ac5c859b15
- cve-2007-5760.patch: XFree86-Misc Extension Invalid Array Index Vulnerability - cve-2007-5958.patch: Xorg / XFree86 file existence disclosure vulnerability - cve-2007-6427.patch: XInput Extension Memory Corruption Vulnerability - cve-2007-6428.patch: TOG-CUP Extension Memory Corruption Vulnerability - cve-2007-6429.patch: EVI and MIT-SHM Extension Integer Overflow Vulnerability
228 lines
6.8 KiB
Diff
228 lines
6.8 KiB
Diff
--- xorg-server-1.1.1/Xi/chgprop.c.da 2006-07-06 04:31:36.000000000 +1000
|
|
+++ xorg-server-1.1.1/Xi/chgprop.c 2007-12-14 11:52:27.000000000 +1000
|
|
@@ -81,19 +81,15 @@
|
|
SProcXChangeDeviceDontPropagateList(register ClientPtr client)
|
|
{
|
|
register char n;
|
|
- register long *p;
|
|
- register int i;
|
|
|
|
REQUEST(xChangeDeviceDontPropagateListReq);
|
|
swaps(&stuff->length, n);
|
|
REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
|
|
swapl(&stuff->window, n);
|
|
swaps(&stuff->count, n);
|
|
- p = (long *)&stuff[1];
|
|
- for (i = 0; i < stuff->count; i++) {
|
|
- swapl(p, n);
|
|
- p++;
|
|
- }
|
|
+ REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
|
|
+ stuff->count * sizeof(CARD32));
|
|
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
|
|
return (ProcXChangeDeviceDontPropagateList(client));
|
|
}
|
|
|
|
--- xorg-server-1.1.1/Xi/sendexev.c.da 2006-07-06 04:31:36.000000000 +1000
|
|
+++ xorg-server-1.1.1/Xi/sendexev.c 2007-12-14 11:54:20.000000000 +1000
|
|
@@ -83,7 +83,7 @@
|
|
SProcXSendExtensionEvent(register ClientPtr client)
|
|
{
|
|
register char n;
|
|
- register long *p;
|
|
+ register CARD32 *p;
|
|
register int i;
|
|
xEvent eventT;
|
|
xEvent *eventP;
|
|
@@ -94,6 +94,11 @@
|
|
REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
|
|
swapl(&stuff->destination, n);
|
|
swaps(&stuff->count, n);
|
|
+
|
|
+ if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
|
|
+ (stuff->num_events * (sizeof(xEvent) >> 2)))
|
|
+ return BadLength;
|
|
+
|
|
eventP = (xEvent *) & stuff[1];
|
|
for (i = 0; i < stuff->num_events; i++, eventP++) {
|
|
proc = EventSwapVector[eventP->u.u.type & 0177];
|
|
@@ -103,11 +108,8 @@
|
|
*eventP = eventT;
|
|
}
|
|
|
|
- p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
|
|
- for (i = 0; i < stuff->count; i++) {
|
|
- swapl(p, n);
|
|
- p++;
|
|
- }
|
|
+ p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
|
|
+ SwapLongs(p, stuff->count);
|
|
return (ProcXSendExtensionEvent(client));
|
|
}
|
|
|
|
--- xorg-server-1.1.1/Xi/chgkmap.c.da 2006-07-06 04:31:36.000000000 +1000
|
|
+++ xorg-server-1.1.1/Xi/chgkmap.c 2007-12-14 11:52:00.000000000 +1000
|
|
@@ -79,18 +79,14 @@
|
|
SProcXChangeDeviceKeyMapping(register ClientPtr client)
|
|
{
|
|
register char n;
|
|
- register long *p;
|
|
- register int i, count;
|
|
+ register unsigned int count;
|
|
|
|
REQUEST(xChangeDeviceKeyMappingReq);
|
|
swaps(&stuff->length, n);
|
|
REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
|
|
- p = (long *)&stuff[1];
|
|
count = stuff->keyCodes * stuff->keySymsPerKeyCode;
|
|
- for (i = 0; i < count; i++) {
|
|
- swapl(p, n);
|
|
- p++;
|
|
- }
|
|
+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
|
|
+ SwapLongs((CARD32 *) (&stuff[1]), count);
|
|
return (ProcXChangeDeviceKeyMapping(client));
|
|
}
|
|
|
|
@@ -106,10 +102,14 @@
|
|
int ret;
|
|
unsigned len;
|
|
DeviceIntPtr dev;
|
|
+ unsigned int count;
|
|
|
|
REQUEST(xChangeDeviceKeyMappingReq);
|
|
REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
|
|
|
|
+ count = stuff->keyCodes * stuff->keySymsPerKeyCode;
|
|
+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
|
|
+
|
|
dev = LookupDeviceIntRec(stuff->deviceid);
|
|
if (dev == NULL) {
|
|
SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0,
|
|
--- xorg-server-1.1.1/Xi/grabdevb.c.da 2006-07-06 04:31:36.000000000 +1000
