[X2Go-Commits] nx-libs.git - build-main (branch) updated: nxagent/3.1.0-7
X2Go dev team
git-admin at x2go.org
Fri Aug 30 16:22:00 CEST 2013
The branch, build-main has been updated
via 266b5554943baffafbf1d574f567283cc9792278 (commit)
from 3e7c6697ac2631a215691c8d23a32a790db33b85 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
nx-X11/programs/Xserver/hw/nxagent/CHANGELOG | 10 ++++
nx-X11/programs/Xserver/hw/nxagent/Drawable.c | 16 +++++++
nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c | 7 +++
.../Xserver/hw/nxagent/X/NXdixfonts.c.NX.original | 7 +++
.../Xserver/hw/nxagent/X/NXdixfonts.c.X.original | 7 +++
nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c | 50 ++++++++++++++++----
.../Xserver/hw/nxagent/X/NXshm.c.NX.original | 50 ++++++++++++++++----
.../Xserver/hw/nxagent/X/NXshm.c.X.original | 50 ++++++++++++++++----
8 files changed, 173 insertions(+), 24 deletions(-)
The diff of changes is:
diff --git a/nx-X11/programs/Xserver/hw/nxagent/CHANGELOG b/nx-X11/programs/Xserver/hw/nxagent/CHANGELOG
index e913874..285ecb6 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/CHANGELOG
+++ b/nx-X11/programs/Xserver/hw/nxagent/CHANGELOG
@@ -1,5 +1,15 @@
ChangeLog:
+nxagent-3.1.0-7
+
+- Imported patch fixing issues from X.Org security advisory, January
+ 17th, 2008: Multiple vulnerabilities in the X server. CVE IDs:
+ CVE-2007-5760 CVE-2007-5958 CVE-2007-6427 CVE-2007-6428
+ CVE-2007-6429 CVE-2008-0006.
+
+- Handled the case if nxagentCreateDrawableBitmap() fails to create
+ the pixmap intended to store the bitmap data.
+
nxagent-3.1.0-6
- Fixed a compile warning in Args.c.
diff --git a/nx-X11/programs/Xserver/hw/nxagent/Drawable.c b/nx-X11/programs/Xserver/hw/nxagent/Drawable.c
index 1644d51..abc228e 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/Drawable.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/Drawable.c
@@ -2609,8 +2609,24 @@ void nxagentCreateDrawableBitmap(DrawablePtr pDrawable)
goto nxagentCreateDrawableBitmapEnd;
}
+ /*
+ * FIXME: A better way it would be create the bitmap
+ * with the same extents of the clipRegion. This
+ * requires to save the offset with respect to the
+ * drawable origin like in the backing store.
+ */
+
pBitmap = nxagentCreatePixmap(pDrawable -> pScreen, pDrawable -> width, pDrawable -> height, pDrawable -> depth);
+ if (pBitmap == NULL)
+ {
+ #ifdef WARNING
+ fprintf(stderr, "nxagentCreateDrawableBitmap: Cannot create pixmap for the bitmap data.\n");
+ #endif
+
+ goto nxagentCreateDrawableBitmapEnd;
+ }
+
pGC = GetScratchGC(pBitmap -> drawable.depth, pBitmap -> drawable.pScreen);
ValidateGC((DrawablePtr) pBitmap, pGC);
diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c
index 6dfff37..b431796 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c
@@ -437,6 +437,13 @@ doOpenFont(ClientPtr client, OFclosurePtr c)
err = BadFontName;
goto bail;
}
+ /* check values for firstCol, lastCol, firstRow, and lastRow */
+ if (pfont->info.firstCol > pfont->info.lastCol ||
+ pfont->info.firstRow > pfont->info.lastRow ||
+ pfont->info.lastCol - pfont->info.firstCol > 255) {
+ err = AllocError;
+ goto bail;
+ }
if (!pfont->fpe)
pfont->fpe = fpe;
pfont->refcnt++;
diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.NX.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.NX.original
index 6dfff37..b431796 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.NX.original
+++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.NX.original
@@ -437,6 +437,13 @@ doOpenFont(ClientPtr client, OFclosurePtr c)
err = BadFontName;
goto bail;
}
+ /* check values for firstCol, lastCol, firstRow, and lastRow */
+ if (pfont->info.firstCol > pfont->info.lastCol ||
+ pfont->info.firstRow > pfont->info.lastRow ||
+ pfont->info.lastCol - pfont->info.firstCol > 255) {
+ err = AllocError;
+ goto bail;
+ }
if (!pfont->fpe)
pfont->fpe = fpe;
pfont->refcnt++;
diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.X.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.X.original
index 9de9984..2c5874e 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.X.original
+++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXdixfonts.c.X.original
@@ -336,6 +336,13 @@ doOpenFont(ClientPtr client, OFclosurePtr c)
err = BadFontName;
goto bail;
}
+ /* check values for firstCol, lastCol, firstRow, and lastRow */
+ if (pfont->info.firstCol > pfont->info.lastCol ||
+ pfont->info.firstRow > pfont->info.lastRow ||
+ pfont->info.lastCol - pfont->info.firstCol > 255) {
+ err = AllocError;
+ goto bail;
+ }
if (!pfont->fpe)
pfont->fpe = fpe;
