diff options
author | drochner <drochner@pkgsrc.org> | 2007-04-03 20:28:38 +0000 |
---|---|---|
committer | drochner <drochner@pkgsrc.org> | 2007-04-03 20:28:38 +0000 |
commit | 7e90b1e274ca5247b56145ae8788b0c4acd98b11 (patch) | |
tree | 0731e9234b4cdb95dbae4d3800bc8987f8754b9e /x11 | |
parent | 0d0c8b0486823303b6e5b9726086d4cde31d2444 (diff) | |
download | pkgsrc-7e90b1e274ca5247b56145ae8788b0c4acd98b11.tar.gz |
fix a possible memory corruption due to incomplete input validation in
XInitImage()
(CVE 2007-1667)
bump PKGREVISION
Diffstat (limited to 'x11')
-rw-r--r-- | x11/libX11/Makefile | 3 | ||||
-rw-r--r-- | x11/libX11/distinfo | 3 | ||||
-rw-r--r-- | x11/libX11/patches/patch-aa | 87 |
3 files changed, 91 insertions, 2 deletions
diff --git a/x11/libX11/Makefile b/x11/libX11/Makefile index 1de5b6ba5cd..0ef07fe0777 100644 --- a/x11/libX11/Makefile +++ b/x11/libX11/Makefile @@ -1,7 +1,8 @@ -# $NetBSD: Makefile,v 1.3 2007/01/23 19:47:53 joerg Exp $ +# $NetBSD: Makefile,v 1.4 2007/04/03 20:28:38 drochner Exp $ # DISTNAME= libX11-1.1.1 +PKGREVISION= 1 CATEGORIES= x11 devel MASTER_SITES= http://xorg.freedesktop.org/releases/individual/lib/ EXTRACT_SUFX= .tar.bz2 diff --git a/x11/libX11/distinfo b/x11/libX11/distinfo index e55d1b1dbd6..0bcb2171c68 100644 --- a/x11/libX11/distinfo +++ b/x11/libX11/distinfo @@ -1,5 +1,6 @@ -$NetBSD: distinfo,v 1.2 2007/01/23 19:47:53 joerg Exp $ +$NetBSD: distinfo,v 1.3 2007/04/03 20:28:38 drochner Exp $ SHA1 (libX11-1.1.1.tar.bz2) = 048dc3d850666010e81a86bbe0960a643557251a RMD160 (libX11-1.1.1.tar.bz2) = 99c2d2bd6823c09667dffa5e4265924e93e76eef Size (libX11-1.1.1.tar.bz2) = 1426405 bytes +SHA1 (patch-aa) = f51b17bac7490edbfcf29f2aef3e04eca1647fe4 diff --git a/x11/libX11/patches/patch-aa b/x11/libX11/patches/patch-aa new file mode 100644 index 00000000000..fe29a91c12d --- /dev/null +++ b/x11/libX11/patches/patch-aa @@ -0,0 +1,87 @@ +$NetBSD: patch-aa,v 1.1 2007/04/03 20:28:38 drochner Exp $ + +--- src/ImUtil.c.orig 2007-04-03 19:08:57.000000000 +0200 ++++ src/ImUtil.c +@@ -327,12 +327,13 @@ XImage *XCreateImage (dpy, visual, depth + { + register XImage *image; + int bits_per_pixel = 1; ++ int min_bytes_per_line; + + if (depth == 0 || depth > 32 || + (format != XYBitmap && format != XYPixmap && format != ZPixmap) || + (format == XYBitmap && depth != 1) || + (xpad != 8 && xpad != 16 && xpad != 32) || +- offset < 0 || image_bytes_per_line < 0) ++ offset < 0) + return (XImage *) NULL; + if ((image = (XImage *) Xcalloc(1, (unsigned) sizeof(XImage))) == NULL) + return (XImage *) NULL; +@@ -363,16 +364,21 @@ XImage *XCreateImage (dpy, visual, depth + /* + * compute per line accelerator. + */ +- if (image_bytes_per_line == 0) + { + if (format == ZPixmap) +- image->bytes_per_line = ++ min_bytes_per_line = + ROUNDUP((bits_per_pixel * width), image->bitmap_pad); + else +- image->bytes_per_line = ++ min_bytes_per_line = + ROUNDUP((width + offset), image->bitmap_pad); + } +- else image->bytes_per_line = image_bytes_per_line; ++ if (image_bytes_per_line == 0) { ++ image->bytes_per_line = min_bytes_per_line; ++ } else if (image_bytes_per_line < min_bytes_per_line) { ++ return 0; ++ } else { ++ image->bytes_per_line = image_bytes_per_line; ++ } + + image->bits_per_pixel = bits_per_pixel; + image->obdata = NULL; +@@ -384,7 +390,11 @@ XImage *XCreateImage (dpy, visual, depth + Status XInitImage (image) + XImage *image; + { ++ int min_bytes_per_line; ++ + if (image->depth == 0 || image->depth > 32 || ++ image->bits_per_pixel > 32 || image->bitmap_unit > 32 || ++ image->bits_per_pixel < 0 || image->bitmap_unit < 0 || + (image->format != XYBitmap && + image->format != XYPixmap && + image->format != ZPixmap) || +@@ -392,21 +402,24 @@ Status XInitImage (image) + (image->bitmap_pad != 8 && + image->bitmap_pad != 16 && + image->bitmap_pad != 32) || +- image->xoffset < 0 || image->bytes_per_line < 0) ++ image->xoffset < 0) + return 0; + + /* + * compute per line accelerator. + */ +- if (image->bytes_per_line == 0) +- { + if (image->format == ZPixmap) +- image->bytes_per_line = ++ min_bytes_per_line = + ROUNDUP((image->bits_per_pixel * image->width), + image->bitmap_pad); + else +- image->bytes_per_line = ++ min_bytes_per_line = + ROUNDUP((image->width + image->xoffset), image->bitmap_pad); ++ ++ if (image->bytes_per_line == 0) { ++ image->bytes_per_line = min_bytes_per_line; ++ } else if (image->bytes_per_line < min_bytes_per_line) { ++ return 0; + } + + _XInitImageFuncPtrs (image); |