e002a5ab25
- cve-2007-5760.patch: XFree86-Misc Extension Invalid Array Index Vulnerability - cve-2007-6427.patch: XInput Extension Memory Corruption Vulnerability - cve-2007-6428.patch: TOG-CUP Extension Memory Corruption Vulnerability - cve-2007-6429.patch: EVI and MIT-SHM Extension Integer Overflow Vulnerability - cve-2008-0006-server-fixup.patch: PCF Font Vulnerability - this patch isn't strictly required with new version of libXfont.
264 lines
7.1 KiB
Diff
264 lines
7.1 KiB
Diff
From dd5e0f5cd5f3a87fee86d99c073ffa7cf89b0a27 Mon Sep 17 00:00:00 2001
|
|
From: Matthieu Herrb <matthieu@bluenote.herrb.com>
|
|
Date: Thu, 17 Jan 2008 15:27:34 +0100
|
|
Subject: [PATCH] Fix for CVE-2007-6427 - Xinput extension memory corruption.
|
|
|
|
---
|
|
Xi/chgfctl.c | 7 +------
|
|
Xi/chgkmap.c | 14 +++++++-------
|
|
Xi/chgprop.c | 10 +++-------
|
|
Xi/grabdev.c | 12 +++++-------
|
|
Xi/grabdevb.c | 10 +++-------
|
|
Xi/grabdevk.c | 9 ++-------
|
|
Xi/selectev.c | 11 ++++-------
|
|
Xi/sendexev.c | 14 ++++++++------
|
|
8 files changed, 33 insertions(+), 54 deletions(-)
|
|
|
|
diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
|
|
index 8fc24d5..696b74a 100644
|
|
--- a/Xi/chgfctl.c
|
|
+++ b/Xi/chgfctl.c
|
|
@@ -302,18 +302,13 @@ ChangeStringFeedback(ClientPtr client, DeviceIntPtr dev,
|
|
xStringFeedbackCtl * f)
|
|
{
|
|
char n;
|
|
- long *p;
|
|
int i, j;
|
|
KeySym *syms, *sup_syms;
|
|
|
|
syms = (KeySym *) (f + 1);
|
|
if (client->swapped) {
|
|
swaps(&f->length, n); /* swapped num_keysyms in calling proc */
|
|
- p = (long *)(syms);
|
|
- for (i = 0; i < f->num_keysyms; i++) {
|
|
- swapl(p, n);
|
|
- p++;
|
|
- }
|
|
+ SwapLongs((CARD32 *) syms, f->num_keysyms);
|
|
}
|
|
|
|
if (f->num_keysyms > s->ctrl.max_symbols)
|
|
diff --git a/Xi/chgkmap.c b/Xi/chgkmap.c
|
|
index 3361e98..df334c1 100644
|
|
--- a/Xi/chgkmap.c
|
|
+++ b/Xi/chgkmap.c
|
|
@@ -75,18 +75,14 @@ int
|
|
SProcXChangeDeviceKeyMapping(ClientPtr client)
|
|
{
|
|
char n;
|
|
- long *p;
|
|
- int i, count;
|
|
+ unsigned int count;
|
|
|
|
REQUEST(xChangeDeviceKeyMappingReq);
|
|
swaps(&stuff->length, n);
|
|
REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
|
|
- p = (long *)&stuff[1];
|
|
count = stuff->keyCodes * stuff->keySymsPerKeyCode;
|
|
- for (i = 0; i < count; i++) {
|
|
- swapl(p, n);
|
|
- p++;
|
|
- }
|
|
+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
|
|
+ SwapLongs((CARD32 *) (&stuff[1]), count);
|
|
return (ProcXChangeDeviceKeyMapping(client));
|
|
}
|
|
|
|
@@ -102,10 +98,14 @@ ProcXChangeDeviceKeyMapping(ClientPtr client)
|
|
int ret;
|
|
unsigned len;
|
|
DeviceIntPtr dev;
|
|
+ unsigned int count;
|
|
|
|
REQUEST(xChangeDeviceKeyMappingReq);
|
|
REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
|
|
|
|
+ count = stuff->keyCodes * stuff->keySymsPerKeyCode;
|
|
+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
|
|
+
|
|
ret = dixLookupDevice(&dev, stuff->deviceid, client, DixSetAttrAccess);
|
|
if (ret != Success)
|
|
return ret;
|
|
diff --git a/Xi/chgprop.c b/Xi/chgprop.c
|
|
index 58db886..3fb33e1 100644
|
|
--- a/Xi/chgprop.c
|
|
+++ b/Xi/chgprop.c
|
|
@@ -77,19 +77,15 @@ int
|
|
SProcXChangeDeviceDontPropagateList(ClientPtr client)
|
|
{
|
|
char n;
|
|
- long *p;
|
|
- int i;
|
|
|
|
REQUEST(xChangeDeviceDontPropagateListReq);
|
|
swaps(&stuff->length, n);
|
|
REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
|
|
swapl(&stuff->window, n);
|
|
swaps(&stuff->count, n);
|
|
- p = (long *)&stuff[1];
|
|
- for (i = 0; i < stuff->count; i++) {
|
|
- swapl(p, n);
|
|
- p++;
|
|
- }
|
|
+ REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
|
|
+ stuff->count * sizeof(CARD32));
|
|
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
|
|
return (ProcXChangeDeviceDontPropagateList(client));
|
|
}
|
|
|
|
diff --git a/Xi/grabdev.c b/Xi/grabdev.c
|
|
index 110fc6b..0671e0e 100644
|
|
--- a/Xi/grabdev.c
|
|
+++ b/Xi/grabdev.c
|
|
@@ -78,8 +78,6 @@ int
|
|
SProcXGrabDevice(ClientPtr client)
|
|
{
|
|
char n;
|
|
- long *p;
|
|
- int i;
|
|
|
|
REQUEST(xGrabDeviceReq);
|
|
swaps(&stuff->length, n);
|
|
@@ -87,11 +85,11 @@ SProcXGrabDevice(ClientPtr client)
|
|
swapl(&stuff->grabWindow, n);
|
|
swapl(&stuff->time, n);
|
|
swaps(&stuff->event_count, n);
|
|
- p = (long *)&stuff[1];
|
|
- for (i = 0; i < stuff->event_count; i++) {
|
|
- swapl(p, n);
|
|
- p++;
|
|
- }
|
|
+
|
|
+ if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
|
|
+ return BadLength;
|
|
+
|
|
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
|
|
|
|
return (ProcXGrabDevice(client));
|
|
}
|
|
diff --git a/Xi/grabdevb.c b/Xi/grabdevb.c
|
|
index c2661e8..ce0dcc5 100644
|
|
--- a/Xi/grabdevb.c
|
|
+++ b/Xi/grabdevb.c
|
|
@@ -77,8 +77,6 @@ int
|
|
SProcXGrabDeviceButton(ClientPtr client)
|
|
{
|
|
char n;
|
|
- long *p;
|
|
- int i;
|
|
|
|
REQUEST(xGrabDeviceButtonReq);
|
|
swaps(&stuff->length, n);
|
|
@@ -86,11 +84,9 @@ SProcXGrabDeviceButton(ClientPtr client)
|
|
swapl(&stuff->grabWindow, n);
|
|
swaps(&stuff->modifiers, n);
|
|
swaps(&stuff->event_count, n);
|
|
- p = (long *)&stuff[1];
|
|
- for (i = 0; i < stuff->event_count; i++) {
|
|
- swapl(p, n);
|
|
- p++;
|
|
- }
|
|
+ REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
|
|
+ stuff->event_count * sizeof(CARD32));
|
|
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
|
|
|
|
return (ProcXGrabDeviceButton(client));
|
|
}
|
|
diff --git a/Xi/grabdevk.c b/Xi/grabdevk.c
