rpms/xorg-x11-server/FC-6 xorg-xserver-1.1.0-dbe-render.diff, NONE, 1.1 xorg-x11-server.spec, 1.184, 1.185
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue Jan 9 22:54:02 UTC 2007
Author: ajackson
Update of /cvs/dist/rpms/xorg-x11-server/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv21506
Modified Files:
xorg-x11-server.spec
Added Files:
xorg-xserver-1.1.0-dbe-render.diff
Log Message:
* Tue Jan 09 2007 Adam Jackson <ajax at redhat.com> 1.1.1-47.4.fc6
- xorg-xserver-1.1.0-dbe-render.diff: CVE #2006-6101.
xorg-xserver-1.1.0-dbe-render.diff:
dbe/dbe.c | 34 ++++++++++++++++++++++------------
render/render.c | 15 ++++++++++++---
2 files changed, 34 insertions(+), 15 deletions(-)
--- NEW FILE xorg-xserver-1.1.0-dbe-render.diff ---
Index: xorg/dbe/dbe.c
===================================================================
RCS file: /cvs/xorg/xserver/xorg/dbe/dbe.c,v
retrieving revision 1.7
diff -u -u -r1.7 dbe.c
--- xorg/dbe/dbe.c 28 Mar 2006 01:20:59 -0000 1.7
+++ xorg/dbe/dbe.c 9 Jan 2007 12:53:54 -0000
@@ -42,6 +42,11 @@
#endif
#include <string.h>
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
#include <X11/X.h>
#include <X11/Xproto.h>
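Review bot: The `UINT32_MAX` fallback added here is repeated verbatim in the render/render.c include hunk (@@ -49,6 +49,12), so the two copies can drift apart; a single definition in a shared server header would be easier to audit. `#if HAVE_STDINT_H` also depends on an undefined macro evaluating to 0, which trips `-Wundef`; if the build only ever defines it to 1 or leaves it undefined, `#ifdef HAVE_STDINT_H` states the intent directly. A one-line comment such as `/* UINT32_MAX: upper bound for client-supplied counts before multiplying by an element size */` would tell the next reader why the header is pulled in.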
@@ -716,11 +721,14 @@
return(Success);
}
+ if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
+ return BadAlloc;
+
/* Get to the swap info appended to the end of the request. */
dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
/* Allocate array to record swap information. */
- swapInfo = (DbeSwapInfoPtr)ALLOCATE_LOCAL(nStuff * sizeof(DbeSwapInfoRec));
+ swapInfo = (DbeSwapInfoPtr)Xalloc(nStuff * sizeof(DbeSwapInfoRec));
if (swapInfo == NULL)
{
return(BadAlloc);
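Review bot: The new guard bounds the multiplication, but nothing in this hunk checks that the request really carries `nStuff` entries of `xDbeSwapInfo`, and the following hunks read `dbeSwapInfo[i].window` and `dbeSwapInfo[i].swapAction`, presumably for every `i` below that client-supplied count. If the lines above the hunk use only an at-least-size check, a short request with a large `nStuff` would still make the server read past the end of the request buffer; adding `REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));` right after the overflow check would close that. The same applies to the `stuff->n` guard in the @@ -879,10 +887,12 hunk, where only `REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq)` is visible before `drawables[i]` is read. ProcDbeSwapBuffers begins outside this hunk, so whether a length check already exists has to be confirmed there.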
@@ -735,14 +743,14 @@
if (!(pWin = SecurityLookupWindow(dbeSwapInfo[i].window, client,
SecurityWriteAccess)))
{
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(BadWindow);
}
/* Each window must be double-buffered - BadMatch. */
if (DBE_WINDOW_PRIV(pWin) == NULL)
{
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(BadMatch);
}
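Review bot: Every early return in ProcDbeSwapBuffers now has to carry its own `Xfree(swapInfo)`: five error exits across this hunk and the @@ -751, @@ -762 and @@ -792 hunks, plus the success path. With the buffer on the heap, an exit that misses the call leaks server memory each time a client sends the failing request, so a single cleanup label would be safer: `error = BadWindow; goto out;` at each site and one `out: Xfree(swapInfo); return error;` at the end. The function extends beyond these hunks, so any return paths not shown here should be checked for the same free.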
@@ -751,7 +759,7 @@
{
if (dbeSwapInfo[i].window == dbeSwapInfo[j].window)
{
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(BadMatch);
}
}
@@ -762,7 +770,7 @@
(dbeSwapInfo[i].swapAction != XdbeUntouched ) &&
(dbeSwapInfo[i].swapAction != XdbeCopied ))
{
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(BadValue);
}
@@ -792,12 +800,12 @@
error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo);
if (error != Success)
{
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(error);
}
}
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(Success);
} /* ProcDbeSwapBuffers() */
@@ -879,10 +887,12 @@
REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
+ if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
+ return BadAlloc;
/* Make sure any specified drawables are valid. */
if (stuff->n != 0)
{
- if (!(pDrawables = (DrawablePtr *)ALLOCATE_LOCAL(stuff->n *
+ if (!(pDrawables = (DrawablePtr *)Xalloc(stuff->n *
sizeof(DrawablePtr))))
{
return(BadAlloc);
@@ -895,7 +905,7 @@
if (!(pDrawables[i] = (DrawablePtr)SecurityLookupDrawable(
drawables[i], client, SecurityReadAccess)))
{
- DEALLOCATE_LOCAL(pDrawables);
+ Xfree(pDrawables);
return(BadDrawable);
}
}
@@ -907,7 +917,7 @@
{
if (pDrawables)
{
- DEALLOCATE_LOCAL(pDrawables);
+ Xfree(pDrawables);
}
return(BadAlloc);
@@ -934,7 +944,7 @@
/* Free pDrawables if we needed to allocate it above. */
if (pDrawables)
{
- DEALLOCATE_LOCAL(pDrawables);
+ Xfree(pDrawables);
}
return(BadAlloc);
@@ -1015,7 +1025,7 @@
if (pDrawables)
{
- DEALLOCATE_LOCAL(pDrawables);
+ Xfree(pDrawables);
}
return(client->noClientException);
Index: xorg/render/render.c
===================================================================
RCS file: /cvs/xorg/xserver/xorg/render/render.c,v
retrieving revision 1.13.4.1
diff -u -u -r1.13.4.1 render.c
--- xorg/render/render.c 9 May 2006 22:35:52 -0000 1.13.4.1
+++ xorg/render/render.c 9 Jan 2007 12:53:57 -0000
@@ -49,6 +49,12 @@
#include <X11/Xfuncproto.h>
#include "cursorstr.h"
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
static int ProcRenderQueryVersion (ClientPtr pClient);
static int ProcRenderQueryPictFormats (ClientPtr pClient);
static int ProcRenderQueryPictIndexValues (ClientPtr pClient);
@@ -1105,11 +1111,14 @@
}
nglyphs = stuff->nglyphs;
+ if (nglyphs > UINT32_MAX / sizeof(GlyphNewRec))
+ return BadAlloc;
+
if (nglyphs <= NLOCALGLYPH)
glyphsBase = glyphsLocal;
else
{
- glyphsBase = (GlyphNewPtr) ALLOCATE_LOCAL (nglyphs * sizeof (GlyphNewRec));
+ glyphsBase = (GlyphNewPtr) Xalloc (nglyphs * sizeof (GlyphNewRec));
if (!glyphsBase)
return BadAlloc;
}
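Review bot: The overflow guard on `nglyphs` carries no comment, so nothing tells a reader that it protects the `nglyphs * sizeof (GlyphNewRec)` size passed to `Xalloc` a few lines below. I would add `/* nglyphs comes from the request; reject counts whose byte size would wrap */` above the `if`. The bound is `UINT32_MAX` rather than the range of `size_t`, which is stricter than necessary on 64-bit builds but safe, and saying so in the comment keeps it from being loosened later by mistake. The enclosing function starts and ends outside this hunk.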
@@ -1166,7 +1175,7 @@
}
if (glyphsBase != glyphsLocal)
- DEALLOCATE_LOCAL (glyphsBase);
+ Xfree (glyphsBase);
return client->noClientException;
bail:
while (glyphs != glyphsBase)
@@ -1175,7 +1184,7 @@
xfree (glyphs->glyph);
}
if (glyphsBase != glyphsLocal)
- DEALLOCATE_LOCAL (glyphsBase);
+ Xfree (glyphsBase);
return err;
}
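Review bot: The added `Xfree (glyphsBase);` sits two lines below `xfree (glyphs->glyph);` in the same `bail:` path, so this function now mixes two spellings of the deallocator; the same goes for the `Xalloc`/`Xfree` lines added in the @@ -1105 and @@ -1166 hunks. If `xfree` is the usual wrapper in this file, I would write `xfree (glyphsBase);` here and use the matching lowercase allocator in the earlier hunk, so that one search finds every allocation and release in the function. The function body extends beyond the hunk.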
Index: xorg-x11-server.spec
===================================================================
RCS file: /cvs/dist/rpms/xorg-x11-server/FC-6/xorg-x11-server.spec,v
retrieving revision 1.184
retrieving revision 1.185
diff -u -r1.184 -r1.185
--- xorg-x11-server.spec 5 Dec 2006 17:14:59 -0000 1.184
+++ xorg-x11-server.spec 9 Jan 2007 22:54:00 -0000 1.185
@@ -3,7 +3,7 @@
Summary: X.Org X11 X server
Name: xorg-x11-server
Version: 1.1.1
-Release: 47.3%{?dist}
+Release: 47.4%{?dist}
URL: http://www.x.org
License: MIT/X11
Group: User Interface/X
@@ -28,6 +28,9 @@
Patch12: xorg-x11-server-1.1.1-graphics-expose.patch
Patch13: xorg-x11-server-1.1.1-xkb-vidmode-switch.patch
+# http://xorg.freedesktop.org/releases/X11R7.1/patches/xorg-xserver-1.1.0-dbe-render.diff
+Patch50: xorg-xserver-1.1.0-dbe-render.diff
+
# OpenGL compositing manager feature/optimization patches.
Patch100: xorg-x11-server-1.1.0-no-move-damage.patch
Patch101: xorg-x11-server-1.1.0-dont-backfill-bg-none.patch
@@ -355,6 +358,8 @@
%patch12 -p1 -b .graphics-expose
%patch13 -p1 -b .xkb-vidmode-switch
+%patch50 -p1 -b .alloca
+
%patch100 -p0 -b .no-move-damage
%patch101 -p0 -b .dont-backfill-bg-none
%patch103 -p0 -b .tfp-damage
@@ -730,6 +735,9 @@
# -------------------------------------------------------------------
%changelog
+* Tue Jan 09 2007 Adam Jackson <ajax at redhat.com> 1.1.1-47.4.fc6
+- xorg-xserver-1.1.0-dbe-render.diff: CVE #2006-6101.
+
* Tue Dec 5 2006 Adam Jackson <ajax at redhat.com> 1.1.1-47.3.fc6
- xorg-x11-server-1.1.1-xf86config-comment-less.patch: Added, makes
pyxf86config not grow the config file every time it's run.