diff options
Diffstat (limited to 'x11/modular-xorg-server/patches')
-rw-r--r-- | x11/modular-xorg-server/patches/patch-ac | 34 | ||||
-rw-r--r-- | x11/modular-xorg-server/patches/patch-ae | 63 | ||||
-rw-r--r-- | x11/modular-xorg-server/patches/patch-da | 13 | ||||
-rw-r--r-- | x11/modular-xorg-server/patches/patch-ed | 29 | ||||
-rw-r--r-- | x11/modular-xorg-server/patches/patch-ef | 39 |
5 files changed, 157 insertions, 21 deletions
diff --git a/x11/modular-xorg-server/patches/patch-ac b/x11/modular-xorg-server/patches/patch-ac new file mode 100644 index 00000000000..5fccfbd17bd --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-ac @@ -0,0 +1,34 @@ +$NetBSD: patch-ac,v 1.2.10.1 2008/06/25 10:20:58 tron Exp $ + +CVE-2008-2360 + +--- render/glyph.c.orig 2006-09-18 08:04:18.000000000 +0200 ++++ render/glyph.c +@@ -42,6 +42,12 @@ + #include "picturestr.h" + #include "glyphstr.h" + ++#if HAVE_STDINT_H ++#include <stdint.h> ++#elif !defined(UINT32_MAX) ++#define UINT32_MAX 0xffffffffU ++#endif ++ + /* + * From Knuth -- a good choice for hash/rehash values is p, p-2 where + * p and p-2 are both prime. These tables are sized to have an extra 10% +@@ -626,8 +632,12 @@ AllocateGlyph (xGlyphInfo *gi, int fdept + int size; + GlyphPtr glyph; + int i; +- +- size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]); ++ size_t padded_width; ++ ++ padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]); ++ if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height) ++ return 0; ++ size = gi->height * padded_width; + glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec)); + if (!glyph) + return 0; diff --git a/x11/modular-xorg-server/patches/patch-ae b/x11/modular-xorg-server/patches/patch-ae new file mode 100644 index 00000000000..de830b3b4b5 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-ae @@ -0,0 +1,63 @@ +$NetBSD: patch-ae,v 1.4.6.1 2008/06/25 10:20:58 tron Exp $ + +CVE-2008-1377 + +--- record/record.c.orig 2006-09-18 08:04:18.000000000 +0200 ++++ record/record.c +@@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client + } /* SProcRecordQueryVersion */ + + +-static void ++static int + SwapCreateRegister(xRecordRegisterClientsReq *stuff) + { + register char n; +@@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClient + swapl(&stuff->nClients, n); + swapl(&stuff->nRanges, n); + pClientID = (XID *)&stuff[1]; ++ if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2)) ++ return BadLength; + for (i = 0; i < stuff->nClients; i++, pClientID++) + { + swapl(pClientID, n); + } ++ if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2) ++ - stuff->nClients) ++ return BadLength; + RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges); ++ return Success; + } /* SwapCreateRegister */ + + +@@ -2679,11 +2685,13 @@ static int + SProcRecordCreateContext(ClientPtr client) + { + REQUEST(xRecordCreateContextReq); ++ int status; + register char n; + + swaps(&stuff->length, n); + REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq); +- SwapCreateRegister((pointer)stuff); ++ if ((status = SwapCreateRegister((pointer)stuff)) != Success) ++ return status; + return ProcRecordCreateContext(client); + } /* SProcRecordCreateContext */ + +@@ -2692,11 +2700,13 @@ static int + SProcRecordRegisterClients(ClientPtr client) + { + REQUEST(xRecordRegisterClientsReq); ++ int status; + register char n; + + swaps(&stuff->length, n); + REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq); +- SwapCreateRegister((pointer)stuff); ++ if ((status = SwapCreateRegister((pointer)stuff)) != Success) ++ return status; + return ProcRecordRegisterClients(client); + } /* SProcRecordRegisterClients */ + diff --git a/x11/modular-xorg-server/patches/patch-da b/x11/modular-xorg-server/patches/patch-da deleted file mode 100644 index db54d9adb6c..00000000000 --- a/x11/modular-xorg-server/patches/patch-da +++ /dev/null @@ -1,13 +0,0 @@ -$NetBSD: patch-da,v 1.1 2007/02/05 23:08:36 joerg Exp $ - ---- Xext/shm.c.orig 2007-02-05 20:58:14.000000000 +0000 -+++ Xext/shm.c -@@ -156,7 +156,7 @@ static ShmFuncs fbFuncs = {fbShmCreatePi - } - - --#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__) -+#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__) || defined(__DragonFly__) - #include <sys/signal.h> - - static Bool badSysCall = FALSE; diff --git a/x11/modular-xorg-server/patches/patch-ed b/x11/modular-xorg-server/patches/patch-ed index 3063b0c39b1..43f320f4cd6 100644 --- a/x11/modular-xorg-server/patches/patch-ed +++ b/x11/modular-xorg-server/patches/patch-ed @@ -1,8 +1,31 @@ -$NetBSD: patch-ed,v 1.1 2008/02/25 15:39:16 joerg Exp $ +$NetBSD: patch-ed,v 1.1.2.1 2008/06/25 10:20:58 tron Exp $ --- Xext/security.c.orig 2006-11-16 18:39:03.000000000 +0100 +++ Xext/security.c -@@ -1567,9 +1567,9 @@ SecurityLoadPropertyAccessList(void) +@@ -651,15 +651,19 @@ SProcSecurityGenerateAuthorization( + register char n; + CARD32 *values; + unsigned long nvalues; ++ int values_offset; + + swaps(&stuff->length, n); + REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq); + swaps(&stuff->nbytesAuthProto, n); + swaps(&stuff->nbytesAuthData, n); + swapl(&stuff->valueMask, n); +- values = (CARD32 *)(&stuff[1]) + +- ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + +- ((stuff->nbytesAuthData + (unsigned)3) >> 2); ++ values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + ++ ((stuff->nbytesAuthData + (unsigned)3) >> 2); ++ if (values_offset > ++ stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2)) ++ return BadLength; ++ values = (CARD32 *)(&stuff[1]) + values_offset; + nvalues = (((CARD32 *)stuff) + stuff->length) - values; + SwapLongs(values, nvalues); + return ProcSecurityGenerateAuthorization(client); +@@ -1567,9 +1571,9 @@ SecurityLoadPropertyAccessList(void) return; #ifndef __UNIXOS2__ @@ -14,7 +37,7 @@ $NetBSD: patch-ed,v 1.1 2008/02/25 15:39:16 joerg Exp $ #endif if (!f) { -@@ -1653,7 +1653,7 @@ SecurityLoadPropertyAccessList(void) +@@ -1653,7 +1657,7 @@ SecurityLoadPropertyAccessList(void) } #endif /* PROPDEBUG */ diff --git a/x11/modular-xorg-server/patches/patch-ef b/x11/modular-xorg-server/patches/patch-ef index ba2d29e4492..378d070674f 100644 --- a/x11/modular-xorg-server/patches/patch-ef +++ b/x11/modular-xorg-server/patches/patch-ef @@ -1,7 +1,16 @@ -$NetBSD: patch-ef,v 1.1 2008/02/25 15:39:16 joerg Exp $ +$NetBSD: patch-ef,v 1.1.2.1 2008/06/25 10:20:58 tron Exp $ ---- Xext/shm.c.orig 2008-02-25 15:43:05.000000000 +0100 +--- Xext/shm.c.orig 2008-06-20 14:39:43.000000000 +0200 +++ Xext/shm.c +@@ -156,7 +156,7 @@ static ShmFuncs fbFuncs = {fbShmCreatePi + } + + +-#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__) ++#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__) || defined(__DragonFly__) + #include <sys/signal.h> + + static Bool badSysCall = FALSE; @@ -723,6 +723,8 @@ ProcPanoramiXShmCreatePixmap( int i, j, result; ShmDescPtr shmdesc; @@ -50,7 +59,27 @@ $NetBSD: patch-ef,v 1.1 2008/02/25 15:39:16 joerg Exp $ if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) return BadAlloc; -@@ -1047,6 +1062,8 @@ ProcShmCreatePixmap(client) +@@ -841,8 +856,17 @@ ProcShmPutImage(client) + return BadValue; + } + +- VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, +- client); ++ /* ++ * There's a potential integer overflow in this check: ++ * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, ++ * client); ++ * the version below ought to avoid it ++ */ ++ if (stuff->totalHeight != 0 && ++ length > (shmdesc->size - stuff->offset)/stuff->totalHeight) { ++ client->errorValue = stuff->totalWidth; ++ return BadValue; ++ } + if (stuff->srcX > stuff->totalWidth) + { + client->errorValue = stuff->srcX; +@@ -1047,6 +1071,8 @@ ProcShmCreatePixmap(client) register int i; ShmDescPtr shmdesc; REQUEST(xShmCreatePixmapReq); @@ -59,7 +88,7 @@ $NetBSD: patch-ef,v 1.1 2008/02/25 15:39:16 joerg Exp $ REQUEST_SIZE_MATCH(xShmCreatePixmapReq); client->errorValue = stuff->pid; -@@ -1055,11 +1072,26 @@ ProcShmCreatePixmap(client) +@@ -1055,11 +1081,26 @@ ProcShmCreatePixmap(client) LEGAL_NEW_RESOURCE(stuff->pid, client); VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); @@ -87,7 +116,7 @@ $NetBSD: patch-ef,v 1.1 2008/02/25 15:39:16 joerg Exp $ if (stuff->depth != 1) { pDepth = pDraw->pScreen->allowedDepths; -@@ -1070,9 +1102,7 @@ ProcShmCreatePixmap(client) +@@ -1070,9 +1111,7 @@ ProcShmCreatePixmap(client) return BadValue; } CreatePmap: |