rpms/xorg-x11-server/F-8 cve-2007-6429.patch, 1.1, 1.2 xorg-x11-server.spec, 1.266, 1.267
Dave Airlie (airlied)
fedora-extras-commits at redhat.com
Fri Jan 18 19:54:44 UTC 2008
Author: airlied
Update of /cvs/pkgs/rpms/xorg-x11-server/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv13987
Modified Files:
cve-2007-6429.patch xorg-x11-server.spec
Log Message:
* Fri Jan 18 2008 Dave Airlie <airlied at redhat.com> 1.3.0.0-39
- cve-2007-6429.patch: Fix patch to not break java apps
cve-2007-6429.patch:
Index: cve-2007-6429.patch
===================================================================
RCS file: /cvs/pkgs/rpms/xorg-x11-server/F-8/cve-2007-6429.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- cve-2007-6429.patch 18 Jan 2008 02:33:46 -0000 1.1
+++ cve-2007-6429.patch 18 Jan 2008 19:53:58 -0000 1.2
@@ -1,5 +1,97 @@
---- xorg-server-1.1.1/Xext/shm.c.freedesktop-bug-13520 2006-07-06 04:31:36.000000000 +1000
-+++ xorg-server-1.1.1/Xext/shm.c 2007-12-14 13:08:59.000000000 +1000
+--- xorg-server-1.1.1/Xext/sampleEVI.c.cve-2007-6429 2006-07-05 14:31:36.000000000 -0400
++++ xorg-server-1.1.1/Xext/sampleEVI.c 2008-01-18 14:15:44.000000000 -0500
+@@ -36,6 +36,13 @@
+ #include <X11/extensions/XEVIstr.h>
+ #include "EVIstruct.h"
+ #include "scrnintstr.h"
++
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(INT_MAX)
++#define INT_MAX 0x7fffffff
++#endif
++
+ static int sampleGetVisualInfo(
+ VisualID32 *visual,
+ int n_visual,
+@@ -44,24 +51,36 @@
+ VisualID32 **conflict_rn,
+ int *n_conflict_rn)
+ {
+- int max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
++ unsigned int max_sz_evi;
+ VisualID32 *temp_conflict;
+ xExtendedVisualInfo *evi;
+- int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
++ unsigned int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
+ register int visualI, scrI, sz_evi = 0, conflictI, n_conflict;
+- *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
+- if (!*evi_rn)
+- return BadAlloc;
++
++ if (n_visual > UINT32_MAX/(sz_xExtendedVisualInfo * screenInfo.numScreens))
++ return BadAlloc;
++ max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
++
+ for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
+ if (screenInfo.screens[scrI]->numVisuals > max_visuals)
+ max_visuals = screenInfo.screens[scrI]->numVisuals;
+ }
++
++ if (n_visual > UINT32_MAX/(sz_VisualID32 * screenInfo.numScreens
++ * max_visuals))
++ return BadAlloc;
+ max_sz_conflict = n_visual * sz_VisualID32 * screenInfo.numScreens * max_visuals;
++
++ *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
++ if (!*evi_rn)
++ return BadAlloc;
++
+ temp_conflict = (VisualID32 *)xalloc(max_sz_conflict);
+ if (!temp_conflict) {
+ xfree(*evi_rn);
+ return BadAlloc;
+ }
++
+ for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
+ for (visualI = 0; visualI < n_visual; visualI++) {
+ evi[sz_evi].core_visual_id = visual[visualI];
+--- xorg-server-1.1.1/Xext/EVI.c.cve-2007-6429 2006-07-05 14:31:36.000000000 -0400
++++ xorg-server-1.1.1/Xext/EVI.c 2008-01-18 14:15:44.000000000 -0500
+@@ -36,6 +36,7 @@
+ #include <X11/extensions/XEVIstr.h>
+ #include "EVIstruct.h"
+ #include "modinit.h"
++#include "scrnintstr.h"
+
+ #if 0
+ static unsigned char XEVIReqCode = 0;
+@@ -89,10 +90,22 @@
+ {
+ REQUEST(xEVIGetVisualInfoReq);
+ xEVIGetVisualInfoReply rep;
+- int n, n_conflict, n_info, sz_info, sz_conflict;
++ int i, n, n_conflict, n_info, sz_info, sz_conflict;
+ VisualID32 *conflict;
++ unsigned int total_visuals = 0;
+ xExtendedVisualInfo *eviInfo;
+ int status;
++
++ /*
++ * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume
++ * here that you don't have more than 2^32 visuals over all your screens;
++ * this seems like a safe assumption.
