Add vendor patch for CVE-2006-6101, CVE-2006-6102 and CVE-2006-6103;

this fixes possible overflows in the extensions dbe and render.
author: joerg <joerg> 2007-01-17 16:32:35 +0000
committer: joerg <joerg> 2007-01-17 16:32:35 +0000
commit: 542508d9bc8ad48768f24ccdf1705cfda718994a (patch)
tree: 2f72544ee3312e176d5251dcb9612a5e114a5b01 /x11/xorg-libs
parent: bb3e400ade0ddc062aefdd97cb3ee8314c2bff5f (diff)
download: pkgsrc-542508d9bc8ad48768f24ccdf1705cfda718994a.tar.gz
3 files changed, 183 insertions, 1 deletions
diff --git a/x11/xorg-libs/distinfo b/x11/xorg-libs/distinfo
index c8d016b2953..3d28739715b 100644
--- a/x11/xorg-libs/distinfo
+++ b/x11/xorg-libs/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.57 2006/12/16 11:32:44 abs Exp $
+$NetBSD: distinfo,v 1.58 2007/01/17 16:32:35 joerg Exp $
 
 SHA1 (X11R6.9.0-src1.tar.gz) = a6c077ed8fdeee5fe1956a427c4cb0bc266e1bef
 RMD160 (X11R6.9.0-src1.tar.gz) = d12270a4f41a3ceee4bfd5da22d387a3aa707df8
@@ -74,3 +74,5 @@ SHA1 (patch-cr) = c613afdca92b36a1a34264a53f9eaf4a8276a5fa
 SHA1 (patch-cs) = 686c444c42acbbae4030ff198bcd4fbd08e7a0e3
 SHA1 (patch-ct) = 96084456c2d7d4aaf05b2eebd13be2e575cead29
 SHA1 (patch-cu) = 99e0ec0a7119ccc8d0df72dec67ee5e4fe0dd5c7
+SHA1 (patch-cv) = a314b92adeadc66481ecfe5893f104640dbc2228
+SHA1 (patch-cw) = f57f4436817fbc73f758f48e83062bf8b4a716b2
diff --git a/x11/xorg-libs/patches/patch-cv b/x11/xorg-libs/patches/patch-cv
new file mode 100644
index 00000000000..a633f3e3325
--- /dev/null
+++ b/x11/xorg-libs/patches/patch-cv
@@ -0,0 +1,131 @@
+$NetBSD: patch-cv,v 1.1 2007/01/17 16:32:35 joerg Exp $
+
+--- programs/Xserver/dbe/dbe.c.orig	2005-07-03 07:01:17.000000000 +0000
++++ programs/Xserver/dbe/dbe.c
+@@ -55,6 +55,10 @@
+ #include "xf86_ansic.h"
+ #endif
+ 
++#if !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ /* GLOBALS */
+ 
+ /* Per-screen initialization functions [init'ed by DbeRegisterFunction()] */
+@@ -733,11 +737,14 @@ ProcDbeSwapBuffers(client)
+         return(Success);
+     }
+ 
++    if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
++	    return BadAlloc;
++
+     /* Get to the swap info appended to the end of the request. */
+     dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
+ 
+     /* Allocate array to record swap information. */ 
+-    swapInfo = (DbeSwapInfoPtr)ALLOCATE_LOCAL(nStuff * sizeof(DbeSwapInfoRec));
++    swapInfo = (DbeSwapInfoPtr)Xalloc(nStuff * sizeof(DbeSwapInfoRec));
+     if (swapInfo == NULL)
+     {
+         return(BadAlloc);
+@@ -752,14 +759,14 @@ ProcDbeSwapBuffers(client)
+         if (!(pWin = SecurityLookupWindow(dbeSwapInfo[i].window, client,
+ 					  SecurityWriteAccess)))
+         {
+-            DEALLOCATE_LOCAL(swapInfo);
++            Xfree(swapInfo);
+ 	    return(BadWindow);
+         }
+ 
+         /* Each window must be double-buffered - BadMatch. */
+         if (DBE_WINDOW_PRIV(pWin) == NULL)
+         {
+-            DEALLOCATE_LOCAL(swapInfo);
++            Xfree(swapInfo);
+             return(BadMatch);
+         }
+ 
+@@ -768,7 +775,7 @@ ProcDbeSwapBuffers(client)
+         {
+             if (dbeSwapInfo[i].window == dbeSwapInfo[j].window)
+             {
+-                DEALLOCATE_LOCAL(swapInfo);
++                Xfree(swapInfo);
+                 return(BadMatch);
+ 	    }
+         }
+@@ -779,7 +786,7 @@ ProcDbeSwapBuffers(client)
+             (dbeSwapInfo[i].swapAction != XdbeUntouched ) &&
+             (dbeSwapInfo[i].swapAction != XdbeCopied    ))
+         {
+-            DEALLOCATE_LOCAL(swapInfo);
++            Xfree(swapInfo);
+             return(BadValue);
+         }
+ 
+@@ -809,12 +816,12 @@ ProcDbeSwapBuffers(client)
+         error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo);
+         if (error != Success)
