From 96efadac50bf40bc502680072570a2950f132fe3 Mon Sep 17 00:00:00 2001 From: Mihai Moldovan Date: Sun, 26 Apr 2015 23:32:32 +0200 Subject: CVE patches were previously not included in release tarballs. Rename: - 1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch => 1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-.full.patch - 1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch => 1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.full.patch - 1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch => 1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch - 1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch => 1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-.full.patch - 1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch => 1005-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch - 1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch => 1006-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch - 1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch => 1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_co.full.patch - 1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch => 1008-Don-t-crash-when-we-receive-an-FS_Error-from-th.full.patch - 1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch => 1009-CVE-2014-0210-unvalidated-lengths-when-reading-.full.patch - 1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch => 1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-.full.patch - 1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch => 1011-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch - 1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch => 1012-CVE-2014-0211-integer-overflow-in-fs_read_exten.full.patch - 1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch => 1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyp.full.patch - 1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch => 1014-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch - 1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch => 1015-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch - 1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch => 1016-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch - 1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch => 1017-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch - 1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch => 1018-unchecked-malloc-may-allow-unauthed-client-to-c.full.patch - 1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch => 1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch - 1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch => 1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-.full.patch - 1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch => 1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8.full.patch - 1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch => 1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-.full.patch - 1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch => 1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls.full.patch - 1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch => 1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-.full.patch - 1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch => 1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDL.full.patch - 1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch => 1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch - 1027-render-check-request-size-before-reading-it-CVE-2014.patch => 1027-render-check-request-size-before-reading-it-CVE.full.patch - 1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch => 1028-render-unvalidated-lengths-in-Render-extn.-swap.full.patch - 1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch => 1029-xfixes-unvalidated-length-in-SProcXFixesSelectS.full.patch - 1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch => 1030-randr-unvalidated-lengths-in-RandR-extension-sw.full.patch - 1031-glx-Be-more-paranoid-about-variable-length-requests-.patch => 1031-glx-Be-more-paranoid-about-variable-length-requ.full.patch - 1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch => 1032-glx-Be-more-strict-about-rejecting-invalid-imag.full.patch - 1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch => 1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer.full.patch - 1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch => 1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-.full.patch - 1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch => 1035-glx-Length-checking-for-GLXRender-requests-v2-C.full.patch - 1036-glx-Integer-overflow-protection-for-non-generated-re.patch => 1036-glx-Integer-overflow-protection-for-non-generat.full.patch - 1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch => 1037-glx-Top-level-length-checking-for-swapped-Vendo.full.patch - 1038-glx-Length-checking-for-non-generated-single-request.patch => 1038-glx-Length-checking-for-non-generated-single-re.full.patch - 1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch => 1039-glx-Length-checking-for-RenderLarge-requests-v2.full.patch - 1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch => 1040-glx-Pass-remaining-request-length-into-varsize-.full.patch - 1041-nx-X11-lib-font-fc-fserve.c-initialize-remaining-buf.patch => 1041-nx-X11-lib-font-fc-fserve.c-initialize-remainin.full.patch - 1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch => 1042-Do-proper-input-validation-to-fix-for-CVE-2011-.full.patch - 1101-Coverity-844-845-846-Fix-memory-leaks.patch => 1101-Coverity-844-845-846-Fix-memory-leaks.full.patch - 1102-include-introduce-byte-counting-functions.patch => 1102-include-introduce-byte-counting-functions.full.patch - 1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch => 1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input.full.patch - 1104-xkb-Check-strings-length-against-request-size.patch => 1104-xkb-Check-strings-length-against-request-size.full.patch --- debian/changelog | 94 ++++ ...ess-fix-for-CVE-2011-2895-From-xorg-.full.patch | 29 + ...ess-fix-for-CVE-2011-2895-From-xorg-lib-X.patch | 29 - ...1-4028-File-disclosure-vulnerability.-ups.patch | 29 - ...1-4028-File-disclosure-vulnerability.full.patch | 29 + ...fter-free-in-dix-dixfonts.c-doImageT.full.patch | 74 +++ ...fter-free-in-dix-dixfonts.c-doImageText-C.patch | 74 --- ...62-unlimited-sscanf-overflows-stack-.full.patch | 30 + ...62-unlimited-sscanf-overflows-stack-buffe.patch | 30 - ...09-integer-overflow-of-realloc-size-.full.patch | 43 ++ ...09-integer-overflow-of-realloc-size-in-Fo.patch | 43 -- ...09-integer-overflow-of-realloc-size-.full.patch | 46 ++ ...09-integer-overflow-of-realloc-size-in-le.patch | 46 -- ...10-unvalidated-length-in-_fs_recv_co.full.patch | 75 +++ ...10-unvalidated-length-in-_fs_recv_conn_se.patch | 75 --- ...-when-we-receive-an-FS_Error-from-th.full.patch | 27 + ...-when-we-receive-an-FS_Error-from-the-fon.patch | 27 - ...10-unvalidated-lengths-when-reading-.full.patch | 158 ++++++ ...10-unvalidated-lengths-when-reading-repli.patch | 158 ------ ...11-Integer-overflow-in-fs_get_reply-.full.patch | 65 +++ ...11-Integer-overflow-in-fs_get_reply-_fs_s.patch | 65 --- ...10-unvalidated-length-fields-in-fs_r.full.patch | 141 +++++ ...10-unvalidated-length-fields-in-fs_read_q.patch | 141 ----- ...11-integer-overflow-in-fs_read_exten.full.patch | 48 ++ ...11-integer-overflow-in-fs_read_extent_inf.patch | 48 -- ...11-integer-overflow-in-fs_alloc_glyp.full.patch | 34 ++ ...11-integer-overflow-in-fs_alloc_glyphs-fr.patch | 34 -- ...10-unvalidated-length-fields-in-fs_r.full.patch | 38 ++ ...10-unvalidated-length-fields-in-fs_read_e.patch | 38 -- ...10-unvalidated-length-fields-in-fs_r.full.patch | 75 +++ ...10-unvalidated-length-fields-in-fs_read_g.patch | 75 --- ...10-unvalidated-length-fields-in-fs_r.full.patch | 61 ++ ...10-unvalidated-length-fields-in-fs_read_l.patch | 61 -- ...10-unvalidated-length-fields-in-fs_r.full.patch | 112 ++++ ...10-unvalidated-length-fields-in-fs_read_l.patch | 112 ---- ...alloc-may-allow-unauthed-client-to-c.full.patch | 43 ++ ...alloc-may-allow-unauthed-client-to-crash-.patch | 43 -- ...-overflow-in-ProcPutImage-CVE-2014-8.full.patch | 42 ++ ...-overflow-in-ProcPutImage-CVE-2014-8092-1.patch | 42 -- ...-overflow-in-GetHosts-CVE-2014-8092-.full.patch | 54 ++ ...er-overflow-in-GetHosts-CVE-2014-8092-2-4.patch | 54 -- ...-overflow-in-RegionSizeof-CVE-2014-8.full.patch | 205 +++++++ ...-overflow-in-RegionSizeof-CVE-2014-8092-3.patch | 205 ------- ...-overflow-in-REQUEST_FIXED_SIZE-CVE-.full.patch | 46 ++ ...-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch | 46 -- ...ated-lengths-in-DbeSwapBuffers-calls-CVE-.patch | 80 --- ...ated-lengths-in-DbeSwapBuffers-calls.full.patch | 80 +++ ...ted-lengths-in-Xinput-extension-CVE-.full.patch | 114 ++++ ...ted-lengths-in-Xinput-extension-CVE-2014-.patch | 114 ---- ...lidated-length-in-SProcXCMiscGetXIDL.full.patch | 29 + ...lidated-length-in-SProcXCMiscGetXIDList-C.patch | 29 - ...ted-lengths-in-XVideo-extension-swap.full.patch | 184 ++++++ ...ted-lengths-in-XVideo-extension-swapped-p.patch | 184 ------ ...k-request-size-before-reading-it-CVE-2014.patch | 40 -- ...k-request-size-before-reading-it-CVE.full.patch | 40 ++ ...lidated-lengths-in-Render-extn.-swap.full.patch | 146 +++++ ...lidated-lengths-in-Render-extn.-swapped-p.patch | 146 ----- ...lidated-length-in-SProcXFixesSelectS.full.patch | 32 ++ ...lidated-length-in-SProcXFixesSelectSelect.patch | 32 -- ...idated-lengths-in-RandR-extension-sw.full.patch | 45 ++ ...idated-lengths-in-RandR-extension-swapped.patch | 45 -- ...-paranoid-about-variable-length-requ.full.patch | 76 +++ ...-paranoid-about-variable-length-requests-.patch | 76 --- ...-strict-about-rejecting-invalid-imag.full.patch | 163 ++++++ ...-strict-about-rejecting-invalid-image-siz.patch | 163 ------ ...nal-paranoia-in-__glXGetAnswerBuffer-__GL.patch | 41 -- ...nal-paranoia-in-__glXGetAnswerBuffer.full.patch | 41 ++ ...e_-add-mul-pad-v3-CVE-2014-8093-4-6-.full.patch | 96 ++++ ...safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch | 96 ---- ...checking-for-GLXRender-requests-v2-C.full.patch | 132 +++++ ...checking-for-GLXRender-requests-v2-CVE-20.patch | 132 ----- ...-overflow-protection-for-non-generat.full.patch | 215 +++++++ ...-overflow-protection-for-non-generated-re.patch | 215 ------- ...el-length-checking-for-swapped-Vendo.full.patch | 53 ++ ...el-length-checking-for-swapped-VendorPriv.patch | 53 -- ...checking-for-non-generated-single-re.full.patch | 413 ++++++++++++++ ...checking-for-non-generated-single-request.patch | 413 -------------- ...checking-for-RenderLarge-requests-v2-CVE-.patch | 290 ---------- ...checking-for-RenderLarge-requests-v2.full.patch | 290 ++++++++++ ...maining-request-length-into-varsize-.full.patch | 622 +++++++++++++++++++++ ...maining-request-length-into-varsize-v2-CV.patch | 622 --------------------- ...font-fc-fserve.c-initialize-remainin.full.patch | 35 ++ ...font-fc-fserve.c-initialize-remaining-buf.patch | 35 -- ...nput-validation-to-fix-for-CVE-2011-.full.patch | 110 ++++ ...input-validation-to-fix-for-CVE-2011-2895.patch | 110 ---- ...overity-844-845-846-Fix-memory-leaks.full.patch | 63 +++ ...101-Coverity-844-845-846-Fix-memory-leaks.patch | 63 --- ...de-introduce-byte-counting-functions.full.patch | 70 +++ ...include-introduce-byte-counting-functions.patch | 70 --- ...wap-XkbSetGeometry-data-in-the-input-buff.patch | 115 ---- ...wap-XkbSetGeometry-data-in-the-input.full.patch | 115 ++++ ...-strings-length-against-request-size.full.patch | 148 +++++ ...Check-strings-length-against-request-size.patch | 148 ----- debian/patches/series | 92 +-- 94 files changed, 4927 insertions(+), 4833 deletions(-) create mode 100644 debian/patches/1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-.full.patch delete mode 100644 debian/patches/1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch delete mode 100644 debian/patches/1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch create mode 100644 debian/patches/1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.full.patch create mode 100644 debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch delete mode 100644 debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch create mode 100644 debian/patches/1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-.full.patch delete mode 100644 debian/patches/1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch create mode 100644 debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch delete mode 100644 debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch create mode 100644 debian/patches/1006-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch delete mode 100644 debian/patches/1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch create mode 100644 debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_co.full.patch delete mode 100644 debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch create mode 100644 debian/patches/1008-Don-t-crash-when-we-receive-an-FS_Error-from-th.full.patch delete mode 100644 debian/patches/1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch create mode 100644 debian/patches/1009-CVE-2014-0210-unvalidated-lengths-when-reading-.full.patch delete mode 100644 debian/patches/1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch create mode 100644 debian/patches/1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-.full.patch delete mode 100644 debian/patches/1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch create mode 100644 debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch delete mode 100644 debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch create mode 100644 debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_exten.full.patch delete mode 100644 debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch create mode 100644 debian/patches/1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyp.full.patch delete mode 100644 debian/patches/1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch create mode 100644 debian/patches/1014-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch delete mode 100644 debian/patches/1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch create mode 100644 debian/patches/1015-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch delete mode 100644 debian/patches/1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch create mode 100644 debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch delete mode 100644 debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch create mode 100644 debian/patches/1017-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch delete mode 100644 debian/patches/1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch create mode 100644 debian/patches/1018-unchecked-malloc-may-allow-unauthed-client-to-c.full.patch delete mode 100644 debian/patches/1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch create mode 100644 debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch delete mode 100644 debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch create mode 100644 debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-.full.patch delete mode 100644 debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch create mode 100644 debian/patches/1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8.full.patch delete mode 100644 debian/patches/1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch create mode 100644 debian/patches/1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-.full.patch delete mode 100644 debian/patches/1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch delete mode 100644 debian/patches/1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch create mode 100644 debian/patches/1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls.full.patch create mode 100644 debian/patches/1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-.full.patch delete mode 100644 debian/patches/1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch create mode 100644 debian/patches/1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDL.full.patch delete mode 100644 debian/patches/1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch create mode 100644 debian/patches/1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch delete mode 100644 debian/patches/1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch delete mode 100644 debian/patches/1027-render-check-request-size-before-reading-it-CVE-2014.patch create mode 100644 debian/patches/1027-render-check-request-size-before-reading-it-CVE.full.patch create mode 100644 debian/patches/1028-render-unvalidated-lengths-in-Render-extn.-swap.full.patch delete mode 100644 debian/patches/1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch create mode 100644 debian/patches/1029-xfixes-unvalidated-length-in-SProcXFixesSelectS.full.patch delete mode 100644 debian/patches/1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch create mode 100644 debian/patches/1030-randr-unvalidated-lengths-in-RandR-extension-sw.full.patch delete mode 100644 debian/patches/1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch create mode 100644 debian/patches/1031-glx-Be-more-paranoid-about-variable-length-requ.full.patch delete mode 100644 debian/patches/1031-glx-Be-more-paranoid-about-variable-length-requests-.patch create mode 100644 debian/patches/1032-glx-Be-more-strict-about-rejecting-invalid-imag.full.patch delete mode 100644 debian/patches/1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch delete mode 100644 debian/patches/1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch create mode 100644 debian/patches/1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer.full.patch create mode 100644 debian/patches/1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-.full.patch delete mode 100644 debian/patches/1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch create mode 100644 debian/patches/1035-glx-Length-checking-for-GLXRender-requests-v2-C.full.patch delete mode 100644 debian/patches/1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch create mode 100644 debian/patches/1036-glx-Integer-overflow-protection-for-non-generat.full.patch delete mode 100644 debian/patches/1036-glx-Integer-overflow-protection-for-non-generated-re.patch create mode 100644 debian/patches/1037-glx-Top-level-length-checking-for-swapped-Vendo.full.patch delete mode 100644 debian/patches/1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch create mode 100644 debian/patches/1038-glx-Length-checking-for-non-generated-single-re.full.patch delete mode 100644 debian/patches/1038-glx-Length-checking-for-non-generated-single-request.patch delete mode 100644 debian/patches/1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch create mode 100644 debian/patches/1039-glx-Length-checking-for-RenderLarge-requests-v2.full.patch create mode 100644 debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-.full.patch delete mode 100644 debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch create mode 100644 debian/patches/1041-nx-X11-lib-font-fc-fserve.c-initialize-remainin.full.patch delete mode 100644 debian/patches/1041-nx-X11-lib-font-fc-fserve.c-initialize-remaining-buf.patch create mode 100644 debian/patches/1042-Do-proper-input-validation-to-fix-for-CVE-2011-.full.patch delete mode 100644 debian/patches/1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch create mode 100644 debian/patches/1101-Coverity-844-845-846-Fix-memory-leaks.full.patch delete mode 100644 debian/patches/1101-Coverity-844-845-846-Fix-memory-leaks.patch create mode 100644 debian/patches/1102-include-introduce-byte-counting-functions.full.patch delete mode 100644 debian/patches/1102-include-introduce-byte-counting-functions.patch delete mode 100644 debian/patches/1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch create mode 100644 debian/patches/1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input.full.patch create mode 100644 debian/patches/1104-xkb-Check-strings-length-against-request-size.full.patch delete mode 100644 debian/patches/1104-xkb-Check-strings-length-against-request-size.patch diff --git a/debian/changelog b/debian/changelog index 079b2decb..09dca43f8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -17,6 +17,100 @@ nx-libs (2:3.5.0.32-0x2go1) UNRELEASED; urgency=low * nx-X11: add more NULL guards to TEST and DEBUG sections of Render.c. Affects: - 0990_fix-DEBUG-and-TEST-builds.full.patch + * CVE patches were previously not included in release tarballs. + Rename: + - 1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch => + 1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-.full.patch + - 1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch => + 1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.full.patch + - 1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch => + 1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch + - 1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch => + 1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-.full.patch + - 1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch => + 1005-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch + - 1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch => + 1006-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch + - 1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch => + 1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_co.full.patch + - 1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch => + 1008-Don-t-crash-when-we-receive-an-FS_Error-from-th.full.patch + - 1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch => + 1009-CVE-2014-0210-unvalidated-lengths-when-reading-.full.patch + - 1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch => + 1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-.full.patch + - 1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch => + 1011-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch + - 1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch => + 1012-CVE-2014-0211-integer-overflow-in-fs_read_exten.full.patch + - 1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch => + 1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyp.full.patch + - 1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch => + 1014-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch + - 1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch => + 1015-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch + - 1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch => + 1016-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch + - 1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch => + 1017-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch + - 1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch => + 1018-unchecked-malloc-may-allow-unauthed-client-to-c.full.patch + - 1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch => + 1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch + - 1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch => + 1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-.full.patch + - 1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch => + 1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8.full.patch + - 1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch => + 1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-.full.patch + - 1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch => + 1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls.full.patch + - 1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch => + 1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-.full.patch + - 1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch => + 1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDL.full.patch + - 1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch => + 1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch + - 1027-render-check-request-size-before-reading-it-CVE-2014.patch => + 1027-render-check-request-size-before-reading-it-CVE.full.patch + - 1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch => + 1028-render-unvalidated-lengths-in-Render-extn.-swap.full.patch + - 1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch => + 1029-xfixes-unvalidated-length-in-SProcXFixesSelectS.full.patch + - 1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch => + 1030-randr-unvalidated-lengths-in-RandR-extension-sw.full.patch + - 1031-glx-Be-more-paranoid-about-variable-length-requests-.patch => + 1031-glx-Be-more-paranoid-about-variable-length-requ.full.patch + - 1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch => + 1032-glx-Be-more-strict-about-rejecting-invalid-imag.full.patch + - 1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch => + 1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer.full.patch + - 1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch => + 1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-.full.patch + - 1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch => + 1035-glx-Length-checking-for-GLXRender-requests-v2-C.full.patch + - 1036-glx-Integer-overflow-protection-for-non-generated-re.patch => + 1036-glx-Integer-overflow-protection-for-non-generat.full.patch + - 1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch => + 1037-glx-Top-level-length-checking-for-swapped-Vendo.full.patch + - 1038-glx-Length-checking-for-non-generated-single-request.patch => + 1038-glx-Length-checking-for-non-generated-single-re.full.patch + - 1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch => + 1039-glx-Length-checking-for-RenderLarge-requests-v2.full.patch + - 1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch => + 1040-glx-Pass-remaining-request-length-into-varsize-.full.patch + - 1041-nx-X11-lib-font-fc-fserve.c-initialize-remaining-buf.patch => + 1041-nx-X11-lib-font-fc-fserve.c-initialize-remainin.full.patch + - 1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch => + 1042-Do-proper-input-validation-to-fix-for-CVE-2011-.full.patch + - 1101-Coverity-844-845-846-Fix-memory-leaks.patch => + 1101-Coverity-844-845-846-Fix-memory-leaks.full.patch + - 1102-include-introduce-byte-counting-functions.patch => + 1102-include-introduce-byte-counting-functions.full.patch + - 1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch => + 1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input.full.patch + - 1104-xkb-Check-strings-length-against-request-size.patch => + 1104-xkb-Check-strings-length-against-request-size.full.patch [ Bernard Cafarelli ] * nx-X11: link to libdl to fix undefined references to 'dlopen' and 'dlsym'. diff --git a/debian/patches/1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-.full.patch b/debian/patches/1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-.full.patch new file mode 100644 index 000000000..162bb218b --- /dev/null +++ b/debian/patches/1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-.full.patch @@ -0,0 +1,29 @@ +From af55da1e9c1a6a352b24823a8f7062c288ffbbc0 Mon Sep 17 00:00:00 2001 +From: Mike DePaulo +Date: Sun, 8 Feb 2015 19:15:20 -0500 +Subject: [PATCH 01/40] LZW decompress: fix for CVE-2011-2895 From + xorg/lib/Xfont commit d11ee5886e9d9ec610051a206b135a4cdc1e09a0 + + Specially crafted LZW stream can crash an application using libXfont + that is used to open untrusted font files. With X server, this may + allow privilege escalation when exploited +--- + nx-X11/lib/font/fontfile/decompress.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/nx-X11/lib/font/fontfile/decompress.c b/nx-X11/lib/font/fontfile/decompress.c +index a4c5468..553b315 100644 +--- a/nx-X11/lib/font/fontfile/decompress.c ++++ b/nx-X11/lib/font/fontfile/decompress.c +@@ -261,6 +261,8 @@ BufCompressedFill (BufFilePtr f) + */ + while ( code >= 256 ) + { ++ if (stackp - de_stack >= STACK_SIZE - 1) ++ return BUFFILEEOF; + *stackp++ = file->tab_suffix[code]; + code = file->tab_prefix[code]; + } +-- +2.1.4 + diff --git a/debian/patches/1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch b/debian/patches/1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch deleted file mode 100644 index 162bb218b..000000000 --- a/debian/patches/1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch +++ /dev/null @@ -1,29 +0,0 @@ -From af55da1e9c1a6a352b24823a8f7062c288ffbbc0 Mon Sep 17 00:00:00 2001 -From: Mike DePaulo -Date: Sun, 8 Feb 2015 19:15:20 -0500 -Subject: [PATCH 01/40] LZW decompress: fix for CVE-2011-2895 From - xorg/lib/Xfont commit d11ee5886e9d9ec610051a206b135a4cdc1e09a0 - - Specially crafted LZW stream can crash an application using libXfont - that is used to open untrusted font files. With X server, this may - allow privilege escalation when exploited ---- - nx-X11/lib/font/fontfile/decompress.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/nx-X11/lib/font/fontfile/decompress.c b/nx-X11/lib/font/fontfile/decompress.c -index a4c5468..553b315 100644 ---- a/nx-X11/lib/font/fontfile/decompress.c -+++ b/nx-X11/lib/font/fontfile/decompress.c -@@ -261,6 +261,8 @@ BufCompressedFill (BufFilePtr f) - */ - while ( code >= 256 ) - { -+ if (stackp - de_stack >= STACK_SIZE - 1) -+ return BUFFILEEOF; - *stackp++ = file->tab_suffix[code]; - code = file->tab_prefix[code]; - } --- -2.1.4 - diff --git a/debian/patches/1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch b/debian/patches/1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch deleted file mode 100644 index a5437cacd..000000000 --- a/debian/patches/1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch +++ /dev/null @@ -1,29 +0,0 @@ -From df4a3b7270539843ae76275485ca76efcdf361d9 Mon Sep 17 00:00:00 2001 -From: Mike DePaulo -Date: Sun, 8 Feb 2015 19:16:38 -0500 -Subject: [PATCH 02/40] Fix CVE-2011-4028: File disclosure vulnerability. - upstream xorg/xserver commit 6ba44b91e37622ef8c146d8f2ac92d708a18ed34 - -use O_NOFOLLOW to open the existing lock file, so symbolic links -aren't followed, thus avoid revealing if it point to an existing -file. ---- - nx-X11/programs/Xserver/os/utils.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/nx-X11/programs/Xserver/os/utils.c b/nx-X11/programs/Xserver/os/utils.c -index 9b2431a..79e49d5 100644 ---- a/nx-X11/programs/Xserver/os/utils.c -+++ b/nx-X11/programs/Xserver/os/utils.c -@@ -483,7 +483,7 @@ LockServer(void) - /* - * Read the pid from the existing file - */ -- lfd = open(LockFile, O_RDONLY); -+ lfd = open(LockFile, O_RDONLY|O_NOFOLLOW); - if (lfd < 0) { - unlink(tmp); - FatalError("Can't read lock file %s\n", LockFile); --- -2.1.4 - diff --git a/debian/patches/1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.full.patch b/debian/patches/1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.full.patch new file mode 100644 index 000000000..a5437cacd --- /dev/null +++ b/debian/patches/1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.full.patch @@ -0,0 +1,29 @@ +From df4a3b7270539843ae76275485ca76efcdf361d9 Mon Sep 17 00:00:00 2001 +From: Mike DePaulo +Date: Sun, 8 Feb 2015 19:16:38 -0500 +Subject: [PATCH 02/40] Fix CVE-2011-4028: File disclosure vulnerability. + upstream xorg/xserver commit 6ba44b91e37622ef8c146d8f2ac92d708a18ed34 + +use O_NOFOLLOW to open the existing lock file, so symbolic links +aren't followed, thus avoid revealing if it point to an existing +file. +--- + nx-X11/programs/Xserver/os/utils.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/nx-X11/programs/Xserver/os/utils.c b/nx-X11/programs/Xserver/os/utils.c +index 9b2431a..79e49d5 100644 +--- a/nx-X11/programs/Xserver/os/utils.c ++++ b/nx-X11/programs/Xserver/os/utils.c +@@ -483,7 +483,7 @@ LockServer(void) + /* + * Read the pid from the existing file + */ +- lfd = open(LockFile, O_RDONLY); ++ lfd = open(LockFile, O_RDONLY|O_NOFOLLOW); + if (lfd < 0) { + unlink(tmp); + FatalError("Can't read lock file %s\n", LockFile); +-- +2.1.4 + diff --git a/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch b/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch new file mode 100644 index 000000000..8cb1d0d7b --- /dev/null +++ b/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch @@ -0,0 +1,74 @@ +From 72790a55862f9a2232ba0cd7b072bbe3887cd820 Mon Sep 17 00:00:00 2001 +From: Mike DePaulo +Date: Sun, 8 Feb 2015 20:01:27 -0500 +Subject: [PATCH 03/40] Avoid use-after-free in dix/dixfonts.c: doImageText() + [CVE-2013-4396] from xorg/Xserver + http://lists.x.org/archives/xorg-announce/2013-October/002332.html + +Save a pointer to the passed in closure structure before copying it +and overwriting the *c pointer to point to our copy instead of the +original. If we hit an error, once we free(c), reset c to point to +the original structure before jumping to the cleanup code that +references *c. + +Since one of the errors being checked for is whether the server was +able to malloc(c->nChars * itemSize), the client can potentially pass +a number of characters chosen to cause the malloc to fail and the +error path to be taken, resulting in the read from freed memory. + +Since the memory is accessed almost immediately afterwards, and the +X server is mostly single threaded, the odds of the free memory having +invalid contents are low with most malloc implementations when not using +memory debugging features, but some allocators will definitely overwrite +the memory there, leading to a likely crash. +--- + nx-X11/programs/Xserver/dix/dixfonts.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/nx-X11/programs/Xserver/dix/dixfonts.c b/nx-X11/programs/Xserver/dix/dixfonts.c +index 193f555..42fd647 100644 +--- a/nx-X11/programs/Xserver/dix/dixfonts.c ++++ b/nx-X11/programs/Xserver/dix/dixfonts.c +@@ -1559,6 +1559,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) + GC *pGC; + unsigned char *data; + ITclosurePtr new_closure; ++ ITclosurePtr old_closure; + + /* We're putting the client to sleep. We need to + save some state. Similar problem to that handled +@@ -1571,6 +1572,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) + err = BadAlloc; + goto bail; + } ++ old_closure = c; + *new_closure = *c; + c = new_closure; + +@@ -1578,6 +1580,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) + if (!data) + { + xfree(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1589,6 +1592,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) + { + xfree(c->data); + xfree(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1602,6 +1606,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) + FreeScratchGC(pGC); + xfree(c->data); + xfree(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +-- +2.1.4 + diff --git a/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch b/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch deleted file mode 100644 index 8cb1d0d7b..000000000 --- a/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 72790a55862f9a2232ba0cd7b072bbe3887cd820 Mon Sep 17 00:00:00 2001 -From: Mike DePaulo -Date: Sun, 8 Feb 2015 20:01:27 -0500 -Subject: [PATCH 03/40] Avoid use-after-free in dix/dixfonts.c: doImageText() - [CVE-2013-4396] from xorg/Xserver - http://lists.x.org/archives/xorg-announce/2013-October/002332.html - -Save a pointer to the passed in closure structure before copying it -and overwriting the *c pointer to point to our copy instead of the -original. If we hit an error, once we free(c), reset c to point to -the original structure before jumping to the cleanup code that -references *c. - -Since one of the errors being checked for is whether the server was -able to malloc(c->nChars * itemSize), the client can potentially pass -a number of characters chosen to cause the malloc to fail and the -error path to be taken, resulting in the read from freed memory. - -Since the memory is accessed almost immediately afterwards, and the -X server is mostly single threaded, the odds of the free memory having -invalid contents are low with most malloc implementations when not using -memory debugging features, but some allocators will definitely overwrite -the memory there, leading to a likely crash. ---- - nx-X11/programs/Xserver/dix/dixfonts.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/nx-X11/programs/Xserver/dix/dixfonts.c b/nx-X11/programs/Xserver/dix/dixfonts.c -index 193f555..42fd647 100644 ---- a/nx-X11/programs/Xserver/dix/dixfonts.c -+++ b/nx-X11/programs/Xserver/dix/dixfonts.c -@@ -1559,6 +1559,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) - GC *pGC; - unsigned char *data; - ITclosurePtr new_closure; -+ ITclosurePtr old_closure; - - /* We're putting the client to sleep. We need to - save some state. Similar problem to that handled -@@ -1571,6 +1572,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) - err = BadAlloc; - goto bail; - } -+ old_closure = c; - *new_closure = *c; - c = new_closure; - -@@ -1578,6 +1580,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) - if (!data) - { - xfree(c); -+ c = old_closure; - err = BadAlloc; - goto bail; - } -@@ -1589,6 +1592,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) - { - xfree(c->data); - xfree(c); -+ c = old_closure; - err = BadAlloc; - goto bail; - } -@@ -1602,6 +1606,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) - FreeScratchGC(pGC); - xfree(c->data); - xfree(c); -+ c = old_closure; - err = BadAlloc; - goto bail; - } --- -2.1.4 - diff --git a/debian/patches/1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-.full.patch b/debian/patches/1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-.full.patch new file mode 100644 index 000000000..1cc44d0d1 --- /dev/null +++ b/debian/patches/1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-.full.patch @@ -0,0 +1,30 @@ +From ac6694378e0ed4bdffa6e1318c9d4beda24a6b0e Mon Sep 17 00:00:00 2001 +From: Mike DePaulo +Date: Sun, 8 Feb 2015 20:12:25 -0500 +Subject: [PATCH 04/40] CVE-2013-6462: unlimited sscanf overflows stack buffer + in bdfReadCharacters() from xorg/lib/libXfont + http://lists.x.org/archives/xorg-announce/2014-January/002389.html + +Fixes cppcheck warning: + [lib/libXfont/src/bitmap/bdfread.c:341]: (warning) + scanf without field width limits can crash with huge input data. +--- + nx-X11/lib/font/bitmap/bdfread.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/nx-X11/lib/font/bitmap/bdfread.c b/nx-X11/lib/font/bitmap/bdfread.c +index a6f0c1e..bccabd7 100644 +--- a/nx-X11/lib/font/bitmap/bdfread.c ++++ b/nx-X11/lib/font/bitmap/bdfread.c +@@ -344,7 +344,7 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, + char charName[100]; + int ignore; + +- if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) { ++ if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) { + bdfError("bad character name in BDF file\n"); + goto BAILOUT; /* bottom of function, free and return error */ + } +-- +2.1.4 + diff --git a/debian/patches/1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch b/debian/patches/1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch deleted file mode 100644 index 1cc44d0d1..000000000 --- a/debian/patches/1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch +++ /dev/null @@ -1,30 +0,0 @@ -From ac6694378e0ed4bdffa6e1318c9d4beda24a6b0e Mon Sep 17 00:00:00 2001 -From: Mike DePaulo -Date: Sun, 8 Feb 2015 20:12:25 -0500 -Subject: [PATCH 04/40] CVE-2013-6462: unlimited sscanf overflows stack buffer - in bdfReadCharacters() from xorg/lib/libXfont - http://lists.x.org/archives/xorg-announce/2014-January/002389.html - -Fixes cppcheck warning: - [lib/libXfont/src/bitmap/bdfread.c:341]: (warning) - scanf without field width limits can crash with huge input data. ---- - nx-X11/lib/font/bitmap/bdfread.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/nx-X11/lib/font/bitmap/bdfread.c b/nx-X11/lib/font/bitmap/bdfread.c -index a6f0c1e..bccabd7 100644 ---- a/nx-X11/lib/font/bitmap/bdfread.c -+++ b/nx-X11/lib/font/bitmap/bdfread.c -@@ -344,7 +344,7 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, - char charName[100]; - int ignore; - -- if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) { -+ if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) { - bdfError("bad character name in BDF file\n"); - goto BAILOUT; /* bottom of function, free and return error */ - } --- -2.1.4 - diff --git a/debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch b/debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch new file mode 100644 index 000000000..8097e3050 --- /dev/null +++ b/debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch @@ -0,0 +1,43 @@ +From f53f2474d5d33cca04c4c7744ecc50cec41ba94f Mon Sep 17 00:00:00 2001 +From: Mike DePaulo +Date: Sun, 8 Feb 2015 20:28:30 -0500 +Subject: [PATCH 05/40] CVE-2014-0209: integer overflow of realloc() size in + FontFileAddEntry() from xorg/lib/libXfont commit + 2f5e57317339c526e6eaee1010b0e2ab8089c42e +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +FontFileReadDirectory() opens a fonts.dir file, and reads over every +line in an fscanf loop. For each successful entry read (font name, +file name) a call is made to FontFileAddFontFile(). + +FontFileAddFontFile() will add a font file entry (for the font name +and file) each time it’s called, by calling FontFileAddEntry(). +FontFileAddEntry() will do the actual adding. If the table it has +to add to is full, it will do a realloc, adding 100 more entries +to the table size without checking to see if that will overflow the +int used to store the size. +--- + nx-X11/lib/font/fontfile/fontdir.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/nx-X11/lib/font/fontfile/fontdir.c b/nx-X11/lib/font/fontfile/fontdir.c +index 8f75d8b..899ff05 100644 +--- a/nx-X11/lib/font/fontfile/fontdir.c ++++ b/nx-X11/lib/font/fontfile/fontdir.c +@@ -185,6 +185,11 @@ FontFileAddEntry(FontTablePtr table, FontEntryPtr prototype) + if (table->sorted) + return (FontEntryPtr) 0; /* "cannot" happen */ + if (table->used == table->size) { ++ if (table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100)) ++ /* If we've read so many entries we're going to ask for 2gb ++ or more of memory, something is so wrong with this font ++ directory that we should just give up before we overflow. */ ++ return NULL; + newsize = table->size + 100; + entry = (FontEntryPtr) xrealloc(table->entries, + newsize * sizeof(FontEntryRec)); +-- +2.1.4 + diff --git a/debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch b/debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch deleted file mode 100644 index 8097e3050..000000000 --- a/debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch +++ /dev/null @@ -1,43 +0,0 @@ -From f53f2474d5d33cca04c4c7744ecc50cec41ba94f Mon Sep 17 00:00:00 2001 -From: Mike DePaulo -Date: Sun, 8 Feb 2015 20:28:30 -0500 -Subject: [PATCH 05/40] CVE-2014-0209: integer overflow of realloc() size in - FontFileAddEntry() from xorg/lib/libXfont commit - 2f5e57317339c526e6eaee1010b0e2ab8089c42e -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -FontFileReadDirectory() opens a fonts.dir file, and reads over every -line in an fscanf loop. For each successful entry read (font name, -file name) a call is made to FontFileAddFontFile(). - -FontFileAddFontFile() will add a font file entry (for the font name -and file) each time it’s called, by calling FontFileAddEntry(). -FontFileAddEntry() will do the actual adding. If the table it has -to add to is full, it will do a realloc, adding 100 more entries -to the table size without checking to see if that will overflow the -int used to store the size. ---- - nx-X11/lib/font/fontfile/fontdir.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/nx-X11/lib/font/fontfile/fontdir.c b/nx-X11/lib/font/fontfile/fontdir.c -index 8f75d8b..899ff05 100644 ---- a/nx-X11/lib/font/fontfile/fontdir.c -+++ b/nx-X11/lib/font/fontfile/fontdir.c -@@ -185,6 +185,11 @@ FontFileAddEntry(FontTablePtr table, FontEntryPtr prototype) - if (table->sorted) - return (FontEntryPtr) 0; /* "cannot" happen */ - if (table->used == table->size) { -+ if (table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100)) -+ /* If we've read so many entries we're going to ask for 2gb -+ or more of memory, something is so wrong with this font -+ directory that we should just give up before we overflow. */ -+ return NULL; - newsize = table->size + 100; - entry = (FontEntryPtr) xrealloc(table->entries, - newsize * sizeof(FontEntryRec)); --- -2.1.4 - diff --git a/debian/patches/1006-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch b/debian/patches/1006-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch new file mode 100644 index 000000000..522a96731 --- /dev/null +++ b/debian/patches/1006-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch @@ -0,0 +1,46 @@ +From 36f1dae749acb065eaefca56d42d19ef6822a001 Mon Sep 17 00:00:00 2001 +From: Mike DePaulo +Date: Sun, 8 Feb 2015 20:53:14 -0500 +Subject: [PATCH 06/40] CVE-2014-0209: integer overflow of realloc() size in + lexAlias() from xorg/lib/libXfont commit + 05c8020a49416dd8b7510cbba45ce4f3fc81a7dc + +lexAlias() reads from a file in a loop. It does this by starting with a +64 byte buffer. If that size limit is hit, it does a realloc of the +buffer size << 1, basically doubling the needed length every time the +length limit is hit. + +Eventually, this will shift out to 0 (for a length of ~4gig), and that +length will be passed on to realloc(). A length of 0 (with a valid +pointer) causes realloc to free the buffer on most POSIX platforms, +but the caller will still have a pointer to it, leading to use after +free issues. +--- + nx-X11/lib/font/fontfile/dirfile.