Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/x11-base/xorg-server/files/1.4-0007-CVE-2007-6429-Don-t-spuriously-reject-8bpp-shm-pix.patch
diff options
context:
space:
mode:
Diffstat (limited to 'x11-base/xorg-server/files/1.4-0007-CVE-2007-6429-Don-t-spuriously-reject-8bpp-shm-pix.patch')
-rw-r--r--x11-base/xorg-server/files/1.4-0007-CVE-2007-6429-Don-t-spuriously-reject-8bpp-shm-pix.patch85
1 files changed, 85 insertions, 0 deletions
diff --git a/x11-base/xorg-server/files/1.4-0007-CVE-2007-6429-Don-t-spuriously-reject-8bpp-shm-pix.patch b/x11-base/xorg-server/files/1.4-0007-CVE-2007-6429-Don-t-spuriously-reject-8bpp-shm-pix.patch
new file mode 100644
index 0000000..903f2be
--- /dev/null
+++ b/x11-base/xorg-server/files/1.4-0007-CVE-2007-6429-Don-t-spuriously-reject-8bpp-shm-pix.patch
@@ -0,0 +1,85 @@
+From e9fa7c1c88a8130a48f772c92b186b8b777986b5 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Fri, 18 Jan 2008 14:41:20 -0500
+Subject: [PATCH] CVE-2007-6429: Don't spuriously reject <8bpp shm pixmaps.
+
+Move size validation after depth validation, and only validate size if
+the bpp of the pixmap format is > 8. If bpp < 8 then we're already
+protected from overflow by the width and height checks.
+---
+ Xext/shm.c | 36 ++++++++++++++++++++----------------
+ 1 files changed, 20 insertions(+), 16 deletions(-)
+
+diff --git a/Xext/shm.c b/Xext/shm.c
+index c545e49..e46f6fc 100644
+--- a/Xext/shm.c
++++ b/Xext/shm.c
+@@ -783,14 +783,6 @@ ProcPanoramiXShmCreatePixmap(
+ }
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+- size = PixmapBytePad(width, depth) * height;
+- if (sizeof(size) == 4) {
+- if (size < width * height)
+- return BadAlloc;
+- /* thankfully, offset is unsigned */
+- if (stuff->offset + size < size)
+- return BadAlloc;
+- }
+
+ if (stuff->depth != 1)
+ {
+@@ -801,7 +793,17 @@ ProcPanoramiXShmCreatePixmap(
+ client->errorValue = stuff->depth;
+ return BadValue;
+ }
++
+ CreatePmap:
++ size = PixmapBytePad(width, depth) * height;
++ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
++ if (size < width * height)
++ return BadAlloc;
++ /* thankfully, offset is unsigned */
++ if (stuff->offset + size < size)
++ return BadAlloc;
++ }
++
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
+
+ if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
+@@ -1126,14 +1128,6 @@ ProcShmCreatePixmap(client)
+ }
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+- size = PixmapBytePad(width, depth) * height;
+- if (sizeof(size) == 4) {
+- if (size < width * height)
+- return BadAlloc;
+- /* thankfully, offset is unsigned */
+- if (stuff->offset + size < size)
+- return BadAlloc;
+- }
+
+ if (stuff->depth != 1)
+ {
+@@ -1144,7 +1138,17 @@ ProcShmCreatePixmap(client)
+ client->errorValue = stuff->depth;
+ return BadValue;
+ }
++
+ CreatePmap:
++ size = PixmapBytePad(width, depth) * height;
++ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
++ if (size < width * height)
++ return BadAlloc;
++ /* thankfully, offset is unsigned */
++ if (stuff->offset + size < size)
++ return BadAlloc;
++ }
++
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
+ pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
+ pDraw->pScreen, stuff->width,
+--
+1.5.3.8
+