Imported nx-X11-3.2.0-2.tar.gz

Summary: Imported nx-X11-3.2.0-2.tar.gz Keywords: Imported nx-X11-3.2.0-2.tar.gz into Git repository

Imported nx-X11-3.2.0-2.tar.gz
30463b08 · Reinhard Tartler · 713da226 · 30463b08 · 30463b08 · 30463b08
Commit 30463b08 authored Oct 10, 2011 by Reinhard Tartler
9 changed files
--- a/nx-X11/CHANGELOG
+++ b/nx-X11/CHANGELOG
 ChangeLog:

+nx-X11-3.2.0-2
+
+- Imported patch fixing issues from  X.Org security advisory, June
+  11th, 2008: Multiple vulnerabilities in X server extensions. CVE
+  IDs: CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361,
+  CVE-2008-2362.
+
 nx-X11-3.2.0-1

 - Opened the 3.2.0 branch based on nx-X11-3.1.0-6.

--- a/nx-X11/CHANGELOG.NX.original
+++ b/nx-X11/CHANGELOG.NX.original
 ChangeLog:

+nx-X11-3.2.0-2
+
+- Imported patch fixing issues from  X.Org security advisory, June
+  11th, 2008: Multiple vulnerabilities in X server extensions. CVE
+  IDs: CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361,
+  CVE-2008-2362.
+
+nx-X11-3.2.0-1
+
+- Opened the 3.2.0 branch based on nx-X11-3.1.0-6.
+
 nx-X11-3.1.0-6

 - Modified Xserver Imakefile to link the Xfixes library.

--- a/nx-X11/programs/Xserver/Xext/security.c
+++ b/nx-X11/programs/Xserver/Xext/security.c
@@ -813,15 +813,19 @@ SProcSecurityGenerateAuthorization(
    register char 	n;
    CARD32 *values;
    unsigned long nvalues;
+    int values_offset;

    swaps(&stuff->length, n);
    REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
    swaps(&stuff->nbytesAuthProto, n);
    swaps(&stuff->nbytesAuthData, n);
    swapl(&stuff->valueMask, n);
-    values = (CARD32 *)(&stuff[1]) +
-	((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
-	((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+		    ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    if (values_offset > 
+	stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+	return BadLength;
+    values = (CARD32 *)(&stuff[1]) + values_offset;
    nvalues = (((CARD32 *)stuff) + stuff->length) - values;
    SwapLongs(values, nvalues);
    return ProcSecurityGenerateAuthorization(client);

--- a/nx-X11/programs/Xserver/Xext/security.c.NX.original
+++ b/nx-X11/programs/Xserver/Xext/security.c.NX.original
@@ -813,15 +813,19 @@ SProcSecurityGenerateAuthorization(
    register char 	n;
    CARD32 *values;
    unsigned long nvalues;
+    int values_offset;

    swaps(&stuff->length, n);
    REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
    swaps(&stuff->nbytesAuthProto, n);
    swaps(&stuff->nbytesAuthData, n);
    swapl(&stuff->valueMask, n);
-    values = (CARD32 *)(&stuff[1]) +
-	((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
-	((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+		    ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    if (values_offset > 
+	stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+	return BadLength;
+    values = (CARD32 *)(&stuff[1]) + values_offset;
    nvalues = (((CARD32 *)stuff) + stuff->length) - values;
    SwapLongs(values, nvalues);
    return ProcSecurityGenerateAuthorization(client);

--- a/nx-X11/programs/Xserver/Xext/security.c.X.original
+++ b/nx-X11/programs/Xserver/Xext/security.c.X.original
@@ -652,15 +652,19 @@ SProcSecurityGenerateAuthorization(
    register char 	n;
    CARD32 *values;
    unsigned long nvalues;
+    int values_offset;

    swaps(&stuff->length, n);
    REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
    swaps(&stuff->nbytesAuthProto, n);
    swaps(&stuff->nbytesAuthData, n);
    swapl(&stuff->valueMask, n);
-    values = (CARD32 *)(&stuff[1]) +
-	((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
-	((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+		    ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    if (values_offset > 
+	stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+	return BadLength;
+    values = (CARD32 *)(&stuff[1]) + values_offset;
    nvalues = (((CARD32 *)stuff) + stuff->length) - values;
    SwapLongs(values, nvalues);
    return ProcSecurityGenerateAuthorization(client);

--- a/nx-X11/programs/Xserver/Xext/shm.c
+++ b/nx-X11/programs/Xserver/Xext/shm.c
@@ -863,8 +863,17 @@ ProcShmPutImage(client)
        return BadValue;
    }

