* Fri Jan 18 2008 Dave Airlie <airlied@redhat.com> 1.4.99.1-0.18
- cve-2007-6429.patch: Fix patch to not break java apps
This commit is contained in:
Dave Airlie
parent
d134ef1fdb
commit
2cdf25d7af
@ -1,13 +1,55 @@
|
||||
From 7dc1717ff0f96b99271a912b8948dfce5164d5ad Mon Sep 17 00:00:00 2001
|
||||
From: Adam Jackson <ajax@redhat.com>
|
||||
Date: Thu, 17 Jan 2008 15:28:03 +0100
|
||||
Subject: [PATCH] Fix for fix for CVE-2007-6429
|
||||
From 6970d8c3c8b96b294159b4029c1428813568e20b Mon Sep 17 00:00:00 2001
|
||||
From: Dave Airlie <airlied@redhat.com>
|
||||
Date: Sat, 19 Jan 2008 06:37:58 +1000
|
||||
Subject: [PATCH] CVE-2007-6429: EVI and MIT-SHM Vunerability updated patch
|
||||
|
||||
---
|
||||
Xext/EVI.c | 15 ++++++++++++++-
|
||||
Xext/sampleEVI.c | 29 ++++++++++++++++++++++++-----
|
||||
Xext/shm.c | 52 ++++++++++++++++++++++++++++++++++++++++++++--------
|
||||
3 files changed, 82 insertions(+), 14 deletions(-)
|
||||
|
||||
--- xorg-server-1.1.1/Xext/sampleEVI.c.cve-2007-6429 2006-07-05 14:31:36.000000000 -0400
|
||||
+++ xorg-server-1.1.1/Xext/sampleEVI.c 2008-01-18 14:15:44.000000000 -0500
|
||||
@@ -36,6 +36,13 @@
|
||||
diff --git a/Xext/EVI.c b/Xext/EVI.c
|
||||
index 4bd050c..a637bae 100644
|
||||
--- a/Xext/EVI.c
|
||||
+++ b/Xext/EVI.c
|
||||
@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
#include <X11/extensions/XEVIstr.h>
|
||||
#include "EVIstruct.h"
|
||||
#include "modinit.h"
|
||||
+#include "scrnintstr.h"
|
||||
|
||||
static EviPrivPtr eviPriv;
|
||||
|
||||
@@ -84,10 +85,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
|
||||
{
|
||||
REQUEST(xEVIGetVisualInfoReq);
|
||||
xEVIGetVisualInfoReply rep;
|
||||
- int n, n_conflict, n_info, sz_info, sz_conflict;
|
||||
+ int i, n, n_conflict, n_info, sz_info, sz_conflict;
|
||||
VisualID32 *conflict;
|
||||
+ unsigned int total_visuals = 0;
|
||||
xExtendedVisualInfo *eviInfo;
|
||||
int status;
|
||||
+
|
||||
+ /*
|
||||
+ * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume
|
||||
+ * here that you don't have more than 2^32 visuals over all your screens;
|
||||
+ * this seems like a safe assumption.
|
||||
+ */
|
||||
+ for (i = 0; i < screenInfo.numScreens; i++)
|
||||
+ total_visuals += screenInfo.screens[i]->numVisuals;
|
||||
+ if (stuff->n_visual > total_visuals)
|
||||
+ return BadValue;
|
||||
+
|
||||
REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
|
||||
status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
|
||||
&eviInfo, &n_info, &conflict, &n_conflict);
|
||||
diff --git a/Xext/sampleEVI.c b/Xext/sampleEVI.c
|
||||
index 7508aa7..b8f39c7 100644
|
||||
--- a/Xext/sampleEVI.c
|
||||
+++ b/Xext/sampleEVI.c
|
||||
@@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
#include <X11/extensions/XEVIstr.h>
|
||||
#include "EVIstruct.h"
|
||||
#include "scrnintstr.h"
|
||||
@ -21,7 +63,7 @@ Subject: [PATCH] Fix for fix for CVE-2007-6429
|
||||
static int sampleGetVisualInfo(
|
||||
VisualID32 *visual,
|
||||
int n_visual,
|
||||
@@ -44,24 +51,36 @@
|
||||
@@ -42,24 +49,36 @@ static int sampleGetVisualInfo(
|
||||
VisualID32 **conflict_rn,
|
||||
int *n_conflict_rn)
|
||||
{
|
||||
@ -63,44 +105,12 @@ Subject: [PATCH] Fix for fix for CVE-2007-6429
|
||||
for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
|
||||
for (visualI = 0; visualI < n_visual; visualI++) {
|
||||
evi[sz_evi].core_visual_id = visual[visualI];
|
||||
--- xorg-server-1.1.1/Xext/EVI.c.cve-2007-6429 2006-07-05 14:31:36.000000000 -0400
|
||||
+++ xorg-server-1.1.1/Xext/EVI.c 2008-01-18 14:15:44.000000000 -0500
|
||||
@@ -36,6 +36,7 @@
|
||||
#include <X11/extensions/XEVIstr.h>
|
||||
#include "EVIstruct.h"
|
||||
#include "modinit.h"
|
||||
+#include "scrnintstr.h"
|
||||
|
||||
#if 0
|
||||
static unsigned char XEVIReqCode = 0;
|
||||
@@ -89,10 +90,22 @@
|
||||
{
|
||||
REQUEST(xEVIGetVisualInfoReq);
|
||||
xEVIGetVisualInfoReply rep;
|
||||
- int n, n_conflict, n_info, sz_info, sz_conflict;
|
||||
+ int i, n, n_conflict, n_info, sz_info, sz_conflict;
|
||||
VisualID32 *conflict;
|
||||
+ unsigned int total_visuals = 0;
|
||||
xExtendedVisualInfo *eviInfo;
|
||||
int status;
|
||||
+
|
||||
+ /*
|
||||
+ * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume
|
||||
+ * here that you don't have more than 2^32 visuals over all your screens;
|
||||
+ * this seems like a safe assumption.
