
xorg-server: Changes to 'upstream-unstable'



 Xext/security.c |   10 +++++++---
 Xext/shm.c      |   13 +++++++++++--
 Xi/exevents.c   |   11 ++++++++---
 configure.ac    |    4 ++--
 dix/getevents.c |    2 +-
 record/record.c |   16 +++++++++++++---
 render/glyph.c  |   14 ++++++++++++--
 render/render.c |   18 ++++++++++++++----
 8 files changed, 68 insertions(+), 20 deletions(-)

New commits:
commit c3a7903f6a6a27e53ba0372408e0c5a68c608e86
Author: Julien Cristau <jcristau@debian.org>
Date:   Wed Jun 11 16:27:10 2008 +0200

    Bump to 1.4.2
    
    And update release date.

diff --git a/configure.ac b/configure.ac
index c64117f..f75fc61 100644
--- a/configure.ac
+++ b/configure.ac
@@ -26,7 +26,7 @@ dnl
 dnl Process this file with autoconf to create configure.
 
 AC_PREREQ(2.57)
-AC_INIT([xorg-server], 1.4.1, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
+AC_INIT([xorg-server], 1.4.2, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
 AC_CONFIG_SRCDIR([Makefile.am])
 AM_INIT_AUTOMAKE([dist-bzip2 foreign])
 AM_MAINTAINER_MODE
@@ -392,7 +392,7 @@ VENDOR_MAN_VERSION="Version ${PACKAGE_VERSION}"
 
 VENDOR_NAME="The X.Org Foundation"
 VENDOR_NAME_SHORT="X.Org"
-RELEASE_DATE="5 September 2007"
+RELEASE_DATE="11 June 2008"
 VENDOR_WEB="http://wiki.x.org";
 
 m4_ifdef([AS_HELP_STRING], , [m4_define([AS_HELP_STRING], m4_defn([AC_HELP_STRING]))])

commit 08e6292e7efff518730e3c54f3a082c6139d618d
Author: Matthieu Herrb <matthieu.herrb@laas.fr>
Date:   Sun Jun 8 11:16:23 2008 -0600

    CVE-2008-1379 - MIT-SHM arbitrary memory read
    
    An integer overflow in the validation of the parameters of the
    ShmPutImage() request makes it possible to trigger the copy of
    arbitrary server memory to a pixmap that can subsequently be read by
    the client, to read arbitrary parts of the X server memory space.

diff --git a/Xext/shm.c b/Xext/shm.c
index 3c0d1ee..de908cf 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -848,8 +848,17 @@ ProcShmPutImage(client)
         return BadValue;
     }
 
-    VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
-		   client);
+    /* 
+     * There's a potential integer overflow in this check:
+     * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+     *                client);
+     * the version below ought to avoid it
+     */
+    if (stuff->totalHeight != 0 && 
+	length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
+	client->errorValue = stuff->totalWidth;
+	return BadValue;
+    }
     if (stuff->srcX > stuff->totalWidth)
     {
 	client->errorValue = stuff->srcX;
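Review bot: The subtraction `shmdesc->size - stuff->offset` in the new check is only sound if `stuff->offset` has already been bounded by `shmdesc->size` earlier in ProcShmPutImage, which is outside this hunk (presumably the VERIFY_SHMPTR check near the top of the handler); a comment on the `if` such as `/* relies on the offset <= size check above; divide rather than multiply so length * totalHeight cannot overflow */` records that dependency so a later reorder does not reintroduce an underflow. The block comment quoting the old VERIFY_SHMSIZE call reads as commented-out code and can shrink to that one line. The `/*` and `if` lines carry trailing whitespace, and the new body mixes tab and four-space indentation with the surrounding style. The rest of ProcShmPutImage lies outside the hunk.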

commit 8ffaf613705a915c4b53ae11096dacd786fd1d22
Author: Matthieu Herrb <matthieu.herrb@laas.fr>
Date:   Sun Jun 8 11:16:55 2008 -0600

    CVE-2008-1377 - RECORD and Security extensions memory corruption
    
    Lack of validation of the parameters of the
    SProcSecurityGenerateAuthorization SProcRecordCreateContext
    functions makes it possible for a specially crafted request to trigger
    the swapping of bytes outside the parameter of these requests, causing
    memory corruption.

diff --git a/Xext/security.c b/Xext/security.c
index 14ad354..a8a75ea 100644
--- a/Xext/security.c
+++ b/Xext/security.c
@@ -651,15 +651,19 @@ SProcSecurityGenerateAuthorization(
     register char 	n;
     CARD32 *values;
     unsigned long nvalues;
+    int values_offset;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
     swaps(&stuff->nbytesAuthProto, n);
     swaps(&stuff->nbytesAuthData, n);
     swapl(&stuff->valueMask, n);
-    values = (CARD32 *)(&stuff[1]) +
-	((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
-	((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+		    ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    if (values_offset > 
+	stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+	return BadLength;
+    values = (CARD32 *)(&stuff[1]) + values_offset;
     nvalues = (((CARD32 *)stuff) + stuff->length) - values;
     SwapLongs(values, nvalues);
     return ProcSecurityGenerateAuthorization(client);
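Review bot: The new bound keeps `values` inside the request, but nothing says why it must precede the pointer computation; a comment above the `if`, `/* values must lie within the request, or SwapLongs below would swap memory past it */`, would state the contract. It is also worth noting next to `values_offset` that the sum cannot overflow `int` only because nbytesAuthProto and nbytesAuthData are 16-bit fields (both are swapped with `swaps` just above), since the variable is a plain `int` rather than an unsigned word count. Whether ProcSecurityGenerateAuthorization re-validates the same bounds on the non-swapped path is not visible in this hunk.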
diff --git a/record/record.c b/record/record.c
index 0ed8f84..9a166d6 100644
--- a/record/record.c
+++ b/record/record.c
@@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client)
 } /* SProcRecordQueryVersion */
 
 
-static void
+static int
 SwapCreateRegister(xRecordRegisterClientsReq *stuff)
 {
     register char n;
@@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
     swapl(&stuff->nClients, n);
     swapl(&stuff->nRanges, n);
     pClientID = (XID *)&stuff[1];
+    if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
+	return BadLength;
     for (i = 0; i < stuff->nClients; i++, pClientID++)
     {
 	swapl(pClientID, n);
     }
+    if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
+	- stuff->nClients)
+	return BadLength;
     RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
+    return Success;
 } /* SwapCreateRegister */
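Review bot: The second bound compares `stuff->nRanges` against the number of remaining CARD32 words, but RecordSwapRanges is handed an `xRecordRange *` and swaps `nRanges` whole structures, each sizeof(xRecordRange) bytes — more than one word — so a request can pass the check and still have bytes swapped past its end. Divide the remaining word count by the range size: `if (stuff->nRanges > (stuff->length - (sz_xRecordRegisterClientsReq >> 2) - stuff->nClients) / (sizeof(xRecordRange) >> 2))`. The `nClients` check is fine as written because each client ID is one XID word. The signature of SwapCreateRegister is in the preceding hunk.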
 
 
@@ -2679,11 +2685,13 @@ static int
 SProcRecordCreateContext(ClientPtr client)
 {
     REQUEST(xRecordCreateContextReq);
+    int			status;
     register char 	n;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
-    SwapCreateRegister((pointer)stuff);
+    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+	return status;
     return ProcRecordCreateContext(client);
 } /* SProcRecordCreateContext */
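Review bot: SwapCreateRegister is passed an xRecordCreateContextReq through the `(pointer)` cast, and its new length checks subtract `sz_xRecordRegisterClientsReq >> 2` from `stuff->length`, while this caller only verified `REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq)`. That is sound only if the two request structures have the same size and layout (the cast predates this change, so they appear to, but nothing asserts it); a comment beside the call, `/* xRecordCreateContextReq shares xRecordRegisterClientsReq's layout; SwapCreateRegister's length checks rely on it */`, or a compile-time size check would make the assumption explicit. The same cast in SProcRecordRegisterClients uses the matching type and needs no such note.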
 
@@ -2692,11 +2700,13 @@ static int
 SProcRecordRegisterClients(ClientPtr client)
 {
     REQUEST(xRecordRegisterClientsReq);
+    int			status;
     register char 	n;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
-    SwapCreateRegister((pointer)stuff);
+    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+	return status;
     return ProcRecordRegisterClients(client);
 } /* SProcRecordRegisterClients */
 

commit 702e709973252d596be736c2f5c0de4837446501
Author: Matthieu Herrb <matthieu.herrb@laas.fr>
Date:   Sun Jun 8 11:15:39 2008 -0600

    CVE-2008-2362 - RENDER Extension memory corruption
    
    Integer overflows can occur in the code validating the parameters for
    the SProcRenderCreateLinearGradient, SProcRenderCreateRadialGradient
    and SProcRenderCreateConicalGradient functions, leading to memory
    corruption by swapping bytes outside of the intended request
    parameters.

diff --git a/render/render.c b/render/render.c
index 74c5f63..b53e878 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1920,6 +1920,8 @@ static int ProcRenderCreateLinearGradient (ClientPtr client)
     LEGAL_NEW_RESOURCE(stuff->pid, client);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
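Review bot: The overflow guard is added here and to the three SProc gradient handlers later in this diff, but not to ProcRenderCreateRadialGradient or ProcRenderCreateConicalGradient; if those contain the same `len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))` comparison (they are not in this diff) they need the identical guard, since the SProc handlers only see byte-swapped clients. `UINT32_MAX` is used here and in the later render.c hunks without any include visible in this commit, whereas the glyph.c change in this series adds a guarded `#include <stdint.h>` with a fallback `#define UINT32_MAX 0xffffffffU`; unless render.c already obtains it elsewhere, the same guard belongs here. The same two-line guard repeated in four places would read better as one `static` helper. The remainder of each handler lies outside its hunk.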
 
@@ -2493,18 +2495,18 @@ SProcRenderCreateSolidFill(ClientPtr client)
     return (*ProcRenderVector[stuff->renderReqType]) (client);
 }
 
-static void swapStops(void *stuff, int n)
+static void swapStops(void *stuff, int num)
 {
-    int i;
+    int i, n;
     CARD32 *stops;
     CARD16 *colors;
     stops = (CARD32 *)(stuff);
-    for (i = 0; i < n; ++i) {
+    for (i = 0; i < num; ++i) {
         swapl(stops, n);
         ++stops;
     }
     colors = (CARD16 *)(stops);
-    for (i = 0; i < 4*n; ++i) {
+    for (i = 0; i < 4*num; ++i) {
         swaps(stops, n);
         ++stops;
     }
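Review bot: The second loop still swaps through `stops`, a CARD32 pointer, although `colors` has just been set up for it: `colors` is assigned and never used, `swaps` only swaps the first two bytes of each 4-byte slot, and 4*num iterations of `++stops` advance 16*num bytes from the start of the color data rather than the 8*num bytes that 4*num CARD16 values occupy, so the swap runs past the request for byte-swapped clients. The loop body should be `swaps(colors, n);` followed by `++colors;`. The rename of the bound to `num` is the right fix for the other half of the problem, since `swapl`/`swaps` use `n` as scratch.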
@@ -2527,6 +2529,8 @@ SProcRenderCreateLinearGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
@@ -2554,6 +2558,8 @@ SProcRenderCreateRadialGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
@@ -2578,6 +2584,8 @@ SProcRenderCreateConicalGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 

commit c4937bbb697579ceff0e30b17aca409f56e78566
Author: Matthieu Herrb <matthieu.herrb@laas.fr>
Date:   Sun Jun 8 11:14:31 2008 -0600

    CVE-2008-2361 - RENDER Extension crash
    
    An integer overflow may occur in the computation of the
    size of the glyph to be allocated by the ProcRenderCreateCursor()
    function, which will cause less memory to be allocated than expected,
    leading later to dereferencing un-mapped memory, causing a crash of
    the X server.

diff --git a/render/render.c b/render/render.c
index caaa278..74c5f63 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1504,6 +1504,8 @@ ProcRenderCreateCursor (ClientPtr client)
     pScreen = pSrc->pDrawable->pScreen;
     width = pSrc->pDrawable->width;
     height = pSrc->pDrawable->height;
+    if (height && width > UINT32_MAX/(height*sizeof(CARD32)))
+	return BadAlloc;
     if ( stuff->x > width 
       || stuff->y > height )
 	return (BadMatch);
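Review bot: The guard bounds `width * height * sizeof(CARD32)` against UINT32_MAX, but nothing beside it says which allocation it protects, and that allocation lies outside this hunk; a comment such as `/* guards the width*height*sizeof(CARD32) allocation below against 32-bit wrap */` ties the check to its purpose. If the later size expression is computed in `int`, the bound should be INT_MAX-based rather than UINT32_MAX; that cannot be confirmed from the hunk. `height*sizeof(CARD32)` itself cannot overflow only if `height` is a small drawable dimension, which is also an assumption from outside the hunk.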

commit b1a4a96885bf191d5f4afcfb2b41a88631b8412b
Author: Matthieu Herrb <matthieu.herrb@laas.fr>
Date:   Sun Jun 8 11:13:47 2008 -0600

    CVE-2008-2360 - RENDER Extension heap buffer overflow
    
    An integer overflow may occur in the computation of the size of the
    glyph to be allocated by the AllocateGlyph() function which will cause
    less memory to be allocated than expected, leading to later heap
    overflow.
    
    On systems where the X SIGSEGV handler includes a stack trace, more
    malloc()-type functions are called, which may lead to other
    exploitable issues.

diff --git a/render/glyph.c b/render/glyph.c
index 583a52b..42ae65d 100644
--- a/render/glyph.c
+++ b/render/glyph.c
@@ -42,6 +42,12 @@
 #include "picturestr.h"
 #include "glyphstr.h"
 
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
 /*
  * From Knuth -- a good choice for hash/rehash values is p, p-2 where
  * p and p-2 are both prime.  These tables are sized to have an extra 10%
@@ -626,8 +632,12 @@ AllocateGlyph (xGlyphInfo *gi, int fdepth)
     int		     size;
     GlyphPtr	     glyph;
     int		     i;
-
-    size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
+    size_t	     padded_width;
+    
+    padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
+    if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
+	return 0;
+    size = gi->height * padded_width;
     glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
     if (!glyph)
 	return 0;
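Review bot: The new bound allows `gi->height * padded_width` up to `UINT32_MAX - sizeof(GlyphRec)`, which exceeds INT_MAX, yet `size` is still declared `int`, so `size = gi->height * padded_width;` can store an out-of-range value (implementation-defined, typically negative) and the following `size + sizeof (GlyphRec)` then depends on how that negative int converts back to size_t. Declaring `size_t size;` in place of `int size;`, and checking any other use of `size` in the rest of AllocateGlyph (outside the hunk), removes that. The `size_t padded_width;` line and the blank line after it carry trailing whitespace.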

commit 43285b4f72a0eb47aa0c33e4e41cd10434969991
Author: Daniel Stone <daniel@fooishbar.org>
Date:   Tue Jun 10 18:36:38 2008 +0300

    Bump to 1.4.1
    
    Whatever.  It doesn't have to be perfect.

diff --git a/configure.ac b/configure.ac
index 6145aa2..c64117f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -26,7 +26,7 @@ dnl
 dnl Process this file with autoconf to create configure.
 
 AC_PREREQ(2.57)
-AC_INIT([xorg-server], 1.4.0.90, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
+AC_INIT([xorg-server], 1.4.1, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
 AC_CONFIG_SRCDIR([Makefile.am])
 AM_INIT_AUTOMAKE([dist-bzip2 foreign])
 AM_MAINTAINER_MODE

commit 4d59afd613cd7e82255fc83e921300f6bd3a7552
Author: Daniel Stone <daniel@fooishbar.org>
Date:   Tue Jun 10 18:33:57 2008 +0300

    Xi: event_{x,y} should refer to the extended device (bug #16289)
    
    ProcessOtherEvents was unconditionally stomping the root_{x,y}
    co-ordinates provided by GetPointerEvents with those of the core
    pointer, meaning that both root_{x,y} and event_{x,y} reported to
    clients would reflect the sprite's position, not the position reported
    by the device that generated the DeviceMotionNotify or the
    DeviceButton{Press,Release} event in the first place.
    
    For key events we still take the sprite's co-ords, as we're delivering
    to the focus, which is the (VCP) sprite.
    
    Not cherry-picked from master as MPX fixes this anyway, by taking the
    co-ords of the sprite the device moves (be it visible or no).
    (cherry picked from commit 8259d19f7155d82197ecc2aa16b316376c2dcb12)

diff --git a/Xi/exevents.c b/Xi/exevents.c
index 7cf0c50..0de5ea8 100644
--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -123,9 +123,14 @@ ProcessOtherEvent(xEventPtr xE, DeviceIntPtr other, int count)
     deviceValuator *xV = (deviceValuator *) xE;
 
     if (xE->u.u.type != DeviceValuator) {
-	GetSpritePosition(&rootX, &rootY);
-	xE->u.keyButtonPointer.rootX = rootX;
-	xE->u.keyButtonPointer.rootY = rootY;
+        /* Other types already have root{X,Y} filled in. */
+        if (xE->u.u.type == DeviceKeyPress ||
+            xE->u.u.type == DeviceKeyRelease) {
+	    GetSpritePosition(&rootX, &rootY);
+	    xE->u.keyButtonPointer.rootX = rootX;
+	    xE->u.keyButtonPointer.rootY = rootY;
+        }
+
 	key = xE->u.u.detail;
 	NoticeEventTime(xE);
 	xE->u.keyButtonPointer.state = inputInfo.keyboard->key->state |
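Review bot: The added lines mix indentation — the comment and the `if` use eight spaces while the three statements inside the branch use a tab plus four spaces, in a block whose existing lines are tab-indented; pick one style for the whole insertion. The comment `/* Other types already have root{X,Y} filled in. */` would be more useful if it named the source, as the commit message does, e.g. `/* GetPointerEvents already filled root{X,Y} for pointer events; only key events, delivered to the focus, take the sprite position. */`. The rest of ProcessOtherEvent lies outside the hunk.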

commit 7982aaa7f071f9a21ad402da872d5328bd7e51ff
Author: Sascha Hlusiak <saschahlusiak@arcor.de>
Date:   Fri May 30 19:30:06 2008 +0200

    Fix getValuatorEvents to compute number of valuators correctly.

diff --git a/dix/getevents.c b/dix/getevents.c
index d0fe2db..c96ee68 100644
--- a/dix/getevents.c
+++ b/dix/getevents.c
@@ -347,7 +347,7 @@ getValuatorEvents(xEvent *events, DeviceIntPtr pDev, int first_valuator,
     for (i = first_valuator; i < final_valuator; i += 6, xv++, events++) {
         xv->type = DeviceValuator;
         xv->first_valuator = i;
-        xv->num_valuators = ((num_valuators - i) > 6) ? 6 : (num_valuators - i);
+        xv->num_valuators = ((final_valuator - i) > 6) ? 6 : (final_valuator - i);
         xv->deviceid = pDev->id;
         switch (final_valuator - i) {
         case 6:
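Review bot: The fix is consistent with the loop bound, but the constant 6 now appears three times in this loop (the stride `i += 6`, the clamp `> 6 ? 6`, and `case 6`); a named constant with a short comment, e.g. `enum { VALUATORS_PER_EVENT = 6 }; /* valuator slots in one deviceValuator event */` (constructed name), would make the clamp and the switch self-explanatory. Whether `final_valuator` has already been clamped to the device's valuator count happens before the hunk and cannot be confirmed here.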