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/nx-X11/lib/font/fontfile/dirfile.c b/nx-X11/lib/font/fontfile/dirfile.c +index f390391..3a2fead 100644 +--- a/nx-X11/lib/font/fontfile/dirfile.c ++++ b/nx-X11/lib/font/fontfile/dirfile.c +@@ -45,6 +45,7 @@ in this Software without prior written authorization from The Open Group. + #include + #include + #include ++#include + + static Bool AddFileNameAliases ( FontDirectoryPtr dir ); + static int ReadFontAlias ( char *directory, Bool isFile, +@@ -373,6 +374,9 @@ lexAlias(FILE *file, char **lexToken) + int nsize; + char *nbuf; + ++ if (tokenSize >= (INT_MAX >> 2)) ++ /* Stop before we overflow */ ++ return EALLOC; + nsize = tokenSize ? (tokenSize << 1) : 64; + nbuf = (char *) xrealloc(tokenBuf, nsize); + if (!nbuf) +-- +2.1.4 + diff --git a/debian/patches/1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch b/debian/patches/1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch deleted file mode 100644 index 522a96731..000000000 --- a/debian/patches/1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 36f1dae749acb065eaefca56d42d19ef6822a001 Mon Sep 17 00:00:00 2001 -From: Mike DePaulo -Date: Sun, 8 Feb 2015 20:53:14 -0500 -Subject: [PATCH 06/40] CVE-2014-0209: integer overflow of realloc() size in - lexAlias() from xorg/lib/libXfont commit - 05c8020a49416dd8b7510cbba45ce4f3fc81a7dc - -lexAlias() reads from a file in a loop. It does this by starting with a -64 byte buffer. If that size limit is hit, it does a realloc of the -buffer size << 1, basically doubling the needed length every time the -length limit is hit. - -Eventually, this will shift out to 0 (for a length of ~4gig), and that -length will be passed on to realloc(). A length of 0 (with a valid -pointer) causes realloc to free the buffer on most POSIX platforms, -but the caller will still have a pointer to it, leading to use after -free issues. ---- - nx-X11/lib/font/fontfile/dirfile.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/nx-X11/lib/font/fontfile/dirfile.c b/nx-X11/lib/font/fontfile/dirfile.c -index f390391..3a2fead 100644 ---- a/nx-X11/lib/font/fontfile/dirfile.c -+++ b/nx-X11/lib/font/fontfile/dirfile.c -@@ -45,6 +45,7 @@ in this Software without prior written authorization from The Open Group. - #include - #include - #include -+#include - - static Bool AddFileNameAliases ( FontDirectoryPtr dir ); - static int ReadFontAlias ( char *directory, Bool isFile, -@@ -373,6 +374,9 @@ lexAlias(FILE *file, char **lexToken) - int nsize; - char *nbuf; - -+ if (tokenSize >= (INT_MAX >> 2)) -+ /* Stop before we overflow */ -+ return EALLOC; - nsize = tokenSize ? (tokenSize << 1) : 64; - nbuf = (char *) xrealloc(tokenBuf, nsize); - if (!nbuf) --- -2.1.4 - diff --git a/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_co.full.patch b/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_co.full.patch new file mode 100644 index 000000000..2b2fa76c8 --- /dev/null +++ b/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_co.full.patch @@ -0,0 +1,75 @@ +From 31322c2bd9be76493a5a04a23ea68e063fe3b7e6 Mon Sep 17 00:00:00 2001 +From: Mike DePaulo +Date: Sun, 8 Feb 2015 21:03:33 -0500 +Subject: [PATCH 07/40] CVE-2014-0210: unvalidated length in + _fs_recv_conn_setup() from xorg/lib/libXfont commit + 891e084b26837162b12f841060086a105edde86d + +The connection setup reply from the font server can include a list +of alternate servers to contact if this font server stops working. + +The reply specifies a total size of all the font server names, and +then provides a list of names. _fs_recv_conn_setup() allocated the +specified total size for copying the names to, but didn't check to +make sure it wasn't copying more data to that buffer than the size +it had allocated. + +v2: use xfree() instead of free() for nx-libs 3.6.x (Mihai Moldovan) +--- + nx-X11/lib/font/fc/fserve.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c +index 0d792c7..86b5753 100644 +--- a/nx-X11/lib/font/fc/fserve.c ++++ b/nx-X11/lib/font/fc/fserve.c +@@ -2985,7 +2985,7 @@ _fs_recv_conn_setup (FSFpePtr conn) + int ret; + fsConnSetup *setup; + FSFpeAltPtr alts; +- int i, alt_len; ++ unsigned int i, alt_len; + int setup_len; + char *alt_save, *alt_names; + +@@ -3012,9 +3012,9 @@ _fs_recv_conn_setup (FSFpePtr conn) + } + if (setup->num_alternates) + { ++ size_t alt_name_len = setup->alternate_len << 2; + alts = (FSFpeAltPtr) xalloc (setup->num_alternates * +- sizeof (FSFpeAltRec) + +- (setup->alternate_len << 2)); ++ sizeof (FSFpeAltRec) + alt_name_len); + if (alts) + { + alt_names = (char *) (setup + 1); +@@ -3023,10 +3023,25 @@ _fs_recv_conn_setup (FSFpePtr conn) + { + alts[i].subset = alt_names[0]; + alt_len = alt_names[1]; ++ if (alt_len >= alt_name_len) { ++ /* ++ * Length is longer than setup->alternate_len ++ * told us to allocate room for, assume entire ++ * alternate list is corrupted. ++ */ ++#ifdef DEBUG ++ fprintf (stderr, ++ "invalid alt list (length %lx >= %lx)\n", ++ (long) alt_len, (long) alt_name_len); ++#endif ++ xfree(alts); ++ return FSIO_ERROR; ++ } + alts[i].name = alt_save; + memcpy (alt_save, alt_names + 2, alt_len); + alt_save[alt_len] = '\0'; + alt_save += alt_len + 1; ++ alt_name_len -= alt_len + 1; + alt_names += _fs_pad_length (alt_len + 2); + } + conn->numAlts = setup->num_alternates; +-- +2.1.4 + diff --git a/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch b/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch deleted file mode 100644 index 2b2fa76c8..000000000 --- a/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch +++ /dev/null @@ -1,75 +0,0 @@ -From 31322c2bd9be76493a5a04a23ea68e063fe3b7e6 Mon Sep 17 00:00:00 2001 -From: Mike DePaulo -Date: Sun, 8 Feb 2015 21:03:33 -0500 -Subject: [PATCH 07/40] CVE-2014-0210: unvalidated length in - _fs_recv_conn_setup() from xorg/lib/libXfont commit - 891e084b26837162b12f841060086a105edde86d - -The connection setup reply from the font server can include a list -of alternate servers to contact if this font server stops working. - -The reply specifies a total size of all the font server names, and -then provides a list of names. _fs_recv_conn_setup() allocated the -specified total size for copying the names to, but didn't check to -make sure it wasn't copying more data to that buffer than the size -it had allocated. - -v2: use xfree() instead of free() for nx-libs 3.6.x (Mihai Moldovan) ---- - nx-X11/lib/font/fc/fserve.c | 21 ++++++++++++++++++--- - 1 file changed, 18 insertions(+), 3 deletions(-) - -diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c -index 0d792c7..86b5753 100644 ---- a/nx-X11/lib/font/fc/fserve.c -+++ b/nx-X11/lib/font/fc/fserve.c -@@ -2985,7 +2985,7 @@ _fs_recv_conn_setup (FSFpePtr conn) - int ret; - fsConnSetup *setup; - FSFpeAltPtr alts; -- int i, alt_len; -+ unsigned int i, alt_len; - int setup_len; - char *alt_save, *alt_names; - -@@ -3012,9 +3012,9 @@ _fs_recv_conn_setup (FSFpePtr conn) - } - if (setup->num_alternates) - { -+ size_t alt_name_len = setup->alternate_len << 2; - alts = (FSFpeAltPtr) xalloc (setup->num_alternates * -- sizeof (FSFpeAltRec) + -- (setup->alternate_len << 2)); -+ sizeof (FSFpeAltRec) + alt_name_len); - if (alts) - { - alt_names = (char *) (setup + 1); -@@ -3023,10 +3023,25 @@ _fs_recv_conn_setup (FSFpePtr conn) - { - alts[i].subset = alt_names[0]; - alt_len = alt_names[1]; -+ if (alt_len >= alt_name_len) { -+ /* -+ * Length is longer than setup->alternate_len -+ * told us to allocate room for, assume entire -+ * alternate list is corrupted. -+ */ -+#ifdef DEBUG -+ fprintf (stderr, -+ "invalid alt list (length %lx >= %lx)\n", -+ (long) alt_len, (long) alt_name_len); -+#endif -+ xfree(alts); -+ return FSIO_ERROR; -+ } - alts[i].name = alt_save; - memcpy (alt_save, alt_names + 2, alt_len); - alt_save[alt_len] = '\0'; - alt_save += alt_len + 1; -+ alt_name_len -= alt_len + 1; - alt_names += _fs_pad_length (alt_len + 2); - } - conn->numAlts = setup->num_alternates; --- -2.1.4 - diff --git a/debian/patches/1008-Don-t-crash-when-we-receive-an-FS_Error-from-th.full.patch b/debian/patches/1008-Don-t-crash-when-we-receive-an-FS_Error-from-th.full.patch new file mode 100644 index 000000000..8e303b353 --- /dev/null +++ b/debian/patches/1008-Don-t-crash-when-we-receive-an-FS_Error-from-th.full.patch @@ -0,0 +1,27 @@ +From a2c7cd9fef2d7d108e224ab47e77130dc98b249d Mon Sep 17 00:00:00 2001 +From: Mike DePaulo +Date: Sun, 8 Feb 2015 21:33:30 -0500 +Subject: [PATCH 08/40] Don't crash when we receive an FS_Error from the font + server (Guillem Jover). from xorg/lib/libXfont commit + bfb8a71f4f7e5c5ed4278cb3ee271bf9990d276d + +--- + nx-X11/lib/font/fc/fserve.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c +index 0fdcc1d..c159b2b 100644 +--- a/nx-X11/lib/font/fc/fserve.c ++++ b/nx-X11/lib/font/fc/fserve.c +@@ -2366,7 +2366,7 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + _fs_free_props (&binfo->info); + + rep = (fsListFontsWithXInfoReply *) fs_get_reply (conn, &ret); +- if (rep == 0) ++ if (!rep || rep->type == FS_Error) + { + if (ret == FSIO_BLOCK) + return StillWorking; +-- +2.1.4 + diff --git a/debian/patches/1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch b/debian/patches/1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch deleted file mode 100644 index 8e303b353..000000000 --- a/debian/patches/1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch +++ /dev/null @@ -1,27 +0,0 @@ -From a2c7cd9fef2d7d108e224ab47e77130dc98b249d Mon Sep 17 00:00:00 2001 -From: Mike DePaulo -Date: Sun, 8 Feb 2015 21:33:30 -0500 -Subject: [PATCH 08/40] Don't crash when we receive an FS_Error from the font - server (Guillem Jover). from xorg/lib/libXfont commit - bfb8a71f4f7e5c5ed4278cb3ee271bf9990d276d - ---- - nx-X11/lib/font/fc/fserve.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c -index 0fdcc1d..c159b2b 100644 ---- a/nx-X11/lib/font/fc/fserve.c -+++ b/nx-X11/lib/font/fc/fserve.c -@@ -2366,7 +2366,7 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - _fs_free_props (&binfo->info); - - rep = (fsListFontsWithXInfoReply *) fs_get_reply (conn, &ret); -- if (rep == 0) -+ if (!rep || rep->type == FS_Error) - { - if (ret == FSIO_BLOCK) - return StillWorking; --- -2.1.4 - diff --git a/debian/patches/1009-CVE-2014-0210-unvalidated-lengths-when-reading-.full.patch b/debian/patches/1009-CVE-2014-0210-unvalidated-lengths-when-reading-.full.patch new file mode 100644 index 000000000..6b06b8663 --- /dev/null +++ b/debian/patches/1009-CVE-2014-0210-unvalidated-lengths-when-reading-.full.patch @@ -0,0 +1,158 @@ +From 50e80a06c84375e39af02b24f01a949cb565a49d Mon Sep 17 00:00:00 2001 +From: Mike DePaulo +Date: Sun, 8 Feb 2015 21:39:55 -0500 +Subject: [PATCH 09/40] CVE-2014-0210: unvalidated lengths when reading replies + from font server from xorg/lib/libXfont commit + cbb64aef35960b2882be721f4b8fbaa0fb649d12 + +Functions to handle replies to font server requests were casting replies +from the generic form to reply specific structs without first checking +that the reply was at least as long as the struct being cast to. +--- + nx-X11/lib/font/fc/fserve.c | 44 ++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 38 insertions(+), 6 deletions(-) + +diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c +index c159b2b..ca10aa4 100644 +--- a/nx-X11/lib/font/fc/fserve.c ++++ b/nx-X11/lib/font/fc/fserve.c +@@ -94,6 +94,12 @@ in this Software without prior written authorization from The Open Group. + (pci)->descent || \ + (pci)->characterWidth) + ++/* ++ * SIZEOF(r) is in bytes, length fields in the protocol are in 32-bit words, ++ * so this converts for doing size comparisons. ++ */ ++#define LENGTHOF(r) (SIZEOF(r) >> 2) ++ + extern void ErrorF(const char *f, ...); + + static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec ); +@@ -209,9 +215,22 @@ _fs_add_rep_log (FSFpePtr conn, fsGenericReply *rep) + rep->sequenceNumber, + conn->reqbuffer[i].opcode); + } ++ ++#define _fs_reply_failed(rep, name, op) do { \ ++ if (rep) { \ ++ if (rep->type == FS_Error) \ ++ fprintf (stderr, "Error: %d Request: %s\n", \ ++ ((fsError *)rep)->request, #name); \ ++ else \ ++ fprintf (stderr, "Bad Length for %s Reply: %d %s %d\n", \ ++ #name, rep->length, op, LENGTHOF(name)); \ ++ } \ ++} while (0) ++ + #else + #define _fs_add_req_log(conn,op) ((conn)->current_seq++) + #define _fs_add_rep_log(conn,rep) ++#define _fs_reply_failed(rep,name,op) + #endif + + static Bool +@@ -693,13 +712,15 @@ fs_read_open_font(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + int ret; + + rep = (fsOpenBitmapFontReply *) fs_get_reply (conn, &ret); +- if (!rep || rep->type == FS_Error) ++ if (!rep || rep->type == FS_Error || ++ (rep->length != LENGTHOF(fsOpenBitmapFontReply))) + { + if (ret == FSIO_BLOCK) + return StillWorking; + if (rep) + _fs_done_read (conn, rep->length << 2); + fs_cleanup_bfont (bfont); ++ _fs_reply_failed (rep, fsOpenBitmapFontReply, "!="); + return BadFontName; + } + +@@ -835,13 +856,15 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + int ret; + + rep = (fsQueryXInfoReply *) fs_get_reply (conn, &ret); +- if (!rep || rep->type == FS_Error) ++ if (!rep || rep->type == FS_Error || ++ (rep->length < LENGTHOF(fsQueryXInfoReply))) + { + if (ret == FSIO_BLOCK) + return StillWorking; + if (rep) + _fs_done_read (conn, rep->length << 2); + fs_cleanup_bfont (bfont); ++ _fs_reply_failed (rep, fsQueryXInfoReply, "<"); + return BadFontName; + } + +@@ -962,13 +985,15 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + FontInfoRec *fi = &bfont->pfont->info; + + rep = (fsQueryXExtents16Reply *) fs_get_reply (conn, &ret); +- if (!rep || rep->type == FS_Error) ++ if (!rep || rep->type == FS_Error || ++ (rep->length < LENGTHOF(fsQueryXExtents16Reply))) + { + if (ret == FSIO_BLOCK) + return StillWorking; + if (rep) + _fs_done_read (conn, rep->length << 2); + fs_cleanup_bfont (bfont); ++ _fs_reply_failed (rep, fsQueryXExtents16Reply, "<"); + return BadFontName; + } + +@@ -1833,13 +1858,15 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + unsigned long minchar, maxchar; + + rep = (fsQueryXBitmaps16Reply *) fs_get_reply (conn, &ret); +- if (!rep || rep->type == FS_Error) ++ if (!rep || rep->type == FS_Error || ++ (rep->length < LENGTHOF(fsQueryXBitmaps16Reply))) + { + if (ret == FSIO_BLOCK) + return StillWorking; + if (rep) + _fs_done_read (conn, rep->length << 2); + err = AllocError; ++ _fs_reply_failed (rep, fsQueryXBitmaps16Reply, "<"); + goto bail; + } + +@@ -2243,12 +2270,14 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + int err; + + rep = (fsListFontsReply *) fs_get_reply (conn, &ret); +- if (!rep || rep->type == FS_Error) ++ if (!rep || rep->type == FS_Error || ++ (rep->length < LENGTHOF(fsListFontsReply))) + { + if (ret == FSIO_BLOCK) + return StillWorking; + if (rep) + _fs_done_read (conn, rep->length << 2); ++ _fs_reply_failed (rep, fsListFontsReply, "<"); + return AllocError; + } + data = (char *) rep + SIZEOF (fsListFontsReply); +@@ -2366,12 +2395,15 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + _fs_free_props (&binfo->info); + + rep = (fsListFontsWithXInfoReply *) fs_get_reply (conn, &ret); +- if (!rep || rep->type == FS_Error) ++ if (!rep || rep->type == FS_Error || ++ ((rep->nameLength != 0) && ++ (rep->length < LENGTHOF(fsListFontsWithXInfoReply)))) + { + if (ret == FSIO_BLOCK) + return StillWorking; + binfo->status = FS_LFWI_FINISHED; + err = AllocError; ++ _fs_reply_failed (rep, fsListFontsWithXInfoReply, "<"); + goto done; + } + /* +-- +2.1.4 + diff --git a/debian/patches/1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch b/debian/patches/1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch deleted file mode 100644 index 6b06b8663..000000000 --- a/debian/patches/1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch +++ /dev/null @@ -1,158 +0,0 @@ -From 50e80a06c84375e39af02b24f01a949cb565a49d Mon Sep 17 00:00:00 2001 -From: Mike DePaulo -Date: Sun, 8 Feb 2015 21:39:55 -0500 -Subject: [PATCH 09/40] CVE-2014-0210: unvalidated lengths when reading replies - from font server from xorg/lib/libXfont commit - cbb64aef35960b2882be721f4b8fbaa0fb649d12 - -Functions to handle replies to font server requests were casting replies -from the generic form to reply specific structs without first checking -that the reply was at least as long as the struct being cast to. ---- - nx-X11/lib/font/fc/fserve.c | 44 ++++++++++++++++++++++++++++++++++++++------ - 1 file changed, 38 insertions(+), 6 deletions(-) - -diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c -index c159b2b..ca10aa4 100644 ---- a/nx-X11/lib/font/fc/fserve.c -+++ b/nx-X11/lib/font/fc/fserve.c -@@ -94,6 +94,12 @@ in this Software without prior written authorization from The Open Group. - (pci)->descent || \ - (pci)->characterWidth) - -+/* -+ * SIZEOF(r) is in bytes, length fields in the protocol are in 32-bit words, -+ * so this converts for doing size comparisons. -+ */ -+#define LENGTHOF(r) (SIZEOF(r) >> 2) -+ - extern void ErrorF(const char *f, ...); - - static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec ); -@@ -209,9 +215,22 @@ _fs_add_rep_log (FSFpePtr conn, fsGenericReply *rep) - rep->sequenceNumber, - conn->reqbuffer[i].opcode); - } -+ -+#define _fs_reply_failed(rep, name, op) do { \ -+ if (rep) { \ -+ if (rep->type == FS_Error) \ -+ fprintf (stderr, "Error: %d Request: %s\n", \ -+ ((fsError *)rep)->request, #name); \ -+ else \ -+ fprintf (stderr, "Bad Length for %s Reply: %d %s %d\n", \ -+ #name, rep->length, op, LENGTHOF(name)); \ -+ } \ -+} while (0) -+ - #else - #define _fs_add_req_log(conn,op) ((conn)->current_seq++) - #define _fs_add_rep_log(conn,rep) -+#define _fs_reply_failed(rep,name,op) - #endif - - static Bool -@@ -693,13 +712,15 @@ fs_read_open_font(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - int ret; - - rep = (fsOpenBitmapFontReply *) fs_get_reply (conn, &ret); -- if (!rep || rep->type == FS_Error) -+ if (!rep || rep->type == FS_Error || -+ (rep->length != LENGTHOF(fsOpenBitmapFontReply))) - { - if (ret == FSIO_BLOCK) - return StillWorking; - if (rep) - _fs_done_read (conn, rep->length << 2); - fs_cleanup_bfont (bfont); -+ _fs_reply_failed (rep, fsOpenBitmapFontReply, "!="); - return BadFontName; - } - -@@ -835,13 +856,15 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - int ret; - - rep = (fsQueryXInfoReply *) fs_get_reply (conn, &ret); -- if (!rep || rep->type == FS_Error) -+ if (!rep || rep->type == FS_Error || -+ (rep->length < LENGTHOF(fsQueryXInfoReply))) - { - if (ret == FSIO_BLOCK) - return StillWorking; - if (rep) - _fs_done_read (conn, rep->length << 2); - fs_cleanup_bfont (bfont); -+ _fs_reply_failed (rep, fsQueryXInfoReply, "<"); - return BadFontName; - } - -@@ -962,13 +985,15 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - FontInfoRec *fi = &bfont->pfont->info; - - rep = (fsQueryXExtents16Reply *) fs_get_reply (conn, &ret); -- if (!rep || rep->type == FS_Error) -+ if (!rep || rep->type == FS_Error || -+ (rep->length < LENGTHOF(fsQueryXExtents16Reply))) - { - if (ret == FSIO_BLOCK) - return StillWorking; - if (rep) - _fs_done_read (conn, rep->length << 2); - fs_cleanup_bfont (bfont); -+ _fs_reply_failed (rep, fsQueryXExtents16Reply, "<"); - return BadFontName; - } - -@@ -1833,13 +1858,15 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - unsigned long minchar, maxchar; - - rep = (fsQueryXBitmaps16Reply *) fs_get_reply (conn, &ret); -- if (!rep || rep->type == FS_Error) -+ if (!rep || rep->type == FS_Error || -+ (rep->length < LENGTHOF(fsQueryXBitmaps16Reply))) - { - if (ret == FSIO_BLOCK) - return StillWorking; - if (rep) - _fs_done_read (conn, rep->length << 2); - err = AllocError; -+ _fs_reply_failed (rep, fsQueryXBitmaps16Reply, "<"); - goto bail; - } - -@@ -2243,12 +2270,14 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - int err; - - rep = (fsListFontsReply *) fs_get_reply (conn, &ret); -- if (!rep || rep->type == FS_Error) -+ if (!rep || rep->type == FS_Error || -+ (rep->length < LENGTHOF(fsListFontsReply))) - { - if (ret == FSIO_BLOCK) - return StillWorking; - if (rep) - _fs_done_read (conn, rep->length << 2); -+ _fs_reply_failed (rep, fsListFontsReply, "<"); - return AllocError; - } - data = (char *) rep + SIZEOF (fsListFontsReply); -@@ -2366,12 +2395,15 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - _fs_free_props (&binfo->info); - - rep = (fsListFontsWithXInfoReply *) fs_get_reply (conn, &ret); -- if (!rep || rep->type == FS_Error) -+ if (!rep || rep->type == FS_Error || -+ ((rep->nameLength != 0) && -+ (rep->length < LENGTHOF(fsListFontsWithXInfoReply)))) - { - if (ret == FSIO_BLOCK) - return StillWorking; - binfo->status = FS_LFWI_FINISHED; - err = AllocError; -+ _fs_reply_failed (rep, fsListFontsWithXInfoReply, "<"); - goto done; - } - /* --- -2.1.4 - diff --git a/debian/patches/1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-.full.patch b/debian/patches/1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-.full.patch new file mode 100644 index 000000000..ba883427f --- /dev/null +++ b/debian/patches/1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-.full.patch @@ -0,0 +1,65 @@ +From 2d724c1a0416895dd39bf33678f42cbb4c51b1ae Mon Sep 17 00:00:00 2001 +From: Mike DePaulo +Date: Sun, 8 Feb 2015 21:43:42 -0500 +Subject: [PATCH 10/40] CVE-2014-0211: Integer overflow in + fs_get_reply/_fs_start_read from xorg/lib/libXfont commit + 0f1a5d372c143f91a602bdf10c917d7eabaee09b + +fs_get_reply() would take any reply size, multiply it by 4 and pass to +_fs_start_read. If that size was bigger than the current reply buffer +size, _fs_start_read would add it to the existing buffer size plus the +buffer size increment constant and realloc the buffer to that result. + +This math could overflow, causing the code to allocate a smaller +buffer than the amount it was about to read into that buffer from +the network. It could also succeed, allowing the remote font server +to cause massive allocations in the X server, possibly using up all +the address space in a 32-bit X server, allowing the triggering of +other bugs in code that fails to handle malloc failure properly. + +This patch protects against both problems, by disconnecting any +font server trying to feed us more than (the somewhat arbitrary) +64 mb in a single reply. +--- + nx-X11/lib/font/fc/fserve.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c +index ca10aa4..7762653 100644 +--- a/nx-X11/lib/font/fc/fserve.c ++++ b/nx-X11/lib/font/fc/fserve.c +@@ -100,6 +100,9 @@ in this Software without prior written authorization from The Open Group. + */ + #define LENGTHOF(r) (SIZEOF(r) >> 2) + ++/* Somewhat arbitrary limit on maximum reply size we'll try to read. */ ++#define MAX_REPLY_LENGTH ((64 * 1024 * 1024) >> 2) ++ + extern void ErrorF(const char *f, ...); + + static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec ); +@@ -630,6 +633,21 @@ fs_get_reply (FSFpePtr conn, int *error) + + rep = (fsGenericReply *) buf; + ++ /* ++ * Refuse to accept replies longer than a maximum reasonable length, ++ * before we pass to _fs_start_read, since it will try to resize the ++ * incoming connection buffer to this size. Also avoids integer overflow ++ * on 32-bit systems. ++ */ ++ if (rep->length > MAX_REPLY_LENGTH) ++ { ++ ErrorF("fserve: reply length %d > MAX_REPLY_LENGTH, disconnecting" ++ " from font server\n", rep->length); ++ _fs_connection_died (conn); ++ *error = FSIO_ERROR; ++ return 0; ++ } ++ + ret = _fs_start_read (conn, rep->length << 2, &buf); + if (ret != FSIO_READY) + { +-- +2.1.4 + diff --git a/debian/patches/1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch b/debian/patches/1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch deleted file mode 100644 index ba883427f..000000000 --- a/debian/patches/1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 2d724c1a0416895dd39bf33678f42cbb4c51b1ae Mon Sep 17 00:00:00 2001 -From: Mike DePaulo -Date: Sun, 8 Feb 2015 21:43:42 -0500 -Subject: [PATCH 10/40] CVE-2014-0211: Integer overflow in - fs_get_reply/_fs_start_read from xorg/lib/libXfont commit - 0f1a5d372c143f91a602bdf10c917d7eabaee09b - -fs_get_reply() would take any reply size, multiply it by 4 and pass to -_fs_start_read. If that size was bigger than the current reply buffer -size, _fs_start_read would add it to the existing buffer size plus the -buffer size increment constant and realloc the buffer to that result. - -This math could overflow, causing the code to allocate a smaller -buffer than the amount it was about to read into that buffer from -the network. It could also succeed, allowing the remote font server -to cause massive allocations in the X server, possibly using up all -the address space in a 32-bit X server, allowing the triggering of -other bugs in code that fails to handle malloc failure properly. - -This patch protects against both problems, by disconnecting any -font server trying to feed us more than (the somewhat arbitrary) -64 mb in a single reply. ---- - nx-X11/lib/font/fc/fserve.c | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - -diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c -index ca10aa4..7762653 100644 ---- a/nx-X11/lib/font/fc/fserve.c -+++ b/nx-X11/lib/font/fc/fserve.c -@@ -100,6 +100,9 @@ in this Software without prior written authorization from The Open Group. - */ - #define LENGTHOF(r) (SIZEOF(r) >> 2) - -+/* Somewhat arbitrary limit on maximum reply size we'll try to read. */ -+#define MAX_REPLY_LENGTH ((64 * 1024 * 1024) >> 2) -+ - extern void ErrorF(const char *f, ...); - - static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec ); -@@ -630,6 +633,21 @@ fs_get_reply (FSFpePtr conn, int *error) - - rep = (fsGenericReply *) buf; - -+ /* -+ * Refuse to accept replies longer than a maximum reasonable length, -+ * before we pass to _fs_start_read, since it will try to resize the -+ * incoming connection buffer to this size. Also avoids integer overflow -+ * on 32-bit systems. -+ */ -+ if (rep->length > MAX_REPLY_LENGTH) -+ { -+ ErrorF("fserve: reply length %d > MAX_REPLY_LENGTH, disconnecting" -+ " from font server\n", rep->length); -+ _fs_connection_died (conn); -+ *error = FSIO_ERROR; -+ return 0; -+ } -+ - ret = _fs_start_read (conn, rep->length << 2, &buf); - if (ret != FSIO_READY) - { --- -2.1.4 - diff --git a/debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch b/debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch new file mode 100644 index 000000000..9d0f3f875 --- /dev/null +++ b/debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch @@ -0,0 +1,141 @@ +From e29bbd5bf0565eaf7c02f85a57b87f66531fa6b3 Mon Sep 17 00:00:00 2001 +From: Mike DePaulo +Date: Sun, 8 Feb 2015 22:08:09 -0500 +Subject: [PATCH 11/40] CVE-2014-0210: unvalidated length fields in + fs_read_query_info() from xorg/lib/libXfont commit + 491291cabf78efdeec8f18b09e14726a9030cc8f + +fs_read_query_info() parses a reply from the font server. The reply +contains embedded length fields, none of which are validated. This +can cause out of bound reads in either fs_read_query_info() or in +_fs_convert_props() which it calls to parse the fsPropInfo in the reply. + +v2: apply correctly on nx-libs 3.6.x (Mihai Moldovan) +--- + nx-X11/lib/font/fc/fsconvert.c | 19 ++++++++++++++----- + nx-X11/lib/font/fc/fserve.c | 43 +++++++++++++++++++++++++++++++++++++++--- + 2 files changed, 54 insertions(+), 8 deletions(-) + +diff --git a/nx-X11/lib/font/fc/fsconvert.c b/nx-X11/lib/font/fc/fsconvert.c +index 9a5e194..afa2c32 100644 +--- a/nx-X11/lib/font/fc/fsconvert.c ++++ b/nx-X11/lib/font/fc/fsconvert.c +@@ -123,6 +123,10 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd, + for (i = 0; i < nprops; i++, dprop++, is_str++) + { + memcpy(&local_off, off_adr, SIZEOF(fsPropOffset)); ++ if ((local_off.name.position >= pi->data_len) || ++ (local_off.name.length > ++ (pi->data_len - local_off.name.position))) ++ goto bail; + dprop->name = MakeAtom(&pdc[local_off.name.position], + local_off.name.length, 1); + if (local_off.type != PropTypeString) { +@@ -130,15 +134,20 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd, + dprop->value = local_off.value.position; + } else { + *is_str = TRUE; ++ if ((local_off.value.position >= pi->data_len) || ++ (local_off.value.length > ++ (pi->data_len - local_off.value.position))) ++ goto bail; + dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position], + local_off.value.length, 1); + if (dprop->value == BAD_RESOURCE) + { +- xfree (pfi->props); +- pfi->nprops = 0; +- pfi->props = 0; +- pfi->isStringProp = 0; +- return -1; ++ bail: ++ xfree (pfi->props); ++ pfi->nprops = 0; ++ pfi->props = 0; ++ pfi->isStringProp = 0; ++ return -1; + } + } + off_adr += SIZEOF(fsPropOffset); +diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c +index 9e652d2..75cabdd 100644 +--- a/nx-X11/lib/font/fc/fserve.c ++++ b/nx-X11/lib/font/fc/fserve.c +@@ -866,6 +866,7 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + FSFpePtr conn = (FSFpePtr) fpe->private; + fsQueryXInfoReply *rep; + char *buf; ++ long bufleft = 0; /* length of reply left to use */ + fsPropInfo *pi; + fsPropOffset *po; + pointer pd; +@@ -896,7 +897,10 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + + buf = (char *) rep; + buf += SIZEOF(fsQueryXInfoReply); +- ++ ++ bufleft = rep->length << 2; ++ bufleft -= SIZEOF(fsQueryXInfoReply); ++ + /* move the data over */ + fsUnpack_XFontInfoHeader(rep, pInfo); + +@@ -904,19 +908,52 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + _fs_init_fontinfo(conn, pInfo); + + /* Compute offsets into the reply */ ++ if (bufleft < SIZEOF(fsPropInfo)) ++ { ++ ret = -1; ++#ifdef DEBUG ++ fprintf(stderr, "fsQueryXInfo: bufleft (%ld) < SIZEOF(fsPropInfo)\n", ++ bufleft); ++#endif ++ goto bail; ++ } + pi = (fsPropInfo *) buf; + buf += SIZEOF (fsPropInfo); +- ++ bufleft -= SIZEOF (fsPropInfo); ++ ++ if ((bufleft / SIZEOF (fsPropOffset)) < pi->num_offsets) ++ { ++ ret = -1; ++#ifdef DEBUG ++ fprintf(stderr, ++ "fsQueryXInfo: (bufleft / SIZEOF (fsPropOffset)) (%ld) < pi->num_offsets (%d)\n", ++ bufleft / SIZEOF (fsPropOffset), pi->num_offsets); ++#endif ++ goto bail; ++ } + po = (fsPropOffset *) buf; + buf += pi->num_offsets * SIZEOF(fsPropOffset); ++ bufleft -= pi->num_offsets * SIZEOF(fsPropOffset); + ++ if (bufleft < pi->data_len) ++ { ++ ret = -1; ++#ifdef DEBUG ++ fprintf(stderr, ++ "fsQueryXInfo: bufleft (%ld) < data_len (%d)\n", ++ bufleft, pi->data_len); ++#endif ++ goto bail; ++ } + pd = (pointer) buf; + buf += pi->data_len; ++ bufleft -= pi->data_len; + + /* convert the properties and step over the reply */ + ret = _fs_convert_props(pi, po, pd, pInfo); ++ bail: + _fs_done_read (conn, rep->length << 2); +- ++ + if (ret == -1) + { + fs_cleanup_bfont (bfont); +-- +2.1.4 + diff --git a/debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch b/debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch deleted file mode 100644 index 9d0f3f875..000000000 --- a/debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch +++ /dev/null @@ -1,141 +0,0 @@ -From e29bbd5bf0565eaf7c02f85a57b87f66531fa6b3 Mon Sep 17 00:00:00 2001 -From: Mike DePaulo -Date: Sun, 8 Feb 2015 22:08:09 -0500 -Subject: [PATCH 11/40] CVE-2014-0210: unvalidated length fields in - fs_read_query_info() from xorg/lib/libXfont commit - 491291cabf78efdeec8f18b09e14726a9030cc8f - -fs_read_query_info() parses a reply from the font server. The reply -contains embedded length fields, none of which are validated. This -can cause out of bound reads in either fs_read_query_info() or in -_fs_convert_props() which it calls to parse the fsPropInfo in the reply. - -v2: apply correctly on nx-libs 3.6.x (Mihai Moldovan) ---- - nx-X11/lib/font/fc/fsconvert.c | 19 ++++++++++++++----- - nx-X11/lib/font/fc/fserve.c | 43 +++++++++++++++++++++++++++++++++++++++--- - 2 files changed, 54 insertions(+), 8 deletions(-) - -diff --git a/nx-X11/lib/font/fc/fsconvert.c b/nx-X11/lib/font/fc/fsconvert.c -index 9a5e194..afa2c32 100644 ---- a/nx-X11/lib/font/fc/fsconvert.c -+++ b/nx-X11/lib/font/fc/fsconvert.c -@@ -123,6 +123,10 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd, - for (i = 0; i < nprops; i++, dprop++, is_str++) - { - memcpy(&local_off, off_adr, SIZEOF(fsPropOffset)); -+ if ((local_off.name.position >= pi->data_len) || -+ (local_off.name.length > -+ (pi->data_len - local_off.name.position))) -+ goto bail; - dprop->name = MakeAtom(&pdc[local_off.name.position], - local_off.name.length, 1); - if (local_off.type != PropTypeString) { -@@ -130,15 +134,20 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd, - dprop->value = local_off.value.position; - } else { - *is_str = TRUE; -+ if ((local_off.value.position >= pi->data_len) || -+ (local_off.value.length > -+ (pi->data_len - local_off.value.position))) -+ goto bail; - dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position], - local_off.value.length, 1); - if (dprop->value == BAD_RESOURCE) - { -- xfree (pfi->props); -- pfi->nprops = 0; -- pfi->props = 0; -- pfi->isStringProp = 0; -- return -1; -+ bail: -+ xfree (pfi->props); -+ pfi->nprops = 0; -+ pfi->props = 0; -+ pfi->isStringProp = 0; -+ return -1; - } - } - off_adr += SIZEOF(fsPropOffset); -diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c -index 9e652d2..75cabdd 100644 ---- a/nx-X11/lib/font/fc/fserve.c -+++ b/nx-X11/lib/font/fc/fserve.c -@@ -866,6 +866,7 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - FSFpePtr conn = (FSFpePtr) fpe->private; - fsQueryXInfoReply *rep; - char *buf; -+ long bufleft = 0; /* length of reply left to use */ - fsPropInfo *pi; - fsPropOffset *po; - pointer pd; -@@ -896,7 +897,10 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - - buf = (char *) rep; - buf += SIZEOF(fsQueryXInfoReply); -- -+ -+ bufleft = rep->length << 2; -+ bufleft -= SIZEOF(fsQueryXInfoReply); -+ - /* move the data over */ - fsUnpack_XFontInfoHeader(rep, pInfo); - -@@ -904,19 +908,52 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - _fs_init_fontinfo(conn, pInfo); - - /* Compute offsets into the reply */ -+ if (bufleft < SIZEOF(fsPropInfo)) -+ { -+ ret = -1; -+#ifdef DEBUG -+ fprintf(stderr, "fsQueryXInfo: bufleft (%ld) < SIZEOF(fsPropInfo)\n", -+ bufleft); -+#endif -+ goto bail; -+ } - pi = (fsPropInfo *) buf; - buf += SIZEOF (fsPropInfo); -- -+ bufleft -= SIZEOF (fsPropInfo); -+ -+ if ((bufleft / SIZEOF (fsPropOffset)) < pi->num_offsets) -+ { -+ ret = -1; -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXInfo: (bufleft / SIZEOF (fsPropOffset)) (%ld) < pi->num_offsets (%d)\n", -+ bufleft / SIZEOF (fsPropOffset), pi->num_offsets); -+#endif -+ goto bail; -+ } - po = (fsPropOffset *) buf; - buf += pi->num_offsets * SIZEOF(fsPropOffset); -+ bufleft -= pi->num_offsets * SIZEOF(fsPropOffset); - -+ if (bufleft < pi->data_len) -+ { -+ ret = -1; -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXInfo: bufleft (%ld) < data_len (%d)\n", -+ bufleft, pi->data_len); -+#endif -+ goto bail; -+ } - pd = (pointer) buf; - buf += pi->data_len; -+ bufleft -= pi->data_len; - - /* convert the properties and step over the reply */ - ret = _fs_convert_props(pi, po, pd, pInfo); -+ bail: - _fs_done_read (conn, rep->length << 2); -- -+ - if (ret == -1) - { - fs_cleanup_bfont (bfont); --- -2.1.4 - diff --git a/debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_exten.full.patch b/debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_exten.full.patch new file mode 100644 index 000000000..fc1dea6e3 --- /dev/null +++ b/debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_exten.full.patch @@ -0,0 +1,48 @@ +From bb7abd9da9badc6cb825c636867cbef827141f36 Mon Sep 17 00:00:00 2001 +From: Mike DePaulo +Date: Sun, 8 Feb 2015 22:19:01 -0500 +Subject: [PATCH 12/40] CVE-2014-0211: integer overflow in + fs_read_extent_info() from xorg/lib/libXfont commit + c578408c1fd4db09e4e3173f8a9e65c81cc187c1 + +fs_read_extent_info() parses a reply from the font server. +The reply contains a 32bit number of elements field which is used +to calculate a buffer length. There is an integer overflow in this +calculation which can lead to memory corruption. +--- + nx-X11/lib/font/fc/fserve.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c +index 2a6f6c9..639964c 100644 +--- a/nx-X11/lib/font/fc/fserve.c ++++ b/nx-X11/lib/font/fc/fserve.c +@@ -73,6 +73,7 @@ in this Software without prior written authorization from The Open Group. + #include "fservestr.h" + #include + #include ++#include + + #include + #define Time_t time_t +@@ -1060,7 +1061,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + numInfos *= 2; + haveInk = TRUE; + } +- ci = pCI = (CharInfoPtr) xalloc(sizeof(CharInfoRec) * numInfos); ++ if (numInfos >= (INT_MAX / sizeof(CharInfoRec))) { ++#ifdef DEBUG ++ fprintf(stderr, ++ "fsQueryXExtents16: numInfos (%d) >= %ld\n", ++ numInfos, (INT_MAX / sizeof(CharInfoRec))); ++#endif ++ pCI = NULL; ++ } ++ else ++ pCI = malloc(sizeof(CharInfoRec) * numInfos); + + if (!pCI) + { +-- +2.1.4 + diff --git a/debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch b/debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch deleted file mode 100644 index fc1dea6e3..000000000 --- a/debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch +++ /dev/null @@ -1,48 +0,0 @@ -From bb7abd9da9badc6cb825c636867cbef827141f36 Mon Sep 17 00:00:00 2001 -From: Mike DePaulo -Date: Sun, 8 Feb 2015 22:19:01 -0500 -Subject: [PATCH 12/40] CVE-2014-0211: integer overflow in - fs_read_extent_info() from xorg/lib/libXfont commit - c578408c1fd4db09e4e3173f8a9e65c81cc187c1 - -fs_read_extent_info() parses a reply from the font server. -The reply contains a 32bit number of elements field which is used -to calculate a buffer length. There is an integer overflow in this -calculation which can lead to memory corruption. ---- - nx-X11/lib/font/fc/fserve.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c -index 2a6f6c9..639964c 100644 ---- a/nx-X11/lib/font/fc/fserve.c -+++ b/nx-X11/lib/font/fc/fserve.c -@@ -73,6 +73,7 @@ in this Software without prior written authorization from The Open Group. - #include "fservestr.h" - #include - #include -+#include - - #include - #define Time_t time_t -@@ -1060,7 +1061,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - numInfos *= 2; - haveInk = TRUE; - } -- ci = pCI = (CharInfoPtr) xalloc(sizeof(CharInfoRec) * numInfos); -+ if (numInfos >= (INT_MAX / sizeof(CharInfoRec))) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXExtents16: numInfos (%d) >= %ld\n", -+ numInfos, (INT_MAX / sizeof(CharInfoRec))); -+#endif -+ pCI = NULL; -+ } -+ else -+ pCI = malloc(sizeof(CharInfoRec) * numInfos); - - if (!pCI) - { --- -2.1.4 - diff --git a/debian/patches/1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyp.full.patch b/debian/patches/1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyp.full.patch new file mode 100644 index 000000000..63ba2b9ff --- /dev/null +++ b/debian/patches/1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyp.full.patch @@ -0,0 +1,34 @@ +From a0bed4d9fce8ffc96f13ca13b95d2a7913d20719 Mon Sep 17 00:00:00 2001 +From: Mike DePaulo +Date: Sun, 8 Feb 2015 22:23:51 -0500 +Subject: [PATCH 13/40] CVE-2014-0211: integer overflow in fs_alloc_glyphs() + from xorg/lib/libXfont commit a42f707f8a62973f5e8bbcd08afb10a79e9cee33 + +fs_alloc_glyphs() is a malloc wrapper used by the font code. +It contains a classic integer overflow in the malloc() call, +which can cause memory corruption. +--- + nx-X11/lib/font/fc/fsconvert.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/nx-X11/lib/font/fc/fsconvert.c b/nx-X11/lib/font/fc/fsconvert.c +index d41e0b8..afa2c32 100644 +--- a/nx-X11/lib/font/fc/fsconvert.c ++++ b/nx-X11/lib/font/fc/fsconvert.c +@@ -762,7 +762,12 @@ fs_alloc_glyphs (FontPtr pFont, int size) + FSGlyphPtr glyphs; + FSFontPtr fsfont = (FSFontPtr) pFont->fontPrivate; + +- glyphs = xalloc (sizeof (FSGlyphRec) + size); ++ if (size < (INT_MAX - sizeof (FSGlyphRec))) ++ glyphs = xalloc (sizeof (FSGlyphRec) + size); ++ else ++ glyphs = NULL; ++ if (glyphs == NULL) ++ return NULL; + glyphs->next = fsfont->glyphs; + fsfont->glyphs = glyphs; + return (pointer) (glyphs + 1); +-- +2.1.4 + diff --git a/debian/patches/1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch b/debian/patches/1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch deleted file mode 100644 index 63ba2b9ff..000000000 --- a/debian/patches/1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch +++ /dev/null @@ -1,34 +0,0 @@ -From a0bed4d9fce8ffc96f13ca13b95d2a7913d20719 Mon Sep 17 00:00:00 2001 -From: Mike DePaulo -Date: Sun, 8 Feb 2015 22:23:51 -0500 -Subject: [PATCH 13/40] CVE-2014-0211: integer overflow in fs_alloc_glyphs() - from xorg/lib/libXfont commit a42f707f8a62973f5e8bbcd08afb10a79e9cee33 - -fs_alloc_glyphs() is a malloc wrapper used by the font code. -It contains a classic integer overflow in the malloc() call, -which can cause memory corruption. ---- - nx-X11/lib/font/fc/fsconvert.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/nx-X11/lib/font/fc/fsconvert.c b/nx-X11/lib/font/fc/fsconvert.c -index d41e0b8..afa2c32 100644 ---- a/nx-X11/lib/font/fc/fsconvert.c -+++ b/nx-X11/lib/font/fc/fsconvert.c -@@ -762,7 +762,12 @@ fs_alloc_glyphs (FontPtr pFont, int size) - FSGlyphPtr glyphs; - FSFontPtr fsfont = (FSFontPtr) pFont->fontPrivate; - -- glyphs = xalloc (sizeof (FSGlyphRec) + size); -+ if (size < (INT_MAX - sizeof (FSGlyphRec))) -+ glyphs = xalloc (sizeof (FSGlyphRec) + size); -+ else -+ glyphs = NULL; -+ if (glyphs == NULL) -+ return NULL; - glyphs->next = fsfont->glyphs; - fsfont->glyphs = glyphs; - return (pointer) (glyphs + 1); --- -2.1.4 - diff --git a/debian/patches/1014-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch b/debian/patches/1014-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch new file mode 100644 index 000000000..9d65f8a45 --- /dev/null +++ b/debian/patches/1014-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch @@ -0,0 +1,38 @@ +From d2b96c5d59766f96181de95da1906fd6e32785ba Mon Sep 17 00:00:00 2001 +From: Mike DePaulo +Date: Sun, 8 Feb 2015 22:26:16 -0500 +Subject: [PATCH 14/40] CVE-2014-0210: unvalidated length fields in + fs_read_extent_info() from xorg/lib/libXfont commit + a3f21421537620fc4e1f844a594a4bcd9f7e2bd8 + +Looping over the extents in the reply could go past the end of the +reply buffer if the reply indicated more extents than could fit in +the specified reply length. +--- + nx-X11/lib/font/fc/fserve.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c +index 639964c..79de4f3 100644 +--- a/nx-X11/lib/font/fc/fserve.c ++++ b/nx-X11/lib/font/fc/fserve.c +@@ -1069,6 +1069,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + #endif + pCI = NULL; + } ++ else if (numExtents > ((rep->length - LENGTHOF(fsQueryXExtents16Reply)) ++ / LENGTHOF(fsXCharInfo))) { ++#ifdef DEBUG ++ fprintf(stderr, ++ "fsQueryXExtents16: numExtents (%d) > (%d - %d) / %d\n", ++ numExtents, rep->length, ++ LENGTHOF(fsQueryXExtents16Reply), LENGTHOF(fsXCharInfo)); ++#endif ++ pCI = NULL; ++ } + else + pCI = malloc(sizeof(CharInfoRec) * numInfos); + +-- +2.1.4 + diff --git a/debian/patches/1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch b/debian/patches/1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch deleted file mode 100644 index 9d65f8a45..000000000 --- a/debian/patches/1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch +++ /dev/null @@ -1,38 +0,0 @@ -From d2b96c5d59766f96181de95da1906fd6e32785ba Mon Sep 17 00:00:00 2001 -From: Mike DePaulo -Date: Sun, 8 Feb 2015 22:26:16 -0500 -Subject: [PATCH 14/40] CVE-2014-0210: unvalidated length fields in - fs_read_extent_info() from xorg/lib/libXfont commit - a3f21421537620fc4e1f844a594a4bcd9f7e2bd8 - -Looping over the extents in the reply could go past the end of the -reply buffer if the reply indicated more extents than could fit in -the specified reply length. ---- - nx-X11/lib/font/fc/fserve.