debian/patches/56_CVE-2007-6429_MIT-SHM.diff | 56 ++++++++++++++-------------
1 file changed, 31 insertions(+), 25 deletions(-)
New commits:
commit 5993f19b04bf9385c8a518e56a3be50a2e04e2f2
Author: Julien Cristau <[EMAIL PROTECTED]>
Date: Sat Jan 19 01:35:48 2008 +0100
Update patch for CVE-2007-6429 to fixed version.
The previous one introduced a regression, see bug#461410.
diff --git a/debian/patches/56_CVE-2007-6429_MIT-SHM.diff
b/debian/patches/56_CVE-2007-6429_MIT-SHM.diff
index 7495a78..253824f 100644
--- a/debian/patches/56_CVE-2007-6429_MIT-SHM.diff
+++ b/debian/patches/56_CVE-2007-6429_MIT-SHM.diff
@@ -1,7 +1,5 @@
-Index: xorg-server/Xext/shm.c
-===================================================================
---- xorg-server.orig/Xext/shm.c 2008-01-06 17:19:48.000000000 +0100
-+++ xorg-server/Xext/shm.c 2008-01-06 17:20:02.000000000 +0100
+--- xorg-server.orig/Xext/shm.c
++++ xorg-server/Xext/shm.c
@@ -723,6 +723,8 @@
int i, j, result;
ShmDescPtr shmdesc;
@@ -11,7 +9,7 @@ Index: xorg-server/Xext/shm.c
PanoramiXRes *newPix;
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
-@@ -732,11 +734,26 @@
+@@ -732,11 +734,18 @@
LEGAL_NEW_RESOURCE(stuff->pid, client);
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
@@ -27,30 +25,34 @@ Index: xorg-server/Xext/shm.c
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
-+ size = PixmapBytePad(width, depth) * height;
-+ if (sizeof(size) == 4) {
-+ if (size < width * height)
-+ return BadAlloc;
-+ /* thankfully, offset is unsigned */
-+ if (stuff->offset + size < size)
-+ return BadAlloc;
-+ }
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
-@@ -747,9 +764,7 @@
+@@ -746,10 +755,19 @@
+ client->errorValue = stuff->depth;
return BadValue;
}
++
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
++ /* now w/h/d are valid; but will they overflow a 32-bit pointer? */
++ size = PixmapBytePad(width, depth) * height;
++ if (sizeof(void *) == 4 && BitsPerPixel(depth) > 8) {
++ if (size < width * height)
++ return BadAlloc;
++ /* thankfully, offset is unsigned */
++ if (stuff->offset + size < size)
++ return BadAlloc;
++ }
++
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
return BadAlloc;
-@@ -1047,6 +1062,8 @@
+@@ -1047,6 +1065,8 @@
register int i;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
@@ -59,7 +61,7 @@ Index: xorg-server/Xext/shm.c
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
client->errorValue = stuff->pid;
-@@ -1055,11 +1072,26 @@
+@@ -1055,11 +1075,18 @@
LEGAL_NEW_RESOURCE(stuff->pid, client);
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
@@ -75,25 +77,29 @@ Index: xorg-server/Xext/shm.c
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
-+ size = PixmapBytePad(width, depth) * height;
-+ if (sizeof(size) == 4) {
-+ if (size < width * height)
-+ return BadAlloc;
-+ /* thankfully, offset is unsigned */
-+ if (stuff->offset + size < size)
-+ return BadAlloc;
-+ }
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
-@@ -1070,9 +1102,7 @@
+@@ -1069,10 +1096,19 @@
+ client->errorValue = stuff->depth;
return BadValue;
}
++
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
++ /* now w/h/d are valid; but will they overflow a 32-bit pointer? */
++ size = PixmapBytePad(width, depth) * height;
++ if (sizeof(void *) == 4 && BitsPerPixel(depth) > 8) {
++ if (size < width * height)
++ return BadAlloc;
++ /* thankfully, offset is unsigned */
++ if (stuff->offset + size < size)
++ return BadAlloc;
++ }
++
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
pDraw->pScreen, stuff->width,
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
