diff options
Diffstat (limited to 'nx-X11/programs/Xserver/hw/nxagent/X')
6 files changed, 147 insertions, 24 deletions
diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c index 6dfff3776..b431796be 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c @@ -437,6 +437,13 @@ doOpenFont(ClientPtr client, OFclosurePtr c) err = BadFontName; goto bail; } + /* check values for firstCol, lastCol, firstRow, and lastRow */ + if (pfont->info.firstCol > pfont->info.lastCol || + pfont->info.firstRow > pfont->info.lastRow || + pfont->info.lastCol - pfont->info.firstCol > 255) { + err = AllocError; + goto bail; + } if (!pfont->fpe) pfont->fpe = fpe; pfont->refcnt++; diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.NX.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.NX.original index 6dfff3776..b431796be 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.NX.original +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.NX.original @@ -437,6 +437,13 @@ doOpenFont(ClientPtr client, OFclosurePtr c) err = BadFontName; goto bail; } + /* check values for firstCol, lastCol, firstRow, and lastRow */ + if (pfont->info.firstCol > pfont->info.lastCol || + pfont->info.firstRow > pfont->info.lastRow || + pfont->info.lastCol - pfont->info.firstCol > 255) { + err = AllocError; + goto bail; + } if (!pfont->fpe) pfont->fpe = fpe; pfont->refcnt++; diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.X.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.X.original index 9de998417..2c5874e8d 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.X.original +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.X.original @@ -336,6 +336,13 @@ doOpenFont(ClientPtr client, OFclosurePtr c) err = BadFontName; goto bail; } + /* check values for firstCol, lastCol, firstRow, and lastRow */ + if (pfont->info.firstCol > pfont->info.lastCol || + pfont->info.firstRow > pfont->info.lastRow || + pfont->info.lastCol - pfont->info.firstCol > 255) { + err = AllocError; + goto bail; + } if (!pfont->fpe) pfont->fpe = fpe; pfont->refcnt++; diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c index 3aecaf229..e3e4f4b83 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c @@ -832,6 +832,8 @@ ProcPanoramiXShmCreatePixmap( int i, j, result; ShmDescPtr shmdesc; REQUEST(xShmCreatePixmapReq); + unsigned int width, height, depth; + unsigned long size; PanoramiXRes *newPix; REQUEST_SIZE_MATCH(xShmCreatePixmapReq); @@ -841,11 +843,18 @@ ProcPanoramiXShmCreatePixmap( LEGAL_NEW_RESOURCE(stuff->pid, client); VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); - if (!stuff->width || !stuff->height) + + width = stuff->width; + height = stuff->height; + depth = stuff->depth; + if (!width || !height || !depth) { client->errorValue = 0; return BadValue; } + if (width > 32767 || height > 32767) + return BadAlloc; + if (stuff->depth != 1) { pDepth = pDraw->pScreen->allowedDepths; @@ -855,10 +864,18 @@ ProcPanoramiXShmCreatePixmap( client->errorValue = stuff->depth; return BadValue; } + CreatePmap: - VERIFY_SHMSIZE(shmdesc, stuff->offset, - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, - client); + size = PixmapBytePad(width, depth) * height; + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { + if (size < width * height) + return BadAlloc; + /* thankfully, offset is unsigned */ + if (stuff->offset + size < size) + return BadAlloc; + } + + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) return BadAlloc; @@ -1174,6 +1191,8 @@ ProcShmCreatePixmap(client) register int i; ShmDescPtr shmdesc; REQUEST(xShmCreatePixmapReq); + unsigned int width, height, depth; + unsigned long size; REQUEST_SIZE_MATCH(xShmCreatePixmapReq); client->errorValue = stuff->pid; @@ -1182,11 +1201,18 @@ ProcShmCreatePixmap(client) LEGAL_NEW_RESOURCE(stuff->pid, client); VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); - if (!stuff->width || !stuff->height) + + width = stuff->width; + height = stuff->height; + depth = stuff->depth; + if (!width || !height || !depth) { client->errorValue = 0; return BadValue; } + if (width > 32767 || height > 32767) + return BadAlloc; + if (stuff->depth != 1) { pDepth = pDraw->pScreen->allowedDepths; @@ -1196,10 +1222,18 @@ ProcShmCreatePixmap(client) client->errorValue = stuff->depth; return BadValue; } + CreatePmap: - VERIFY_SHMSIZE(shmdesc, stuff->offset, - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, - client); + size = PixmapBytePad(width, depth) * height; + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { + if (size < width * height) + return BadAlloc; + /* thankfully, offset is unsigned */ + if (stuff->offset + size < size) + return BadAlloc; + } + + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( pDraw->pScreen, stuff->width, stuff->height, stuff->depth, diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.NX.