diff options
Diffstat (limited to 'x11-base/xorg-server/files/1.4-0007-CVE-2007-6429-Don-t-spuriously-reject-8bpp-shm-pix.patch')
-rw-r--r-- | x11-base/xorg-server/files/1.4-0007-CVE-2007-6429-Don-t-spuriously-reject-8bpp-shm-pix.patch | 85 |
1 files changed, 85 insertions, 0 deletions
diff --git a/x11-base/xorg-server/files/1.4-0007-CVE-2007-6429-Don-t-spuriously-reject-8bpp-shm-pix.patch b/x11-base/xorg-server/files/1.4-0007-CVE-2007-6429-Don-t-spuriously-reject-8bpp-shm-pix.patch new file mode 100644 index 0000000..903f2be --- /dev/null +++ b/x11-base/xorg-server/files/1.4-0007-CVE-2007-6429-Don-t-spuriously-reject-8bpp-shm-pix.patch @@ -0,0 +1,85 @@ +From e9fa7c1c88a8130a48f772c92b186b8b777986b5 Mon Sep 17 00:00:00 2001 +From: Adam Jackson <ajax@redhat.com> +Date: Fri, 18 Jan 2008 14:41:20 -0500 +Subject: [PATCH] CVE-2007-6429: Don't spuriously reject <8bpp shm pixmaps. + +Move size validation after depth validation, and only validate size if +the bpp of the pixmap format is > 8. If bpp < 8 then we're already +protected from overflow by the width and height checks. +--- + Xext/shm.c | 36 ++++++++++++++++++++---------------- + 1 files changed, 20 insertions(+), 16 deletions(-) + +diff --git a/Xext/shm.c b/Xext/shm.c +index c545e49..e46f6fc 100644 +--- a/Xext/shm.c ++++ b/Xext/shm.c +@@ -783,14 +783,6 @@ ProcPanoramiXShmCreatePixmap( + } + if (width > 32767 || height > 32767) + return BadAlloc; +- size = PixmapBytePad(width, depth) * height; +- if (sizeof(size) == 4) { +- if (size < width * height) +- return BadAlloc; +- /* thankfully, offset is unsigned */ +- if (stuff->offset + size < size) +- return BadAlloc; +- } + + if (stuff->depth != 1) + { +@@ -801,7 +793,17 @@ ProcPanoramiXShmCreatePixmap( + client->errorValue = stuff->depth; + return BadValue; + } ++ + CreatePmap: ++ size = PixmapBytePad(width, depth) * height; ++ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { ++ if (size < width * height) ++ return BadAlloc; ++ /* thankfully, offset is unsigned */ ++ if (stuff->offset + size < size) ++ return BadAlloc; ++ } ++ + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); + + if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) +@@ -1126,14 +1128,6 @@ ProcShmCreatePixmap(client) + } + if (width > 32767 || height > 32767) + return BadAlloc; +- size = PixmapBytePad(width, depth) * height; +- if (sizeof(size) == 4) { +- if (size < width * height) +- return BadAlloc; +- /* thankfully, offset is unsigned */ +- if (stuff->offset + size < size) +- return BadAlloc; +- } + + if (stuff->depth != 1) + { +@@ -1144,7 +1138,17 @@ ProcShmCreatePixmap(client) + client->errorValue = stuff->depth; + return BadValue; + } ++ + CreatePmap: ++ size = PixmapBytePad(width, depth) * height; ++ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { ++ if (size < width * height) ++ return BadAlloc; ++ /* thankfully, offset is unsigned */ ++ if (stuff->offset + size < size) ++ return BadAlloc; ++ } ++ + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); + pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( + pDraw->pScreen, stuff->width, +-- +1.5.3.8 + |