|
||||
+ */
|
||||
+ for (i = 0; i < screenInfo.numScreens; i++)
|
||||
+ total_visuals += screenInfo.screens[i]->numVisuals;
|
||||
+ if (stuff->n_visual > total_visuals)
|
||||
+ return BadValue;
|
||||
+
|
||||
REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
|
||||
status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
|
||||
&eviInfo, &n_info, &conflict, &n_conflict);
|
||||
--- xorg-server-1.1.1/Xext/shm.c.cve-2007-6429 2006-07-05 14:31:36.000000000 -0400
|
||||
+++ xorg-server-1.1.1/Xext/shm.c 2008-01-18 14:19:28.000000000 -0500
|
||||
@@ -725,6 +725,8 @@
|
||||
int i, j, result;
|
||||
diff --git a/Xext/shm.c b/Xext/shm.c
|
||||
index e3d7a23..0f7a7eb 100644
|
||||
--- a/Xext/shm.c
|
||||
+++ b/Xext/shm.c
|
||||
@@ -757,6 +757,8 @@ ProcPanoramiXShmCreatePixmap(
|
||||
int i, j, result, rc;
|
||||
ShmDescPtr shmdesc;
|
||||
REQUEST(xShmCreatePixmapReq);
|
||||
+ unsigned int width, height, depth;
|
||||
@ -108,9 +118,9 @@ Subject: [PATCH] Fix for fix for CVE-2007-6429
|
||||
PanoramiXRes *newPix;
|
||||
|
||||
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
|
||||
@@ -734,11 +736,18 @@
|
||||
LEGAL_NEW_RESOURCE(stuff->pid, client);
|
||||
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
|
||||
@@ -770,11 +772,18 @@ ProcPanoramiXShmCreatePixmap(
|
||||
return rc;
|
||||
|
||||
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
|
||||
- if (!stuff->width || !stuff->height)
|
||||
+
|
||||
@ -128,7 +138,7 @@ Subject: [PATCH] Fix for fix for CVE-2007-6429
|
||||
if (stuff->depth != 1)
|
||||
{
|
||||
pDepth = pDraw->pScreen->allowedDepths;
|
||||
@@ -748,10 +757,19 @@
|
||||
@@ -784,10 +793,19 @@ ProcPanoramiXShmCreatePixmap(
|
||||
client->errorValue = stuff->depth;
|
||||
return BadValue;
|
||||
}
|
||||
@ -151,8 +161,8 @@ Subject: [PATCH] Fix for fix for CVE-2007-6429
|
||||
|
||||
if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
|
||||
return BadAlloc;
|
||||
@@ -1049,6 +1067,8 @@
|
||||
register int i;
|
||||
@@ -1086,6 +1104,8 @@ ProcShmCreatePixmap(client)
|
||||
register int i, rc;
|
||||
ShmDescPtr shmdesc;
|
||||
REQUEST(xShmCreatePixmapReq);
|
||||
+ unsigned int width, height, depth;
|
||||
@ -160,9 +170,9 @@ Subject: [PATCH] Fix for fix for CVE-2007-6429
|
||||
|
||||
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
|
||||
client->errorValue = stuff->pid;
|
||||
@@ -1057,11 +1077,18 @@
|
||||
LEGAL_NEW_RESOURCE(stuff->pid, client);
|
||||
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
|
||||
@@ -1098,11 +1118,18 @@ ProcShmCreatePixmap(client)
|
||||
return rc;
|
||||
|
||||
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
|
||||
- if (!stuff->width || !stuff->height)
|
||||
+
|
||||
@ -180,7 +190,7 @@ Subject: [PATCH] Fix for fix for CVE-2007-6429
|
||||
if (stuff->depth != 1)
|
||||
{
|
||||
pDepth = pDraw->pScreen->allowedDepths;
|
||||
@@ -1071,10 +1098,19 @@
|
||||
@@ -1112,10 +1139,19 @@ ProcShmCreatePixmap(client)
|
||||
client->errorValue = stuff->depth;
|
||||
return BadValue;
|
||||
}
|
||||
@ -203,3 +213,6 @@ Subject: [PATCH] Fix for fix for CVE-2007-6429
|
||||
pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
|
||||
pDraw->pScreen, stuff->width,
|
||||
stuff->height, stuff->depth,
|
||||
--
|
||||
1.5.3.6
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user