rpm/xorg-x11-server
SHA256
1
0
Fork 0
forked from pool/xorg-x11-server
Code Pull Requests Activity

OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xorg-x11-server?expand=0&rev=4

Browse Source
This commit is contained in:
OBS User unknown 2007-01-10 17:04:50 +00:00 committed by Git OBS Bridge
parent 1a507912f5
commit 93da6ee7da
3 changed files with 200 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

183
cve-2006-6101_6102_6103.diff Normal file
View File

@ -0,0 +1,183 @@
diff --git a/dbe/dbe.c b/dbe/dbe.c
index 5b43dd1..6a2ed6a 100644
--- a/dbe/dbe.c
+++ b/dbe/dbe.c
@@ -42,6 +42,11 @@
#include <dix-config.h>
#endif
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
#include <X11/X.h>
#include <X11/Xproto.h>
#include "scrnintstr.h"
@@ -713,11 +718,14 @@ ProcDbeSwapBuffers(ClientPtr client)
return(Success);
}
+ if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
+ return BadAlloc;
+
/* Get to the swap info appended to the end of the request. */
dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
/* Allocate array to record swap information. */
- swapInfo = (DbeSwapInfoPtr)ALLOCATE_LOCAL(nStuff * sizeof(DbeSwapInfoRec));
+ swapInfo = (DbeSwapInfoPtr)Xalloc(nStuff * sizeof(DbeSwapInfoRec));
if (swapInfo == NULL)
{
return(BadAlloc);
@@ -732,14 +740,14 @@ ProcDbeSwapBuffers(ClientPtr client)
if (!(pWin = SecurityLookupWindow(dbeSwapInfo[i].window, client,
SecurityWriteAccess)))
{
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(BadWindow);
}
/* Each window must be double-buffered - BadMatch. */
if (DBE_WINDOW_PRIV(pWin) == NULL)
{
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(BadMatch);
}
@@ -748,7 +756,7 @@ ProcDbeSwapBuffers(ClientPtr client)
{
if (dbeSwapInfo[i].window == dbeSwapInfo[j].window)
{
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(BadMatch);
}
}
@@ -759,7 +767,7 @@ ProcDbeSwapBuffers(ClientPtr client)
(dbeSwapInfo[i].swapAction != XdbeUntouched ) &&
(dbeSwapInfo[i].swapAction != XdbeCopied ))
{
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(BadValue);
}
@@ -789,12 +797,12 @@ ProcDbeSwapBuffers(ClientPtr client)
error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo);
if (error != Success)
{
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(error);
}
}
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(Success);
} /* ProcDbeSwapBuffers() */
@@ -876,10 +884,12 @@ ProcDbeGetVisualInfo(ClientPtr client)
REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
+ if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
+ return BadAlloc;
/* Make sure any specified drawables are valid. */
if (stuff->n != 0)
{
- if (!(pDrawables = (DrawablePtr *)ALLOCATE_LOCAL(stuff->n *
+ if (!(pDrawables = (DrawablePtr *)Xalloc(stuff->n *
sizeof(DrawablePtr))))
{
return(BadAlloc);
@@ -892,7 +902,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
if (!(pDrawables[i] = (DrawablePtr)SecurityLookupDrawable(
drawables[i], client, SecurityReadAccess)))
{
- DEALLOCATE_LOCAL(pDrawables);
+ Xfree(pDrawables);
return(BadDrawable);
}
}
@@ -904,7 +914,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
{
if (pDrawables)
{
- DEALLOCATE_LOCAL(pDrawables);
+ Xfree(pDrawables);
}
return(BadAlloc);
@@ -931,7 +941,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
/* Free pDrawables if we needed to allocate it above. */
if (pDrawables)
{
- DEALLOCATE_LOCAL(pDrawables);
+ Xfree(pDrawables);
}
return(BadAlloc);
@@ -1012,7 +1022,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
if (pDrawables)
{
- DEALLOCATE_LOCAL(pDrawables);
+ Xfree(pDrawables);
}
return(client->noClientException);
diff --git a/render/render.c b/render/render.c
index e4d8d6b..55f360a 100644
--- a/render/render.c
+++ b/render/render.c
@@ -47,6 +47,12 @@
#include <X11/Xfuncproto.h>
#include "cursorstr.h"
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
static int ProcRenderQueryVersion (ClientPtr pClient);
static int ProcRenderQueryPictFormats (ClientPtr pClient);
static int ProcRenderQueryPictIndexValues (ClientPtr pClient);
@@ -1103,11 +1109,14 @@ ProcRenderAddGlyphs (ClientPtr client)
}
nglyphs = stuff->nglyphs;
+ if (nglyphs > UINT32_MAX / sizeof(GlyphNewRec))
+ return BadAlloc;
+
if (nglyphs <= NLOCALGLYPH)
glyphsBase = glyphsLocal;
else
{
- glyphsBase = (GlyphNewPtr) ALLOCATE_LOCAL (nglyphs * sizeof (GlyphNewRec));
+ glyphsBase = (GlyphNewPtr) Xalloc (nglyphs * sizeof (GlyphNewRec));
if (!glyphsBase)
return BadAlloc;
}
@@ -1164,7 +1173,7 @@ ProcRenderAddGlyphs (ClientPtr client)
}
if (glyphsBase != glyphsLocal)
- DEALLOCATE_LOCAL (glyphsBase);
+ Xfree (glyphsBase);
return client->noClientException;
bail:
while (glyphs != glyphsBase)
@@ -1173,7 +1182,7 @@ bail:
xfree (glyphs->glyph);
}
if (glyphsBase != glyphsLocal)
- DEALLOCATE_LOCAL (glyphsBase);
+ Xfree (glyphsBase);
return err;
}

