xserver: Branch 'xorg-server-1.2-apple' - 7 commits

Jeremy Huddleston jeremyhu at kemper.freedesktop.org
Wed Jun 11 12:08:57 PDT 2008 

 Xext/security.c |   10 +++++++---
 Xext/shm.c      |   13 +++++++++++--
 configure.ac    |    2 +-
 record/record.c |   16 +++++++++++++---
 render/render.c |   18 ++++++++++++++----
 5 files changed, 46 insertions(+), 13 deletions(-)

New commits:
commit b3373877b7c9fa35d02c052e6e753529943e4095
Author: Jeremy Huddleston <jeremyhu at freedesktop.org>
Date:   Wed Jun 11 12:08:45 2008 -0700

    1.3.0-apple21

diff --git a/configure.ac b/configure.ac
index 8f91fea..429492b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -28,7 +28,7 @@ dnl Process this file with autoconf to create configure.
 AC_PREREQ(2.57)
 dnl This is the not the Xorg version number, it's the server version number.
 dnl Yes, that's weird.
-AC_INIT([xorg-server], 1.3.0-apple20, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
+AC_INIT([xorg-server], 1.3.0-apple21, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
 AC_CONFIG_SRCDIR([Makefile.am])
 AM_INIT_AUTOMAKE([dist-bzip2 foreign])
 AM_MAINTAINER_MODE
commit 89ef982e16f1e3961921c1a5493e7927736137f7
Merge: ea62dfc... f912b5c...
Author: Jeremy Huddleston <jeremyhu at freedesktop.org>
Date:   Wed Jun 11 12:08:22 2008 -0700

    Merge branch 'server-1.3-branch' into xorg-server-1.2-apple

commit f912b5ccd3bfb8f0fc0d142feb88871858c07fb0
Author: Matthieu Herrb <matthieu.herrb at laas.fr>
Date:   Sun Jun 8 11:13:47 2008 -0600

    CVE-2008-2360 - RENDER Extension heap buffer overflow
    
    An integer overflow may occur in the computation of the size of the
    glyph to be allocated by the AllocateGlyph() function which will cause
    less memory to be allocated than expected, leading to later heap
    overflow.
    
    On systems where the X  SIGSEGV handler includes a stack trace, more
    malloc()-type functions are called, which may lead to other
    exploitable issues.
    (cherry picked from commit b1a4a96885bf191d5f4afcfb2b41a88631b8412b)

diff --git a/render/glyph.c b/render/glyph.c
index 6d09a0e..2ca02f0 100644
--- a/render/glyph.c
+++ b/render/glyph.c
@@ -42,6 +42,12 @@
 #include "picturestr.h"
 #include "glyphstr.h"
 
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
 /*
  * From Knuth -- a good choice for hash/rehash values is p, p-2 where
  * p and p-2 are both prime.  These tables are sized to have an extra 10%
@@ -626,8 +632,12 @@ AllocateGlyph (xGlyphInfo *gi, int fdepth)
     int		     size;
     GlyphPtr	     glyph;
     int		     i;
-
-    size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
+    size_t	     padded_width;
+    
+    padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
+    if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
+	return 0;
+    size = gi->height * padded_width;
     glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
     if (!glyph)
 	return 0;
commit 6d0a0a637f1863dfb6b300b1bb106415376b19e4
Author: Matthieu Herrb <matthieu.herrb at laas.fr>
Date:   Tue Jun 10 12:23:03 2008 -0600

    CVE-2008-2362 - RENDER Extension memory corruption
    
    Integer overflows can occur in the code validating the parameters for
    the SProcRenderCreateLinearGradient, SProcRenderCreateRadialGradient
    and SProcRenderCreateConicalGradient functions, leading to memory
    corruption by swapping bytes outside of the intended request
    parameters.
    (cherry picked from commit 9171206db349a0c6fda719746be0b15049d57aaa)

diff --git a/render/render.c b/render/render.c
index d7dd80c..bb7208d 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1917,6 +1917,8 @@ static int ProcRenderCreateLinearGradient (ClientPtr client)
     LEGAL_NEW_RESOURCE(stuff->pid, client);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
@@ -2488,18 +2490,18 @@ SProcRenderCreateSolidFill(ClientPtr client)
     return (*ProcRenderVector[stuff->renderReqType]) (client);
 }
 
-static void swapStops(void *stuff, int n)
+static void swapStops(void *stuff, int num)
 {
-    int i;
+    int i, n;
     CARD32 *stops;
     CARD16 *colors;
     stops = (CARD32 *)(stuff);
-    for (i = 0; i < n; ++i) {
+    for (i = 0; i < num; ++i) {
         swapl(stops, n);
         ++stops;
     }
     colors = (CARD16 *)(stops);
-    for (i = 0; i < 4*n; ++i) {
+    for (i = 0; i < 4*num; ++i) {
         swaps(stops, n);
         ++stops;
     }
@@ -2522,6 +2524,8 @@ SProcRenderCreateLinearGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
@@ -2549,6 +2553,8 @@ SProcRenderCreateRadialGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
@@ -2573,6 +2579,8 @@ SProcRenderCreateConicalGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
commit 87e94198432603d1ede6d4dabb34f8617e84c18b
Author: Matthieu Herrb <matthieu.herrb at laas.fr>
Date:   Tue Jun 10 12:22:30 2008 -0600

