Diffstat (limited to 'x11-base/xorg-server/files/xorg-xserver-1.4-cve-2008-1377.diff')
-rw-r--r--x11-base/xorg-server/files/xorg-xserver-1.4-cve-2008-1377.diff88
1 files changed, 88 insertions, 0 deletions
diff --git a/x11-base/xorg-server/files/xorg-xserver-1.4-cve-2008-1377.diff b/x11-base/xorg-server/files/xorg-xserver-1.4-cve-2008-1377.diff
new file mode 100644
index 0000000..4eb7e1d
--- /dev/null
+++ b/x11-base/xorg-server/files/xorg-xserver-1.4-cve-2008-1377.diff
@@ -0,0 +1,88 @@
+diff --git a/Xext/security.c b/Xext/security.c
+index ba057de..f34c463 100644
+--- a/Xext/security.c
++++ b/Xext/security.c
+@@ -651,15 +651,19 @@ SProcSecurityGenerateAuthorization(
+ register char n;
+ CARD32 *values;
+ unsigned long nvalues;
++ int values_offset;
+
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
+ swaps(&stuff->nbytesAuthProto, n);
+ swaps(&stuff->nbytesAuthData, n);
+ swapl(&stuff->valueMask, n);
+- values = (CARD32 *)(&stuff[1]) +
+- ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+- ((stuff->nbytesAuthData + (unsigned)3) >> 2);
++ values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
++ ((stuff->nbytesAuthData + (unsigned)3) >> 2);
++ if (values_offset >
++ stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
++ return BadLength;
++ values = (CARD32 *)(&stuff[1]) + values_offset;
+ nvalues = (((CARD32 *)stuff) + stuff->length) - values;
+ SwapLongs(values, nvalues);
+ return ProcSecurityGenerateAuthorization(client);
+diff --git a/record/record.c b/record/record.c
+index 0ed8f84..9a166d6 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client)
+ } /* SProcRecordQueryVersion */
+
+
+-static void
++static int
+ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
+ {
+ register char n;
+@@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
+ swapl(&stuff->nClients, n);
+ swapl(&stuff->nRanges, n);
+ pClientID = (XID *)&stuff[1];
++ if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
++ return BadLength;
+ for (i = 0; i < stuff->nClients; i++, pClientID++)
+ {
+ swapl(pClientID, n);
+ }
++ if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
++ - stuff->nClients)
++ return BadLength;
+ RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
++ return Success;
+ } /* SwapCreateRegister */
+
+
+@@ -2679,11 +2685,13 @@ static int
+ SProcRecordCreateContext(ClientPtr client)
+ {
+ REQUEST(xRecordCreateContextReq);
++ int status;
+ register char n;
+
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
+- SwapCreateRegister((pointer)stuff);
++ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
++ return status;
+ return ProcRecordCreateContext(client);
+ } /* SProcRecordCreateContext */
+
+@@ -2692,11 +2700,13 @@ static int
+ SProcRecordRegisterClients(ClientPtr client)
+ {
+ REQUEST(xRecordRegisterClientsReq);
++ int status;
+ register char n;
+
+ swaps(&stuff->length, n);
+ REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
+- SwapCreateRegister((pointer)stuff);
++ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
++ return status;
+ return ProcRecordRegisterClients(client);
+ } /* SProcRecordRegisterClients */
+
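Review bot: The second bound added in SwapCreateRegister (record/record.c), `stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2) - stuff->nClients`, compares a count of xRecordRange elements against the number of 4-byte words left in the request, so it is only tight if one range occupies exactly one word. RecordSwapRanges is handed `(xRecordRange *)pClientID` together with nRanges and byte-swaps that many whole structures; the wire structure is not defined on this page, but if it is larger than a word (confirm against the record protocol header) the swap can still run past the end of the request buffer for a byte-swapped client. Dividing the remaining length by the element size in words would close that, e.g. `if (stuff->nRanges > (stuff->length - (sz_xRecordRegisterClientsReq >> 2) - stuff->nClients) / (sz_xRecordRange >> 2)) return BadLength;`. Both new record.c tests also appear to compare an unsigned count with a difference that is only non-negative because the callers ran REQUEST_AT_LEAST_SIZE first, so a short comment above each test stating that precondition would keep a later caller from reintroducing the underflow.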