xserver: Branch 'master' - 5 commits
Matthieu Herrb
herrb at kemper.freedesktop.org
Wed Jun 11 07:10:17 PDT 2008
Xext/security.c | 10 +++++++---
Xext/shm.c | 13 +++++++++++--
record/record.c | 16 +++++++++++++---
render/render.c | 29 +++++++++++++++++++++++------
4 files changed, 54 insertions(+), 14 deletions(-)
New commits:
commit 9171206db349a0c6fda719746be0b15049d57aaa
Author: Matthieu Herrb <matthieu.herrb at laas.fr>
Date: Tue Jun 10 12:23:03 2008 -0600
CVE-2008-2362 - RENDER Extension memory corruption
Integer overflows can occur in the code validating the parameters for
the SProcRenderCreateLinearGradient, SProcRenderCreateRadialGradient
and SProcRenderCreateConicalGradient functions, leading to memory
corruption by swapping bytes outside of the intended request
parameters.
diff --git a/render/render.c b/render/render.c
index 7787e18..638aa46 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1996,6 +1996,8 @@ static int ProcRenderCreateLinearGradient (ClientPtr client)
LEGAL_NEW_RESOURCE(stuff->pid, client);
len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
return BadLength;
@@ -2584,18 +2586,18 @@ SProcRenderCreateSolidFill(ClientPtr client)
return (*ProcRenderVector[stuff->renderReqType]) (client);
}
-static void swapStops(void *stuff, int n)
+static void swapStops(void *stuff, int num)
{
- int i;
+ int i, n;
CARD32 *stops;
CARD16 *colors;
stops = (CARD32 *)(stuff);
- for (i = 0; i < n; ++i) {
+ for (i = 0; i < num; ++i) {
swapl(stops, n);
++stops;
}
colors = (CARD16 *)(stops);
- for (i = 0; i < 4*n; ++i) {
+ for (i = 0; i < 4*num; ++i) {
swaps(stops, n);
++stops;
}
@@ -2618,6 +2620,8 @@ SProcRenderCreateLinearGradient (ClientPtr client)
swapl(&stuff->nStops, n);
len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
return BadLength;
@@ -2645,6 +2649,8 @@ SProcRenderCreateRadialGradient (ClientPtr client)
swapl(&stuff->nStops, n);
len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
+ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
return BadLength;
@@ -2669,6 +2675,8 @@ SProcRenderCreateConicalGradient (ClientPtr client)
swapl(&stuff->nStops, n);
len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
+ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
return BadLength;
commit 5257a0f83d5f3d80d0cd44dd76d047bac3869592
Author: Matthieu Herrb <matthieu.herrb at laas.fr>
Date: Tue Jun 10 12:22:30 2008 -0600
CVE-2008-2361 - RENDER Extension crash
An integer overflow may occur in the computation of the size of the
glyph to be allocated by the ProcRenderCreateCursor() function which
will cause less memory to be allocated than expected, leading later to
dereferencing un-mapped memory, causing a crash of the X server.
diff --git a/render/render.c b/render/render.c
index 16b8eb3..7787e18 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1569,6 +1569,8 @@ ProcRenderCreateCursor (ClientPtr client)
pScreen = pSrc->pDrawable->pScreen;
width = pSrc->pDrawable->width;
height = pSrc->pDrawable->height;
+ if (height && width > UINT32_MAX/(height*sizeof(CARD32)))
+ return BadAlloc;
if ( stuff->x > width
|| stuff->y > height )
return (BadMatch);
commit c5f69b297b1227cb802394fa90efdbe1de607f3c
Author: Matthieu Herrb <matthieu.herrb at laas.fr>
Date: Tue Jun 10 12:21:26 2008 -0600
CVE-2008-2360 - RENDER Extension heap buffer overflow
An integer overflow may occur in the computation of the size of the
glyph to be allocated by the AllocateGlyph() function which will cause
less memory to be allocated than expected, leading to later heap
overflow.
