {
+ err = AllocError;
+ goto bail;
+ }
if (!pfont->fpe)
pfont->fpe = fpe;
pfont->refcnt++;
diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.X.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.X.original
index 9de998417..2c5874e8d 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.X.original
+++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.X.original
@@ -336,6 +336,13 @@ doOpenFont(ClientPtr client, OFclosurePtr c)
err = BadFontName;
goto bail;
}
+ /* check values for firstCol, lastCol, firstRow, and lastRow */
+ if (pfont->info.firstCol > pfont->info.lastCol ||
+ pfont->info.firstRow > pfont->info.lastRow ||
+ pfont->info.lastCol - pfont->info.firstCol > 255) {
+ err = AllocError;
+ goto bail;
+ }
if (!pfont->fpe)
pfont->fpe = fpe;
pfont->refcnt++;
diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c
index 3aecaf229..e3e4f4b83 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c
@@ -832,6 +832,8 @@ ProcPanoramiXShmCreatePixmap(
int i, j, result;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
PanoramiXRes *newPix;
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
@@ -841,11 +843,18 @@ ProcPanoramiXShmCreatePixmap(
LEGAL_NEW_RESOURCE(stuff->pid, client);
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
{
client->errorValue = 0;
return BadValue;
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
@@ -855,10 +864,18 @@ ProcPanoramiXShmCreatePixmap(
client->errorValue = stuff->depth;
return BadValue;
}
+
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
return BadAlloc;
@@ -1174,6 +1191,8 @@ ProcShmCreatePixmap(client)
register int i;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
client->errorValue = stuff->pid;
@@ -1182,11 +1201,18 @@ ProcShmCreatePixmap(client)
LEGAL_NEW_RESOURCE(stuff->pid, client);
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
{
client->errorValue = 0;
return BadValue;
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
@@ -1196,10 +1222,18 @@ ProcShmCreatePixmap(client)
client->errorValue = stuff->depth;
return BadValue;
}
+
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
pDraw->pScreen, stuff->width,
stuff->height, stuff->depth,
diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.NX.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.NX.original
index 3aecaf229..e3e4f4b83 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.NX.original
+++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.NX.original
@@ -832,6 +832,8 @@ ProcPanoramiXShmCreatePixmap(
int i, j, result;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
PanoramiXRes *newPix;
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
@@ -841,11 +843,18 @@ ProcPanoramiXShmCreatePixmap(
LEGAL_NEW_RESOURCE(stuff->pid, client);
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
{
client->errorValue = 0;
return BadValue;
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
@@ -855,10 +864,18 @@ ProcPanoramiXShmCreatePixmap(
client->errorValue = stuff->depth;
return BadValue;
}
+
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
return BadAlloc;
@@ -1174,6 +1191,8 @@ ProcShmCreatePixmap(client)
register int i;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
client->errorValue = stuff->pid;
@@ -1182,11 +1201,18 @@ ProcShmCreatePixmap(client)
LEGAL_NEW_RESOURCE(stuff->pid, client);
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
{
client->errorValue = 0;
return BadValue;
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
@@ -1196,10 +1222,18 @@ ProcShmCreatePixmap(client)
client->errorValue = stuff->depth;
return BadValue;
}
+
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
pDraw->pScreen, stuff->width,
stuff->height, stuff->depth,
diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original
index 806008c60..e2cf8cd24 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original
+++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original
@@ -728,6 +728,8 @@ ProcPanoramiXShmCreatePixmap(
int i, j, result;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
PanoramiXRes *newPix;
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
@@ -737,11 +739,18 @@ ProcPanoramiXShmCreatePixmap(
LEGAL_NEW_RESOURCE(stuff->pid, client);
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
{
client->errorValue = 0;
return BadValue;
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
@@ -751,10 +760,18 @@ ProcPanoramiXShmCreatePixmap(
client->errorValue = stuff->depth;
return BadValue;
}
+
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
return BadAlloc;
@@ -1052,6 +1069,8 @@ ProcShmCreatePixmap(client)
register int i;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
client->errorValue = stuff->pid;
@@ -1060,11 +1079,18 @@ ProcShmCreatePixmap(client)
LEGAL_NEW_RESOURCE(stuff->pid, client);
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
{
client->errorValue = 0;
return BadValue;
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
@@ -1074,10 +1100,18 @@ ProcShmCreatePixmap(client)
client->errorValue = stuff->depth;
return BadValue;
}
+
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
pDraw->pScreen, stuff->width,
stuff->height, stuff->depth,