pfont->refcnt++;
diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c
index 3aecaf2..e3e4f4b 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c
@@ -832,6 +832,8 @@ ProcPanoramiXShmCreatePixmap(
int i, j, result;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
PanoramiXRes *newPix;
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
@@ -841,11 +843,18 @@ ProcPanoramiXShmCreatePixmap(
LEGAL_NEW_RESOURCE(stuff->pid, client);
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
{
client->errorValue = 0;
return BadValue;
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
@@ -855,10 +864,18 @@ ProcPanoramiXShmCreatePixmap(
client->errorValue = stuff->depth;
return BadValue;
}
+
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
return BadAlloc;
@@ -1174,6 +1191,8 @@ ProcShmCreatePixmap(client)
register int i;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
client->errorValue = stuff->pid;
@@ -1182,11 +1201,18 @@ ProcShmCreatePixmap(client)
LEGAL_NEW_RESOURCE(stuff->pid, client);
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
{
client->errorValue = 0;
return BadValue;
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
@@ -1196,10 +1222,18 @@ ProcShmCreatePixmap(client)
client->errorValue = stuff->depth;
return BadValue;
}
+
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
pDraw->pScreen, stuff->width,
stuff->height, stuff->depth,
diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.NX.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.NX.original
index 3aecaf2..e3e4f4b 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.NX.original
+++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.NX.original
@@ -832,6 +832,8 @@ ProcPanoramiXShmCreatePixmap(
int i, j, result;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
PanoramiXRes *newPix;
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
@@ -841,11 +843,18 @@ ProcPanoramiXShmCreatePixmap(
LEGAL_NEW_RESOURCE(stuff->pid, client);
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
{
client->errorValue = 0;
return BadValue;
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
@@ -855,10 +864,18 @@ ProcPanoramiXShmCreatePixmap(
client->errorValue = stuff->depth;
return BadValue;
}
+
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
return BadAlloc;
@@ -1174,6 +1191,8 @@ ProcShmCreatePixmap(client)
register int i;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
client->errorValue = stuff->pid;
@@ -1182,11 +1201,18 @@ ProcShmCreatePixmap(client)
LEGAL_NEW_RESOURCE(stuff->pid, client);
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
{
client->errorValue = 0;
return BadValue;
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
@@ -1196,10 +1222,18 @@ ProcShmCreatePixmap(client)
client->errorValue = stuff->depth;
return BadValue;
}
+
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
pDraw->pScreen, stuff->width,
stuff->height, stuff->depth,
diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original
index 806008c..e2cf8cd 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original
+++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original
@@ -728,6 +728,8 @@ ProcPanoramiXShmCreatePixmap(
int i, j, result;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
PanoramiXRes *newPix;
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
@@ -737,11 +739,18 @@ ProcPanoramiXShmCreatePixmap(
LEGAL_NEW_RESOURCE(stuff->pid, client);
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
{
client->errorValue = 0;
return BadValue;
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
@@ -751,10 +760,18 @@ ProcPanoramiXShmCreatePixmap(
client->errorValue = stuff->depth;
return BadValue;
}
+
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
return BadAlloc;
@@ -1052,6 +1069,8 @@ ProcShmCreatePixmap(client)
register int i;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
client->errorValue = stuff->pid;
@@ -1060,11 +1079,18 @@ ProcShmCreatePixmap(client)
LEGAL_NEW_RESOURCE(stuff->pid, client);
VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
{
client->errorValue = 0;
return BadValue;
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
@@ -1074,10 +1100,18 @@ ProcShmCreatePixmap(client)
client->errorValue = stuff->depth;
return BadValue;
}
+
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
pDraw->pScreen, stuff->width,
stuff->height, stuff->depth,
hooks/post-receive
--
nx-libs.git (NX (redistributed))
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "nx-libs.git" (NX (redistributed)).
More information about the x2go-commits
mailing list