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.NX.original index 3aecaf229..e3e4f4b83 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.NX.original +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.NX.original @@ -832,6 +832,8 @@ ProcPanoramiXShmCreatePixmap( int i, j, result; ShmDescPtr shmdesc; REQUEST(xShmCreatePixmapReq); + unsigned int width, height, depth; + unsigned long size; PanoramiXRes *newPix; REQUEST_SIZE_MATCH(xShmCreatePixmapReq); @@ -841,11 +843,18 @@ ProcPanoramiXShmCreatePixmap( LEGAL_NEW_RESOURCE(stuff->pid, client); VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); - if (!stuff->width || !stuff->height) + + width = stuff->width; + height = stuff->height; + depth = stuff->depth; + if (!width || !height || !depth) { client->errorValue = 0; return BadValue; } + if (width > 32767 || height > 32767) + return BadAlloc; + if (stuff->depth != 1) { pDepth = pDraw->pScreen->allowedDepths; @@ -855,10 +864,18 @@ ProcPanoramiXShmCreatePixmap( client->errorValue = stuff->depth; return BadValue; } + CreatePmap: - VERIFY_SHMSIZE(shmdesc, stuff->offset, - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, - client); + size = PixmapBytePad(width, depth) * height; + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { + if (size < width * height) + return BadAlloc; + /* thankfully, offset is unsigned */ + if (stuff->offset + size < size) + return BadAlloc; + } + + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) return BadAlloc; @@ -1174,6 +1191,8 @@ ProcShmCreatePixmap(client) register int i; ShmDescPtr shmdesc; REQUEST(xShmCreatePixmapReq); + unsigned int width, height, depth; + unsigned long size; REQUEST_SIZE_MATCH(xShmCreatePixmapReq); client->errorValue = stuff->pid; @@ -1182,11 +1201,18 @@ ProcShmCreatePixmap(client) LEGAL_NEW_RESOURCE(stuff->pid, client); VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); - if (!stuff->width || !stuff->height) + + width = stuff->width; + height = stuff->height; + depth = stuff->depth; + if (!width || !height || !depth) { client->errorValue = 0; return BadValue; } + if (width > 32767 || height > 32767) + return BadAlloc; + if (stuff->depth != 1) { pDepth = pDraw->pScreen->allowedDepths; @@ -1196,10 +1222,18 @@ ProcShmCreatePixmap(client) client->errorValue = stuff->depth; return BadValue; } + CreatePmap: - VERIFY_SHMSIZE(shmdesc, stuff->offset, - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, - client); + size = PixmapBytePad(width, depth) * height; + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { + if (size < width * height) + return BadAlloc; + /* thankfully, offset is unsigned */ + if (stuff->offset + size < size) + return BadAlloc; + } + + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( pDraw->pScreen, stuff->width, stuff->height, stuff->depth, diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original index 806008c60..e2cf8cd24 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original @@ -728,6 +728,8 @@ ProcPanoramiXShmCreatePixmap( int i, j, result; ShmDescPtr shmdesc; REQUEST(xShmCreatePixmapReq); + unsigned int width, height, depth; + unsigned long size; PanoramiXRes *newPix; REQUEST_SIZE_MATCH(xShmCreatePixmapReq); @@ -737,11 +739,18 @@ ProcPanoramiXShmCreatePixmap( LEGAL_NEW_RESOURCE(stuff->pid, client); VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); - if (!stuff->width || !stuff->height) + + width = stuff->width; + height = stuff->height; + depth = stuff->depth; + if (!width || !height || !depth) { client->errorValue = 0; return BadValue; } + if (width > 32767 || height > 32767) + return BadAlloc; + if (stuff->depth != 1) { pDepth = pDraw->pScreen->allowedDepths; @@ -751,10 +760,18 @@ ProcPanoramiXShmCreatePixmap( client->errorValue = stuff->depth; return BadValue; } + CreatePmap: - VERIFY_SHMSIZE(shmdesc, stuff->offset, - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, - client); + size = PixmapBytePad(width, depth) * height; + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { + if (size < width * height) + return BadAlloc; + /* thankfully, offset is unsigned */ + if (stuff->offset + size < size) + return BadAlloc; + } + + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) return BadAlloc; @@ -1052,6 +1069,8 @@ ProcShmCreatePixmap(client) register int i; ShmDescPtr shmdesc; REQUEST(xShmCreatePixmapReq); + unsigned int width, height, depth; + unsigned long size; REQUEST_SIZE_MATCH(xShmCreatePixmapReq); client->errorValue = stuff->pid; @@ -1060,11 +1079,18 @@ ProcShmCreatePixmap(client) LEGAL_NEW_RESOURCE(stuff->pid, client); VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); - if (!stuff->width || !stuff->height) + + width = stuff->width; + height = stuff->height; + depth = stuff->depth; + if (!width || !height || !depth) { client->errorValue = 0; return BadValue; } + if (width > 32767 || height > 32767) + return BadAlloc; + if (stuff->depth != 1) { pDepth = pDraw->pScreen->allowedDepths; @@ -1074,10 +1100,18 @@ ProcShmCreatePixmap(client) client->errorValue = stuff->depth; return BadValue; } + CreatePmap: - VERIFY_SHMSIZE(shmdesc, stuff->offset, - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, - client); + size = PixmapBytePad(width, depth) * height; + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { + if (size < width * height) + return BadAlloc; + /* thankfully, offset is unsigned */ + if (stuff->offset + size < size) + return BadAlloc; + } + + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( pDraw->pScreen, stuff->width, stuff->height, stuff->depth, |