
xorg-server: Changes to 'debian-unstable'



 ChangeLog                                     |  104 +++++++++++++
 Xext/security.c                               |   10 -
 Xext/shm.c                                    |   13 +
 Xi/exevents.c                                 |   11 +
 configure.ac                                  |    4 
 debian/changelog                              |    9 +
 debian/patches/idef-apr08-v3-xserver-1.4.diff |  203 --------------------------
 debian/patches/series                         |    1 
 dix/getevents.c                               |    2 
 hw/xfree86/modes/xf86Crtc.c                   |    4 
 record/record.c                               |   16 +-
 render/glyph.c                                |   14 +
 render/render.c                               |   18 +-
 13 files changed, 183 insertions(+), 226 deletions(-)

New commits:
commit 4c399327fb8d124bd1ed7da1eca308074fc9141b
Author: Julien Cristau <jcristau@debian.org>
Date:   Wed Jun 11 19:07:16 2008 +0200

    Update changelog for latest cherry-picked patches

diff --git a/debian/changelog b/debian/changelog
index a33c907..c857473 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ xorg-server (2:1.4.2-1) UNRELEASED; urgency=low
 
   * New upstream release.
   * Security fixes from the previous upload are included upstream.
+  * Cherry-pick patches from upstream git to make the LeftOf and Above options
+    in xorg.conf actually work (closes: #466526).
 
  -- Julien Cristau <jcristau@debian.org>  Wed, 11 Jun 2008 18:57:01 +0200
 

commit 3094028e30ca18b8ec98be7a46cc4e29a746b00b
Author: Julien Cristau <jcristau@debian.org>
Date:   Mon May 19 03:15:11 2008 +0200

    xfree86: fix initial output positions with Above or LeftOf and rotation
    
    The fix in fa19e84714aa84a2f2e817e363d6440349d0b619 was incomplete,
    as it was still using the wrong output's initial rotation to compute
    the position.
    (cherry picked from commit 82c4075d4ba3bea03341c80b754b0f9d2f62a826)

diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c
index ad206f1..9d93993 100644
--- a/hw/xfree86/modes/xf86Crtc.c
+++ b/hw/xfree86/modes/xf86Crtc.c
@@ -1068,10 +1068,10 @@ xf86InitialOutputPositions (ScrnInfoPtr scrn, DisplayModePtr *modes)
 		    output->initial_x += xf86ModeWidth (modes[or], relative->initial_rotation);
 		    break;
 		case OPTION_ABOVE:
-		    output->initial_y -= xf86ModeHeight (modes[o], relative->initial_rotation);
+		    output->initial_y -= xf86ModeHeight (modes[o], output->initial_rotation);
 		    break;
 		case OPTION_LEFT_OF:
-		    output->initial_x -= xf86ModeWidth (modes[o], relative->initial_rotation);
+		    output->initial_x -= xf86ModeWidth (modes[o], output->initial_rotation);
 		    break;
 		default:
 		    break;
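Review bot: The ABOVE and LEFT_OF cases now subtract this output's own extent (`modes[o]`, `output->initial_rotation`) while the RIGHT_OF case on the first context line still adds the relative's (`modes[or]`, `relative->initial_rotation`), and nothing in the code says that the asymmetry is intentional, so the next reader may "harmonise" it back into the bug this commit fixes. A one-line comment on the ABOVE case, e.g. `/* LeftOf/Above: offset by this output's own size; RightOf/Below: by the relative's */`, would pin that down. xf86InitialOutputPositions starts and ends outside the hunk, so the remaining cases of the switch are not visible here.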

commit 94a1a611180ba38902b88d2be56a38f31b2eaed5
Author: Matthias Hopf <mhopf@suse.de>
Date:   Tue Nov 20 16:54:50 2007 +0100

    Fix initial placement of LeftOf and Above.
    (cherry picked from commit fa19e84714aa84a2f2e817e363d6440349d0b619)

diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c
index d375da8..ad206f1 100644
--- a/hw/xfree86/modes/xf86Crtc.c
+++ b/hw/xfree86/modes/xf86Crtc.c
@@ -1068,10 +1068,10 @@ xf86InitialOutputPositions (ScrnInfoPtr scrn, DisplayModePtr *modes)
 		    output->initial_x += xf86ModeWidth (modes[or], relative->initial_rotation);
 		    break;
 		case OPTION_ABOVE:
-		    output->initial_y -= xf86ModeHeight (modes[or], relative->initial_rotation);
+		    output->initial_y -= xf86ModeHeight (modes[o], relative->initial_rotation);
 		    break;
 		case OPTION_LEFT_OF:
-		    output->initial_x -= xf86ModeWidth (modes[or], relative->initial_rotation);
+		    output->initial_x -= xf86ModeWidth (modes[o], relative->initial_rotation);
 		    break;
 		default:
 		    break;

commit 80e3bd7b9b1a8fa7073ec8bef0b2e8c8671710a5
Author: Julien Cristau <jcristau@debian.org>
Date:   Wed Jun 11 18:58:36 2008 +0200

    Update changelogs and drop patch included upstream

diff --git a/ChangeLog b/ChangeLog
index ba131de..f25053b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,107 @@
+commit c3a7903f6a6a27e53ba0372408e0c5a68c608e86
+Author: Julien Cristau <jcristau@debian.org>
+Date:   Wed Jun 11 16:27:10 2008 +0200
+
+    Bump to 1.4.2
+    
+    And update release date.
+
+commit 08e6292e7efff518730e3c54f3a082c6139d618d
+Author: Matthieu Herrb <matthieu.herrb@laas.fr>
+Date:   Sun Jun 8 11:16:23 2008 -0600
+
+    CVE-2008-1379 - MIT-SHM arbitrary memory read
+    
+    An integer overflow in the validation of the parameters of the
+    ShmPutImage() request makes it possible to trigger the copy of
+    arbitrary server memory to a pixmap that can subsequently be read by
+    the client, to read arbitrary parts of the X server memory space.
+
+commit 8ffaf613705a915c4b53ae11096dacd786fd1d22
+Author: Matthieu Herrb <matthieu.herrb@laas.fr>
+Date:   Sun Jun 8 11:16:55 2008 -0600
+
+    CVE-2008-1377 - RECORD and Security extensions memory corruption
+    
+    Lack of validation of the parameters of the
+    SProcSecurityGenerateAuthorization SProcRecordCreateContext
+    functions makes it possible for a specially crafted request to trigger
+    the swapping of bytes outside the parameter of these requests, causing
+    memory corruption.
+
+commit 702e709973252d596be736c2f5c0de4837446501
+Author: Matthieu Herrb <matthieu.herrb@laas.fr>
+Date:   Sun Jun 8 11:15:39 2008 -0600
+
+    CVE-2008-2362 - RENDER Extension memory corruption
+    
+    Integer overflows can occur in the code validating the parameters for
+    the SProcRenderCreateLinearGradient, SProcRenderCreateRadialGradient
+    and SProcRenderCreateConicalGradient functions, leading to memory
+    corruption by swapping bytes outside of the intended request
+    parameters.
+
+commit c4937bbb697579ceff0e30b17aca409f56e78566
+Author: Matthieu Herrb <matthieu.herrb@laas.fr>
+Date:   Sun Jun 8 11:14:31 2008 -0600
+
+    CVE-2008-2361 - RENDER Extension crash
+    
+    An integer overflow may occur in the computation of the
+    size of the  glyph to be allocated by the ProcRenderCreateCursor()
+    function  which will cause less memory to be allocated than expected,
+    leading later to dereferencing  un-mapped memory, causing a crash of
+    the X server.
+
+commit b1a4a96885bf191d5f4afcfb2b41a88631b8412b
+Author: Matthieu Herrb <matthieu.herrb@laas.fr>
+Date:   Sun Jun 8 11:13:47 2008 -0600
+
+    CVE-2008-2360 - RENDER Extension heap buffer overflow
+    
+    An integer overflow may occur in the computation of the size of the
+    glyph to be allocated by the AllocateGlyph() function which will cause
+    less memory to be allocated than expected, leading to later heap
+    overflow.
+    
+    On systems where the X  SIGSEGV handler includes a stack trace, more
+    malloc()-type functions are called, which may lead to other
+    exploitable issues.
+
+commit 43285b4f72a0eb47aa0c33e4e41cd10434969991
+Author: Daniel Stone <daniel@fooishbar.org>
+Date:   Tue Jun 10 18:36:38 2008 +0300
+
+    Bump to 1.4.1
+    
+    Whatever.  It doesn't have to be perfect.
+
+commit 4d59afd613cd7e82255fc83e921300f6bd3a7552
+Author: Daniel Stone <daniel@fooishbar.org>
+Date:   Tue Jun 10 18:33:57 2008 +0300
+
+    Xi: event_{x,y} should refer to the extended device (bug #16289)
+    
+    ProcessOtherEvents was unconditionally stomping the root_{x,y}
+    co-ordinates provided by GetPointerEvents with those of the core
+    pointer, meaning that both root_{x,y} and event_{x,y} reported to
+    clients would reflect the sprite's position, not the position reported
+    by the device that generated the DeviceMotionNotify or the
+    DeviceButton{Press,Release} event in the first place.
+    
+    For key events we still take the sprite's co-ords, as we're delivering
+    to the focus, which is the (VCP) sprite.
+    
+    Not cherry-picked from master as MPX fixes this anyway, by taking the
+    co-ords of the sprite the device moves (be it visible or no).
+    (cherry picked from commit 8259d19f7155d82197ecc2aa16b316376c2dcb12)
+
+commit 7982aaa7f071f9a21ad402da872d5328bd7e51ff
+Author: Sascha Hlusiak <saschahlusiak@arcor.de>
+Date:   Fri May 30 19:30:06 2008 +0200
+
+    Fix getValuatorEvents to compute number of valuators correctly.
+
 commit ddcca23a81abf5215f906a7ad097f1ed088ed92b
 Author: Peter Hutterer <peter@cs.unisa.edu.au>
 Date:   Thu Feb 7 15:48:04 2008 +1030
diff --git a/debian/changelog b/debian/changelog
index 4426246..a33c907 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+xorg-server (2:1.4.2-1) UNRELEASED; urgency=low
+
+  * New upstream release.
+  * Security fixes from the previous upload are included upstream.
+
+ -- Julien Cristau <jcristau@debian.org>  Wed, 11 Jun 2008 18:57:01 +0200
+
 xorg-server (2:1.4.1~git20080517-2) unstable; urgency=high
 
   * High urgency upload for security fixes.
diff --git a/debian/patches/idef-apr08-v3-xserver-1.4.diff b/debian/patches/idef-apr08-v3-xserver-1.4.diff
deleted file mode 100644
index 4d805f3..0000000
--- a/debian/patches/idef-apr08-v3-xserver-1.4.diff
+++ /dev/null
@@ -1,203 +0,0 @@
-Index: xorg-server/Xext/security.c
-===================================================================
---- xorg-server.orig/Xext/security.c
-+++ xorg-server/Xext/security.c
-@@ -651,15 +651,19 @@
-     register char 	n;
-     CARD32 *values;
-     unsigned long nvalues;
-+    int values_offset;
- 
-     swaps(&stuff->length, n);
-     REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
-     swaps(&stuff->nbytesAuthProto, n);
-     swaps(&stuff->nbytesAuthData, n);
-     swapl(&stuff->valueMask, n);
--    values = (CARD32 *)(&stuff[1]) +
--	((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
--	((stuff->nbytesAuthData + (unsigned)3) >> 2);
-+    values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
-+		    ((stuff->nbytesAuthData + (unsigned)3) >> 2);
-+    if (values_offset > 
-+	stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
-+	return BadLength;
-+    values = (CARD32 *)(&stuff[1]) + values_offset;
-     nvalues = (((CARD32 *)stuff) + stuff->length) - values;
-     SwapLongs(values, nvalues);
-     return ProcSecurityGenerateAuthorization(client);
-Index: xorg-server/Xext/shm.c
-===================================================================
---- xorg-server.orig/Xext/shm.c
-+++ xorg-server/Xext/shm.c
-@@ -848,8 +848,17 @@
-         return BadValue;
-     }
- 
--    VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
--		   client);
-+    /* 
-+     * There's a potential integer overflow in this check:
-+     * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
-+     *                client);
-+     * the version below ought to avoid it
-+     */
-+    if (stuff->totalHeight != 0 && 
-+	length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
-+	client->errorValue = stuff->totalWidth;
-+	return BadValue;
-+    }
-     if (stuff->srcX > stuff->totalWidth)
-     {
- 	client->errorValue = stuff->srcX;
-Index: xorg-server/record/record.c
-===================================================================
---- xorg-server.orig/record/record.c
-+++ xorg-server/record/record.c
-@@ -2656,7 +2656,7 @@
- } /* SProcRecordQueryVersion */
- 
- 
--static void
-+static int
- SwapCreateRegister(xRecordRegisterClientsReq *stuff)
- {
-     register char n;
-@@ -2667,11 +2667,17 @@
-     swapl(&stuff->nClients, n);
-     swapl(&stuff->nRanges, n);
-     pClientID = (XID *)&stuff[1];
-+    if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
-+	return BadLength;
-     for (i = 0; i < stuff->nClients; i++, pClientID++)
-     {
- 	swapl(pClientID, n);
-     }
-+    if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
-+	- stuff->nClients)
-+	return BadLength;
-     RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
-+    return Success;
- } /* SwapCreateRegister */
- 
- 
-@@ -2679,11 +2685,13 @@
- SProcRecordCreateContext(ClientPtr client)
- {
-     REQUEST(xRecordCreateContextReq);
-+    int			status;
-     register char 	n;
- 
-     swaps(&stuff->length, n);
-     REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
--    SwapCreateRegister((pointer)stuff);
-+    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
-+	return status;
-     return ProcRecordCreateContext(client);
- } /* SProcRecordCreateContext */
- 
-@@ -2692,11 +2700,13 @@
- SProcRecordRegisterClients(ClientPtr client)
- {
-     REQUEST(xRecordRegisterClientsReq);
-+    int			status;
-     register char 	n;
- 
-     swaps(&stuff->length, n);
-     REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
--    SwapCreateRegister((pointer)stuff);
-+    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
-+	return status;
-     return ProcRecordRegisterClients(client);
- } /* SProcRecordRegisterClients */
- 
-Index: xorg-server/render/glyph.c
-===================================================================
---- xorg-server.orig/render/glyph.c
-+++ xorg-server/render/glyph.c
-@@ -626,8 +626,12 @@
-     int		     size;
-     GlyphPtr	     glyph;
-     int		     i;
--
--    size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
-+    size_t	     padded_width;
-+    
-+    padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
-+    if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
-+	return 0;
-+    size = gi->height * padded_width;
-     glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
-     if (!glyph)
- 	return 0;
-Index: xorg-server/render/render.c
-===================================================================
---- xorg-server.orig/render/render.c
-+++ xorg-server/render/render.c
-@@ -1504,6 +1504,8 @@
-     pScreen = pSrc->pDrawable->pScreen;
-     width = pSrc->pDrawable->width;
-     height = pSrc->pDrawable->height;
-+    if (height && width > UINT32_MAX/(height*sizeof(CARD32)))
-+	return BadAlloc;
-     if ( stuff->x > width 
-       || stuff->y > height )
- 	return (BadMatch);
-@@ -1918,6 +1920,8 @@
-     LEGAL_NEW_RESOURCE(stuff->pid, client);
- 
-     len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
-+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
-+	return BadLength;
-     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
-         return BadLength;
- 
-@@ -2491,18 +2495,18 @@
-     return (*ProcRenderVector[stuff->renderReqType]) (client);
- }
- 
--static void swapStops(void *stuff, int n)
-+static void swapStops(void *stuff, int num)
- {
--    int i;
-+    int i, n;
-     CARD32 *stops;
-     CARD16 *colors;
-     stops = (CARD32 *)(stuff);
--    for (i = 0; i < n; ++i) {
-+    for (i = 0; i < num; ++i) {
-         swapl(stops, n);
-         ++stops;
-     }
-     colors = (CARD16 *)(stops);
--    for (i = 0; i < 4*n; ++i) {
-+    for (i = 0; i < 4*num; ++i) {
-         swaps(stops, n);
-         ++stops;
-     }
-@@ -2525,6 +2529,8 @@
-     swapl(&stuff->nStops, n);
- 
-     len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
-+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
-+	return BadLength;
-     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
-         return BadLength;
- 
-@@ -2552,6 +2558,8 @@
-     swapl(&stuff->nStops, n);
- 
-     len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
-+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
-+	return BadLength;
-     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
-         return BadLength;
- 
-@@ -2576,6 +2584,8 @@
-     swapl(&stuff->nStops, n);
- 
-     len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
-+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
-+	return BadLength;
-     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
-         return BadLength;
- 
diff --git a/debian/patches/series b/debian/patches/series
index 24f1e59..9713eb7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -20,7 +20,6 @@
 45_only_XF86_APM_CAPABILITY_CHANGED_for_video_change_acpi_events.diff
 46_reduce_wakeups_from_smart_scheduler.patch
 #47_fbdevhw_magic_numbers.diff
-idef-apr08-v3-xserver-1.4.diff
 91_ttf2pt1
 91_ttf2pt1_updates
 92_xprint-security-holes-fix.patch

commit c3a7903f6a6a27e53ba0372408e0c5a68c608e86
Author: Julien Cristau <jcristau@debian.org>
Date:   Wed Jun 11 16:27:10 2008 +0200

    Bump to 1.4.2
    
    And update release date.

diff --git a/configure.ac b/configure.ac
index c64117f..f75fc61 100644
--- a/configure.ac
+++ b/configure.ac
@@ -26,7 +26,7 @@ dnl
 dnl Process this file with autoconf to create configure.
 
 AC_PREREQ(2.57)
-AC_INIT([xorg-server], 1.4.1, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
+AC_INIT([xorg-server], 1.4.2, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
 AC_CONFIG_SRCDIR([Makefile.am])
 AM_INIT_AUTOMAKE([dist-bzip2 foreign])
 AM_MAINTAINER_MODE
@@ -392,7 +392,7 @@ VENDOR_MAN_VERSION="Version ${PACKAGE_VERSION}"
 
 VENDOR_NAME="The X.Org Foundation"
 VENDOR_NAME_SHORT="X.Org"
-RELEASE_DATE="5 September 2007"
+RELEASE_DATE="11 June 2008"
 VENDOR_WEB="http://wiki.x.org";
 
 m4_ifdef([AS_HELP_STRING], , [m4_define([AS_HELP_STRING], m4_defn([AC_HELP_STRING]))])

commit 08e6292e7efff518730e3c54f3a082c6139d618d
Author: Matthieu Herrb <matthieu.herrb@laas.fr>
Date:   Sun Jun 8 11:16:23 2008 -0600

    CVE-2008-1379 - MIT-SHM arbitrary memory read
    
    An integer overflow in the validation of the parameters of the
    ShmPutImage() request makes it possible to trigger the copy of
    arbitrary server memory to a pixmap that can subsequently be read by
    the client, to read arbitrary parts of the X server memory space.

diff --git a/Xext/shm.c b/Xext/shm.c
index 3c0d1ee..de908cf 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -848,8 +848,17 @@ ProcShmPutImage(client)
         return BadValue;
     }
 
-    VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
-		   client);
+    /* 
+     * There's a potential integer overflow in this check:
+     * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+     *                client);
+     * the version below ought to avoid it
+     */
+    if (stuff->totalHeight != 0 && 
+	length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
+	client->errorValue = stuff->totalWidth;
+	return BadValue;
+    }
     if (stuff->srcX > stuff->totalWidth)
     {
 	client->errorValue = stuff->srcX;
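Review bot: The new bound divides `shmdesc->size - stuff->offset` by `totalHeight`, so it is only correct if `stuff->offset <= shmdesc->size` has already been established earlier in ProcShmPutImage (outside the hunk, presumably by the segment/offset validation); if that guarantee is missing, an offset past the end of the segment makes the subtraction wrap (or go negative) and the check passes. The comment should state that dependency instead of only describing the old macro, e.g. `/* stuff->offset <= shmdesc->size was checked above, so the subtraction cannot wrap */`. It is also worth noting in the same comment that `totalHeight == 0` skips the bound entirely, which is harmless only if the later copy is driven by `totalHeight` as well.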

commit 8ffaf613705a915c4b53ae11096dacd786fd1d22
Author: Matthieu Herrb <matthieu.herrb@laas.fr>
Date:   Sun Jun 8 11:16:55 2008 -0600

    CVE-2008-1377 - RECORD and Security extensions memory corruption
    
    Lack of validation of the parameters of the
    SProcSecurityGenerateAuthorization SProcRecordCreateContext
    functions makes it possible for a specially crafted request to trigger
    the swapping of bytes outside the parameter of these requests, causing
    memory corruption.

diff --git a/Xext/security.c b/Xext/security.c
index 14ad354..a8a75ea 100644
--- a/Xext/security.c
+++ b/Xext/security.c
@@ -651,15 +651,19 @@ SProcSecurityGenerateAuthorization(
     register char 	n;
     CARD32 *values;
     unsigned long nvalues;
+    int values_offset;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
     swaps(&stuff->nbytesAuthProto, n);
     swaps(&stuff->nbytesAuthData, n);
     swapl(&stuff->valueMask, n);
-    values = (CARD32 *)(&stuff[1]) +
-	((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
-	((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+		    ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    if (values_offset > 
+	stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+	return BadLength;
+    values = (CARD32 *)(&stuff[1]) + values_offset;
     nvalues = (((CARD32 *)stuff) + stuff->length) - values;
     SwapLongs(values, nvalues);
     return ProcSecurityGenerateAuthorization(client);
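Review bot: The new check bounds `values_offset` by `stuff->length`, the 16-bit length word from the wire, whereas REQUEST_AT_LEAST_SIZE a few lines above validates `client->req_len`; if this server follows the BIG-REQUESTS convention of a zero length word with the real length only in `client->req_len`, the subtraction goes negative and every such request is rejected with BadLength, and the `nvalues` computation on the next line would likewise be wrong. Using the already-validated count, `if (values_offset > client->req_len - (sz_xSecurityGenerateAuthorizationReq >> 2))`, and deriving `nvalues` from `client->req_len` as well, keeps the bound consistent with the size macro. The same `stuff->length` pattern appears in the SwapCreateRegister hunk of record/record.c in this commit.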
diff --git a/record/record.c b/record/record.c
index 0ed8f84..9a166d6 100644
--- a/record/record.c
+++ b/record/record.c
@@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client)
 } /* SProcRecordQueryVersion */
 
 
-static void
+static int
 SwapCreateRegister(xRecordRegisterClientsReq *stuff)
 {
     register char n;
@@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
     swapl(&stuff->nClients, n);
     swapl(&stuff->nRanges, n);
     pClientID = (XID *)&stuff[1];
+    if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
+	return BadLength;
     for (i = 0; i < stuff->nClients; i++, pClientID++)
     {
 	swapl(pClientID, n);
     }
+    if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
+	- stuff->nClients)
+	return BadLength;
     RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
+    return Success;
 } /* SwapCreateRegister */
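Review bot: The two new checks compare `stuff->nClients` and `stuff->nRanges`, 32-bit wire fields just swapped with swapl and presumably unsigned, against `stuff->length - (sz_xRecordRegisterClientsReq >> 2)`, an int that nothing in this function keeps non-negative: REQUEST_AT_LEAST_SIZE in the callers validates `client->req_len`, not `stuff->length`, so for a length word below the fixed size (zero under BIG-REQUESTS) the right-hand side is negative, converts to a large unsigned value in the comparison, and both checks pass with the swap loop and RecordSwapRanges left unbounded. Computing the remaining word count once from `client->req_len` into an unsigned local closes this; it requires giving SwapCreateRegister a ClientPtr and passing `client` at the two call sites in the following hunks (SProcRecordCreateContext, SProcRecordRegisterClients). The nRanges bound also counts words while each xRecordRange spans several (`sz_xRecordRange` bytes), so dividing by `sz_xRecordRange >> 2` makes it exact, assuming RecordSwapRanges walks that many structures. SwapCreateRegister's signature and first declarations sit in the previous hunk.
```c
static int
SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq *stuff)
{
    /* … unchanged: local declarations … */
    CARD32 remaining;

    /* … unchanged: swapl of the fixed fields … */
    remaining = client->req_len - (sz_xRecordRegisterClientsReq >> 2);
    pClientID = (XID *)&stuff[1];
    if (stuff->nClients > remaining)
	return BadLength;
    /* … unchanged: swapl of each client id … */
    remaining -= stuff->nClients;
    if (stuff->nRanges > remaining / (sz_xRecordRange >> 2))
	return BadLength;
    RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
    return Success;
}
```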
 
 
@@ -2679,11 +2685,13 @@ static int
 SProcRecordCreateContext(ClientPtr client)
 {
     REQUEST(xRecordCreateContextReq);
+    int			status;
     register char 	n;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
-    SwapCreateRegister((pointer)stuff);
+    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+	return status;
     return ProcRecordCreateContext(client);
 } /* SProcRecordCreateContext */
 
@@ -2692,11 +2700,13 @@ static int
 SProcRecordRegisterClients(ClientPtr client)
 {
     REQUEST(xRecordRegisterClientsReq);
+    int			status;
     register char 	n;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
-    SwapCreateRegister((pointer)stuff);
+    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+	return status;
     return ProcRecordRegisterClients(client);
 } /* SProcRecordRegisterClients */
 

commit 702e709973252d596be736c2f5c0de4837446501
Author: Matthieu Herrb <matthieu.herrb@laas.fr>
Date:   Sun Jun 8 11:15:39 2008 -0600

    CVE-2008-2362 - RENDER Extension memory corruption
    
    Integer overflows can occur in the code validating the parameters for
    the SProcRenderCreateLinearGradient, SProcRenderCreateRadialGradient
    and SProcRenderCreateConicalGradient functions, leading to memory
    corruption by swapping bytes outside of the intended request
    parameters.

diff --git a/render/render.c b/render/render.c
index 74c5f63..b53e878 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1920,6 +1920,8 @@ static int ProcRenderCreateLinearGradient (ClientPtr client)
     LEGAL_NEW_RESOURCE(stuff->pid, client);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
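Review bot: The overflow guard is added to ProcRenderCreateLinearGradient here and to all three SProc gradient handlers in the later hunks of this diff, but no Proc-side hunk for the radial and conical variants appears; if ProcRenderCreateRadialGradient and ProcRenderCreateConicalGradient compare `len` against `stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))` the same way (their bodies are not visible here), they need the same guard. The identical two-line check now exists in four places; a named size such as `#define RENDER_STOP_SIZE (sizeof(xFixed) + sizeof(xRenderColor))` used by both the guard and the equality test would keep the copies from drifting. The enclosing functions start and end outside these hunks.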
@@ -2493,18 +2495,18 @@ SProcRenderCreateSolidFill(ClientPtr client)
     return (*ProcRenderVector[stuff->renderReqType]) (client);
 }
 
-static void swapStops(void *stuff, int n)
+static void swapStops(void *stuff, int num)
 {
-    int i;
+    int i, n;
     CARD32 *stops;
     CARD16 *colors;
     stops = (CARD32 *)(stuff);
-    for (i = 0; i < n; ++i) {
+    for (i = 0; i < num; ++i) {
         swapl(stops, n);
         ++stops;
     }
     colors = (CARD16 *)(stops);
-    for (i = 0; i < 4*n; ++i) {
+    for (i = 0; i < 4*num; ++i) {
         swaps(stops, n);
         ++stops;
     }
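Review bot: The second loop still walks and swaps through `stops`, a CARD32 pointer, even though `colors` is assigned from it on the line before and is otherwise unused; with `4*num` iterations at a 4-byte stride it covers twice the byte range the `4*num` CARD16 colour components occupy, swaps only the first two bytes of each word, and runs past the stop data in the request. The loop should step the CARD16 pointer: `swaps(colors, n); ++colors;`. The rename of the count to `num` in this hunk only fixes the collision with the scratch `n` the swap macros need; the pointer mix-up predates it.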
@@ -2527,6 +2529,8 @@ SProcRenderCreateLinearGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
@@ -2554,6 +2558,8 @@ SProcRenderCreateRadialGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
@@ -2578,6 +2584,8 @@ SProcRenderCreateConicalGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 

commit c4937bbb697579ceff0e30b17aca409f56e78566
Author: Matthieu Herrb <matthieu.herrb@laas.fr>
Date:   Sun Jun 8 11:14:31 2008 -0600

    CVE-2008-2361 - RENDER Extension crash
    
    An integer overflow may occur in the computation of the
    size of the glyph to be allocated by the ProcRenderCreateCursor()
    function which will cause less memory to be allocated than expected,
    leading later to dereferencing unmapped memory, causing a crash of
    the X server.

diff --git a/render/render.c b/render/render.c
index caaa278..74c5f63 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1504,6 +1504,8 @@ ProcRenderCreateCursor (ClientPtr client)
     pScreen = pSrc->pDrawable->pScreen;
     width = pSrc->pDrawable->width;
     height = pSrc->pDrawable->height;
+    if (height && width > UINT32_MAX/(height*sizeof(CARD32)))
+	return BadAlloc;
     if ( stuff->x > width 
       || stuff->y > height )
 	return (BadMatch);
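Review bot: The new guard is unexplained: a reader has to infer from `height*sizeof(CARD32)` which later computation it protects, and the allocation it presumably guards is outside the hunk. A comment such as `/* width * height * sizeof(CARD32) is allocated below; refuse a product that would wrap */` (adjusted to the actual allocation in ProcRenderCreateCursor) would make the intent checkable. The same comment should note that `height == 0` bypasses the bound and is left to the later code's handling of an empty image.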

commit b1a4a96885bf191d5f4afcfb2b41a88631b8412b
Author: Matthieu Herrb <matthieu.herrb@laas.fr>
Date:   Sun Jun 8 11:13:47 2008 -0600

    CVE-2008-2360 - RENDER Extension heap buffer overflow
    
    An integer overflow may occur in the computation of the size of the
    glyph to be allocated by the AllocateGlyph() function which will cause
    less memory to be allocated than expected, leading to later heap
    overflow.
    
    On systems where the X SIGSEGV handler includes a stack trace, more
    malloc()-type functions are called, which may lead to other
    exploitable issues.

diff --git a/render/glyph.c b/render/glyph.c
index 583a52b..42ae65d 100644
--- a/render/glyph.c
+++ b/render/glyph.c
@@ -42,6 +42,12 @@
 #include "picturestr.h"
 #include "glyphstr.h"
 
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
 /*
  * From Knuth -- a good choice for hash/rehash values is p, p-2 where
  * p and p-2 are both prime.  These tables are sized to have an extra 10%
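Review bot: This fallback is the only place in the series that makes `UINT32_MAX` available, yet render/render.c gains the same `UINT32_MAX` comparisons in commits 702e709 and c4937bb with no corresponding include hunk; unless render.c already includes `<stdint.h>` directly or transitively, it needs the same `#if HAVE_STDINT_H` block. Note that `#if HAVE_STDINT_H` evaluates to 0 if the config header defining it is not included before this point (the hunk does not show that include), which silently selects the fallback `#define`; that is harmless here but worth a comment so nobody reads the fallback as the normal path.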
@@ -626,8 +632,12 @@ AllocateGlyph (xGlyphInfo *gi, int fdepth)
     int		     size;
     GlyphPtr	     glyph;
     int		     i;
-
-    size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
+    size_t	     padded_width;
+    
+    padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
+    if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
+	return 0;
+    size = gi->height * padded_width;
     glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
     if (!glyph)
 	return 0;
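Review bot: `size` is declared `int` on the first line of this hunk while the guard bounds `gi->height * padded_width` by `UINT32_MAX - sizeof(GlyphRec)`, so a product between INT_MAX and that limit passes the guard and is then truncated into `size`, which goes negative, and every later signed use of `size` (outside the hunk) sees that value. Bounding with `INT_MAX - sizeof(GlyphRec)` instead, or declaring `size` as `size_t` alongside `padded_width`, keeps the two consistent. A comment on the check, e.g. `/* height * padded_width + sizeof(GlyphRec) must not wrap in the allocation below */`, would also help. AllocateGlyph's remaining body lies outside the hunk.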

commit 43285b4f72a0eb47aa0c33e4e41cd10434969991
Author: Daniel Stone <daniel@fooishbar.org>
Date:   Tue Jun 10 18:36:38 2008 +0300

    Bump to 1.4.1
    
    Whatever.  It doesn't have to be perfect.

diff --git a/configure.ac b/configure.ac
index 6145aa2..c64117f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -26,7 +26,7 @@ dnl
 dnl Process this file with autoconf to create configure.
 
 AC_PREREQ(2.57)
-AC_INIT([xorg-server], 1.4.0.90, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
+AC_INIT([xorg-server], 1.4.1, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
 AC_CONFIG_SRCDIR([Makefile.am])
 AM_INIT_AUTOMAKE([dist-bzip2 foreign])
 AM_MAINTAINER_MODE

commit 4d59afd613cd7e82255fc83e921300f6bd3a7552
Author: Daniel Stone <daniel@fooishbar.org>
Date:   Tue Jun 10 18:33:57 2008 +0300

    Xi: event_{x,y} should refer to the extended device (bug #16289)
    
    ProcessOtherEvents was unconditionally stomping the root_{x,y}
    co-ordinates provided by GetPointerEvents with those of the core
    pointer, meaning that both root_{x,y} and event_{x,y} reported to
    clients would reflect the sprite's position, not the position reported
    by the device that generated the DeviceMotionNotify or the
    DeviceButton{Press,Release} event in the first place.
    
    For key events we still take the sprite's co-ords, as we're delivering
    to the focus, which is the (VCP) sprite.
    
    Not cherry-picked from master as MPX fixes this anyway, by taking the
    co-ords of the sprite the device moves (be it visible or no).
    (cherry picked from commit 8259d19f7155d82197ecc2aa16b316376c2dcb12)

diff --git a/Xi/exevents.c b/Xi/exevents.c
index 7cf0c50..0de5ea8 100644
--- a/Xi/exevents.c
+++ b/Xi/exevents.c
@@ -123,9 +123,14 @@ ProcessOtherEvent(xEventPtr xE, DeviceIntPtr other, int count)
     deviceValuator *xV = (deviceValuator *) xE;
 
     if (xE->u.u.type != DeviceValuator) {
-	GetSpritePosition(&rootX, &rootY);
-	xE->u.keyButtonPointer.rootX = rootX;
-	xE->u.keyButtonPointer.rootY = rootY;
+        /* Other types already have root{X,Y} filled in. */
+        if (xE->u.u.type == DeviceKeyPress ||
+            xE->u.u.type == DeviceKeyRelease) {
+	    GetSpritePosition(&rootX, &rootY);
+	    xE->u.keyButtonPointer.rootX = rootX;
+	    xE->u.keyButtonPointer.rootY = rootY;
+        }
+
 	key = xE->u.u.detail;
 	NoticeEventTime(xE);
 	xE->u.keyButtonPointer.state = inputInfo.keyboard->key->state |
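Review bot: The added lines mix indentation: the comment, the `if (xE->u.u.type == DeviceKeyPress ||` line and the closing brace are indented with spaces while the three moved lines inside keep the file's tab indentation, so the block's nesting reads differently depending on tab width. Re-indent the new lines with tabs to match the surrounding `if (xE->u.u.type != DeviceValuator) {` body. The comment could also carry the reasoning from the commit message, e.g. `/* Key events go to the focus, so they take the sprite position; pointer/button events already carry their device's root{X,Y}. */`, which is where a future reader will look for it.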

commit 7982aaa7f071f9a21ad402da872d5328bd7e51ff
Author: Sascha Hlusiak <saschahlusiak@arcor.de>
Date:   Fri May 30 19:30:06 2008 +0200

    Fix getValuatorEvents to compute number of valuators correctly.

diff --git a/dix/getevents.c b/dix/getevents.c
index d0fe2db..c96ee68 100644
--- a/dix/getevents.c
+++ b/dix/getevents.c
@@ -347,7 +347,7 @@ getValuatorEvents(xEvent *events, DeviceIntPtr pDev, int first_valuator,
     for (i = first_valuator; i < final_valuator; i += 6, xv++, events++) {
         xv->type = DeviceValuator;
         xv->first_valuator = i;
-        xv->num_valuators = ((num_valuators - i) > 6) ? 6 : (num_valuators - i);
+        xv->num_valuators = ((final_valuator - i) > 6) ? 6 : (final_valuator - i);
         xv->deviceid = pDev->id;
         switch (final_valuator - i) {
         case 6:
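Review bot: `final_valuator - i` is now computed twice in a row, once inside the conditional on the changed line and again as the `switch` operand, which hides that the count and the case labels must agree. A local at the top of the loop body, `int remaining = final_valuator - i;`, with `xv->num_valuators = remaining > 6 ? 6 : remaining;` and `switch (remaining)`, makes that relationship explicit. getValuatorEvents starts before the hunk, so how `final_valuator` relates to `num_valuators` is not visible here; a short comment at the loop stating that `final_valuator` (not `num_valuators`) is the exclusive upper bound would guard against the regression this commit fixes.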

