1
0
OBS User unknown 2007-01-10 17:04:50 +00:00 committed by Git OBS Bridge
parent 1a507912f5
commit 93da6ee7da
3 changed files with 200 additions and 2 deletions

View File

@ -0,0 +1,183 @@
diff --git a/dbe/dbe.c b/dbe/dbe.c
index 5b43dd1..6a2ed6a 100644
--- a/dbe/dbe.c
+++ b/dbe/dbe.c
@@ -42,6 +42,11 @@
#include <dix-config.h>
#endif
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
#include <X11/X.h>
#include <X11/Xproto.h>
#include "scrnintstr.h"
@@ -713,11 +718,14 @@ ProcDbeSwapBuffers(ClientPtr client)
return(Success);
}
+ if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
+ return BadAlloc;
+
/* Get to the swap info appended to the end of the request. */
dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
/* Allocate array to record swap information. */
- swapInfo = (DbeSwapInfoPtr)ALLOCATE_LOCAL(nStuff * sizeof(DbeSwapInfoRec));
+ swapInfo = (DbeSwapInfoPtr)Xalloc(nStuff * sizeof(DbeSwapInfoRec));
if (swapInfo == NULL)
{
return(BadAlloc);
@@ -732,14 +740,14 @@ ProcDbeSwapBuffers(ClientPtr client)
if (!(pWin = SecurityLookupWindow(dbeSwapInfo[i].window, client,
SecurityWriteAccess)))
{
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(BadWindow);
}
/* Each window must be double-buffered - BadMatch. */
if (DBE_WINDOW_PRIV(pWin) == NULL)
{
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(BadMatch);
}
@@ -748,7 +756,7 @@ ProcDbeSwapBuffers(ClientPtr client)
{
if (dbeSwapInfo[i].window == dbeSwapInfo[j].window)
{
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(BadMatch);
}
}
@@ -759,7 +767,7 @@ ProcDbeSwapBuffers(ClientPtr client)
(dbeSwapInfo[i].swapAction != XdbeUntouched ) &&
(dbeSwapInfo[i].swapAction != XdbeCopied ))
{
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(BadValue);
}
@@ -789,12 +797,12 @@ ProcDbeSwapBuffers(ClientPtr client)
error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo);
if (error != Success)
{
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(error);
}
}
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(Success);
} /* ProcDbeSwapBuffers() */
@@ -876,10 +884,12 @@ ProcDbeGetVisualInfo(ClientPtr client)
REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
+ if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
+ return BadAlloc;
/* Make sure any specified drawables are valid. */
if (stuff->n != 0)
{
- if (!(pDrawables = (DrawablePtr *)ALLOCATE_LOCAL(stuff->n *
+ if (!(pDrawables = (DrawablePtr *)Xalloc(stuff->n *
sizeof(DrawablePtr))))
{
return(BadAlloc);
@@ -892,7 +902,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
if (!(pDrawables[i] = (DrawablePtr)SecurityLookupDrawable(
drawables[i], client, SecurityReadAccess)))
{
- DEALLOCATE_LOCAL(pDrawables);
+ Xfree(pDrawables);
return(BadDrawable);
}
}
@@ -904,7 +914,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
{
if (pDrawables)
{
- DEALLOCATE_LOCAL(pDrawables);
+ Xfree(pDrawables);
}
return(BadAlloc);
@@ -931,7 +941,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
/* Free pDrawables if we needed to allocate it above. */
if (pDrawables)
{
- DEALLOCATE_LOCAL(pDrawables);
+ Xfree(pDrawables);
}
return(BadAlloc);
@@ -1012,7 +1022,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
if (pDrawables)
{
- DEALLOCATE_LOCAL(pDrawables);
+ Xfree(pDrawables);
}
return(client->noClientException);
diff --git a/render/render.c b/render/render.c
index e4d8d6b..55f360a 100644
--- a/render/render.c
+++ b/render/render.c
@@ -47,6 +47,12 @@
#include <X11/Xfuncproto.h>
#include "cursorstr.h"
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
static int ProcRenderQueryVersion (ClientPtr pClient);
static int ProcRenderQueryPictFormats (ClientPtr pClient);
static int ProcRenderQueryPictIndexValues (ClientPtr pClient);
@@ -1103,11 +1109,14 @@ ProcRenderAddGlyphs (ClientPtr client)
}
nglyphs = stuff->nglyphs;
+ if (nglyphs > UINT32_MAX / sizeof(GlyphNewRec))
+ return BadAlloc;
+
if (nglyphs <= NLOCALGLYPH)
glyphsBase = glyphsLocal;
else
{
- glyphsBase = (GlyphNewPtr) ALLOCATE_LOCAL (nglyphs * sizeof (GlyphNewRec));
+ glyphsBase = (GlyphNewPtr) Xalloc (nglyphs * sizeof (GlyphNewRec));
if (!glyphsBase)
return BadAlloc;
}
@@ -1164,7 +1173,7 @@ ProcRenderAddGlyphs (ClientPtr client)
}
if (glyphsBase != glyphsLocal)
- DEALLOCATE_LOCAL (glyphsBase);
+ Xfree (glyphsBase);
return client->noClientException;
bail:
while (glyphs != glyphsBase)
@@ -1173,7 +1182,7 @@ bail:
xfree (glyphs->glyph);
}
if (glyphsBase != glyphsLocal)
- DEALLOCATE_LOCAL (glyphsBase);
+ Xfree (glyphsBase);
return err;
}

View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Tue Jan 9 17:05:27 CET 2007 - sndirsch@suse.de
- cve-2006-6101_6102_6103.diff:
* CVE-2006-6101 iDefense X.org ProcRenderAddGlyphs (Bug #225972)
* CVE-2006-6102 iDefense X.org ProcDbeGetVisualInfo (Bug #225974)
* CVE-2006-6103 iDefense X.org ProcDbeSwapBuffers (Bug #225975)
-------------------------------------------------------------------
Tue Dec 19 15:11:17 CET 2006 - sndirsch@suse.de

View File

@ -1,7 +1,7 @@
#
# spec file for package xorg-x11-server (Version 7.2)
#
# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
@ -17,7 +17,7 @@ BuildRequires: Mesa-devel fontconfig-devel freetype2-devel ghostscript-library
URL: http://xorg.freedesktop.org/
%define EXPERIMENTAL 0
Version: 7.2
Release: 33
Release: 39
License: X11/MIT
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Group: System/X11/Servers/XF86_4
@ -69,6 +69,7 @@ Patch34: Mesa-6.5.2.diff
Patch35: xorg-server-1.1.99.901-GetDrawableAttributes.patch
Patch36: libdrm.diff
Patch37: int10-fix.diff
Patch38: cve-2006-6101_6102_6103.diff
Patch334: p_pci-domain.diff
Patch357: p_pci-ce-x.diff
@ -138,6 +139,7 @@ popd
%patch35 -p1
%patch36 -p0
%patch37 -p1
%patch38 -p1
%build
autoreconf -fi
@ -442,6 +444,11 @@ exit 0
%endif
%changelog -n xorg-x11-server
* Tue Jan 09 2007 - sndirsch@suse.de
- cve-2006-6101_6102_6103.diff:
* CVE-2006-6101 iDefense X.org ProcRenderAddGlyphs (Bug #225972)
* CVE-2006-6102 iDefense X.org ProcDbeGetVisualInfo (Bug #225974)
* CVE-2006-6103 iDefense X.org ProcDbeSwapBuffers (Bug #225975)
* Tue Dec 19 2006 - sndirsch@suse.de
- int10-fix.diff
* Set Int10Current->Tag for the linux native int10 module (X.Org