+         {
+-            DEALLOCATE_LOCAL(swapInfo);
++            Xfree(swapInfo);
+             return(error);
+         }
+     }
+     
+-    DEALLOCATE_LOCAL(swapInfo);
++    Xfree(swapInfo);
+     return(Success);
+ 
+ } /* ProcDbeSwapBuffers() */
+@@ -898,10 +905,12 @@ ProcDbeGetVisualInfo(client)
+ 
+     REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
+ 
++    if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
++	    return BadAlloc;
+     /* Make sure any specified drawables are valid. */
+     if (stuff->n != 0)
+     {
+-        if (!(pDrawables = (DrawablePtr *)ALLOCATE_LOCAL(stuff->n *
++        if (!(pDrawables = (DrawablePtr *)Xalloc(stuff->n *
+                                                  sizeof(DrawablePtr))))
+         {
+             return(BadAlloc);
+@@ -914,7 +923,7 @@ ProcDbeGetVisualInfo(client)
+             if (!(pDrawables[i] = (DrawablePtr)SecurityLookupDrawable(
+ 				drawables[i], client, SecurityReadAccess)))
+             {
+-                DEALLOCATE_LOCAL(pDrawables);
++                Xfree(pDrawables);
+                 return(BadDrawable);
+             }
+         }
+@@ -926,7 +935,7 @@ ProcDbeGetVisualInfo(client)
+     {
+         if (pDrawables)
+         {
+-            DEALLOCATE_LOCAL(pDrawables);
++            Xfree(pDrawables);
+         }
+ 
+         return(BadAlloc);
+@@ -953,7 +962,7 @@ ProcDbeGetVisualInfo(client)
+             /* Free pDrawables if we needed to allocate it above. */
+             if (pDrawables)
+             {
+-                DEALLOCATE_LOCAL(pDrawables);
++                Xfree(pDrawables);
+             }
+ 
+             return(BadAlloc);
+@@ -1034,7 +1043,7 @@ ProcDbeGetVisualInfo(client)
+ 
+     if (pDrawables)
+     {
+-        DEALLOCATE_LOCAL(pDrawables);
++        Xfree(pDrawables);
+     }
+ 
+     return(client->noClientException);
diff --git a/x11/xorg-libs/patches/patch-cw b/x11/xorg-libs/patches/patch-cw
new file mode 100644
index 00000000000..00a0b111eee
--- /dev/null
+++ b/x11/xorg-libs/patches/patch-cw
@@ -0,0 +1,49 @@
+$NetBSD: patch-cw,v 1.1 2007/01/17 16:32:35 joerg Exp $
+
+--- programs/Xserver/render/render.c.orig	2005-08-28 19:47:39.000000000 +0000
++++ programs/Xserver/render/render.c
+@@ -52,6 +52,10 @@
+ #include "xf86_ansic.h"
+ #endif
+ 
++#if !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ static int ProcRenderQueryVersion (ClientPtr pClient);
+ static int ProcRenderQueryPictFormats (ClientPtr pClient);
+ static int ProcRenderQueryPictIndexValues (ClientPtr pClient);
+@@ -1108,11 +1112,14 @@ ProcRenderAddGlyphs (ClientPtr client)
+     }
+ 
+     nglyphs = stuff->nglyphs;
++    if (nglyphs > UINT32_MAX / sizeof(GlyphNewRec))
++	    return BadAlloc;
++
+     if (nglyphs <= NLOCALGLYPH)
+ 	glyphsBase = glyphsLocal;
+     else
+     {
+-	glyphsBase = (GlyphNewPtr) ALLOCATE_LOCAL (nglyphs * sizeof (GlyphNewRec));
++	glyphsBase = (GlyphNewPtr) Xalloc (nglyphs * sizeof (GlyphNewRec));
+ 	if (!glyphsBase)
+ 	    return BadAlloc;
+     }
+@@ -1169,7 +1176,7 @@ ProcRenderAddGlyphs (ClientPtr client)
+     }
+ 
+     if (glyphsBase != glyphsLocal)
+-	DEALLOCATE_LOCAL (glyphsBase);
++	Xfree (glyphsBase);
+     return client->noClientException;
+ bail:
+     while (glyphs != glyphsBase)
+@@ -1178,7 +1185,7 @@ bail:
+ 	xfree (glyphs->glyph);
+     }
+     if (glyphsBase != glyphsLocal)
+-	DEALLOCATE_LOCAL (glyphsBase);
++	Xfree (glyphsBase);
+     return err;
+ }
+
author	joerg <joerg>	2007-01-17 16:32:35 +0000
committer	joerg <joerg>	2007-01-17 16:32:35 +0000
commit	542508d9bc8ad48768f24ccdf1705cfda718994a (patch)
tree	2f72544ee3312e176d5251dcb9612a5e114a5b01 /x11/xorg-libs
parent	bb3e400ade0ddc062aefdd97cb3ee8314c2bff5f (diff)
download	pkgsrc-542508d9bc8ad48768f24ccdf1705cfda718994a.tar.gz