-    VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
-		   client);
+    /* 
+     * There's a potential integer overflow in this check:
+     * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+     *                client);
+     * the version below ought to avoid it
+     */
+    if (stuff->totalHeight != 0 && 
+	length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
+	client->errorValue = stuff->totalWidth;
+	return BadValue;
+    }
    if (stuff->srcX > stuff->totalWidth)
    {
 	client->errorValue = stuff->srcX;

--- a/nx-X11/programs/Xserver/record/record.c
+++ b/nx-X11/programs/Xserver/record/record.c
@@ -2720,7 +2720,7 @@ SProcRecordQueryVersion(client)
 } /* SProcRecordQueryVersion */


-static void
+static int
 SwapCreateRegister(xRecordRegisterClientsReq *stuff)
 {
    register char n;
@@ -2731,11 +2731,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
    swapl(&stuff->nClients, n);
    swapl(&stuff->nRanges, n);
    pClientID = (XID *)&stuff[1];
+    if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
+	return BadLength;
    for (i = 0; i < stuff->nClients; i++, pClientID++)
    {
 	swapl(pClientID, n);
    }
+    if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
+	- stuff->nClients)
+	return BadLength;
    RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
+    return Success;
 } /* SwapCreateRegister */


@@ -2744,11 +2750,13 @@ SProcRecordCreateContext(client)
    ClientPtr client;
 {
    REQUEST(xRecordCreateContextReq);
+    int			status;
    register char 	n;

    swaps(&stuff->length, n);
    REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
-    SwapCreateRegister((pointer)stuff);
+    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+	return status;
    return ProcRecordCreateContext(client);
 } /* SProcRecordCreateContext */

@@ -2758,11 +2766,13 @@ SProcRecordRegisterClients(client)
    ClientPtr client;
 {
    REQUEST(xRecordRegisterClientsReq);
+    int			status;
    register char 	n;

    swaps(&stuff->length, n);
    REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
-    SwapCreateRegister((pointer)stuff);
+    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+	return status;
    return ProcRecordRegisterClients(client);
 } /* SProcRecordRegisterClients */


--- a/nx-X11/programs/Xserver/render/glyph.c
+++ b/nx-X11/programs/Xserver/render/glyph.c
@@ -43,6 +43,12 @@
 #include "picturestr.h"
 #include "glyphstr.h"

+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
 /*
 * From Knuth -- a good choice for hash/rehash values is p, p-2 where
 * p and p-2 are both prime.  These tables are sized to have an extra 10%
@@ -334,8 +340,12 @@ AllocateGlyph (xGlyphInfo *gi, int fdepth)
 {
    int		size;
    GlyphPtr	glyph;
-
-    size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
+    size_t	     padded_width;
+    
+    padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
+    if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
+	return 0;
+    size = gi->height * padded_width;
    glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
    if (!glyph)
 	return 0;

--- a/nx-X11/programs/Xserver/render/render.c
+++ b/nx-X11/programs/Xserver/render/render.c
@@ -1505,6 +1505,8 @@ ProcRenderCreateCursor (ClientPtr client)
    pScreen = pSrc->pDrawable->pScreen;
    width = pSrc->pDrawable->width;
    height = pSrc->pDrawable->height;
+    if (height && width > UINT32_MAX/(height*sizeof(CARD32)))
+	return BadAlloc;
    if ( stuff->x > width 
      || stuff->y > height )
 	return (BadMatch);
@@ -1918,6 +1920,8 @@ static int ProcRenderCreateLinearGradient (ClientPtr client)
    LEGAL_NEW_RESOURCE(stuff->pid, client);

    len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
    if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
        return BadLength;

@@ -2489,18 +2493,18 @@ SProcRenderCreateSolidFill(ClientPtr client)
    return (*ProcRenderVector[stuff->renderReqType]) (client);
 }

-static void swapStops(void *stuff, int n)
+static void swapStops(void *stuff, int num)
 {
-    int i;
+    int i, n;
    CARD32 *stops;
    CARD16 *colors;
    stops = (CARD32 *)(stuff);
-    for (i = 0; i < n; ++i) {
+    for (i = 0; i < num; ++i) {
        swapl(stops, n);
        ++stops;
    }
    colors = (CARD16 *)(stops);
-    for (i = 0; i < 4*n; ++i) {
+    for (i = 0; i < 4*num; ++i) {
        swaps(stops, n);
        ++stops;
    }
@@ -2523,6 +2527,8 @@ SProcRenderCreateLinearGradient (ClientPtr client)
    swapl(&stuff->nStops, n);

    len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
    if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
        return BadLength;

@@ -2550,6 +2556,8 @@ SProcRenderCreateRadialGradient (ClientPtr client)
    swapl(&stuff->nStops, n);

    len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
    if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
        return BadLength;

@@ -2574,6 +2582,8 @@ SProcRenderCreateConicalGradient (ClientPtr client)
    swapl(&stuff->nStops, n);

    len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
    if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
        return BadLength;