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c -index 639964c..79de4f3 100644 ---- a/nx-X11/lib/font/fc/fserve.c -+++ b/nx-X11/lib/font/fc/fserve.c -@@ -1069,6 +1069,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - #endif - pCI = NULL; - } -+ else if (numExtents > ((rep->length - LENGTHOF(fsQueryXExtents16Reply)) -+ / LENGTHOF(fsXCharInfo))) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXExtents16: numExtents (%d) > (%d - %d) / %d\n", -+ numExtents, rep->length, -+ LENGTHOF(fsQueryXExtents16Reply), LENGTHOF(fsXCharInfo)); -+#endif -+ pCI = NULL; -+ } - else - pCI = malloc(sizeof(CharInfoRec) * numInfos); - --- -2.1.4 - diff --git a/debian/patches/1015-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch b/debian/patches/1015-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch new file mode 100644 index 000000000..93e7d32da --- /dev/null +++ b/debian/patches/1015-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch @@ -0,0 +1,75 @@ +From ece51493f1d970f45e53588e33a700464a42fbab Mon Sep 17 00:00:00 2001 +From: Mike DePaulo +Date: Sun, 8 Feb 2015 22:27:47 -0500 +Subject: [PATCH 15/40] CVE-2014-0210: unvalidated length fields in + fs_read_glyphs() from xorg/lib/libXfont commit + 520683652564c2a4e42328ae23eef9bb63271565 + +fs_read_glyphs() parses a reply from the font server. The reply +contains embedded length fields, none of which are validated. +This can cause out of bound reads when looping over the glyph +bitmaps in the reply. +--- + nx-X11/lib/font/fc/fserve.c | 29 ++++++++++++++++++++++++++++- + 1 file changed, 28 insertions(+), 1 deletion(-) + +diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c +index 79de4f3..26218e5 100644 +--- a/nx-X11/lib/font/fc/fserve.c ++++ b/nx-X11/lib/font/fc/fserve.c +@@ -1916,6 +1916,7 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + FontInfoPtr pfi = &pfont->info; + fsQueryXBitmaps16Reply *rep; + char *buf; ++ long bufleft; /* length of reply left to use */ + fsOffset32 *ppbits; + fsOffset32 local_off; + char *off_adr; +@@ -1947,9 +1948,33 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + buf = (char *) rep; + buf += SIZEOF (fsQueryXBitmaps16Reply); + ++ bufleft = rep->length << 2; ++ bufleft -= SIZEOF (fsQueryXBitmaps16Reply); ++ ++ if ((bufleft / SIZEOF (fsOffset32)) < rep->num_chars) ++ { ++#ifdef DEBUG ++ fprintf(stderr, ++ "fsQueryXBitmaps16: num_chars (%d) > bufleft (%ld) / %d\n", ++ rep->num_chars, bufleft, SIZEOF (fsOffset32)); ++#endif ++ err = AllocError; ++ goto bail; ++ } + ppbits = (fsOffset32 *) buf; + buf += SIZEOF (fsOffset32) * (rep->num_chars); ++ bufleft -= SIZEOF (fsOffset32) * (rep->num_chars); + ++ if (bufleft < rep->nbytes) ++ { ++#ifdef DEBUG ++ fprintf(stderr, ++ "fsQueryXBitmaps16: nbytes (%d) > bufleft (%ld)\n", ++ rep->nbytes, bufleft); ++#endif ++ err = AllocError; ++ goto bail; ++ } + pbitmaps = (pointer ) buf; + + if (blockrec->type == FS_LOAD_GLYPHS) +@@ -2007,7 +2032,9 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + */ + if (NONZEROMETRICS(&fsdata->encoding[minchar].metrics)) + { +- if (local_off.length) ++ if (local_off.length && ++ (local_off.position < rep->nbytes) && ++ (local_off.length <= (rep->nbytes - local_off.position))) + { + bits = allbits; + allbits += local_off.length; +-- +2.1.4 + diff --git a/debian/patches/1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch b/debian/patches/1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch deleted file mode 100644 index 93e7d32da..000000000 --- a/debian/patches/1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch +++ /dev/null @@ -1,75 +0,0 @@ -From ece51493f1d970f45e53588e33a700464a42fbab Mon Sep 17 00:00:00 2001 -From: Mike DePaulo -Date: Sun, 8 Feb 2015 22:27:47 -0500 -Subject: [PATCH 15/40] CVE-2014-0210: unvalidated length fields in - fs_read_glyphs() from xorg/lib/libXfont commit - 520683652564c2a4e42328ae23eef9bb63271565 - -fs_read_glyphs() parses a reply from the font server. The reply -contains embedded length fields, none of which are validated. -This can cause out of bound reads when looping over the glyph -bitmaps in the reply. ---- - nx-X11/lib/font/fc/fserve.c | 29 ++++++++++++++++++++++++++++- - 1 file changed, 28 insertions(+), 1 deletion(-) - -diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c -index 79de4f3..26218e5 100644 ---- a/nx-X11/lib/font/fc/fserve.c -+++ b/nx-X11/lib/font/fc/fserve.c -@@ -1916,6 +1916,7 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - FontInfoPtr pfi = &pfont->info; - fsQueryXBitmaps16Reply *rep; - char *buf; -+ long bufleft; /* length of reply left to use */ - fsOffset32 *ppbits; - fsOffset32 local_off; - char *off_adr; -@@ -1947,9 +1948,33 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - buf = (char *) rep; - buf += SIZEOF (fsQueryXBitmaps16Reply); - -+ bufleft = rep->length << 2; -+ bufleft -= SIZEOF (fsQueryXBitmaps16Reply); -+ -+ if ((bufleft / SIZEOF (fsOffset32)) < rep->num_chars) -+ { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXBitmaps16: num_chars (%d) > bufleft (%ld) / %d\n", -+ rep->num_chars, bufleft, SIZEOF (fsOffset32)); -+#endif -+ err = AllocError; -+ goto bail; -+ } - ppbits = (fsOffset32 *) buf; - buf += SIZEOF (fsOffset32) * (rep->num_chars); -+ bufleft -= SIZEOF (fsOffset32) * (rep->num_chars); - -+ if (bufleft < rep->nbytes) -+ { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXBitmaps16: nbytes (%d) > bufleft (%ld)\n", -+ rep->nbytes, bufleft); -+#endif -+ err = AllocError; -+ goto bail; -+ } - pbitmaps = (pointer ) buf; - - if (blockrec->type == FS_LOAD_GLYPHS) -@@ -2007,7 +2032,9 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - */ - if (NONZEROMETRICS(&fsdata->encoding[minchar].metrics)) - { -- if (local_off.length) -+ if (local_off.length && -+ (local_off.position < rep->nbytes) && -+ (local_off.length <= (rep->nbytes - local_off.position))) - { - bits = allbits; - allbits += local_off.length; --- -2.1.4 - diff --git a/debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch b/debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch new file mode 100644 index 000000000..b5bc8c582 --- /dev/null +++ b/debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch @@ -0,0 +1,61 @@ +From ef439da38d3a4c00a4e03e7d8f83cb359cd9a230 Mon Sep 17 00:00:00 2001 +From: Mike DePaulo +Date: Sun, 8 Feb 2015 22:35:21 -0500 +Subject: [PATCH 16/40] CVE-2014-0210: unvalidated length fields in + fs_read_list() from xorg/lib/libXfont commit + 5fa73ac18474be3032ee7af9c6e29deab163ea39 + +fs_read_list() parses a reply from the font server. The reply +contains a list of strings with embedded length fields, none of +which are validated. This can cause out of bound reads when looping +over the strings in the reply. +--- + nx-X11/lib/font/fc/fserve.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c +index 26218e5..60d9017 100644 +--- a/nx-X11/lib/font/fc/fserve.c ++++ b/nx-X11/lib/font/fc/fserve.c +@@ -2365,6 +2365,7 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + FSBlockedListPtr blist = (FSBlockedListPtr) blockrec->data; + fsListFontsReply *rep; + char *data; ++ long dataleft; /* length of reply left to use */ + int length, + i, + ret; +@@ -2382,16 +2383,30 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + return AllocError; + } + data = (char *) rep + SIZEOF (fsListFontsReply); ++ dataleft = (rep->length << 2) - SIZEOF (fsListFontsReply); + + err = Successful; + /* copy data into FontPathRecord */ + for (i = 0; i < rep->nFonts; i++) + { ++ if (dataleft < 1) ++ break; + length = *(unsigned char *)data++; ++ dataleft--; /* used length byte */ ++ if (length > dataleft) { ++#ifdef DEBUG ++ fprintf(stderr, ++ "fsListFonts: name length (%d) > dataleft (%ld)\n", ++ length, dataleft); ++#endif ++ err = BadFontName; ++ break; ++ } + err = AddFontNamesName(blist->names, data, length); + if (err != Successful) + break; + data += length; ++ dataleft -= length; + } + _fs_done_read (conn, rep->length << 2); + return err; +-- +2.1.4 + diff --git a/debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch b/debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch deleted file mode 100644 index b5bc8c582..000000000 --- a/debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch +++ /dev/null @@ -1,61 +0,0 @@ -From ef439da38d3a4c00a4e03e7d8f83cb359cd9a230 Mon Sep 17 00:00:00 2001 -From: Mike DePaulo -Date: Sun, 8 Feb 2015 22:35:21 -0500 -Subject: [PATCH 16/40] CVE-2014-0210: unvalidated length fields in - fs_read_list() from xorg/lib/libXfont commit - 5fa73ac18474be3032ee7af9c6e29deab163ea39 - -fs_read_list() parses a reply from the font server. The reply -contains a list of strings with embedded length fields, none of -which are validated. This can cause out of bound reads when looping -over the strings in the reply. ---- - nx-X11/lib/font/fc/fserve.c | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - -diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c -index 26218e5..60d9017 100644 ---- a/nx-X11/lib/font/fc/fserve.c -+++ b/nx-X11/lib/font/fc/fserve.c -@@ -2365,6 +2365,7 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - FSBlockedListPtr blist = (FSBlockedListPtr) blockrec->data; - fsListFontsReply *rep; - char *data; -+ long dataleft; /* length of reply left to use */ - int length, - i, - ret; -@@ -2382,16 +2383,30 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - return AllocError; - } - data = (char *) rep + SIZEOF (fsListFontsReply); -+ dataleft = (rep->length << 2) - SIZEOF (fsListFontsReply); - - err = Successful; - /* copy data into FontPathRecord */ - for (i = 0; i < rep->nFonts; i++) - { -+ if (dataleft < 1) -+ break; - length = *(unsigned char *)data++; -+ dataleft--; /* used length byte */ -+ if (length > dataleft) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsListFonts: name length (%d) > dataleft (%ld)\n", -+ length, dataleft); -+#endif -+ err = BadFontName; -+ break; -+ } - err = AddFontNamesName(blist->names, data, length); - if (err != Successful) - break; - data += length; -+ dataleft -= length; - } - _fs_done_read (conn, rep->length << 2); - return err; --- -2.1.4 - diff --git a/debian/patches/1017-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch b/debian/patches/1017-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch new file mode 100644 index 000000000..d92c4eece --- /dev/null +++ b/debian/patches/1017-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch @@ -0,0 +1,112 @@ +From b65259bf3bcca15b5069cb7a6c06f95a40f79813 Mon Sep 17 00:00:00 2001 +From: Mike DePaulo +Date: Sun, 8 Feb 2015 22:38:32 -0500 +Subject: [PATCH 17/40] CVE-2014-0210: unvalidated length fields in + fs_read_list_info() from xorg/lib/libXfont commit + d338f81df1e188eb16e1d6aeea7f4800f89c1218 + +fs_read_list_info() parses a reply from the font server. The reply +contains a number of additional data items with embedded length or +count fields, none of which are validated. This can cause out of +bound reads when looping over these items in the reply. +--- + nx-X11/lib/font/fc/fserve.c | 56 ++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 55 insertions(+), 1 deletion(-) + +diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c +index 60d9017..6ba3ad4 100644 +--- a/nx-X11/lib/font/fc/fserve.c ++++ b/nx-X11/lib/font/fc/fserve.c +@@ -2500,6 +2500,7 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + FSBlockedListInfoPtr binfo = (FSBlockedListInfoPtr) blockrec->data; + fsListFontsWithXInfoReply *rep; + char *buf; ++ long bufleft; + FSFpePtr conn = (FSFpePtr) fpe->private; + fsPropInfo *pi; + fsPropOffset *po; +@@ -2536,7 +2537,8 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + } + + buf = (char *) rep + SIZEOF (fsListFontsWithXInfoReply); +- ++ bufleft = (rep->length << 2) - SIZEOF (fsListFontsWithXInfoReply); ++ + /* + * The original FS implementation didn't match + * the spec, version 1 was respecified to match the FS. +@@ -2544,19 +2546,71 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + */ + if (conn->fsMajorVersion <= 1) + { ++ if (rep->nameLength > bufleft) { ++#ifdef DEBUG ++ fprintf(stderr, ++ "fsListFontsWithXInfo: name length (%d) > bufleft (%ld)\n", ++ (int) rep->nameLength, bufleft); ++#endif ++ err = AllocError; ++ goto done; ++ } ++ /* binfo->name is a 256 char array, rep->nameLength is a CARD8 */ + memcpy (binfo->name, buf, rep->nameLength); + buf += _fs_pad_length (rep->nameLength); ++ bufleft -= _fs_pad_length (rep->nameLength); + } + pi = (fsPropInfo *) buf; ++ if (SIZEOF (fsPropInfo) > bufleft) { ++#ifdef DEBUG ++ fprintf(stderr, ++ "fsListFontsWithXInfo: PropInfo length (%d) > bufleft (%ld)\n", ++ (int) SIZEOF (fsPropInfo), bufleft); ++#endif ++ err = AllocError; ++ goto done; ++ } ++ bufleft -= SIZEOF (fsPropInfo); + buf += SIZEOF (fsPropInfo); + po = (fsPropOffset *) buf; ++ if (pi->num_offsets > (bufleft / SIZEOF (fsPropOffset))) { ++#ifdef DEBUG ++ fprintf(stderr, ++ "fsListFontsWithXInfo: offset length (%d * %d) > bufleft (%ld)\n", ++ pi->num_offsets, (int) SIZEOF (fsPropOffset), bufleft); ++#endif ++ err = AllocError; ++ goto done; ++ } ++ bufleft -= pi->num_offsets * SIZEOF (fsPropOffset); + buf += pi->num_offsets * SIZEOF (fsPropOffset); + pd = (pointer) buf; ++ if (pi->data_len > bufleft) { ++#ifdef DEBUG ++ fprintf(stderr, ++ "fsListFontsWithXInfo: data length (%d) > bufleft (%ld)\n", ++ pi->data_len, bufleft); ++#endif ++ err = AllocError; ++ goto done; ++ } ++ bufleft -= pi->data_len; + buf += pi->data_len; + if (conn->fsMajorVersion > 1) + { ++ if (rep->nameLength > bufleft) { ++#ifdef DEBUG ++ fprintf(stderr, ++ "fsListFontsWithXInfo: name length (%d) > bufleft (%ld)\n", ++ (int) rep->nameLength, bufleft); ++#endif ++ err = AllocError; ++ goto done; ++ } ++ /* binfo->name is a 256 char array, rep->nameLength is a CARD8 */ + memcpy (binfo->name, buf, rep->nameLength); + buf += _fs_pad_length (rep->nameLength); ++ bufleft -= _fs_pad_length (rep->nameLength); + } + + #ifdef DEBUG +-- +2.1.4 + diff --git a/debian/patches/1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch b/debian/patches/1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch deleted file mode 100644 index d92c4eece..000000000 --- a/debian/patches/1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch +++ /dev/null @@ -1,112 +0,0 @@ -From b65259bf3bcca15b5069cb7a6c06f95a40f79813 Mon Sep 17 00:00:00 2001 -From: Mike DePaulo -Date: Sun, 8 Feb 2015 22:38:32 -0500 -Subject: [PATCH 17/40] CVE-2014-0210: unvalidated length fields in - fs_read_list_info() from xorg/lib/libXfont commit - d338f81df1e188eb16e1d6aeea7f4800f89c1218 - -fs_read_list_info() parses a reply from the font server. The reply -contains a number of additional data items with embedded length or -count fields, none of which are validated. This can cause out of -bound reads when looping over these items in the reply. ---- - nx-X11/lib/font/fc/fserve.c | 56 ++++++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 55 insertions(+), 1 deletion(-) - -diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c -index 60d9017..6ba3ad4 100644 ---- a/nx-X11/lib/font/fc/fserve.c -+++ b/nx-X11/lib/font/fc/fserve.c -@@ -2500,6 +2500,7 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - FSBlockedListInfoPtr binfo = (FSBlockedListInfoPtr) blockrec->data; - fsListFontsWithXInfoReply *rep; - char *buf; -+ long bufleft; - FSFpePtr conn = (FSFpePtr) fpe->private; - fsPropInfo *pi; - fsPropOffset *po; -@@ -2536,7 +2537,8 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - } - - buf = (char *) rep + SIZEOF (fsListFontsWithXInfoReply); -- -+ bufleft = (rep->length << 2) - SIZEOF (fsListFontsWithXInfoReply); -+ - /* - * The original FS implementation didn't match - * the spec, version 1 was respecified to match the FS. -@@ -2544,19 +2546,71 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - */ - if (conn->fsMajorVersion <= 1) - { -+ if (rep->nameLength > bufleft) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsListFontsWithXInfo: name length (%d) > bufleft (%ld)\n", -+ (int) rep->nameLength, bufleft); -+#endif -+ err = AllocError; -+ goto done; -+ } -+ /* binfo->name is a 256 char array, rep->nameLength is a CARD8 */ - memcpy (binfo->name, buf, rep->nameLength); - buf += _fs_pad_length (rep->nameLength); -+ bufleft -= _fs_pad_length (rep->nameLength); - } - pi = (fsPropInfo *) buf; -+ if (SIZEOF (fsPropInfo) > bufleft) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsListFontsWithXInfo: PropInfo length (%d) > bufleft (%ld)\n", -+ (int) SIZEOF (fsPropInfo), bufleft); -+#endif -+ err = AllocError; -+ goto done; -+ } -+ bufleft -= SIZEOF (fsPropInfo); - buf += SIZEOF (fsPropInfo); - po = (fsPropOffset *) buf; -+ if (pi->num_offsets > (bufleft / SIZEOF (fsPropOffset))) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsListFontsWithXInfo: offset length (%d * %d) > bufleft (%ld)\n", -+ pi->num_offsets, (int) SIZEOF (fsPropOffset), bufleft); -+#endif -+ err = AllocError; -+ goto done; -+ } -+ bufleft -= pi->num_offsets * SIZEOF (fsPropOffset); - buf += pi->num_offsets * SIZEOF (fsPropOffset); - pd = (pointer) buf; -+ if (pi->data_len > bufleft) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsListFontsWithXInfo: data length (%d) > bufleft (%ld)\n", -+ pi->data_len, bufleft); -+#endif -+ err = AllocError; -+ goto done; -+ } -+ bufleft -= pi->data_len; - buf += pi->data_len; - if (conn->fsMajorVersion > 1) - { -+ if (rep->nameLength > bufleft) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsListFontsWithXInfo: name length (%d) > bufleft (%ld)\n", -+ (int) rep->nameLength, bufleft); -+#endif -+ err = AllocError; -+ goto done; -+ } -+ /* binfo->name is a 256 char array, rep->nameLength is a CARD8 */ - memcpy (binfo->name, buf, rep->nameLength); - buf += _fs_pad_length (rep->nameLength); -+ bufleft -= _fs_pad_length (rep->nameLength); - } - - #ifdef DEBUG --- -2.1.4 - diff --git a/debian/patches/1018-unchecked-malloc-may-allow-unauthed-client-to-c.full.patch b/debian/patches/1018-unchecked-malloc-may-allow-unauthed-client-to-c.full.patch new file mode 100644 index 000000000..3177ee906 --- /dev/null +++ b/debian/patches/1018-unchecked-malloc-may-allow-unauthed-client-to-c.full.patch @@ -0,0 +1,43 @@ +From 37e7fb1f64b29ef06ec4d69ab0b7afa99c613383 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Fri, 17 Jan 2014 18:54:03 -0800 +Subject: [PATCH 18/40] unchecked malloc may allow unauthed client to crash + Xserver [CVE-2014-8091] + +authdes_ezdecode() calls malloc() using a length provided by the +connection handshake sent by a newly connected client in order +to authenticate to the server, so should be treated as untrusted. + +It didn't check if malloc() failed before writing to the newly +allocated buffer, so could lead to a server crash if the server +fails to allocate memory (up to UINT16_MAX bytes, since the len +field is a CARD16 in the X protocol). + +Reported-by: Ilja Van Sprundel +Signed-off-by: Alan Coopersmith +Reviewed-by: Peter Hutterer + +Conflicts: + os/rpcauth.c +--- + nx-X11/programs/Xserver/os/rpcauth.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/nx-X11/programs/Xserver/os/rpcauth.c b/nx-X11/programs/Xserver/os/rpcauth.c +index 3c5cb59..a12931e 100644 +--- a/nx-X11/programs/Xserver/os/rpcauth.c ++++ b/nx-X11/programs/Xserver/os/rpcauth.c +@@ -78,6 +78,10 @@ authdes_ezdecode(char *inmsg, int len) + SVCXPRT xprt; + + temp_inmsg = (char *) xalloc(len); ++ if (temp_inmsg == NULL) { ++ why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */ ++ return NULL; ++ } + memmove(temp_inmsg, inmsg, len); + + memset((char *)&msg, 0, sizeof(msg)); +-- +2.1.4 + diff --git a/debian/patches/1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch b/debian/patches/1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch deleted file mode 100644 index 3177ee906..000000000 --- a/debian/patches/1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 37e7fb1f64b29ef06ec4d69ab0b7afa99c613383 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 17 Jan 2014 18:54:03 -0800 -Subject: [PATCH 18/40] unchecked malloc may allow unauthed client to crash - Xserver [CVE-2014-8091] - -authdes_ezdecode() calls malloc() using a length provided by the -connection handshake sent by a newly connected client in order -to authenticate to the server, so should be treated as untrusted. - -It didn't check if malloc() failed before writing to the newly -allocated buffer, so could lead to a server crash if the server -fails to allocate memory (up to UINT16_MAX bytes, since the len -field is a CARD16 in the X protocol). - -Reported-by: Ilja Van Sprundel -Signed-off-by: Alan Coopersmith -Reviewed-by: Peter Hutterer - -Conflicts: - os/rpcauth.c ---- - nx-X11/programs/Xserver/os/rpcauth.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/nx-X11/programs/Xserver/os/rpcauth.c b/nx-X11/programs/Xserver/os/rpcauth.c -index 3c5cb59..a12931e 100644 ---- a/nx-X11/programs/Xserver/os/rpcauth.c -+++ b/nx-X11/programs/Xserver/os/rpcauth.c -@@ -78,6 +78,10 @@ authdes_ezdecode(char *inmsg, int len) - SVCXPRT xprt; - - temp_inmsg = (char *) xalloc(len); -+ if (temp_inmsg == NULL) { -+ why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */ -+ return NULL; -+ } - memmove(temp_inmsg, inmsg, len); - - memset((char *)&msg, 0, sizeof(msg)); --- -2.1.4 - diff --git a/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch b/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch new file mode 100644 index 000000000..05d491941 --- /dev/null +++ b/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch @@ -0,0 +1,42 @@ +From c1225fe6451d7a5f3741ce0fff8f54e38e0a14da Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Wed, 22 Jan 2014 21:11:16 -0800 +Subject: [PATCH 19/40] dix: integer overflow in ProcPutImage() [CVE-2014-8092 + 1/4] + +ProcPutImage() calculates a length field from a width, left pad and depth +specified by the client (if the specified format is XYPixmap). + +The calculations for the total amount of memory the server needs for the +pixmap can overflow a 32-bit number, causing out-of-bounds memory writes +on 32-bit systems (since the length is stored in a long int variable). + +v2: backport to nx-libs 3.6.x (Mike DePaulo) +Reported-by: Ilja Van Sprundel +Signed-off-by: Alan Coopersmith +Reviewed-by: Peter Hutterer + +Conflicts: + dix/dispatch.c +--- + nx-X11/programs/Xserver/dix/dispatch.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/nx-X11/programs/Xserver/dix/dispatch.c b/nx-X11/programs/Xserver/dix/dispatch.c +index 6941456..5ad2f5a 100644 +--- a/nx-X11/programs/Xserver/dix/dispatch.c ++++ b/nx-X11/programs/Xserver/dix/dispatch.c +@@ -2071,7 +2071,9 @@ ProcPutImage(register ClientPtr client) + + tmpImage = (char *)&stuff[1]; + lengthProto = length; +- ++ if (lengthProto >= (INT32_MAX / stuff->height)) ++ return BadLength; ++ + if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + + (sizeof(xPutImageReq) >> 2)) != client->req_len) + return BadLength; +-- +2.1.4 + diff --git a/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch b/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch deleted file mode 100644 index 05d491941..000000000 --- a/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch +++ /dev/null @@ -1,42 +0,0 @@ -From c1225fe6451d7a5f3741ce0fff8f54e38e0a14da Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Wed, 22 Jan 2014 21:11:16 -0800 -Subject: [PATCH 19/40] dix: integer overflow in ProcPutImage() [CVE-2014-8092 - 1/4] - -ProcPutImage() calculates a length field from a width, left pad and depth -specified by the client (if the specified format is XYPixmap). - -The calculations for the total amount of memory the server needs for the -pixmap can overflow a 32-bit number, causing out-of-bounds memory writes -on 32-bit systems (since the length is stored in a long int variable). - -v2: backport to nx-libs 3.6.x (Mike DePaulo) -Reported-by: Ilja Van Sprundel -Signed-off-by: Alan Coopersmith -Reviewed-by: Peter Hutterer - -Conflicts: - dix/dispatch.c ---- - nx-X11/programs/Xserver/dix/dispatch.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/nx-X11/programs/Xserver/dix/dispatch.c b/nx-X11/programs/Xserver/dix/dispatch.c -index 6941456..5ad2f5a 100644 ---- a/nx-X11/programs/Xserver/dix/dispatch.c -+++ b/nx-X11/programs/Xserver/dix/dispatch.c -@@ -2071,7 +2071,9 @@ ProcPutImage(register ClientPtr client) - - tmpImage = (char *)&stuff[1]; - lengthProto = length; -- -+ if (lengthProto >= (INT32_MAX / stuff->height)) -+ return BadLength; -+ - if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + - (sizeof(xPutImageReq) >> 2)) != client->req_len) - return BadLength; --- -2.1.4 - diff --git a/debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-.full.patch b/debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-.full.patch new file mode 100644 index 000000000..1d880399f --- /dev/null +++ b/debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-.full.patch @@ -0,0 +1,54 @@ +From b6b5b14e4190048fadbfbcf063d873d318127e81 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Mon, 6 Jan 2014 23:30:14 -0800 +Subject: [PATCH 20/40] dix: integer overflow in GetHosts() [CVE-2014-8092 2/4] + +GetHosts() iterates over all the hosts it has in memory, and copies +them to a buffer. The buffer length is calculated by iterating over +all the hosts and adding up all of their combined length. There is a +potential integer overflow, if there are lots and lots of hosts (with +a combined length of > ~4 gig). This should be possible by repeatedly +calling ProcChangeHosts() on 64bit machines with enough memory. + +This patch caps the list at 1mb, because multi-megabyte hostname +lists for X access control are insane. + +v2: backport to nx-libs 3.6.x (Mike DePaulo) +v3: human-readable version of "1 MB" (Mihai Moldovan) +Reported-by: Ilja Van Sprundel +Signed-off-by: Alan Coopersmith +Reviewed-by: Peter Hutterer + +Conflicts: + os/access.c +--- + nx-X11/programs/Xserver/os/access.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/nx-X11/programs/Xserver/os/access.c b/nx-X11/programs/Xserver/os/access.c +index b6a70a7..532a2f8 100644 +--- a/nx-X11/programs/Xserver/os/access.c ++++ b/nx-X11/programs/Xserver/os/access.c +@@ -1719,6 +1719,10 @@ GetHosts ( + { + nHosts++; + n += (((host->len + 3) >> 2) << 2) + sizeof(xHostEntry); ++ /* Could check for INT_MAX, but in reality having more than 1mb of ++ hostnames in the access list is ridiculous */ ++ if (n >= 1024*1024) ++ break; + } + if (n) + { +@@ -1730,6 +1734,8 @@ GetHosts ( + for (host = validhosts; host; host = host->next) + { + len = host->len; ++ if ((ptr + sizeof(xHostEntry) + len) > (data + n)) ++ break; + ((xHostEntry *)ptr)->family = host->family; + ((xHostEntry *)ptr)->length = len; + ptr += sizeof(xHostEntry); +-- +2.1.4 + diff --git a/debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch b/debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch deleted file mode 100644 index 1d880399f..000000000 --- a/debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch +++ /dev/null @@ -1,54 +0,0 @@ -From b6b5b14e4190048fadbfbcf063d873d318127e81 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Mon, 6 Jan 2014 23:30:14 -0800 -Subject: [PATCH 20/40] dix: integer overflow in GetHosts() [CVE-2014-8092 2/4] - -GetHosts() iterates over all the hosts it has in memory, and copies -them to a buffer. The buffer length is calculated by iterating over -all the hosts and adding up all of their combined length. There is a -potential integer overflow, if there are lots and lots of hosts (with -a combined length of > ~4 gig). This should be possible by repeatedly -calling ProcChangeHosts() on 64bit machines with enough memory. - -This patch caps the list at 1mb, because multi-megabyte hostname -lists for X access control are insane. - -v2: backport to nx-libs 3.6.x (Mike DePaulo) -v3: human-readable version of "1 MB" (Mihai Moldovan) -Reported-by: Ilja Van Sprundel -Signed-off-by: Alan Coopersmith -Reviewed-by: Peter Hutterer - -Conflicts: - os/access.c ---- - nx-X11/programs/Xserver/os/access.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/nx-X11/programs/Xserver/os/access.c b/nx-X11/programs/Xserver/os/access.c -index b6a70a7..532a2f8 100644 ---- a/nx-X11/programs/Xserver/os/access.c -+++ b/nx-X11/programs/Xserver/os/access.c -@@ -1719,6 +1719,10 @@ GetHosts ( - { - nHosts++; - n += (((host->len + 3) >> 2) << 2) + sizeof(xHostEntry); -+ /* Could check for INT_MAX, but in reality having more than 1mb of -+ hostnames in the access list is ridiculous */ -+ if (n >= 1024*1024) -+ break; - } - if (n) - { -@@ -1730,6 +1734,8 @@ GetHosts ( - for (host = validhosts; host; host = host->next) - { - len = host->len; -+ if ((ptr + sizeof(xHostEntry) + len) > (data + n)) -+ break; - ((xHostEntry *)ptr)->family = host->family; - ((xHostEntry *)ptr)->length = len; - ptr += sizeof(xHostEntry); --- -2.1.4 - diff --git a/debian/patches/1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8.full.patch b/debian/patches/1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8.full.patch new file mode 100644 index 000000000..a189cd537 --- /dev/null +++ b/debian/patches/1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8.full.patch @@ -0,0 +1,205 @@ +From ed1e13a1f4e316bcf0dc0d4b2c16b1df3f075005 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Wed, 22 Jan 2014 22:37:15 -0800 +Subject: [PATCH 21/40] dix: integer overflow in RegionSizeof() [CVE-2014-8092 + 3/4] + +RegionSizeof contains several integer overflows if a large length +value is passed in. Once we fix it to return 0 on overflow, we +also have to fix the callers to handle this error condition + +v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau. +v3: backport to nx-libs 3.6.x (Mike DePaulo) + +Reported-by: Ilja Van Sprundel +Signed-off-by: Alan Coopersmith +Reviewed-by: Peter Hutterer +Reviewed-by: Julien Cristau + +Conflicts: + dix/region.c + include/regionstr.h +--- + nx-X11/programs/Xserver/include/regionstr.h | 10 +++++--- + nx-X11/programs/Xserver/mi/miregion.c | 39 ++++++++++++++++++++--------- + 2 files changed, 34 insertions(+), 15 deletions(-) + +diff --git a/nx-X11/programs/Xserver/include/regionstr.h b/nx-X11/programs/Xserver/include/regionstr.h +index 000bf3f..cf41170 100644 +--- a/nx-X11/programs/Xserver/include/regionstr.h ++++ b/nx-X11/programs/Xserver/include/regionstr.h +@@ -53,6 +53,9 @@ SOFTWARE. + + typedef struct _Region RegionRec, *RegionPtr; + ++#include ++#include ++ + #include "miscstruct.h" + + /* Return values from RectIn() */ +@@ -93,7 +96,7 @@ extern RegDataRec miBrokenData; + #define REGION_BOX(reg,i) (®ION_BOXPTR(reg)[i]) + #define REGION_TOP(reg) REGION_BOX(reg, (reg)->data->numRects) + #define REGION_END(reg) REGION_BOX(reg, (reg)->data->numRects - 1) +-#define REGION_SZOF(n) (sizeof(RegDataRec) + ((n) * sizeof(BoxRec))) ++#define REGION_SZOF(n) (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)) ? sizeof(RegDataRec) + ((n) * sizeof(BoxRec)) : 0) + + /* Keith recommends weaning the region code of pScreen argument */ + #define REG_pScreen screenInfo.screens[0] +@@ -257,9 +260,10 @@ extern RegDataRec miBrokenData; + } \ + else \ + { \ ++ size_t rgnSize; \ + (_pReg)->extents = miEmptyBox; \ +- if (((_size) > 1) && ((_pReg)->data = \ +- (RegDataPtr)xalloc(REGION_SZOF(_size)))) \ ++ if (((_size) > 1) && ((rgnSize = REGION_SZOF(_size)) > 0) && \ ++ ((_pReg)->data = (RegDataPtr)xalloc(rgnSize))) \ + { \ + (_pReg)->data->size = (_size); \ + (_pReg)->data->numRects = 0; \ +diff --git a/nx-X11/programs/Xserver/mi/miregion.c b/nx-X11/programs/Xserver/mi/miregion.c +index df33248..5ec4ec5 100644 +--- a/nx-X11/programs/Xserver/mi/miregion.c ++++ b/nx-X11/programs/Xserver/mi/miregion.c +@@ -172,7 +172,6 @@ Equipment Corporation. + ((r1)->y1 <= (r2)->y1) && \ + ((r1)->y2 >= (r2)->y2) ) + +-#define xallocData(n) (RegDataPtr)xalloc(REGION_SZOF(n)) + #define xfreeData(reg) if ((reg)->data && (reg)->data->size) xfree((reg)->data) + + #define RECTALLOC_BAIL(pReg,n,bail) \ +@@ -209,8 +208,9 @@ if (!(pReg)->data || (((pReg)->data->numRects + (n)) > (pReg)->data->size)) \ + #define DOWNSIZE(reg,numRects) \ + if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \ + { \ +- RegDataPtr NewData; \ +- NewData = (RegDataPtr)xrealloc((reg)->data, REGION_SZOF(numRects)); \ ++ size_t NewSize = REGION_SZOF(numRects); \ ++ RegDataPtr NewData = \ ++ (NewSize > 0) ? (RegDataPtr)xrealloc((reg)->data, NewSize) : NULL; \ + if (NewData) \ + { \ + NewData->size = (numRects); \ +@@ -337,7 +337,7 @@ miRegionCreate(rect, size) + int size; + { + register RegionPtr pReg; +- ++ size_t newSize; + pReg = (RegionPtr)xalloc(sizeof(RegionRec)); + if (!pReg) + return &miBrokenRegion; +@@ -349,7 +349,9 @@ miRegionCreate(rect, size) + else + { + pReg->extents = miEmptyBox; +- if ((size > 1) && (pReg->data = xallocData(size))) ++ newSize = REGION_SZOF(size); ++ if ((size > 1) && (newSize > 0) && ++ (pReg->data = xalloc(newSize))) + { + pReg->data->size = size; + pReg->data->numRects = 0; +@@ -371,6 +373,8 @@ miRegionInit(pReg, rect, size) + BoxPtr rect; + int size; + { ++ size_t newSize; ++ + if (rect) + { + pReg->extents = *rect; +@@ -379,7 +383,9 @@ miRegionInit(pReg, rect, size) + else + { + pReg->extents = miEmptyBox; +- if ((size > 1) && (pReg->data = xallocData(size))) ++ newSize = REGION_SZOF(size); ++ if ((size > 1) && (newSize > 0) && ++ (pReg->data = xalloc(newSize))) + { + pReg->data->size = size; + pReg->data->numRects = 0; +@@ -423,11 +429,13 @@ miRectAlloc( + int n) + { + RegDataPtr data; ++ size_t rgnSize; + + if (!pRgn->data) + { + n++; +- pRgn->data = xallocData(n); ++ rgnSize = REGION_SZOF(n); ++ pRgn->data = (rgnSize > 0) ? xalloc(rgnSize) : NULL; + if (!pRgn->data) + return miRegionBreak (pRgn); + pRgn->data->numRects = 1; +@@ -435,7 +443,8 @@ miRectAlloc( + } + else if (!pRgn->data->size) + { +- pRgn->data = xallocData(n); ++ rgnSize = REGION_SZOF(n); ++ pRgn->data = (rgnSize > 0) ? xalloc(rgnSize) : NULL; + if (!pRgn->data) + return miRegionBreak (pRgn); + pRgn->data->numRects = 0; +@@ -449,7 +458,8 @@ miRectAlloc( + n = 250; + } + n += pRgn->data->numRects; +- data = (RegDataPtr)xrealloc(pRgn->data, REGION_SZOF(n)); ++ rgnSize = REGION_SZOF(n); ++ data = (rgnSize > 0) ? xrealloc(pRgn->data, rgnSize) : NULL; + if (!data) + return miRegionBreak (pRgn); + pRgn->data = data; +@@ -476,8 +486,10 @@ miRegionCopy(dst, src) + } + if (!dst->data || (dst->data->size < src->data->numRects)) + { ++ size_t newSize = REGION_SZOF(src->data->numRects); + xfreeData(dst); +- dst->data = xallocData(src->data->numRects); ++ ++ dst->data = newSize > 0 ? xalloc(newSize) : NULL; + if (!dst->data) + return miRegionBreak (dst); + dst->data->size = src->data->numRects; +@@ -1667,6 +1679,7 @@ miRectsToRegion(nrects, prect, ctype) + register BoxPtr pBox; + register int i; + int x1, y1, x2, y2; ++ size_t newSize; + + pRgn = miRegionCreate(NullBox, 0); + if (REGION_NAR (pRgn)) +@@ -1691,7 +1704,8 @@ miRectsToRegion(nrects, prect, ctype) + } + return pRgn; + } +- pData = xallocData(nrects); ++ newSize = REGION_SZOF(nrects); ++ pData = newSize > 0 ? xalloc(newSize) : NULL; + if (!pData) + { + miRegionBreak (pRgn); +@@ -2206,8 +2220,9 @@ miRegionDataCopy( + } + if (!dst->data || (dst->data->size < src->data->numRects)) + { ++ size_t newSize = REGION_SZOF(src->data->numRects); + xfreeData(dst); +- dst->data = xallocData(src->data->numRects); ++ dst->data = newSize > 0 ? xalloc(newSize) : NULL; + if (!dst->data) + return miRegionBreak (dst); + } +-- +2.1.4 + diff --git a/debian/patches/1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch b/debian/patches/1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch deleted file mode 100644 index a189cd537..000000000 --- a/debian/patches/1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch +++ /dev/null @@ -1,205 +0,0 @@ -From ed1e13a1f4e316bcf0dc0d4b2c16b1df3f075005 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Wed, 22 Jan 2014 22:37:15 -0800 -Subject: [PATCH 21/40] dix: integer overflow in RegionSizeof() [CVE-2014-8092 - 3/4] - -RegionSizeof contains several integer overflows if a large length -value is passed in. Once we fix it to return 0 on overflow, we -also have to fix the callers to handle this error condition - -v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau. -v3: backport to nx-libs 3.6.x (Mike DePaulo) - -Reported-by: Ilja Van Sprundel -Signed-off-by: Alan Coopersmith -Reviewed-by: Peter Hutterer -Reviewed-by: Julien Cristau - -Conflicts: - dix/region.c - include/regionstr.h ---- - nx-X11/programs/Xserver/include/regionstr.h | 10 +++++--- - nx-X11/programs/Xserver/mi/miregion.c | 39 ++++++++++++++++++++--------- - 2 files changed, 34 insertions(+), 15 deletions(-) - -diff --git a/nx-X11/programs/Xserver/include/regionstr.h b/nx-X11/programs/Xserver/include/regionstr.h -index 000bf3f..cf41170 100644 ---- a/nx-X11/programs/Xserver/include/regionstr.h -+++ b/nx-X11/programs/Xserver/include/regionstr.h -@@ -53,6 +53,9 @@ SOFTWARE. - - typedef struct _Region RegionRec, *RegionPtr; - -+#include -+#include -+ - #include "miscstruct.h" - - /* Return values from RectIn() */ -@@ -93,7 +96,7 @@ extern RegDataRec miBrokenData; - #define REGION_BOX(reg,i) (®ION_BOXPTR(reg)[i]) - #define REGION_TOP(reg) REGION_BOX(reg, (reg)->data->numRects) - #define REGION_END(reg) REGION_BOX(reg, (reg)->data->numRects - 1) --#define REGION_SZOF(n) (sizeof(RegDataRec) + ((n) * sizeof(BoxRec))) -+#define REGION_SZOF(n) (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)) ? sizeof(RegDataRec) + ((n) * sizeof(BoxRec)) : 0) - - /* Keith recommends weaning the region code of pScreen argument */ - #define REG_pScreen screenInfo.screens[0] -@@ -257,9 +260,10 @@ extern RegDataRec miBrokenData; - } \ - else \ - { \ -+ size_t rgnSize; \ - (_pReg)->extents = miEmptyBox; \ -- if (((_size) > 1) && ((_pReg)->data = \ -- (RegDataPtr)xalloc(REGION_SZOF(_size)))) \ -+ if (((_size) > 1) && ((rgnSize = REGION_SZOF(_size)) > 0) && \ -+ ((_pReg)->data = (RegDataPtr)xalloc(rgnSize))) \ - { \ - (_pReg)->data->size = (_size); \ - (_pReg)->data->numRects = 0; \ -diff --git a/nx-X11/programs/Xserver/mi/miregion.c b/nx-X11/programs/Xserver/mi/miregion.c -index df33248..5ec4ec5 100644 ---- a/nx-X11/programs/Xserver/mi/miregion.c -+++ b/nx-X11/programs/Xserver/mi/miregion.c -@@ -172,7 +172,6 @@ Equipment Corporation. - ((r1)->y1 <= (r2)->y1) && \ - ((r1)->y2 >= (r2)->y2) ) - --#define xallocData(n) (RegDataPtr)xalloc(REGION_SZOF(n)) - #define xfreeData(reg) if ((reg)->data && (reg)->data->size) xfree((reg)->data) - - #define RECTALLOC_BAIL(pReg,n,bail) \ -@@ -209,8 +208,9 @@ if (!(pReg)->data || (((pReg)->data->numRects + (n)) > (pReg)->data->size)) \ - #define DOWNSIZE(reg,numRects) \ - if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \ - { \ -- RegDataPtr NewData; \ -- NewData = (RegDataPtr)xrealloc((reg)->data, REGION_SZOF(numRects)); \ -+ size_t NewSize = REGION_SZOF(numRects); \ -+ RegDataPtr NewData = \ -+ (NewSize > 0) ? (RegDataPtr)xrealloc((reg)->data, NewSize) : NULL; \ - if (NewData) \ - { \ - NewData->size = (numRects); \ -@@ -337,7 +337,7 @@ miRegionCreate(rect, size) - int size; - { - register RegionPtr pReg; -- -+ size_t newSize; - pReg = (RegionPtr)xalloc(sizeof(RegionRec)); - if (!pReg) - return &miBrokenRegion; -@@ -349,7 +349,9 @@ miRegionCreate(rect, size) - else - { - pReg->extents = miEmptyBox; -- if ((size > 1) && (pReg->data = xallocData(size))) -+ newSize = REGION_SZOF(size); -+ if ((size > 1) && (newSize > 0) && -+ (pReg->data = xalloc(newSize))) - { - pReg->data->size = size; - pReg->data->numRects = 0; -@@ -371,6 +373,8 @@ miRegionInit(pReg, rect, size) - BoxPtr rect; - int size; - { -+ size_t newSize; -+ - if (rect) - { - pReg->extents = *rect; -@@ -379,7 +383,9 @@ miRegionInit(pReg, rect, size) - else - { - pReg->extents = miEmptyBox; -- if ((size > 1) && (pReg->data = xallocData(size))) -+ newSize = REGION_SZOF(size); -+ if ((size > 1) && (newSize > 0) && -+ (pReg->data = xalloc(newSize))) - { - pReg->data->size = size; - pReg->data->numRects = 0; -@@ -423,11 +429,13 @@ miRectAlloc( - int n) - { - RegDataPtr data; -+ size_t rgnSize; - - if (!pRgn->data) - { - n++; -- pRgn->data = xallocData(n); -+ rgnSize = REGION_SZOF(n); -+ pRgn->data = (rgnSize > 0) ? xalloc(rgnSize) : NULL; - if (!pRgn->data) - return miRegionBreak (pRgn); - pRgn->data->numRects = 1; -@@ -435,7 +443,8 @@ miRectAlloc( - } - else if (!pRgn->data->size) - { -- pRgn->data = xallocData(n); -+ rgnSize = REGION_SZOF(n); -+ pRgn->data = (rgnSize > 0) ? xalloc(rgnSize) : NULL; - if (!pRgn->data) - return miRegionBreak (pRgn); - pRgn->data->numRects = 0; -@@ -449,7 +458,8 @@ miRectAlloc( - n = 250; - } - n += pRgn->data->numRects; -- data = (RegDataPtr)xrealloc(pRgn->data, REGION_SZOF(n)); -+ rgnSize = REGION_SZOF(n); -+ data = (rgnSize > 0) ? xrealloc(pRgn->data, rgnSize) : NULL; - if (!data) - return miRegionBreak (pRgn); - pRgn->data = data; -@@ -476,8 +486,10 @@ miRegionCopy(dst, src) - } - if (!dst->data || (dst->data->size < src->data->numRects)) - { -+ size_t newSize = REGION_SZOF(src->data->numRects); - xfreeData(dst); -- dst->data = xallocData(src->data->numRects); -+ -+ dst->data = newSize > 0 ? xalloc(newSize) : NULL; - if (!dst->data) - return miRegionBreak (dst); - dst->data->size = src->data->numRects; -@@ -1667,6 +1679,7 @@ miRectsToRegion(nrects, prect, ctype) - register BoxPtr pBox; - register int i; - int x1, y1, x2, y2; -+ size_t newSize; - - pRgn = miRegionCreate(NullBox, 0); - if (REGION_NAR (pRgn)) -@@ -1691,7 +1704,8 @@ miRectsToRegion(nrects, prect, ctype) - } - return pRgn; - } -- pData = xallocData(nrects); -+ newSize = REGION_SZOF(nrects); -+ pData = newSize > 0 ? xalloc(newSize) : NULL; - if (!pData) - { - miRegionBreak (pRgn); -@@ -2206,8 +2220,9 @@ miRegionDataCopy( - } - if (!dst->data || (dst->data->size < src->data->numRects)) - { -+ size_t newSize = REGION_SZOF(src->data->numRects); - xfreeData(dst); -- dst->data = xallocData(src->data->numRects); -+ dst->data = newSize > 0 ? xalloc(newSize) : NULL; - if (!dst->data) - return miRegionBreak (dst); - } --- -2.1.4 - diff --git a/debian/patches/1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-.full.patch b/debian/patches/1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-.full.patch new file mode 100644 index 000000000..3dddcb0f4 --- /dev/null +++ b/debian/patches/1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-.full.patch @@ -0,0 +1,46 @@ +From 82d7279ebfa04f319e68145b3adbf65716e59584 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Wed, 22 Jan 2014 23:44:46 -0800 +Subject: [PATCH 22/40] dix: integer overflow in REQUEST_FIXED_SIZE() + [CVE-2014-8092 4/4] + +Force use of 64-bit integers when evaluating data provided by clients +in 32-bit fields which can overflow when added or multiplied during +checks. + +Reported-by: Ilja Van Sprundel +Signed-off-by: Alan Coopersmith +Reviewed-by: Peter Hutterer + +RHEL5: add #include for uint64_t +v3: backport to nx-libs 3.6.x (Mike DePaulo) +--- + nx-X11/programs/Xserver/include/dix.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/nx-X11/programs/Xserver/include/dix.h b/nx-X11/programs/Xserver/include/dix.h +index 1b8fc42..d82979c 100644 +--- a/nx-X11/programs/Xserver/include/dix.h ++++ b/nx-X11/programs/Xserver/include/dix.h +@@ -50,6 +50,8 @@ SOFTWARE. + #ifndef DIX_H + #define DIX_H + ++#include ++ + #include "gc.h" + #include "window.h" + #include "input.h" +@@ -73,7 +75,8 @@ SOFTWARE. + + #define REQUEST_FIXED_SIZE(req, n)\ + if (((sizeof(req) >> 2) > client->req_len) || \ +- (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \ ++ ((n >> 2) >= client->req_len) || \ ++ ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \ + return(BadLength) + + #define LEGAL_NEW_RESOURCE(id,client)\ +-- +2.1.4 + diff --git a/debian/patches/1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch b/debian/patches/1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch deleted file mode 100644 index 3dddcb0f4..000000000 --- a/debian/patches/1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 82d7279ebfa04f319e68145b3adbf65716e59584 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Wed, 22 Jan 2014 23:44:46 -0800 -Subject: [PATCH 22/40] dix: integer overflow in REQUEST_FIXED_SIZE() - [CVE-2014-8092 4/4] - -Force use of 64-bit integers when evaluating data provided by clients -in 32-bit fields which can overflow when added or multiplied during -checks. - -Reported-by: Ilja Van Sprundel -Signed-off-by: Alan Coopersmith -Reviewed-by: Peter Hutterer - -RHEL5: add #include for uint64_t -v3: backport to nx-libs 3.6.x (Mike DePaulo) ---- - nx-X11/programs/Xserver/include/dix.h | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/nx-X11/programs/Xserver/include/dix.h b/nx-X11/programs/Xserver/include/dix.h -index 1b8fc42..d82979c 100644 ---- a/nx-X11/programs/Xserver/include/dix.h -+++ b/nx-X11/programs/Xserver/include/dix.h -@@ -50,6 +50,8 @@ SOFTWARE. - #ifndef DIX_H - #define DIX_H - -+#include -+ - #include "gc.h" - #include "window.h" - #include "input.h" -@@ -73,7 +75,8 @@ SOFTWARE. - - #define REQUEST_FIXED_SIZE(req, n)\ - if (((sizeof(req) >> 2) > client->req_len) || \ -- (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \ -+ ((n >> 2) >= client->req_len) || \ -+ ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \ - return(BadLength) - - #define LEGAL_NEW_RESOURCE(id,client)\ --- -2.1.4 - diff --git a/debian/patches/1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch b/debian/patches/1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch deleted file mode 100644 index 5b9beb1c1..000000000 --- a/debian/patches/1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 985ca320f841bd9a3efc484f92436b3d65ec1b31 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Wed, 22 Jan 2014 23:12:04 -0800 -Subject: [PATCH 23/40] dbe: unvalidated lengths in DbeSwapBuffers calls - [CVE-2014-8097] - -ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read -from a buffer. The length is never validated, which can lead to out of -bound reads, and possibly returning the data read from out of bounds to -the misbehaving client via an X Error packet. - -SProcDbeSwapBuffers() swaps data (for correct endianness) before -handing it off to the real proc. While doing the swapping, the -length field is not validated, which can cause memory corruption. - -v2: reorder checks to avoid compilers optimizing out checks for overflow -that happen after we'd already have done the overflowing multiplications. -v3: backport to nx-libs 3.6.x (Mike DePaulo) - -Reported-by: Ilja Van Sprundel -Signed-off-by: Alan Coopersmith -Reviewed-by: Peter Hutterer - -Conflicts: - dbe/dbe.c ---- - nx-X11/programs/Xserver/dbe/dbe.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/nx-X11/programs/Xserver/dbe/dbe.c b/nx-X11/programs/Xserver/dbe/dbe.c -index c0d6131..5a1e9b0 100644 ---- a/nx-X11/programs/Xserver/dbe/dbe.c -+++ b/nx-X11/programs/Xserver/dbe/dbe.c -@@ -725,8 +725,8 @@ ProcDbeSwapBuffers(client) - DbeSwapInfoPtr swapInfo; - xDbeSwapInfo *dbeSwapInfo; - int error; -- register int i, j; -- int nStuff; -+ unsigned int i, j; -+ unsigned int nStuff; - - - REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); -@@ -734,11 +734,13 @@ ProcDbeSwapBuffers(client) - - if (nStuff == 0) - { -+ REQUEST_SIZE_MATCH(xDbeSwapBuffersReq); - return(Success); - } - - if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec)) - return BadAlloc; -+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo)); - - /* Get to the swap info appended to the end of the request. */ - dbeSwapInfo = (xDbeSwapInfo *)&stuff[1]; -@@ -1289,7 +1291,7 @@ SProcDbeSwapBuffers(client) - ClientPtr client; - { - REQUEST(xDbeSwapBuffersReq); -- register int i, n; -+ unsigned int i, n; - xDbeSwapInfo *pSwapInfo; - - -@@ -1297,6 +1299,9 @@ SProcDbeSwapBuffers(client) - REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); - - swapl(&stuff->n, n); -+ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec)) -+ return BadAlloc; -+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo)); - - if (stuff->n != 0) - { --- -2.1.4 - diff --git a/debian/patches/1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls.full.patch b/debian/patches/1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls.full.patch new file mode 100644 index 000000000..5b9beb1c1 --- /dev/null +++ b/debian/patches/1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls.full.patch @@ -0,0 +1,80 @@ +From 985ca320f841bd9a3efc484f92436b3d65ec1b31 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Wed, 22 Jan 2014 23:12:04 -0800 +Subject: [PATCH 23/40] dbe: unvalidated lengths in DbeSwapBuffers calls + [CVE-2014-8097] + +ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read +from a buffer. The length is never validated, which can lead to out of +bound reads, and possibly returning the data read from out of bounds to +the misbehaving client via an X Error packet. + +SProcDbeSwapBuffers() swaps data (for correct endianness) before +handing it off to the real proc. While doing the swapping, the +length field is not validated, which can cause memory corruption. + +v2: reorder checks to avoid compilers optimizing out checks for overflow +that happen after we'd already have done the overflowing multiplications. +v3: backport to nx-libs 3.6.x (Mike DePaulo) + +Reported-by: Ilja Van Sprundel +Signed-off-by: Alan Coopersmith +Reviewed-by: Peter Hutterer + +Conflicts: + dbe/dbe.c +--- + nx-X11/programs/Xserver/dbe/dbe.