
X Strike Force XFree86 SVN commit: r2295 - in branches/4.1.0/woody/debian: . patches



Author: fjp
Date: 2005-09-19 09:09:20 -0500 (Mon, 19 Sep 2005)
New Revision: 2295

Added:
   branches/4.1.0/woody/debian/patches/077_SECURITY_fix_pixmap_size_overflows.diff
Modified:
   branches/4.1.0/woody/debian/changelog
Log:
* Add patch 077_SECURITY_fix_pixmap_size_overflows.diff:
  CAN-2005-2495: overflows when allocating size for large pixmaps may
  allow attackers to execute arbitrary code; with the patches for this
  issue, pixmap size has been limited to 32767x32767.
* Release 4.1.0-16woody7 (security update)


Modified: branches/4.1.0/woody/debian/changelog
===================================================================
--- branches/4.1.0/woody/debian/changelog	2005-09-01 19:41:35 UTC (rev 2294)
+++ branches/4.1.0/woody/debian/changelog	2005-09-19 14:09:20 UTC (rev 2295)
@@ -1,5 +1,10 @@
-xfree86 (4.1.0-16woody7) UNRELEASED; urgency=high
+xfree86 (4.1.0-16woody7) oldstable-security; urgency=high
 
+  * Security update release.  Resolves the following issue:
+    + CAN-2005-2495: overflows when allocating size for large pixmaps may
+      allow attackers to execute arbitrary code; with the patches for this
+      issue, pixmap size has been limited to 32767x32767.
+
   * Replace s_popen()-based fix for CAN-2004-0914 with a better fix from
     freedesktop.org xorg CVS.  There were several problems with s_popen(),
     some merely functional, and some themselves security-flawed.  There does
@@ -12,9 +17,9 @@
     create.c; and 6) preprocessor-enforced ignorance of PutPixel32() on 64-bit
     systems (whose implementation was already disabled on 64-bit systems).
     (Closes: #309143)
-     
- -- Frans Pop <fjp@debian.org>  Sat, 27 Aug 2005 21:26:35 +0200
 
+ -- Frans Pop <fjp@debian.org>  Sun, 28 Aug 2005 01:15:25 +0200
+
 xfree86 (4.1.0-16woody6) stable-security; urgency=high
 
   * Security update release.  Resolves the following issue:

Added: branches/4.1.0/woody/debian/patches/077_SECURITY_fix_pixmap_size_overflows.diff
===================================================================
--- branches/4.1.0/woody/debian/patches/077_SECURITY_fix_pixmap_size_overflows.diff	2005-09-01 19:41:35 UTC (rev 2294)
+++ branches/4.1.0/woody/debian/patches/077_SECURITY_fix_pixmap_size_overflows.diff	2005-09-19 14:09:20 UTC (rev 2295)
@@ -0,0 +1,177 @@
+diff -Nru xc.after076/programs/Xserver/afb/afbpixmap.c xc/programs/Xserver/afb/afbpixmap.c
+--- xc.after076/programs/Xserver/afb/afbpixmap.c	2005-08-27 20:39:02.000000000 +0200
++++ xc/programs/Xserver/afb/afbpixmap.c	2005-08-28 00:55:22.000000000 +0200
+@@ -73,10 +73,14 @@
+ 	int				depth;
+ {
+ 	PixmapPtr pPixmap;
+-	int datasize;
+-	int paddedWidth;
++	size_t datasize;
++	size_t paddedWidth;
+ 
+ 	paddedWidth = BitmapBytePad(width);
++
++	if (paddedWidth > 32767 || height > 32767)
++	    return NullPixmap;
++
+ 	datasize = height * paddedWidth * depth;
+ 	pPixmap = AllocatePixmap(pScreen, datasize);
+ 	if (!pPixmap)
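Review bot: The added guard in afbpixmap.c bounds `paddedWidth` and `height` but not `depth`, yet `datasize = height * paddedWidth * depth` multiplies all three. With both dimensions at 32767 the first product is already just under 2^30, so where `size_t` is 32 bits a depth above 4 can still wrap unless an outer caller has bounded it. I would add the depth to the same condition, for example `if (paddedWidth > 32767 || height > 32767 || depth > 4)` if 4 planes is what afb is meant to support, or otherwise divide-check the product before multiplying. The ilbmpixmap.c hunk has the same three-factor product; both functions start before and continue past their hunks, so whether `AllocatePixmap` takes the size as `size_t` or narrows it again cannot be seen here.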
+diff -Nru xc.after076/programs/Xserver/cfb/cfbpixmap.c xc/programs/Xserver/cfb/cfbpixmap.c
+--- xc.after076/programs/Xserver/cfb/cfbpixmap.c	2005-08-27 20:39:02.000000000 +0200
++++ xc/programs/Xserver/cfb/cfbpixmap.c	2005-08-28 00:55:22.000000000 +0200
+@@ -66,10 +66,13 @@
+     int		depth;
+ {
+     PixmapPtr pPixmap;
+-    int datasize;
+-    int paddedWidth;
++    size_t datasize;
++    size_t paddedWidth;
+ 
+     paddedWidth = PixmapBytePad(width, depth);
++
++    if (paddedWidth > 32767 || height > 32767)
++	return NullPixmap;
+     datasize = height * paddedWidth;
+     pPixmap = AllocatePixmap(pScreen, datasize);
+     if (!pPixmap)
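Review bot: The guard in cfbpixmap.c tests `paddedWidth`, which is a byte count from `PixmapBytePad(width, depth)`, so the pixel width it permits shrinks as depth grows: at 32 bits per pixel anything wider than roughly 8191 pixels is refused. The log message states a 32767x32767 limit, and the mfb, xf4bpp and xaa hunks test `width`/`w` in pixels. The stricter test errs on the safe side because it keeps `height * paddedWidth` below 2^30, but the discrepancy should be deliberate and recorded, e.g. `/* limit is bytes per scanline, not pixels: keeps height * paddedWidth below 2^30 */` above the check. The fbpixmap.c and iplpixmap.c hunks compare `paddedWidth` the same way; the function body continues outside this hunk.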
+diff -Nru xc.after076/programs/Xserver/dix/dispatch.c xc/programs/Xserver/dix/dispatch.c
+--- xc.after076/programs/Xserver/dix/dispatch.c	2005-08-27 20:39:02.000000000 +0200
++++ xc/programs/Xserver/dix/dispatch.c	2005-08-28 00:55:22.000000000 +0200
+@@ -1498,6 +1498,23 @@
+ 	client->errorValue = 0;
+         return BadValue;
+     }
++    if (stuff->width > 32767 || stuff->height > 32767)
++    {
++     /* It is allowed to try and allocate a pixmap which is larger than
++      * 32767 in either dimension. However, all of the framebuffer code
++      * is buggy and does not reliably draw to such big pixmaps, basically
++      * because the Region data structure operates with signed shorts
++      * for the rectangles in it.
++      *
++      * Furthermore, several places in the X server computes the
++      * size in bytes of the pixmap and tries to store it in an
++      * integer. This integer can overflow and cause the allocated size
++      * to be much smaller.
++      *
++      * So, such big pixmaps are rejected here with a BadAlloc
++      */
++     return BadAlloc;
++    }
+     if (stuff->depth != 1)
+     {
+         pDepth = pDraw->pScreen->allowedDepths;
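Review bot: The literal 32767 in `if (stuff->width > 32767 || stuff->height > 32767)` is repeated by hand in the eight per-framebuffer guards elsewhere in this patch, with nothing tying the copies together. This request-level check is what bounds the dimensions in pixels, and the lower-level guards only hold if they agree with it, so a single named constant in a header all of them include (a suggested name would be `MAX_PIXMAP_DIMENSION`) would keep a later change to the limit from leaving one allocator behind. The comment could also say that the value is the largest signed 16-bit coordinate, which is the reason it gives for the Region code. The enclosing request handler starts and ends outside the hunk.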
+diff -Nru xc.after076/programs/Xserver/fb/fbpixmap.c xc/programs/Xserver/fb/fbpixmap.c
+--- xc.after076/programs/Xserver/fb/fbpixmap.c	2005-08-27 20:39:03.000000000 +0200
++++ xc/programs/Xserver/fb/fbpixmap.c	2005-08-28 00:55:22.000000000 +0200
+@@ -32,12 +32,14 @@
+ fbCreatePixmapBpp (ScreenPtr pScreen, int width, int height, int depth, int bpp)
+ {
+     PixmapPtr	pPixmap;
+-    int		datasize;
+-    int		paddedWidth;
++    size_t	datasize;
++    size_t	paddedWidth;
+     int		adjust;
+     int		base;
+ 
+     paddedWidth = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (FbBits);
++    if (paddedWidth > 32767 || height > 32767)
++	return NullPixmap;
+     datasize = height * paddedWidth;
+ #ifdef PIXPRIV
+     base = pScreen->totalPixmapSize;
+diff -Nru xc.after076/programs/Xserver/hw/xfree86/xaa/xaaInit.c xc/programs/Xserver/hw/xfree86/xaa/xaaInit.c
+--- xc.after076/programs/Xserver/hw/xfree86/xaa/xaaInit.c	2005-08-27 20:39:11.000000000 +0200
++++ xc/programs/Xserver/hw/xfree86/xaa/xaaInit.c	2005-08-28 00:55:22.000000000 +0200
+@@ -476,6 +476,9 @@
+     XAAPixmapPtr pPriv;
+     PixmapPtr pPix = NULL;
+     int size = w * h;
++
++    if (w > 32767 || h > 32767)
++	return NullPixmap;
+     
+     if (!infoRec->offscreenDepthsInitialized)
+ 	XAAInitializeOffscreenDepths (pScreen);
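Review bot: `int size = w * h;` is still evaluated in its declaration, above the new `if (w > 32767 || h > 32767)` guard, so an oversized pair is multiplied in signed arithmetic before it is rejected, and `size` stays an `int` while the other hunks move to `size_t`. Assuming `w` and `h` are plain `int` parameters (their declarations are outside the hunk), that is a signed overflow, which is undefined behaviour, even though the result is discarded on the early return. Declaring `int size;` and assigning `size = w * h;` after the guard removes it without changing anything else; the rest of the function lies beyond the hunk.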
+diff -Nru xc.after076/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c xc/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c
+--- xc.after076/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c	2005-08-27 20:39:11.000000000 +0200
++++ xc/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c	2005-08-28 00:55:22.000000000 +0200
+@@ -85,13 +85,16 @@
+     int		depth ;
+ {
+     register PixmapPtr pPixmap  = (PixmapPtr)NULL;
+-    int size ;
++    size_t size ;
+     
+     TRACE(("xf4bppCreatePixmap(pScreen=0x%x, width=%d, height=%d, depth=%d)\n", pScreen, width, height, depth)) ;
+ 
+     if ( depth > 8 )
+ 	return (PixmapPtr) NULL ;
+ 
++    if (width > 32767 || height > 32767)
++	return (PixmapPtr) NULL ;
++
+     size = PixmapBytePad(width, depth);
+     pPixmap = AllocatePixmap (pScreen, (height * size));
+     
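Review bot: The new test `if (width > 32767 || height > 32767)` checks only the upper bound, while the TRACE line prints both values with `%d`, which suggests they are signed. Now that `size` is `size_t`, a negative `height` would pass the guard and be converted to a very large unsigned value in `height * size` before reaching `AllocatePixmap`. The request path checked in dispatch.c compares the wire fields directly, but whether every other caller of this function is similarly bounded cannot be seen from here. I would make the guard two-sided, `if (width < 0 || height < 0 || width > 32767 || height > 32767)`, here and in the mfbpixmap.c hunk, which tests the raw `width`/`height` the same way.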
+diff -Nru xc.after076/programs/Xserver/ilbm/ilbmpixmap.c xc/programs/Xserver/ilbm/ilbmpixmap.c
+--- xc.after076/programs/Xserver/ilbm/ilbmpixmap.c	2005-08-27 20:39:11.000000000 +0200
++++ xc/programs/Xserver/ilbm/ilbmpixmap.c	2005-08-28 00:55:22.000000000 +0200
+@@ -75,10 +75,12 @@
+ 	int				depth;
+ {
+ 	PixmapPtr pPixmap;
+-	int datasize;
+-	int paddedWidth;
++	size_t datasize;
++	size_t paddedWidth;
+ 
+ 	paddedWidth = BitmapBytePad(width);
++	if (paddedWidth > 32767 || height > 32767)
++		return NullPixmap;
+ 	datasize = height * paddedWidth * depth;
+ 	pPixmap = AllocatePixmap(pScreen, datasize);
+ 	if (!pPixmap)
+diff -Nru xc.after076/programs/Xserver/iplan2p4/iplpixmap.c xc/programs/Xserver/iplan2p4/iplpixmap.c
+--- xc.after076/programs/Xserver/iplan2p4/iplpixmap.c	2005-08-27 20:39:11.000000000 +0200
++++ xc/programs/Xserver/iplan2p4/iplpixmap.c	2005-08-28 00:55:22.000000000 +0200
+@@ -74,12 +74,14 @@
+     int		depth;
+ {
+     PixmapPtr pPixmap;
+-    int datasize;
+-    int paddedWidth;
++    size_t datasize;
++    size_t paddedWidth;
+     int ipad=INTER_PLANES*2 - 1;
+ 
+     paddedWidth = PixmapBytePad(width, depth);
+     paddedWidth = (paddedWidth + ipad) & ~ipad;
++    if (paddedWidth > 32767 || height > 32767)
++	return NullPixmap;
+     datasize = height * paddedWidth;
+     pPixmap = AllocatePixmap(pScreen, datasize);
+     if (!pPixmap)
+diff -Nru xc.after076/programs/Xserver/mfb/mfbpixmap.c xc/programs/Xserver/mfb/mfbpixmap.c
+--- xc.after076/programs/Xserver/mfb/mfbpixmap.c	2005-08-27 20:39:11.000000000 +0200
++++ xc/programs/Xserver/mfb/mfbpixmap.c	2005-08-28 00:55:22.000000000 +0200
+@@ -68,11 +68,13 @@
+     int		depth;
+ {
+     PixmapPtr pPixmap;
+-    int datasize;
+-    int paddedWidth;
++    size_t datasize;
++    size_t paddedWidth;
+ 
+     if (depth != 1)
+ 	return NullPixmap;
++    if (width > 32767 || height > 32767)
++	return NullPixmap;
+     paddedWidth = BitmapBytePad(width);
+     datasize = height * paddedWidth;
+     pPixmap = AllocatePixmap(pScreen, datasize);


