From 542508d9bc8ad48768f24ccdf1705cfda718994a Mon Sep 17 00:00:00 2001
From: joerg
Date: Wed, 17 Jan 2007 16:32:35 +0000
Subject: Add vendor patch for CVE-2006-6101, CVE-2006-6102 and CVE-2006-6103; this fixes possible overflows in the extensions dbe and render.
---
 x11/xorg-libs/distinfo | 4 +-
 x11/xorg-libs/patches/patch-cv | 131 +++++++++++++++++++++++++++++++++++++++++
 x11/xorg-libs/patches/patch-cw | 49 +++++++++++++++
 3 files changed, 183 insertions(+), 1 deletion(-)
 create mode 100644 x11/xorg-libs/patches/patch-cv
 create mode 100644 x11/xorg-libs/patches/patch-cw
(limited to 'x11/xorg-libs')
diff --git a/x11/xorg-libs/distinfo b/x11/xorg-libs/distinfo
index c8d016b2953..3d28739715b 100644
--- a/x11/xorg-libs/distinfo
+++ b/x11/xorg-libs/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.57 2006/12/16 11:32:44 abs Exp $
+$NetBSD: distinfo,v 1.58 2007/01/17 16:32:35 joerg Exp $
 
 SHA1 (X11R6.9.0-src1.tar.gz) = a6c077ed8fdeee5fe1956a427c4cb0bc266e1bef
 RMD160 (X11R6.9.0-src1.tar.gz) = d12270a4f41a3ceee4bfd5da22d387a3aa707df8
@@ -74,3 +74,5 @@ SHA1 (patch-cr) = c613afdca92b36a1a34264a53f9eaf4a8276a5fa
 SHA1 (patch-cs) = 686c444c42acbbae4030ff198bcd4fbd08e7a0e3
 SHA1 (patch-ct) = 96084456c2d7d4aaf05b2eebd13be2e575cead29
 SHA1 (patch-cu) = 99e0ec0a7119ccc8d0df72dec67ee5e4fe0dd5c7
+SHA1 (patch-cv) = a314b92adeadc66481ecfe5893f104640dbc2228
+SHA1 (patch-cw) = f57f4436817fbc73f758f48e83062bf8b4a716b2
diff --git a/x11/xorg-libs/patches/patch-cv b/x11/xorg-libs/patches/patch-cv
new file mode 100644
index 00000000000..a633f3e3325
--- /dev/null
+++ b/x11/xorg-libs/patches/patch-cv
@@ -0,0 +1,131 @@
+$NetBSD: patch-cv,v 1.1 2007/01/17 16:32:35 joerg Exp $
+
+--- programs/Xserver/dbe/dbe.c.orig 2005-07-03 07:01:17.000000000 +0000
++++ programs/Xserver/dbe/dbe.c
+@@ -55,6 +55,10 @@
+ #include "xf86_ansic.h"
+ #endif
+
++#if !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ /* GLOBALS */
+
+ /* Per-screen initialization functions [init'ed by DbeRegisterFunction()] */
+@@ -733,11 +737,14 @@ ProcDbeSwapBuffers(client)
+ return(Success);
+ }
+
++ if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
++ return BadAlloc;
++
+ /* Get to the swap info appended to the end of the request. */
+ dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
+
+ /* Allocate array to record swap information. */
+- swapInfo = (DbeSwapInfoPtr)ALLOCATE_LOCAL(nStuff * sizeof(DbeSwapInfoRec));
++ swapInfo = (DbeSwapInfoPtr)Xalloc(nStuff * sizeof(DbeSwapInfoRec));
+ if (swapInfo == NULL)
+ {
+ return(BadAlloc);
+@@ -752,14 +759,14 @@ ProcDbeSwapBuffers(client)
+ if (!(pWin = SecurityLookupWindow(dbeSwapInfo[i].window, client,
+ SecurityWriteAccess)))
+ {
+- DEALLOCATE_LOCAL(swapInfo);
++ Xfree(swapInfo);
+ return(BadWindow);
+ }
+
+ /* Each window must be double-buffered - BadMatch. */
+ if (DBE_WINDOW_PRIV(pWin) == NULL)
+ {
+- DEALLOCATE_LOCAL(swapInfo);
++ Xfree(swapInfo);
+ return(BadMatch);
+ }
+
+@@ -768,7 +775,7 @@ ProcDbeSwapBuffers(client)
+ {
+ if (dbeSwapInfo[i].window == dbeSwapInfo[j].window)
+ {
+- DEALLOCATE_LOCAL(swapInfo);
++ Xfree(swapInfo);
+ return(BadMatch);
+ }
+ }
+@@ -779,7 +786,7 @@ ProcDbeSwapBuffers(client)
+ (dbeSwapInfo[i].swapAction != XdbeUntouched ) &&
+ (dbeSwapInfo[i].swapAction != XdbeCopied ))
+ {
+- DEALLOCATE_LOCAL(swapInfo);
++ Xfree(swapInfo);
+ return(BadValue);
+ }
+
+@@ -809,12 +816,12 @@ ProcDbeSwapBuffers(client)
+ error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo);
+ if (error != Success)
+ {
+- DEALLOCATE_LOCAL(swapInfo);
++ Xfree(swapInfo);
+ return(error);
+ }
+ }
+
+- DEALLOCATE_LOCAL(swapInfo);
++ Xfree(swapInfo);
+ return(Success);
+
+ } /* ProcDbeSwapBuffers() */
+@@ -898,10 +905,12 @@ ProcDbeGetVisualInfo(client)
+
+ REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
+
++ if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
++ return BadAlloc;
+ /* Make sure any specified drawables are valid. */
+ if (stuff->n != 0)
+ {
+- if (!(pDrawables = (DrawablePtr *)ALLOCATE_LOCAL(stuff->n *
++ if (!(pDrawables = (DrawablePtr *)Xalloc(stuff->n *
+ sizeof(DrawablePtr))))
+ {
+ return(BadAlloc);
+@@ -914,7 +923,7 @@ ProcDbeGetVisualInfo(client)
+ if (!(pDrawables[i] = (DrawablePtr)SecurityLookupDrawable(
+ drawables[i], client, SecurityReadAccess)))
+ {
+- DEALLOCATE_LOCAL(pDrawables);
++ Xfree(pDrawables);
+ return(BadDrawable);
+ }
+ }
+@@ -926,7 +935,7 @@ ProcDbeGetVisualInfo(client)
+ {
+ if (pDrawables)
+ {
+- DEALLOCATE_LOCAL(pDrawables);
++ Xfree(pDrawables);
+ }
+
+ return(BadAlloc);
+@@ -953,7 +962,7 @@ ProcDbeGetVisualInfo(client)
+ /* Free pDrawables if we needed to allocate it above. */
+ if (pDrawables)
+ {
+- DEALLOCATE_LOCAL(pDrawables);
++ Xfree(pDrawables);
+ }
+
+ return(BadAlloc);
+@@ -1034,7 +1043,7 @@ ProcDbeGetVisualInfo(client)
+
+ if (pDrawables)
+ {
+- DEALLOCATE_LOCAL(pDrawables);
++ Xfree(pDrawables);
+ }
+
+ return(client->noClientException);
diff --git a/x11/xorg-libs/patches/patch-cw b/x11/xorg-libs/patches/patch-cw
new file mode 100644
index 00000000000..00a0b111eee
--- /dev/null
+++ b/x11/xorg-libs/patches/patch-cw
@@ -0,0 +1,49 @@
+$NetBSD: patch-cw,v 1.1 2007/01/17 16:32:35 joerg Exp $
+
+--- programs/Xserver/render/render.c.orig 2005-08-28 19:47:39.000000000 +0000
++++ programs/Xserver/render/render.c
+@@ -52,6 +52,10 @@
+ #include "xf86_ansic.h"
+ #endif
+
++#if !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ static int ProcRenderQueryVersion (ClientPtr pClient);
+ static int ProcRenderQueryPictFormats (ClientPtr pClient);
+ static int ProcRenderQueryPictIndexValues (ClientPtr pClient);
+@@ -1108,11 +1112,14 @@ ProcRenderAddGlyphs (ClientPtr client)
+ }
+
+ nglyphs = stuff->nglyphs;
++ if (nglyphs > UINT32_MAX / sizeof(GlyphNewRec))
++ return BadAlloc;
++
+ if (nglyphs <= NLOCALGLYPH)
+ glyphsBase = glyphsLocal;
+ else
+ {
+- glyphsBase = (GlyphNewPtr) ALLOCATE_LOCAL (nglyphs * sizeof (GlyphNewRec));
++ glyphsBase = (GlyphNewPtr) Xalloc (nglyphs * sizeof (GlyphNewRec));
+ if (!glyphsBase)
+ return BadAlloc;
+ }
+@@ -1169,7 +1176,7 @@ ProcRenderAddGlyphs (ClientPtr client)
+ }
+
+ if (glyphsBase != glyphsLocal)
+- DEALLOCATE_LOCAL (glyphsBase);
++ Xfree (glyphsBase);
+ return client->noClientException;
+ bail:
+ while (glyphs != glyphsBase)
+@@ -1178,7 +1185,7 @@ bail:
+ xfree (glyphs->glyph);
+ }
+ if (glyphsBase != glyphsLocal)
+- DEALLOCATE_LOCAL (glyphsBase);
++ Xfree (glyphsBase);
+ return err;
+ }
+
-- 
cgit v1.2.3
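Review bot: In ProcDbeGetVisualInfo the only request-length validation visible is `REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq)`, yet the loop then reads `drawables[i]` for every index below the client-supplied `stuff->n`. The new `UINT32_MAX` guard bounds the size handed to `Xalloc`, not how far that read can run past the end of the request. Unless a length check exists outside these hunks, follow the guard with `REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(Drawable));` (assuming `drawables` points at the Drawable ids after the fixed header), so a count larger than the request is rejected with BadLength. The same question applies to `dbeSwapInfo[i]` in ProcDbeSwapBuffers and to `nglyphs` in ProcRenderAddGlyphs in patch-cw. All three functions begin outside the hunks shown, so their length checks cannot be confirmed from this patch.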
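Review bot: Nothing at the `Xalloc` call in ProcRenderAddGlyphs records why the array was moved off the stack, so a later cleanup could plausibly switch it back to `ALLOCATE_LOCAL`. A comment above the allocation such as `/* nglyphs is client-supplied: allocate on the heap, never with ALLOCATE_LOCAL */` would preserve the intent; the same comment fits the two `Xalloc` calls in the dbe.c patch. The `bail:` path now releases memory with both `xfree (glyphs->glyph)` and `Xfree (glyphsBase)`; presumably these are the same routine, and using one spelling throughout the function would make the alloc/free pairing easier to audit.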