crtc confine, pointer barriers, vbe malloc fix

2011-03-17 14:15:32 -04:00 · 2011-03-17 14:15:32 -04:00 · dbc91b7571
commit dbc91b7571
parent e108d14472
3 changed files with 1106 additions and 1 deletions
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -30,7 +30,7 @@
 Summary:   X.Org X11 X server
 Name:      xorg-x11-server
 Version:   1.10.0
-Release:   3%{?gitdate:.%{gitdate}}%{dist}
+Release:   4%{?gitdate:.%{gitdate}}%{dist}
 URL:       http://www.x.org
 License:   MIT
 Group:     User Interface/X
@ -85,6 +85,9 @@ Patch6053: xserver-1.8-disable-vboxvideo.patch
 # misc
 Patch7005: xserver-1.9.0-qxl-fallback.patch

+Patch7006: xserver-1.10-pointer-barriers.patch
+Patch7007: xserver-1.10-vbe-malloc.patch
+
 %define moduledir	%{_libdir}/xorg/modules
 %define drimoduledir	%{_libdir}/dri
 %define sdkdir		%{_includedir}/xorg
@ -545,6 +548,11 @@ rm -rf $RPM_BUILD_ROOT
 %{xserver_source_dir}

 %changelog
+* Thu Mar 17 2011 Adam Jackson <ajax@redhat.com> 1.10.0-4
+- xserver-1.10-pointer-barriers.patch: Backport CRTC confinement from master
+  and pointer barriers from the development tree for same.
+- xserver-1.10-vbe-malloc.patch: Fix a buffer overrun in the VBE code.
+
 * Fri Mar 11 2011 Peter Hutterer <peter.hutterer@redhat.com> 1.10.0-3
 - Add Xen virtual pointer quirk to 10-quirks.conf (#523914, #679699)

--- a/xserver-1.10-pointer-barriers.patch
+++ b/xserver-1.10-pointer-barriers.patch
--- a/xserver-1.10-vbe-malloc.patch
+++ b/xserver-1.10-vbe-malloc.patch
@ -0,0 +1,43 @@
+From 0ab680f08208afe51ad6ddc1018b7d6f8b851840 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Thu, 24 Feb 2011 16:06:34 -0500
+Subject: [PATCH] vbe: Fix malloc size bug
+
+v2: Slightly more obvious sizing math.
+
+==14882== Invalid write of size 2
+==14882==    at 0x6750267: VBEGetVBEInfo (vbe.c:400)
+==14882==    by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so)
+==14882==    by 0x471895: InitOutput (xf86Init.c:519)
+==14882==    by 0x422778: main (main.c:205)
+==14882==  Address 0x4f32fa8 is 72 bytes inside a block of size 73 alloc'd
+==14882==    at 0x4A0640D: malloc (vg_replace_malloc.c:236)
+==14882==    by 0x675024B: VBEGetVBEInfo (vbe.c:398)
+==14882==    by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so)
+==14882==    by 0x471895: InitOutput (xf86Init.c:519)
+==14882==    by 0x422778: main (main.c:205)
+
+Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+(cherry picked from commit d8caa782009abf4dc17b945e325e83fda299a534)
+---
+ hw/xfree86/vbe/vbe.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/hw/xfree86/vbe/vbe.c b/hw/xfree86/vbe/vbe.c
+index bcda5ec..04132d9 100644
+--- a/hw/xfree86/vbe/vbe.c
+++ b/hw/xfree86/vbe/vbe.c
+@@ -395,7 +395,7 @@ VBEGetVBEInfo(vbeInfoPtr pVbe)
+     i = 0;
+     while (modes[i] != 0xffff)
+ 	i++;
+-    block->VideoModePtr = malloc(sizeof(CARD16) * i + 1);
+    block->VideoModePtr = malloc(sizeof(CARD16) * (i + 1));
+     memcpy(block->VideoModePtr, modes, sizeof(CARD16) * i);
+     block->VideoModePtr[i] = 0xffff;
+ 
+-- 
+1.7.4
+