|
|
+++ xorg-server-1.1.1/Xi/grabdevb.c 2007-12-14 11:53:03.000000000 +1000
|
|
@@ -80,8 +80,6 @@
|
|
SProcXGrabDeviceButton(register ClientPtr client)
|
|
{
|
|
register char n;
|
|
- register long *p;
|
|
- register int i;
|
|
|
|
REQUEST(xGrabDeviceButtonReq);
|
|
swaps(&stuff->length, n);
|
|
@@ -89,11 +87,9 @@
|
|
swapl(&stuff->grabWindow, n);
|
|
swaps(&stuff->modifiers, n);
|
|
swaps(&stuff->event_count, n);
|
|
- p = (long *)&stuff[1];
|
|
- for (i = 0; i < stuff->event_count; i++) {
|
|
- swapl(p, n);
|
|
- p++;
|
|
- }
|
|
+ REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
|
|
+ stuff->event_count * sizeof(CARD32));
|
|
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
|
|
|
|
return (ProcXGrabDeviceButton(client));
|
|
}
|
|
--- xorg-server-1.1.1/Xi/selectev.c.da 2006-07-06 04:31:36.000000000 +1000
|
|
+++ xorg-server-1.1.1/Xi/selectev.c 2007-12-14 11:53:54.000000000 +1000
|
|
@@ -84,19 +84,15 @@
|
|
SProcXSelectExtensionEvent(register ClientPtr client)
|
|
{
|
|
register char n;
|
|
- register long *p;
|
|
- register int i;
|
|
|
|
REQUEST(xSelectExtensionEventReq);
|
|
swaps(&stuff->length, n);
|
|
REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
|
|
swapl(&stuff->window, n);
|
|
swaps(&stuff->count, n);
|
|
- p = (long *)&stuff[1];
|
|
- for (i = 0; i < stuff->count; i++) {
|
|
- swapl(p, n);
|
|
- p++;
|
|
- }
|
|
+ REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
|
|
+ stuff->count * sizeof(CARD32));
|
|
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
|
|
return (ProcXSelectExtensionEvent(client));
|
|
}
|
|
|
|
--- xorg-server-1.1.1/Xi/grabdevk.c.da 2006-07-06 04:31:36.000000000 +1000
|
|
+++ xorg-server-1.1.1/Xi/grabdevk.c 2007-12-14 11:53:15.000000000 +1000
|
|
@@ -80,8 +80,6 @@
|
|
SProcXGrabDeviceKey(register ClientPtr client)
|
|
{
|
|
register char n;
|
|
- register long *p;
|
|
- register int i;
|
|
|
|
REQUEST(xGrabDeviceKeyReq);
|
|
swaps(&stuff->length, n);
|
|
@@ -89,11 +87,8 @@
|
|
swapl(&stuff->grabWindow, n);
|
|
swaps(&stuff->modifiers, n);
|
|
swaps(&stuff->event_count, n);
|
|
- p = (long *)&stuff[1];
|
|
- for (i = 0; i < stuff->event_count; i++) {
|
|
- swapl(p, n);
|
|
- p++;
|
|
- }
|
|
+ REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
|
|
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
|
|
return (ProcXGrabDeviceKey(client));
|
|
}
|
|
|
|
--- xorg-server-1.1.1/Xi/grabdev.c.da 2006-07-06 04:31:36.000000000 +1000
|
|
+++ xorg-server-1.1.1/Xi/grabdev.c 2007-12-14 11:52:47.000000000 +1000
|
|
@@ -82,8 +82,6 @@
|
|
SProcXGrabDevice(register ClientPtr client)
|
|
{
|
|
register char n;
|
|
- register long *p;
|
|
- register int i;
|
|
|
|
REQUEST(xGrabDeviceReq);
|
|
swaps(&stuff->length, n);
|
|
@@ -91,11 +89,11 @@
|
|
swapl(&stuff->grabWindow, n);
|
|
swapl(&stuff->time, n);
|
|
swaps(&stuff->event_count, n);
|
|
- p = (long *)&stuff[1];
|
|
- for (i = 0; i < stuff->event_count; i++) {
|
|
- swapl(p, n);
|
|
- p++;
|
|
- }
|
|
+
|
|
+ if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
|
|
+ return BadLength;
|
|
+
|
|
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
|
|
|
|
return (ProcXGrabDevice(client));
|
|
}
|
|
--- xorg-server-1.1.1/Xi/chgfctl.c.da 2006-07-06 04:31:36.000000000 +1000
|
|
+++ xorg-server-1.1.1/Xi/chgfctl.c 2007-12-14 11:50:50.000000000 +1000
|
|
@@ -451,18 +451,13 @@
|
|
xStringFeedbackCtl * f)
|
|
{
|
|
register char n;
|
|
- register long *p;
|
|
int i, j;
|
|
KeySym *syms, *sup_syms;
|
|
|
|
syms = (KeySym *) (f + 1);
|
|
if (client->swapped) {
|
|
swaps(&f->length, n); /* swapped num_keysyms in calling proc */
|
|
- p = (long *)(syms);
|
|
- for (i = 0; i < f->num_keysyms; i++) {
|
|
- swapl(p, n);
|
|
- p++;
|
|
- }
|
|
+ SwapLongs((CARD32 *) syms, f->num_keysyms);
|
|
}
|
|
|
|
if (f->num_keysyms > s->ctrl.max_symbols) {
|