Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/x11-base/xorg-server/files/1.4-0007-CVE-2007-6429-Don-t-spuriously-reject-8bpp-shm-pix.patch
blob: 903f2be0efc9882de6c69538d874d6f7a59f04a3 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85

From e9fa7c1c88a8130a48f772c92b186b8b777986b5 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Fri, 18 Jan 2008 14:41:20 -0500
Subject: [PATCH] CVE-2007-6429: Don't spuriously reject <8bpp shm pixmaps.

Move size validation after depth validation, and only validate size if
the bpp of the pixmap format is > 8.  If bpp < 8 then we're already
protected from overflow by the width and height checks.
---
 Xext/shm.c |   36 ++++++++++++++++++++----------------
 1 files changed, 20 insertions(+), 16 deletions(-)

diff --git a/Xext/shm.c b/Xext/shm.c
index c545e49..e46f6fc 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -783,14 +783,6 @@ ProcPanoramiXShmCreatePixmap(
     }
     if (width > 32767 || height > 32767)
         return BadAlloc;
-    size = PixmapBytePad(width, depth) * height;
-    if (sizeof(size) == 4) {
-        if (size < width * height)
-            return BadAlloc;
-        /* thankfully, offset is unsigned */
-        if (stuff->offset + size < size)
-            return BadAlloc;
-    }
 
     if (stuff->depth != 1)
     {
@@ -801,7 +793,17 @@ ProcPanoramiXShmCreatePixmap(
 	client->errorValue = stuff->depth;
         return BadValue;
     }
+
 CreatePmap:
+    size = PixmapBytePad(width, depth) * height;
+    if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+        if (size < width * height)
+            return BadAlloc;
+        /* thankfully, offset is unsigned */
+        if (stuff->offset + size < size)
+            return BadAlloc;
+    }
+
     VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
 
     if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
@@ -1126,14 +1128,6 @@ ProcShmCreatePixmap(client)
     }
     if (width > 32767 || height > 32767)
 	return BadAlloc;
-    size = PixmapBytePad(width, depth) * height;
-    if (sizeof(size) == 4) {
-	if (size < width * height)
-	    return BadAlloc;
-	/* thankfully, offset is unsigned */
-	if (stuff->offset + size < size)
-	    return BadAlloc;
-    }
 
     if (stuff->depth != 1)
     {
@@ -1144,7 +1138,17 @@ ProcShmCreatePixmap(client)
 	client->errorValue = stuff->depth;
         return BadValue;
     }
+
 CreatePmap:
+    size = PixmapBytePad(width, depth) * height;
+    if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+	if (size < width * height)
+	    return BadAlloc;
+	/* thankfully, offset is unsigned */
+	if (stuff->offset + size < size)
+	    return BadAlloc;
+    }
+
     VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
     pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
 			    pDraw->pScreen, stuff->width,
-- 
1.5.3.8