X Strike Force XFree86 SVN commit: r2295 - in branches/4.1.0/woody/debian: . patches
Author: fjp
Date: 2005-09-19 09:09:20 -0500 (Mon, 19 Sep 2005)
New Revision: 2295
Added:
branches/4.1.0/woody/debian/patches/077_SECURITY_fix_pixmap_size_overflows.diff
Modified:
branches/4.1.0/woody/debian/changelog
Log:
* Add patch 077_SECURITY_fix_pixmap_size_overflows.diff:
CAN-2005-2495: overflows when allocating size for large pixmaps may
allow attackers to execute arbitrary code; with the patches for this
issue, pixmap size has been limited to 32767x32767.
* Release 4.1.0-16woody7 (security update)
Modified: branches/4.1.0/woody/debian/changelog
===================================================================
--- branches/4.1.0/woody/debian/changelog 2005-09-01 19:41:35 UTC (rev 2294)
+++ branches/4.1.0/woody/debian/changelog 2005-09-19 14:09:20 UTC (rev 2295)
@@ -1,5 +1,10 @@
-xfree86 (4.1.0-16woody7) UNRELEASED; urgency=high
+xfree86 (4.1.0-16woody7) oldstable-security; urgency=high
+ * Security update release. Resolves the following issue:
+ + CAN-2005-2495: overflows when allocating size for large pixmaps may
+ allow attackers to execute arbitrary code; with the patches for this
+ issue, pixmap size has been limited to 32767x32767.
+
* Replace s_popen()-based fix for CAN-2004-0914 with a better fix from
freedesktop.org xorg CVS. There were several problems with s_popen(),
some merely functional, and some themselves security-flawed. There does
@@ -12,9 +17,9 @@
create.c; and 6) preprocessor-enforced ignorance of PutPixel32() on 64-bit
systems (whose implementation was already disabled on 64-bit systems).
(Closes: #309143)
-
- -- Frans Pop <fjp@debian.org> Sat, 27 Aug 2005 21:26:35 +0200
+ -- Frans Pop <fjp@debian.org> Sun, 28 Aug 2005 01:15:25 +0200
+
xfree86 (4.1.0-16woody6) stable-security; urgency=high
* Security update release. Resolves the following issue:
Added: branches/4.1.0/woody/debian/patches/077_SECURITY_fix_pixmap_size_overflows.diff
===================================================================
--- branches/4.1.0/woody/debian/patches/077_SECURITY_fix_pixmap_size_overflows.diff 2005-09-01 19:41:35 UTC (rev 2294)
+++ branches/4.1.0/woody/debian/patches/077_SECURITY_fix_pixmap_size_overflows.diff 2005-09-19 14:09:20 UTC (rev 2295)
@@ -0,0 +1,177 @@
+diff -Nru xc.after076/programs/Xserver/afb/afbpixmap.c xc/programs/Xserver/afb/afbpixmap.c
+--- xc.after076/programs/Xserver/afb/afbpixmap.c 2005-08-27 20:39:02.000000000 +0200
++++ xc/programs/Xserver/afb/afbpixmap.c 2005-08-28 00:55:22.000000000 +0200
+@@ -73,10 +73,14 @@
+ int depth;
+ {
+ PixmapPtr pPixmap;
+- int datasize;
+- int paddedWidth;
++ size_t datasize;
++ size_t paddedWidth;
+
+ paddedWidth = BitmapBytePad(width);
++
++ if (paddedWidth > 32767 || height > 32767)
++ return NullPixmap;
++
+ datasize = height * paddedWidth * depth;
+ pPixmap = AllocatePixmap(pScreen, datasize);
+ if (!pPixmap)
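Review bot: The new bound does not cover the third factor in `datasize = height * paddedWidth * depth;`. With both dimensions at 32767 the first two factors already multiply to about 2^30, so where `size_t` is 32 bits a depth of 5 or more wraps the result and `AllocatePixmap` is asked for less than the pixmap needs. The ilbm hunk has the same expression. A test ahead of the multiply, such as `if (depth <= 0 || (size_t)height * paddedWidth > (size_t)-1 / depth) return NullPixmap;`, would close that, and `height < 0` should be rejected as well if height is a signed int here (its declaration is outside the hunk). Whether `AllocatePixmap` accepts a `size_t` is not visible; if its parameter is still `int`, the widened `datasize` is narrowed again at the call.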
+diff -Nru xc.after076/programs/Xserver/cfb/cfbpixmap.c xc/programs/Xserver/cfb/cfbpixmap.c
+--- xc.after076/programs/Xserver/cfb/cfbpixmap.c 2005-08-27 20:39:02.000000000 +0200
++++ xc/programs/Xserver/cfb/cfbpixmap.c 2005-08-28 00:55:22.000000000 +0200
+@@ -66,10 +66,13 @@
+ int depth;
+ {
+ PixmapPtr pPixmap;
+- int datasize;
+- int paddedWidth;
++ size_t datasize;
++ size_t paddedWidth;
+
+ paddedWidth = PixmapBytePad(width, depth);
++
++ if (paddedWidth > 32767 || height > 32767)
++ return NullPixmap;
+ datasize = height * paddedWidth;
+ pPixmap = AllocatePixmap(pScreen, datasize);
+ if (!pPixmap)
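Review bot: The limit here is applied to `paddedWidth`, a row size in bytes, while the mfb, xf4bpp and xaaInit hunks test the pixel `width`, so the same constant means different things across the patch. The fb and iplan2p4 hunks use the byte form too. At 32 bits per pixel a byte limit of 32767 caps a row at roughly 8191 pixels, which is stricter than the 32767x32767 stated in the changelog entry. The stricter bound is the safe direction for the size arithmetic, so I would keep it and record the unit in a comment, e.g. `/* limit is on bytes per row, not pixels: keeps height * paddedWidth below 2^30 */`.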
+diff -Nru xc.after076/programs/Xserver/dix/dispatch.c xc/programs/Xserver/dix/dispatch.c
+--- xc.after076/programs/Xserver/dix/dispatch.c 2005-08-27 20:39:02.000000000 +0200
++++ xc/programs/Xserver/dix/dispatch.c 2005-08-28 00:55:22.000000000 +0200
+@@ -1498,6 +1498,23 @@
+ client->errorValue = 0;
+ return BadValue;
+ }
++ if (stuff->width > 32767 || stuff->height > 32767)
++ {
++ /* It is allowed to try and allocate a pixmap which is larger than
++ * 32767 in either dimension. However, all of the framebuffer code
++ * is buggy and does not reliably draw to such big pixmaps, basically
++ * because the Region data structure operates with signed shorts
++ * for the rectangles in it.
++ *
++ * Furthermore, several places in the X server computes the
++ * size in bytes of the pixmap and tries to store it in an
++ * integer. This integer can overflow and cause the allocated size
++ * to be much smaller.
++ *
++ * So, such big pixmaps are rejected here with a BadAlloc
++ */
++ return BadAlloc;
++ }
+ if (stuff->depth != 1)
+ {
+ pDepth = pDraw->pScreen->allowedDepths;
+diff -Nru xc.after076/programs/Xserver/fb/fbpixmap.c xc/programs/Xserver/fb/fbpixmap.c
+--- xc.after076/programs/Xserver/fb/fbpixmap.c 2005-08-27 20:39:03.000000000 +0200
++++ xc/programs/Xserver/fb/fbpixmap.c 2005-08-28 00:55:22.000000000 +0200
+@@ -32,12 +32,14 @@
+ fbCreatePixmapBpp (ScreenPtr pScreen, int width, int height, int depth, int bpp)
+ {
+ PixmapPtr pPixmap;
+- int datasize;
+- int paddedWidth;
++ size_t datasize;
++ size_t paddedWidth;
+ int adjust;
+ int base;
+
+ paddedWidth = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (FbBits);
++ if (paddedWidth > 32767 || height > 32767)
++ return NullPixmap;
+ datasize = height * paddedWidth;
+ #ifdef PIXPRIV
+ base = pScreen->totalPixmapSize;
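Review bot: `width * bpp` in the `paddedWidth` expression is evaluated in `int` before anything bounds `width`, so the guard added below it only sees the result of a multiply that may already have overflowed. The dispatch.c check covers dimensions arriving through the request handler patched there, but fbCreatePixmapBpp takes plain `int` arguments and its other callers are not visible here. Rejecting bad dimensions first, with `if (width < 0 || width > 32767 || height < 0 || height > 32767) return NullPixmap;` placed ahead of the `paddedWidth` assignment, keeps the arithmetic in range, and the existing `paddedWidth` test can stay. The function body continues past the end of the hunk.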
+diff -Nru xc.after076/programs/Xserver/hw/xfree86/xaa/xaaInit.c xc/programs/Xserver/hw/xfree86/xaa/xaaInit.c
+--- xc.after076/programs/Xserver/hw/xfree86/xaa/xaaInit.c 2005-08-27 20:39:11.000000000 +0200
++++ xc/programs/Xserver/hw/xfree86/xaa/xaaInit.c 2005-08-28 00:55:22.000000000 +0200
+@@ -476,6 +476,9 @@
+ XAAPixmapPtr pPriv;
+ PixmapPtr pPix = NULL;
+ int size = w * h;
++
++ if (w > 32767 || h > 32767)
++ return NullPixmap;
+
+ if (!infoRec->offscreenDepthsInitialized)
+ XAAInitializeOffscreenDepths (pScreen);
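Review bot: `int size = w * h;` is still evaluated in the declaration, ahead of the new guard, so for oversized arguments the signed multiply overflows (undefined behaviour in C) before the function returns NullPixmap. Declaring `int size;` and assigning `size = w * h;` after the `if (w > 32767 || h > 32767)` test lets the guard protect the multiply. Negative `w` or `h` also pass the test; whether callers can supply them is not visible in this hunk, and the function starts and ends outside it.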
+diff -Nru xc.after076/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c xc/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c
+--- xc.after076/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c 2005-08-27 20:39:11.000000000 +0200
++++ xc/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c 2005-08-28 00:55:22.000000000 +0200
+@@ -85,13 +85,16 @@
+ int depth ;
+ {
+ register PixmapPtr pPixmap = (PixmapPtr)NULL;
+- int size ;
++ size_t size ;
+
+ TRACE(("xf4bppCreatePixmap(pScreen=0x%x, width=%d, height=%d, depth=%d)\n", pScreen, width, height, depth)) ;
+
+ if ( depth > 8 )
+ return (PixmapPtr) NULL ;
+
++ if (width > 32767 || height > 32767)
++ return (PixmapPtr) NULL ;
++
+ size = PixmapBytePad(width, depth);
+ pPixmap = AllocatePixmap (pScreen, (height * size));
+
+diff -Nru xc.after076/programs/Xserver/ilbm/ilbmpixmap.c xc/programs/Xserver/ilbm/ilbmpixmap.c
+--- xc.after076/programs/Xserver/ilbm/ilbmpixmap.c 2005-08-27 20:39:11.000000000 +0200
++++ xc/programs/Xserver/ilbm/ilbmpixmap.c 2005-08-28 00:55:22.000000000 +0200
+@@ -75,10 +75,12 @@
+ int depth;
+ {
+ PixmapPtr pPixmap;
+- int datasize;
+- int paddedWidth;
++ size_t datasize;
++ size_t paddedWidth;
+
+ paddedWidth = BitmapBytePad(width);
++ if (paddedWidth > 32767 || height > 32767)
++ return NullPixmap;
+ datasize = height * paddedWidth * depth;
+ pPixmap = AllocatePixmap(pScreen, datasize);
+ if (!pPixmap)
+diff -Nru xc.after076/programs/Xserver/iplan2p4/iplpixmap.c xc/programs/Xserver/iplan2p4/iplpixmap.c
+--- xc.after076/programs/Xserver/iplan2p4/iplpixmap.c 2005-08-27 20:39:11.000000000 +0200
++++ xc/programs/Xserver/iplan2p4/iplpixmap.c 2005-08-28 00:55:22.000000000 +0200
+@@ -74,12 +74,14 @@
+ int depth;
+ {
+ PixmapPtr pPixmap;
+- int datasize;
+- int paddedWidth;
++ size_t datasize;
++ size_t paddedWidth;
+ int ipad=INTER_PLANES*2 - 1;
+
+ paddedWidth = PixmapBytePad(width, depth);
+ paddedWidth = (paddedWidth + ipad) & ~ipad;
++ if (paddedWidth > 32767 || height > 32767)
++ return NullPixmap;
+ datasize = height * paddedWidth;
+ pPixmap = AllocatePixmap(pScreen, datasize);
+ if (!pPixmap)
+diff -Nru xc.after076/programs/Xserver/mfb/mfbpixmap.c xc/programs/Xserver/mfb/mfbpixmap.c
+--- xc.after076/programs/Xserver/mfb/mfbpixmap.c 2005-08-27 20:39:11.000000000 +0200
++++ xc/programs/Xserver/mfb/mfbpixmap.c 2005-08-28 00:55:22.000000000 +0200
+@@ -68,11 +68,13 @@
+ int depth;
+ {
+ PixmapPtr pPixmap;
+- int datasize;
+- int paddedWidth;
++ size_t datasize;
++ size_t paddedWidth;
+
+ if (depth != 1)
+ return NullPixmap;
++ if (width > 32767 || height > 32767)
++ return NullPixmap;
+ paddedWidth = BitmapBytePad(width);
+ datasize = height * paddedWidth;
+ pPixmap = AllocatePixmap(pScreen, datasize);