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/nx-X11/programs/Xserver/dbe/dbe.c b/nx-X11/programs/Xserver/dbe/dbe.c +index c0d6131..5a1e9b0 100644 +--- a/nx-X11/programs/Xserver/dbe/dbe.c ++++ b/nx-X11/programs/Xserver/dbe/dbe.c +@@ -725,8 +725,8 @@ ProcDbeSwapBuffers(client) + DbeSwapInfoPtr swapInfo; + xDbeSwapInfo *dbeSwapInfo; + int error; +- register int i, j; +- int nStuff; ++ unsigned int i, j; ++ unsigned int nStuff; + + + REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); +@@ -734,11 +734,13 @@ ProcDbeSwapBuffers(client) + + if (nStuff == 0) + { ++ REQUEST_SIZE_MATCH(xDbeSwapBuffersReq); + return(Success); + } + + if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec)) + return BadAlloc; ++ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo)); + + /* Get to the swap info appended to the end of the request. */ + dbeSwapInfo = (xDbeSwapInfo *)&stuff[1]; +@@ -1289,7 +1291,7 @@ SProcDbeSwapBuffers(client) + ClientPtr client; + { + REQUEST(xDbeSwapBuffersReq); +- register int i, n; ++ unsigned int i, n; + xDbeSwapInfo *pSwapInfo; + + +@@ -1297,6 +1299,9 @@ SProcDbeSwapBuffers(client) + REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); + + swapl(&stuff->n, n); ++ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec)) ++ return BadAlloc; ++ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo)); + + if (stuff->n != 0) + { +-- +2.1.4 + diff --git a/debian/patches/1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-.full.patch b/debian/patches/1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-.full.patch new file mode 100644 index 000000000..884fa435c --- /dev/null +++ b/debian/patches/1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-.full.patch @@ -0,0 +1,114 @@ +From fde1375e373137ac52d0530b819bf9df64ab14c1 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sun, 26 Jan 2014 10:54:41 -0800 +Subject: [PATCH 24/40] Xi: unvalidated lengths in Xinput extension + [CVE-2014-8095] + +Multiple functions in the Xinput extension handling of requests from +clients failed to check that the length of the request sent by the +client was large enough to perform all the required operations and +thus could read or write to memory outside the bounds of the request +buffer. + +This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE +macro in include/dix.h for the common case of needing to ensure a +request is large enough to include both the request itself and a +minimum amount of extra data following the request header. + +v2: backport to nx-libs 3.6.x (Mike DePaulo) + +Signed-off-by: Alan Coopersmith +Reviewed-by: Peter Hutterer + +Conflicts: + Xi/chgdctl.c + Xi/chgfctl.c + Xi/xiallowev.c + Xi/xichangecursor.c + Xi/xichangehierarchy.c + Xi/xigetclientpointer.c + Xi/xigrabdev.c + Xi/xipassivegrab.c + Xi/xiproperty.c + Xi/xiquerydevice.c + Xi/xiquerypointer.c + Xi/xiselectev.c + Xi/xisetclientpointer.c + Xi/xisetdevfocus.c + Xi/xiwarppointer.c + +[RHEL5: Xi/xi* files are XI2 ] +--- + nx-X11/programs/Xserver/Xi/chgdctl.c | 4 ++-- + nx-X11/programs/Xserver/Xi/chgfctl.c | 2 ++ + nx-X11/programs/Xserver/Xi/sendexev.c | 3 +++ + nx-X11/programs/Xserver/include/dix.h | 4 ++++ + 4 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/nx-X11/programs/Xserver/Xi/chgdctl.c b/nx-X11/programs/Xserver/Xi/chgdctl.c +index 63a3c9c..144a51e 100644 +--- a/nx-X11/programs/Xserver/Xi/chgdctl.c ++++ b/nx-X11/programs/Xserver/Xi/chgdctl.c +@@ -87,7 +87,7 @@ SProcXChangeDeviceControl(client) + + REQUEST(xChangeDeviceControlReq); + swaps(&stuff->length, n); +- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq); ++ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl)); + swaps(&stuff->control, n); + return(ProcXChangeDeviceControl(client)); + } +@@ -111,7 +111,7 @@ ProcXChangeDeviceControl(client) + CARD32 *resolution; + + REQUEST(xChangeDeviceControlReq); +- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq); ++ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl)); + + len = stuff->length - (sizeof(xChangeDeviceControlReq) >>2); + dev = LookupDeviceIntRec (stuff->deviceid); +diff --git a/nx-X11/programs/Xserver/Xi/chgfctl.c b/nx-X11/programs/Xserver/Xi/chgfctl.c +index fe8bd1f..3ffac39 100644 +--- a/nx-X11/programs/Xserver/Xi/chgfctl.c ++++ b/nx-X11/programs/Xserver/Xi/chgfctl.c +@@ -160,6 +160,8 @@ ProcXChangeFeedbackControl(client) + xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]); + if (client->swapped) + { ++ if (len < (sizeof(xStringFeedbackCtl) + 3) >> 2) ++ return BadLength; + swaps(&f->num_keysyms,n); + } + if (len != ((sizeof(xStringFeedbackCtl)>>2) + f->num_keysyms)) +diff --git a/nx-X11/programs/Xserver/Xi/sendexev.c b/nx-X11/programs/Xserver/Xi/sendexev.c +index 9b441f2..0b2a701 100644 +--- a/nx-X11/programs/Xserver/Xi/sendexev.c ++++ b/nx-X11/programs/Xserver/Xi/sendexev.c +@@ -154,6 +154,9 @@ ProcXSendExtensionEvent (client) + return Success; + } + ++ if (stuff->num_events == 0) ++ return ret; ++ + /* The client's event type must be one defined by an extension. */ + + first = ((xEvent *) &stuff[1]); +diff --git a/nx-X11/programs/Xserver/include/dix.h b/nx-X11/programs/Xserver/include/dix.h +index d82979c..9fe575e 100644 +--- a/nx-X11/programs/Xserver/include/dix.h ++++ b/nx-X11/programs/Xserver/include/dix.h +@@ -73,6 +73,10 @@ SOFTWARE. + if ((sizeof(req) >> 2) > client->req_len )\ + return(BadLength) + ++#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra) \ ++ if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \ ++ return(BadLength) ++ + #define REQUEST_FIXED_SIZE(req, n)\ + if (((sizeof(req) >> 2) > client->req_len) || \ + ((n >> 2) >= client->req_len) || \ +-- +2.1.4 + diff --git a/debian/patches/1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch b/debian/patches/1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch deleted file mode 100644 index 884fa435c..000000000 --- a/debian/patches/1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch +++ /dev/null @@ -1,114 +0,0 @@ -From fde1375e373137ac52d0530b819bf9df64ab14c1 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sun, 26 Jan 2014 10:54:41 -0800 -Subject: [PATCH 24/40] Xi: unvalidated lengths in Xinput extension - [CVE-2014-8095] - -Multiple functions in the Xinput extension handling of requests from -clients failed to check that the length of the request sent by the -client was large enough to perform all the required operations and -thus could read or write to memory outside the bounds of the request -buffer. - -This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE -macro in include/dix.h for the common case of needing to ensure a -request is large enough to include both the request itself and a -minimum amount of extra data following the request header. - -v2: backport to nx-libs 3.6.x (Mike DePaulo) - -Signed-off-by: Alan Coopersmith -Reviewed-by: Peter Hutterer - -Conflicts: - Xi/chgdctl.c - Xi/chgfctl.c - Xi/xiallowev.c - Xi/xichangecursor.c - Xi/xichangehierarchy.c - Xi/xigetclientpointer.c - Xi/xigrabdev.c - Xi/xipassivegrab.c - Xi/xiproperty.c - Xi/xiquerydevice.c - Xi/xiquerypointer.c - Xi/xiselectev.c - Xi/xisetclientpointer.c - Xi/xisetdevfocus.c - Xi/xiwarppointer.c - -[RHEL5: Xi/xi* files are XI2 ] ---- - nx-X11/programs/Xserver/Xi/chgdctl.c | 4 ++-- - nx-X11/programs/Xserver/Xi/chgfctl.c | 2 ++ - nx-X11/programs/Xserver/Xi/sendexev.c | 3 +++ - nx-X11/programs/Xserver/include/dix.h | 4 ++++ - 4 files changed, 11 insertions(+), 2 deletions(-) - -diff --git a/nx-X11/programs/Xserver/Xi/chgdctl.c b/nx-X11/programs/Xserver/Xi/chgdctl.c -index 63a3c9c..144a51e 100644 ---- a/nx-X11/programs/Xserver/Xi/chgdctl.c -+++ b/nx-X11/programs/Xserver/Xi/chgdctl.c -@@ -87,7 +87,7 @@ SProcXChangeDeviceControl(client) - - REQUEST(xChangeDeviceControlReq); - swaps(&stuff->length, n); -- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq); -+ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl)); - swaps(&stuff->control, n); - return(ProcXChangeDeviceControl(client)); - } -@@ -111,7 +111,7 @@ ProcXChangeDeviceControl(client) - CARD32 *resolution; - - REQUEST(xChangeDeviceControlReq); -- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq); -+ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl)); - - len = stuff->length - (sizeof(xChangeDeviceControlReq) >>2); - dev = LookupDeviceIntRec (stuff->deviceid); -diff --git a/nx-X11/programs/Xserver/Xi/chgfctl.c b/nx-X11/programs/Xserver/Xi/chgfctl.c -index fe8bd1f..3ffac39 100644 ---- a/nx-X11/programs/Xserver/Xi/chgfctl.c -+++ b/nx-X11/programs/Xserver/Xi/chgfctl.c -@@ -160,6 +160,8 @@ ProcXChangeFeedbackControl(client) - xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]); - if (client->swapped) - { -+ if (len < (sizeof(xStringFeedbackCtl) + 3) >> 2) -+ return BadLength; - swaps(&f->num_keysyms,n); - } - if (len != ((sizeof(xStringFeedbackCtl)>>2) + f->num_keysyms)) -diff --git a/nx-X11/programs/Xserver/Xi/sendexev.c b/nx-X11/programs/Xserver/Xi/sendexev.c -index 9b441f2..0b2a701 100644 ---- a/nx-X11/programs/Xserver/Xi/sendexev.c -+++ b/nx-X11/programs/Xserver/Xi/sendexev.c -@@ -154,6 +154,9 @@ ProcXSendExtensionEvent (client) - return Success; - } - -+ if (stuff->num_events == 0) -+ return ret; -+ - /* The client's event type must be one defined by an extension. */ - - first = ((xEvent *) &stuff[1]); -diff --git a/nx-X11/programs/Xserver/include/dix.h b/nx-X11/programs/Xserver/include/dix.h -index d82979c..9fe575e 100644 ---- a/nx-X11/programs/Xserver/include/dix.h -+++ b/nx-X11/programs/Xserver/include/dix.h -@@ -73,6 +73,10 @@ SOFTWARE. - if ((sizeof(req) >> 2) > client->req_len )\ - return(BadLength) - -+#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra) \ -+ if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \ -+ return(BadLength) -+ - #define REQUEST_FIXED_SIZE(req, n)\ - if (((sizeof(req) >> 2) > client->req_len) || \ - ((n >> 2) >= client->req_len) || \ --- -2.1.4 - diff --git a/debian/patches/1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDL.full.patch b/debian/patches/1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDL.full.patch new file mode 100644 index 000000000..342728ef6 --- /dev/null +++ b/debian/patches/1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDL.full.patch @@ -0,0 +1,29 @@ +From 0d53194f7ef5980a7cd78950a4f3eb2b56e65746 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sun, 26 Jan 2014 17:18:54 -0800 +Subject: [PATCH 25/40] xcmisc: unvalidated length in SProcXCMiscGetXIDList() + [CVE-2014-8096] + +v2: backport to nx-libs 3.6.x (Mike DePaulo) + +Signed-off-by: Alan Coopersmith +Reviewed-by: Peter Hutterer +--- + nx-X11/programs/Xserver/Xext/xcmisc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/nx-X11/programs/Xserver/Xext/xcmisc.c b/nx-X11/programs/Xserver/Xext/xcmisc.c +index c7bb72d..0a9a090 100644 +--- a/nx-X11/programs/Xserver/Xext/xcmisc.c ++++ b/nx-X11/programs/Xserver/Xext/xcmisc.c +@@ -228,6 +228,7 @@ SProcXCMiscGetXIDList(client) + { + register int n; + REQUEST(xXCMiscGetXIDListReq); ++ REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq); + + swaps(&stuff->length, n); + swapl(&stuff->count, n); +-- +2.1.4 + diff --git a/debian/patches/1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch b/debian/patches/1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch deleted file mode 100644 index 342728ef6..000000000 --- a/debian/patches/1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 0d53194f7ef5980a7cd78950a4f3eb2b56e65746 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sun, 26 Jan 2014 17:18:54 -0800 -Subject: [PATCH 25/40] xcmisc: unvalidated length in SProcXCMiscGetXIDList() - [CVE-2014-8096] - -v2: backport to nx-libs 3.6.x (Mike DePaulo) - -Signed-off-by: Alan Coopersmith -Reviewed-by: Peter Hutterer ---- - nx-X11/programs/Xserver/Xext/xcmisc.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/nx-X11/programs/Xserver/Xext/xcmisc.c b/nx-X11/programs/Xserver/Xext/xcmisc.c -index c7bb72d..0a9a090 100644 ---- a/nx-X11/programs/Xserver/Xext/xcmisc.c -+++ b/nx-X11/programs/Xserver/Xext/xcmisc.c -@@ -228,6 +228,7 @@ SProcXCMiscGetXIDList(client) - { - register int n; - REQUEST(xXCMiscGetXIDListReq); -+ REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq); - - swaps(&stuff->length, n); - swapl(&stuff->count, n); --- -2.1.4 - diff --git a/debian/patches/1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch b/debian/patches/1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch new file mode 100644 index 000000000..1d458a7fe --- /dev/null +++ b/debian/patches/1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch @@ -0,0 +1,184 @@ +From 2abde565df5de98800cec428fe612cb979063c02 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sun, 26 Jan 2014 19:23:17 -0800 +Subject: [PATCH 26/40] Xv: unvalidated lengths in XVideo extension swapped + procs [CVE-2014-8099] + +v2: backport to nx-libs 3.6.x (Mike DePaulo) + +Signed-off-by: Alan Coopersmith +Reviewed-by: Peter Hutterer + +Conflicts: + Xext/xvdisp.c +--- + nx-X11/programs/Xserver/Xext/xvdisp.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/nx-X11/programs/Xserver/Xext/xvdisp.c b/nx-X11/programs/Xserver/Xext/xvdisp.c +index 21ab0b6..b361c0f 100644 +--- a/nx-X11/programs/Xserver/Xext/xvdisp.c ++++ b/nx-X11/programs/Xserver/Xext/xvdisp.c +@@ -1347,6 +1347,7 @@ SProcXvQueryExtension(ClientPtr client) + { + register char n; + REQUEST(xvQueryExtensionReq); ++ REQUEST_SIZE_MATCH(xvQueryExtensionReq); + swaps(&stuff->length, n); + return ProcXvQueryExtension(client); + } +@@ -1356,6 +1357,7 @@ SProcXvQueryAdaptors(ClientPtr client) + { + register char n; + REQUEST(xvQueryAdaptorsReq); ++ REQUEST_SIZE_MATCH(xvQueryAdaptorsReq); + swaps(&stuff->length, n); + swapl(&stuff->window, n); + return ProcXvQueryAdaptors(client); +@@ -1366,6 +1368,7 @@ SProcXvQueryEncodings(ClientPtr client) + { + register char n; + REQUEST(xvQueryEncodingsReq); ++ REQUEST_SIZE_MATCH(xvQueryEncodingsReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + return ProcXvQueryEncodings(client); +@@ -1376,6 +1379,7 @@ SProcXvGrabPort(ClientPtr client) + { + register char n; + REQUEST(xvGrabPortReq); ++ REQUEST_SIZE_MATCH(xvGrabPortReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->time, n); +@@ -1387,6 +1391,7 @@ SProcXvUngrabPort(ClientPtr client) + { + register char n; + REQUEST(xvUngrabPortReq); ++ REQUEST_SIZE_MATCH(xvUngrabPortReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->time, n); +@@ -1398,6 +1403,7 @@ SProcXvPutVideo(ClientPtr client) + { + register char n; + REQUEST(xvPutVideoReq); ++ REQUEST_SIZE_MATCH(xvPutVideoReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->drawable, n); +@@ -1418,6 +1424,7 @@ SProcXvPutStill(ClientPtr client) + { + register char n; + REQUEST(xvPutStillReq); ++ REQUEST_SIZE_MATCH(xvPutStillReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->drawable, n); +@@ -1438,6 +1445,7 @@ SProcXvGetVideo(ClientPtr client) + { + register char n; + REQUEST(xvGetVideoReq); ++ REQUEST_SIZE_MATCH(xvGetVideoReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->drawable, n); +@@ -1458,6 +1466,7 @@ SProcXvGetStill(ClientPtr client) + { + register char n; + REQUEST(xvGetStillReq); ++ REQUEST_SIZE_MATCH(xvGetStillReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->drawable, n); +@@ -1478,6 +1487,7 @@ SProcXvPutImage(ClientPtr client) + { + register char n; + REQUEST(xvPutImageReq); ++ REQUEST_AT_LEAST_SIZE(xvPutImageReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->drawable, n); +@@ -1502,6 +1512,7 @@ SProcXvShmPutImage(ClientPtr client) + { + register char n; + REQUEST(xvShmPutImageReq); ++ REQUEST_SIZE_MATCH(xvShmPutImageReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->drawable, n); +@@ -1529,6 +1540,7 @@ SProcXvSelectVideoNotify(ClientPtr client) + { + register char n; + REQUEST(xvSelectVideoNotifyReq); ++ REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq); + swaps(&stuff->length, n); + swapl(&stuff->drawable, n); + return ProcXvSelectVideoNotify(client); +@@ -1539,6 +1551,7 @@ SProcXvSelectPortNotify(ClientPtr client) + { + register char n; + REQUEST(xvSelectPortNotifyReq); ++ REQUEST_SIZE_MATCH(xvSelectPortNotifyReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + return ProcXvSelectPortNotify(client); +@@ -1549,6 +1562,7 @@ SProcXvStopVideo(ClientPtr client) + { + register char n; + REQUEST(xvStopVideoReq); ++ REQUEST_SIZE_MATCH(xvStopVideoReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->drawable, n); +@@ -1560,6 +1574,7 @@ SProcXvSetPortAttribute(ClientPtr client) + { + register char n; + REQUEST(xvSetPortAttributeReq); ++ REQUEST_SIZE_MATCH(xvSetPortAttributeReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->attribute, n); +@@ -1571,6 +1586,7 @@ SProcXvGetPortAttribute(ClientPtr client) + { + register char n; + REQUEST(xvGetPortAttributeReq); ++ REQUEST_SIZE_MATCH(xvGetPortAttributeReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swapl(&stuff->attribute, n); +@@ -1582,6 +1598,7 @@ SProcXvQueryBestSize(ClientPtr client) + { + register char n; + REQUEST(xvQueryBestSizeReq); ++ REQUEST_SIZE_MATCH(xvQueryBestSizeReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + swaps(&stuff->vid_w, n); +@@ -1596,6 +1613,7 @@ SProcXvQueryPortAttributes(ClientPtr client) + { + register char n; + REQUEST(xvQueryPortAttributesReq); ++ REQUEST_SIZE_MATCH(xvQueryPortAttributesReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + return ProcXvQueryPortAttributes(client); +@@ -1606,6 +1624,7 @@ SProcXvQueryImageAttributes(ClientPtr client) + { + register char n; + REQUEST(xvQueryImageAttributesReq); ++ REQUEST_SIZE_MATCH(xvQueryImageAttributesReq); + swaps(&stuff->length, n); + swapl(&stuff->id, n); + swaps(&stuff->width, n); +@@ -1618,6 +1637,7 @@ SProcXvListImageFormats(ClientPtr client) + { + register char n; + REQUEST(xvListImageFormatsReq); ++ REQUEST_SIZE_MATCH(xvListImageFormatsReq); + swaps(&stuff->length, n); + swapl(&stuff->port, n); + return ProcXvListImageFormats(client); +-- +2.1.4 + diff --git a/debian/patches/1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch b/debian/patches/1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch deleted file mode 100644 index 1d458a7fe..000000000 --- a/debian/patches/1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch +++ /dev/null @@ -1,184 +0,0 @@ -From 2abde565df5de98800cec428fe612cb979063c02 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sun, 26 Jan 2014 19:23:17 -0800 -Subject: [PATCH 26/40] Xv: unvalidated lengths in XVideo extension swapped - procs [CVE-2014-8099] - -v2: backport to nx-libs 3.6.x (Mike DePaulo) - -Signed-off-by: Alan Coopersmith -Reviewed-by: Peter Hutterer - -Conflicts: - Xext/xvdisp.c ---- - nx-X11/programs/Xserver/Xext/xvdisp.c | 20 ++++++++++++++++++++ - 1 file changed, 20 insertions(+) - -diff --git a/nx-X11/programs/Xserver/Xext/xvdisp.c b/nx-X11/programs/Xserver/Xext/xvdisp.c -index 21ab0b6..b361c0f 100644 ---- a/nx-X11/programs/Xserver/Xext/xvdisp.c -+++ b/nx-X11/programs/Xserver/Xext/xvdisp.c -@@ -1347,6 +1347,7 @@ SProcXvQueryExtension(ClientPtr client) - { - register char n; - REQUEST(xvQueryExtensionReq); -+ REQUEST_SIZE_MATCH(xvQueryExtensionReq); - swaps(&stuff->length, n); - return ProcXvQueryExtension(client); - } -@@ -1356,6 +1357,7 @@ SProcXvQueryAdaptors(ClientPtr client) - { - register char n; - REQUEST(xvQueryAdaptorsReq); -+ REQUEST_SIZE_MATCH(xvQueryAdaptorsReq); - swaps(&stuff->length, n); - swapl(&stuff->window, n); - return ProcXvQueryAdaptors(client); -@@ -1366,6 +1368,7 @@ SProcXvQueryEncodings(ClientPtr client) - { - register char n; - REQUEST(xvQueryEncodingsReq); -+ REQUEST_SIZE_MATCH(xvQueryEncodingsReq); - swaps(&stuff->length, n); - swapl(&stuff->port, n); - return ProcXvQueryEncodings(client); -@@ -1376,6 +1379,7 @@ SProcXvGrabPort(ClientPtr client) - { - register char n; - REQUEST(xvGrabPortReq); -+ REQUEST_SIZE_MATCH(xvGrabPortReq); - swaps(&stuff->length, n); - swapl(&stuff->port, n); - swapl(&stuff->time, n); -@@ -1387,6 +1391,7 @@ SProcXvUngrabPort(ClientPtr client) - { - register char n; - REQUEST(xvUngrabPortReq); -+ REQUEST_SIZE_MATCH(xvUngrabPortReq); - swaps(&stuff->length, n); - swapl(&stuff->port, n); - swapl(&stuff->time, n); -@@ -1398,6 +1403,7 @@ SProcXvPutVideo(ClientPtr client) - { - register char n; - REQUEST(xvPutVideoReq); -+ REQUEST_SIZE_MATCH(xvPutVideoReq); - swaps(&stuff->length, n); - swapl(&stuff->port, n); - swapl(&stuff->drawable, n); -@@ -1418,6 +1424,7 @@ SProcXvPutStill(ClientPtr client) - { - register char n; - REQUEST(xvPutStillReq); -+ REQUEST_SIZE_MATCH(xvPutStillReq); - swaps(&stuff->length, n); - swapl(&stuff->port, n); - swapl(&stuff->drawable, n); -@@ -1438,6 +1445,7 @@ SProcXvGetVideo(ClientPtr client) - { - register char n; - REQUEST(xvGetVideoReq); -+ REQUEST_SIZE_MATCH(xvGetVideoReq); - swaps(&stuff->length, n); - swapl(&stuff->port, n); - swapl(&stuff->drawable, n); -@@ -1458,6 +1466,7 @@ SProcXvGetStill(ClientPtr client) - { - register char n; - REQUEST(xvGetStillReq); -+ REQUEST_SIZE_MATCH(xvGetStillReq); - swaps(&stuff->length, n); - swapl(&stuff->port, n); - swapl(&stuff->drawable, n); -@@ -1478,6 +1487,7 @@ SProcXvPutImage(ClientPtr client) - { - register char n; - REQUEST(xvPutImageReq); -+ REQUEST_AT_LEAST_SIZE(xvPutImageReq); - swaps(&stuff->length, n); - swapl(&stuff->port, n); - swapl(&stuff->drawable, n); -@@ -1502,6 +1512,7 @@ SProcXvShmPutImage(ClientPtr client) - { - register char n; - REQUEST(xvShmPutImageReq); -+ REQUEST_SIZE_MATCH(xvShmPutImageReq); - swaps(&stuff->length, n); - swapl(&stuff->port, n); - swapl(&stuff->drawable, n); -@@ -1529,6 +1540,7 @@ SProcXvSelectVideoNotify(ClientPtr client) - { - register char n; - REQUEST(xvSelectVideoNotifyReq); -+ REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq); - swaps(&stuff->length, n); - swapl(&stuff->drawable, n); - return ProcXvSelectVideoNotify(client); -@@ -1539,6 +1551,7 @@ SProcXvSelectPortNotify(ClientPtr client) - { - register char n; - REQUEST(xvSelectPortNotifyReq); -+ REQUEST_SIZE_MATCH(xvSelectPortNotifyReq); - swaps(&stuff->length, n); - swapl(&stuff->port, n); - return ProcXvSelectPortNotify(client); -@@ -1549,6 +1562,7 @@ SProcXvStopVideo(ClientPtr client) - { - register char n; - REQUEST(xvStopVideoReq); -+ REQUEST_SIZE_MATCH(xvStopVideoReq); - swaps(&stuff->length, n); - swapl(&stuff->port, n); - swapl(&stuff->drawable, n); -@@ -1560,6 +1574,7 @@ SProcXvSetPortAttribute(ClientPtr client) - { - register char n; - REQUEST(xvSetPortAttributeReq); -+ REQUEST_SIZE_MATCH(xvSetPortAttributeReq); - swaps(&stuff->length, n); - swapl(&stuff->port, n); - swapl(&stuff->attribute, n); -@@ -1571,6 +1586,7 @@ SProcXvGetPortAttribute(ClientPtr client) - { - register char n; - REQUEST(xvGetPortAttributeReq); -+ REQUEST_SIZE_MATCH(xvGetPortAttributeReq); - swaps(&stuff->length, n); - swapl(&stuff->port, n); - swapl(&stuff->attribute, n); -@@ -1582,6 +1598,7 @@ SProcXvQueryBestSize(ClientPtr client) - { - register char n; - REQUEST(xvQueryBestSizeReq); -+ REQUEST_SIZE_MATCH(xvQueryBestSizeReq); - swaps(&stuff->length, n); - swapl(&stuff->port, n); - swaps(&stuff->vid_w, n); -@@ -1596,6 +1613,7 @@ SProcXvQueryPortAttributes(ClientPtr client) - { - register char n; - REQUEST(xvQueryPortAttributesReq); -+ REQUEST_SIZE_MATCH(xvQueryPortAttributesReq); - swaps(&stuff->length, n); - swapl(&stuff->port, n); - return ProcXvQueryPortAttributes(client); -@@ -1606,6 +1624,7 @@ SProcXvQueryImageAttributes(ClientPtr client) - { - register char n; - REQUEST(xvQueryImageAttributesReq); -+ REQUEST_SIZE_MATCH(xvQueryImageAttributesReq); - swaps(&stuff->length, n); - swapl(&stuff->id, n); - swaps(&stuff->width, n); -@@ -1618,6 +1637,7 @@ SProcXvListImageFormats(ClientPtr client) - { - register char n; - REQUEST(xvListImageFormatsReq); -+ REQUEST_SIZE_MATCH(xvListImageFormatsReq); - swaps(&stuff->length, n); - swapl(&stuff->port, n); - return ProcXvListImageFormats(client); --- -2.1.4 - diff --git a/debian/patches/1027-render-check-request-size-before-reading-it-CVE-2014.patch b/debian/patches/1027-render-check-request-size-before-reading-it-CVE-2014.patch deleted file mode 100644 index 9540ddeda..000000000 --- a/debian/patches/1027-render-check-request-size-before-reading-it-CVE-2014.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 6c820648ba4be98c94f61516e83f13edf5ed98db Mon Sep 17 00:00:00 2001 -From: Julien Cristau -Date: Tue, 28 Oct 2014 10:30:04 +0100 -Subject: [PATCH 27/40] render: check request size before reading it - [CVE-2014-8100 1/2] - -Otherwise we may be reading outside of the client request. - -v2: backport to nx-libs 3.6.x (Mike DePaulo) - -Signed-off-by: Julien Cristau -Reviewed-by: Alan Coopersmith -Signed-off-by: Alan Coopersmith - -Conflicts: - render/render.c ---- - nx-X11/programs/Xserver/render/render.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/nx-X11/programs/Xserver/render/render.c b/nx-X11/programs/Xserver/render/render.c -index d25d497..ebbce81 100644 ---- a/nx-X11/programs/Xserver/render/render.c -+++ b/nx-X11/programs/Xserver/render/render.c -@@ -283,10 +283,11 @@ ProcRenderQueryVersion (ClientPtr client) - register int n; - REQUEST(xRenderQueryVersionReq); - -+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq); -+ - pRenderClient->major_version = stuff->majorVersion; - pRenderClient->minor_version = stuff->minorVersion; - -- REQUEST_SIZE_MATCH(xRenderQueryVersionReq); - rep.type = X_Reply; - rep.length = 0; - rep.sequenceNumber = client->sequence; --- -2.1.4 - diff --git a/debian/patches/1027-render-check-request-size-before-reading-it-CVE.full.patch b/debian/patches/1027-render-check-request-size-before-reading-it-CVE.full.patch new file mode 100644 index 000000000..9540ddeda --- /dev/null +++ b/debian/patches/1027-render-check-request-size-before-reading-it-CVE.full.patch @@ -0,0 +1,40 @@ +From 6c820648ba4be98c94f61516e83f13edf5ed98db Mon Sep 17 00:00:00 2001 +From: Julien Cristau +Date: Tue, 28 Oct 2014 10:30:04 +0100 +Subject: [PATCH 27/40] render: check request size before reading it + [CVE-2014-8100 1/2] + +Otherwise we may be reading outside of the client request. + +v2: backport to nx-libs 3.6.x (Mike DePaulo) + +Signed-off-by: Julien Cristau +Reviewed-by: Alan Coopersmith +Signed-off-by: Alan Coopersmith + +Conflicts: + render/render.c +--- + nx-X11/programs/Xserver/render/render.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/nx-X11/programs/Xserver/render/render.c b/nx-X11/programs/Xserver/render/render.c +index d25d497..ebbce81 100644 +--- a/nx-X11/programs/Xserver/render/render.c ++++ b/nx-X11/programs/Xserver/render/render.c +@@ -283,10 +283,11 @@ ProcRenderQueryVersion (ClientPtr client) + register int n; + REQUEST(xRenderQueryVersionReq); + ++ REQUEST_SIZE_MATCH(xRenderQueryVersionReq); ++ + pRenderClient->major_version = stuff->majorVersion; + pRenderClient->minor_version = stuff->minorVersion; + +- REQUEST_SIZE_MATCH(xRenderQueryVersionReq); + rep.type = X_Reply; + rep.length = 0; + rep.sequenceNumber = client->sequence; +-- +2.1.4 + diff --git a/debian/patches/1028-render-unvalidated-lengths-in-Render-extn.-swap.full.patch b/debian/patches/1028-render-unvalidated-lengths-in-Render-extn.-swap.full.patch new file mode 100644 index 000000000..b90b03c87 --- /dev/null +++ b/debian/patches/1028-render-unvalidated-lengths-in-Render-extn.-swap.full.patch @@ -0,0 +1,146 @@ +From 9c3842a4f72b4cca28ac1d5c14441787c7dd6e6a Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sun, 26 Jan 2014 19:51:29 -0800 +Subject: [PATCH 28/40] render: unvalidated lengths in Render extn. swapped + procs [CVE-2014-8100 2/2] + +v2: backport to nx-libs 3.6.x (Mike DePaulo) + +Signed-off-by: Alan Coopersmith +Reviewed-by: Peter Hutterer + +Conflicts: + render/render.c +--- + nx-X11/programs/Xserver/render/render.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/nx-X11/programs/Xserver/render/render.c b/nx-X11/programs/Xserver/render/render.c +index ebbce81..eee21db 100644 +--- a/nx-X11/programs/Xserver/render/render.c ++++ b/nx-X11/programs/Xserver/render/render.c +@@ -2014,6 +2014,7 @@ SProcRenderQueryVersion (ClientPtr client) + { + register int n; + REQUEST(xRenderQueryVersionReq); ++ REQUEST_SIZE_MATCH(xRenderQueryVersionReq); + + swaps(&stuff->length, n); + swapl(&stuff->majorVersion, n); +@@ -2026,6 +2027,7 @@ SProcRenderQueryPictFormats (ClientPtr client) + { + register int n; + REQUEST(xRenderQueryPictFormatsReq); ++ REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq); + swaps(&stuff->length, n); + return (*ProcRenderVector[stuff->renderReqType]) (client); + } +@@ -2035,6 +2037,7 @@ SProcRenderQueryPictIndexValues (ClientPtr client) + { + register int n; + REQUEST(xRenderQueryPictIndexValuesReq); ++ REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq); + swaps(&stuff->length, n); + swapl(&stuff->format, n); + return (*ProcRenderVector[stuff->renderReqType]) (client); +@@ -2051,6 +2054,7 @@ SProcRenderCreatePicture (ClientPtr client) + { + register int n; + REQUEST(xRenderCreatePictureReq); ++ REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq); + swaps(&stuff->length, n); + swapl(&stuff->pid, n); + swapl(&stuff->drawable, n); +@@ -2065,6 +2069,7 @@ SProcRenderChangePicture (ClientPtr client) + { + register int n; + REQUEST(xRenderChangePictureReq); ++ REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq); + swaps(&stuff->length, n); + swapl(&stuff->picture, n); + swapl(&stuff->mask, n); +@@ -2077,6 +2082,7 @@ SProcRenderSetPictureClipRectangles (ClientPtr client) + { + register int n; + REQUEST(xRenderSetPictureClipRectanglesReq); ++ REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq); + swaps(&stuff->length, n); + swapl(&stuff->picture, n); + SwapRestS(stuff); +@@ -2088,6 +2094,7 @@ SProcRenderFreePicture (ClientPtr client) + { + register int n; + REQUEST(xRenderFreePictureReq); ++ REQUEST_SIZE_MATCH(xRenderFreePictureReq); + swaps(&stuff->length, n); + swapl(&stuff->picture, n); + return (*ProcRenderVector[stuff->renderReqType]) (client); +@@ -2098,6 +2105,7 @@ SProcRenderComposite (ClientPtr client) + { + register int n; + REQUEST(xRenderCompositeReq); ++ REQUEST_SIZE_MATCH(xRenderCompositeReq); + swaps(&stuff->length, n); + swapl(&stuff->src, n); + swapl(&stuff->mask, n); +@@ -2118,6 +2126,7 @@ SProcRenderScale (ClientPtr client) + { + register int n; + REQUEST(xRenderScaleReq); ++ REQUEST_SIZE_MATCH(xRenderScaleReq); + swaps(&stuff->length, n); + swapl(&stuff->src, n); + swapl(&stuff->dst, n); +@@ -2223,6 +2232,7 @@ SProcRenderCreateGlyphSet (ClientPtr client) + { + register int n; + REQUEST(xRenderCreateGlyphSetReq); ++ REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq); + swaps(&stuff->length, n); + swapl(&stuff->gsid, n); + swapl(&stuff->format, n); +@@ -2234,6 +2244,7 @@ SProcRenderReferenceGlyphSet (ClientPtr client) + { + register int n; + REQUEST(xRenderReferenceGlyphSetReq); ++ REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq); + swaps(&stuff->length, n); + swapl(&stuff->gsid, n); + swapl(&stuff->existing, n); +@@ -2245,6 +2256,7 @@ SProcRenderFreeGlyphSet (ClientPtr client) + { + register int n; + REQUEST(xRenderFreeGlyphSetReq); ++ REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq); + swaps(&stuff->length, n); + swapl(&stuff->glyphset, n); + return (*ProcRenderVector[stuff->renderReqType]) (client); +@@ -2259,6 +2271,7 @@ SProcRenderAddGlyphs (ClientPtr client) + void *end; + xGlyphInfo *gi; + REQUEST(xRenderAddGlyphsReq); ++ REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq); + swaps(&stuff->length, n); + swapl(&stuff->glyphset, n); + swapl(&stuff->nglyphs, n); +@@ -2295,6 +2308,7 @@ SProcRenderFreeGlyphs (ClientPtr client) + { + register int n; + REQUEST(xRenderFreeGlyphsReq); ++ REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq); + swaps(&stuff->length, n); + swapl(&stuff->glyphset, n); + SwapRestL(stuff); +@@ -2313,7 +2327,8 @@ SProcRenderCompositeGlyphs (ClientPtr client) + int size; + + REQUEST(xRenderCompositeGlyphsReq); +- ++ REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq); ++ + switch (stuff->renderReqType) { + default: size = 1; break; + case X_RenderCompositeGlyphs16: size = 2; break; +-- +2.1.4 + diff --git a/debian/patches/1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch b/debian/patches/1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch deleted file mode 100644 index b90b03c87..000000000 --- a/debian/patches/1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch +++ /dev/null @@ -1,146 +0,0 @@ -From 9c3842a4f72b4cca28ac1d5c14441787c7dd6e6a Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sun, 26 Jan 2014 19:51:29 -0800 -Subject: [PATCH 28/40] render: unvalidated lengths in Render extn. swapped - procs [CVE-2014-8100 2/2] - -v2: backport to nx-libs 3.6.x (Mike DePaulo) - -Signed-off-by: Alan Coopersmith -Reviewed-by: Peter Hutterer - -Conflicts: - render/render.c ---- - nx-X11/programs/Xserver/render/render.c | 17 ++++++++++++++++- - 1 file changed, 16 insertions(+), 1 deletion(-) - -diff --git a/nx-X11/programs/Xserver/render/render.c b/nx-X11/programs/Xserver/render/render.c -index ebbce81..eee21db 100644 ---- a/nx-X11/programs/Xserver/render/render.c -+++ b/nx-X11/programs/Xserver/render/render.c -@@ -2014,6 +2014,7 @@ SProcRenderQueryVersion (ClientPtr client) - { - register int n; - REQUEST(xRenderQueryVersionReq); -+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq); - - swaps(&stuff->length, n); - swapl(&stuff->majorVersion, n); -@@ -2026,6 +2027,7 @@ SProcRenderQueryPictFormats (ClientPtr client) - { - register int n; - REQUEST(xRenderQueryPictFormatsReq); -+ REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq); - swaps(&stuff->length, n); - return (*ProcRenderVector[stuff->renderReqType]) (client); - } -@@ -2035,6 +2037,7 @@ SProcRenderQueryPictIndexValues (ClientPtr client) - { - register int n; - REQUEST(xRenderQueryPictIndexValuesReq); -+ REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq); - swaps(&stuff->length, n); - swapl(&stuff->format, n); - return (*ProcRenderVector[stuff->renderReqType]) (client); -@@ -2051,6 +2054,7 @@ SProcRenderCreatePicture (ClientPtr client) - { - register int n; - REQUEST(xRenderCreatePictureReq); -+ REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq); - swaps(&stuff->length, n); - swapl(&stuff->pid, n); - swapl(&stuff->drawable, n); -@@ -2065,6 +2069,7 @@ SProcRenderChangePicture (ClientPtr client) - { - register int n; - REQUEST(xRenderChangePictureReq); -+ REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq); - swaps(&stuff->length, n); - swapl(&stuff->picture, n); - swapl(&stuff->mask, n); -@@ -2077,6 +2082,7 @@ SProcRenderSetPictureClipRectangles (ClientPtr client) - { - register int n; - REQUEST(xRenderSetPictureClipRectanglesReq); -+ REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq); - swaps(&stuff->length, n); - swapl(&stuff->picture, n); - SwapRestS(stuff); -@@ -2088,6 +2094,7 @@ SProcRenderFreePicture (ClientPtr client) - { - register int n; - REQUEST(xRenderFreePictureReq); -+ REQUEST_SIZE_MATCH(xRenderFreePictureReq); - swaps(&stuff->length, n); - swapl(&stuff->picture, n); - return (*ProcRenderVector[stuff->renderReqType]) (client); -@@ -2098,6 +2105,7 @@ SProcRenderComposite (ClientPtr client) - { - register int n; - REQUEST(xRenderCompositeReq); -+ REQUEST_SIZE_MATCH(xRenderCompositeReq); - swaps(&stuff->length, n); - swapl(&stuff->src, n); - swapl(&stuff->mask, n); -@@ -2118,6 +2126,7 @@ SProcRenderScale (ClientPtr client) - { - register int n; - REQUEST(xRenderScaleReq); -+ REQUEST_SIZE_MATCH(xRenderScaleReq); - swaps(&stuff->length, n); - swapl(&stuff->src, n); - swapl(&stuff->dst, n); -@@ -2223,6 +2232,7 @@ SProcRenderCreateGlyphSet (ClientPtr client) - { - register int n; - REQUEST(xRenderCreateGlyphSetReq); -+ REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq); - swaps(&stuff->length, n); - swapl(&stuff->gsid, n); - swapl(&stuff->format, n); -@@ -2234,6 +2244,7 @@ SProcRenderReferenceGlyphSet (ClientPtr client) - { - register int n; - REQUEST(xRenderReferenceGlyphSetReq); -+ REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq); - swaps(&stuff->length, n); - swapl(&stuff->gsid, n); - swapl(&stuff->existing, n); -@@ -2245,6 +2256,7 @@ SProcRenderFreeGlyphSet (ClientPtr client) - { - register int n; - REQUEST(xRenderFreeGlyphSetReq); -+ REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq); - swaps(&stuff->length, n); - swapl(&stuff->glyphset, n); - return (*ProcRenderVector[stuff->renderReqType]) (client); -@@ -2259,6 +2271,7 @@ SProcRenderAddGlyphs (ClientPtr client) - void *end; - xGlyphInfo *gi; - REQUEST(xRenderAddGlyphsReq); -+ REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq); - swaps(&stuff->length, n); - swapl(&stuff->glyphset, n); - swapl(&stuff->nglyphs, n); -@@ -2295,6 +2308,7 @@ SProcRenderFreeGlyphs (ClientPtr client) - { - register int n; - REQUEST(xRenderFreeGlyphsReq); -+ REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq); - swaps(&stuff->length, n); - swapl(&stuff->glyphset, n); - SwapRestL(stuff); -@@ -2313,7 +2327,8 @@ SProcRenderCompositeGlyphs (ClientPtr client) - int size; - - REQUEST(xRenderCompositeGlyphsReq); -- -+ REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq); -+ - switch (stuff->renderReqType) { - default: size = 1; break; - case X_RenderCompositeGlyphs16: size = 2; break; --- -2.1.4 - diff --git a/debian/patches/1029-xfixes-unvalidated-length-in-SProcXFixesSelectS.full.patch b/debian/patches/1029-xfixes-unvalidated-length-in-SProcXFixesSelectS.full.patch new file mode 100644 index 000000000..90bc32431 --- /dev/null +++ b/debian/patches/1029-xfixes-unvalidated-length-in-SProcXFixesSelectS.full.patch @@ -0,0 +1,32 @@ +From c12a473f29cfadb62d38b0fffc36762d8e626676 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sun, 26 Jan 2014 20:02:20 -0800 +Subject: [PATCH 29/40] xfixes: unvalidated length in + SProcXFixesSelectSelectionInput [CVE-2014-8102] + +Signed-off-by: Alan Coopersmith +Reviewed-by: Peter Hutterer + +v2: backport to nx-libs 3.6.x (Mike DePaulo) + +Conflicts: + xfixes/select.c +--- + nx-X11/programs/Xserver/xfixes/select.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/nx-X11/programs/Xserver/xfixes/select.c b/nx-X11/programs/Xserver/xfixes/select.c +index c72e19e..4b8bd01 100755 +--- a/nx-X11/programs/Xserver/xfixes/select.c ++++ b/nx-X11/programs/Xserver/xfixes/select.c +@@ -216,6 +216,7 @@ SProcXFixesSelectSelectionInput (ClientPtr client) + register int n; + REQUEST(xXFixesSelectSelectionInputReq); + ++ REQUEST_SIZE_MATCH(xXFixesSelectSelectionInputReq); + swaps(&stuff->length, n); + swapl(&stuff->window, n); + swapl(&stuff->selection, n); +-- +2.1.4 + diff --git a/debian/patches/1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch b/debian/patches/1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch deleted file mode 100644 index 90bc32431..000000000 --- a/debian/patches/1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch +++ /dev/null @@ -1,32 +0,0 @@ -From c12a473f29cfadb62d38b0fffc36762d8e626676 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sun, 26 Jan 2014 20:02:20 -0800 -Subject: [PATCH 29/40] xfixes: unvalidated length in - SProcXFixesSelectSelectionInput [CVE-2014-8102] - -Signed-off-by: Alan Coopersmith -Reviewed-by: Peter Hutterer - -v2: backport to nx-libs 3.6.x (Mike DePaulo) - -Conflicts: - xfixes/select.c ---- - nx-X11/programs/Xserver/xfixes/select.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/nx-X11/programs/Xserver/xfixes/select.c b/nx-X11/programs/Xserver/xfixes/select.c -index c72e19e..4b8bd01 100755 ---- a/nx-X11/programs/Xserver/xfixes/select.c -+++ b/nx-X11/programs/Xserver/xfixes/select.c -@@ -216,6 +216,7 @@ SProcXFixesSelectSelectionInput (ClientPtr client) - register int n; - REQUEST(xXFixesSelectSelectionInputReq); - -+ REQUEST_SIZE_MATCH(xXFixesSelectSelectionInputReq); - swaps(&stuff->length, n); - swapl(&stuff->window, n); - swapl(&stuff->selection, n); --- -2.1.4 - diff --git a/debian/patches/1030-randr-unvalidated-lengths-in-RandR-extension-sw.full.patch b/debian/patches/1030-randr-unvalidated-lengths-in-RandR-extension-sw.full.patch new file mode 100644 index 000000000..6a1757d3c --- /dev/null +++ b/debian/patches/1030-randr-unvalidated-lengths-in-RandR-extension-sw.full.patch @@ -0,0 +1,45 @@ +From cea44678dd6a9418460ead314fb2106924b081f7 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sun, 26 Jan 2014 19:38:09 -0800 +Subject: [PATCH 30/40] randr: unvalidated lengths in RandR extension swapped + procs [CVE-2014-8101] + +v2: backport to nx-libs 3.6.x (Mike DePaulo) + +Signed-off-by: Alan Coopersmith +Reviewed-by: Peter Hutterer +--- + nx-X11/programs/Xserver/randr/rrsdispatch.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/nx-X11/programs/Xserver/randr/rrsdispatch.c b/nx-X11/programs/Xserver/randr/rrsdispatch.c +index 80d16b7..c4425ec 100644 +--- a/nx-X11/programs/Xserver/randr/rrsdispatch.c ++++ b/nx-X11/programs/Xserver/randr/rrsdispatch.c +@@ -28,6 +28,7 @@ SProcRRQueryVersion (ClientPtr client) + register int n; + REQUEST(xRRQueryVersionReq); + ++ REQUEST_SIZE_MATCH(xRRQueryVersionReq); + swaps(&stuff->length, n); + swapl(&stuff->majorVersion, n); + swapl(&stuff->minorVersion, n); +@@ -40,6 +41,7 @@ SProcRRGetScreenInfo (ClientPtr client) + register int n; + REQUEST(xRRGetScreenInfoReq); + ++ REQUEST_SIZE_MATCH(xRRGetScreenInfoReq); + swaps(&stuff->length, n); + swapl(&stuff->window, n); + return (*ProcRandrVector[stuff->randrReqType]) (client); +@@ -75,6 +77,7 @@ SProcRRSelectInput (ClientPtr client) + register int n; + REQUEST(xRRSelectInputReq); + ++ REQUEST_SIZE_MATCH(xRRSelectInputReq); + swaps(&stuff->length, n); + swapl(&stuff->window, n); + swaps(&stuff->enable, n); +-- +2.1.4 + diff --git a/debian/patches/1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch b/debian/patches/1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch deleted file mode 100644 index 6a1757d3c..000000000 --- a/debian/patches/1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch +++ /dev/null @@ -1,45 +0,0 @@ -From cea44678dd6a9418460ead314fb2106924b081f7 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sun, 26 Jan 2014 19:38:09 -0800 -Subject: [PATCH 30/40] randr: unvalidated lengths in RandR extension swapped - procs [CVE-2014-8101] - -v2: backport to nx-libs 3.6.x (Mike DePaulo) - -Signed-off-by: Alan Coopersmith -Reviewed-by: Peter Hutterer ---- - nx-X11/programs/Xserver/randr/rrsdispatch.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/nx-X11/programs/Xserver/randr/rrsdispatch.c b/nx-X11/programs/Xserver/randr/rrsdispatch.c -index 80d16b7..c4425ec 100644 ---- a/nx-X11/programs/Xserver/randr/rrsdispatch.c -+++ b/nx-X11/programs/Xserver/randr/rrsdispatch.c -@@ -28,6 +28,7 @@ SProcRRQueryVersion (ClientPtr client) - register int n; - REQUEST(xRRQueryVersionReq); - -+ REQUEST_SIZE_MATCH(xRRQueryVersionReq); - swaps(&stuff->length, n); - swapl(&stuff->majorVersion, n); - swapl(&stuff->minorVersion, n); -@@ -40,6 +41,7 @@ SProcRRGetScreenInfo (ClientPtr client) - register int n; - REQUEST(xRRGetScreenInfoReq); - -+ REQUEST_SIZE_MATCH(xRRGetScreenInfoReq); - swaps(&stuff->length, n); - swapl(&stuff->window, n); - return (*ProcRandrVector[stuff->randrReqType]) (client); -@@ -75,6 +77,7 @@ SProcRRSelectInput (ClientPtr client) - register int n; - REQUEST(xRRSelectInputReq); - -+ REQUEST_SIZE_MATCH(xRRSelectInputReq); - swaps(&stuff->length, n); - swapl(&stuff->window, n); - swaps(&stuff->enable, n); --- -2.1.4 - diff --git a/debian/patches/1031-glx-Be-more-paranoid-about-variable-length-requ.full.patch b/debian/patches/1031-glx-Be-more-paranoid-about-variable-length-requ.full.patch new file mode 100644 index 000000000..6d16d2ec4 --- /dev/null +++ b/debian/patches/1031-glx-Be-more-paranoid-about-variable-length-requ.full.patch @@ -0,0 +1,76 @@ +From 5c43bb2484414b37115dac56dc76f1ecf4c05837 Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Mon, 10 Nov 2014 12:13:36 -0500 +Subject: [PATCH 31/40] glx: Be more paranoid about variable-length requests + [CVE-2014-8093 1/6] (v2) + +If the size computation routine returns -1 we should just reject the +request outright. Clamping it to zero could give an attacker the +opportunity to also mangle cmdlen in such a way that the subsequent +length check passes, and the request would get executed, thus passing +data we wanted to reject to the renderer. + +v3: backport to nx-libs 3.6.x (Mike DePaulo) +v2: backport to RHEL5 - fix swap paths +Reviewed-by: Keith Packard +Reviewed-by: Julien Cristau +Reviewed-by: Michal Srb +Reviewed-by: Andy Ritger +Signed-off-by: Adam Jackson +Signed-off-by: Alan Coopersmith +Signed-off-by: Fedora X Ninjas +Signed-off-by: Dave Airlie + +fixup swaps +--- + nx-X11/programs/Xserver/GL/glx/glxcmds.c | 4 ++-- + nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmds.c b/nx-X11/programs/Xserver/GL/glx/glxcmds.c +index ca5eee8..02f3ba7 100644 +--- a/nx-X11/programs/Xserver/GL/glx/glxcmds.c ++++ b/nx-X11/programs/Xserver/GL/glx/glxcmds.c +@@ -1484,7 +1484,7 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc) + /* variable size command */ + extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False); + if (extra < 0) { +- extra = 0; ++ return BadLength; + } + if (cmdlen != __GLX_PAD(entry->bytes + extra)) { + return BadLength; +@@ -1601,7 +1601,7 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) + */ + extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False); + if (extra < 0) { +- extra = 0; ++ return BadLength; + } + /* large command's header is 4 bytes longer, so add 4 */ + if (cmdlen != __GLX_PAD(entry->bytes + 4 + extra)) { +diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c +index 595e814..027cba7 100644 +--- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c ++++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c +@@ -535,7 +535,7 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc) + /* variable size command */ + extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True); + if (extra < 0) { +- extra = 0; ++ return BadLength; + } + if (cmdlen != __GLX_PAD(entry->bytes + extra)) { + return BadLength; +@@ -659,7 +659,7 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) + */ + extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True); + if (extra < 0) { +- extra = 0; ++ return BadLength; + } + /* large command's header is 4 bytes longer, so add 4 */ + if (cmdlen != __GLX_PAD(entry->bytes + 4 + extra)) { +-- +2.1.4 + diff --git a/debian/patches/1031-glx-Be-more-paranoid-about-variable-length-requests-.patch b/debian/patches/1031-glx-Be-more-paranoid-about-variable-length-requests-.patch deleted file mode 100644 index 6d16d2ec4..000000000 --- a/debian/patches/1031-glx-Be-more-paranoid-about-variable-length-requests-.