rpms/xorg-x11-server
6
0
Fork 0
Code Issues Pull Requests Releases Activity

* Fri Jan 18 2008 Dave Airlie <airlied@redhat.com> 1.4.99.1-0.18

Browse Source 
- cve-2007-6429.patch: Fix patch to not break java apps
This commit is contained in:
Dave Airlie 2008-01-18 20:46:02 +00:00
parent d134ef1fdb
commit 2cdf25d7af
1 changed files with 69 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

125
cve-2007-6429.patch
View File

@ -1,13 +1,55 @@
From 7dc1717ff0f96b99271a912b8948dfce5164d5ad Mon Sep 17 00:00:00 2001 From 6970d8c3c8b96b294159b4029c1428813568e20b Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com> From: Dave Airlie <airlied@redhat.com>
Date: Thu, 17 Jan 2008 15:28:03 +0100 Date: Sat, 19 Jan 2008 06:37:58 +1000
Subject: [PATCH] Fix for fix for CVE-2007-6429 Subject: [PATCH] CVE-2007-6429: EVI and MIT-SHM Vunerability updated patch
--- ---
Xext/EVI.c | 15 ++++++++++++++-
Xext/sampleEVI.c | 29 ++++++++++++++++++++++++-----
Xext/shm.c | 52 ++++++++++++++++++++++++++++++++++++++++++++--------
3 files changed, 82 insertions(+), 14 deletions(-)
--- xorg-server-1.1.1/Xext/sampleEVI.c.cve-2007-6429 2006-07-05 14:31:36.000000000 -0400 diff --git a/Xext/EVI.c b/Xext/EVI.c
+++ xorg-server-1.1.1/Xext/sampleEVI.c 2008-01-18 14:15:44.000000000 -0500 index 4bd050c..a637bae 100644
@@ -36,6 +36,13 @@ --- a/Xext/EVI.c
+++ b/Xext/EVI.c
@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
#include <X11/extensions/XEVIstr.h>
#include "EVIstruct.h"
#include "modinit.h"
+#include "scrnintstr.h"
static EviPrivPtr eviPriv;
@@ -84,10 +85,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
{
REQUEST(xEVIGetVisualInfoReq);
xEVIGetVisualInfoReply rep;
- int n, n_conflict, n_info, sz_info, sz_conflict;
+ int i, n, n_conflict, n_info, sz_info, sz_conflict;
VisualID32 *conflict;
+ unsigned int total_visuals = 0;
xExtendedVisualInfo *eviInfo;
int status;
+
+ /*
+ * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume
+ * here that you don't have more than 2^32 visuals over all your screens;
+ * this seems like a safe assumption.
+ */
+ for (i = 0; i < screenInfo.numScreens; i++)
+ total_visuals += screenInfo.screens[i]->numVisuals;
+ if (stuff->n_visual > total_visuals)
+ return BadValue;
+
REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
&eviInfo, &n_info, &conflict, &n_conflict);
diff --git a/Xext/sampleEVI.c b/Xext/sampleEVI.c
index 7508aa7..b8f39c7 100644
--- a/Xext/sampleEVI.c
+++ b/Xext/sampleEVI.c
@@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
#include <X11/extensions/XEVIstr.h> #include <X11/extensions/XEVIstr.h>
#include "EVIstruct.h" #include "EVIstruct.h"
#include "scrnintstr.h" #include "scrnintstr.h"
@ -21,7 +63,7 @@ Subject: [PATCH] Fix for fix for CVE-2007-6429
static int sampleGetVisualInfo( static int sampleGetVisualInfo(
VisualID32 *visual, VisualID32 *visual,
int n_visual, int n_visual,
@@ -44,24 +51,36 @@ @@ -42,24 +49,36 @@ static int sampleGetVisualInfo(
VisualID32 **conflict_rn, VisualID32 **conflict_rn,
int *n_conflict_rn) int *n_conflict_rn)
{ {
@ -63,44 +105,12 @@ Subject: [PATCH] Fix for fix for CVE-2007-6429
for (scrI = 0; scrI < screenInfo.numScreens; scrI++) { for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
for (visualI = 0; visualI < n_visual; visualI++) { for (visualI = 0; visualI < n_visual; visualI++) {
evi[sz_evi].core_visual_id = visual[visualI]; evi[sz_evi].core_visual_id = visual[visualI];
--- xorg-server-1.1.1/Xext/EVI.c.cve-2007-6429 2006-07-05 14:31:36.000000000 -0400 diff --git a/Xext/shm.c b/Xext/shm.c
+++ xorg-server-1.1.1/Xext/EVI.c 2008-01-18 14:15:44.000000000 -0500 index e3d7a23..0f7a7eb 100644
@@ -36,6 +36,7 @@ --- a/Xext/shm.c
