r1803 - trunk/xorg

archaic at linuxfromscratch.org archaic at linuxfromscratch.org
Sat Apr 28 19:32:38 PDT 2007


Author: archaic
Date: 2007-04-28 20:32:38 -0600 (Sat, 28 Apr 2007)
New Revision: 1803

Added:
   trunk/xorg/libX11-1.1.1-xinitimage-1.patch
   trunk/xorg/libXfont-1.2.7-bdf_fontsdir-1.patch
   trunk/xorg/xorg-server-1.2.0-xcmisc-1.patch
Log:
Added some upstream patches for xorg-7.2.

Added: trunk/xorg/libX11-1.1.1-xinitimage-1.patch
===================================================================
--- trunk/xorg/libX11-1.1.1-xinitimage-1.patch	                        (rev 0)
+++ trunk/xorg/libX11-1.1.1-xinitimage-1.patch	2007-04-29 02:32:38 UTC (rev 1803)
@@ -0,0 +1,94 @@
+Submitted By: Archaic <archaic AT linuxfromscratch DOT org>
+Date: 2007-04-28
+Initial Package Version: 1.1.1
+Upstream Status: Applied
+Origin: http://xorg.freedesktop.org/archive/X11R7.2/patches/
+Description: Fixes possible memory corruption from specially crafted images.
+http://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.html
+
+diff -Naur libX11-1.1.1.orig/src/ImUtil.c libX11-1.1.1/src/ImUtil.c
+--- libX11-1.1.1.orig/src/ImUtil.c	2006-09-25 10:57:47.000000000 +0000
++++ libX11-1.1.1/src/ImUtil.c	2007-04-29 01:48:51.000000000 +0000
+@@ -327,12 +327,13 @@
+ {
+ 	register XImage *image;
+ 	int bits_per_pixel = 1;
++	int min_bytes_per_line;
+ 
+ 	if (depth == 0 || depth > 32 ||
+ 	    (format != XYBitmap && format != XYPixmap && format != ZPixmap) ||
+ 	    (format == XYBitmap && depth != 1) ||
+ 	    (xpad != 8 && xpad != 16 && xpad != 32) ||
+-	    offset < 0 || image_bytes_per_line < 0)
++	    offset < 0)
+ 	    return (XImage *) NULL;
+ 	if ((image = (XImage *) Xcalloc(1, (unsigned) sizeof(XImage))) == NULL)
+ 	    return (XImage *) NULL;
+@@ -363,16 +364,21 @@
+ 	/*
+ 	 * compute per line accelerator.
+ 	 */
+-	if (image_bytes_per_line == 0)
+ 	{
+ 	if (format == ZPixmap)
+-	    image->bytes_per_line = 
++	    min_bytes_per_line = 
+ 	       ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+ 	else
+-	    image->bytes_per_line =
++	    min_bytes_per_line =
+ 	        ROUNDUP((width + offset), image->bitmap_pad);
+ 	}
+-	else image->bytes_per_line = image_bytes_per_line;
++	if (image_bytes_per_line == 0) {
++	    image->bytes_per_line = min_bytes_per_line;
++	} else if (image_bytes_per_line < min_bytes_per_line) {
++	    return 0;
++	} else {
++	    image->bytes_per_line = image_bytes_per_line;
++	}
+ 
+ 	image->bits_per_pixel = bits_per_pixel;
+ 	image->obdata = NULL;
+@@ -384,7 +390,11 @@
+ Status XInitImage (image)
+     XImage *image;
+ {
++	int min_bytes_per_line;
++
+ 	if (image->depth == 0 || image->depth > 32 ||
++	    image->bits_per_pixel > 32 || image->bitmap_unit > 32 ||
++	    image->bits_per_pixel < 0 || image->bitmap_unit < 0 ||
+ 	    (image->format != XYBitmap &&
+ 	     image->format != XYPixmap &&
+ 	     image->format != ZPixmap) ||
+@@ -392,21 +402,24 @@
+ 	    (image->bitmap_pad != 8 &&
+ 	     image->bitmap_pad != 16 &&
+ 	     image->bitmap_pad != 32) ||
+-	    image->xoffset < 0 || image->bytes_per_line < 0)
++	    image->xoffset < 0)
+ 	    return 0;
+ 
+ 	/*
+ 	 * compute per line accelerator.
+ 	 */
+-	if (image->bytes_per_line == 0)
+-	{
+ 	if (image->format == ZPixmap)
+-	    image->bytes_per_line = 
++	    min_bytes_per_line = 
+ 	       ROUNDUP((image->bits_per_pixel * image->width),
+ 		       image->bitmap_pad);
+ 	else
+-	    image->bytes_per_line =
++	    min_bytes_per_line =
+ 	        ROUNDUP((image->width + image->xoffset), image->bitmap_pad);
++
++	if (image->bytes_per_line == 0) {
++	    image->bytes_per_line = min_bytes_per_line;
++	} else if (image->bytes_per_line < min_bytes_per_line) {
++	    return 0;
+ 	}
+ 
+ 	_XInitImageFuncPtrs (image);
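Review bot: In the XCreateImage part of the ImUtil.c patch, the new `return 0;` taken when `image_bytes_per_line < min_bytes_per_line` runs after `image` was obtained from `Xcalloc` earlier in the function, and no free is visible on that path, so each rejected call appears to leak one XImage. Release it there and match the function's other error returns: `Xfree((char *) image); return (XImage *) NULL;`. Separately, `min_bytes_per_line` is an `int` derived from `bits_per_pixel * width` (and from `image->bits_per_pixel * image->width` in XInitImage), so a very large width could presumably still wrap that product before the comparison; this should be confirmed against how width is bounded elsewhere. Both functions begin and end outside the quoted hunks.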

Added: trunk/xorg/libXfont-1.2.7-bdf_fontsdir-1.patch
===================================================================
--- trunk/xorg/libXfont-1.2.7-bdf_fontsdir-1.patch	                        (rev 0)
+++ trunk/xorg/libXfont-1.2.7-bdf_fontsdir-1.patch	2007-04-29 02:32:38 UTC (rev 1803)
@@ -0,0 +1,58 @@
+Submitted By: Archaic <archaic AT linuxfromscratch DOT org>
+Date: 2007-04-28
+Initial Package Version: 1.2.7
+Upstream Status: Applied
+Origin: http://xorg.freedesktop.org/archive/X11R7.2/patches/
+Description: Fixes possible memory corruption from specially crafted images and
+a file parsing integer overflow.
+http://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.html
+
+diff -Naur libXfont-1.2.7.orig/src/bitmap/bdfread.c libXfont-1.2.7/src/bitmap/bdfread.c
+--- libXfont-1.2.7.orig/src/bitmap/bdfread.c	2006-07-04 18:55:31.000000000 +0000
++++ libXfont-1.2.7/src/bitmap/bdfread.c	2007-04-29 02:05:54.000000000 +0000
+@@ -65,6 +65,12 @@
+ #include <X11/fonts/bitmap.h>
+ #include <X11/fonts/bdfint.h>
+ 
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(INT32_MAX)
++#define INT32_MAX 0x7fffffff
++#endif
++
+ #define INDICES 256
+ #define MAXENCODING 0xFFFF
+ #define BDFLINELEN  1024
+@@ -288,6 +294,11 @@
+ 	bdfError("invalid number of CHARS in BDF file\n");
+ 	return (FALSE);
+     }
++    if (nchars > INT32_MAX / sizeof(CharInfoRec)) {
++	bdfError("Couldn't allocate pCI (%d*%d)\n", nchars,
++		 sizeof(CharInfoRec));
++	goto BAILOUT;
++    }
+     ci = (CharInfoPtr) xalloc(nchars * sizeof(CharInfoRec));
+     if (!ci) {
+ 	bdfError("Couldn't allocate pCI (%d*%d)\n", nchars,
+diff -Naur libXfont-1.2.7.orig/src/fontfile/fontdir.c libXfont-1.2.7/src/fontfile/fontdir.c
+--- libXfont-1.2.7.orig/src/fontfile/fontdir.c	2006-07-04 18:55:31.000000000 +0000
++++ libXfont-1.2.7/src/fontfile/fontdir.c	2007-04-29 02:05:54.000000000 +0000
+@@ -38,9 +38,17 @@
+ #include    <X11/fonts/fntfilst.h>
+ #include    <X11/keysym.h>
+ 
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(INT32_MAX)
++#define INT32_MAX 0x7fffffff
++#endif
++
+ Bool
+ FontFileInitTable (FontTablePtr table, int size)
+ {
++    if (size < 0 || (size > INT32_MAX/sizeof(FontEntryRec))) 
++	return FALSE;
+     if (size)
+     {
+ 	table->entries = (FontEntryPtr) xalloc(sizeof(FontEntryRec) * size);
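Review bot: The added `bdfError("Couldn't allocate pCI (%d*%d)\n", nchars, sizeof(CharInfoRec))` in bdfread.c passes a `size_t` where the format has `%d`, which is a mismatched argument wherever `size_t` is wider than `int`, assuming bdfError forwards to a printf-style formatter. Cast the operand, `(int) sizeof(CharInfoRec)`; the existing allocation-failure call just below has the same pattern. The rejection also reuses the allocation-failure text, so a log cannot tell a refused oversized CHARS count from an out-of-memory condition, and a distinct message would help anyone triaging a malformed font. A short comment on both new guards, such as `/* reject counts whose byte size would overflow the xalloc() argument */`, would record why the bound is `INT32_MAX / sizeof(...)`. The enclosing functions continue outside the hunks.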

Added: trunk/xorg/xorg-server-1.2.0-xcmisc-1.patch
===================================================================
--- trunk/xorg/xorg-server-1.2.0-xcmisc-1.patch	                        (rev 0)
+++ trunk/xorg/xorg-server-1.2.0-xcmisc-1.patch	2007-04-29 02:32:38 UTC (rev 1803)
@@ -0,0 +1,45 @@
+Submitted By: Archaic <archaic AT linuxfromscratch DOT org>
+Date: 2007-04-28
+Initial Package Version: 1.2.0
+Upstream Status: Applied
+Origin: http://xorg.freedesktop.org/archive/X11R7.2/patches/
+Description: Fixes possible integer overflow in XC-MISC extension.
+http://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.html
+
+diff -Naur xorg-server-1.2.0.orig/Xext/xcmisc.c xorg-server-1.2.0/Xext/xcmisc.c
+--- xorg-server-1.2.0.orig/Xext/xcmisc.c	2007-01-23 05:39:15.000000000 +0000
++++ xorg-server-1.2.0/Xext/xcmisc.c	2007-04-29 02:18:13.000000000 +0000
+@@ -42,6 +42,12 @@
+ #include <X11/extensions/xcmiscstr.h>
+ #include "modinit.h"
+ 
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ #if 0
+ static unsigned char XCMiscCode;
+ #endif
+@@ -143,7 +149,10 @@
+ 
+     REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
+ 
+-    pids = (XID *)ALLOCATE_LOCAL(stuff->count * sizeof(XID));
++    if (stuff->count > UINT32_MAX / sizeof(XID))
++	    return BadAlloc;
++
++    pids = (XID *)Xalloc(stuff->count * sizeof(XID));
+     if (!pids)
+     {
+ 	return BadAlloc;
+@@ -164,7 +173,7 @@
+     	client->pSwapReplyFunc = (ReplySwapPtr) Swap32Write;
+ 	WriteSwappedDataToClient(client, count * sizeof(XID), pids);
+     }
+-    DEALLOCATE_LOCAL(pids);
++    Xfree(pids);
+     return(client->noClientException);
+ }
+ 
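Review bot: The new guard `stuff->count > UINT32_MAX / sizeof(XID)` only stops the multiplication from wrapping, so a client-supplied count just under that bound still makes the server attempt an allocation approaching 4 GiB. A comment such as `/* count comes from the client request: reject sizes that would wrap; large but valid counts still reach Xalloc */` would make that remaining exposure explicit. Whether a tighter protocol-level cap is appropriate is worth checking. Moving from `ALLOCATE_LOCAL` to `Xalloc` also means every exit between the allocation and the final `Xfree(pids)` must now free the buffer. The lines between the two hunks are not shown, so any early return there should be verified. The function starts outside the hunk.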