++ */
++ for (i = 0; i < screenInfo.numScreens; i++)
++ total_visuals += screenInfo.screens[i]->numVisuals;
++ if (stuff->n_visual > total_visuals)
++ return BadValue;
++
+ REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
+ status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
+ &eviInfo, &n_info, &conflict, &n_conflict);
+--- xorg-server-1.1.1/Xext/shm.c.cve-2007-6429 2006-07-05 14:31:36.000000000 -0400
++++ xorg-server-1.1.1/Xext/shm.c 2008-01-18 14:19:28.000000000 -0500
@@ -725,6 +725,8 @@
int i, j, result;
ShmDescPtr shmdesc;
@@ -9,7 +101,7 @@
PanoramiXRes *newPix;
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
-@@ -734,11 +736,26 @@
+@@ -734,11 +736,18 @@
LEGAL_NEW_RESOURCE(stuff->pid, client);
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
@@ -25,30 +117,34 @@
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
-+ size = PixmapBytePad(width, depth) * height;
-+ if (sizeof(size) == 4) {
-+ if (size < width * height)
-+ return BadAlloc;
-+ /* thankfully, offset is unsigned */
-+ if (stuff->offset + size < size)
-+ return BadAlloc;
-+ }
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
-@@ -749,9 +766,7 @@
+@@ -748,10 +757,19 @@
+ client->errorValue = stuff->depth;
return BadValue;
}
++
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
++ /* now w/h/d are valid; but will they overflow a 32-bit pointer? */
++ size = PixmapBytePad(width, depth) * height;
++ if (sizeof(void *) == 4 && BitsPerPixel(depth) > 8) {
++ if (size < width * height)
++ return BadAlloc;
++ /* thankfully, offset is unsigned */
++ if (stuff->offset + size < size)
++ return BadAlloc;
++ }
++
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
return BadAlloc;
-@@ -1049,6 +1064,8 @@
+@@ -1049,6 +1067,8 @@
register int i;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
@@ -57,7 +153,7 @@
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
client->errorValue = stuff->pid;
-@@ -1057,11 +1074,26 @@
+@@ -1057,11 +1077,18 @@
LEGAL_NEW_RESOURCE(stuff->pid, client);
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
@@ -73,122 +169,30 @@
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
-+ size = PixmapBytePad(width, depth) * height;
-+ if (sizeof(size) == 4) {
-+ if (size < width * height)
-+ return BadAlloc;
-+ /* thankfully, offset is unsigned */
-+ if (stuff->offset + size < size)
-+ return BadAlloc;
-+ }
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
-@@ -1072,9 +1104,7 @@
+@@ -1071,10 +1098,19 @@
+ client->errorValue = stuff->depth;
return BadValue;
}
++
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
++ /* now w/h/d are valid; but will they overflow a 32-bit pointer? */
++ size = PixmapBytePad(width, depth) * height;
++ if (sizeof(void *) == 4 && BitsPerPixel(depth) > 8) {
++ if (size < width * height)
++ return BadAlloc;
++ /* thankfully, offset is unsigned */
++ if (stuff->offset + size < size)
++ return BadAlloc;
++ }
++
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
pDraw->pScreen, stuff->width,
stuff->height, stuff->depth,
-diff --git a/Xext/EVI.c b/Xext/EVI.c
-index 8fe3481..13bd32a 100644
---- a/Xext/EVI.c
-+++ b/Xext/EVI.c
-@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
- #include <X11/extensions/XEVIstr.h>
- #include "EVIstruct.h"
- #include "modinit.h"
-+#include "scrnintstr.h"
-
- #if 0
- static unsigned char XEVIReqCode = 0;
-@@ -87,10 +88,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
- {
- REQUEST(xEVIGetVisualInfoReq);
- xEVIGetVisualInfoReply rep;
-- int n, n_conflict, n_info, sz_info, sz_conflict;
-+ int i, n, n_conflict, n_info, sz_info, sz_conflict;
- VisualID32 *conflict;
-+ unsigned int total_visuals = 0;
- xExtendedVisualInfo *eviInfo;
- int status;
-+
-+ /*
-+ * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume
-+ * here that you don't have more than 2^32 visuals over all your screens;
-+ * this seems like a safe assumption.
