CVE-2006-6101 CVE-2006-6102 CVE-2006-6103: The ProcDbeGetVisualInfo(),
ProcDbeSwapBuffers() and ProcRenderAddGlyphs() functions in the X server, implementing requests for the dbe and render extensions, may be used to overwrite data on the stack or in other parts of the X server memory.
parent
3fb8967270
commit
dedec17e25
@ -39,6 +39,11 @@
|
||||
#endif
|
||||
|
||||
#include <string.h>
|
||||
#if HAVE_STDINT_T
|
||||
#include <stdint.h>
|
||||
#elif !defined(UINT32_MAX)
|
||||
#define UINT32_MAX 0xffffffffU
|
||||
#endif
|
||||
|
||||
#include <X11/X.h>
|
||||
#include <X11/Xproto.h>
|
||||
@ -713,11 +718,14 @@ ProcDbeSwapBuffers(ClientPtr client)
|
||||
return(Success);
|
||||
}
|
||||
|
||||
if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
|
||||
return BadAlloc;
|
||||
|
||||
/* Get to the swap info appended to the end of the request. */
|
||||
dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
|
||||
|
||||
/* Allocate array to record swap information. */
|
||||
swapInfo = (DbeSwapInfoPtr)ALLOCATE_LOCAL(nStuff * sizeof(DbeSwapInfoRec));
|
||||
swapInfo = (DbeSwapInfoPtr)Xalloc(nStuff * sizeof(DbeSwapInfoRec));
|
||||
if (swapInfo == NULL)
|
||||
{
|
||||
return(BadAlloc);
|
||||
@ -732,14 +740,14 @@ ProcDbeSwapBuffers(ClientPtr client)
|
||||
if (!(pWin = SecurityLookupWindow(dbeSwapInfo[i].window, client,
|
||||
SecurityWriteAccess)))
|
||||
{
|
||||
DEALLOCATE_LOCAL(swapInfo);
|
||||
Xfree(swapInfo);
|
||||
return(BadWindow);
|
||||
}
|
||||
|
||||
/* Each window must be double-buffered - BadMatch. */
|
||||
if (DBE_WINDOW_PRIV(pWin) == NULL)
|
||||
{
|
||||
DEALLOCATE_LOCAL(swapInfo);
|
||||
Xfree(swapInfo);
|
||||
return(BadMatch);
|
||||
}
|
||||
|
||||
@ -748,7 +756,7 @@ ProcDbeSwapBuffers(ClientPtr client)
|
||||
{
|
||||
if (dbeSwapInfo[i].window == dbeSwapInfo[j].window)
|
||||
{
|
||||
DEALLOCATE_LOCAL(swapInfo);
|
||||
Xfree(swapInfo);
|
||||
return(BadMatch);
|
||||
}
|
||||
}
|
||||
@ -759,7 +767,7 @@ ProcDbeSwapBuffers(ClientPtr client)
|
||||
(dbeSwapInfo[i].swapAction != XdbeUntouched ) &&
|
||||
(dbeSwapInfo[i].swapAction != XdbeCopied ))
|
||||
{
|
||||
DEALLOCATE_LOCAL(swapInfo);
|
||||
Xfree(swapInfo);
|
||||
return(BadValue);
|
||||
}
|
||||
|
||||
@ -789,12 +797,12 @@ ProcDbeSwapBuffers(ClientPtr client)
|
||||
error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo);
|
||||
if (error != Success)
|
||||
{
|
||||
DEALLOCATE_LOCAL(swapInfo);
|
||||
Xfree(swapInfo);
|
||||
return(error);
|
||||
}
|
||||
}
|
||||
|
||||
DEALLOCATE_LOCAL(swapInfo);
|
||||
Xfree(swapInfo);
|
||||
return(Success);
|
||||
|
||||
} /* ProcDbeSwapBuffers() */
|
||||
@ -876,10 +884,12 @@ ProcDbeGetVisualInfo(ClientPtr client)
|
||||
|
||||
REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
|
||||
|
||||
if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
|
||||
return BadAlloc;
|
||||
/* Make sure any specified drawables are valid. */
|
||||
if (stuff->n != 0)
|
||||
{
|
||||
if (!(pDrawables = (DrawablePtr *)ALLOCATE_LOCAL(stuff->n *
|
||||
if (!(pDrawables = (DrawablePtr *)Xalloc(stuff->n *
|
||||
sizeof(DrawablePtr))))
|
||||
{
|
||||
return(BadAlloc);
|
||||
@ -892,7 +902,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
|
||||
if (!(pDrawables[i] = (DrawablePtr)SecurityLookupDrawable(
|
||||
drawables[i], client, SecurityReadAccess)))
|
||||
{
|
||||
DEALLOCATE_LOCAL(pDrawables);
|
||||
Xfree(pDrawables);
|
||||
return(BadDrawable);
|
||||
}
|
||||
}
|
||||
@ -904,7 +914,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
|
||||
{
|
||||
if (pDrawables)
|
||||
{
|
||||
DEALLOCATE_LOCAL(pDrawables);
|
||||
Xfree(pDrawables);
|
||||
}
|
||||
|
||||
return(BadAlloc);
|
||||
@ -931,7 +941,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
|
||||
/* Free pDrawables if we needed to allocate it above. */
|
||||
if (pDrawables)
|
||||
{
|
||||
DEALLOCATE_LOCAL(pDrawables);
|
||||
Xfree(pDrawables);
|
||||
}
|
||||
|
||||
return(BadAlloc);
|
||||
@ -1012,7 +1022,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
|
||||
|
||||
if (pDrawables)
|
||||
{
|
||||
DEALLOCATE_LOCAL(pDrawables);
|
||||
Xfree(pDrawables);
|
||||
}
|
||||
|
||||
return(client->noClientException);
|
||||
|
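Review bot: The new guards `nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec)` and `stuff->n > UINT32_MAX / sizeof(DrawablePtr)` stop the size multiplication from wrapping, but they do not tie the client-supplied count to the number of entries actually carried in the request, and the later code reads `dbeSwapInfo[i]` and `drawables[i]`, presumably up to that count. The length checks sit outside these hunks (only `REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq)` is visible), so this needs confirming; if nothing stricter exists, add e.g. `REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));` right after the overflow guard. The `nglyphs` guard in ProcRenderAddGlyphs raises the same question. Separately, the first hunk tests `#if HAVE_STDINT_T` where the render change tests `HAVE_STDINT_H`; it looks like a typo that skips `<stdint.h>` and falls through to the `#elif` branch, so it should read `#if HAVE_STDINT_H`.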
@ -47,6 +47,12 @@
|
||||
#include <X11/Xfuncproto.h>
|
||||
#include "cursorstr.h"
|
||||
|
||||
#if HAVE_STDINT_H
|
||||
#include <stdint.h>
|
||||
#elif !defined(UINT32_MAX)
|
||||
#define UINT32_MAX 0xffffffffU
|
||||
#endif
|
||||
|
||||
static int ProcRenderQueryVersion (ClientPtr pClient);
|
||||
static int ProcRenderQueryPictFormats (ClientPtr pClient);
|
||||
static int ProcRenderQueryPictIndexValues (ClientPtr pClient);
|
||||
@ -1103,11 +1109,14 @@ ProcRenderAddGlyphs (ClientPtr client)
|
||||
}
|
||||
|
||||
nglyphs = stuff->nglyphs;
|
||||
if (nglyphs > UINT32_MAX / sizeof(GlyphNewRec))
|
||||
return BadAlloc;
|
||||
|
||||
if (nglyphs <= NLOCALGLYPH)
|
||||
glyphsBase = glyphsLocal;
|
||||
else
|
||||
{
|
||||
glyphsBase = (GlyphNewPtr) ALLOCATE_LOCAL (nglyphs * sizeof (GlyphNewRec));
|
||||
glyphsBase = (GlyphNewPtr) Xalloc (nglyphs * sizeof (GlyphNewRec));
|
||||
if (!glyphsBase)
|
||||
return BadAlloc;
|
||||
}
|
||||
@ -1164,7 +1173,7 @@ ProcRenderAddGlyphs (ClientPtr client)
|
||||
}
|
||||
|
||||
if (glyphsBase != glyphsLocal)
|
||||
DEALLOCATE_LOCAL (glyphsBase);
|
||||
Xfree (glyphsBase);
|
||||
return client->noClientException;
|
||||
bail:
|
||||
while (glyphs != glyphsBase)
|
||||
@ -1173,7 +1182,7 @@ bail:
|
||||
xfree (glyphs->glyph);
|
||||
}
|
||||
if (glyphsBase != glyphsLocal)
|
||||
DEALLOCATE_LOCAL (glyphsBase);
|
||||
Xfree (glyphsBase);
|
||||
return err;
|
||||
}
|
||||
|
||||
|
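Review bot: Switching `glyphsBase` from `ALLOCATE_LOCAL` to `Xalloc` means any exit between the allocation and the two converted frees that does not pass through `bail:` would leak the heap buffer, which a client could trigger repeatedly. The hunks show only the success path and `bail:`; the function body between them is outside the view, so each `return` there should be checked. A comment at the allocation would keep this from regressing: `/* heap buffer when nglyphs > NLOCALGLYPH: every exit below must free it (via bail) */`. The frees in this function also mix `xfree (glyphs->glyph)` with `Xfree (glyphsBase)`; one spelling throughout would read more cleanly.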