
X Strike Force X.Org X11 SVN commit: r33 - in trunk: debian debian/patches xc/extras/Xpm/lib



Author: branden
Date: 2005-03-10 14:57:08 -0500 (Thu, 10 Mar 2005)
New Revision: 33

Modified:
   trunk/debian/changelog
   trunk/debian/patches/0000_backport_from_upstream.diff
   trunk/xc/extras/Xpm/lib/create.c
   trunk/xc/extras/Xpm/lib/scan.c
Log:
Backport fix from upstream CVS trunk:
+ Fix CAN-2005-0605: scan.c in the Xpm library may allow attackers to
  execute arbitrary code via a negative bitmap_unit value that leads
  to a buffer overflow. (see Debian #298939)


Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog	2005-03-10 19:49:25 UTC (rev 32)
+++ trunk/debian/changelog	2005-03-10 19:57:08 UTC (rev 33)
@@ -16,14 +16,17 @@
       build-essential package libc6-dev), bzip2 and dbs (new organization of
       source package will not require these).
 
-  * Backport fix from upstream CVS trunk:
+  * Backport fixes from upstream CVS trunk:
     + Shut up (tons of) Imake warnings on Debian systems by testing for
       variable being defined before testing its value.  (Presumably the
       fallback definition of NothingOutsideProjectRoot in Imake.tmpl was
       intended to prevent this, but it apparently is not in effect yet
       when linux.cf is parsed.)
+    + Fix CAN-2005-0605: scan.c in the Xpm library may allow attackers to
+      execute arbitrary code via a negative bitmap_unit value that leads
+      to a buffer overflow. (see Debian #298939)
 
- -- Branden Robinson <branden@debian.org>  Thu, 10 Mar 2005 14:47:41 -0500
+ -- Branden Robinson <branden@debian.org>  Thu, 10 Mar 2005 14:53:09 -0500
 
   $Id$
 

Modified: trunk/debian/patches/0000_backport_from_upstream.diff
===================================================================
--- trunk/debian/patches/0000_backport_from_upstream.diff	2005-03-10 19:49:25 UTC (rev 32)
+++ trunk/debian/patches/0000_backport_from_upstream.diff	2005-03-10 19:57:08 UTC (rev 33)
@@ -1,5 +1,12 @@
 $Id$
 
+Change descriptions are taken from xc/ChangeLog, with comments in
+[brackets] added by Debian where necessary for further explanation or
+context.
+
+Diffs from CVS may have hunks that change only RCS/CVS keyword lines
+elided so that they apply cleanly.
+
 2005-03-06 Branden Robinson <branden@debian.org>
 
 	* xc/config/cf/linux.cf
@@ -9,6 +16,16 @@
 	intended to prevent this, but it apparently is not in effect yet
 	when linux.cf is parsed.)
 
+2005-02-21  Matthieu Herrb <matthieu.herrb@laas.fr>
+
+	* extras/Xpm/lib/create.c:
+	* extras/Xpm/lib/scan.c:
+	Avoid inifite loops. From Chris Gilbert in bug #1920.
+
+	[Fixes CAN-2005-0605: scan.c for LibXPM may allow attackers to
+	execute arbitrary code via a negative bitmap_unit value that leads
+	to a buffer overflow.]
+
 Index: xc/config/cf/linux.cf
 ===================================================================
 RCS file: /cvs/xorg/xc/config/cf/linux.cf,v
@@ -42,3 +59,53 @@
  # define SharedLibXdmGreet	NO
  # define LinkGLToUsrInclude	NO
  # define LinkGLToUsrLib		NO
+Index: xc/extras/Xpm/lib/create.c
+===================================================================
+RCS file: /cvs/xorg/xc/extras/Xpm/lib/create.c,v
+retrieving revision 1.4
+retrieving revision 1.5
+diff -u -r1.4 -r1.5
+--- xc/extras/Xpm/lib/create.c	25 Nov 2004 21:19:11 -0000	1.4
++++ xc/extras/Xpm/lib/create.c	21 Feb 2005 20:52:32 -0000	1.5
+@@ -1215,10 +1215,10 @@
+     register char *src;
+     register char *dst;
+     register unsigned int *iptr;
+-    register unsigned int x, y, i;
++    register unsigned int x, y;
+     register char *data;
+     Pixel pixel, px;
+-    int nbytes, depth, ibu, ibpp;
++    int nbytes, depth, ibu, ibpp, i;
+ 
+     data = image->data;
+     iptr = pixelindex;
+Index: xc/extras/Xpm/lib/scan.c
+===================================================================
+RCS file: /cvs/xorg/xc/extras/Xpm/lib/scan.c,v
+retrieving revision 1.4
+retrieving revision 1.5
+diff -u -r1.4 -r1.5
+--- xc/extras/Xpm/lib/scan.c	25 Nov 2004 21:19:11 -0000	1.4
++++ xc/extras/Xpm/lib/scan.c	21 Feb 2005 20:52:32 -0000	1.5
+@@ -621,8 +621,8 @@
+     char *dst;
+     unsigned int *iptr;
+     char *data;
+-    unsigned int x, y, i;
+-    int bits, depth, ibu, ibpp, offset;
++    unsigned int x, y;
++    int bits, depth, ibu, ibpp, offset, i;
+     unsigned long lbt;
+     Pixel pixel, px;
+ 
+@@ -633,6 +633,9 @@
+     ibpp = image->bits_per_pixel;
+     offset = image->xoffset;
+ 
++    if (image->bitmap_unit < 0)
++	    return (XpmNoMemory);
++
+     if ((image->bits_per_pixel | image->depth) == 1) {
+ 	ibu = image->bitmap_unit;
+ 	for (y = 0; y < height; y++)

Modified: trunk/xc/extras/Xpm/lib/create.c
===================================================================
--- trunk/xc/extras/Xpm/lib/create.c	2005-03-10 19:49:25 UTC (rev 32)
+++ trunk/xc/extras/Xpm/lib/create.c	2005-03-10 19:57:08 UTC (rev 33)
@@ -1215,10 +1215,10 @@
     register char *src;
     register char *dst;
     register unsigned int *iptr;
-    register unsigned int x, y, i;
+    register unsigned int x, y;
     register char *data;
     Pixel pixel, px;
-    int nbytes, depth, ibu, ibpp;
+    int nbytes, depth, ibu, ibpp, i;
 
     data = image->data;
     iptr = pixelindex;
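Review bot: Nothing on the new `int nbytes, depth, ibu, ibpp, i;` declaration records why `i` has to be signed, so a later tidy-up could merge it back into the `unsigned int x, y` line and undo the fix. The loops that use `i` are outside this hunk, but going by the upstream log entry ("Avoid infinite loops") they presumably count down with a `>= 0` test, which is always true for an unsigned counter. I would add a comment on the declaration, e.g. `/* i must stay signed: used as a down-counter compared against 0 */`, and the same on the matching declaration in the scan.c hunk at -621,8 (both are also carried in debian/patches/0000_backport_from_upstream.diff). It is also worth confirming that no other comparison in the function now mixes the signed `i` with an unsigned operand; the function body starts and ends outside the hunk.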

Modified: trunk/xc/extras/Xpm/lib/scan.c
===================================================================
--- trunk/xc/extras/Xpm/lib/scan.c	2005-03-10 19:49:25 UTC (rev 32)
+++ trunk/xc/extras/Xpm/lib/scan.c	2005-03-10 19:57:08 UTC (rev 33)
@@ -621,8 +621,8 @@
     char *dst;
     unsigned int *iptr;
     char *data;
-    unsigned int x, y, i;
-    int bits, depth, ibu, ibpp, offset;
+    unsigned int x, y;
+    int bits, depth, ibu, ibpp, offset, i;
     unsigned long lbt;
     Pixel pixel, px;
 
@@ -633,6 +633,9 @@
     ibpp = image->bits_per_pixel;
     offset = image->xoffset;
 
+    if (image->bitmap_unit < 0)
+	    return (XpmNoMemory);
+
     if ((image->bits_per_pixel | image->depth) == 1) {
 	ibu = image->bitmap_unit;
 	for (y = 0; y < height; y++)
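Review bot: The added guard rejects only a negative `bitmap_unit`, so zero or any other unexpected positive value still reaches `ibu = image->bitmap_unit` a few lines later and whatever indexing is derived from it. An XImage's bitmap_unit is documented as 8, 16 or 32, so if every image reaching this function is expected to follow that, an allow-list is tighter: `if (image->bitmap_unit != 8 && image->bitmap_unit != 16 && image->bitmap_unit != 32)`. Returning `XpmNoMemory` for a malformed image also makes the failure look like an allocation problem; a short comment such as `/* invalid bitmap_unit; XpmNoMemory kept for caller compatibility */`, or a more fitting status if callers allow it, would help whoever triages this later. The function continues outside the hunk, so other reads of `bitmap_unit`, and the corresponding code in create.c, need checking separately.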


