From 30463b084b2833193aa6fdc2ceafefc8a1c06fee Mon Sep 17 00:00:00 2001
From: Reinhard Tartler
Date: Mon, 10 Oct 2011 17:47:30 +0200
Subject: Imported nx-X11-3.2.0-2.tar.gz
Summary: Imported nx-X11-3.2.0-2.tar.gz
Keywords: Imported nx-X11-3.2.0-2.tar.gz into Git repository
---
 nx-X11/CHANGELOG | 7 +++++++
 nx-X11/CHANGELOG.NX.original | 11 +++++++++++
 nx-X11/programs/Xserver/Xext/security.c | 10 +++++++---
 nx-X11/programs/Xserver/Xext/security.c.NX.original | 10 +++++++---
 nx-X11/programs/Xserver/Xext/security.c.X.original | 10 +++++++---
 nx-X11/programs/Xserver/Xext/shm.c | 13 +++++++++++--
 nx-X11/programs/Xserver/record/record.c | 16 +++++++++++++---
 nx-X11/programs/Xserver/render/glyph.c | 14 ++++++++++++--
 nx-X11/programs/Xserver/render/render.c | 18 ++++++++++++++----
 9 files changed, 89 insertions(+), 20 deletions(-)
diff --git a/nx-X11/CHANGELOG b/nx-X11/CHANGELOG
index 7c8afedcd..60104c69e 100644
--- a/nx-X11/CHANGELOG
+++ b/nx-X11/CHANGELOG
@@ -1,5 +1,12 @@
 ChangeLog:
+nx-X11-3.2.0-2
+
+- Imported patch fixing issues from X.Org security advisory, June
+ 11th, 2008: Multiple vulnerabilities in X server extensions. CVE
+ IDs: CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361,
+ CVE-2008-2362.
+
 nx-X11-3.2.0-1
 - Opened the 3.2.0 branch based on nx-X11-3.1.0-6.
diff --git a/nx-X11/CHANGELOG.NX.original b/nx-X11/CHANGELOG.NX.original
index 822542897..60104c69e 100644
--- a/nx-X11/CHANGELOG.NX.original
+++ b/nx-X11/CHANGELOG.NX.original
@@ -1,5 +1,16 @@
 ChangeLog:
+nx-X11-3.2.0-2
+
+- Imported patch fixing issues from X.Org security advisory, June
+ 11th, 2008: Multiple vulnerabilities in X server extensions. CVE
+ IDs: CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361,
+ CVE-2008-2362.
+
+nx-X11-3.2.0-1
+
+- Opened the 3.2.0 branch based on nx-X11-3.1.0-6.
+
 nx-X11-3.1.0-6
 - Modified Xserver Imakefile to link the Xfixes library.
diff --git a/nx-X11/programs/Xserver/Xext/security.c b/nx-X11/programs/Xserver/Xext/security.c
index cee89354a..e3cca43eb 100644
--- a/nx-X11/programs/Xserver/Xext/security.c
+++ b/nx-X11/programs/Xserver/Xext/security.c
@@ -813,15 +813,19 @@ SProcSecurityGenerateAuthorization(
 register char n;
 CARD32 *values;
 unsigned long nvalues;
+ int values_offset;
 swaps(&stuff->length, n);
 REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
 swaps(&stuff->nbytesAuthProto, n);
 swaps(&stuff->nbytesAuthData, n);
 swapl(&stuff->valueMask, n);
- values = (CARD32 *)(&stuff[1]) +
- ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
- ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+ values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+ ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+ if (values_offset >
+ stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+ return BadLength;
+ values = (CARD32 *)(&stuff[1]) + values_offset;
 nvalues = (((CARD32 *)stuff) + stuff->length) - values;
 SwapLongs(values, nvalues);
 return ProcSecurityGenerateAuthorization(client);
diff --git a/nx-X11/programs/Xserver/Xext/security.c.NX.original b/nx-X11/programs/Xserver/Xext/security.c.NX.original
index cee89354a..e3cca43eb 100644
--- a/nx-X11/programs/Xserver/Xext/security.c.NX.original
+++ b/nx-X11/programs/Xserver/Xext/security.c.NX.original
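Review bot: The bounds check added to SProcSecurityGenerateAuthorization (security.c) carries no comment saying what it guards, and the reason is not obvious from the arithmetic. If `values` starts past the end of the request, the pointer difference assigned to the `unsigned long nvalues` on the next context line wraps to a very large count, and `SwapLongs` then runs over memory outside the request. I would put `/* values must start inside the request, otherwise nvalues below wraps */` above the `if`. The same hunk is repeated for security.c.NX.original and security.c.X.original, so the comment would go in all three.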
@@ -813,15 +813,19 @@ SProcSecurityGenerateAuthorization(
 register char n;
 CARD32 *values;
 unsigned long nvalues;
+ int values_offset;
 swaps(&stuff->length, n);
 REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
 swaps(&stuff->nbytesAuthProto, n);
 swaps(&stuff->nbytesAuthData, n);
 swapl(&stuff->valueMask, n);
- values = (CARD32 *)(&stuff[1]) +
- ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
- ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+ values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+ ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+ if (values_offset >
+ stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+ return BadLength;
+ values = (CARD32 *)(&stuff[1]) + values_offset;
 nvalues = (((CARD32 *)stuff) + stuff->length) - values;
 SwapLongs(values, nvalues);
 return ProcSecurityGenerateAuthorization(client);
diff --git a/nx-X11/programs/Xserver/Xext/security.c.X.original b/nx-X11/programs/Xserver/Xext/security.c.X.original
index 765769a7c..c6a516733 100644
--- a/nx-X11/programs/Xserver/Xext/security.c.X.original
+++ b/nx-X11/programs/Xserver/Xext/security.c.X.original
@@ -652,15 +652,19 @@ SProcSecurityGenerateAuthorization(
 register char n;
 CARD32 *values;
 unsigned long nvalues;
+ int values_offset;
 swaps(&stuff->length, n);
 REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
 swaps(&stuff->nbytesAuthProto, n);
 swaps(&stuff->nbytesAuthData, n);
 swapl(&stuff->valueMask, n);
- values = (CARD32 *)(&stuff[1]) +
- ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
- ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+ values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+ ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+ if (values_offset >
+ stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+ return BadLength;
+ values = (CARD32 *)(&stuff[1]) + values_offset;
 nvalues = (((CARD32 *)stuff) + stuff->length) - values;
 SwapLongs(values, nvalues);
 return ProcSecurityGenerateAuthorization(client);
diff --git a/nx-X11/programs/Xserver/Xext/shm.c b/nx-X11/programs/Xserver/Xext/shm.c
index e2cf8cd24..f25bb9b5d 100644
--- a/nx-X11/programs/Xserver/Xext/shm.c
+++ b/nx-X11/programs/Xserver/Xext/shm.c
@@ -863,8 +863,17 @@ ProcShmPutImage(client)
 return BadValue;
 }
- VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
- client);
+ /*
+ * There's a potential integer overflow in this check:
+ * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+ * client);
+ * the version below ought to avoid it
+ */
+ if (stuff->totalHeight != 0 &&
+ length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
+ client->errorValue = stuff->totalWidth;
+ return BadValue;
+ }
 if (stuff->srcX > stuff->totalWidth) {
 client->errorValue = stuff->srcX;
diff --git a/nx-X11/programs/Xserver/record/record.c b/nx-X11/programs/Xserver/record/record.c
index beea616c0..fd5e5db1d 100644
--- a/nx-X11/programs/Xserver/record/record.c
+++ b/nx-X11/programs/Xserver/record/record.c
@@ -2720,7 +2720,7 @@ SProcRecordQueryVersion(client)
 } /* SProcRecordQueryVersion */
-static void
+static int
 SwapCreateRegister(xRecordRegisterClientsReq *stuff)
 {
 register char n;
@@ -2731,11 +2731,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
 swapl(&stuff->nClients, n);
 swapl(&stuff->nRanges, n);
 pClientID = (XID *)&stuff[1];
+ if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
+ return BadLength;
 for (i = 0; i < stuff->nClients; i++, pClientID++) {
 swapl(pClientID, n);
 }
+ if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
+ - stuff->nClients)
+ return BadLength;
 RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
+ return Success;
 } /* SwapCreateRegister */
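Review bot: In ProcShmPutImage (shm.c), the replacement check evaluates `shmdesc->size - stuff->offset` without first comparing the two values. If both are unsigned and the offset is larger than the segment size, the subtraction wraps and the quotient becomes a bound that `length` will practically never exceed, so the request is accepted. An earlier check in the function, outside this hunk, may already reject such offsets; if so, a one-line comment saying that would make the dependency visible, and if not the condition should begin with `stuff->offset > shmdesc->size ||`. Note also that when `totalHeight` is 0 this hunk no longer applies any size check at all, where the removed macro call was still made.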
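Review bot: In SwapCreateRegister (record.c), the second added check compares `stuff->nRanges`, a count of xRecordRange records, with the number of 32-bit words left in the request, so it accepts counts whose records extend past the end of the request whenever one xRecordRange is larger than a single word. RecordSwapRanges is not shown on this page, so that it walks `nRanges` full records is inferred from the `(xRecordRange *)` cast. If it does, the remaining length should be divided by the record size in words: `if (stuff->nRanges > (stuff->length - (sz_xRecordRegisterClientsReq >> 2) - stuff->nClients) / (sizeof(xRecordRange) >> 2))`. The first check, on `nClients`, counts one-word XIDs and does not have this problem.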
@@ -2744,11 +2750,13 @@ SProcRecordCreateContext(client)
 ClientPtr client;
 {
 REQUEST(xRecordCreateContextReq);
+ int status;
 register char n;
 swaps(&stuff->length, n);
 REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
- SwapCreateRegister((pointer)stuff);
+ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+ return status;
 return ProcRecordCreateContext(client);
 } /* SProcRecordCreateContext */
@@ -2758,11 +2766,13 @@ SProcRecordRegisterClients(client)
 ClientPtr client;
 {
 REQUEST(xRecordRegisterClientsReq);
+ int status;
 register char n;
 swaps(&stuff->length, n);
 REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
- SwapCreateRegister((pointer)stuff);
+ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+ return status;
 return ProcRecordRegisterClients(client);
 } /* SProcRecordRegisterClients */
diff --git a/nx-X11/programs/Xserver/render/glyph.c b/nx-X11/programs/Xserver/render/glyph.c
index 45c5dd975..9f4d1c87b 100644
--- a/nx-X11/programs/Xserver/render/glyph.c
+++ b/nx-X11/programs/Xserver/render/glyph.c
@@ -43,6 +43,12 @@
 #include "picturestr.h"
 #include "glyphstr.h"
+#if HAVE_STDINT_H
+#include
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
 /*
 * From Knuth -- a good choice for hash/rehash values is p, p-2 where
 * p and p-2 are both prime. These tables are sized to have an extra 10%
@@ -334,8 +340,12 @@ AllocateGlyph (xGlyphInfo *gi, int fdepth)
 {
 int size;
 GlyphPtr glyph;
-
- size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
+ size_t padded_width;
+
+ padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
+ if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
+ return 0;
+ size = gi->height * padded_width;
 glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
 if (!glyph) return 0;
diff --git a/nx-X11/programs/Xserver/render/render.c b/nx-X11/programs/Xserver/render/render.c
index d2759ab10..d25d49756 100644
--- a/nx-X11/programs/Xserver/render/render.c
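Review bot: In AllocateGlyph (glyph.c), the new overflow check bounds the product by `UINT32_MAX`, but the result is still stored in `int size`, so a product above INT_MAX passes the check and is converted to a signed value before it reaches `xalloc (size + sizeof (GlyphRec))`. The checked value and the allocated value should have the same type: either declare `size_t size;` or bound the check by INT_MAX instead of UINT32_MAX. Any later use of `size` in the function lies outside this hunk and would need to agree with whichever type is chosen.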
+++ b/nx-X11/programs/Xserver/render/render.c
@@ -1505,6 +1505,8 @@ ProcRenderCreateCursor (ClientPtr client)
 pScreen = pSrc->pDrawable->pScreen;
 width = pSrc->pDrawable->width;
 height = pSrc->pDrawable->height;
+ if (height && width > UINT32_MAX/(height*sizeof(CARD32)))
+ return BadAlloc;
 if ( stuff->x > width || stuff->y > height ) return (BadMatch);
@@ -1918,6 +1920,8 @@ static int ProcRenderCreateLinearGradient (ClientPtr client)
 LEGAL_NEW_RESOURCE(stuff->pid, client);
 len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
 if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) return BadLength;
@@ -2489,18 +2493,18 @@ SProcRenderCreateSolidFill(ClientPtr client)
 return (*ProcRenderVector[stuff->renderReqType]) (client);
 }
-static void swapStops(void *stuff, int n)
+static void swapStops(void *stuff, int num)
 {
- int i;
+ int i, n;
 CARD32 *stops;
 CARD16 *colors;
 stops = (CARD32 *)(stuff);
- for (i = 0; i < n; ++i) {
+ for (i = 0; i < num; ++i) {
 swapl(stops, n);
 ++stops;
 }
 colors = (CARD16 *)(stops);
- for (i = 0; i < 4*n; ++i) {
+ for (i = 0; i < 4*num; ++i) {
 swaps(stops, n);
 ++stops;
 }
@@ -2523,6 +2527,8 @@ SProcRenderCreateLinearGradient (ClientPtr client)
 swapl(&stuff->nStops, n);
 len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
 if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) return BadLength;
@@ -2550,6 +2556,8 @@ SProcRenderCreateRadialGradient (ClientPtr client)
 swapl(&stuff->nStops, n);
 len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
+ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
 if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) return BadLength;
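Review bot: `UINT32_MAX` is used by the check added to ProcRenderCreateCursor, and by the `nStops` checks in the four gradient hunks of this file, but the render.c part of the diff adds no definition for it. The `HAVE_STDINT_H` / `#define UINT32_MAX 0xffffffffU` fallback is added to glyph.c only. Unless a header that render.c already includes supplies the macro (not visible here), a build without stdint.h would fail on these lines. Repeating the fallback block near the top of render.c, or moving it into a header both files include, would remove that dependency.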
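Review bot: In swapStops (render.c), the second loop still swaps and advances `stops` rather than `colors`, so `colors` is assigned and never used. Each of the `4*num` iterations swaps two bytes and then moves a CARD32 pointer forward by four, which covers twice the span the CARD16 colour components occupy and leaves half of each pair unswapped. The rename in this hunk does not touch that; the loop body should read `swaps(colors, n); ++colors;`. The new local `n` is only the scratch variable the swap macros take, and the other functions on this page declare it as `register char n;`, which would be the consistent spelling here.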
@@ -2574,6 +2582,8 @@ SProcRenderCreateConicalGradient (ClientPtr client)
 swapl(&stuff->nStops, n);
 len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
+ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
 if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) return BadLength;
-- cgit v1.2.3