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 5c43bb2484414b37115dac56dc76f1ecf4c05837 Mon Sep 17 00:00:00 2001 -From: Adam Jackson -Date: Mon, 10 Nov 2014 12:13:36 -0500 -Subject: [PATCH 31/40] glx: Be more paranoid about variable-length requests - [CVE-2014-8093 1/6] (v2) - -If the size computation routine returns -1 we should just reject the -request outright. Clamping it to zero could give an attacker the -opportunity to also mangle cmdlen in such a way that the subsequent -length check passes, and the request would get executed, thus passing -data we wanted to reject to the renderer. - -v3: backport to nx-libs 3.6.x (Mike DePaulo) -v2: backport to RHEL5 - fix swap paths -Reviewed-by: Keith Packard -Reviewed-by: Julien Cristau -Reviewed-by: Michal Srb -Reviewed-by: Andy Ritger -Signed-off-by: Adam Jackson -Signed-off-by: Alan Coopersmith -Signed-off-by: Fedora X Ninjas -Signed-off-by: Dave Airlie - -fixup swaps ---- - nx-X11/programs/Xserver/GL/glx/glxcmds.c | 4 ++-- - nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 4 ++-- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmds.c b/nx-X11/programs/Xserver/GL/glx/glxcmds.c -index ca5eee8..02f3ba7 100644 ---- a/nx-X11/programs/Xserver/GL/glx/glxcmds.c -+++ b/nx-X11/programs/Xserver/GL/glx/glxcmds.c -@@ -1484,7 +1484,7 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc) - /* variable size command */ - extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False); - if (extra < 0) { -- extra = 0; -+ return BadLength; - } - if (cmdlen != __GLX_PAD(entry->bytes + extra)) { - return BadLength; -@@ -1601,7 +1601,7 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) - */ - extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False); - if (extra < 0) { -- extra = 0; -+ return BadLength; - } - /* large command's header is 4 bytes longer, so add 4 */ - if (cmdlen != __GLX_PAD(entry->bytes + 4 + extra)) { -diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c -index 595e814..027cba7 100644 ---- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c -+++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c -@@ -535,7 +535,7 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc) - /* variable size command */ - extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True); - if (extra < 0) { -- extra = 0; -+ return BadLength; - } - if (cmdlen != __GLX_PAD(entry->bytes + extra)) { - return BadLength; -@@ -659,7 +659,7 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) - */ - extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True); - if (extra < 0) { -- extra = 0; -+ return BadLength; - } - /* large command's header is 4 bytes longer, so add 4 */ - if (cmdlen != __GLX_PAD(entry->bytes + 4 + extra)) { --- -2.1.4 - diff --git a/debian/patches/1032-glx-Be-more-strict-about-rejecting-invalid-imag.full.patch b/debian/patches/1032-glx-Be-more-strict-about-rejecting-invalid-imag.full.patch new file mode 100644 index 000000000..af577aaa9 --- /dev/null +++ b/debian/patches/1032-glx-Be-more-strict-about-rejecting-invalid-imag.full.patch @@ -0,0 +1,163 @@ +From cdf0c3e65670c797a4fd0617d44d2bdff4011815 Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Mon, 10 Nov 2014 12:13:37 -0500 +Subject: [PATCH 32/40] glx: Be more strict about rejecting invalid image sizes + [CVE-2014-8093 2/6] + +Before this we'd just clamp the image size to 0, which was just +hideously stupid; if the parameters were such that they'd overflow an +integer, you'd allocate a small buffer, then pass huge values into (say) +ReadPixels, and now you're scribbling over arbitrary server memory. + +v2: backport to nx-libs 3.6.x (Mike DePaulo) + +Reviewed-by: Keith Packard +Reviewed-by: Julien Cristau +Reviewed-by: Michal Srb +Reviewed-by: Andy Ritger +Signed-off-by: Adam Jackson +Signed-off-by: Alan Coopersmith +Signed-off-by: Fedora X Ninjas +Signed-off-by: Dave Airlie +--- + nx-X11/programs/Xserver/GL/glx/singlepix.c | 14 +++++++------- + nx-X11/programs/Xserver/GL/glx/singlepixswap.c | 14 +++++++------- + 2 files changed, 14 insertions(+), 14 deletions(-) + +diff --git a/nx-X11/programs/Xserver/GL/glx/singlepix.c b/nx-X11/programs/Xserver/GL/glx/singlepix.c +index 845c46a..be804d8 100644 +--- a/nx-X11/programs/Xserver/GL/glx/singlepix.c ++++ b/nx-X11/programs/Xserver/GL/glx/singlepix.c +@@ -70,7 +70,7 @@ int __glXDisp_ReadPixels(__GLXclientState *cl, GLbyte *pc) + swapBytes = *(GLboolean *)(pc + 24); + lsbFirst = *(GLboolean *)(pc + 25); + compsize = __glReadPixels_size(format,type,width,height); +- if (compsize < 0) compsize = 0; ++ if (compsize < 0) return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); + glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst); +@@ -130,7 +130,7 @@ int __glXDisp_GetTexImage(__GLXclientState *cl, GLbyte *pc) + * are illegal, but then width, height, and depth would still be zero anyway. + */ + compsize = __glGetTexImage_size(target,level,format,type,width,height,depth); +- if (compsize < 0) compsize = 0; ++ if (compsize < 0) return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); + __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); +@@ -227,7 +227,7 @@ int __glXDisp_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc) + compsize = __glGetTexImage_size(target,1,format,type,width,1,1); + compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1); + +- if (compsize < 0) compsize = 0; ++ if (compsize < 0) return BadLength; + if (compsize2 < 0) compsize2 = 0; + compsize = __GLX_PAD(compsize); + compsize2 = __GLX_PAD(compsize2); +@@ -291,7 +291,7 @@ int __glXDisp_GetConvolutionFilter(__GLXclientState *cl, GLbyte *pc) + * are illegal, but then width and height would still be zero anyway. + */ + compsize = __glGetTexImage_size(target,1,format,type,width,height,1); +- if (compsize < 0) compsize = 0; ++ if (compsize < 0) return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); + __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); +@@ -346,7 +346,7 @@ int __glXDisp_GetHistogram(__GLXclientState *cl, GLbyte *pc) + * are illegal, but then width would still be zero anyway. + */ + compsize = __glGetTexImage_size(target,1,format,type,width,1,1); +- if (compsize < 0) compsize = 0; ++ if (compsize < 0) return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); + __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); +@@ -389,7 +389,7 @@ int __glXDisp_GetMinmax(__GLXclientState *cl, GLbyte *pc) + reset = *(GLboolean *)(pc + 13); + + compsize = __glGetTexImage_size(target,1,format,type,2,1,1); +- if (compsize < 0) compsize = 0; ++ if (compsize < 0) return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); + __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); +@@ -436,7 +436,7 @@ int __glXDisp_GetColorTable(__GLXclientState *cl, GLbyte *pc) + * are illegal, but then width would still be zero anyway. + */ + compsize = __glGetTexImage_size(target,1,format,type,width,1,1); +- if (compsize < 0) compsize = 0; ++ if (compsize < 0) return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); + __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); +diff --git a/nx-X11/programs/Xserver/GL/glx/singlepixswap.c b/nx-X11/programs/Xserver/GL/glx/singlepixswap.c +index ff68ece..cdc6f16 100644 +--- a/nx-X11/programs/Xserver/GL/glx/singlepixswap.c ++++ b/nx-X11/programs/Xserver/GL/glx/singlepixswap.c +@@ -79,7 +79,7 @@ int __glXDispSwap_ReadPixels(__GLXclientState *cl, GLbyte *pc) + swapBytes = *(GLboolean *)(pc + 24); + lsbFirst = *(GLboolean *)(pc + 25); + compsize = __glReadPixels_size(format,type,width,height); +- if (compsize < 0) compsize = 0; ++ if (compsize < 0) return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); + glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst); +@@ -148,7 +148,7 @@ int __glXDispSwap_GetTexImage(__GLXclientState *cl, GLbyte *pc) + * are illegal, but then width, height, and depth would still be zero anyway. + */ + compsize = __glGetTexImage_size(target,level,format,type,width,height,depth); +- if (compsize < 0) compsize = 0; ++ if (compsize < 0) return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); + __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); +@@ -257,7 +257,7 @@ int __glXDispSwap_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc) + compsize = __glGetTexImage_size(target,1,format,type,width,1,1); + compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1); + +- if (compsize < 0) compsize = 0; ++ if (compsize < 0) return BadLength; + if (compsize2 < 0) compsize2 = 0; + compsize = __GLX_PAD(compsize); + compsize2 = __GLX_PAD(compsize2); +@@ -328,7 +328,7 @@ int __glXDispSwap_GetConvolutionFilter(__GLXclientState *cl, GLbyte *pc) + * are illegal, but then width and height would still be zero anyway. + */ + compsize = __glGetTexImage_size(target,1,format,type,width,height,1); +- if (compsize < 0) compsize = 0; ++ if (compsize < 0) return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); + __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); +@@ -390,7 +390,7 @@ int __glXDispSwap_GetHistogram(__GLXclientState *cl, GLbyte *pc) + * are illegal, but then width would still be zero anyway. + */ + compsize = __glGetTexImage_size(target,1,format,type,width,1,1); +- if (compsize < 0) compsize = 0; ++ if (compsize < 0) return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); + __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); +@@ -439,7 +439,7 @@ int __glXDispSwap_GetMinmax(__GLXclientState *cl, GLbyte *pc) + reset = *(GLboolean *)(pc + 13); + + compsize = __glGetTexImage_size(target,1,format,type,2,1,1); +- if (compsize < 0) compsize = 0; ++ if (compsize < 0) return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); + __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); +@@ -491,7 +491,7 @@ int __glXDispSwap_GetColorTable(__GLXclientState *cl, GLbyte *pc) + * are illegal, but then width would still be zero anyway. + */ + compsize = __glGetTexImage_size(target,1,format,type,width,1,1); +- if (compsize < 0) compsize = 0; ++ if (compsize < 0) return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); + __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); +-- +2.1.4 + diff --git a/debian/patches/1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch b/debian/patches/1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch deleted file mode 100644 index af577aaa9..000000000 --- a/debian/patches/1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch +++ /dev/null @@ -1,163 +0,0 @@ -From cdf0c3e65670c797a4fd0617d44d2bdff4011815 Mon Sep 17 00:00:00 2001 -From: Adam Jackson -Date: Mon, 10 Nov 2014 12:13:37 -0500 -Subject: [PATCH 32/40] glx: Be more strict about rejecting invalid image sizes - [CVE-2014-8093 2/6] - -Before this we'd just clamp the image size to 0, which was just -hideously stupid; if the parameters were such that they'd overflow an -integer, you'd allocate a small buffer, then pass huge values into (say) -ReadPixels, and now you're scribbling over arbitrary server memory. - -v2: backport to nx-libs 3.6.x (Mike DePaulo) - -Reviewed-by: Keith Packard -Reviewed-by: Julien Cristau -Reviewed-by: Michal Srb -Reviewed-by: Andy Ritger -Signed-off-by: Adam Jackson -Signed-off-by: Alan Coopersmith -Signed-off-by: Fedora X Ninjas -Signed-off-by: Dave Airlie ---- - nx-X11/programs/Xserver/GL/glx/singlepix.c | 14 +++++++------- - nx-X11/programs/Xserver/GL/glx/singlepixswap.c | 14 +++++++------- - 2 files changed, 14 insertions(+), 14 deletions(-) - -diff --git a/nx-X11/programs/Xserver/GL/glx/singlepix.c b/nx-X11/programs/Xserver/GL/glx/singlepix.c -index 845c46a..be804d8 100644 ---- a/nx-X11/programs/Xserver/GL/glx/singlepix.c -+++ b/nx-X11/programs/Xserver/GL/glx/singlepix.c -@@ -70,7 +70,7 @@ int __glXDisp_ReadPixels(__GLXclientState *cl, GLbyte *pc) - swapBytes = *(GLboolean *)(pc + 24); - lsbFirst = *(GLboolean *)(pc + 25); - compsize = __glReadPixels_size(format,type,width,height); -- if (compsize < 0) compsize = 0; -+ if (compsize < 0) return BadLength; - - glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); - glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst); -@@ -130,7 +130,7 @@ int __glXDisp_GetTexImage(__GLXclientState *cl, GLbyte *pc) - * are illegal, but then width, height, and depth would still be zero anyway. - */ - compsize = __glGetTexImage_size(target,level,format,type,width,height,depth); -- if (compsize < 0) compsize = 0; -+ if (compsize < 0) return BadLength; - - glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); - __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); -@@ -227,7 +227,7 @@ int __glXDisp_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc) - compsize = __glGetTexImage_size(target,1,format,type,width,1,1); - compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1); - -- if (compsize < 0) compsize = 0; -+ if (compsize < 0) return BadLength; - if (compsize2 < 0) compsize2 = 0; - compsize = __GLX_PAD(compsize); - compsize2 = __GLX_PAD(compsize2); -@@ -291,7 +291,7 @@ int __glXDisp_GetConvolutionFilter(__GLXclientState *cl, GLbyte *pc) - * are illegal, but then width and height would still be zero anyway. - */ - compsize = __glGetTexImage_size(target,1,format,type,width,height,1); -- if (compsize < 0) compsize = 0; -+ if (compsize < 0) return BadLength; - - glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); - __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); -@@ -346,7 +346,7 @@ int __glXDisp_GetHistogram(__GLXclientState *cl, GLbyte *pc) - * are illegal, but then width would still be zero anyway. - */ - compsize = __glGetTexImage_size(target,1,format,type,width,1,1); -- if (compsize < 0) compsize = 0; -+ if (compsize < 0) return BadLength; - - glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); - __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); -@@ -389,7 +389,7 @@ int __glXDisp_GetMinmax(__GLXclientState *cl, GLbyte *pc) - reset = *(GLboolean *)(pc + 13); - - compsize = __glGetTexImage_size(target,1,format,type,2,1,1); -- if (compsize < 0) compsize = 0; -+ if (compsize < 0) return BadLength; - - glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); - __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); -@@ -436,7 +436,7 @@ int __glXDisp_GetColorTable(__GLXclientState *cl, GLbyte *pc) - * are illegal, but then width would still be zero anyway. - */ - compsize = __glGetTexImage_size(target,1,format,type,width,1,1); -- if (compsize < 0) compsize = 0; -+ if (compsize < 0) return BadLength; - - glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); - __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); -diff --git a/nx-X11/programs/Xserver/GL/glx/singlepixswap.c b/nx-X11/programs/Xserver/GL/glx/singlepixswap.c -index ff68ece..cdc6f16 100644 ---- a/nx-X11/programs/Xserver/GL/glx/singlepixswap.c -+++ b/nx-X11/programs/Xserver/GL/glx/singlepixswap.c -@@ -79,7 +79,7 @@ int __glXDispSwap_ReadPixels(__GLXclientState *cl, GLbyte *pc) - swapBytes = *(GLboolean *)(pc + 24); - lsbFirst = *(GLboolean *)(pc + 25); - compsize = __glReadPixels_size(format,type,width,height); -- if (compsize < 0) compsize = 0; -+ if (compsize < 0) return BadLength; - - glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); - glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst); -@@ -148,7 +148,7 @@ int __glXDispSwap_GetTexImage(__GLXclientState *cl, GLbyte *pc) - * are illegal, but then width, height, and depth would still be zero anyway. - */ - compsize = __glGetTexImage_size(target,level,format,type,width,height,depth); -- if (compsize < 0) compsize = 0; -+ if (compsize < 0) return BadLength; - - glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); - __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); -@@ -257,7 +257,7 @@ int __glXDispSwap_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc) - compsize = __glGetTexImage_size(target,1,format,type,width,1,1); - compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1); - -- if (compsize < 0) compsize = 0; -+ if (compsize < 0) return BadLength; - if (compsize2 < 0) compsize2 = 0; - compsize = __GLX_PAD(compsize); - compsize2 = __GLX_PAD(compsize2); -@@ -328,7 +328,7 @@ int __glXDispSwap_GetConvolutionFilter(__GLXclientState *cl, GLbyte *pc) - * are illegal, but then width and height would still be zero anyway. - */ - compsize = __glGetTexImage_size(target,1,format,type,width,height,1); -- if (compsize < 0) compsize = 0; -+ if (compsize < 0) return BadLength; - - glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); - __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); -@@ -390,7 +390,7 @@ int __glXDispSwap_GetHistogram(__GLXclientState *cl, GLbyte *pc) - * are illegal, but then width would still be zero anyway. - */ - compsize = __glGetTexImage_size(target,1,format,type,width,1,1); -- if (compsize < 0) compsize = 0; -+ if (compsize < 0) return BadLength; - - glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); - __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); -@@ -439,7 +439,7 @@ int __glXDispSwap_GetMinmax(__GLXclientState *cl, GLbyte *pc) - reset = *(GLboolean *)(pc + 13); - - compsize = __glGetTexImage_size(target,1,format,type,2,1,1); -- if (compsize < 0) compsize = 0; -+ if (compsize < 0) return BadLength; - - glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); - __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); -@@ -491,7 +491,7 @@ int __glXDispSwap_GetColorTable(__GLXclientState *cl, GLbyte *pc) - * are illegal, but then width would still be zero anyway. - */ - compsize = __glGetTexImage_size(target,1,format,type,width,1,1); -- if (compsize < 0) compsize = 0; -+ if (compsize < 0) return BadLength; - - glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); - __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1); --- -2.1.4 - diff --git a/debian/patches/1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch b/debian/patches/1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch deleted file mode 100644 index a043d2104..000000000 --- a/debian/patches/1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch +++ /dev/null @@ -1,41 +0,0 @@ -From d0fcbc8a6ca82df82c410d0f8f9062b05fa5ec8d Mon Sep 17 00:00:00 2001 -From: Adam Jackson -Date: Mon, 10 Nov 2014 12:13:38 -0500 -Subject: [PATCH 33/40] glx: Additional paranoia in __glXGetAnswerBuffer / - __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6] - -If the computed reply size is negative, something went wrong, treat it -as an error. - -v2: Be more careful about size_t being unsigned (Matthieu Herrb) -v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith) -v4: backport to nx-libs 3.6.x (Mike DePaulo) - -Reviewed-by: Julien Cristau -Reviewed-by: Michal Srb -Reviewed-by: Andy Ritger -Signed-off-by: Adam Jackson -Signed-off-by: Alan Coopersmith -Signed-off-by: Fedora X Ninjas -Signed-off-by: Dave Airlie ---- - nx-X11/programs/Xserver/GL/glx/unpack.h | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/nx-X11/programs/Xserver/GL/glx/unpack.h b/nx-X11/programs/Xserver/GL/glx/unpack.h -index 723fb85..94bdae8 100644 ---- a/nx-X11/programs/Xserver/GL/glx/unpack.h -+++ b/nx-X11/programs/Xserver/GL/glx/unpack.h -@@ -89,7 +89,8 @@ extern xGLXSingleReply __glXReply; - ** pointer. - */ - #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \ -- if ((size) > sizeof(answerBuffer)) { \ -+ if (size < 0) return BadLength; \ -+ else if ((size) > sizeof(answerBuffer)) { \ - int bump; \ - if ((cl)->returnBufSize < (size)+(align)) { \ - (cl)->returnBuf = (GLbyte*)Xrealloc((cl)->returnBuf, \ --- -2.1.4 - diff --git a/debian/patches/1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer.full.patch b/debian/patches/1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer.full.patch new file mode 100644 index 000000000..a043d2104 --- /dev/null +++ b/debian/patches/1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer.full.patch @@ -0,0 +1,41 @@ +From d0fcbc8a6ca82df82c410d0f8f9062b05fa5ec8d Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Mon, 10 Nov 2014 12:13:38 -0500 +Subject: [PATCH 33/40] glx: Additional paranoia in __glXGetAnswerBuffer / + __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6] + +If the computed reply size is negative, something went wrong, treat it +as an error. + +v2: Be more careful about size_t being unsigned (Matthieu Herrb) +v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith) +v4: backport to nx-libs 3.6.x (Mike DePaulo) + +Reviewed-by: Julien Cristau +Reviewed-by: Michal Srb +Reviewed-by: Andy Ritger +Signed-off-by: Adam Jackson +Signed-off-by: Alan Coopersmith +Signed-off-by: Fedora X Ninjas +Signed-off-by: Dave Airlie +--- + nx-X11/programs/Xserver/GL/glx/unpack.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/nx-X11/programs/Xserver/GL/glx/unpack.h b/nx-X11/programs/Xserver/GL/glx/unpack.h +index 723fb85..94bdae8 100644 +--- a/nx-X11/programs/Xserver/GL/glx/unpack.h ++++ b/nx-X11/programs/Xserver/GL/glx/unpack.h +@@ -89,7 +89,8 @@ extern xGLXSingleReply __glXReply; + ** pointer. + */ + #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \ +- if ((size) > sizeof(answerBuffer)) { \ ++ if (size < 0) return BadLength; \ ++ else if ((size) > sizeof(answerBuffer)) { \ + int bump; \ + if ((cl)->returnBufSize < (size)+(align)) { \ + (cl)->returnBuf = (GLbyte*)Xrealloc((cl)->returnBuf, \ +-- +2.1.4 + diff --git a/debian/patches/1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-.full.patch b/debian/patches/1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-.full.patch new file mode 100644 index 000000000..3fe45a9bb --- /dev/null +++ b/debian/patches/1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-.full.patch @@ -0,0 +1,96 @@ +From 1a9f23118787be611b6db51e4eac864c43c702d9 Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Mon, 10 Nov 2014 12:13:40 -0500 +Subject: [PATCH 34/40] glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6] + (v4) + +These are paranoid about integer overflow, and will return -1 if their +operation would overflow a (signed) integer or if either argument is +negative. + +Note that RenderLarge requests are sized with a uint32_t so in principle +this could be sketchy there, but dix limits bigreqs to 128M so you +shouldn't ever notice, and honestly if you're sending more than 2G of +rendering commands you're already doing something very wrong. + +v2: Use INT_MAX for consistency with the rest of the server (jcristau) +v3: Reject negative arguments (anholt) + +v4: RHEL5: add limits.h, use inline + +v5: backport to nx-libs 3.6.x (Mike DePaulo) + +Reviewed-by: Keith Packard +Reviewed-by: Julien Cristau +Reviewed-by: Michal Srb +Reviewed-by: Andy Ritger +Signed-off-by: Adam Jackson +Signed-off-by: Alan Coopersmith +Signed-off-by: Fedora X Ninjas +Signed-off-by: Dave Airlie +--- + nx-X11/programs/Xserver/GL/glx/glxserver.h | 41 ++++++++++++++++++++++++++++++ + 1 file changed, 41 insertions(+) + +diff --git a/nx-X11/programs/Xserver/GL/glx/glxserver.h b/nx-X11/programs/Xserver/GL/glx/glxserver.h +index e8449b2..4047574 100644 +--- a/nx-X11/programs/Xserver/GL/glx/glxserver.h ++++ b/nx-X11/programs/Xserver/GL/glx/glxserver.h +@@ -54,6 +54,7 @@ + #include "GL/glx_ansic.h" + + ++#include + /* + ** The X header misc.h defines these math functions. + */ +@@ -223,6 +224,46 @@ extern void glxSwapQueryServerStringReply(ClientPtr client, + /* + * Routines for computing the size of variably-sized rendering commands. + */ ++static __inline__ int ++safe_add(int a, int b) ++{ ++ if (a < 0 || b < 0) ++ return -1; ++ ++ if (INT_MAX - a < b) ++ return -1; ++ ++ return a + b; ++} ++ ++static __inline__ int ++safe_mul(int a, int b) ++{ ++ if (a < 0 || b < 0) ++ return -1; ++ ++ if (a == 0 || b == 0) ++ return 0; ++ ++ if (a > INT_MAX / b) ++ return -1; ++ ++ return a * b; ++} ++ ++static __inline__ int ++safe_pad(int a) ++{ ++ int ret; ++ ++ if (a < 0) ++ return -1; ++ ++ if ((ret = safe_add(a, 3)) < 0) ++ return -1; ++ ++ return ret & (GLuint)~3; ++} + + extern int __glXTypeSize(GLenum enm); + extern int __glXImageSize(GLenum format, GLenum type, +-- +2.1.4 + diff --git a/debian/patches/1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch b/debian/patches/1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch deleted file mode 100644 index 3fe45a9bb..000000000 --- a/debian/patches/1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch +++ /dev/null @@ -1,96 +0,0 @@ -From 1a9f23118787be611b6db51e4eac864c43c702d9 Mon Sep 17 00:00:00 2001 -From: Adam Jackson -Date: Mon, 10 Nov 2014 12:13:40 -0500 -Subject: [PATCH 34/40] glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6] - (v4) - -These are paranoid about integer overflow, and will return -1 if their -operation would overflow a (signed) integer or if either argument is -negative. - -Note that RenderLarge requests are sized with a uint32_t so in principle -this could be sketchy there, but dix limits bigreqs to 128M so you -shouldn't ever notice, and honestly if you're sending more than 2G of -rendering commands you're already doing something very wrong. - -v2: Use INT_MAX for consistency with the rest of the server (jcristau) -v3: Reject negative arguments (anholt) - -v4: RHEL5: add limits.h, use inline - -v5: backport to nx-libs 3.6.x (Mike DePaulo) - -Reviewed-by: Keith Packard -Reviewed-by: Julien Cristau -Reviewed-by: Michal Srb -Reviewed-by: Andy Ritger -Signed-off-by: Adam Jackson -Signed-off-by: Alan Coopersmith -Signed-off-by: Fedora X Ninjas -Signed-off-by: Dave Airlie ---- - nx-X11/programs/Xserver/GL/glx/glxserver.h | 41 ++++++++++++++++++++++++++++++ - 1 file changed, 41 insertions(+) - -diff --git a/nx-X11/programs/Xserver/GL/glx/glxserver.h b/nx-X11/programs/Xserver/GL/glx/glxserver.h -index e8449b2..4047574 100644 ---- a/nx-X11/programs/Xserver/GL/glx/glxserver.h -+++ b/nx-X11/programs/Xserver/GL/glx/glxserver.h -@@ -54,6 +54,7 @@ - #include "GL/glx_ansic.h" - - -+#include - /* - ** The X header misc.h defines these math functions. - */ -@@ -223,6 +224,46 @@ extern void glxSwapQueryServerStringReply(ClientPtr client, - /* - * Routines for computing the size of variably-sized rendering commands. - */ -+static __inline__ int -+safe_add(int a, int b) -+{ -+ if (a < 0 || b < 0) -+ return -1; -+ -+ if (INT_MAX - a < b) -+ return -1; -+ -+ return a + b; -+} -+ -+static __inline__ int -+safe_mul(int a, int b) -+{ -+ if (a < 0 || b < 0) -+ return -1; -+ -+ if (a == 0 || b == 0) -+ return 0; -+ -+ if (a > INT_MAX / b) -+ return -1; -+ -+ return a * b; -+} -+ -+static __inline__ int -+safe_pad(int a) -+{ -+ int ret; -+ -+ if (a < 0) -+ return -1; -+ -+ if ((ret = safe_add(a, 3)) < 0) -+ return -1; -+ -+ return ret & (GLuint)~3; -+} - - extern int __glXTypeSize(GLenum enm); - extern int __glXImageSize(GLenum format, GLenum type, --- -2.1.4 - diff --git a/debian/patches/1035-glx-Length-checking-for-GLXRender-requests-v2-C.full.patch b/debian/patches/1035-glx-Length-checking-for-GLXRender-requests-v2-C.full.patch new file mode 100644 index 000000000..17afae92f --- /dev/null +++ b/debian/patches/1035-glx-Length-checking-for-GLXRender-requests-v2-C.full.patch @@ -0,0 +1,132 @@ +From 78b38a8a37e6105360c82a710ef62c92643ea4c1 Mon Sep 17 00:00:00 2001 +From: Julien Cristau +Date: Mon, 10 Nov 2014 12:13:41 -0500 +Subject: [PATCH 35/40] glx: Length checking for GLXRender requests (v2) + [CVE-2014-8098 2/8] (v3) + +v2: +Remove can't-happen comparison for cmdlen < 0 (Michal Srb) + +v3: backport to RHEL5 hit old paths + +v4: backport to nx-libs 3.6.x (Mike DePaulo) + +Reviewed-by: Adam Jackson +Reviewed-by: Michal Srb +Reviewed-by: Andy Ritger +Signed-off-by: Julien Cristau +Signed-off-by: Alan Coopersmith +Signed-off-by: Fedora X Ninjas +Signed-off-by: Dave Airlie +--- + nx-X11/programs/Xserver/GL/glx/glxcmds.c | 20 ++++++++++---------- + nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 20 ++++++++++---------- + 2 files changed, 20 insertions(+), 20 deletions(-) + +diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmds.c b/nx-X11/programs/Xserver/GL/glx/glxcmds.c +index 02f3ba7..831c65b 100644 +--- a/nx-X11/programs/Xserver/GL/glx/glxcmds.c ++++ b/nx-X11/programs/Xserver/GL/glx/glxcmds.c +@@ -1443,7 +1443,7 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc) + left = (req->length << 2) - sz_xGLXRenderReq; + while (left > 0) { + __GLXrenderSizeData *entry; +- int extra; ++ int extra = 0; + void (* proc)(GLbyte *); + + /* +@@ -1454,6 +1454,9 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc) + cmdlen = hdr->length; + opcode = hdr->opcode; + ++ if (left < cmdlen) ++ return BadLength; ++ + /* + ** Check for core opcodes and grab entry data. + */ +@@ -1480,22 +1483,19 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc) + client->errorValue = commandsDone; + return __glXBadRenderRequest; + } ++ ++ if (cmdlen < entry->bytes) { ++ return BadLength; ++ } ++ + if (entry->varsize) { + /* variable size command */ + extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False); + if (extra < 0) { + return BadLength; + } +- if (cmdlen != __GLX_PAD(entry->bytes + extra)) { +- return BadLength; +- } +- } else { +- /* constant size command */ +- if (cmdlen != __GLX_PAD(entry->bytes)) { +- return BadLength; +- } + } +- if (left < cmdlen) { ++ if (cmdlen != safe_pad(safe_add(entry->bytes, extra))) { + return BadLength; + } + +diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c +index 027cba7..7174fda 100644 +--- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c ++++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c +@@ -498,7 +498,7 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc) + left = (req->length << 2) - sz_xGLXRenderReq; + while (left > 0) { + __GLXrenderSizeData *entry; +- int extra; ++ int extra = 0; + void (* proc)(GLbyte *); + + /* +@@ -511,6 +511,9 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc) + cmdlen = hdr->length; + opcode = hdr->opcode; + ++ if (left < cmdlen) ++ return BadLength; ++ + if ( (opcode >= __GLX_MIN_RENDER_OPCODE) && + (opcode <= __GLX_MAX_RENDER_OPCODE) ) { + entry = &__glXRenderSizeTable[opcode]; +@@ -531,22 +534,19 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc) + client->errorValue = commandsDone; + return __glXBadRenderRequest; + } ++ ++ if (cmdlen < entry->bytes) { ++ return BadLength; ++ } ++ + if (entry->varsize) { + /* variable size command */ + extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True); + if (extra < 0) { + return BadLength; + } +- if (cmdlen != __GLX_PAD(entry->bytes + extra)) { +- return BadLength; +- } +- } else { +- /* constant size command */ +- if (cmdlen != __GLX_PAD(entry->bytes)) { +- return BadLength; +- } + } +- if (left < cmdlen) { ++ if (cmdlen != safe_pad(safe_add(entry->bytes, extra))) { + return BadLength; + } + +-- +2.1.4 + diff --git a/debian/patches/1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch b/debian/patches/1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch deleted file mode 100644 index 17afae92f..000000000 --- a/debian/patches/1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch +++ /dev/null @@ -1,132 +0,0 @@ -From 78b38a8a37e6105360c82a710ef62c92643ea4c1 Mon Sep 17 00:00:00 2001 -From: Julien Cristau -Date: Mon, 10 Nov 2014 12:13:41 -0500 -Subject: [PATCH 35/40] glx: Length checking for GLXRender requests (v2) - [CVE-2014-8098 2/8] (v3) - -v2: -Remove can't-happen comparison for cmdlen < 0 (Michal Srb) - -v3: backport to RHEL5 hit old paths - -v4: backport to nx-libs 3.6.x (Mike DePaulo) - -Reviewed-by: Adam Jackson -Reviewed-by: Michal Srb -Reviewed-by: Andy Ritger -Signed-off-by: Julien Cristau -Signed-off-by: Alan Coopersmith -Signed-off-by: Fedora X Ninjas -Signed-off-by: Dave Airlie ---- - nx-X11/programs/Xserver/GL/glx/glxcmds.c | 20 ++++++++++---------- - nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 20 ++++++++++---------- - 2 files changed, 20 insertions(+), 20 deletions(-) - -diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmds.c b/nx-X11/programs/Xserver/GL/glx/glxcmds.c -index 02f3ba7..831c65b 100644 ---- a/nx-X11/programs/Xserver/GL/glx/glxcmds.c -+++ b/nx-X11/programs/Xserver/GL/glx/glxcmds.c -@@ -1443,7 +1443,7 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc) - left = (req->length << 2) - sz_xGLXRenderReq; - while (left > 0) { - __GLXrenderSizeData *entry; -- int extra; -+ int extra = 0; - void (* proc)(GLbyte *); - - /* -@@ -1454,6 +1454,9 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc) - cmdlen = hdr->length; - opcode = hdr->opcode; - -+ if (left < cmdlen) -+ return BadLength; -+ - /* - ** Check for core opcodes and grab entry data. - */ -@@ -1480,22 +1483,19 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc) - client->errorValue = commandsDone; - return __glXBadRenderRequest; - } -+ -+ if (cmdlen < entry->bytes) { -+ return BadLength; -+ } -+ - if (entry->varsize) { - /* variable size command */ - extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False); - if (extra < 0) { - return BadLength; - } -- if (cmdlen != __GLX_PAD(entry->bytes + extra)) { -- return BadLength; -- } -- } else { -- /* constant size command */ -- if (cmdlen != __GLX_PAD(entry->bytes)) { -- return BadLength; -- } - } -- if (left < cmdlen) { -+ if (cmdlen != safe_pad(safe_add(entry->bytes, extra))) { - return BadLength; - } - -diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c -index 027cba7..7174fda 100644 ---- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c -+++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c -@@ -498,7 +498,7 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc) - left = (req->length << 2) - sz_xGLXRenderReq; - while (left > 0) { - __GLXrenderSizeData *entry; -- int extra; -+ int extra = 0; - void (* proc)(GLbyte *); - - /* -@@ -511,6 +511,9 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc) - cmdlen = hdr->length; - opcode = hdr->opcode; - -+ if (left < cmdlen) -+ return BadLength; -+ - if ( (opcode >= __GLX_MIN_RENDER_OPCODE) && - (opcode <= __GLX_MAX_RENDER_OPCODE) ) { - entry = &__glXRenderSizeTable[opcode]; -@@ -531,22 +534,19 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc) - client->errorValue = commandsDone; - return __glXBadRenderRequest; - } -+ -+ if (cmdlen < entry->bytes) { -+ return BadLength; -+ } -+ - if (entry->varsize) { - /* variable size command */ - extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True); - if (extra < 0) { - return BadLength; - } -- if (cmdlen != __GLX_PAD(entry->bytes + extra)) { -- return BadLength; -- } -- } else { -- /* constant size command */ -- if (cmdlen != __GLX_PAD(entry->bytes)) { -- return BadLength; -- } - } -- if (left < cmdlen) { -+ if (cmdlen != safe_pad(safe_add(entry->bytes, extra))) { - return BadLength; - } - --- -2.1.4 - diff --git a/debian/patches/1036-glx-Integer-overflow-protection-for-non-generat.full.patch b/debian/patches/1036-glx-Integer-overflow-protection-for-non-generat.full.patch new file mode 100644 index 000000000..742a8bdb4 --- /dev/null +++ b/debian/patches/1036-glx-Integer-overflow-protection-for-non-generat.full.patch @@ -0,0 +1,215 @@ +From ddb1235bc621d06bf28309be70c173ae06131edf Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Mon, 10 Nov 2014 12:13:42 -0500 +Subject: [PATCH 36/40] glx: Integer overflow protection for non-generated + render requests (v3) [CVE-2014-8093 5/6] + +v2: +Fix constants in __glXMap2fReqSize (Michal Srb) +Validate w/h/d for proxy targets too (Keith Packard) + +v3: +Fix Map[12]Size to correctly reject order == 0 (Julien Cristau) + +v4: backport to nx-libs 3.6.x (Mike DePaulo) + +Reviewed-by: Keith Packard +Reviewed-by: Michal Srb +Reviewed-by: Andy Ritger +Signed-off-by: Adam Jackson +Signed-off-by: Alan Coopersmith +Signed-off-by: Fedora X Ninjas +Signed-off-by: Dave Airlie +--- + nx-X11/programs/Xserver/GL/glx/rensize.c | 68 +++++++++++++++++--------------- + 1 file changed, 37 insertions(+), 31 deletions(-) + +diff --git a/nx-X11/programs/Xserver/GL/glx/rensize.c b/nx-X11/programs/Xserver/GL/glx/rensize.c +index 7ab02d2..9bf0d00 100644 +--- a/nx-X11/programs/Xserver/GL/glx/rensize.c ++++ b/nx-X11/programs/Xserver/GL/glx/rensize.c +@@ -167,16 +167,10 @@ int __glXTexEnvivReqSize(GLbyte *pc, Bool swap ) + return __glXTexEnvfvReqSize( pc, swap ); + } + +-static int Map1Size( GLint k, GLint order) +-{ +- if (order <= 0 || k < 0) return -1; +- return k * order; +-} +- + int __glXMap1dReqSize(GLbyte *pc, Bool swap ) + { + GLenum target; +- GLint order, k; ++ GLint order; + + target = *(GLenum*) (pc + 16); + order = *(GLint*) (pc + 20); +@@ -184,14 +178,15 @@ int __glXMap1dReqSize(GLbyte *pc, Bool swap ) + target = SWAPL( target ); + order = SWAPL( order ); + } +- k = __glMap1d_size( target ); +- return 8 * Map1Size( k, order ); ++ if (order < 1) ++ return -1; ++ return safe_mul(8, safe_mul(__glMap1d_size(target), order)); + } + + int __glXMap1fReqSize(GLbyte *pc, Bool swap ) + { + GLenum target; +- GLint order, k; ++ GLint order; + + target = *(GLenum *)(pc + 0); + order = *(GLint *)(pc + 12); +@@ -199,20 +194,21 @@ int __glXMap1fReqSize(GLbyte *pc, Bool swap ) + target = SWAPL( target ); + order = SWAPL( order ); + } +- k = __glMap1f_size(target); +- return 4 * Map1Size(k, order); ++ if (order < 1) ++ return -1; ++ return safe_mul(4, safe_mul(__glMap1f_size(target), order)); + } + + static int Map2Size(int k, int majorOrder, int minorOrder) + { +- if (majorOrder <= 0 || minorOrder <= 0 || k < 0) return -1; +- return k * majorOrder * minorOrder; ++ if (majorOrder < 1 || minorOrder < 1) return -1; ++ return safe_mul(k, safe_mul(majorOrder, minorOrder)); + } + + int __glXMap2dReqSize(GLbyte *pc, Bool swap ) + { + GLenum target; +- GLint uorder, vorder, k; ++ GLint uorder, vorder; + + target = *(GLenum *)(pc + 32); + uorder = *(GLint *)(pc + 36); +@@ -222,14 +218,13 @@ int __glXMap2dReqSize(GLbyte *pc, Bool swap ) + uorder = SWAPL( uorder ); + vorder = SWAPL( vorder ); + } +- k = __glMap2d_size( target ); +- return 8 * Map2Size( k, uorder, vorder ); ++ return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder)); + } + + int __glXMap2fReqSize(GLbyte *pc, Bool swap ) + { + GLenum target; +- GLint uorder, vorder, k; ++ GLint uorder, vorder; + + target = *(GLenum *)(pc + 0); + uorder = *(GLint *)(pc + 12); +@@ -239,8 +234,7 @@ int __glXMap2fReqSize(GLbyte *pc, Bool swap ) + uorder = SWAPL( uorder ); + vorder = SWAPL( vorder ); + } +- k = __glMap2f_size( target ); +- return 4 * Map2Size( k, uorder, vorder ); ++ return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder)); + } + + int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap ) +@@ -315,13 +309,16 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target, + GLint bytesPerElement, elementsPerGroup, groupsPerRow; + GLint groupSize, rowSize, padding, imageSize; + ++ if (w == 0 || h == 0 || d == 0) ++ return 0; ++ + if (w < 0 || h < 0 || d < 0 || + (type == GL_BITMAP && + (format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) { + return -1; + } +- if (w==0 || h==0 || d == 0) return 0; + ++ /* proxy targets have no data */ + switch( target ) { + case GL_PROXY_TEXTURE_1D: + case GL_PROXY_TEXTURE_2D: +@@ -338,6 +335,12 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target, + return 0; + } + ++ /* real data has to have real sizes */ ++ if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0) ++ return -1; ++ if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8) ++ return -1; ++ + if (type == GL_BITMAP) { + if (rowLength > 0) { + groupsPerRow = rowLength; +@@ -345,11 +348,13 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target, + groupsPerRow = w; + } + rowSize = (groupsPerRow + 7) >> 3; ++ if (rowSize < 0) ++ return -1; + padding = (rowSize % alignment); + if (padding) { + rowSize += alignment - padding; + } +- return ((h + skipRows) * rowSize); ++ return safe_mul(safe_add(h, skipRows), rowSize); + } else { + switch(format) { + case GL_COLOR_INDEX: +@@ -430,23 +435,25 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target, + default: + return -1; + } ++ /* known safe by the switches above, not checked */ + groupSize = bytesPerElement * elementsPerGroup; + if (rowLength > 0) { + groupsPerRow = rowLength; + } else { + groupsPerRow = w; + } +- rowSize = groupsPerRow * groupSize; ++ if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0) ++ return -1; + padding = (rowSize % alignment); + if (padding) { + rowSize += alignment - padding; + } +- if (imageHeight > 0) { +- imageSize = (imageHeight + skipRows) * rowSize; +- } else { +- imageSize = (h + skipRows) * rowSize; +- } +- return ((d + skipImages) * imageSize); ++ if (imageHeight > 0) ++ h = imageHeight; ++ h = safe_add(h, skipRows); ++ ++ imageSize = safe_mul(h, rowSize); ++ return safe_mul(safe_add(d, skipImages), imageSize); + } + } + +@@ -873,10 +880,9 @@ int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap ) + /* XXX Should rowLength be used for either or both image? */ + image1size = __glXImageSize( format, type, 0, w, 1, 1, + 0, rowLength, 0, 0, alignment ); +- image1size = __GLX_PAD(image1size); + image2size = __glXImageSize( format, type, 0, h, 1, 1, + 0, rowLength, 0, 0, alignment ); +- return image1size + image2size; ++ return safe_add(safe_pad(image1size), image2size); + + } + +-- +2.1.4 + diff --git a/debian/patches/1036-glx-Integer-overflow-protection-for-non-generated-re.patch b/debian/patches/1036-glx-Integer-overflow-protection-for-non-generated-re.patch deleted file mode 100644 index 742a8bdb4..000000000 --- a/debian/patches/1036-glx-Integer-overflow-protection-for-non-generated-re.patch +++ /dev/null @@ -1,215 +0,0 @@ -From ddb1235bc621d06bf28309be70c173ae06131edf Mon Sep 17 00:00:00 2001 -From: Adam Jackson -Date: Mon, 10 Nov 2014 12:13:42 -0500 -Subject: [PATCH 36/40] glx: Integer overflow protection for non-generated - render requests (v3) [CVE-2014-8093 5/6] - -v2: -Fix constants in __glXMap2fReqSize (Michal Srb) -Validate w/h/d for proxy targets too (Keith Packard) - -v3: -Fix Map[12]Size to correctly reject order == 0 (Julien Cristau) - -v4: backport to nx-libs 3.6.x (Mike DePaulo) - -Reviewed-by: Keith Packard -Reviewed-by: Michal Srb -Reviewed-by: Andy Ritger -Signed-off-by: Adam Jackson -Signed-off-by: Alan Coopersmith -Signed-off-by: Fedora X Ninjas -Signed-off-by: Dave Airlie ---- - nx-X11/programs/Xserver/GL/glx/rensize.c | 68 +++++++++++++++++--------------- - 1 file changed, 37 insertions(+), 31 deletions(-) - -diff --git a/nx-X11/programs/Xserver/GL/glx/rensize.c b/nx-X11/programs/Xserver/GL/glx/rensize.c -index 7ab02d2..9bf0d00 100644 ---- a/nx-X11/programs/Xserver/GL/glx/rensize.c -+++ b/nx-X11/programs/Xserver/GL/glx/rensize.c -@@ -167,16 +167,10 @@ int __glXTexEnvivReqSize(GLbyte *pc, Bool swap ) - return __glXTexEnvfvReqSize( pc, swap ); - } - --static int Map1Size( GLint k, GLint order) --{ -- if (order <= 0 || k < 0) return -1; -- return k * order; --} -- - int __glXMap1dReqSize(GLbyte *pc, Bool swap ) - { - GLenum target; -- GLint order, k; -+ GLint order; - - target = *(GLenum*) (pc + 16); - order = *(GLint*) (pc + 20); -@@ -184,14 +178,15 @@ int __glXMap1dReqSize(GLbyte *pc, Bool swap ) - target = SWAPL( target ); - order = SWAPL( order ); - } -- k = __glMap1d_size( target ); -- return 8 * Map1Size( k, order ); -+ if (order < 1) -+ return -1; -+ return safe_mul(8, safe_mul(__glMap1d_size(target), order)); - } - - int __glXMap1fReqSize(GLbyte *pc, Bool swap ) - { - GLenum target; -- GLint order, k; -+ GLint order; - - target = *(GLenum *)(pc + 0); - order = *(GLint *)(pc + 12); -@@ -199,20 +194,21 @@ int __glXMap1fReqSize(GLbyte *pc, Bool swap ) - target = SWAPL( target ); - order = SWAPL( order ); - } -- k = __glMap1f_size(target); -- return 4 * Map1Size(k, order); -+ if (order < 1) -+ return -1; -+ return safe_mul(4, safe_mul(__glMap1f_size(target), order)); - } - - static int Map2Size(int k, int majorOrder, int minorOrder) - { -- if (majorOrder <= 0 || minorOrder <= 0 || k < 0) return -1; -- return k * majorOrder * minorOrder; -+ if (majorOrder < 1 || minorOrder < 1) return -1; -+ return safe_mul(k, safe_mul(majorOrder, minorOrder)); - } - - int __glXMap2dReqSize(GLbyte *pc, Bool swap ) - { - GLenum target; -- GLint uorder, vorder, k; -+ GLint uorder, vorder; - - target = *(GLenum *)(pc + 32); - uorder = *(GLint *)(pc + 36); -@@ -222,14 +218,13 @@ int __glXMap2dReqSize(GLbyte *pc, Bool swap ) - uorder = SWAPL( uorder ); - vorder = SWAPL( vorder ); - } -- k = __glMap2d_size( target ); -- return 8 * Map2Size( k, uorder, vorder ); -+ return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder)); - } - - int __glXMap2fReqSize(GLbyte *pc, Bool swap ) - { - GLenum target; -- GLint uorder, vorder, k; -+ GLint uorder, vorder; - - target = *(GLenum *)(pc + 0); - uorder = *(GLint *)(pc + 12); -@@ -239,8 +234,7 @@ int __glXMap2fReqSize(GLbyte *pc, Bool swap ) - uorder = SWAPL( uorder ); - vorder = SWAPL( vorder ); - } -- k = __glMap2f_size( target ); -- return 4 * Map2Size( k, uorder, vorder ); -+ return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder)); - } - - int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap ) -@@ -315,13 +309,16 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target, - GLint bytesPerElement, elementsPerGroup, groupsPerRow; - GLint groupSize, rowSize, padding, imageSize; - -+ if (w == 0 || h == 0 || d == 0) -+ return 0; -+ - if (w < 0 || h < 0 || d < 0 || - (type == GL_BITMAP && - (format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) { - return -1; - } -- if (w==0 || h==0 || d == 0) return 0; - -+ /* proxy targets have no data */ - switch( target ) { - case GL_PROXY_TEXTURE_1D: - case GL_PROXY_TEXTURE_2D: -@@ -338,6 +335,12 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target, - return 0; - } - -+ /* real data has to have real sizes */ -+ if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0) -+ return -1; -+ if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8) -+ return -1; -+ - if (type == GL_BITMAP) { - if (rowLength > 0) { - groupsPerRow = rowLength; -@@ -345,11 +348,13 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target, - groupsPerRow = w; - } - rowSize = (groupsPerRow + 7) >> 3; -+ if (rowSize < 0) -+ return -1; - padding = (rowSize % alignment); - if (padding) { - rowSize += alignment - padding; - } -- return ((h + skipRows) * rowSize); -+ return safe_mul(safe_add(h, skipRows), rowSize); - } else { - switch(format) { - case GL_COLOR_INDEX: -@@ -430,23 +435,25 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target, - default: - return -1; - } -+ /* known safe by the switches above, not checked */ - groupSize = bytesPerElement * elementsPerGroup; - if (rowLength > 0) { - groupsPerRow = rowLength; - } else { - groupsPerRow = w; - } -- rowSize = groupsPerRow * groupSize; -+ if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0) -+ return -1; - padding = (rowSize % alignment); - if (padding) { - rowSize += alignment - padding; - } -- if (imageHeight > 0) { -- imageSize = (imageHeight + skipRows) * rowSize; -- } else { -- imageSize = (h + skipRows) * rowSize; -- } -- return ((d + skipImages) * imageSize); -+ if (imageHeight > 0) -+ h = imageHeight; -+ h = safe_add(h, skipRows); -+ -+ imageSize = safe_mul(h, rowSize); -+ return safe_mul(safe_add(d, skipImages), imageSize); - } - } - -@@ -873,10 +880,9 @@ int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap ) - /* XXX Should rowLength be used for either or both image? */ - image1size = __glXImageSize( format, type, 0, w, 1, 1, - 0, rowLength, 0, 0, alignment ); -- image1size = __GLX_PAD(image1size); - image2size = __glXImageSize( format, type, 0, h, 1, 1, - 0, rowLength, 0, 0, alignment ); -- return image1size + image2size; -+ return safe_add(safe_pad(image1size), image2size); - - } - --- -2.1.4 - diff --git a/debian/patches/1037-glx-Top-level-length-checking-for-swapped-Vendo.full.patch b/debian/patches/1037-glx-Top-level-length-checking-for-swapped-Vendo.full.patch new file mode 100644 index 000000000..7934b4713 --- /dev/null +++ b/debian/patches/1037-glx-Top-level-length-checking-for-swapped-Vendo.full.patch @@ -0,0 +1,53 @@ +From ad29acd7697e18333e164b1746f61c5a9e29a436 Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Mon, 10 Nov 2014 12:13:44 -0500 +Subject: [PATCH 37/40] glx: Top-level length checking for swapped + VendorPrivate requests [CVE-2014-8098 4/8] + +v2: backport to nx-libs 3.6.x (Mike DePaulo) + +Reviewed-by: Keith Packard +Reviewed-by: Julien Cristau +Reviewed-by: Michal Srb +Reviewed-by: Andy Ritger +Signed-off-by: Adam Jackson +Signed-off-by: Alan Coopersmith +Signed-off-by: Fedora X Ninjas +Signed-off-by: Dave Airlie +--- + nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c +index 7174fda..2685355 100644 +--- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c ++++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c +@@ -797,10 +797,12 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) + + int __glXSwapVendorPrivate(__GLXclientState *cl, GLbyte *pc) + { ++ ClientPtr client = cl->client; + xGLXVendorPrivateReq *req; + GLint vendorcode; + + __GLX_DECLARE_SWAP_VARIABLES; ++ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq); + + req = (xGLXVendorPrivateReq *) pc; + __GLX_SWAP_SHORT(&req->length); +@@ -835,10 +837,12 @@ int __glXSwapVendorPrivate(__GLXclientState *cl, GLbyte *pc) + + int __glXSwapVendorPrivateWithReply(__GLXclientState *cl, GLbyte *pc) + { ++ ClientPtr client = cl->client; + xGLXVendorPrivateWithReplyReq *req; + GLint vendorcode; + + __GLX_DECLARE_SWAP_VARIABLES; ++ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq); + + req = (xGLXVendorPrivateWithReplyReq *) pc; + __GLX_SWAP_SHORT(&req->length); +-- +2.1.4 + diff --git a/debian/patches/1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch b/debian/patches/1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch deleted file mode 100644 index 7934b4713..000000000 --- a/debian/patches/1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch +++ /dev/null @@ -1,53 +0,0 @@ -From ad29acd7697e18333e164b1746f61c5a9e29a436 Mon Sep 17 00:00:00 2001 -From: Adam Jackson -Date: Mon, 10 Nov 2014 12:13:44 -0500 -Subject: [PATCH 37/40] glx: Top-level length checking for swapped - VendorPrivate requests [CVE-2014-8098 4/8] - -v2: backport to nx-libs 3.6.x (Mike DePaulo) - -Reviewed-by: Keith Packard -Reviewed-by: Julien Cristau -Reviewed-by: Michal Srb -Reviewed-by: Andy Ritger -Signed-off-by: Adam Jackson -Signed-off-by: Alan Coopersmith -Signed-off-by: Fedora X Ninjas -Signed-off-by: Dave Airlie ---- - nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c -index 7174fda..2685355 100644 ---- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c -+++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c -@@ -797,10 +797,12 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) - - int __glXSwapVendorPrivate(__GLXclientState *cl, GLbyte *pc) - { -+ ClientPtr client = cl->client; - xGLXVendorPrivateReq *req; - GLint vendorcode; - - __GLX_DECLARE_SWAP_VARIABLES; -+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq); - - req = (xGLXVendorPrivateReq *) pc; - __GLX_SWAP_SHORT(&req->length); -@@ -835,10 +837,12 @@ int __glXSwapVendorPrivate(__GLXclientState *cl, GLbyte *pc) - - int __glXSwapVendorPrivateWithReply(__GLXclientState *cl, GLbyte *pc) - { -+ ClientPtr client = cl->client; - xGLXVendorPrivateWithReplyReq *req; - GLint vendorcode; - - __GLX_DECLARE_SWAP_VARIABLES; -+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq); - - req = (xGLXVendorPrivateWithReplyReq *) pc; - __GLX_SWAP_SHORT(&req->length); --- -2.1.4 - diff --git a/debian/patches/1038-glx-Length-checking-for-non-generated-single-re.full.patch b/debian/patches/1038-glx-Length-checking-for-non-generated-single-re.full.patch new file mode 100644 index 000000000..5db4682df --- /dev/null +++ b/debian/patches/1038-glx-Length-checking-for-non-generated-single-re.full.patch @@ -0,0 +1,413 @@ +From 8931066077a04999d973932e04da577bd6906c82 Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Mon, 10 Nov 2014 12:13:47 -0500 +Subject: [PATCH 38/40] glx: Length checking for non-generated single requests + (v2) [CVE-2014-8098 7/8] + +v2: +Fix single versus vendor-private length checking for ARB_imaging subset +extensions. (Julien Cristau) + +v3: +Fix single versus vendor-private length checking for ARB_imaging subset +extensions. (Julien Cristau) + +v4: backport to nx-libs 3.6.x (Mike DePaulo) + +Reviewed-by: Michal Srb +Reviewed-by: Andy Ritger +Signed-off-by: Adam Jackson +Signed-off-by: Julien Cristau +Signed-off-by: Alan Coopersmith +Signed-off-by: Fedora X Ninjas +Signed-off-by: Dave Airlie + +fix safe_Add +--- + nx-X11/programs/Xserver/GL/glx/single2.c | 21 +++++++++++++++------ + nx-X11/programs/Xserver/GL/glx/single2swap.c | 15 +++++++++++---- + nx-X11/programs/Xserver/GL/glx/singlepix.c | 19 ++++++++++++++----- + nx-X11/programs/Xserver/GL/glx/singlepixswap.c | 17 ++++++++++++----- + 4 files changed, 52 insertions(+), 20 deletions(-) + +diff --git a/nx-X11/programs/Xserver/GL/glx/single2.c b/nx-X11/programs/Xserver/GL/glx/single2.c +index 9fee5ff..10152c3 100644 +--- a/nx-X11/programs/Xserver/GL/glx/single2.c ++++ b/nx-X11/programs/Xserver/GL/glx/single2.c +@@ -48,11 +48,14 @@ + + int __glXDisp_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc) + { ++ ClientPtr client = cl->client; + GLsizei size; + GLenum type; + __GLXcontext *cx; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 8); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -78,10 +81,12 @@ int __glXDisp_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc) + + int __glXDisp_SelectBuffer(__GLXclientState *cl, GLbyte *pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; + GLsizei size; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -106,7 +111,7 @@ int __glXDisp_SelectBuffer(__GLXclientState *cl, GLbyte *pc) + + int __glXDisp_RenderMode(__GLXclientState *cl, GLbyte *pc) + { +- ClientPtr client; ++ ClientPtr client = cl->client; + xGLXRenderModeReply reply; + __GLXcontext *cx; + GLint nitems=0, retBytes=0, retval, newModeCheck; +@@ -114,6 +119,8 @@ int __glXDisp_RenderMode(__GLXclientState *cl, GLbyte *pc) + GLenum newMode; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -188,7 +195,6 @@ int __glXDisp_RenderMode(__GLXclientState *cl, GLbyte *pc) + ** selection array, as per the API for glRenderMode itself. + */ + noChangeAllowed:; +- client = cl->client; + reply.length = nitems; + reply.type = X_Reply; + reply.sequenceNumber = client->sequence; +@@ -204,9 +210,11 @@ int __glXDisp_RenderMode(__GLXclientState *cl, GLbyte *pc) + + int __glXDisp_Flush(__GLXclientState *cl, GLbyte *pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; + int error; + ++ REQUEST_SIZE_MATCH(xGLXSingleReq); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -219,10 +227,11 @@ int __glXDisp_Flush(__GLXclientState *cl, GLbyte *pc) + + int __glXDisp_Finish(__GLXclientState *cl, GLbyte *pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; +- ClientPtr client; + int error; + ++ REQUEST_SIZE_MATCH(xGLXSingleReq); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -233,7 +242,6 @@ int __glXDisp_Finish(__GLXclientState *cl, GLbyte *pc) + __GLX_NOTE_FLUSHED_CMDS(cx); + + /* Send empty reply packet to indicate finish is finished */ +- client = cl->client; + __GLX_BEGIN_REPLY(0); + __GLX_SEND_HEADER(); + return Success; +@@ -302,7 +310,7 @@ char *__glXcombine_strings(const char *cext_string, const char *sext_string) + + int DoGetString(__GLXclientState *cl, GLbyte *pc, GLboolean need_swap) + { +- ClientPtr client; ++ ClientPtr client = cl->client; + __GLXcontext *cx; + GLenum name; + const char *string; +@@ -311,6 +319,8 @@ int DoGetString(__GLXclientState *cl, GLbyte *pc, GLboolean need_swap) + char *buf = NULL, *buf1 = NULL; + GLint length = 0; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + /* If the client has the opposite byte order, swap the contextTag and + * the name. + */ +@@ -327,7 +337,6 @@ int DoGetString(__GLXclientState *cl, GLbyte *pc, GLboolean need_swap) + pc += __GLX_SINGLE_HDR_SIZE; + name = *(GLenum *)(pc + 0); + string = (const char *)glGetString(name); +- client = cl->client; + + /* + ** Restrict extensions to those that are supported by both the +diff --git a/nx-X11/programs/Xserver/GL/glx/single2swap.c b/nx-X11/programs/Xserver/GL/glx/single2swap.c +index dab98ad..4b8541b 100644 +--- a/nx-X11/programs/Xserver/GL/glx/single2swap.c ++++ b/nx-X11/programs/Xserver/GL/glx/single2swap.c +@@ -48,12 +48,14 @@ + + int __glXDispSwap_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc) + { ++ ClientPtr client = cl->client; + GLsizei size; + GLenum type; + __GLX_DECLARE_SWAP_VARIABLES; + __GLXcontext *cx; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 8); + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -82,11 +84,13 @@ int __glXDispSwap_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc) + + int __glXDispSwap_SelectBuffer(__GLXclientState *cl, GLbyte *pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; + GLsizei size; + __GLX_DECLARE_SWAP_VARIABLES; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -113,7 +117,7 @@ int __glXDispSwap_SelectBuffer(__GLXclientState *cl, GLbyte *pc) + + int __glXDispSwap_RenderMode(__GLXclientState *cl, GLbyte *pc) + { +- ClientPtr client; ++ ClientPtr client = cl->client; + __GLXcontext *cx; + xGLXRenderModeReply reply; + GLint nitems=0, retBytes=0, retval, newModeCheck; +@@ -123,6 +127,8 @@ int __glXDispSwap_RenderMode(__GLXclientState *cl, GLbyte *pc) + __GLX_DECLARE_SWAP_ARRAY_VARIABLES; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -201,7 +207,6 @@ int __glXDispSwap_RenderMode(__GLXclientState *cl, GLbyte *pc) + ** selection array, as per the API for glRenderMode itself. + */ + noChangeAllowed:; +- client = cl->client; + reply.length = nitems; + reply.type = X_Reply; + reply.sequenceNumber = client->sequence; +@@ -222,10 +227,12 @@ int __glXDispSwap_RenderMode(__GLXclientState *cl, GLbyte *pc) + + int __glXDispSwap_Flush(__GLXclientState *cl, GLbyte *pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; + int error; + __GLX_DECLARE_SWAP_VARIABLES; + ++ REQUEST_SIZE_MATCH(xGLXSingleReq); + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -239,11 +246,12 @@ int __glXDispSwap_Flush(__GLXclientState *cl, GLbyte *pc) + + int __glXDispSwap_Finish(__GLXclientState *cl, GLbyte *pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; +- ClientPtr client; + int error; + __GLX_DECLARE_SWAP_VARIABLES; + ++ REQUEST_SIZE_MATCH(xGLXSingleReq); + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -255,7 +263,6 @@ int __glXDispSwap_Finish(__GLXclientState *cl, GLbyte *pc) + __GLX_NOTE_FLUSHED_CMDS(cx); + + /* Send empty reply packet to indicate finish is finished */ +- client = cl->client; + __GLX_BEGIN_REPLY(0); + __GLX_PUT_RETVAL(0); + __GLX_SWAP_REPLY_HEADER(); +diff --git a/nx-X11/programs/Xserver/GL/glx/singlepix.c b/nx-X11/programs/Xserver/GL/glx/singlepix.c +index be804d8..a156db5 100644 +--- a/nx-X11/programs/Xserver/GL/glx/singlepix.c ++++ b/nx-X11/programs/Xserver/GL/glx/singlepix.c +@@ -57,6 +57,8 @@ int __glXDisp_ReadPixels(__GLXclientState *cl, GLbyte *pc) + int error; + char *answer, answerBuffer[200]; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 28); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -108,6 +110,7 @@ int __glXDisp_GetTexImage(__GLXclientState *cl, GLbyte *pc) + char *answer, answerBuffer[200]; + GLint width=0, height=0, depth=1; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 20); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -204,6 +207,7 @@ int __glXDisp_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc) + char *answer, answerBuffer[200]; + GLint width=0, height=0; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -227,13 +231,11 @@ int __glXDisp_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc) + compsize = __glGetTexImage_size(target,1,format,type,width,1,1); + compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1); + +- if (compsize < 0) return BadLength; +- if (compsize2 < 0) compsize2 = 0; +- compsize = __GLX_PAD(compsize); +- compsize2 = __GLX_PAD(compsize2); ++ if ((compsize = safe_pad(compsize)) < 0) return BadLength; ++ if ((compsize2 = safe_pad(compsize2)) < 0) return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); +- __GLX_GET_ANSWER_BUFFER(answer,cl,compsize + compsize2,1); ++ __GLX_GET_ANSWER_BUFFER(answer,cl,safe_add(compsize, compsize2),1); + __glXClearErrorOccured(); + glGetSeparableFilter( + *(GLenum *)(pc + 0), +@@ -269,6 +271,7 @@ int __glXDisp_GetConvolutionFilter(__GLXclientState *cl, GLbyte *pc) + char *answer, answerBuffer[200]; + GLint width=0, height=0; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -328,6 +331,8 @@ int __glXDisp_GetHistogram(__GLXclientState *cl, GLbyte *pc) + char *answer, answerBuffer[200]; + GLint width=0; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -376,6 +381,8 @@ int __glXDisp_GetMinmax(__GLXclientState *cl, GLbyte *pc) + int error; + char *answer, answerBuffer[200]; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -419,6 +426,8 @@ int __glXDisp_GetColorTable(__GLXclientState *cl, GLbyte *pc) + char *answer, answerBuffer[200]; + GLint width=0; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +diff --git a/nx-X11/programs/Xserver/GL/glx/singlepixswap.c b/nx-X11/programs/Xserver/GL/glx/singlepixswap.c +index cdc6f16..24f2e76 100644 +--- a/nx-X11/programs/Xserver/GL/glx/singlepixswap.c ++++ b/nx-X11/programs/Xserver/GL/glx/singlepixswap.c +@@ -58,6 +58,8 @@ int __glXDispSwap_ReadPixels(__GLXclientState *cl, GLbyte *pc) + int error; + char *answer, answerBuffer[200]; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 28); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -120,6 +122,7 @@ int __glXDispSwap_GetTexImage(__GLXclientState *cl, GLbyte *pc) + char *answer, answerBuffer[200]; + GLint width=0, height=0, depth=1; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 24); + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -190,6 +193,7 @@ int __glXDispSwap_GetPolygonStipple(__GLXclientState *cl, GLbyte *pc) + char *answer; + __GLX_DECLARE_SWAP_VARIABLES; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -230,6 +234,7 @@ int __glXDispSwap_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc) + char *answer, answerBuffer[200]; + GLint width=0, height=0; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -257,13 +262,11 @@ int __glXDispSwap_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc) + compsize = __glGetTexImage_size(target,1,format,type,width,1,1); + compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1); + +- if (compsize < 0) return BadLength; +- if (compsize2 < 0) compsize2 = 0; +- compsize = __GLX_PAD(compsize); +- compsize2 = __GLX_PAD(compsize2); ++ if ((compsize = safe_pad(compsize)) < 0) return BadLength; ++ if ((compsize2 = safe_pad(compsize2)) < 0) return BadLength; + + glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); +- __GLX_GET_ANSWER_BUFFER(answer,cl,compsize + compsize2,1); ++ __GLX_GET_ANSWER_BUFFER(answer,cl,safe_add(compsize, compsize2),1); + __glXClearErrorOccured(); + glGetSeparableFilter( + *(GLenum *)(pc + 0), +@@ -302,6 +305,7 @@ int __glXDispSwap_GetConvolutionFilter(__GLXclientState *cl, GLbyte *pc) + char *answer, answerBuffer[200]; + GLint width=0, height=0; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -368,6 +372,7 @@ int __glXDispSwap_GetHistogram(__GLXclientState *cl, GLbyte *pc) + char *answer, answerBuffer[200]; + GLint width=0; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -422,6 +427,7 @@ int __glXDispSwap_GetMinmax(__GLXclientState *cl, GLbyte *pc) + __GLX_DECLARE_SWAP_VARIABLES; + char *answer, answerBuffer[200]; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -470,6 +476,7 @@ int __glXDispSwap_GetColorTable(__GLXclientState *cl, GLbyte *pc) + char *answer, answerBuffer[200]; + GLint width=0; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +-- +2.1.4 + diff --git a/debian/patches/1038-glx-Length-checking-for-non-generated-single-request.patch b/debian/patches/1038-glx-Length-checking-for-non-generated-single-request.patch deleted file mode 100644 index 5db4682df..000000000 --- a/debian/patches/1038-glx-Length-checking-for-non-generated-single-request.patch +++ /dev/null @@ -1,413 +0,0 @@ -From 8931066077a04999d973932e04da577bd6906c82 Mon Sep 17 00:00:00 2001 -From: Adam Jackson -Date: Mon, 10 Nov 2014 12:13:47 -0500 -Subject: [PATCH 38/40] glx: Length checking for non-generated single requests - (v2) [CVE-2014-8098 7/8] - -v2: -Fix single versus vendor-private length checking for ARB_imaging subset -extensions. (Julien Cristau) - -v3: -Fix single versus vendor-private length checking for ARB_imaging subset -extensions. (Julien Cristau) - -v4: backport to nx-libs 3.6.x (Mike DePaulo) - -Reviewed-by: Michal Srb -Reviewed-by: Andy Ritger -Signed-off-by: Adam Jackson -Signed-off-by: Julien Cristau -Signed-off-by: Alan Coopersmith -Signed-off-by: Fedora X Ninjas -Signed-off-by: Dave Airlie - -fix safe_Add ---- - nx-X11/programs/Xserver/GL/glx/single2.c | 21 +++++++++++++++------ - nx-X11/programs/Xserver/GL/glx/single2swap.c | 15 +++++++++++---- - nx-X11/programs/Xserver/GL/glx/singlepix.c | 19 ++++++++++++++----- - nx-X11/programs/Xserver/GL/glx/singlepixswap.c | 17 ++++++++++++----- - 4 files changed, 52 insertions(+), 20 deletions(-) - -diff --git a/nx-X11/programs/Xserver/GL/glx/single2.c b/nx-X11/programs/Xserver/GL/glx/single2.c -index 9fee5ff..10152c3 100644 ---- a/nx-X11/programs/Xserver/GL/glx/single2.c -+++ b/nx-X11/programs/Xserver/GL/glx/single2.c -@@ -48,11 +48,14 @@ - - int __glXDisp_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc) - { -+ ClientPtr client = cl->client; - GLsizei size; - GLenum type; - __GLXcontext *cx; - int error; - -+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8); -+ - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { - return error; -@@ -78,10 +81,12 @@ int __glXDisp_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc) - - int __glXDisp_SelectBuffer(__GLXclientState *cl, GLbyte *pc) - { -+ ClientPtr client = cl->client; - __GLXcontext *cx; - GLsizei size; - int error; - -+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { - return error; -@@ -106,7 +111,7 @@ int __glXDisp_SelectBuffer(__GLXclientState *cl, GLbyte *pc) - - int __glXDisp_RenderMode(__GLXclientState *cl, GLbyte *pc) - { -- ClientPtr client; -+ ClientPtr client = cl->client; - xGLXRenderModeReply reply; - __GLXcontext *cx; - GLint nitems=0, retBytes=0, retval, newModeCheck; -@@ -114,6 +119,8 @@ int __glXDisp_RenderMode(__GLXclientState *cl, GLbyte *pc) - GLenum newMode; - int error; - -+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); -+ - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { - return error; -@@ -188,7 +195,6 @@ int __glXDisp_RenderMode(__GLXclientState *cl, GLbyte *pc) - ** selection array, as per the API for glRenderMode itself. - */ - noChangeAllowed:; -- client = cl->client; - reply.length = nitems; - reply.type = X_Reply; - reply.sequenceNumber = client->sequence; -@@ -204,9 +210,11 @@ int __glXDisp_RenderMode(__GLXclientState *cl, GLbyte *pc) - - int __glXDisp_Flush(__GLXclientState *cl, GLbyte *pc) - { -+ ClientPtr client = cl->client; - __GLXcontext *cx; - int error; - -+ REQUEST_SIZE_MATCH(xGLXSingleReq); - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { - return error; -@@ -219,10 +227,11 @@ int __glXDisp_Flush(__GLXclientState *cl, GLbyte *pc) - - int __glXDisp_Finish(__GLXclientState *cl, GLbyte *pc) - { -+ ClientPtr client = cl->client; - __GLXcontext *cx; -- ClientPtr client; - int error; - -+ REQUEST_SIZE_MATCH(xGLXSingleReq); - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { - return error; -@@ -233,7 +242,6 @@ int __glXDisp_Finish(__GLXclientState *cl, GLbyte *pc) - __GLX_NOTE_FLUSHED_CMDS(cx); - - /* Send empty reply packet to indicate finish is finished */ -- client = cl->client; - __GLX_BEGIN_REPLY(0); - __GLX_SEND_HEADER(); - return Success; -@@ -302,7 +310,7 @@ char *__glXcombine_strings(const char *cext_string, const char *sext_string) - - int DoGetString(__GLXclientState *cl, GLbyte *pc, GLboolean need_swap) - { -- ClientPtr client; -+ ClientPtr client = cl->client; - __GLXcontext *cx; - GLenum name; - const char *string; -@@ -311,6 +319,8 @@ int DoGetString(__GLXclientState *cl, GLbyte *pc, GLboolean need_swap) - char *buf = NULL, *buf1 = NULL; - GLint length = 0; - -+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); -+ - /* If the client has the opposite byte order, swap the contextTag and - * the name. - */ -@@ -327,7 +337,6 @@ int DoGetString(__GLXclientState *cl, GLbyte *pc, GLboolean need_swap) - pc += __GLX_SINGLE_HDR_SIZE; - name = *(GLenum *)(pc + 0); - string = (const char *)glGetString(name); -- client = cl->client; - - /* - ** Restrict extensions to those that are supported by both the -diff --git a/nx-X11/programs/Xserver/GL/glx/single2swap.c b/nx-X11/programs/Xserver/GL/glx/single2swap.c -index dab98ad..4b8541b 100644 ---- a/nx-X11/programs/Xserver/GL/glx/single2swap.c -+++ b/nx-X11/programs/Xserver/GL/glx/single2swap.c -@@ -48,12 +48,14 @@ - - int __glXDispSwap_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc) - { -+ ClientPtr client = cl->client; - GLsizei size; - GLenum type; - __GLX_DECLARE_SWAP_VARIABLES; - __GLXcontext *cx; - int error; - -+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8); - __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { -@@ -82,11 +84,13 @@ int __glXDispSwap_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc) - - int __glXDispSwap_SelectBuffer(__GLXclientState *cl, GLbyte *pc) - { -+ ClientPtr client = cl->client; - __GLXcontext *cx; - GLsizei size; - __GLX_DECLARE_SWAP_VARIABLES; - int error; - -+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); - __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { -@@ -113,7 +117,7 @@ int __glXDispSwap_SelectBuffer(__GLXclientState *cl, GLbyte *pc) - - int __glXDispSwap_RenderMode(__GLXclientState *cl, GLbyte *pc) - { -- ClientPtr client; -+ ClientPtr client = cl->client; - __GLXcontext *cx; - xGLXRenderModeReply reply; - GLint nitems=0, retBytes=0, retval, newModeCheck; -@@ -123,6 +127,8 @@ int __glXDispSwap_RenderMode(__GLXclientState *cl, GLbyte *pc) - __GLX_DECLARE_SWAP_ARRAY_VARIABLES; - int error; - -+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); -+ - __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { -@@ -201,7 +207,6 @@ int __glXDispSwap_RenderMode(__GLXclientState *cl, GLbyte *pc) - ** selection array, as per the API for glRenderMode itself. - */ - noChangeAllowed:; -- client = cl->client; - reply.length = nitems; - reply.type = X_Reply; - reply.sequenceNumber = client->sequence; -@@ -222,10 +227,12 @@ int __glXDispSwap_RenderMode(__GLXclientState *cl, GLbyte *pc) - - int __glXDispSwap_Flush(__GLXclientState *cl, GLbyte *pc) - { -+ ClientPtr client = cl->client; - __GLXcontext *cx; - int error; - __GLX_DECLARE_SWAP_VARIABLES; - -+ REQUEST_SIZE_MATCH(xGLXSingleReq); - __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { -@@ -239,11 +246,12 @@ int __glXDispSwap_Flush(__GLXclientState *cl, GLbyte *pc) - - int __glXDispSwap_Finish(__GLXclientState *cl, GLbyte *pc) - { -+ ClientPtr client = cl->client; - __GLXcontext *cx; -- ClientPtr client; - int error; - __GLX_DECLARE_SWAP_VARIABLES; - -+ REQUEST_SIZE_MATCH(xGLXSingleReq); - __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { -@@ -255,7 +263,6 @@ int __glXDispSwap_Finish(__GLXclientState *cl, GLbyte *pc) - __GLX_NOTE_FLUSHED_CMDS(cx); - - /* Send empty reply packet to indicate finish is finished */ -- client = cl->client; - __GLX_BEGIN_REPLY(0); - __GLX_PUT_RETVAL(0); - __GLX_SWAP_REPLY_HEADER(); -diff --git a/nx-X11/programs/Xserver/GL/glx/singlepix.c b/nx-X11/programs/Xserver/GL/glx/singlepix.c -index be804d8..a156db5 100644 ---- a/nx-X11/programs/Xserver/GL/glx/singlepix.c -+++ b/nx-X11/programs/Xserver/GL/glx/singlepix.c -@@ -57,6 +57,8 @@ int __glXDisp_ReadPixels(__GLXclientState *cl, GLbyte *pc) - int error; - char *answer, answerBuffer[200]; - -+ REQUEST_FIXED_SIZE(xGLXSingleReq, 28); -+ - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { - return error; -@@ -108,6 +110,7 @@ int __glXDisp_GetTexImage(__GLXclientState *cl, GLbyte *pc) - char *answer, answerBuffer[200]; - GLint width=0, height=0, depth=1; - -+ REQUEST_FIXED_SIZE(xGLXSingleReq, 20); - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { - return error; -@@ -204,6 +207,7 @@ int __glXDisp_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc) - char *answer, answerBuffer[200]; - GLint width=0, height=0; - -+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { - return error; -@@ -227,13 +231,11 @@ int __glXDisp_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc) - compsize = __glGetTexImage_size(target,1,format,type,width,1,1); - compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1); - -- if (compsize < 0) return BadLength; -- if (compsize2 < 0) compsize2 = 0; -- compsize = __GLX_PAD(compsize); -- compsize2 = __GLX_PAD(compsize2); -+ if ((compsize = safe_pad(compsize)) < 0) return BadLength; -+ if ((compsize2 = safe_pad(compsize2)) < 0) return BadLength; - - glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes); -- __GLX_GET_ANSWER_BUFFER(answer,cl,compsize + compsize2,1); -+ __GLX_GET_ANSWER_BUFFER(answer,cl,safe_add(compsize, compsize2),1); - __glXClearErrorOccured(); - glGetSeparableFilter( - *(GLenum *)(pc + 0), -@@ -269,6 +271,7 @@ int __glXDisp_GetConvolutionFilter(__GLXclientState *cl, GLbyte *pc) - char *answer, answerBuffer[200]; - GLint width=0, height=0; - -+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { - return error; -@@ -328,6 +331,8 @@ int __glXDisp_GetHistogram(__GLXclientState *cl, GLbyte *pc) - char *answer, answerBuffer[200]; - GLint width=0; - -+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); -+ - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { - return error; -@@ -376,6 +381,8 @@ int __glXDisp_GetMinmax(__GLXclientState *cl, GLbyte *pc) - int error; - char *answer, answerBuffer[200]; - -+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); -+ - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { - return error; -@@ -419,6 +426,8 @@ int __glXDisp_GetColorTable(__GLXclientState *cl, GLbyte *pc) - char *answer, answerBuffer[200]; - GLint width=0; - -+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); -+ - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { - return error; -diff --git a/nx-X11/programs/Xserver/GL/glx/singlepixswap.c b/nx-X11/programs/Xserver/GL/glx/singlepixswap.c -index cdc6f16..24f2e76 100644 ---- a/nx-X11/programs/Xserver/GL/glx/singlepixswap.c -+++ b/nx-X11/programs/Xserver/GL/glx/singlepixswap.c -@@ -58,6 +58,8 @@ int __glXDispSwap_ReadPixels(__GLXclientState *cl, GLbyte *pc) - int error; - char *answer, answerBuffer[200]; - -+ REQUEST_FIXED_SIZE(xGLXSingleReq, 28); -+ - __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { -@@ -120,6 +122,7 @@ int __glXDispSwap_GetTexImage(__GLXclientState *cl, GLbyte *pc) - char *answer, answerBuffer[200]; - GLint width=0, height=0, depth=1; - -+ REQUEST_FIXED_SIZE(xGLXSingleReq, 24); - __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { -@@ -190,6 +193,7 @@ int __glXDispSwap_GetPolygonStipple(__GLXclientState *cl, GLbyte *pc) - char *answer; - __GLX_DECLARE_SWAP_VARIABLES; - -+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); - __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag); - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { -@@ -230,6 +234,7 @@ int __glXDispSwap_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc) - char *answer, answerBuffer[200]; - GLint width=0, height=0; - -+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { - return error; -@@ -257,13 +262,11 @@ int __glXDispSwap_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc) - compsize = __glGetTexImage_size(target,1,format,type,width,1,1); - compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1); - -- if (compsize < 0) return BadLength; -- if (compsize2 < 0) compsize2 = 0; -- compsize = __GLX_PAD(compsize); -- compsize2 = __GLX_PAD(compsize2); -+ if ((compsize = safe_pad(compsize)) < 0) return BadLength; -+ if ((compsize2 = safe_pad(compsize2)) < 0) return BadLength; - - glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes); -- __GLX_GET_ANSWER_BUFFER(answer,cl,compsize + compsize2,1); -+ __GLX_GET_ANSWER_BUFFER(answer,cl,safe_add(compsize, compsize2),1); - __glXClearErrorOccured(); - glGetSeparableFilter( - *(GLenum *)(pc + 0), -@@ -302,6 +305,7 @@ int __glXDispSwap_GetConvolutionFilter(__GLXclientState *cl, GLbyte *pc) - char *answer, answerBuffer[200]; - GLint width=0, height=0; - -+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { - return error; -@@ -368,6 +372,7 @@ int __glXDispSwap_GetHistogram(__GLXclientState *cl, GLbyte *pc) - char *answer, answerBuffer[200]; - GLint width=0; - -+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { - return error; -@@ -422,6 +427,7 @@ int __glXDispSwap_GetMinmax(__GLXclientState *cl, GLbyte *pc) - __GLX_DECLARE_SWAP_VARIABLES; - char *answer, answerBuffer[200]; - -+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { - return error; -@@ -470,6 +476,7 @@ int __glXDispSwap_GetColorTable(__GLXclientState *cl, GLbyte *pc) - char *answer, answerBuffer[200]; - GLint width=0; - -+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); - cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); - if (!cx) { - return error; --- -2.1.4 - diff --git a/debian/patches/1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch b/debian/patches/1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch deleted file mode 100644 index 91433b6e8..000000000 --- a/debian/patches/1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch +++ /dev/null @@ -1,290 +0,0 @@ -From 9c558f9ca2c0d4e34fa71dff272ed1c39c22cd9d Mon Sep 17 00:00:00 2001 -From: Adam Jackson -Date: Mon, 10 Nov 2014 12:13:43 -0500 -Subject: [PATCH 39/40] glx: Length checking for RenderLarge requests (v2) - [CVE-2014-8098 3/8] (v3) - -This is a half-measure until we start passing request length into the -varsize function, but it's better than the nothing we had before. - -v2: Verify that there's at least a large render header's worth of -dataBytes (Julien Cristau) - -v3: backport to RHEL5 - -v4: backport to nx-libs 3.6.x (Mike DePaulo) - -Reviewed-by: Michal Srb -Reviewed-by: Andy Ritger -Signed-off-by: Adam Jackson -Signed-off-by: Alan Coopersmith -Signed-off-by: Fedora X Ninjas -Signed-off-by: Dave Airlie - -fixup swap ---- - nx-X11/programs/Xserver/GL/glx/glxcmds.c | 58 ++++++++++++++++----------- - nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 59 +++++++++++++++++----------- - 2 files changed, 71 insertions(+), 46 deletions(-) - -diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmds.c b/nx-X11/programs/Xserver/GL/glx/glxcmds.c -index 831c65b..20c12f3 100644 ---- a/nx-X11/programs/Xserver/GL/glx/glxcmds.c -+++ b/nx-X11/programs/Xserver/GL/glx/glxcmds.c -@@ -1535,6 +1535,8 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) - ** duplicated there. - */ - -+ REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq); -+ - req = (xGLXRenderLargeReq *) pc; - glxc = __glXForceCurrent(cl, req->contextTag, &error); - if (!glxc) { -@@ -1542,12 +1544,15 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) - __glXResetLargeCommandStatus(cl); - return error; - } -+ if (safe_pad(req->dataBytes) < 0) -+ return BadLength; -+ - dataBytes = req->dataBytes; - - /* - ** Check the request length. - */ -- if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) { -+ if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) { - client->errorValue = req->length; - /* Reset in case this isn't 1st request. */ - __glXResetLargeCommandStatus(cl); -@@ -1557,7 +1562,7 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) - - if (cl->largeCmdRequestsSoFar == 0) { - __GLXrenderSizeData *entry; -- int extra, cmdlen; -+ int extra = 0, cmdlen; - /* - ** This is the first request of a multi request command. - ** Make enough space in the buffer, then copy the entire request. -@@ -1567,9 +1572,13 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) - return __glXBadLargeRequest; - } - -+ if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE) -+ return BadLength; -+ - hdr = (__GLXrenderLargeHeader *) pc; -- cmdlen = hdr->length; - opcode = hdr->opcode; -+ if ((cmdlen = safe_pad(hdr->length)) < 0) -+ return BadLength; - - /* - ** Check for core opcodes and grab entry data. -@@ -1603,16 +1612,13 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) - if (extra < 0) { - return BadLength; - } -- /* large command's header is 4 bytes longer, so add 4 */ -- if (cmdlen != __GLX_PAD(entry->bytes + 4 + extra)) { -- return BadLength; -- } -- } else { -- /* constant size command */ -- if (cmdlen != __GLX_PAD(entry->bytes + 4)) { -- return BadLength; -- } - } -+ -+ /* the +4 is safe because we know entry.bytes is small */ -+ if (cmdlen != safe_pad(safe_add(entry->bytes + 4, extra))) { -+ return BadLength; -+ } -+ - /* - ** Make enough space in the buffer, then copy the entire request. - */ -@@ -1641,6 +1647,7 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) - ** We are receiving subsequent (i.e. not the first) requests of a - ** multi request command. - */ -+ int bytesSoFar; /* including this packet */ - - /* - ** Check the request number and the total request count. -@@ -1659,7 +1666,13 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) - /* - ** Check that we didn't get too much data. - */ -- if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) { -+ if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) { -+ client->errorValue = dataBytes; -+ __glXResetLargeCommandStatus(cl); -+ return __glXBadLargeRequest; -+ } -+ -+ if (bytesSoFar > cl->largeCmdBytesTotal) { - client->errorValue = dataBytes; - __glXResetLargeCommandStatus(cl); - return __glXBadLargeRequest; -@@ -1673,17 +1686,16 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) - ** This is the last request; it must have enough bytes to complete - ** the command. - */ -- /* NOTE: the two pad macros have been added below; they are needed -- ** because the client library pads the total byte count, but not -- ** the per-request byte counts. The Protocol Encoding says the -- ** total byte count should not be padded, so a proposal will be -- ** made to the ARB to relax the padding constraint on the total -- ** byte count, thus preserving backward compatibility. Meanwhile, -- ** the padding done below fixes a bug that did not allow -- ** large commands of odd sizes to be accepted by the server. -+ /* NOTE: the pad macro below is needed because the client library -+ ** pads the total byte count, but not the per-request byte counts. -+ ** The Protocol Encoding says the total byte count should not be -+ ** padded, so a proposal will be made to the ARB to relax the -+ ** padding constraint on the total byte count, thus preserving -+ ** backward compatibility. Meanwhile, the padding done below -+ ** fixes a bug that did not allow large commands of odd sizes to -+ ** be accepted by the server. - */ -- if (__GLX_PAD(cl->largeCmdBytesSoFar) != -- __GLX_PAD(cl->largeCmdBytesTotal)) { -+ if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) { - client->errorValue = dataBytes; - __glXResetLargeCommandStatus(cl); - return __glXBadLargeRequest; -diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c -index 2685355..2e228c0 100644 ---- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c -+++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c -@@ -587,6 +587,8 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) - ** duplicated there. - */ - -+ REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq); -+ - req = (xGLXRenderLargeReq *) pc; - __GLX_SWAP_SHORT(&req->length); - __GLX_SWAP_INT(&req->contextTag); -@@ -599,12 +601,15 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) - __glXResetLargeCommandStatus(cl); - return error; - } -+ if (safe_pad(req->dataBytes) < 0) -+ return BadLength; -+ - dataBytes = req->dataBytes; - - /* - ** Check the request length. - */ -- if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) { -+ if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) { - client->errorValue = req->length; - /* Reset in case this isn't 1st request. */ - __glXResetLargeCommandStatus(cl); -@@ -614,7 +619,7 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) - - if (cl->largeCmdRequestsSoFar == 0) { - __GLXrenderSizeData *entry; -- int extra; -+ int extra = 0; - size_t cmdlen; - /* - ** This is the first request of a multi request command. -@@ -624,12 +629,17 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) - client->errorValue = req->requestNumber; - return __glXBadLargeRequest; - } -+ if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE) -+ return BadLength; -+ - hdr = (__GLXrenderLargeHeader *) pc; - __GLX_SWAP_INT(&hdr->length); - __GLX_SWAP_INT(&hdr->opcode); -- cmdlen = hdr->length; - opcode = hdr->opcode; - -+ if ((cmdlen = safe_pad(hdr->length)) < 0) -+ return BadLength; -+ - if ( (opcode >= __GLX_MIN_RENDER_OPCODE) && - (opcode <= __GLX_MAX_RENDER_OPCODE) ) { - entry = &__glXRenderSizeTable[opcode]; -@@ -661,16 +671,12 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) - if (extra < 0) { - return BadLength; - } -- /* large command's header is 4 bytes longer, so add 4 */ -- if (cmdlen != __GLX_PAD(entry->bytes + 4 + extra)) { -- return BadLength; -- } -- } else { -- /* constant size command */ -- if (cmdlen != __GLX_PAD(entry->bytes + 4)) { -- return BadLength; -- } - } -+ /* the +4 is safe because we know entry->bytes is small */ -+ if (cmdlen != safe_pad(safe_add(entry->bytes + 4, extra))) { -+ return BadLength; -+ } -+ - /* - ** Make enough space in the buffer, then copy the entire request. - */ -@@ -698,6 +704,7 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) - ** We are receiving subsequent (i.e. not the first) requests of a - ** multi request command. - */ -+ int bytesSoFar; /* including this packet */ - - /* - ** Check the request number and the total request count. -@@ -716,7 +723,13 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) - /* - ** Check that we didn't get too much data. - */ -- if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) { -+ if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) { -+ client->errorValue = dataBytes; -+ __glXResetLargeCommandStatus(cl); -+ return __glXBadLargeRequest; -+ } -+ -+ if (bytesSoFar > cl->largeCmdBytesTotal) { - client->errorValue = dataBytes; - __glXResetLargeCommandStatus(cl); - return __glXBadLargeRequest; -@@ -730,17 +743,17 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) - ** This is the last request; it must have enough bytes to complete - ** the command. - */ -- /* NOTE: the two pad macros have been added below; they are needed -- ** because the client library pads the total byte count, but not -- ** the per-request byte counts. The Protocol Encoding says the -- ** total byte count should not be padded, so a proposal will be -- ** made to the ARB to relax the padding constraint on the total -- ** byte count, thus preserving backward compatibility. Meanwhile, -- ** the padding done below fixes a bug that did not allow -- ** large commands of odd sizes to be accepted by the server. -+ /* NOTE: the pad macro below is needed because the client library -+ ** pads the total byte count, but not the per-request byte counts. -+ ** The Protocol Encoding says the total byte count should not be -+ ** padded, so a proposal will be made to the ARB to relax the -+ ** padding constraint on the total byte count, thus preserving -+ ** backward compatibility. Meanwhile, the padding done below -+ ** fixes a bug that did not allow large commands of odd sizes to -+ ** be accepted by the server. - */ -- if (__GLX_PAD(cl->largeCmdBytesSoFar) != -- __GLX_PAD(cl->largeCmdBytesTotal)) { -+ -+ if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) { - client->errorValue = dataBytes; - __glXResetLargeCommandStatus(cl); - return __glXBadLargeRequest; --- -2.1.4 - diff --git a/debian/patches/1039-glx-Length-checking-for-RenderLarge-requests-v2.full.patch b/debian/patches/1039-glx-Length-checking-for-RenderLarge-requests-v2.full.patch new file mode 100644 index 000000000..91433b6e8 --- /dev/null +++ b/debian/patches/1039-glx-Length-checking-for-RenderLarge-requests-v2.full.patch @@ -0,0 +1,290 @@ +From 9c558f9ca2c0d4e34fa71dff272ed1c39c22cd9d Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Mon, 10 Nov 2014 12:13:43 -0500 +Subject: [PATCH 39/40] glx: Length checking for RenderLarge requests (v2) + [CVE-2014-8098 3/8] (v3) + +This is a half-measure until we start passing request length into the +varsize function, but it's better than the nothing we had before. + +v2: Verify that there's at least a large render header's worth of +dataBytes (Julien Cristau) + +v3: backport to RHEL5 + +v4: backport to nx-libs 3.6.x (Mike DePaulo) + +Reviewed-by: Michal Srb +Reviewed-by: Andy Ritger +Signed-off-by: Adam Jackson +Signed-off-by: Alan Coopersmith +Signed-off-by: Fedora X Ninjas +Signed-off-by: Dave Airlie + +fixup swap +--- + nx-X11/programs/Xserver/GL/glx/glxcmds.c | 58 ++++++++++++++++----------- + nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 59 +++++++++++++++++----------- + 2 files changed, 71 insertions(+), 46 deletions(-) + +diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmds.c b/nx-X11/programs/Xserver/GL/glx/glxcmds.c +index 831c65b..20c12f3 100644 +--- a/nx-X11/programs/Xserver/GL/glx/glxcmds.c ++++ b/nx-X11/programs/Xserver/GL/glx/glxcmds.c +@@ -1535,6 +1535,8 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) + ** duplicated there. + */ + ++ REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq); ++ + req = (xGLXRenderLargeReq *) pc; + glxc = __glXForceCurrent(cl, req->contextTag, &error); + if (!glxc) { +@@ -1542,12 +1544,15 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) + __glXResetLargeCommandStatus(cl); + return error; + } ++ if (safe_pad(req->dataBytes) < 0) ++ return BadLength; ++ + dataBytes = req->dataBytes; + + /* + ** Check the request length. + */ +- if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) { ++ if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) { + client->errorValue = req->length; + /* Reset in case this isn't 1st request. */ + __glXResetLargeCommandStatus(cl); +@@ -1557,7 +1562,7 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) + + if (cl->largeCmdRequestsSoFar == 0) { + __GLXrenderSizeData *entry; +- int extra, cmdlen; ++ int extra = 0, cmdlen; + /* + ** This is the first request of a multi request command. + ** Make enough space in the buffer, then copy the entire request. +@@ -1567,9 +1572,13 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) + return __glXBadLargeRequest; + } + ++ if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE) ++ return BadLength; ++ + hdr = (__GLXrenderLargeHeader *) pc; +- cmdlen = hdr->length; + opcode = hdr->opcode; ++ if ((cmdlen = safe_pad(hdr->length)) < 0) ++ return BadLength; + + /* + ** Check for core opcodes and grab entry data. +@@ -1603,16 +1612,13 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) + if (extra < 0) { + return BadLength; + } +- /* large command's header is 4 bytes longer, so add 4 */ +- if (cmdlen != __GLX_PAD(entry->bytes + 4 + extra)) { +- return BadLength; +- } +- } else { +- /* constant size command */ +- if (cmdlen != __GLX_PAD(entry->bytes + 4)) { +- return BadLength; +- } + } ++ ++ /* the +4 is safe because we know entry.bytes is small */ ++ if (cmdlen != safe_pad(safe_add(entry->bytes + 4, extra))) { ++ return BadLength; ++ } ++ + /* + ** Make enough space in the buffer, then copy the entire request. + */ +@@ -1641,6 +1647,7 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) + ** We are receiving subsequent (i.e. not the first) requests of a + ** multi request command. + */ ++ int bytesSoFar; /* including this packet */ + + /* + ** Check the request number and the total request count. +@@ -1659,7 +1666,13 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) + /* + ** Check that we didn't get too much data. + */ +- if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) { ++ if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) { ++ client->errorValue = dataBytes; ++ __glXResetLargeCommandStatus(cl); ++ return __glXBadLargeRequest; ++ } ++ ++ if (bytesSoFar > cl->largeCmdBytesTotal) { + client->errorValue = dataBytes; + __glXResetLargeCommandStatus(cl); + return __glXBadLargeRequest; +@@ -1673,17 +1686,16 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) + ** This is the last request; it must have enough bytes to complete + ** the command. + */ +- /* NOTE: the two pad macros have been added below; they are needed +- ** because the client library pads the total byte count, but not +- ** the per-request byte counts. The Protocol Encoding says the +- ** total byte count should not be padded, so a proposal will be +- ** made to the ARB to relax the padding constraint on the total +- ** byte count, thus preserving backward compatibility. Meanwhile, +- ** the padding done below fixes a bug that did not allow +- ** large commands of odd sizes to be accepted by the server. ++ /* NOTE: the pad macro below is needed because the client library ++ ** pads the total byte count, but not the per-request byte counts. ++ ** The Protocol Encoding says the total byte count should not be ++ ** padded, so a proposal will be made to the ARB to relax the ++ ** padding constraint on the total byte count, thus preserving ++ ** backward compatibility. Meanwhile, the padding done below ++ ** fixes a bug that did not allow large commands of odd sizes to ++ ** be accepted by the server. + */ +- if (__GLX_PAD(cl->largeCmdBytesSoFar) != +- __GLX_PAD(cl->largeCmdBytesTotal)) { ++ if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) { + client->errorValue = dataBytes; + __glXResetLargeCommandStatus(cl); + return __glXBadLargeRequest; +diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c +index 2685355..2e228c0 100644 +--- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c ++++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c +@@ -587,6 +587,8 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) + ** duplicated there. + */ + ++ REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq); ++ + req = (xGLXRenderLargeReq *) pc; + __GLX_SWAP_SHORT(&req->length); + __GLX_SWAP_INT(&req->contextTag); +@@ -599,12 +601,15 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) + __glXResetLargeCommandStatus(cl); + return error; + } ++ if (safe_pad(req->dataBytes) < 0) ++ return BadLength; ++ + dataBytes = req->dataBytes; + + /* + ** Check the request length. + */ +- if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) { ++ if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) { + client->errorValue = req->length; + /* Reset in case this isn't 1st request. */ + __glXResetLargeCommandStatus(cl); +@@ -614,7 +619,7 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) + + if (cl->largeCmdRequestsSoFar == 0) { + __GLXrenderSizeData *entry; +- int extra; ++ int extra = 0; + size_t cmdlen; + /* + ** This is the first request of a multi request command. +@@ -624,12 +629,17 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) + client->errorValue = req->requestNumber; + return __glXBadLargeRequest; + } ++ if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE) ++ return BadLength; ++ + hdr = (__GLXrenderLargeHeader *) pc; + __GLX_SWAP_INT(&hdr->length); + __GLX_SWAP_INT(&hdr->opcode); +- cmdlen = hdr->length; + opcode = hdr->opcode; + ++ if ((cmdlen = safe_pad(hdr->length)) < 0) ++ return BadLength; ++ + if ( (opcode >= __GLX_MIN_RENDER_OPCODE) && + (opcode <= __GLX_MAX_RENDER_OPCODE) ) { + entry = &__glXRenderSizeTable[opcode]; +@@ -661,16 +671,12 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) + if (extra < 0) { + return BadLength; + } +- /* large command's header is 4 bytes longer, so add 4 */ +- if (cmdlen != __GLX_PAD(entry->bytes + 4 + extra)) { +- return BadLength; +- } +- } else { +- /* constant size command */ +- if (cmdlen != __GLX_PAD(entry->bytes + 4)) { +- return BadLength; +- } + } ++ /* the +4 is safe because we know entry->bytes is small */ ++ if (cmdlen != safe_pad(safe_add(entry->bytes + 4, extra))) { ++ return BadLength; ++ } ++ + /* + ** Make enough space in the buffer, then copy the entire request. + */ +@@ -698,6 +704,7 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) + ** We are receiving subsequent (i.e. not the first) requests of a + ** multi request command. + */ ++ int bytesSoFar; /* including this packet */ + + /* + ** Check the request number and the total request count. +@@ -716,7 +723,13 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) + /* + ** Check that we didn't get too much data. + */ +- if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) { ++ if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) { ++ client->errorValue = dataBytes; ++ __glXResetLargeCommandStatus(cl); ++ return __glXBadLargeRequest; ++ } ++ ++ if (bytesSoFar > cl->largeCmdBytesTotal) { + client->errorValue = dataBytes; + __glXResetLargeCommandStatus(cl); + return __glXBadLargeRequest; +@@ -730,17 +743,17 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) + ** This is the last request; it must have enough bytes to complete + ** the command. + */ +- /* NOTE: the two pad macros have been added below; they are needed +- ** because the client library pads the total byte count, but not +- ** the per-request byte counts. The Protocol Encoding says the +- ** total byte count should not be padded, so a proposal will be +- ** made to the ARB to relax the padding constraint on the total +- ** byte count, thus preserving backward compatibility. Meanwhile, +- ** the padding done below fixes a bug that did not allow +- ** large commands of odd sizes to be accepted by the server. ++ /* NOTE: the pad macro below is needed because the client library ++ ** pads the total byte count, but not the per-request byte counts. ++ ** The Protocol Encoding says the total byte count should not be ++ ** padded, so a proposal will be made to the ARB to relax the ++ ** padding constraint on the total byte count, thus preserving ++ ** backward compatibility. Meanwhile, the padding done below ++ ** fixes a bug that did not allow large commands of odd sizes to ++ ** be accepted by the server. + */ +- if (__GLX_PAD(cl->largeCmdBytesSoFar) != +- __GLX_PAD(cl->largeCmdBytesTotal)) { ++ ++ if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) { + client->errorValue = dataBytes; + __glXResetLargeCommandStatus(cl); + return __glXBadLargeRequest; +-- +2.1.4 + diff --git a/debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-.full.patch b/debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-.full.patch new file mode 100644 index 000000000..85181f071 --- /dev/null +++ b/debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-.full.patch @@ -0,0 +1,622 @@ +From 1ea1cd8c4f93b0c03e5b34fe174b3fc9f27c7dfa Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Mon, 10 Nov 2014 12:13:48 -0500 +Subject: [PATCH 40/40] glx: Pass remaining request length into ->varsize (v2) + [CVE-2014-8098 8/8] (V3) + +v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau) + +v3: RHEL5 backport + +v4: backport to nx-libs 3.6.x (Mike DePaulo) + +Reviewed-by: Julien Cristau +Reviewed-by: Michal Srb +Reviewed-by: Andy Ritger +Signed-off-by: Adam Jackson +Signed-off-by: Alan Coopersmith +Signed-off-by: Fedora X Ninjas +Signed-off-by: Dave Airlie +--- + nx-X11/programs/Xserver/GL/glx/glxcmds.c | 6 +- + nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 7 +- + nx-X11/programs/Xserver/GL/glx/glxserver.h | 90 +++++++++---------- + nx-X11/programs/Xserver/GL/glx/rensize.c | 125 ++++++++++++++------------- + 4 files changed, 121 insertions(+), 107 deletions(-) + +diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmds.c b/nx-X11/programs/Xserver/GL/glx/glxcmds.c +index 20c12f3..a1bb259 100644 +--- a/nx-X11/programs/Xserver/GL/glx/glxcmds.c ++++ b/nx-X11/programs/Xserver/GL/glx/glxcmds.c +@@ -1490,7 +1490,7 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc) + + if (entry->varsize) { + /* variable size command */ +- extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False); ++ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False, left - __GLX_RENDER_HDR_SIZE); + if (extra < 0) { + return BadLength; + } +@@ -1563,6 +1563,7 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) + if (cl->largeCmdRequestsSoFar == 0) { + __GLXrenderSizeData *entry; + int extra = 0, cmdlen; ++ int left = (req->length << 2) - sz_xGLXRenderLargeReq; + /* + ** This is the first request of a multi request command. + ** Make enough space in the buffer, then copy the entire request. +@@ -1608,7 +1609,8 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) + ** be computed from its parameters), all the parameters needed + ** will be in the 1st request, so it's okay to do this. + */ +- extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False); ++ extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False, ++ left - __GLX_RENDER_LARGE_HDR_SIZE); + if (extra < 0) { + return BadLength; + } +diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c +index 2e228c0..33a748a 100644 +--- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c ++++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c +@@ -541,7 +541,8 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc) + + if (entry->varsize) { + /* variable size command */ +- extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True); ++ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True, ++ left - __GLX_RENDER_HDR_SIZE); + if (extra < 0) { + return BadLength; + } +@@ -620,6 +621,7 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) + if (cl->largeCmdRequestsSoFar == 0) { + __GLXrenderSizeData *entry; + int extra = 0; ++ int left = (req->length << 2) - sz_xGLXRenderLargeReq; + size_t cmdlen; + /* + ** This is the first request of a multi request command. +@@ -667,7 +669,8 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) + ** be computed from its parameters), all the parameters needed + ** will be in the 1st request, so it's okay to do this. + */ +- extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True); ++ extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True, ++ left - __GLX_RENDER_LARGE_HDR_SIZE); + if (extra < 0) { + return BadLength; + } +diff --git a/nx-X11/programs/Xserver/GL/glx/glxserver.h b/nx-X11/programs/Xserver/GL/glx/glxserver.h +index 4047574..193ebcb 100644 +--- a/nx-X11/programs/Xserver/GL/glx/glxserver.h ++++ b/nx-X11/programs/Xserver/GL/glx/glxserver.h +@@ -179,7 +179,7 @@ extern __GLXprocPtr __glXProcTable[]; + */ + typedef struct { + int bytes; +- int (*varsize)(GLbyte *pc, Bool swap); ++ int (*varsize)(GLbyte *pc, Bool swap, int left); + } __GLXrenderSizeData; + extern __GLXrenderSizeData __glXRenderSizeTable[]; + extern __GLXrenderSizeData __glXRenderSizeTable_EXT[]; +@@ -271,48 +271,48 @@ extern int __glXImageSize(GLenum format, GLenum type, + GLint imageHeight, GLint rowLength, GLint skipImages, GLint skipRows, + GLint alignment); + +-extern int __glXCallListsReqSize(GLbyte *pc, Bool swap); +-extern int __glXBitmapReqSize(GLbyte *pc, Bool swap); +-extern int __glXFogfvReqSize(GLbyte *pc, Bool swap); +-extern int __glXFogivReqSize(GLbyte *pc, Bool swap); +-extern int __glXLightfvReqSize(GLbyte *pc, Bool swap); +-extern int __glXLightivReqSize(GLbyte *pc, Bool swap); +-extern int __glXLightModelfvReqSize(GLbyte *pc, Bool swap); +-extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap); +-extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap); +-extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexGenfvReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap); +-extern int __glXMap1dReqSize(GLbyte *pc, Bool swap); +-extern int __glXMap1fReqSize(GLbyte *pc, Bool swap); +-extern int __glXMap2dReqSize(GLbyte *pc, Bool swap); +-extern int __glXMap2fReqSize(GLbyte *pc, Bool swap); +-extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap); +-extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap); +-extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap); +-extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap); +-extern int __glXDrawArraysSize(GLbyte *pc, Bool swap); +-extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap); +-extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap ); +-extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap); +-extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap); +-extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap); +-extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap); +-extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap); +-extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap); +-extern int __glXColorTableReqSize(GLbyte *pc, Bool swap); +-extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap); +-extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap); +-extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap); ++extern int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXDrawArraysSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap, int reqlen ); ++extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); + + /* + * Routines for computing the size of returned data. +@@ -322,7 +322,7 @@ extern int __glXConvolutionParameterfvSize(GLenum pname); + extern int __glXColorTableParameterfvSize(GLenum pname); + extern int __glXColorTableParameterivSize(GLenum pname); + +-extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap); +-extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap); ++extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen); ++extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); + + #endif /* !__GLX_server_h__ */ +diff --git a/nx-X11/programs/Xserver/GL/glx/rensize.c b/nx-X11/programs/Xserver/GL/glx/rensize.c +index 9bf0d00..dc3475e 100644 +--- a/nx-X11/programs/Xserver/GL/glx/rensize.c ++++ b/nx-X11/programs/Xserver/GL/glx/rensize.c +@@ -48,7 +48,7 @@ + (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \ + ((a & 0xff00U)<<8) | ((a & 0xffU)<<24)) + +-int __glXCallListsReqSize(GLbyte *pc, Bool swap ) ++int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *)(pc + 0); + GLenum type = *(GLenum *)(pc + 4); +@@ -60,7 +60,7 @@ int __glXCallListsReqSize(GLbyte *pc, Bool swap ) + return n * __glCallLists_size( type ); + } + +-int __glXFogivReqSize(GLbyte *pc, Bool swap ) ++int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 0); + if (swap) { +@@ -69,12 +69,12 @@ int __glXFogivReqSize(GLbyte *pc, Bool swap ) + return 4 * __glFogiv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXFogfvReqSize(GLbyte *pc, Bool swap ) ++int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXFogivReqSize( pc, swap ); ++ return __glXFogivReqSize( pc, swap, reqlen); + } + +-int __glXLightfvReqSize(GLbyte *pc, Bool swap ) ++int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -83,12 +83,12 @@ int __glXLightfvReqSize(GLbyte *pc, Bool swap ) + return 4 * __glLightfv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXLightivReqSize(GLbyte *pc, Bool swap ) ++int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXLightfvReqSize( pc, swap ); ++ return __glXLightfvReqSize( pc, swap, reqlen); + } + +-int __glXLightModelfvReqSize(GLbyte *pc, Bool swap ) ++int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 0); + if (swap) { +@@ -97,12 +97,12 @@ int __glXLightModelfvReqSize(GLbyte *pc, Bool swap ) + return 4 * __glLightModelfv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXLightModelivReqSize(GLbyte *pc, Bool swap ) ++int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXLightModelfvReqSize( pc, swap ); ++ return __glXLightModelfvReqSize( pc, swap, reqlen); + } + +-int __glXMaterialfvReqSize(GLbyte *pc, Bool swap ) ++int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -111,12 +111,12 @@ int __glXMaterialfvReqSize(GLbyte *pc, Bool swap ) + return 4 * __glMaterialfv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXMaterialivReqSize(GLbyte *pc, Bool swap ) ++int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXMaterialfvReqSize( pc, swap ); ++ return __glXMaterialfvReqSize( pc, swap, reqlen); + } + +-int __glXTexGendvReqSize(GLbyte *pc, Bool swap ) ++int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -125,7 +125,7 @@ int __glXTexGendvReqSize(GLbyte *pc, Bool swap ) + return 8 * __glTexGendv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXTexGenfvReqSize(GLbyte *pc, Bool swap ) ++int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -134,12 +134,12 @@ int __glXTexGenfvReqSize(GLbyte *pc, Bool swap ) + return 4 * __glTexGenfv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXTexGenivReqSize(GLbyte *pc, Bool swap ) ++int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXTexGenfvReqSize( pc, swap ); ++ return __glXTexGenfvReqSize( pc, swap, reqlen); + } + +-int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap ) ++int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -148,12 +148,12 @@ int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap ) + return 4 * __glTexParameterfv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXTexParameterivReqSize(GLbyte *pc, Bool swap ) ++int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXTexParameterfvReqSize( pc, swap ); ++ return __glXTexParameterfvReqSize( pc, swap, reqlen); + } + +-int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap ) ++int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -162,12 +162,12 @@ int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap ) + return 4 * __glTexEnvfv_size( pname ); /* defined in samplegl lib */ + } + +-int __glXTexEnvivReqSize(GLbyte *pc, Bool swap ) ++int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen ) + { +- return __glXTexEnvfvReqSize( pc, swap ); ++ return __glXTexEnvfvReqSize( pc, swap, reqlen); + } + +-int __glXMap1dReqSize(GLbyte *pc, Bool swap ) ++int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen ) + { + GLenum target; + GLint order; +@@ -183,7 +183,7 @@ int __glXMap1dReqSize(GLbyte *pc, Bool swap ) + return safe_mul(8, safe_mul(__glMap1d_size(target), order)); + } + +-int __glXMap1fReqSize(GLbyte *pc, Bool swap ) ++int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen ) + { + GLenum target; + GLint order; +@@ -205,7 +205,7 @@ static int Map2Size(int k, int majorOrder, int minorOrder) + return safe_mul(k, safe_mul(majorOrder, minorOrder)); + } + +-int __glXMap2dReqSize(GLbyte *pc, Bool swap ) ++int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum target; + GLint uorder, vorder; +@@ -221,7 +221,7 @@ int __glXMap2dReqSize(GLbyte *pc, Bool swap ) + return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder)); + } + +-int __glXMap2fReqSize(GLbyte *pc, Bool swap ) ++int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum target; + GLint uorder, vorder; +@@ -237,7 +237,7 @@ int __glXMap2fReqSize(GLbyte *pc, Bool swap ) + return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder)); + } + +-int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap ) ++int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLint mapsize; + mapsize = *(GLint *)(pc + 4); +@@ -247,12 +247,12 @@ int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap ) + return 4 * mapsize; + } + +-int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap ) ++int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXPixelMapfvReqSize( pc, swap ); ++ return __glXPixelMapfvReqSize( pc, swap, reqlen); + } + +-int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap ) ++int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLint mapsize; + mapsize = *(GLint *)(pc + 4); +@@ -458,7 +458,7 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target, + } + + +-int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap ) ++int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchDrawPixelsHeader *hdr = (__GLXdispatchDrawPixelsHeader *) pc; + GLenum format = hdr->format; +@@ -482,7 +482,7 @@ int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, skipRows, alignment ); + } + +-int __glXBitmapReqSize(GLbyte *pc, Bool swap ) ++int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchBitmapHeader *hdr = (__GLXdispatchBitmapHeader *) pc; + GLint w = hdr->width; +@@ -502,7 +502,7 @@ int __glXBitmapReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, skipRows, alignment ); + } + +-int __glXTexImage1DReqSize(GLbyte *pc, Bool swap ) ++int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc; + GLenum target = hdr->target; +@@ -531,7 +531,7 @@ int __glXTexImage1DReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, skipRows, alignment ); + } + +-int __glXTexImage2DReqSize(GLbyte *pc, Bool swap ) ++int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc; + GLenum target = hdr->target; +@@ -578,13 +578,14 @@ int __glXTypeSize(GLenum enm) + } + } + +-int __glXDrawArraysSize( GLbyte *pc, Bool swap ) ++int __glXDrawArraysSize( GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc; + __GLXdispatchDrawArraysComponentHeader *compHeader; + GLint numVertexes = hdr->numVertexes; + GLint numComponents = hdr->numComponents; + GLint arrayElementSize = 0; ++ GLint x, size; + int i; + + if (swap) { +@@ -593,6 +594,13 @@ int __glXDrawArraysSize( GLbyte *pc, Bool swap ) + } + + pc += sizeof(__GLXdispatchDrawArraysHeader); ++ reqlen -= sizeof(__GLXdispatchDrawArraysHeader); ++ ++ size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader), ++ numComponents); ++ if (size < 0 || reqlen < 0 || reqlen < size) ++ return -1; ++ + compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc; + + for (i=0; iformat; +@@ -674,7 +683,7 @@ int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, skipRows, alignment ); + } + +-int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap ) ++int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchTexSubImageHeader *hdr = (__GLXdispatchTexSubImageHeader *) pc; + GLenum format = hdr->format; +@@ -698,7 +707,7 @@ int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, skipRows, alignment ); + } + +-int __glXTexImage3DReqSize(GLbyte *pc, Bool swap ) ++int __glXTexImage3DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchTexImage3DHeader *hdr = (__GLXdispatchTexImage3DHeader *) pc; + GLenum target = hdr->target; +@@ -735,7 +744,7 @@ int __glXTexImage3DReqSize(GLbyte *pc, Bool swap ) + } + } + +-int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap ) ++int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchTexSubImage3DHeader *hdr = + (__GLXdispatchTexSubImage3DHeader *) pc; +@@ -772,7 +781,7 @@ int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap ) + } + } + +-int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap ) ++int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchConvolutionFilterHeader *hdr = + (__GLXdispatchConvolutionFilterHeader *) pc; +@@ -795,7 +804,7 @@ int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, 0, alignment ); + } + +-int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap ) ++int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchConvolutionFilterHeader *hdr = + (__GLXdispatchConvolutionFilterHeader *) pc; +@@ -841,7 +850,7 @@ int __glXConvolutionParameterfvSize(GLenum pname) + return __glXConvolutionParameterivSize(pname); + } + +-int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap ) ++int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -850,12 +859,12 @@ int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap ) + return 4 * __glXConvolutionParameterivSize( pname ); + } + +-int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap ) ++int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { +- return __glXConvolutionParameterivReqSize( pc, swap ); ++ return __glXConvolutionParameterivReqSize( pc, swap, reqlen); + } + +-int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap ) ++int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchConvolutionFilterHeader *hdr = + (__GLXdispatchConvolutionFilterHeader *) pc; +@@ -904,7 +913,7 @@ int __glXColorTableParameterivSize(GLenum pname) + return __glXColorTableParameterfvSize(pname); + } + +-int __glXColorTableReqSize(GLbyte *pc, Bool swap ) ++int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchColorTableHeader *hdr = + (__GLXdispatchColorTableHeader *) pc; +@@ -939,7 +948,7 @@ int __glXColorTableReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, 0, alignment ); + } + +-int __glXColorSubTableReqSize(GLbyte *pc, Bool swap ) ++int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen) + { + __GLXdispatchColorSubTableHeader *hdr = + (__GLXdispatchColorSubTableHeader *) pc; +@@ -962,7 +971,7 @@ int __glXColorSubTableReqSize(GLbyte *pc, Bool swap ) + 0, rowLength, 0, 0, alignment ); + } + +-int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap ) ++int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 4); + if (swap) { +@@ -971,13 +980,13 @@ int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap ) + return 4 * __glXColorTableParameterfvSize(pname); + } + +-int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap ) ++int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) + { + /* no difference between fv and iv versions */ +- return __glXColorTableParameterfvReqSize(pc, swap); ++ return __glXColorTableParameterfvReqSize(pc, swap, reqlen); + } + +-int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap ) ++int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *)(pc + 0); + if (swap) { +@@ -986,8 +995,8 @@ int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap ) + return 4 * __glPointParameterfvEXT_size( pname ); + } + +-int __glXPointParameterivReqSize(GLbyte *pc, Bool swap ) ++int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) + { + /* no difference between fv and iv versions */ +- return __glXPointParameterfvARBReqSize(pc, swap); ++ return __glXPointParameterfvARBReqSize(pc, swap, reqlen); + } +-- +2.1.4 + diff --git a/debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch b/debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch deleted file mode 100644 index 85181f071..000000000 --- a/debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch +++ /dev/null @@ -1,622 +0,0 @@ -From 1ea1cd8c4f93b0c03e5b34fe174b3fc9f27c7dfa Mon Sep 17 00:00:00 2001 -From: Adam Jackson -Date: Mon, 10 Nov 2014 12:13:48 -0500 -Subject: [PATCH 40/40] glx: Pass remaining request length into ->varsize (v2) - [CVE-2014-8098 8/8] (V3) - -v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau) - -v3: RHEL5 backport - -v4: backport to nx-libs 3.6.x (Mike DePaulo) - -Reviewed-by: Julien Cristau -Reviewed-by: Michal Srb -Reviewed-by: Andy Ritger -Signed-off-by: Adam Jackson -Signed-off-by: Alan Coopersmith -Signed-off-by: Fedora X Ninjas -Signed-off-by: Dave Airlie ---- - nx-X11/programs/Xserver/GL/glx/glxcmds.c | 6 +- - nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 7 +- - nx-X11/programs/Xserver/GL/glx/glxserver.h | 90 +++++++++---------- - nx-X11/programs/Xserver/GL/glx/rensize.c | 125 ++++++++++++++------------- - 4 files changed, 121 insertions(+), 107 deletions(-) - -diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmds.c b/nx-X11/programs/Xserver/GL/glx/glxcmds.c -index 20c12f3..a1bb259 100644 ---- a/nx-X11/programs/Xserver/GL/glx/glxcmds.c -+++ b/nx-X11/programs/Xserver/GL/glx/glxcmds.c -@@ -1490,7 +1490,7 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc) - - if (entry->varsize) { - /* variable size command */ -- extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False); -+ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False, left - __GLX_RENDER_HDR_SIZE); - if (extra < 0) { - return BadLength; - } -@@ -1563,6 +1563,7 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) - if (cl->largeCmdRequestsSoFar == 0) { - __GLXrenderSizeData *entry; - int extra = 0, cmdlen; -+ int left = (req->length << 2) - sz_xGLXRenderLargeReq; - /* - ** This is the first request of a multi request command. - ** Make enough space in the buffer, then copy the entire request. -@@ -1608,7 +1609,8 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc) - ** be computed from its parameters), all the parameters needed - ** will be in the 1st request, so it's okay to do this. - */ -- extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False); -+ extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False, -+ left - __GLX_RENDER_LARGE_HDR_SIZE); - if (extra < 0) { - return BadLength; - } -diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c -index 2e228c0..33a748a 100644 ---- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c -+++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c -@@ -541,7 +541,8 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc) - - if (entry->varsize) { - /* variable size command */ -- extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True); -+ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True, -+ left - __GLX_RENDER_HDR_SIZE); - if (extra < 0) { - return BadLength; - } -@@ -620,6 +621,7 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) - if (cl->largeCmdRequestsSoFar == 0) { - __GLXrenderSizeData *entry; - int extra = 0; -+ int left = (req->length << 2) - sz_xGLXRenderLargeReq; - size_t cmdlen; - /* - ** This is the first request of a multi request command. -@@ -667,7 +669,8 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc) - ** be computed from its parameters), all the parameters needed - ** will be in the 1st request, so it's okay to do this. - */ -- extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True); -+ extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True, -+ left - __GLX_RENDER_LARGE_HDR_SIZE); - if (extra < 0) { - return BadLength; - } -diff --git a/nx-X11/programs/Xserver/GL/glx/glxserver.h b/nx-X11/programs/Xserver/GL/glx/glxserver.h -index 4047574..193ebcb 100644 ---- a/nx-X11/programs/Xserver/GL/glx/glxserver.h -+++ b/nx-X11/programs/Xserver/GL/glx/glxserver.h -@@ -179,7 +179,7 @@ extern __GLXprocPtr __glXProcTable[]; - */ - typedef struct { - int bytes; -- int (*varsize)(GLbyte *pc, Bool swap); -+ int (*varsize)(GLbyte *pc, Bool swap, int left); - } __GLXrenderSizeData; - extern __GLXrenderSizeData __glXRenderSizeTable[]; - extern __GLXrenderSizeData __glXRenderSizeTable_EXT[]; -@@ -271,48 +271,48 @@ extern int __glXImageSize(GLenum format, GLenum type, - GLint imageHeight, GLint rowLength, GLint skipImages, GLint skipRows, - GLint alignment); - --extern int __glXCallListsReqSize(GLbyte *pc, Bool swap); --extern int __glXBitmapReqSize(GLbyte *pc, Bool swap); --extern int __glXFogfvReqSize(GLbyte *pc, Bool swap); --extern int __glXFogivReqSize(GLbyte *pc, Bool swap); --extern int __glXLightfvReqSize(GLbyte *pc, Bool swap); --extern int __glXLightivReqSize(GLbyte *pc, Bool swap); --extern int __glXLightModelfvReqSize(GLbyte *pc, Bool swap); --extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap); --extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap); --extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap); --extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap); --extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap); --extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap); --extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap); --extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap); --extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap); --extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap); --extern int __glXTexGenfvReqSize(GLbyte *pc, Bool swap); --extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap); --extern int __glXMap1dReqSize(GLbyte *pc, Bool swap); --extern int __glXMap1fReqSize(GLbyte *pc, Bool swap); --extern int __glXMap2dReqSize(GLbyte *pc, Bool swap); --extern int __glXMap2fReqSize(GLbyte *pc, Bool swap); --extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap); --extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap); --extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap); --extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap); --extern int __glXDrawArraysSize(GLbyte *pc, Bool swap); --extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap); --extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap); --extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap); --extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap ); --extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap); --extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap); --extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap); --extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap); --extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap); --extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap); --extern int __glXColorTableReqSize(GLbyte *pc, Bool swap); --extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap); --extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap); --extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap); -+extern int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXDrawArraysSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap, int reqlen ); -+extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); - - /* - * Routines for computing the size of returned data. -@@ -322,7 +322,7 @@ extern int __glXConvolutionParameterfvSize(GLenum pname); - extern int __glXColorTableParameterfvSize(GLenum pname); - extern int __glXColorTableParameterivSize(GLenum pname); - --extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap); --extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap); -+extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen); -+extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen); - - #endif /* !__GLX_server_h__ */ -diff --git a/nx-X11/programs/Xserver/GL/glx/rensize.c b/nx-X11/programs/Xserver/GL/glx/rensize.c -index 9bf0d00..dc3475e 100644 ---- a/nx-X11/programs/Xserver/GL/glx/rensize.c -+++ b/nx-X11/programs/Xserver/GL/glx/rensize.c -@@ -48,7 +48,7 @@ - (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \ - ((a & 0xff00U)<<8) | ((a & 0xffU)<<24)) - --int __glXCallListsReqSize(GLbyte *pc, Bool swap ) -+int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLsizei n = *(GLsizei *)(pc + 0); - GLenum type = *(GLenum *)(pc + 4); -@@ -60,7 +60,7 @@ int __glXCallListsReqSize(GLbyte *pc, Bool swap ) - return n * __glCallLists_size( type ); - } - --int __glXFogivReqSize(GLbyte *pc, Bool swap ) -+int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum pname = *(GLenum *)(pc + 0); - if (swap) { -@@ -69,12 +69,12 @@ int __glXFogivReqSize(GLbyte *pc, Bool swap ) - return 4 * __glFogiv_size( pname ); /* defined in samplegl lib */ - } - --int __glXFogfvReqSize(GLbyte *pc, Bool swap ) -+int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen) - { -- return __glXFogivReqSize( pc, swap ); -+ return __glXFogivReqSize( pc, swap, reqlen); - } - --int __glXLightfvReqSize(GLbyte *pc, Bool swap ) -+int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum pname = *(GLenum *)(pc + 4); - if (swap) { -@@ -83,12 +83,12 @@ int __glXLightfvReqSize(GLbyte *pc, Bool swap ) - return 4 * __glLightfv_size( pname ); /* defined in samplegl lib */ - } - --int __glXLightivReqSize(GLbyte *pc, Bool swap ) -+int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen) - { -- return __glXLightfvReqSize( pc, swap ); -+ return __glXLightfvReqSize( pc, swap, reqlen); - } - --int __glXLightModelfvReqSize(GLbyte *pc, Bool swap ) -+int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum pname = *(GLenum *)(pc + 0); - if (swap) { -@@ -97,12 +97,12 @@ int __glXLightModelfvReqSize(GLbyte *pc, Bool swap ) - return 4 * __glLightModelfv_size( pname ); /* defined in samplegl lib */ - } - --int __glXLightModelivReqSize(GLbyte *pc, Bool swap ) -+int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen) - { -- return __glXLightModelfvReqSize( pc, swap ); -+ return __glXLightModelfvReqSize( pc, swap, reqlen); - } - --int __glXMaterialfvReqSize(GLbyte *pc, Bool swap ) -+int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum pname = *(GLenum *)(pc + 4); - if (swap) { -@@ -111,12 +111,12 @@ int __glXMaterialfvReqSize(GLbyte *pc, Bool swap ) - return 4 * __glMaterialfv_size( pname ); /* defined in samplegl lib */ - } - --int __glXMaterialivReqSize(GLbyte *pc, Bool swap ) -+int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen) - { -- return __glXMaterialfvReqSize( pc, swap ); -+ return __glXMaterialfvReqSize( pc, swap, reqlen); - } - --int __glXTexGendvReqSize(GLbyte *pc, Bool swap ) -+int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum pname = *(GLenum *)(pc + 4); - if (swap) { -@@ -125,7 +125,7 @@ int __glXTexGendvReqSize(GLbyte *pc, Bool swap ) - return 8 * __glTexGendv_size( pname ); /* defined in samplegl lib */ - } - --int __glXTexGenfvReqSize(GLbyte *pc, Bool swap ) -+int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum pname = *(GLenum *)(pc + 4); - if (swap) { -@@ -134,12 +134,12 @@ int __glXTexGenfvReqSize(GLbyte *pc, Bool swap ) - return 4 * __glTexGenfv_size( pname ); /* defined in samplegl lib */ - } - --int __glXTexGenivReqSize(GLbyte *pc, Bool swap ) -+int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen) - { -- return __glXTexGenfvReqSize( pc, swap ); -+ return __glXTexGenfvReqSize( pc, swap, reqlen); - } - --int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap ) -+int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum pname = *(GLenum *)(pc + 4); - if (swap) { -@@ -148,12 +148,12 @@ int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap ) - return 4 * __glTexParameterfv_size( pname ); /* defined in samplegl lib */ - } - --int __glXTexParameterivReqSize(GLbyte *pc, Bool swap ) -+int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) - { -- return __glXTexParameterfvReqSize( pc, swap ); -+ return __glXTexParameterfvReqSize( pc, swap, reqlen); - } - --int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap ) -+int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum pname = *(GLenum *)(pc + 4); - if (swap) { -@@ -162,12 +162,12 @@ int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap ) - return 4 * __glTexEnvfv_size( pname ); /* defined in samplegl lib */ - } - --int __glXTexEnvivReqSize(GLbyte *pc, Bool swap ) -+int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen ) - { -- return __glXTexEnvfvReqSize( pc, swap ); -+ return __glXTexEnvfvReqSize( pc, swap, reqlen); - } - --int __glXMap1dReqSize(GLbyte *pc, Bool swap ) -+int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen ) - { - GLenum target; - GLint order; -@@ -183,7 +183,7 @@ int __glXMap1dReqSize(GLbyte *pc, Bool swap ) - return safe_mul(8, safe_mul(__glMap1d_size(target), order)); - } - --int __glXMap1fReqSize(GLbyte *pc, Bool swap ) -+int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen ) - { - GLenum target; - GLint order; -@@ -205,7 +205,7 @@ static int Map2Size(int k, int majorOrder, int minorOrder) - return safe_mul(k, safe_mul(majorOrder, minorOrder)); - } - --int __glXMap2dReqSize(GLbyte *pc, Bool swap ) -+int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum target; - GLint uorder, vorder; -@@ -221,7 +221,7 @@ int __glXMap2dReqSize(GLbyte *pc, Bool swap ) - return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder)); - } - --int __glXMap2fReqSize(GLbyte *pc, Bool swap ) -+int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum target; - GLint uorder, vorder; -@@ -237,7 +237,7 @@ int __glXMap2fReqSize(GLbyte *pc, Bool swap ) - return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder)); - } - --int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap ) -+int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLint mapsize; - mapsize = *(GLint *)(pc + 4); -@@ -247,12 +247,12 @@ int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap ) - return 4 * mapsize; - } - --int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap ) -+int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen) - { -- return __glXPixelMapfvReqSize( pc, swap ); -+ return __glXPixelMapfvReqSize( pc, swap, reqlen); - } - --int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap ) -+int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLint mapsize; - mapsize = *(GLint *)(pc + 4); -@@ -458,7 +458,7 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target, - } - - --int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap ) -+int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchDrawPixelsHeader *hdr = (__GLXdispatchDrawPixelsHeader *) pc; - GLenum format = hdr->format; -@@ -482,7 +482,7 @@ int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap ) - 0, rowLength, 0, skipRows, alignment ); - } - --int __glXBitmapReqSize(GLbyte *pc, Bool swap ) -+int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchBitmapHeader *hdr = (__GLXdispatchBitmapHeader *) pc; - GLint w = hdr->width; -@@ -502,7 +502,7 @@ int __glXBitmapReqSize(GLbyte *pc, Bool swap ) - 0, rowLength, 0, skipRows, alignment ); - } - --int __glXTexImage1DReqSize(GLbyte *pc, Bool swap ) -+int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc; - GLenum target = hdr->target; -@@ -531,7 +531,7 @@ int __glXTexImage1DReqSize(GLbyte *pc, Bool swap ) - 0, rowLength, 0, skipRows, alignment ); - } - --int __glXTexImage2DReqSize(GLbyte *pc, Bool swap ) -+int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc; - GLenum target = hdr->target; -@@ -578,13 +578,14 @@ int __glXTypeSize(GLenum enm) - } - } - --int __glXDrawArraysSize( GLbyte *pc, Bool swap ) -+int __glXDrawArraysSize( GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc; - __GLXdispatchDrawArraysComponentHeader *compHeader; - GLint numVertexes = hdr->numVertexes; - GLint numComponents = hdr->numComponents; - GLint arrayElementSize = 0; -+ GLint x, size; - int i; - - if (swap) { -@@ -593,6 +594,13 @@ int __glXDrawArraysSize( GLbyte *pc, Bool swap ) - } - - pc += sizeof(__GLXdispatchDrawArraysHeader); -+ reqlen -= sizeof(__GLXdispatchDrawArraysHeader); -+ -+ size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader), -+ numComponents); -+ if (size < 0 || reqlen < 0 || reqlen < size) -+ return -1; -+ - compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc; - - for (i=0; iformat; -@@ -674,7 +683,7 @@ int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap ) - 0, rowLength, 0, skipRows, alignment ); - } - --int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap ) -+int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchTexSubImageHeader *hdr = (__GLXdispatchTexSubImageHeader *) pc; - GLenum format = hdr->format; -@@ -698,7 +707,7 @@ int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap ) - 0, rowLength, 0, skipRows, alignment ); - } - --int __glXTexImage3DReqSize(GLbyte *pc, Bool swap ) -+int __glXTexImage3DReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchTexImage3DHeader *hdr = (__GLXdispatchTexImage3DHeader *) pc; - GLenum target = hdr->target; -@@ -735,7 +744,7 @@ int __glXTexImage3DReqSize(GLbyte *pc, Bool swap ) - } - } - --int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap ) -+int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchTexSubImage3DHeader *hdr = - (__GLXdispatchTexSubImage3DHeader *) pc; -@@ -772,7 +781,7 @@ int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap ) - } - } - --int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap ) -+int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchConvolutionFilterHeader *hdr = - (__GLXdispatchConvolutionFilterHeader *) pc; -@@ -795,7 +804,7 @@ int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap ) - 0, rowLength, 0, 0, alignment ); - } - --int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap ) -+int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchConvolutionFilterHeader *hdr = - (__GLXdispatchConvolutionFilterHeader *) pc; -@@ -841,7 +850,7 @@ int __glXConvolutionParameterfvSize(GLenum pname) - return __glXConvolutionParameterivSize(pname); - } - --int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap ) -+int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum pname = *(GLenum *)(pc + 4); - if (swap) { -@@ -850,12 +859,12 @@ int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap ) - return 4 * __glXConvolutionParameterivSize( pname ); - } - --int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap ) -+int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen) - { -- return __glXConvolutionParameterivReqSize( pc, swap ); -+ return __glXConvolutionParameterivReqSize( pc, swap, reqlen); - } - --int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap ) -+int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchConvolutionFilterHeader *hdr = - (__GLXdispatchConvolutionFilterHeader *) pc; -@@ -904,7 +913,7 @@ int __glXColorTableParameterivSize(GLenum pname) - return __glXColorTableParameterfvSize(pname); - } - --int __glXColorTableReqSize(GLbyte *pc, Bool swap ) -+int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchColorTableHeader *hdr = - (__GLXdispatchColorTableHeader *) pc; -@@ -939,7 +948,7 @@ int __glXColorTableReqSize(GLbyte *pc, Bool swap ) - 0, rowLength, 0, 0, alignment ); - } - --int __glXColorSubTableReqSize(GLbyte *pc, Bool swap ) -+int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen) - { - __GLXdispatchColorSubTableHeader *hdr = - (__GLXdispatchColorSubTableHeader *) pc; -@@ -962,7 +971,7 @@ int __glXColorSubTableReqSize(GLbyte *pc, Bool swap ) - 0, rowLength, 0, 0, alignment ); - } - --int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap ) -+int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum pname = *(GLenum *)(pc + 4); - if (swap) { -@@ -971,13 +980,13 @@ int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap ) - return 4 * __glXColorTableParameterfvSize(pname); - } - --int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap ) -+int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) - { - /* no difference between fv and iv versions */ -- return __glXColorTableParameterfvReqSize(pc, swap); -+ return __glXColorTableParameterfvReqSize(pc, swap, reqlen); - } - --int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap ) -+int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen) - { - GLenum pname = *(GLenum *)(pc + 0); - if (swap) { -@@ -986,8 +995,8 @@ int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap ) - return 4 * __glPointParameterfvEXT_size( pname ); - } - --int __glXPointParameterivReqSize(GLbyte *pc, Bool swap ) -+int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen) - { - /* no difference between fv and iv versions */ -- return __glXPointParameterfvARBReqSize(pc, swap); -+ return __glXPointParameterfvARBReqSize(pc, swap, reqlen); - } --- -2.1.4 - diff --git a/debian/patches/1041-nx-X11-lib-font-fc-fserve.c-initialize-remainin.full.patch b/debian/patches/1041-nx-X11-lib-font-fc-fserve.c-initialize-remainin.full.patch new file mode 100644 index 000000000..b74b2d405 --- /dev/null +++ b/debian/patches/1041-nx-X11-lib-font-fc-fserve.c-initialize-remainin.full.patch @@ -0,0 +1,35 @@ +From b04f11915e29d9563d279e1326f61b50ea414dba Mon Sep 17 00:00:00 2001 +From: Mihai Moldovan +Date: Mon, 16 Feb 2015 06:03:48 +0100 +Subject: [PATCH 01/02] nx-X11/lib/font/fc/fserve.c: initialize remaining + bufleft variables. + +--- + nx-X11/lib/font/fc/fserve.