|
|
index 43b1928..d4b7fe8 100644
|
|
--- a/Xi/grabdevk.c
|
|
+++ b/Xi/grabdevk.c
|
|
@@ -77,8 +77,6 @@ int
|
|
SProcXGrabDeviceKey(ClientPtr client)
|
|
{
|
|
char n;
|
|
- long *p;
|
|
- int i;
|
|
|
|
REQUEST(xGrabDeviceKeyReq);
|
|
swaps(&stuff->length, n);
|
|
@@ -86,11 +84,8 @@ SProcXGrabDeviceKey(ClientPtr client)
|
|
swapl(&stuff->grabWindow, n);
|
|
swaps(&stuff->modifiers, n);
|
|
swaps(&stuff->event_count, n);
|
|
- p = (long *)&stuff[1];
|
|
- for (i = 0; i < stuff->event_count; i++) {
|
|
- swapl(p, n);
|
|
- p++;
|
|
- }
|
|
+ REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
|
|
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
|
|
return (ProcXGrabDeviceKey(client));
|
|
}
|
|
|
|
diff --git a/Xi/selectev.c b/Xi/selectev.c
|
|
index b93618a..d3670ab 100644
|
|
--- a/Xi/selectev.c
|
|
+++ b/Xi/selectev.c
|
|
@@ -127,19 +127,16 @@ int
|
|
SProcXSelectExtensionEvent(ClientPtr client)
|
|
{
|
|
char n;
|
|
- long *p;
|
|
- int i;
|
|
|
|
REQUEST(xSelectExtensionEventReq);
|
|
swaps(&stuff->length, n);
|
|
REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
|
|
swapl(&stuff->window, n);
|
|
swaps(&stuff->count, n);
|
|
- p = (long *)&stuff[1];
|
|
- for (i = 0; i < stuff->count; i++) {
|
|
- swapl(p, n);
|
|
- p++;
|
|
- }
|
|
+ REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
|
|
+ stuff->count * sizeof(CARD32));
|
|
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
|
|
+
|
|
return (ProcXSelectExtensionEvent(client));
|
|
}
|
|
|
|
diff --git a/Xi/sendexev.c b/Xi/sendexev.c
|
|
index e4e38d7..588c910 100644
|
|
--- a/Xi/sendexev.c
|
|
+++ b/Xi/sendexev.c
|
|
@@ -80,7 +80,7 @@ int
|
|
SProcXSendExtensionEvent(ClientPtr client)
|
|
{
|
|
char n;
|
|
- long *p;
|
|
+ CARD32 *p;
|
|
int i;
|
|
xEvent eventT;
|
|
xEvent *eventP;
|
|
@@ -91,6 +91,11 @@ SProcXSendExtensionEvent(ClientPtr client)
|
|
REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
|
|
swapl(&stuff->destination, n);
|
|
swaps(&stuff->count, n);
|
|
+
|
|
+ if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
|
|
+ (stuff->num_events * (sizeof(xEvent) >> 2)))
|
|
+ return BadLength;
|
|
+
|
|
eventP = (xEvent *) & stuff[1];
|
|
for (i = 0; i < stuff->num_events; i++, eventP++) {
|
|
proc = EventSwapVector[eventP->u.u.type & 0177];
|
|
@@ -100,11 +105,8 @@ SProcXSendExtensionEvent(ClientPtr client)
|
|
*eventP = eventT;
|
|
}
|
|
|
|
- p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
|
|
- for (i = 0; i < stuff->count; i++) {
|
|
- swapl(p, n);
|
|
- p++;
|
|
- }
|
|
+ p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
|
|
+ SwapLongs(p, stuff->count);
|
|
return (ProcXSendExtensionEvent(client));
|
|
}
|
|
|
|
--
|
|
1.5.3.6
|
|
|