[X2Go-Commits] nx-libs.git - build-baikal (branch) updated: nx-X11/3.2.0-2

X2Go dev team git-admin at x2go.org
Fri Aug 30 16:23:26 CEST 2013


The branch, build-baikal has been updated
       via  30463b084b2833193aa6fdc2ceafefc8a1c06fee (commit)
      from  713da22603c4abc7a97feddd931f29c507b7984b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 nx-X11/CHANGELOG                                   |    7 +++++++
 nx-X11/CHANGELOG.NX.original                       |   11 +++++++++++
 nx-X11/programs/Xserver/Xext/security.c            |   10 +++++++---
 .../programs/Xserver/Xext/security.c.NX.original   |   10 +++++++---
 nx-X11/programs/Xserver/Xext/security.c.X.original |   10 +++++++---
 nx-X11/programs/Xserver/Xext/shm.c                 |   13 +++++++++++--
 nx-X11/programs/Xserver/record/record.c            |   16 +++++++++++++---
 nx-X11/programs/Xserver/render/glyph.c             |   14 ++++++++++++--
 nx-X11/programs/Xserver/render/render.c            |   18 ++++++++++++++----
 9 files changed, 89 insertions(+), 20 deletions(-)

The diff of changes is:
diff --git a/nx-X11/CHANGELOG b/nx-X11/CHANGELOG
index 7c8afed..60104c6 100644
--- a/nx-X11/CHANGELOG
+++ b/nx-X11/CHANGELOG
@@ -1,5 +1,12 @@
 ChangeLog:
 
+nx-X11-3.2.0-2
+
+- Imported patch fixing issues from  X.Org security advisory, June
+  11th, 2008: Multiple vulnerabilities in X server extensions. CVE
+  IDs: CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361,
+  CVE-2008-2362.
+
 nx-X11-3.2.0-1
 
 - Opened the 3.2.0 branch based on nx-X11-3.1.0-6.
diff --git a/nx-X11/CHANGELOG.NX.original b/nx-X11/CHANGELOG.NX.original
index 8225428..60104c6 100644
--- a/nx-X11/CHANGELOG.NX.original
+++ b/nx-X11/CHANGELOG.NX.original
@@ -1,5 +1,16 @@
 ChangeLog:
 
+nx-X11-3.2.0-2
+
+- Imported patch fixing issues from  X.Org security advisory, June
+  11th, 2008: Multiple vulnerabilities in X server extensions. CVE
+  IDs: CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361,
+  CVE-2008-2362.
+
+nx-X11-3.2.0-1
+
+- Opened the 3.2.0 branch based on nx-X11-3.1.0-6.
+
 nx-X11-3.1.0-6
 
 - Modified Xserver Imakefile to link the Xfixes library.
diff --git a/nx-X11/programs/Xserver/Xext/security.c b/nx-X11/programs/Xserver/Xext/security.c
index cee8935..e3cca43 100644
--- a/nx-X11/programs/Xserver/Xext/security.c
+++ b/nx-X11/programs/Xserver/Xext/security.c
@@ -813,15 +813,19 @@ SProcSecurityGenerateAuthorization(
     register char 	n;
     CARD32 *values;
     unsigned long nvalues;
+    int values_offset;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
     swaps(&stuff->nbytesAuthProto, n);
     swaps(&stuff->nbytesAuthData, n);
     swapl(&stuff->valueMask, n);
-    values = (CARD32 *)(&stuff[1]) +
-	((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
-	((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+		    ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    if (values_offset > 
+	stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+	return BadLength;
+    values = (CARD32 *)(&stuff[1]) + values_offset;
     nvalues = (((CARD32 *)stuff) + stuff->length) - values;
     SwapLongs(values, nvalues);
     return ProcSecurityGenerateAuthorization(client);
diff --git a/nx-X11/programs/Xserver/Xext/security.c.NX.original b/nx-X11/programs/Xserver/Xext/security.c.NX.original
index cee8935..e3cca43 100644
--- a/nx-X11/programs/Xserver/Xext/security.c.NX.original
+++ b/nx-X11/programs/Xserver/Xext/security.c.NX.original
@@ -813,15 +813,19 @@ SProcSecurityGenerateAuthorization(
     register char 	n;
     CARD32 *values;
     unsigned long nvalues;
+    int values_offset;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
     swaps(&stuff->nbytesAuthProto, n);
     swaps(&stuff->nbytesAuthData, n);
     swapl(&stuff->valueMask, n);
-    values = (CARD32 *)(&stuff[1]) +
-	((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
-	((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+		    ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    if (values_offset > 
+	stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+	return BadLength;
+    values = (CARD32 *)(&stuff[1]) + values_offset;
     nvalues = (((CARD32 *)stuff) + stuff->length) - values;
     SwapLongs(values, nvalues);
     return ProcSecurityGenerateAuthorization(client);
diff --git a/nx-X11/programs/Xserver/Xext/security.c.X.original b/nx-X11/programs/Xserver/Xext/security.c.X.original
index 765769a..c6a5167 100644
--- a/nx-X11/programs/Xserver/Xext/security.c.X.original
+++ b/nx-X11/programs/Xserver/Xext/security.c.X.original
@@ -652,15 +652,19 @@ SProcSecurityGenerateAuthorization(
     register char 	n;
     CARD32 *values;
     unsigned long nvalues;
+    int values_offset;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
     swaps(&stuff->nbytesAuthProto, n);
     swaps(&stuff->nbytesAuthData, n);
     swapl(&stuff->valueMask, n);
-    values = (CARD32 *)(&stuff[1]) +
-	((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
-	((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+		    ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    if (values_offset > 
+	stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+	return BadLength;
+    values = (CARD32 *)(&stuff[1]) + values_offset;
     nvalues = (((CARD32 *)stuff) + stuff->length) - values;
     SwapLongs(values, nvalues);
     return ProcSecurityGenerateAuthorization(client);
diff --git a/nx-X11/programs/Xserver/Xext/shm.c b/nx-X11/programs/Xserver/Xext/shm.c
index e2cf8cd..f25bb9b 100644
--- a/nx-X11/programs/Xserver/Xext/shm.c
+++ b/nx-X11/programs/Xserver/Xext/shm.c
@@ -863,8 +863,17 @@ ProcShmPutImage(client)
         return BadValue;
     }
 