8
xorg-x11-server.changes
View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Tue Jan 9 17:05:27 CET 2007 - sndirsch@suse.de
- cve-2006-6101_6102_6103.diff:
* CVE-2006-6101 iDefense X.org ProcRenderAddGlyphs (Bug #225972)
* CVE-2006-6102 iDefense X.org ProcDbeGetVisualInfo (Bug #225974)
* CVE-2006-6103 iDefense X.org ProcDbeSwapBuffers (Bug #225975)
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Dec 19 15:11:17 CET 2006 - sndirsch@suse.de Tue Dec 19 15:11:17 CET 2006 - sndirsch@suse.de

11
xorg-x11-server.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package xorg-x11-server (Version 7.2) # spec file for package xorg-x11-server (Version 7.2)
# #
# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine # This file and all modifications and additions to the pristine
# package are under the same license as the package itself. # package are under the same license as the package itself.
# #
@ -17,7 +17,7 @@ BuildRequires: Mesa-devel fontconfig-devel freetype2-devel ghostscript-library
URL: http://xorg.freedesktop.org/ URL: http://xorg.freedesktop.org/
%define EXPERIMENTAL 0 %define EXPERIMENTAL 0
Version: 7.2 Version: 7.2
Release: 33 Release: 39
License: X11/MIT License: X11/MIT
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
Group: System/X11/Servers/XF86_4 Group: System/X11/Servers/XF86_4
@ -69,6 +69,7 @@ Patch34: Mesa-6.5.2.diff
Patch35: xorg-server-1.1.99.901-GetDrawableAttributes.patch Patch35: xorg-server-1.1.99.901-GetDrawableAttributes.patch
Patch36: libdrm.diff Patch36: libdrm.diff
Patch37: int10-fix.diff Patch37: int10-fix.diff
Patch38: cve-2006-6101_6102_6103.diff
Patch334: p_pci-domain.diff Patch334: p_pci-domain.diff
Patch357: p_pci-ce-x.diff Patch357: p_pci-ce-x.diff
@ -138,6 +139,7 @@ popd
%patch35 -p1 %patch35 -p1
%patch36 -p0 %patch36 -p0
%patch37 -p1 %patch37 -p1
%patch38 -p1
%build %build
autoreconf -fi autoreconf -fi
@ -442,6 +444,11 @@ exit 0
%endif %endif
%changelog -n xorg-x11-server %changelog -n xorg-x11-server
* Tue Jan 09 2007 - sndirsch@suse.de
- cve-2006-6101_6102_6103.diff:
* CVE-2006-6101 iDefense X.org ProcRenderAddGlyphs (Bug #225972)
* CVE-2006-6102 iDefense X.org ProcDbeGetVisualInfo (Bug #225974)
* CVE-2006-6103 iDefense X.org ProcDbeSwapBuffers (Bug #225975)
* Tue Dec 19 2006 - sndirsch@suse.de * Tue Dec 19 2006 - sndirsch@suse.de
- int10-fix.diff - int10-fix.diff
* Set Int10Current->Tag for the linux native int10 module (X.Org * Set Int10Current->Tag for the linux native int10 module (X.Org