X Strike Force XFree86 SVN commit: r2297 - in branches/4.3.0/sarge/debian: . patches
Author: fjp
Date: 2005-09-19 15:33:19 -0500 (Mon, 19 Sep 2005)
New Revision: 2297
Added:
branches/4.3.0/sarge/debian/patches/099za_SECURITY_fix_pixmap_size_overflows.diff
Modified:
branches/4.3.0/sarge/debian/changelog
Log:
* Add patch 099za_SECURITY_fix_pixmap_size_overflows.diff:
CAN-2005-2495: overflows when allocating size for large pixmaps may
allow attackers to execute arbitrary code; with the patches for
this issue, pixmap size has been limited to 32767x32767.
* Release 4.3.0.dfsg.1-14.sarge1.
Modified: branches/4.3.0/sarge/debian/changelog
===================================================================
--- branches/4.3.0/sarge/debian/changelog 2005-09-19 20:28:13 UTC (rev 2296)
+++ branches/4.3.0/sarge/debian/changelog 2005-09-19 20:33:19 UTC (rev 2297)
@@ -1,3 +1,12 @@
+xfree86 (4.3.0.dfsg.1-14sarge1) stable-security; urgency=high
+
+ * Security update release. Resolves the following issue:
+ + CAN-2005-2495: overflows when allocating size for large pixmaps may
+ allow attackers to execute arbitrary code; with the patches for
+ this issue, pixmap size has been limited to 32767x32767.
+
+ -- Frans Pop <fjp@debian.org> Sun, 28 Aug 2005 22:35:10 +0200
+
xfree86 (4.3.0.dfsg.1-14) unstable; urgency=high
Urgency set to high due to fix for security flaw (see below).
Added: branches/4.3.0/sarge/debian/patches/099za_SECURITY_fix_pixmap_size_overflows.diff
===================================================================
--- branches/4.3.0/sarge/debian/patches/099za_SECURITY_fix_pixmap_size_overflows.diff 2005-09-19 20:28:13 UTC (rev 2296)
+++ branches/4.3.0/sarge/debian/patches/099za_SECURITY_fix_pixmap_size_overflows.diff 2005-09-19 20:33:19 UTC (rev 2297)
@@ -0,0 +1,177 @@
+diff -Nru xc.before099z/programs/Xserver/afb/afbpixmap.c xc/programs/Xserver/afb/afbpixmap.c
+--- xc.before099z/programs/Xserver/afb/afbpixmap.c 2005-08-27 23:29:16.000000000 +0200
++++ xc/programs/Xserver/afb/afbpixmap.c 2005-08-27 23:53:11.000000000 +0200
+@@ -73,10 +73,14 @@
+ int depth;
+ {
+ PixmapPtr pPixmap;
+- int datasize;
+- int paddedWidth;
++ size_t datasize;
++ size_t paddedWidth;
+
+ paddedWidth = BitmapBytePad(width);
++
++ if (paddedWidth > 32767 || height > 32767)
++ return NullPixmap;
++
+ datasize = height * paddedWidth * depth;
+ pPixmap = AllocatePixmap(pScreen, datasize);
+ if (!pPixmap)
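Review bot: The product `datasize = height * paddedWidth * depth;` is still unbounded in `depth`, because the new guard limits only `paddedWidth` and `height`; with both at 32767 each plane is already about 2^30 bytes, so depth 2 exceeds INT_MAX and depth 5 or more wraps a 32-bit size_t. Compute it in two steps with a check between them: `datasize = height * paddedWidth;` then `if (depth < 1 || datasize > (size_t)-1 / depth) return NullPixmap;` then `datasize *= depth;`. The guard also lets a negative `height` through, which the size_t conversion turns into a huge value rather than the negative int the old code produced, so `height < 0` belongs in the condition too. Widening the locals only pays off if `AllocatePixmap` accepts a size_t; its prototype is not in this patch, and if the parameter is still int the value is narrowed back at the call. The enclosing function's parameter list and the rest of its body lie outside the hunk.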
+diff -Nru xc.before099z/programs/Xserver/cfb/cfbpixmap.c xc/programs/Xserver/cfb/cfbpixmap.c
+--- xc.before099z/programs/Xserver/cfb/cfbpixmap.c 2005-08-27 23:29:16.000000000 +0200
++++ xc/programs/Xserver/cfb/cfbpixmap.c 2005-08-28 00:29:58.000000000 +0200
+@@ -70,10 +70,13 @@
+ int depth;
+ {
+ PixmapPtr pPixmap;
+- int datasize;
+- int paddedWidth;
++ size_t datasize;
++ size_t paddedWidth;
+
+ paddedWidth = PixmapBytePad(width, depth);
++
++ if (paddedWidth > 32767 || height > 32767)
++ return NullPixmap;
+ datasize = height * paddedWidth;
+ pPixmap = AllocatePixmap(pScreen, datasize);
+ if (!pPixmap)
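Review bot: The guard `if (paddedWidth > 32767 || height > 32767)` does not reject a negative `height`, and with `datasize` now size_t the expression `height * paddedWidth` converts such a value to a huge unsigned product instead of the negative int it used to be. The dispatch change in this patch keeps protocol callers in range, but internal callers of this function are not covered, so extend it to `if (height < 0 || paddedWidth > 32767 || height > 32767)`. As in the other DDX hunks, the size_t widening is only effective if `AllocatePixmap` takes a size_t; if its parameter remains int (its prototype is not shown here) the value is narrowed at the call. The function's parameter declarations and tail are outside the hunk.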
+diff -Nru xc.before099z/programs/Xserver/dix/dispatch.c xc/programs/Xserver/dix/dispatch.c
+--- xc.before099z/programs/Xserver/dix/dispatch.c 2005-08-27 23:29:17.000000000 +0200
++++ xc/programs/Xserver/dix/dispatch.c 2005-08-27 23:44:08.000000000 +0200
+@@ -1492,6 +1492,23 @@
+ client->errorValue = 0;
+ return BadValue;
+ }
++ if (stuff->width > 32767 || stuff->height > 32767)
++ {
++ /* It is allowed to try and allocate a pixmap which is larger than
++ * 32767 in either dimension. However, all of the framebuffer code
++ * is buggy and does not reliably draw to such big pixmaps, basically
++ * because the Region data structure operates with signed shorts
++ * for the rectangles in it.
++ *
++ * Furthermore, several places in the X server computes the
++ * size in bytes of the pixmap and tries to store it in an
++ * integer. This integer can overflow and cause the allocated size
++ * to be much smaller.
++ *
++ * So, such big pixmaps are rejected here with a BadAlloc
++ */
++ return BadAlloc;
++ }
+ if (stuff->depth != 1)
+ {
+ pDepth = pDraw->pScreen->allowedDepths;
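Review bot: The literal `32767` introduced here is repeated verbatim in every DDX CreatePixmap this patch touches with no shared definition, so the protocol-level bound and the per-DDX bounds can silently drift apart; they already differ in kind, since this check is in pixels while the cfb/fb/afb/ilbm/iplan2p4 checks are on the padded byte width. A single named constant in a DIX header both sides include, e.g. `#define MAX_PIXMAP_DIMENSION 32767`, used as `if (stuff->width > MAX_PIXMAP_DIMENSION || stuff->height > MAX_PIXMAP_DIMENSION)`, would keep them in step. The comment block could also say that this is the primary protocol guard and that the DDX checks exist for internal callers. ProcCreatePixmap begins and ends outside the hunk.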
+diff -Nru xc.before099z/programs/Xserver/fb/fbpixmap.c xc/programs/Xserver/fb/fbpixmap.c
+--- xc.before099z/programs/Xserver/fb/fbpixmap.c 2005-08-27 23:29:17.000000000 +0200
++++ xc/programs/Xserver/fb/fbpixmap.c 2005-08-27 23:50:00.000000000 +0200
+@@ -32,12 +32,14 @@
+ fbCreatePixmapBpp (ScreenPtr pScreen, int width, int height, int depth, int bpp)
+ {
+ PixmapPtr pPixmap;
+- int datasize;
+- int paddedWidth;
++ size_t datasize;
++ size_t paddedWidth;
+ int adjust;
+ int base;
+
+ paddedWidth = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (FbBits);
++ if (paddedWidth > 32767 || height > 32767)
++ return NullPixmap;
+ datasize = height * paddedWidth;
+ #ifdef PIXPRIV
+ base = pScreen->totalPixmapSize;
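Review bot: The guard `if (paddedWidth > 32767 || height > 32767)` bounds the padded width in bytes (`paddedWidth` is scaled by `sizeof (FbBits)` on the line above), not in pixels, so at 32 bpp any width above 8191 px is refused even though dispatch now admits widths up to 32767. If that tightening is intended, and it does keep `height * paddedWidth` below 2^30, record it with a comment such as `/* bound is in bytes: keeps height * paddedWidth below 2^30 */`; if a pixel bound was meant, compare `width` instead and re-check the product, since 32767 rows of 131068 bytes no longer fits an int. Separately, `width * bpp` on the preceding line is int arithmetic performed before any check, so an oversized width from an internal caller overflows before the comparison sees it; testing `width > 32767` first avoids that. fbCreatePixmapBpp continues past the hunk.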
+diff -Nru xc.before099z/programs/Xserver/hw/xfree86/xaa/xaaInit.c xc/programs/Xserver/hw/xfree86/xaa/xaaInit.c
+--- xc.before099z/programs/Xserver/hw/xfree86/xaa/xaaInit.c 2005-08-27 23:29:35.000000000 +0200
++++ xc/programs/Xserver/hw/xfree86/xaa/xaaInit.c 2005-08-28 00:40:38.000000000 +0200
+@@ -480,6 +480,9 @@
+ XAAPixmapPtr pPriv;
+ PixmapPtr pPix = NULL;
+ int size = w * h;
++
++ if (w > 32767 || h > 32767)
++ return NullPixmap;
+
+ if (!infoRec->offscreenDepthsInitialized)
+ XAAInitializeOffscreenDepths (pScreen);
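Review bot: `int size = w * h;` is evaluated before the new guard, so the signed multiplication the guard is meant to prevent still happens for oversized dimensions, which is undefined behaviour in C even when `size` is unused on the rejecting path. Split the declaration from the initializer: declare `int size;`, run `if (w > 32767 || h > 32767) return NullPixmap;`, then assign `size = w * h;`. Negative `w` or `h` also pass the guard; if callers can supply them, `w <= 0 || h <= 0` is worth rejecting in the same condition. The enclosing function's signature and the remainder of its body are outside the hunk.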
+diff -Nru xc.before099z/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c xc/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c
+--- xc.before099z/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c 2005-08-27 23:29:35.000000000 +0200
++++ xc/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c 2005-08-27 23:55:49.000000000 +0200
+@@ -85,13 +85,16 @@
+ int depth ;
+ {
+ register PixmapPtr pPixmap = (PixmapPtr)NULL;
+- int size ;
++ size_t size ;
+
+ TRACE(("xf4bppCreatePixmap(pScreen=0x%x, width=%d, height=%d, depth=%d)\n", pScreen, width, height, depth)) ;
+
+ if ( depth > 8 )
+ return (PixmapPtr) NULL ;
+
++ if (width > 32767 || height > 32767)
++ return (PixmapPtr) NULL ;
++
+ size = PixmapBytePad(width, depth);
+ pPixmap = AllocatePixmap (pScreen, (height * size));
+
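Review bot: The guard `if (width > 32767 || height > 32767)` leaves negative values through, and `height * size` then mixes a signed `height` with the now-size_t `size`, so a negative height yields a huge unsigned product rather than the negative int the old code produced; a negative `width` likewise reaches `PixmapBytePad(width, depth)` unchecked. Add `width < 0 || height < 0 ||` to the condition, or merge it with the existing `depth > 8` test into one early return. Note also that this check is in pixels while the cfb/fb/afb/ilbm hunks bound the padded byte width, so the effective limit differs per DDX; a comment stating which unit is intended would help the next reader. The function's parameter list and tail are outside the hunk.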
+diff -Nru xc.before099z/programs/Xserver/ilbm/ilbmpixmap.c xc/programs/Xserver/ilbm/ilbmpixmap.c
+--- xc.before099z/programs/Xserver/ilbm/ilbmpixmap.c 2005-08-27 23:29:36.000000000 +0200
++++ xc/programs/Xserver/ilbm/ilbmpixmap.c 2005-08-27 23:54:42.000000000 +0200
+@@ -75,10 +75,12 @@
+ int depth;
+ {
+ PixmapPtr pPixmap;
+- int datasize;
+- int paddedWidth;
++ size_t datasize;
++ size_t paddedWidth;
+
+ paddedWidth = BitmapBytePad(width);
++ if (paddedWidth > 32767 || height > 32767)
++ return NullPixmap;
+ datasize = height * paddedWidth * depth;
+ pPixmap = AllocatePixmap(pScreen, datasize);
+ if (!pPixmap)
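Review bot: As in the afb hunk, `datasize = height * paddedWidth * depth;` is not protected against `depth`: the guard caps the first two factors at 32767 each, which already puts a single plane near 2^30 bytes, so the full product exceeds INT_MAX from depth 2 and wraps a 32-bit size_t from depth 5. Compute `datasize = height * paddedWidth;`, then reject with `if (depth < 1 || datasize > (size_t)-1 / depth) return NullPixmap;` before `datasize *= depth;`. A negative `height` also slips past `height > 32767` and becomes a huge value once converted to size_t, so `height < 0` belongs in the guard. The enclosing function starts and ends outside the hunk.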
+diff -Nru xc.before099z/programs/Xserver/iplan2p4/iplpixmap.c xc/programs/Xserver/iplan2p4/iplpixmap.c
+--- xc.before099z/programs/Xserver/iplan2p4/iplpixmap.c 2005-08-27 23:29:36.000000000 +0200
++++ xc/programs/Xserver/iplan2p4/iplpixmap.c 2005-08-28 00:29:07.000000000 +0200
+@@ -74,12 +74,14 @@
+ int depth;
+ {
+ PixmapPtr pPixmap;
+- int datasize;
+- int paddedWidth;
++ size_t datasize;
++ size_t paddedWidth;
+ int ipad=INTER_PLANES*2 - 1;
+
+ paddedWidth = PixmapBytePad(width, depth);
+ paddedWidth = (paddedWidth + ipad) & ~ipad;
++ if (paddedWidth > 32767 || height > 32767)
++ return NullPixmap;
+ datasize = height * paddedWidth;
+ pPixmap = AllocatePixmap(pScreen, datasize);
+ if (!pPixmap)
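Review bot: The guard `if (paddedWidth > 32767 || height > 32767)` is correctly placed after the `ipad` rounding, but it does not reject a negative `height`, which with `datasize` now size_t becomes a huge value in `height * paddedWidth`. Extend it to `if (height < 0 || paddedWidth > 32767 || height > 32767)`. The widening to size_t is only effective if `AllocatePixmap` takes a size_t; if its parameter is still int (its prototype is not in this patch) the value is narrowed at the call. The enclosing function continues outside the hunk.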
+diff -Nru xc.before099z/programs/Xserver/mfb/mfbpixmap.c xc/programs/Xserver/mfb/mfbpixmap.c
+--- xc.before099z/programs/Xserver/mfb/mfbpixmap.c 2005-08-27 23:29:36.000000000 +0200
++++ xc/programs/Xserver/mfb/mfbpixmap.c 2005-08-27 23:57:27.000000000 +0200
+@@ -72,11 +72,13 @@
+ int depth;
+ {
+ PixmapPtr pPixmap;
+- int datasize;
+- int paddedWidth;
++ size_t datasize;
++ size_t paddedWidth;
+
+ if (depth != 1)
+ return NullPixmap;
++ if (width > 32767 || height > 32767)
++ return NullPixmap;
+ paddedWidth = BitmapBytePad(width);
+ datasize = height * paddedWidth;
+ pPixmap = AllocatePixmap(pScreen, datasize);
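Review bot: The guard `if (width > 32767 || height > 32767)` tests the raw pixel dimensions, so a negative `width` still reaches `BitmapBytePad(width)` and a negative `height` still reaches `height * paddedWidth`; with both locals now size_t, a negative intermediate becomes a huge unsigned value instead of the negative int it was before this change. Rejecting `width < 0 || height < 0` in the same condition closes that path for internal callers that dispatch does not cover. This check is also in pixels where the cfb/fb/afb/ilbm hunks bound the padded byte width, so the per-DDX limits differ; a shared constant would make the intended bound explicit. The enclosing function's parameter declarations are above the hunk and its body continues below.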