-    VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
-		   client);
+    /* 
+     * There's a potential integer overflow in this check:
+     * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+     *                client);
+     * the version below ought to avoid it
+     */
+    if (stuff->totalHeight != 0 && 
+	length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
+	client->errorValue = stuff->totalWidth;
+	return BadValue;
+    }
     if (stuff->srcX > stuff->totalWidth)
     {
 	client->errorValue = stuff->srcX;
diff --git a/nx-X11/programs/Xserver/record/record.c b/nx-X11/programs/Xserver/record/record.c
index beea616..fd5e5db 100644
--- a/nx-X11/programs/Xserver/record/record.c
+++ b/nx-X11/programs/Xserver/record/record.c
@@ -2720,7 +2720,7 @@ SProcRecordQueryVersion(client)
 } /* SProcRecordQueryVersion */
 
 
-static void
+static int
 SwapCreateRegister(xRecordRegisterClientsReq *stuff)
 {
     register char n;
@@ -2731,11 +2731,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
     swapl(&stuff->nClients, n);
     swapl(&stuff->nRanges, n);
     pClientID = (XID *)&stuff[1];
+    if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
+	return BadLength;
     for (i = 0; i < stuff->nClients; i++, pClientID++)
     {
 	swapl(pClientID, n);
     }
+    if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
+	- stuff->nClients)
+	return BadLength;
     RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
+    return Success;
 } /* SwapCreateRegister */
 
 
@@ -2744,11 +2750,13 @@ SProcRecordCreateContext(client)
     ClientPtr client;
 {
     REQUEST(xRecordCreateContextReq);
+    int			status;
     register char 	n;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
-    SwapCreateRegister((pointer)stuff);
+    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+	return status;
     return ProcRecordCreateContext(client);
 } /* SProcRecordCreateContext */
 
@@ -2758,11 +2766,13 @@ SProcRecordRegisterClients(client)
     ClientPtr client;
 {
     REQUEST(xRecordRegisterClientsReq);
+    int			status;
     register char 	n;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
-    SwapCreateRegister((pointer)stuff);
+    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+	return status;
     return ProcRecordRegisterClients(client);
 } /* SProcRecordRegisterClients */
 
diff --git a/nx-X11/programs/Xserver/render/glyph.c b/nx-X11/programs/Xserver/render/glyph.c
index 45c5dd9..9f4d1c8 100644
--- a/nx-X11/programs/Xserver/render/glyph.c
+++ b/nx-X11/programs/Xserver/render/glyph.c
@@ -43,6 +43,12 @@
 #include "picturestr.h"
 #include "glyphstr.h"
 
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
 /*
  * From Knuth -- a good choice for hash/rehash values is p, p-2 where
  * p and p-2 are both prime.  These tables are sized to have an extra 10%
@@ -334,8 +340,12 @@ AllocateGlyph (xGlyphInfo *gi, int fdepth)
 {
     int		size;
     GlyphPtr	glyph;
-
-    size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
+    size_t	     padded_width;
+    
+    padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
+    if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
+	return 0;
+    size = gi->height * padded_width;
     glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
     if (!glyph)
 	return 0;
diff --git a/nx-X11/programs/Xserver/render/render.c b/nx-X11/programs/Xserver/render/render.c
index d2759ab..d25d497 100644
--- a/nx-X11/programs/Xserver/render/render.c
+++ b/nx-X11/programs/Xserver/render/render.c
@@ -1505,6 +1505,8 @@ ProcRenderCreateCursor (ClientPtr client)
     pScreen = pSrc->pDrawable->pScreen;
     width = pSrc->pDrawable->width;
     height = pSrc->pDrawable->height;
+    if (height && width > UINT32_MAX/(height*sizeof(CARD32)))
+	return BadAlloc;
     if ( stuff->x > width 
       || stuff->y > height )
 	return (BadMatch);
@@ -1918,6 +1920,8 @@ static int ProcRenderCreateLinearGradient (ClientPtr client)
     LEGAL_NEW_RESOURCE(stuff->pid, client);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
@@ -2489,18 +2493,18 @@ SProcRenderCreateSolidFill(ClientPtr client)
     return (*ProcRenderVector[stuff->renderReqType]) (client);
 }
 
-static void swapStops(void *stuff, int n)
+static void swapStops(void *stuff, int num)
 {
-    int i;
+    int i, n;
     CARD32 *stops;
     CARD16 *colors;
     stops = (CARD32 *)(stuff);
-    for (i = 0; i < n; ++i) {
+    for (i = 0; i < num; ++i) {
         swapl(stops, n);
         ++stops;
     }
     colors = (CARD16 *)(stops);
-    for (i = 0; i < 4*n; ++i) {
+    for (i = 0; i < 4*num; ++i) {
         swaps(stops, n);
         ++stops;
     }
@@ -2523,6 +2527,8 @@ SProcRenderCreateLinearGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
@@ -2550,6 +2556,8 @@ SProcRenderCreateRadialGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
@@ -2574,6 +2582,8 @@ SProcRenderCreateConicalGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 


hooks/post-receive
-- 
nx-libs.git (NX (redistributed))

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "nx-libs.git" (NX (redistributed)).




More information about the x2go-commits mailing list