xserver: Branch 'server-1.5-branch' - 9 commits

Matthieu Herrb herrb at kemper.freedesktop.org
Thu Jun 19 08:02:38 PDT 2008


 configure.ac |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

New commits:
commit 7e3ec36e0e87c8592e6783319dcc1fe0246fbffe
Merge: d254903... ad10515...
Author: Matthieu Herrb <matthieu.herrb at laas.fr>
Date:   Wed Jun 18 09:20:05 2008 +0200

    Merge branch 'server-1.5-branch' of git+ssh://herrb@git.freedesktop.org/git/xorg/xserver into server-1.5-branch

commit d2549034133a92d1f5755edd9c34ee84e601d753
Author: Matthieu Herrb <matthieu.herrb at laas.fr>
Date:   Sat Jun 14 14:40:32 2008 -0600

    configure.ac: fix the help string for --with-freetype.
    
    Default value was changed to 'no' in e5b1d38e142807b59ce4ec89764c949f707ec541
    but the help string wasn't updated.

diff --git a/configure.ac b/configure.ac
index b251dce..97e46b0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -584,7 +584,7 @@ AC_ARG_ENABLE(xfake,          AS_HELP_STRING([--enable-xfake], [Build the kdrive
 AC_ARG_ENABLE(xfbdev,         AS_HELP_STRING([--enable-xfbdev], [Build the kdrive framebuffer device server (default: auto)]), [XFBDEV=$enableval], [XFBDEV=auto])
 AC_ARG_ENABLE(kdrive-vesa,    AS_HELP_STRING([--enable-kdrive-vesa], [Build the kdrive VESA-based servers (default: auto)]), [KDRIVEVESA=$enableval], [KDRIVEVESA=auto])
 dnl xprint
-AC_ARG_ENABLE(freetype,       AS_HELP_STRING([ --enable-freetype], [Build Xprint FreeType backend (default: yes)]), [XP_USE_FREETYPE=$enableval],[XP_USE_FREETYPE=no])
+AC_ARG_ENABLE(freetype,       AS_HELP_STRING([ --enable-freetype], [Build Xprint FreeType backend (default: no)]), [XP_USE_FREETYPE=$enableval],[XP_USE_FREETYPE=no])
 AC_ARG_WITH(freetype-config,  AS_HELP_STRING([ --with-freetype-config=PROG], [Use FreeType configuration program PROG (default: auto)]), freetype_config=$withval, freetype_config=auto)
 
 
commit c2877c073b4d02850b1f85ba2ba80e68a74e43cd
Merge: a645b47... 2552026...
Author: Matthieu Herrb <matthieu.herrb at laas.fr>
Date:   Sat Jun 14 14:32:42 2008 -0600

    Merge branch 'server-1.5-branch' of git+ssh://herrb@git.freedesktop.org/git/xorg/xserver into server-1.5-branch

commit a645b47f047375fb81a87bbbc245369f680a6dab
Merge: 6de2855... 2124870...
Author: Matthieu Herrb <matthieu.herrb at laas.fr>
Date:   Thu Jun 12 14:22:32 2008 -0600

    Merge branch 'server-1.5-branch' of git+ssh://herrb@git.freedesktop.org/git/xorg/xserver into server-1.5-branch

commit 6de2855b888e19c13d03d5e900248c1428724104
Author: Matthieu Herrb <matthieu.herrb at laas.fr>
Date:   Tue Jun 10 12:20:43 2008 -0600

    CVE-2008-1379 - MIT-SHM arbitrary memory read
    
    An integer overflow in the validation of the ShmPutImage() request
    parameters makes it possible to copy arbitrary X server memory into a
    pixmap that the client can subsequently read, disclosing arbitrary
    parts of the server's address space.

diff --git a/Xext/shm.c b/Xext/shm.c
index b2973bf..8cf5944 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -894,8 +894,17 @@ ProcShmPutImage(client)
         return BadValue;
     }
 
-    VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
-		   client);
+    /* 
+     * There's a potential integer overflow in this check:
+     * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+     *                client);
+     * the version below ought to avoid it
+     */
+    if (stuff->totalHeight != 0 && 
+	length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
+	client->errorValue = stuff->totalWidth;
+	return BadValue;
+    }
     if (stuff->srcX > stuff->totalWidth)
     {
 	client->errorValue = stuff->srcX;
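Review bot: The replacement check at lines 81-82 bounds `length * totalHeight` but never bounds `stuff->offset` itself; if `offset` exceeds `shmdesc->size` (an unsigned quantity, as far as the subtraction suggests) then `shmdesc->size - stuff->offset` wraps to a huge value and the check passes for any `length`. The VERIFY_SHMSIZE macro being removed is defined outside this hunk and presumably validated the offset as well, so that validation is lost here unless ProcShmPutImage checks it earlier. I would precede the new check with `if (stuff->offset > shmdesc->size) { client->errorValue = stuff->offset; return BadValue; }` and reduce the comment to the one sentence that matters, `/* divide rather than multiply so length*totalHeight cannot overflow (CVE-2008-1379) */`, instead of keeping the old macro call as commented-out code. ProcShmPutImage starts and ends outside the hunk.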
commit ebd916314de1f4570964312e008b17a9c96800ea
Author: Matthieu Herrb <matthieu.herrb at laas.fr>
Date:   Tue Jun 10 12:20:00 2008 -0600

    CVE-2008-1377 - RECORD and Security extensions memory corruption
    
    Missing validation of the parameters of the
    SProcSecurityGenerateAuthorization and SProcRecordCreateContext
    functions makes it possible for a specially crafted request to trigger
    byte swapping outside the bounds of the request, causing memory
    corruption.

diff --git a/Xext/security.c b/Xext/security.c
index e82b976..ad30e06 100644
--- a/Xext/security.c
+++ b/Xext/security.c
@@ -679,15 +679,19 @@ SProcSecurityGenerateAuthorization(
     register char 	n;
     CARD32 *values;
     unsigned long nvalues;
+    int values_offset;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
     swaps(&stuff->nbytesAuthProto, n);
     swaps(&stuff->nbytesAuthData, n);
     swapl(&stuff->valueMask, n);
-    values = (CARD32 *)(&stuff[1]) +
-	((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
-	((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+		    ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    if (values_offset > 
+	stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+	return BadLength;
+    values = (CARD32 *)(&stuff[1]) + values_offset;
     nvalues = (((CARD32 *)stuff) + stuff->length) - values;
     SwapLongs(values, nvalues);
     return ProcSecurityGenerateAuthorization(client);
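Review bot: The new bound at lines 121-123 and the existing `nvalues` computation at line 125 are both derived from the 16-bit `stuff->length`, while REQUEST_AT_LEAST_SIZE on line 112 validates `client->req_len`; the two differ under BIG-REQUESTS, where the length field is 0 and the real length lives elsewhere. With this check such a request now fails with BadLength (before, it would have produced a wildly wrong `nvalues`), which is the safe outcome, but if this server build is meant to accept big requests on this path the bound should be `client->req_len - (sz_xSecurityGenerateAuthorizationReq >> 2)` and the end pointer `((CARD32 *)stuff) + client->req_len`. A one-line comment would also help a later reader, e.g. `/* the values array must lie inside the request, or SwapLongs() below writes past it (CVE-2008-1377) */`. The function's opening and closing braces are outside the hunk.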
diff --git a/record/record.c b/record/record.c
index debe3c4..5fb860c 100644
--- a/record/record.c
+++ b/record/record.c
@@ -2657,7 +2657,7 @@ SProcRecordQueryVersion(ClientPtr client)
 } /* SProcRecordQueryVersion */
 
 
-static void
+static int
 SwapCreateRegister(xRecordRegisterClientsReq *stuff)
 {
     register char n;
@@ -2668,11 +2668,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
     swapl(&stuff->nClients, n);
     swapl(&stuff->nRanges, n);
     pClientID = (XID *)&stuff[1];
+    if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
+	return BadLength;
     for (i = 0; i < stuff->nClients; i++, pClientID++)
     {
 	swapl(pClientID, n);
     }
+    if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
+	- stuff->nClients)
+	return BadLength;
     RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
+    return Success;
 } /* SwapCreateRegister */
 
 
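Review bot: The `nRanges` bound at lines 151-153 counts each range as one 32-bit word, but RecordSwapRanges() (outside this hunk) swaps `nRanges` whole xRecordRange structures; if sizeof(xRecordRange) is larger than 4 bytes — it carries several 8- and 16-bit sub-ranges, so presumably it is — a request whose `nRanges` is close to the remaining word count still passes and the swap runs past the end of the request. The bound should be expressed in ranges rather than words, e.g. `if (stuff->nRanges > (stuff->length - (sz_xRecordRegisterClientsReq >> 2) - stuff->nClients) / (sz_xRecordRange >> 2)) return BadLength;`, assuming the protocol header's size constant is in scope as it is for the request. The `nClients` bound at line 145 is exact, since the loop at lines 147-150 swaps one 32-bit XID per client.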
@@ -2680,11 +2686,13 @@ static int
 SProcRecordCreateContext(ClientPtr client)
 {
     REQUEST(xRecordCreateContextReq);
+    int			status;
     register char 	n;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
-    SwapCreateRegister((pointer)stuff);
+    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+	return status;
     return ProcRecordCreateContext(client);
 } /* SProcRecordCreateContext */
 
@@ -2693,11 +2701,13 @@ static int
 SProcRecordRegisterClients(ClientPtr client)
 {
     REQUEST(xRecordRegisterClientsReq);
+    int			status;
     register char 	n;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
-    SwapCreateRegister((pointer)stuff);
+    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+	return status;
     return ProcRecordRegisterClients(client);
 } /* SProcRecordRegisterClients */
 
commit a1733327aa71bc1131e758fc80566c3d66627343
Author: Matthieu Herrb <matthieu.herrb at laas.fr>
Date:   Tue Jun 10 12:23:03 2008 -0600

    CVE-2008-2362 - RENDER Extension memory corruption
    
    Integer overflows can occur in the code validating the parameters for
    the SProcRenderCreateLinearGradient, SProcRenderCreateRadialGradient
    and SProcRenderCreateConicalGradient functions, leading to memory
    corruption by swapping bytes outside of the intended request
    parameters.

diff --git a/render/render.c b/render/render.c
index 7787e18..638aa46 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1996,6 +1996,8 @@ static int ProcRenderCreateLinearGradient (ClientPtr client)
     LEGAL_NEW_RESOURCE(stuff->pid, client);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
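Review bot: Only the linear variant of the non-swapped handlers receives the overflow guard in this diff; ProcRenderCreateRadialGradient and ProcRenderCreateConicalGradient are not shown, yet they presumably carry the same `len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))` comparison and are reached directly by same-endian clients, so where size_t is 32 bits they remain open to the wrap the commit message describes for the SProc variants. Unless they are patched elsewhere, the same two lines `if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) return BadLength;` belong in each of them. UINT32_MAX comes from <stdint.h>; the include block is outside this view, so it is worth confirming render.c already pulls it in, otherwise this will not build with a strict compiler. ProcRenderCreateLinearGradient starts and ends outside the hunk.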
@@ -2584,18 +2586,18 @@ SProcRenderCreateSolidFill(ClientPtr client)
     return (*ProcRenderVector[stuff->renderReqType]) (client);
 }
 
-static void swapStops(void *stuff, int n)
+static void swapStops(void *stuff, int num)
 {
-    int i;
+    int i, n;
     CARD32 *stops;
     CARD16 *colors;
     stops = (CARD32 *)(stuff);
-    for (i = 0; i < n; ++i) {
+    for (i = 0; i < num; ++i) {
         swapl(stops, n);
         ++stops;
     }
     colors = (CARD16 *)(stops);
-    for (i = 0; i < 4*n; ++i) {
+    for (i = 0; i < 4*num; ++i) {
         swaps(stops, n);
         ++stops;
     }
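Review bot: The second loop at lines 231-236 computes `colors` but never uses it: each iteration calls `swaps(stops, n)` and then advances `stops`, a CARD32 pointer, so — if swaps() exchanges the two bytes at its pointer as it does elsewhere in the server — one 16-bit value is swapped and the next 4 bytes are skipped. Over `4*num` iterations that swaps only every other CARD16 of the colour array and walks `8*num` bytes past its end; for a request validated as exactly 12 bytes per stop that is a write beyond the request on the byte-swapped path, independent of the overflow this commit fixes. The loop should step through the CARD16s it was written for: `swaps(colors, n);` and `++colors;`. Renaming the bound to `num` is right, since the swap macros presumably use `n` as scratch and were clobbering the loop limit.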
@@ -2618,6 +2620,8 @@ SProcRenderCreateLinearGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
@@ -2645,6 +2649,8 @@ SProcRenderCreateRadialGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
@@ -2669,6 +2675,8 @@ SProcRenderCreateConicalGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
commit 5677751a0480426beaefc990303c7ade963eb137
Author: Matthieu Herrb <matthieu.herrb at laas.fr>
Date:   Tue Jun 10 12:22:30 2008 -0600

    CVE-2008-2361 - RENDER Extension crash
    
    An integer overflow may occur in the computation of the size of the
    glyph to be allocated by the ProcRenderCreateCursor() function which
    will cause less memory to be allocated than expected, leading later to
    dereferencing un-mapped memory, causing a crash of the X server.

diff --git a/render/render.c b/render/render.c
index 16b8eb3..7787e18 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1569,6 +1569,8 @@ ProcRenderCreateCursor (ClientPtr client)
     pScreen = pSrc->pDrawable->pScreen;
     width = pSrc->pDrawable->width;
     height = pSrc->pDrawable->height;
+    if (height && width > UINT32_MAX/(height*sizeof(CARD32)))
+	return BadAlloc;
     if ( stuff->x > width 
       || stuff->y > height )
 	return (BadMatch);
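Review bot: The guard at lines 283-284 is unexplained; nothing on these lines says which multiplication it protects or why the bound is UINT32_MAX, and the allocation it guards is outside the hunk. I would put the reasoning next to the check, e.g. `/* the cursor bitmap is presumably allocated as width*height*sizeof(CARD32) below; refuse sizes whose 32-bit product would wrap (CVE-2008-2361) */`, so the next person touching the allocation knows the two must stay in step. ProcRenderCreateCursor starts and ends outside the hunk.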
commit f7c40a003d85b8a83d55a33d362f2a364f4ab702
Author: Matthieu Herrb <matthieu.herrb at laas.fr>
Date:   Tue Jun 10 12:21:26 2008 -0600

    CVE-2008-2360 - RENDER Extension heap buffer overflow
    
    An integer overflow may occur in the computation of the size of the
    glyph to be allocated by the AllocateGlyph() function which will cause
    less memory to be allocated than expected, leading to later heap
    overflow.

diff --git a/render/render.c b/render/render.c
index f03f54a..16b8eb3 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1117,9 +1117,16 @@ ProcRenderAddGlyphs (ClientPtr client)
     remain -= (sizeof (CARD32) + sizeof (xGlyphInfo)) * nglyphs;
     for (i = 0; i < nglyphs; i++)
     {
+	size_t padded_width;
 	glyph_new = &glyphs[i];
-	size = gi[i].height * PixmapBytePad (gi[i].width,
-					     glyphSet->format->depth);
+
+	padded_width = PixmapBytePad (gi[i].width,
+				      glyphSet->format->depth);
+
+	if (gi[i].height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi[i].height)
+	    break;
+	
+	size = gi[i].height * padded_width;
 	if (remain < size)
 	    break;
 
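Review bot: The overflow guard at lines 315-316 subtracts sizeof(GlyphRec) from the bound, which only makes sense if the later allocation is `sizeof(GlyphRec) + size` (outside the hunk); that should be recorded next to the check, e.g. `/* keep sizeof(GlyphRec) + height*padded_width below UINT32_MAX: the glyph header and bitmap are allocated as one block below (CVE-2008-2360) */`. The guard also relies on the code after the loop treating an early `break` (leaving i < nglyphs) as an error, as the existing `remain < size` break at lines 319-320 already does; that handling is not visible here and is worth confirming. `padded_width` is size_t while `size` and `remain` are declared outside the hunk; if `size` is a signed int, products between INT_MAX and UINT32_MAX pass this guard and turn negative, so the bound should match the actual type of `size`. ProcRenderAddGlyphs starts and ends outside the hunk.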