    CVE-2008-2361 - RENDER Extension crash
    
    An integer overflow may occur in the computation of the size of the
    glyph to be allocated by the ProcRenderCreateCursor() function which
    will cause less memory to be allocated than expected, leading later to
    dereferencing un-mapped memory, causing a crash of the X server.
    (cherry picked from commit 5257a0f83d5f3d80d0cd44dd76d047bac3869592)

diff --git a/render/render.c b/render/render.c
index 55f360a..d7dd80c 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1502,6 +1502,8 @@ ProcRenderCreateCursor (ClientPtr client)
     pScreen = pSrc->pDrawable->pScreen;
     width = pSrc->pDrawable->width;
     height = pSrc->pDrawable->height;
+    if (height && width > UINT32_MAX/(height*sizeof(CARD32)))
+	return BadAlloc;
     if ( stuff->x > width 
       || stuff->y > height )
 	return (BadMatch);
commit b0a9b429613faacb71c0aad3f774a13bd7d985df
Author: Matthieu Herrb <matthieu.herrb at laas.fr>
Date:   Tue Jun 10 12:20:43 2008 -0600

    CVE-2008-1379 - MIT-SHM arbitrary memory read
    
    An integer overflow in the validation of the parameters of the
    ShmPutImage() request makes it possible to trigger the copy of
    arbitrary server memory to a pixmap that can subsequently be read by
    the client, to read arbitrary parts of the X server memory space.
    (cherry picked from commit 063f18ef6d7bf834225ddfd3527e58c078628f5f)

diff --git a/Xext/shm.c b/Xext/shm.c
index be79862..e3fa2d3 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -841,8 +841,17 @@ ProcShmPutImage(client)
         return BadValue;
     }
 
-    VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
-		   client);
+    /* 
+     * There's a potential integer overflow in this check:
+     * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+     *                client);
+     * the version below ought to avoid it
+     */
+    if (stuff->totalHeight != 0 && 
+	length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
+	client->errorValue = stuff->totalWidth;
+	return BadValue;
+    }
     if (stuff->srcX > stuff->totalWidth)
     {
 	client->errorValue = stuff->srcX;
commit 2af571dbf176a1f77c2235d750356663f7e70282
Author: Matthieu Herrb <matthieu.herrb at laas.fr>
Date:   Tue Jun 10 12:20:00 2008 -0600

    CVE-2008-1377 - RECORD and Security extensions memory corruption
    
    Lack of validation of the parameters of the
    SProcSecurityGenerateAuthorization SProcRecordCreateContext
    functions makes it possible for a specially crafted request to trigger
    the swapping of bytes outside the parameter of these requests, causing
    memory corruption.
    (cherry picked from commit 95d162c4389857d960da9b0158345c1714e91f31)

diff --git a/Xext/security.c b/Xext/security.c
index ac76279..7e8a06e 100644
--- a/Xext/security.c
+++ b/Xext/security.c
@@ -651,15 +651,19 @@ SProcSecurityGenerateAuthorization(
     register char 	n;
     CARD32 *values;
     unsigned long nvalues;
+    int values_offset;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
     swaps(&stuff->nbytesAuthProto, n);
     swaps(&stuff->nbytesAuthData, n);
     swapl(&stuff->valueMask, n);
-    values = (CARD32 *)(&stuff[1]) +
-	((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
-	((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+		    ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    if (values_offset > 
+	stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+	return BadLength;
+    values = (CARD32 *)(&stuff[1]) + values_offset;
     nvalues = (((CARD32 *)stuff) + stuff->length) - values;
     SwapLongs(values, nvalues);
     return ProcSecurityGenerateAuthorization(client);
diff --git a/record/record.c b/record/record.c
index 0ed8f84..9a166d6 100644
--- a/record/record.c
+++ b/record/record.c
@@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client)
 } /* SProcRecordQueryVersion */
 
 
-static void
+static int
 SwapCreateRegister(xRecordRegisterClientsReq *stuff)
 {
     register char n;
@@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
     swapl(&stuff->nClients, n);
     swapl(&stuff->nRanges, n);
     pClientID = (XID *)&stuff[1];
+    if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
+	return BadLength;
     for (i = 0; i < stuff->nClients; i++, pClientID++)
     {
 	swapl(pClientID, n);
     }
+    if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
+	- stuff->nClients)
+	return BadLength;
     RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
+    return Success;
 } /* SwapCreateRegister */
 
 
@@ -2679,11 +2685,13 @@ static int
 SProcRecordCreateContext(ClientPtr client)
 {
     REQUEST(xRecordCreateContextReq);
+    int			status;
     register char 	n;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
-    SwapCreateRegister((pointer)stuff);
+    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+	return status;
     return ProcRecordCreateContext(client);
 } /* SProcRecordCreateContext */
 
@@ -2692,11 +2700,13 @@ static int
 SProcRecordRegisterClients(ClientPtr client)
 {
     REQUEST(xRecordRegisterClientsReq);
+    int			status;
     register char 	n;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
-    SwapCreateRegister((pointer)stuff);
+    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+	return status;
     return ProcRecordRegisterClients(client);
 } /* SProcRecordRegisterClients */

More information about the xorg-commit mailing list