diff --git a/render/render.c b/render/render.c
index f03f54a..16b8eb3 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1117,9 +1117,16 @@ ProcRenderAddGlyphs (ClientPtr client)
remain -= (sizeof (CARD32) + sizeof (xGlyphInfo)) * nglyphs;
for (i = 0; i < nglyphs; i++)
{
+ size_t padded_width;
glyph_new = &glyphs[i];
- size = gi[i].height * PixmapBytePad (gi[i].width,
- glyphSet->format->depth);
+
+ padded_width = PixmapBytePad (gi[i].width,
+ glyphSet->format->depth);
+
+ if (gi[i].height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi[i].height)
+ break;
+
+ size = gi[i].height * padded_width;
if (remain < size)
break;
commit 063f18ef6d7bf834225ddfd3527e58c078628f5f
Author: Matthieu Herrb <matthieu.herrb at laas.fr>
Date: Tue Jun 10 12:20:43 2008 -0600
CVE-2008-1379 - MIT-SHM arbitrary memory read
An integer overflow in the validation of the parameters of the
ShmPutImage() request makes it possible to trigger the copy of
arbitrary server memory to a pixmap that can subsequently be read by
the client, to read arbitrary parts of the X server memory space.
diff --git a/Xext/shm.c b/Xext/shm.c
index 80780bb..3f51b9c 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -894,8 +894,17 @@ ProcShmPutImage(client)
return BadValue;
}
- VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
- client);
+ /*
+ * There's a potential integer overflow in this check:
+ * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+ * client);
+ * the version below ought to avoid it
+ */
+ if (stuff->totalHeight != 0 &&
+ length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
+ client->errorValue = stuff->totalWidth;
+ return BadValue;
+ }
if (stuff->srcX > stuff->totalWidth)
{
client->errorValue = stuff->srcX;
commit 95d162c4389857d960da9b0158345c1714e91f31
Author: Matthieu Herrb <matthieu.herrb at laas.fr>
Date: Tue Jun 10 12:20:00 2008 -0600
CVE-2008-1377 - RECORD and Security extensions memory corruption
Lack of validation of the parameters of the
SProcSecurityGenerateAuthorization SProcRecordCreateContext
functions makes it possible for a specially crafted request to trigger
the swapping of bytes outside the parameter of these requests, causing
memory corruption.
diff --git a/Xext/security.c b/Xext/security.c
index f28b10d..bd92600 100644
--- a/Xext/security.c
+++ b/Xext/security.c
@@ -676,15 +676,19 @@ SProcSecurityGenerateAuthorization(
char n;
CARD32 *values;
unsigned long nvalues;
+ int values_offset;
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
swaps(&stuff->nbytesAuthProto, n);
swaps(&stuff->nbytesAuthData, n);
swapl(&stuff->valueMask, n);
- values = (CARD32 *)(&stuff[1]) +
- ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
- ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+ values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+ ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+ if (values_offset >
+ stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+ return BadLength;
+ values = (CARD32 *)(&stuff[1]) + values_offset;
nvalues = (((CARD32 *)stuff) + stuff->length) - values;
SwapLongs(values, nvalues);
return ProcSecurityGenerateAuthorization(client);
diff --git a/record/record.c b/record/record.c
index ec06ca9..d7314b1 100644
--- a/record/record.c
+++ b/record/record.c
@@ -2658,7 +2658,7 @@ SProcRecordQueryVersion(ClientPtr client)
} /* SProcRecordQueryVersion */
-static void
+static int
SwapCreateRegister(xRecordRegisterClientsReq *stuff)
{
register char n;
@@ -2669,11 +2669,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
swapl(&stuff->nClients, n);
swapl(&stuff->nRanges, n);
pClientID = (XID *)&stuff[1];
+ if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
+ return BadLength;
for (i = 0; i < stuff->nClients; i++, pClientID++)
{
swapl(pClientID, n);
}
+ if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
+ - stuff->nClients)
+ return BadLength;
RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
+ return Success;
} /* SwapCreateRegister */
@@ -2681,11 +2687,13 @@ static int
SProcRecordCreateContext(ClientPtr client)
{
REQUEST(xRecordCreateContextReq);
+ int status;
register char n;
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
- SwapCreateRegister((pointer)stuff);
+ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+ return status;
return ProcRecordCreateContext(client);
} /* SProcRecordCreateContext */
@@ -2694,11 +2702,13 @@ static int
SProcRecordRegisterClients(ClientPtr client)
{
REQUEST(xRecordRegisterClientsReq);
+ int status;
register char n;
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
- SwapCreateRegister((pointer)stuff);
+ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+ return status;
return ProcRecordRegisterClients(client);
} /* SProcRecordRegisterClients */
More information about the xorg-commit
mailing list