-+ */
-+ for (i = 0; i < screenInfo.numScreens; i++)
-+ total_visuals += screenInfo.screens[i]->numVisuals;
-+ if (stuff->n_visual > total_visuals)
-+ return BadValue;
-+
- REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
- status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
- &eviInfo, &n_info, &conflict, &n_conflict);
-diff --git a/Xext/sampleEVI.c b/Xext/sampleEVI.c
-index 7508aa7..b8f39c7 100644
---- a/Xext/sampleEVI.c
-+++ b/Xext/sampleEVI.c
-@@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
- #include <X11/extensions/XEVIstr.h>
- #include "EVIstruct.h"
- #include "scrnintstr.h"
-+
-+#if HAVE_STDINT_H
-+#include <stdint.h>
-+#elif !defined(INT_MAX)
-+#define INT_MAX 0x7fffffff
-+#endif
-+
- static int sampleGetVisualInfo(
- VisualID32 *visual,
- int n_visual,
-@@ -42,24 +49,36 @@ static int sampleGetVisualInfo(
- VisualID32 **conflict_rn,
- int *n_conflict_rn)
- {
-- int max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
-+ unsigned int max_sz_evi;
- VisualID32 *temp_conflict;
- xExtendedVisualInfo *evi;
-- int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
-+ unsigned int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
- register int visualI, scrI, sz_evi = 0, conflictI, n_conflict;
-- *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
-- if (!*evi_rn)
-- return BadAlloc;
-+
-+ if (n_visual > UINT32_MAX/(sz_xExtendedVisualInfo * screenInfo.numScreens))
-+ return BadAlloc;
-+ max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
-+
- for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
- if (screenInfo.screens[scrI]->numVisuals > max_visuals)
- max_visuals = screenInfo.screens[scrI]->numVisuals;
- }
-+
-+ if (n_visual > UINT32_MAX/(sz_VisualID32 * screenInfo.numScreens
-+ * max_visuals))
-+ return BadAlloc;
- max_sz_conflict = n_visual * sz_VisualID32 * screenInfo.numScreens * max_visuals;
-+
-+ *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
-+ if (!*evi_rn)
-+ return BadAlloc;
-+
- temp_conflict = (VisualID32 *)xalloc(max_sz_conflict);
- if (!temp_conflict) {
- xfree(*evi_rn);
- return BadAlloc;
- }
-+
- for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
- for (visualI = 0; visualI < n_visual; visualI++) {
- evi[sz_evi].core_visual_id = visual[visualI];
Index: xorg-x11-server.spec
===================================================================
RCS file: /cvs/pkgs/rpms/xorg-x11-server/F-8/xorg-x11-server.spec,v
retrieving revision 1.266
retrieving revision 1.267
diff -u -r1.266 -r1.267
--- xorg-x11-server.spec 18 Jan 2008 03:02:33 -0000 1.266
+++ xorg-x11-server.spec 18 Jan 2008 19:53:58 -0000 1.267
@@ -9,7 +9,7 @@
Summary: X.Org X11 X server
Name: xorg-x11-server
Version: 1.3.0.0
-Release: 38%{?dist}
+Release: 39%{?dist}
URL: http://www.x.org
License: MIT
Group: User Interface/X
@@ -641,6 +641,9 @@
%changelog
+* Fri Jan 18 2008 Dave Airlie <airlied at redhat.com> 1.3.0.0-39
+- cve-2007-6429.patch: Fix patch to not break java apps
+
* Fri Jan 18 2008 Dave Airlie <airlied at redhat.com> 1.3.0.0-38
- cve-2007-5760.patch: XFree86-Misc Extension Invalid Array Index Vulnerability
- cve-2007-5958.patch: Xorg / XFree86 file existence disclosure vulnerability
More information about the fedora-extras-commits
mailing list