diff --git a/cve-2006-6101_6102_6103.diff b/cve-2006-6101_6102_6103.diff
new file mode 100644
index 0000000..18a33c0
--- /dev/null
+++ b/cve-2006-6101_6102_6103.diff
@@ -0,0 +1,183 @@
+diff --git a/dbe/dbe.c b/dbe/dbe.c
+index 5b43dd1..6a2ed6a 100644
+--- a/dbe/dbe.c
++++ b/dbe/dbe.c
+@@ -42,6 +42,11 @@
+ #include
+ #endif
+ 
++#if HAVE_STDINT_H
++#include
++#elif !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
+ #include
+ #include
+ #include "scrnintstr.h"
+@@ -713,11 +718,14 @@ ProcDbeSwapBuffers(ClientPtr client)
+ return(Success);
+ }
+ 
++ if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
++ return BadAlloc;
++
+ /* Get to the swap info appended to the end of the request. */
+ dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
+ 
+ /* Allocate array to record swap information. */
+- swapInfo = (DbeSwapInfoPtr)ALLOCATE_LOCAL(nStuff * sizeof(DbeSwapInfoRec));
++ swapInfo = (DbeSwapInfoPtr)Xalloc(nStuff * sizeof(DbeSwapInfoRec));
+ if (swapInfo == NULL)
+ {
+ return(BadAlloc);
+@@ -732,14 +740,14 @@ ProcDbeSwapBuffers(ClientPtr client)
+ if (!(pWin = SecurityLookupWindow(dbeSwapInfo[i].window, client,
+ SecurityWriteAccess)))
+ {
+- DEALLOCATE_LOCAL(swapInfo);
++ Xfree(swapInfo);
+ return(BadWindow);
+ }
+ 
+ /* Each window must be double-buffered - BadMatch. */
+ if (DBE_WINDOW_PRIV(pWin) == NULL)
+ {
+- DEALLOCATE_LOCAL(swapInfo);
++ Xfree(swapInfo);
+ return(BadMatch);
+ }
+ 
+@@ -748,7 +756,7 @@ ProcDbeSwapBuffers(ClientPtr client)
+ {
+ if (dbeSwapInfo[i].window == dbeSwapInfo[j].window)
+ {
+- DEALLOCATE_LOCAL(swapInfo);
++ Xfree(swapInfo);
+ return(BadMatch);
+ }
+ }
+@@ -759,7 +767,7 @@ ProcDbeSwapBuffers(ClientPtr client)
+ (dbeSwapInfo[i].swapAction != XdbeUntouched ) &&
+ (dbeSwapInfo[i].swapAction != XdbeCopied ))
+ {
+- DEALLOCATE_LOCAL(swapInfo);
++ Xfree(swapInfo);
+ return(BadValue);
+ }
+ 
+@@ -789,12 +797,12 @@ ProcDbeSwapBuffers(ClientPtr client)
+ error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo);
+ if (error != Success)
+ {
+- DEALLOCATE_LOCAL(swapInfo);
++ Xfree(swapInfo);
+ return(error);
+ }
+ }
+ 
+- DEALLOCATE_LOCAL(swapInfo);
++ Xfree(swapInfo);
+ return(Success);
+ 
+ } /* ProcDbeSwapBuffers() */
+@@ -876,10 +884,12 @@ ProcDbeGetVisualInfo(ClientPtr client)
+ 
+ REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
+ 
++ if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
++ return BadAlloc;
+ /* Make sure any specified drawables are valid. */
+ if (stuff->n != 0)
+ {
+- if (!(pDrawables = (DrawablePtr *)ALLOCATE_LOCAL(stuff->n *
++ if (!(pDrawables = (DrawablePtr *)Xalloc(stuff->n *
+ sizeof(DrawablePtr))))
+ {
+ return(BadAlloc);
+@@ -892,7 +902,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
+ if (!(pDrawables[i] = (DrawablePtr)SecurityLookupDrawable(
+ drawables[i], client, SecurityReadAccess)))
+ {
+- DEALLOCATE_LOCAL(pDrawables);
++ Xfree(pDrawables);
+ return(BadDrawable);
+ }
+ }
+@@ -904,7 +914,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
+ {
+ if (pDrawables)
+ {
+- DEALLOCATE_LOCAL(pDrawables);
++ Xfree(pDrawables);
+ }
+ 
+ return(BadAlloc);
+@@ -931,7 +941,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
+ /* Free pDrawables if we needed to allocate it above. */
+ if (pDrawables)
+ {
+- DEALLOCATE_LOCAL(pDrawables);
++ Xfree(pDrawables);
+ }
+ 
+ return(BadAlloc);
+@@ -1012,7 +1022,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
+ 
+ if (pDrawables)
+ {
+- DEALLOCATE_LOCAL(pDrawables);
++ Xfree(pDrawables);
+ }
+ 
+ return(client->noClientException);
+diff --git a/render/render.c b/render/render.c
+index e4d8d6b..55f360a 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -47,6 +47,12 @@
+ #include
+ #include "cursorstr.h"
+ 
++#if HAVE_STDINT_H
++#include
++#elif !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ static int ProcRenderQueryVersion (ClientPtr pClient);
+ static int ProcRenderQueryPictFormats (ClientPtr pClient);
+ static int ProcRenderQueryPictIndexValues (ClientPtr pClient);
+@@ -1103,11 +1109,14 @@ ProcRenderAddGlyphs (ClientPtr client)
+ }
+ 
+ nglyphs = stuff->nglyphs;
++ if (nglyphs > UINT32_MAX / sizeof(GlyphNewRec))
++ return BadAlloc;
++
+ if (nglyphs <= NLOCALGLYPH)
+ glyphsBase = glyphsLocal;
+ else
+ {
+- glyphsBase = (GlyphNewPtr) ALLOCATE_LOCAL (nglyphs * sizeof (GlyphNewRec));
++ glyphsBase = (GlyphNewPtr) Xalloc (nglyphs * sizeof (GlyphNewRec));
+ if (!glyphsBase)
+ return BadAlloc;
+ }
+@@ -1164,7 +1173,7 @@ ProcRenderAddGlyphs (ClientPtr client)
+ }
+ 
+ if (glyphsBase != glyphsLocal)
+- DEALLOCATE_LOCAL (glyphsBase);
++ Xfree (glyphsBase);
+ return client->noClientException;
+ bail:
+ while (glyphs != glyphsBase)
+@@ -1173,7 +1182,7 @@ bail:
+ xfree (glyphs->glyph);
+ }
+ if (glyphsBase != glyphsLocal)
+- DEALLOCATE_LOCAL (glyphsBase);
++ Xfree (glyphsBase);
+ return err;
+ }
+ 
diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes
index 6fd812e..f91a4ab 100644
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
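Review bot: The new bounds checks in ProcDbeSwapBuffers and ProcDbeGetVisualInfo (dbe/dbe.c) only stop `count * sizeof(...)` from wrapping; nothing in the visible hunks ties the client-supplied count to the length of the request, yet the following loops read `dbeSwapInfo[i]` and `drawables[i]` straight out of the request payload. In ProcDbeGetVisualInfo the only length check shown is `REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq)`, so a count larger than the data actually sent would presumably be read past the end of the request buffer. Unless a length check already exists outside these hunks, consider adding `REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32));` after the overflow check (assuming drawable IDs are CARD32 on the wire), and the equivalent check on `nStuff * sizeof(xDbeSwapInfo)` in ProcDbeSwapBuffers. Both function bodies start and end outside the hunks shown, so confirm against the full file.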
@@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Tue Jan 9 17:05:27 CET 2007 - sndirsch@suse.de + +- cve-2006-6101_6102_6103.diff: + * CVE-2006-6101 iDefense X.org ProcRenderAddGlyphs (Bug #225972) + * CVE-2006-6102 iDefense X.org ProcDbeGetVisualInfo (Bug #225974) + * CVE-2006-6103 iDefense X.org ProcDbeSwapBuffers (Bug #225975) + ------------------------------------------------------------------- Tue Dec 19 15:11:17 CET 2006 - sndirsch@suse.de diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 0c625f0..04cffb8 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -1,7 +1,7 @@ # # spec file for package xorg-x11-server (Version 7.2) # -# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine # package are under the same license as the package itself. # @@ -17,7 +17,7 @@ BuildRequires: Mesa-devel fontconfig-devel freetype2-devel ghostscript-library URL: http://xorg.freedesktop.org/ %define EXPERIMENTAL 0 Version: 7.2 -Release: 33 +Release: 39 License: X11/MIT BuildRoot: %{_tmppath}/%{name}-%{version}-build Group: System/X11/Servers/XF86_4 @@ -69,6 +69,7 @@ Patch34: Mesa-6.5.2.diff Patch35: xorg-server-1.1.99.901-GetDrawableAttributes.patch Patch36: libdrm.diff Patch37: int10-fix.diff +Patch38: cve-2006-6101_6102_6103.diff Patch334: p_pci-domain.diff Patch357: p_pci-ce-x.diff @@ -138,6 +139,7 @@ popd %patch35 -p1 %patch36 -p0 %patch37 -p1 +%patch38 -p1 %build autoreconf -fi 
@@ -442,6 +444,11 @@ exit 0 %endif %changelog -n xorg-x11-server +* Tue Jan 09 2007 - sndirsch@suse.de +- cve-2006-6101_6102_6103.diff: + * CVE-2006-6101 iDefense X.org ProcRenderAddGlyphs (Bug #225972) + * CVE-2006-6102 iDefense X.org ProcDbeGetVisualInfo (Bug #225974) + * CVE-2006-6103 iDefense X.org ProcDbeSwapBuffers (Bug #225975) * Tue Dec 19 2006 - sndirsch@suse.de - int10-fix.diff * Set Int10Current->Tag for the linux native int10 module (X.Org