#include <X11/extensions/XEVIstr.h> +++ b/Xext/shm.c
#include "EVIstruct.h" @@ -757,6 +757,8 @@ ProcPanoramiXShmCreatePixmap(
#include "modinit.h" int i, j, result, rc;
+#include "scrnintstr.h"
#if 0
static unsigned char XEVIReqCode = 0;
@@ -89,10 +90,22 @@
{
REQUEST(xEVIGetVisualInfoReq);
xEVIGetVisualInfoReply rep;
- int n, n_conflict, n_info, sz_info, sz_conflict;
+ int i, n, n_conflict, n_info, sz_info, sz_conflict;
VisualID32 *conflict;
+ unsigned int total_visuals = 0;
xExtendedVisualInfo *eviInfo;
int status;
+
+ /*
+ * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume
+ * here that you don't have more than 2^32 visuals over all your screens;
+ * this seems like a safe assumption.
+ */
+ for (i = 0; i < screenInfo.numScreens; i++)
+ total_visuals += screenInfo.screens[i]->numVisuals;
+ if (stuff->n_visual > total_visuals)
+ return BadValue;
+
REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
&eviInfo, &n_info, &conflict, &n_conflict);
--- xorg-server-1.1.1/Xext/shm.c.cve-2007-6429 2006-07-05 14:31:36.000000000 -0400
+++ xorg-server-1.1.1/Xext/shm.c 2008-01-18 14:19:28.000000000 -0500
@@ -725,6 +725,8 @@
int i, j, result;
ShmDescPtr shmdesc; ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq); REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth; + unsigned int width, height, depth;
@ -108,9 +118,9 @@ Subject: [PATCH] Fix for fix for CVE-2007-6429
PanoramiXRes *newPix; PanoramiXRes *newPix;
REQUEST_SIZE_MATCH(xShmCreatePixmapReq); REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
@@ -734,11 +736,18 @@ @@ -770,11 +772,18 @@ ProcPanoramiXShmCreatePixmap(
LEGAL_NEW_RESOURCE(stuff->pid, client); return rc;
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height) - if (!stuff->width || !stuff->height)
+ +
@ -128,7 +138,7 @@ Subject: [PATCH] Fix for fix for CVE-2007-6429
if (stuff->depth != 1) if (stuff->depth != 1)
{ {
pDepth = pDraw->pScreen->allowedDepths; pDepth = pDraw->pScreen->allowedDepths;
@@ -748,10 +757,19 @@ @@ -784,10 +793,19 @@ ProcPanoramiXShmCreatePixmap(
client->errorValue = stuff->depth; client->errorValue = stuff->depth;
return BadValue; return BadValue;
} }
@ -151,8 +161,8 @@ Subject: [PATCH] Fix for fix for CVE-2007-6429
if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
return BadAlloc; return BadAlloc;
@@ -1049,6 +1067,8 @@ @@ -1086,6 +1104,8 @@ ProcShmCreatePixmap(client)
register int i; register int i, rc;
ShmDescPtr shmdesc; ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq); REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth; + unsigned int width, height, depth;
@ -160,9 +170,9 @@ Subject: [PATCH] Fix for fix for CVE-2007-6429
REQUEST_SIZE_MATCH(xShmCreatePixmapReq); REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
client->errorValue = stuff->pid; client->errorValue = stuff->pid;
@@ -1057,11 +1077,18 @@ @@ -1098,11 +1118,18 @@ ProcShmCreatePixmap(client)
LEGAL_NEW_RESOURCE(stuff->pid, client); return rc;
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height) - if (!stuff->width || !stuff->height)
+ +
@ -180,7 +190,7 @@ Subject: [PATCH] Fix for fix for CVE-2007-6429
if (stuff->depth != 1) if (stuff->depth != 1)
{ {
pDepth = pDraw->pScreen->allowedDepths; pDepth = pDraw->pScreen->allowedDepths;
@@ -1071,10 +1098,19 @@ @@ -1112,10 +1139,19 @@ ProcShmCreatePixmap(client)
client->errorValue = stuff->depth; client->errorValue = stuff->depth;
return BadValue; return BadValue;
} }
@ -203,3 +213,6 @@ Subject: [PATCH] Fix for fix for CVE-2007-6429
pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
pDraw->pScreen, stuff->width, pDraw->pScreen, stuff->width,
stuff->height, stuff->depth, stuff->height, stuff->depth,
--
1.5.3.6