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c +index 86b5753..6bbb8c2 100644 +--- a/nx-X11/lib/font/fc/fserve.c ++++ b/nx-X11/lib/font/fc/fserve.c +@@ -1917,7 +1917,7 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + FontInfoPtr pfi = &pfont->info; + fsQueryXBitmaps16Reply *rep; + char *buf; +- long bufleft; /* length of reply left to use */ ++ long bufleft = 0; /* length of reply left to use */ + fsOffset32 *ppbits; + fsOffset32 local_off; + char *off_adr; +@@ -2501,7 +2501,7 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + FSBlockedListInfoPtr binfo = (FSBlockedListInfoPtr) blockrec->data; + fsListFontsWithXInfoReply *rep; + char *buf; +- long bufleft; ++ long bufleft = 0; + FSFpePtr conn = (FSFpePtr) fpe->private; + fsPropInfo *pi; + fsPropOffset *po; +-- +2.1.4 + diff --git a/debian/patches/1041-nx-X11-lib-font-fc-fserve.c-initialize-remaining-buf.patch b/debian/patches/1041-nx-X11-lib-font-fc-fserve.c-initialize-remaining-buf.patch deleted file mode 100644 index b74b2d405..000000000 --- a/debian/patches/1041-nx-X11-lib-font-fc-fserve.c-initialize-remaining-buf.patch +++ /dev/null @@ -1,35 +0,0 @@ -From b04f11915e29d9563d279e1326f61b50ea414dba Mon Sep 17 00:00:00 2001 -From: Mihai Moldovan -Date: Mon, 16 Feb 2015 06:03:48 +0100 -Subject: [PATCH 01/02] nx-X11/lib/font/fc/fserve.c: initialize remaining - bufleft variables. - ---- - nx-X11/lib/font/fc/fserve.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c -index 86b5753..6bbb8c2 100644 ---- a/nx-X11/lib/font/fc/fserve.c -+++ b/nx-X11/lib/font/fc/fserve.c -@@ -1917,7 +1917,7 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - FontInfoPtr pfi = &pfont->info; - fsQueryXBitmaps16Reply *rep; - char *buf; -- long bufleft; /* length of reply left to use */ -+ long bufleft = 0; /* length of reply left to use */ - fsOffset32 *ppbits; - fsOffset32 local_off; - char *off_adr; -@@ -2501,7 +2501,7 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - FSBlockedListInfoPtr binfo = (FSBlockedListInfoPtr) blockrec->data; - fsListFontsWithXInfoReply *rep; - char *buf; -- long bufleft; -+ long bufleft = 0; - FSFpePtr conn = (FSFpePtr) fpe->private; - fsPropInfo *pi; - fsPropOffset *po; --- -2.1.4 - diff --git a/debian/patches/1042-Do-proper-input-validation-to-fix-for-CVE-2011-.full.patch b/debian/patches/1042-Do-proper-input-validation-to-fix-for-CVE-2011-.full.patch new file mode 100644 index 000000000..9ea330101 --- /dev/null +++ b/debian/patches/1042-Do-proper-input-validation-to-fix-for-CVE-2011-.full.patch @@ -0,0 +1,110 @@ +From 36368e658a2b83753230af5296978ce27f468d8b Mon Sep 17 00:00:00 2001 +From: Joerg Sonnenberger +Date: Sun, 21 Aug 2011 18:51:53 +0200 +Subject: [PATCH 02/02] Do proper input validation to fix for CVE-2011-2895. + +It ensures that all valid input can be decompressed, checks that the +overflow conditions doesn't happen and generally tightens the +validation of the LZW stream and doesn't pessimize the inner loop for +no good reason. It's derived from a change in libarchive from 2004. + +v2: backports to nx-libs 3.6.x (Mihai Moldovan) +v3: fix comment lines starting with "+" + whitespace fixes (Mike Gabriel) +Signed-off-by: Matthieu Herrb +Reviewed-by: Tomas Hoger +--- + nx-X11/lib/font/fontfile/decompress.c | 31 +++++++++++++++++-------------- + 1 file changed, 17 insertions(+), 14 deletions(-) + +diff --git a/nx-X11/lib/font/fontfile/decompress.c b/nx-X11/lib/font/fontfile/decompress.c +index 553b315..c7e649f 100644 +--- a/nx-X11/lib/font/fontfile/decompress.c ++++ b/nx-X11/lib/font/fontfile/decompress.c +@@ -99,7 +99,7 @@ static char_type magic_header[] = { "\037\235" }; /* 1F 9D */ + #define FIRST 257 /* first free entry */ + #define CLEAR 256 /* table clear output code */ + +-#define STACK_SIZE 8192 ++#define STACK_SIZE 65300 + + typedef struct _compressedFILE { + BufFilePtr file; +@@ -180,14 +180,12 @@ BufFilePushCompressed (BufFilePtr f) + file->tab_suffix[code] = (char_type) code; + } + file->free_ent = ((file->block_compress) ? FIRST : 256 ); ++ file->oldcode = -1; + file->clear_flg = 0; + file->offset = 0; + file->size = 0; + file->stackp = file->de_stack; + bzero(file->buf, BITS); +- file->finchar = file->oldcode = getcode (file); +- if (file->oldcode != -1) +- *file->stackp++ = file->finchar; + return BufFileCreate ((char *) file, + BufCompressedFill, + 0, +@@ -232,9 +230,6 @@ BufCompressedFill (BufFilePtr f) + if (buf == bufend) + break; + +- if (oldcode == -1) +- break; +- + code = getcode (file); + if (code == -1) + break; +@@ -243,26 +238,34 @@ BufCompressedFill (BufFilePtr f) + for ( code = 255; code >= 0; code-- ) + file->tab_prefix[code] = 0; + file->clear_flg = 1; +- file->free_ent = FIRST - 1; +- if ( (code = getcode (file)) == -1 ) /* O, untimely death! */ +- break; ++ file->free_ent = FIRST; ++ oldcode = -1; ++ continue; + } + incode = code; + /* + * Special case for KwKwK string. + */ + if ( code >= file->free_ent ) { ++ if ( code > file->free_ent || oldcode == -1 ) { ++ /* Bad stream. */ ++ return BUFFILEEOF; ++ } + *stackp++ = finchar; + code = oldcode; + } +- ++ /* ++ * The above condition ensures that code < free_ent. ++ * The construction of tab_prefixof in turn guarantees that ++ * each iteration decreases code and therefore stack usage is ++ * bound by 1 << BITS - 256. ++ */ ++ + /* + * Generate output characters in reverse order + */ + while ( code >= 256 ) + { +- if (stackp - de_stack >= STACK_SIZE - 1) +- return BUFFILEEOF; + *stackp++ = file->tab_suffix[code]; + code = file->tab_prefix[code]; + } +@@ -272,7 +275,7 @@ BufCompressedFill (BufFilePtr f) + /* + * Generate the new entry. + */ +- if ( (code=file->free_ent) < file->maxmaxcode ) { ++ if ( (code=file->free_ent) < file->maxmaxcode && oldcode != -1) { + file->tab_prefix[code] = (unsigned short)oldcode; + file->tab_suffix[code] = finchar; + file->free_ent = code+1; +-- +2.1.4 + diff --git a/debian/patches/1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch b/debian/patches/1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch deleted file mode 100644 index 9ea330101..000000000 --- a/debian/patches/1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch +++ /dev/null @@ -1,110 +0,0 @@ -From 36368e658a2b83753230af5296978ce27f468d8b Mon Sep 17 00:00:00 2001 -From: Joerg Sonnenberger -Date: Sun, 21 Aug 2011 18:51:53 +0200 -Subject: [PATCH 02/02] Do proper input validation to fix for CVE-2011-2895. - -It ensures that all valid input can be decompressed, checks that the -overflow conditions doesn't happen and generally tightens the -validation of the LZW stream and doesn't pessimize the inner loop for -no good reason. It's derived from a change in libarchive from 2004. - -v2: backports to nx-libs 3.6.x (Mihai Moldovan) -v3: fix comment lines starting with "+" + whitespace fixes (Mike Gabriel) -Signed-off-by: Matthieu Herrb -Reviewed-by: Tomas Hoger ---- - nx-X11/lib/font/fontfile/decompress.c | 31 +++++++++++++++++-------------- - 1 file changed, 17 insertions(+), 14 deletions(-) - -diff --git a/nx-X11/lib/font/fontfile/decompress.c b/nx-X11/lib/font/fontfile/decompress.c -index 553b315..c7e649f 100644 ---- a/nx-X11/lib/font/fontfile/decompress.c -+++ b/nx-X11/lib/font/fontfile/decompress.c -@@ -99,7 +99,7 @@ static char_type magic_header[] = { "\037\235" }; /* 1F 9D */ - #define FIRST 257 /* first free entry */ - #define CLEAR 256 /* table clear output code */ - --#define STACK_SIZE 8192 -+#define STACK_SIZE 65300 - - typedef struct _compressedFILE { - BufFilePtr file; -@@ -180,14 +180,12 @@ BufFilePushCompressed (BufFilePtr f) - file->tab_suffix[code] = (char_type) code; - } - file->free_ent = ((file->block_compress) ? FIRST : 256 ); -+ file->oldcode = -1; - file->clear_flg = 0; - file->offset = 0; - file->size = 0; - file->stackp = file->de_stack; - bzero(file->buf, BITS); -- file->finchar = file->oldcode = getcode (file); -- if (file->oldcode != -1) -- *file->stackp++ = file->finchar; - return BufFileCreate ((char *) file, - BufCompressedFill, - 0, -@@ -232,9 +230,6 @@ BufCompressedFill (BufFilePtr f) - if (buf == bufend) - break; - -- if (oldcode == -1) -- break; -- - code = getcode (file); - if (code == -1) - break; -@@ -243,26 +238,34 @@ BufCompressedFill (BufFilePtr f) - for ( code = 255; code >= 0; code-- ) - file->tab_prefix[code] = 0; - file->clear_flg = 1; -- file->free_ent = FIRST - 1; -- if ( (code = getcode (file)) == -1 ) /* O, untimely death! */ -- break; -+ file->free_ent = FIRST; -+ oldcode = -1; -+ continue; - } - incode = code; - /* - * Special case for KwKwK string. - */ - if ( code >= file->free_ent ) { -+ if ( code > file->free_ent || oldcode == -1 ) { -+ /* Bad stream. */ -+ return BUFFILEEOF; -+ } - *stackp++ = finchar; - code = oldcode; - } -- -+ /* -+ * The above condition ensures that code < free_ent. -+ * The construction of tab_prefixof in turn guarantees that -+ * each iteration decreases code and therefore stack usage is -+ * bound by 1 << BITS - 256. -+ */ -+ - /* - * Generate output characters in reverse order - */ - while ( code >= 256 ) - { -- if (stackp - de_stack >= STACK_SIZE - 1) -- return BUFFILEEOF; - *stackp++ = file->tab_suffix[code]; - code = file->tab_prefix[code]; - } -@@ -272,7 +275,7 @@ BufCompressedFill (BufFilePtr f) - /* - * Generate the new entry. - */ -- if ( (code=file->free_ent) < file->maxmaxcode ) { -+ if ( (code=file->free_ent) < file->maxmaxcode && oldcode != -1) { - file->tab_prefix[code] = (unsigned short)oldcode; - file->tab_suffix[code] = finchar; - file->free_ent = code+1; --- -2.1.4 - diff --git a/debian/patches/1101-Coverity-844-845-846-Fix-memory-leaks.full.patch b/debian/patches/1101-Coverity-844-845-846-Fix-memory-leaks.full.patch new file mode 100644 index 000000000..e373bae26 --- /dev/null +++ b/debian/patches/1101-Coverity-844-845-846-Fix-memory-leaks.full.patch @@ -0,0 +1,63 @@ +From d6ce946f9c0bb5746b8333b3f589aa8527739431 Mon Sep 17 00:00:00 2001 +From: Daniel Stone +Date: Fri, 7 Apr 2006 16:07:50 +0000 +Subject: [PATCH 1/4] Coverity #844, #845, #846: Fix memory leaks. + +v2: backport to nx-libs 3.6.x as a prereq for +the CVE-2015-0255 fix (Mike DePaulo) +--- + nx-X11/programs/Xserver/xkb/xkb.c | 22 +++++++++++++++++++--- + 1 file changed, 19 insertions(+), 3 deletions(-) + +diff --git a/nx-X11/programs/Xserver/xkb/xkb.c b/nx-X11/programs/Xserver/xkb/xkb.c +index 2405090..2561c89 100644 +--- a/nx-X11/programs/Xserver/xkb/xkb.c ++++ b/nx-X11/programs/Xserver/xkb/xkb.c +@@ -4794,9 +4794,20 @@ char * wire; + for (i=0;inProperties;i++) { + char *name,*val; + name= _GetCountedString(&wire,client->swapped); ++ if (!name) ++ return BadAlloc; + val= _GetCountedString(&wire,client->swapped); +- if ((!name)||(!val)||(XkbAddGeomProperty(geom,name,val)==NULL)) ++ if (!val) { ++ xfree(name); ++ return BadAlloc; ++ } ++ if (XkbAddGeomProperty(geom,name,val)==NULL) { ++ xfree(name); ++ xfree(val); + return BadAlloc; ++ } ++ xfree(name); ++ xfree(val); + } + + if (req->nColors<2) { +@@ -4813,15 +4824,20 @@ char * wire; + } + if (req->labelColorNdx==req->baseColorNdx) { + client->errorValue= _XkbErrCode3(0x04,req->baseColorNdx, +- req->labelColorNdx); ++ req->labelColorNdx); + return BadMatch; + } + + for (i=0;inColors;i++) { + char *name; + name= _GetCountedString(&wire,client->swapped); +- if ((!name)||(!XkbAddGeomColor(geom,name,geom->num_colors))) ++ if (!name) ++ return BadAlloc; ++ if (!XkbAddGeomColor(geom,name,geom->num_colors)) { ++ xfree(name); + return BadAlloc; ++ } ++ xfree(name); + } + if (req->nColors!=geom->num_colors) { + client->errorValue= _XkbErrCode3(0x05,req->nColors,geom->num_colors); +-- +1.9.1 + diff --git a/debian/patches/1101-Coverity-844-845-846-Fix-memory-leaks.patch b/debian/patches/1101-Coverity-844-845-846-Fix-memory-leaks.patch deleted file mode 100644 index e373bae26..000000000 --- a/debian/patches/1101-Coverity-844-845-846-Fix-memory-leaks.patch +++ /dev/null @@ -1,63 +0,0 @@ -From d6ce946f9c0bb5746b8333b3f589aa8527739431 Mon Sep 17 00:00:00 2001 -From: Daniel Stone -Date: Fri, 7 Apr 2006 16:07:50 +0000 -Subject: [PATCH 1/4] Coverity #844, #845, #846: Fix memory leaks. - -v2: backport to nx-libs 3.6.x as a prereq for -the CVE-2015-0255 fix (Mike DePaulo) ---- - nx-X11/programs/Xserver/xkb/xkb.c | 22 +++++++++++++++++++--- - 1 file changed, 19 insertions(+), 3 deletions(-) - -diff --git a/nx-X11/programs/Xserver/xkb/xkb.c b/nx-X11/programs/Xserver/xkb/xkb.c -index 2405090..2561c89 100644 ---- a/nx-X11/programs/Xserver/xkb/xkb.c -+++ b/nx-X11/programs/Xserver/xkb/xkb.c -@@ -4794,9 +4794,20 @@ char * wire; - for (i=0;inProperties;i++) { - char *name,*val; - name= _GetCountedString(&wire,client->swapped); -+ if (!name) -+ return BadAlloc; - val= _GetCountedString(&wire,client->swapped); -- if ((!name)||(!val)||(XkbAddGeomProperty(geom,name,val)==NULL)) -+ if (!val) { -+ xfree(name); -+ return BadAlloc; -+ } -+ if (XkbAddGeomProperty(geom,name,val)==NULL) { -+ xfree(name); -+ xfree(val); - return BadAlloc; -+ } -+ xfree(name); -+ xfree(val); - } - - if (req->nColors<2) { -@@ -4813,15 +4824,20 @@ char * wire; - } - if (req->labelColorNdx==req->baseColorNdx) { - client->errorValue= _XkbErrCode3(0x04,req->baseColorNdx, -- req->labelColorNdx); -+ req->labelColorNdx); - return BadMatch; - } - - for (i=0;inColors;i++) { - char *name; - name= _GetCountedString(&wire,client->swapped); -- if ((!name)||(!XkbAddGeomColor(geom,name,geom->num_colors))) -+ if (!name) -+ return BadAlloc; -+ if (!XkbAddGeomColor(geom,name,geom->num_colors)) { -+ xfree(name); - return BadAlloc; -+ } -+ xfree(name); - } - if (req->nColors!=geom->num_colors) { - client->errorValue= _XkbErrCode3(0x05,req->nColors,geom->num_colors); --- -1.9.1 - diff --git a/debian/patches/1102-include-introduce-byte-counting-functions.full.patch b/debian/patches/1102-include-introduce-byte-counting-functions.full.patch new file mode 100644 index 000000000..eb6366a1b --- /dev/null +++ b/debian/patches/1102-include-introduce-byte-counting-functions.full.patch @@ -0,0 +1,70 @@ +From 3937db18a203f9936387286b95328f27013a5ffe Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 29 Jun 2009 13:09:57 +1000 +Subject: [PATCH 2/4] include: introduce byte counting functions. + +This patch adds the following three functions: + bits_to_bytes(bits) - the number of bytes needed to hold 'bits' + bytes_to_int32(bytes) - the number of 4-byte units to hold 'bytes' + pad_to_int32(bytes) - the closest multiple of 4 equal to or larger than + 'bytes'. + +All three operations are common in protocol processing and currently the +server has ((foo + 7)/8 + 3)/4 operations all over the place. A common set +of functions reduce the error rate of these (albeit simple) calculations and +improve readability of the code. + +The functions do not check for overflow. + +v2: backport to nx-libs 3.6.x as a prereq for +the CVE-2015-0255 fix (Mike DePaulo) + +Signed-off-by: Peter Hutterer +--- + nx-X11/programs/Xserver/include/misc.h | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +diff --git a/nx-X11/programs/Xserver/include/misc.h b/nx-X11/programs/Xserver/include/misc.h +index 5944a42..849f1b5 100644 +--- a/nx-X11/programs/Xserver/include/misc.h ++++ b/nx-X11/programs/Xserver/include/misc.h +@@ -193,6 +193,36 @@ typedef struct _xReq *xReqPtr; + + #endif + ++/** ++ * Calculate the number of bytes needed to hold bits. ++ * @param bits The minimum number of bits needed. ++ * @return The number of bytes needed to hold bits. ++ */ ++static __inline__ int ++bits_to_bytes(const int bits) { ++ return ((bits + 7) >> 3); ++} ++/** ++ * Calculate the number of 4-byte units needed to hold the given number of ++ * bytes. ++ * @param bytes The minimum number of bytes needed. ++ * @return The number of 4-byte units needed to hold bytes. ++ */ ++static __inline__ int ++bytes_to_int32(const int bytes) { ++ return (((bytes) + 3) >> 2); ++} ++ ++/** ++ * Calculate the number of bytes (in multiples of 4) needed to hold bytes. ++ * @param bytes The minimum number of bytes needed. ++ * @return The closest multiple of 4 that is equal or higher than bytes. ++ */ ++static __inline__ int ++pad_to_int32(const int bytes) { ++ return (((bytes) + 3) & ~3); ++} ++ + /* some macros to help swap requests, replies, and events */ + + #define LengthRestB(stuff) \ +-- +1.9.1 + diff --git a/debian/patches/1102-include-introduce-byte-counting-functions.patch b/debian/patches/1102-include-introduce-byte-counting-functions.patch deleted file mode 100644 index eb6366a1b..000000000 --- a/debian/patches/1102-include-introduce-byte-counting-functions.patch +++ /dev/null @@ -1,70 +0,0 @@ -From 3937db18a203f9936387286b95328f27013a5ffe Mon Sep 17 00:00:00 2001 -From: Peter Hutterer -Date: Mon, 29 Jun 2009 13:09:57 +1000 -Subject: [PATCH 2/4] include: introduce byte counting functions. - -This patch adds the following three functions: - bits_to_bytes(bits) - the number of bytes needed to hold 'bits' - bytes_to_int32(bytes) - the number of 4-byte units to hold 'bytes' - pad_to_int32(bytes) - the closest multiple of 4 equal to or larger than - 'bytes'. - -All three operations are common in protocol processing and currently the -server has ((foo + 7)/8 + 3)/4 operations all over the place. A common set -of functions reduce the error rate of these (albeit simple) calculations and -improve readability of the code. - -The functions do not check for overflow. - -v2: backport to nx-libs 3.6.x as a prereq for -the CVE-2015-0255 fix (Mike DePaulo) - -Signed-off-by: Peter Hutterer ---- - nx-X11/programs/Xserver/include/misc.h | 30 ++++++++++++++++++++++++++++++ - 1 file changed, 30 insertions(+) - -diff --git a/nx-X11/programs/Xserver/include/misc.h b/nx-X11/programs/Xserver/include/misc.h -index 5944a42..849f1b5 100644 ---- a/nx-X11/programs/Xserver/include/misc.h -+++ b/nx-X11/programs/Xserver/include/misc.h -@@ -193,6 +193,36 @@ typedef struct _xReq *xReqPtr; - - #endif - -+/** -+ * Calculate the number of bytes needed to hold bits. -+ * @param bits The minimum number of bits needed. -+ * @return The number of bytes needed to hold bits. -+ */ -+static __inline__ int -+bits_to_bytes(const int bits) { -+ return ((bits + 7) >> 3); -+} -+/** -+ * Calculate the number of 4-byte units needed to hold the given number of -+ * bytes. -+ * @param bytes The minimum number of bytes needed. -+ * @return The number of 4-byte units needed to hold bytes. -+ */ -+static __inline__ int -+bytes_to_int32(const int bytes) { -+ return (((bytes) + 3) >> 2); -+} -+ -+/** -+ * Calculate the number of bytes (in multiples of 4) needed to hold bytes. -+ * @param bytes The minimum number of bytes needed. -+ * @return The closest multiple of 4 that is equal or higher than bytes. -+ */ -+static __inline__ int -+pad_to_int32(const int bytes) { -+ return (((bytes) + 3) & ~3); -+} -+ - /* some macros to help swap requests, replies, and events */ - - #define LengthRestB(stuff) \ --- -1.9.1 - diff --git a/debian/patches/1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch b/debian/patches/1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch deleted file mode 100644 index 328853a2c..000000000 --- a/debian/patches/1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch +++ /dev/null @@ -1,115 +0,0 @@ -From 9308c79ba2757cb1a64e0040176b8290b435544f Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Fri, 16 Jan 2015 20:08:59 +0100 -Subject: [PATCH 3/4] xkb: Don't swap XkbSetGeometry data in the input buffer - -The XkbSetGeometry request embeds data which needs to be swapped when the -server and the client have different endianess. - -_XkbSetGeometry() invokes functions that swap these data directly in the -input buffer. - -However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once -(if there is more than one keyboard), thus causing on swapped clients the -same data to be swapped twice in memory, further causing a server crash -because the strings lengths on the second time are way off bounds. - -To allow _XkbSetGeometry() to run reliably more than once with swapped -clients, do not swap the data in the buffer, use variables instead. - -v3: backport to nx-libs 3.6.x as a prereq for -the CVE-2015-0255 fix (Mike DePaulo) - -Signed-off-by: Olivier Fourdan -Signed-off-by: Peter Hutterer -(cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd) -(cherry picked from commit 29be310c303914090298ddda93a5bd5d00a94945) -Signed-off-by: Julien Cristau -index 2405090..7db0959 100644 ---- - nx-X11/programs/Xserver/xkb/xkb.c | 35 +++++++++++++++++++---------------- - 1 file changed, 19 insertions(+), 16 deletions(-) - -diff --git a/nx-X11/programs/Xserver/xkb/xkb.c b/nx-X11/programs/Xserver/xkb/xkb.c -index 2561c89..d8b5b2c 100644 ---- a/nx-X11/programs/Xserver/xkb/xkb.c -+++ b/nx-X11/programs/Xserver/xkb/xkb.c -@@ -4441,15 +4441,14 @@ static char * - _GetCountedString(char **wire_inout,Bool swap) - { - char * wire,*str; --CARD16 len,*plen; -+CARD16 len; - - wire= *wire_inout; -- plen= (CARD16 *)wire; -+ len= (CARD16 *)wire; - if (swap) { - register int n; -- swaps(plen,n); -+ swaps(&len, n); - } -- len= *plen; - str= (char *)_XkbAlloc(len+1); - if (str) { - memcpy(str,&wire[2],len); -@@ -4468,26 +4467,29 @@ _CheckSetDoodad( char ** wire_inout, - { - char * wire; - xkbDoodadWireDesc * dWire; -+xkbAnyDoodadWireDesc any; -+xkbTextDoodadWireDesc text; - XkbDoodadPtr doodad; - - dWire= (xkbDoodadWireDesc *)(*wire_inout); -+ any = dWire->any; - wire= (char *)&dWire[1]; - if (client->swapped) { - register int n; -- swapl(&dWire->any.name,n); -- swaps(&dWire->any.top,n); -- swaps(&dWire->any.left,n); -- swaps(&dWire->any.angle,n); -+ swapl(&any.name, n); -+ swaps(&any.top, n); -+ swaps(&any.left, n); -+ swaps(&any.angle, n); - } - CHK_ATOM_ONLY(dWire->any.name); -- doodad= XkbAddGeomDoodad(geom,section,dWire->any.name); -+ doodad = XkbAddGeomDoodad(geom, section, any.name); - if (!doodad) - return BadAlloc; - doodad->any.type= dWire->any.type; - doodad->any.priority= dWire->any.priority; -- doodad->any.top= dWire->any.top; -- doodad->any.left= dWire->any.left; -- doodad->any.angle= dWire->any.angle; -+ doodad->any.top = any.top; -+ doodad->any.left = any.left; -+ doodad->any.angle = any.angle; - switch (doodad->any.type) { - case XkbOutlineDoodad: - case XkbSolidDoodad: -@@ -4510,13 +4512,14 @@ XkbDoodadPtr doodad; - dWire->text.colorNdx); - return BadMatch; - } -+ text = dWire->text; - if (client->swapped) { - register int n; -- swaps(&dWire->text.width,n); -- swaps(&dWire->text.height,n); -+ swaps(&text.width, n); -+ swaps(&text.height, n); - } -- doodad->text.width= dWire->text.width; -- doodad->text.height= dWire->text.height; -+ doodad->text.width= text.width; -+ doodad->text.height= text.height; - doodad->text.color_ndx= dWire->text.colorNdx; - doodad->text.text= _GetCountedString(&wire,client->swapped); - doodad->text.font= _GetCountedString(&wire,client->swapped); --- -1.9.1 - diff --git a/debian/patches/1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input.full.patch b/debian/patches/1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input.full.patch new file mode 100644 index 000000000..328853a2c --- /dev/null +++ b/debian/patches/1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input.full.patch @@ -0,0 +1,115 @@ +From 9308c79ba2757cb1a64e0040176b8290b435544f Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Fri, 16 Jan 2015 20:08:59 +0100 +Subject: [PATCH 3/4] xkb: Don't swap XkbSetGeometry data in the input buffer + +The XkbSetGeometry request embeds data which needs to be swapped when the +server and the client have different endianess. + +_XkbSetGeometry() invokes functions that swap these data directly in the +input buffer. + +However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once +(if there is more than one keyboard), thus causing on swapped clients the +same data to be swapped twice in memory, further causing a server crash +because the strings lengths on the second time are way off bounds. + +To allow _XkbSetGeometry() to run reliably more than once with swapped +clients, do not swap the data in the buffer, use variables instead. + +v3: backport to nx-libs 3.6.x as a prereq for +the CVE-2015-0255 fix (Mike DePaulo) + +Signed-off-by: Olivier Fourdan +Signed-off-by: Peter Hutterer +(cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd) +(cherry picked from commit 29be310c303914090298ddda93a5bd5d00a94945) +Signed-off-by: Julien Cristau +index 2405090..7db0959 100644 +--- + nx-X11/programs/Xserver/xkb/xkb.c | 35 +++++++++++++++++++---------------- + 1 file changed, 19 insertions(+), 16 deletions(-) + +diff --git a/nx-X11/programs/Xserver/xkb/xkb.c b/nx-X11/programs/Xserver/xkb/xkb.c +index 2561c89..d8b5b2c 100644 +--- a/nx-X11/programs/Xserver/xkb/xkb.c ++++ b/nx-X11/programs/Xserver/xkb/xkb.c +@@ -4441,15 +4441,14 @@ static char * + _GetCountedString(char **wire_inout,Bool swap) + { + char * wire,*str; +-CARD16 len,*plen; ++CARD16 len; + + wire= *wire_inout; +- plen= (CARD16 *)wire; ++ len= (CARD16 *)wire; + if (swap) { + register int n; +- swaps(plen,n); ++ swaps(&len, n); + } +- len= *plen; + str= (char *)_XkbAlloc(len+1); + if (str) { + memcpy(str,&wire[2],len); +@@ -4468,26 +4467,29 @@ _CheckSetDoodad( char ** wire_inout, + { + char * wire; + xkbDoodadWireDesc * dWire; ++xkbAnyDoodadWireDesc any; ++xkbTextDoodadWireDesc text; + XkbDoodadPtr doodad; + + dWire= (xkbDoodadWireDesc *)(*wire_inout); ++ any = dWire->any; + wire= (char *)&dWire[1]; + if (client->swapped) { + register int n; +- swapl(&dWire->any.name,n); +- swaps(&dWire->any.top,n); +- swaps(&dWire->any.left,n); +- swaps(&dWire->any.angle,n); ++ swapl(&any.name, n); ++ swaps(&any.top, n); ++ swaps(&any.left, n); ++ swaps(&any.angle, n); + } + CHK_ATOM_ONLY(dWire->any.name); +- doodad= XkbAddGeomDoodad(geom,section,dWire->any.name); ++ doodad = XkbAddGeomDoodad(geom, section, any.name); + if (!doodad) + return BadAlloc; + doodad->any.type= dWire->any.type; + doodad->any.priority= dWire->any.priority; +- doodad->any.top= dWire->any.top; +- doodad->any.left= dWire->any.left; +- doodad->any.angle= dWire->any.angle; ++ doodad->any.top = any.top; ++ doodad->any.left = any.left; ++ doodad->any.angle = any.angle; + switch (doodad->any.type) { + case XkbOutlineDoodad: + case XkbSolidDoodad: +@@ -4510,13 +4512,14 @@ XkbDoodadPtr doodad; + dWire->text.colorNdx); + return BadMatch; + } ++ text = dWire->text; + if (client->swapped) { + register int n; +- swaps(&dWire->text.width,n); +- swaps(&dWire->text.height,n); ++ swaps(&text.width, n); ++ swaps(&text.height, n); + } +- doodad->text.width= dWire->text.width; +- doodad->text.height= dWire->text.height; ++ doodad->text.width= text.width; ++ doodad->text.height= text.height; + doodad->text.color_ndx= dWire->text.colorNdx; + doodad->text.text= _GetCountedString(&wire,client->swapped); + doodad->text.font= _GetCountedString(&wire,client->swapped); +-- +1.9.1 + diff --git a/debian/patches/1104-xkb-Check-strings-length-against-request-size.full.patch b/debian/patches/1104-xkb-Check-strings-length-against-request-size.full.patch new file mode 100644 index 000000000..533ddcc3b --- /dev/null +++ b/debian/patches/1104-xkb-Check-strings-length-against-request-size.full.patch @@ -0,0 +1,148 @@ +From d7258444a876a65986212c10ddcaa1783af558bf Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Fri, 16 Jan 2015 08:44:45 +0100 +Subject: [PATCH 4/4] xkb: Check strings length against request size + +Ensure that the given strings length in an XkbSetGeometry request remain +within the limits of the size of the request. + +v3: backport to nx-libs 3.6.x because this is +the CVE-2015-0255 fix (Mike DePaulo) + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +Signed-off-by: Peter Hutterer +(cherry picked from commit 20079c36cf7d377938ca5478447d8b9045cb7d43) +(cherry picked from commit f160e722672dbb2b5215870b47bcc51461d96ff1) +Signed-off-by: Julien Cristau +--- + nx-X11/programs/Xserver/xkb/xkb.c | 66 ++++++++++++++++++++++++--------------- + 1 file changed, 41 insertions(+), 25 deletions(-) + +diff --git a/nx-X11/programs/Xserver/xkb/xkb.c b/nx-X11/programs/Xserver/xkb/xkb.c +index d8b5b2c..778269f 100644 +--- a/nx-X11/programs/Xserver/xkb/xkb.c ++++ b/nx-X11/programs/Xserver/xkb/xkb.c +@@ -4437,26 +4437,30 @@ ProcXkbGetGeometry(ClientPtr client) + + /***====================================================================***/ + +-static char * +-_GetCountedString(char **wire_inout,Bool swap) ++static Status ++_GetCountedString(char **wire_inout, ClientPtr client, char **str) + { +-char * wire,*str; ++char * wire, *next; + CARD16 len; + + wire= *wire_inout; + len= (CARD16 *)wire; +- if (swap) { ++ if (client->swapped) { + register int n; + swaps(&len, n); + } +- str= (char *)_XkbAlloc(len+1); +- if (str) { +- memcpy(str,&wire[2],len); +- str[len]= '\0'; +- } +- wire+= XkbPaddedSize(len+2); +- *wire_inout= wire; +- return str; ++ next = wire + XkbPaddedSize(len + 2); ++ /* Check we're still within the size of the request */ ++ if (client->req_len < ++ bytes_to_int32(next - (char *) client->requestBuffer)) ++ return BadValue; ++ *str = malloc(len + 1); ++ if (!*str) ++ return BadAlloc; ++ memcpy(*str, &wire[2], len); ++ *(*str + len) = '\0'; ++ *wire_inout = next; ++ return Success; + } + + static Status +@@ -4470,6 +4474,7 @@ xkbDoodadWireDesc * dWire; + xkbAnyDoodadWireDesc any; + xkbTextDoodadWireDesc text; + XkbDoodadPtr doodad; ++Status status; + + dWire= (xkbDoodadWireDesc *)(*wire_inout); + any = dWire->any; +@@ -4521,8 +4526,14 @@ XkbDoodadPtr doodad; + doodad->text.width= text.width; + doodad->text.height= text.height; + doodad->text.color_ndx= dWire->text.colorNdx; +- doodad->text.text= _GetCountedString(&wire,client->swapped); +- doodad->text.font= _GetCountedString(&wire,client->swapped); ++ status = _GetCountedString(&wire, client, &doodad->text.text); ++ if (status != Success) ++ return status; ++ status = _GetCountedString(&wire, client, &doodad->text.font); ++ if (status != Success) { ++ free (doodad->text.text); ++ return status; ++ } + break; + case XkbIndicatorDoodad: + if (dWire->indicator.onColorNdx>=geom->num_colors) { +@@ -4557,7 +4568,9 @@ XkbDoodadPtr doodad; + } + doodad->logo.color_ndx= dWire->logo.colorNdx; + doodad->logo.shape_ndx= dWire->logo.shapeNdx; +- doodad->logo.logo_name= _GetCountedString(&wire,client->swapped); ++ status = _GetCountedString(&wire, client, &doodad->logo.logo_name); ++ if (status != Success) ++ return status; + break; + default: + client->errorValue= _XkbErrCode2(0x4F,dWire->any.type); +@@ -4792,17 +4805,19 @@ Status status; + char * wire; + + wire= (char *)&req[1]; +- geom->label_font= _GetCountedString(&wire,client->swapped); ++ status = _GetCountedString(&wire, client, &geom->label_font); ++ if (status != Success) ++ return status; + + for (i=0;inProperties;i++) { + char *name,*val; +- name= _GetCountedString(&wire,client->swapped); +- if (!name) +- return BadAlloc; +- val= _GetCountedString(&wire,client->swapped); +- if (!val) { ++ status = _GetCountedString(&wire, client, &name); ++ if (status != Success) ++ return status; ++ status = _GetCountedString(&wire, client, &val); ++ if (status != Success) { + xfree(name); +- return BadAlloc; ++ return status; + } + if (XkbAddGeomProperty(geom,name,val)==NULL) { + xfree(name); +@@ -4833,9 +4848,10 @@ char * wire; + + for (i=0;inColors;i++) { + char *name; +- name= _GetCountedString(&wire,client->swapped); +- if (!name) +- return BadAlloc; ++ ++ status = _GetCountedString(&wire, client, &name); ++ if (status != Success) ++ return status; + if (!XkbAddGeomColor(geom,name,geom->num_colors)) { + xfree(name); + return BadAlloc; +-- +1.9.1 + diff --git a/debian/patches/1104-xkb-Check-strings-length-against-request-size.patch b/debian/patches/1104-xkb-Check-strings-length-against-request-size.patch deleted file mode 100644 index 533ddcc3b..000000000 --- a/debian/patches/1104-xkb-Check-strings-length-against-request-size.patch +++ /dev/null @@ -1,148 +0,0 @@ -From d7258444a876a65986212c10ddcaa1783af558bf Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Fri, 16 Jan 2015 08:44:45 +0100 -Subject: [PATCH 4/4] xkb: Check strings length against request size - -Ensure that the given strings length in an XkbSetGeometry request remain -within the limits of the size of the request. - -v3: backport to nx-libs 3.6.x because this is -the CVE-2015-0255 fix (Mike DePaulo) - -Signed-off-by: Olivier Fourdan -Reviewed-by: Peter Hutterer -Signed-off-by: Peter Hutterer -(cherry picked from commit 20079c36cf7d377938ca5478447d8b9045cb7d43) -(cherry picked from commit f160e722672dbb2b5215870b47bcc51461d96ff1) -Signed-off-by: Julien Cristau ---- - nx-X11/programs/Xserver/xkb/xkb.c | 66 ++++++++++++++++++++++++--------------- - 1 file changed, 41 insertions(+), 25 deletions(-) - -diff --git a/nx-X11/programs/Xserver/xkb/xkb.c b/nx-X11/programs/Xserver/xkb/xkb.c -index d8b5b2c..778269f 100644 ---- a/nx-X11/programs/Xserver/xkb/xkb.c -+++ b/nx-X11/programs/Xserver/xkb/xkb.c -@@ -4437,26 +4437,30 @@ ProcXkbGetGeometry(ClientPtr client) - - /***====================================================================***/ - --static char * --_GetCountedString(char **wire_inout,Bool swap) -+static Status -+_GetCountedString(char **wire_inout, ClientPtr client, char **str) - { --char * wire,*str; -+char * wire, *next; - CARD16 len; - - wire= *wire_inout; - len= (CARD16 *)wire; -- if (swap) { -+ if (client->swapped) { - register int n; - swaps(&len, n); - } -- str= (char *)_XkbAlloc(len+1); -- if (str) { -- memcpy(str,&wire[2],len); -- str[len]= '\0'; -- } -- wire+= XkbPaddedSize(len+2); -- *wire_inout= wire; -- return str; -+ next = wire + XkbPaddedSize(len + 2); -+ /* Check we're still within the size of the request */ -+ if (client->req_len < -+ bytes_to_int32(next - (char *) client->requestBuffer)) -+ return BadValue; -+ *str = malloc(len + 1); -+ if (!*str) -+ return BadAlloc; -+ memcpy(*str, &wire[2], len); -+ *(*str + len) = '\0'; -+ *wire_inout = next; -+ return Success; - } - - static Status -@@ -4470,6 +4474,7 @@ xkbDoodadWireDesc * dWire; - xkbAnyDoodadWireDesc any; - xkbTextDoodadWireDesc text; - XkbDoodadPtr doodad; -+Status status; - - dWire= (xkbDoodadWireDesc *)(*wire_inout); - any = dWire->any; -@@ -4521,8 +4526,14 @@ XkbDoodadPtr doodad; - doodad->text.width= text.width; - doodad->text.height= text.height; - doodad->text.color_ndx= dWire->text.colorNdx; -- doodad->text.text= _GetCountedString(&wire,client->swapped); -- doodad->text.font= _GetCountedString(&wire,client->swapped); -+ status = _GetCountedString(&wire, client, &doodad->text.text); -+ if (status != Success) -+ return status; -+ status = _GetCountedString(&wire, client, &doodad->text.font); -+ if (status != Success) { -+ free (doodad->text.text); -+ return status; -+ } - break; - case XkbIndicatorDoodad: - if (dWire->indicator.onColorNdx>=geom->num_colors) { -@@ -4557,7 +4568,9 @@ XkbDoodadPtr doodad; - } - doodad->logo.color_ndx= dWire->logo.colorNdx; - doodad->logo.shape_ndx= dWire->logo.shapeNdx; -- doodad->logo.logo_name= _GetCountedString(&wire,client->swapped); -+ status = _GetCountedString(&wire, client, &doodad->logo.logo_name); -+ if (status != Success) -+ return status; - break; - default: - client->errorValue= _XkbErrCode2(0x4F,dWire->any.type); -@@ -4792,17 +4805,19 @@ Status status; - char * wire; - - wire= (char *)&req[1]; -- geom->label_font= _GetCountedString(&wire,client->swapped); -+ status = _GetCountedString(&wire, client, &geom->label_font); -+ if (status != Success) -+ return status; - - for (i=0;inProperties;i++) { - char *name,*val; -- name= _GetCountedString(&wire,client->swapped); -- if (!name) -- return BadAlloc; -- val= _GetCountedString(&wire,client->swapped); -- if (!val) { -+ status = _GetCountedString(&wire, client, &name); -+ if (status != Success) -+ return status; -+ status = _GetCountedString(&wire, client, &val); -+ if (status != Success) { - xfree(name); -- return BadAlloc; -+ return status; - } - if (XkbAddGeomProperty(geom,name,val)==NULL) { - xfree(name); -@@ -4833,9 +4848,10 @@ char * wire; - - for (i=0;inColors;i++) { - char *name; -- name= _GetCountedString(&wire,client->swapped); -- if (!name) -- return BadAlloc; -+ -+ status = _GetCountedString(&wire, client, &name); -+ if (status != Success) -+ return status; - if (!XkbAddGeomColor(geom,name,geom->num_colors)) { - xfree(name); - return BadAlloc; --- -1.9.1 - diff --git a/debian/patches/series b/debian/patches/series index 2856cbe9b..80a0e5e07 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -83,52 +83,52 @@ 0991_fix-hr-typos.full+lite.patch 0991_fix-hr-typos.full.patch 0999_nxagent_unbrand-nxagent-brand-x2goagent.full.patch -1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch -1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch -1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch -1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch -1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch -1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch -1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch -1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch -1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch -1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch -1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch -1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch -1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch -1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch -1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch -1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch -1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch -1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch -1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch -1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch -1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch -1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch -1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch -1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch -1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch -1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch -1027-render-check-request-size-before-reading-it-CVE-2014.patch -1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch -1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch -1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch -1031-glx-Be-more-paranoid-about-variable-length-requests-.patch -1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch -1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch -1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch -1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch -1036-glx-Integer-overflow-protection-for-non-generated-re.patch -1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch -1038-glx-Length-checking-for-non-generated-single-request.patch -1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch -1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch -1041-nx-X11-lib-font-fc-fserve.c-initialize-remaining-buf.patch -1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch -1101-Coverity-844-845-846-Fix-memory-leaks.patch -1102-include-introduce-byte-counting-functions.patch -1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch -1104-xkb-Check-strings-length-against-request-size.patch +1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-.full.patch +1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.full.patch +1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch +1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-.full.patch +1005-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch +1006-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch +1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_co.full.patch +1008-Don-t-crash-when-we-receive-an-FS_Error-from-th.full.patch +1009-CVE-2014-0210-unvalidated-lengths-when-reading-.full.patch +1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-.full.patch +1011-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch +1012-CVE-2014-0211-integer-overflow-in-fs_read_exten.full.patch +1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyp.full.patch +1014-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch +1015-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch +1016-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch +1017-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch +1018-unchecked-malloc-may-allow-unauthed-client-to-c.full.patch +1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch +1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-.full.patch +1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8.full.patch +1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-.full.patch +1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls.full.patch +1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-.full.patch +1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDL.full.patch +1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch +1027-render-check-request-size-before-reading-it-CVE.full.patch +1028-render-unvalidated-lengths-in-Render-extn.-swap.full.patch +1029-xfixes-unvalidated-length-in-SProcXFixesSelectS.full.patch +1030-randr-unvalidated-lengths-in-RandR-extension-sw.full.patch +1031-glx-Be-more-paranoid-about-variable-length-requ.full.patch +1032-glx-Be-more-strict-about-rejecting-invalid-imag.full.patch +1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer.full.patch +1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-.full.patch +1035-glx-Length-checking-for-GLXRender-requests-v2-C.full.patch +1036-glx-Integer-overflow-protection-for-non-generat.full.patch +1037-glx-Top-level-length-checking-for-swapped-Vendo.full.patch +1038-glx-Length-checking-for-non-generated-single-re.full.patch +1039-glx-Length-checking-for-RenderLarge-requests-v2.full.patch +1040-glx-Pass-remaining-request-length-into-varsize-.full.patch +1041-nx-X11-lib-font-fc-fserve.c-initialize-remainin.full.patch +1042-Do-proper-input-validation-to-fix-for-CVE-2011-.full.patch +1101-Coverity-844-845-846-Fix-memory-leaks.full.patch +1102-include-introduce-byte-counting-functions.full.patch +1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input.full.patch +1104-xkb-Check-strings-length-against-request-size.full.patch 1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch 0016_nx-X11_install-location.debian.patch 0102_xserver-xext_set-securitypolicy-path.debian.patch -- cgit v1.2.3