Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 105885 Details for
Bug 157421
x11-base/xorg-server Multiple vulnerabilities in X.Org Render and DBE extensions (Vendor-Sec) (CVE-2006-610[1-3])
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
1.0.2-dbe-render.diff
1.0.2-dbe-render.diff (text/plain), 5.11 KB, created by
Joshua Baergen (RETIRED)
on 2007-01-07 17:21:13 UTC
(
hide
)
Description:
1.0.2-dbe-render.diff
Filename:
MIME Type:
Creator:
Joshua Baergen (RETIRED)
Created:
2007-01-07 17:21:13 UTC
Size:
5.11 KB
patch
obsolete
>--- dbe/dbe.c.old 2007-01-07 09:56:29.000000000 -0700 >+++ dbe/dbe.c 2007-01-07 10:00:13.000000000 -0700 >@@ -41,6 +41,12 @@ > #include <dix-config.h> > #endif > >+#if HAVE_STDINT_T >+#include <stdint.h> >+#elif !defined(UINT32_MAX) >+#define UINT32_MAX 0xffffffffU >+#endif >+ > #include <X11/X.h> > #include <X11/Xproto.h> > #include "scrnintstr.h" >@@ -733,11 +739,14 @@ ProcDbeSwapBuffers(client) > return(Success); > } > >+ if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec)) >+ return BadAlloc; >+ > /* Get to the swap info appended to the end of the request. */ > dbeSwapInfo = (xDbeSwapInfo *)&stuff[1]; > > /* Allocate array to record swap information. */ >- swapInfo = (DbeSwapInfoPtr)ALLOCATE_LOCAL(nStuff * sizeof(DbeSwapInfoRec)); >+ swapInfo = (DbeSwapInfoPtr)Xalloc(nStuff * sizeof(DbeSwapInfoRec)); > if (swapInfo == NULL) > { > return(BadAlloc); >@@ -752,14 +761,14 @@ ProcDbeSwapBuffers(client) > if (!(pWin = SecurityLookupWindow(dbeSwapInfo[i].window, client, > SecurityWriteAccess))) > { >- DEALLOCATE_LOCAL(swapInfo); >+ Xfree(swapInfo); > return(BadWindow); > } > > /* Each window must be double-buffered - BadMatch. */ > if (DBE_WINDOW_PRIV(pWin) == NULL) > { >- DEALLOCATE_LOCAL(swapInfo); >+ Xfree(swapInfo); > return(BadMatch); > } > >@@ -768,7 +777,7 @@ ProcDbeSwapBuffers(client) > { > if (dbeSwapInfo[i].window == dbeSwapInfo[j].window) > { >- DEALLOCATE_LOCAL(swapInfo); >+ Xfree(swapInfo); > return(BadMatch); > } > } >@@ -779,7 +788,7 @@ ProcDbeSwapBuffers(client) > (dbeSwapInfo[i].swapAction != XdbeUntouched ) && > (dbeSwapInfo[i].swapAction != XdbeCopied )) > { >- DEALLOCATE_LOCAL(swapInfo); >+ Xfree(swapInfo); > return(BadValue); > } > >@@ -809,12 +818,12 @@ ProcDbeSwapBuffers(client) > error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo); > if (error != Success) > { >- DEALLOCATE_LOCAL(swapInfo); >+ Xfree(swapInfo); > return(error); > } > } > >- DEALLOCATE_LOCAL(swapInfo); >+ Xfree(swapInfo); > return(Success); > > } /* ProcDbeSwapBuffers() */ >@@ -898,10 +907,12 @@ ProcDbeGetVisualInfo(client) > > REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq); > >+ if (stuff->n > UINT32_MAX / sizeof(DrawablePtr)) >+ return BadAlloc; > /* Make sure any specified drawables are valid. */ > if (stuff->n != 0) > { >- if (!(pDrawables = (DrawablePtr *)ALLOCATE_LOCAL(stuff->n * >+ if (!(pDrawables = (DrawablePtr *)Xalloc(stuff->n * > sizeof(DrawablePtr)))) > { > return(BadAlloc); >@@ -914,7 +925,7 @@ ProcDbeGetVisualInfo(client) > if (!(pDrawables[i] = (DrawablePtr)SecurityLookupDrawable( > drawables[i], client, SecurityReadAccess))) > { >- DEALLOCATE_LOCAL(pDrawables); >+ Xfree(pDrawables); > return(BadDrawable); > } > } >@@ -926,7 +937,7 @@ ProcDbeGetVisualInfo(client) > { > if (pDrawables) > { >- DEALLOCATE_LOCAL(pDrawables); >+ Xfree(pDrawables); > } > > return(BadAlloc); >@@ -953,7 +964,7 @@ ProcDbeGetVisualInfo(client) > /* Free pDrawables if we needed to allocate it above. */ > if (pDrawables) > { >- DEALLOCATE_LOCAL(pDrawables); >+ Xfree(pDrawables); > } > > return(BadAlloc); >@@ -1034,7 +1045,7 @@ ProcDbeGetVisualInfo(client) > > if (pDrawables) > { >- DEALLOCATE_LOCAL(pDrawables); >+ Xfree(pDrawables); > } > > return(client->noClientException); >--- render/render.c.old 2007-01-07 09:56:46.000000000 -0700 >+++ render/render.c 2007-01-07 09:58:10.000000000 -0700 >@@ -52,6 +52,12 @@ > #include "xf86_ansic.h" > #endif > >+#if HAVE_STDINT_H >+#include <stdint.h> >+#elif !defined(UINT32_MAX) >+#define UINT32_MAX 0xffffffffU >+#endif >+ > static int ProcRenderQueryVersion (ClientPtr pClient); > static int ProcRenderQueryPictFormats (ClientPtr pClient); > static int ProcRenderQueryPictIndexValues (ClientPtr pClient); >@@ -1108,11 +1114,14 @@ ProcRenderAddGlyphs (ClientPtr client) > } > > nglyphs = stuff->nglyphs; >+ if (nglyphs > UINT32_MAX / sizeof(GlyphNewRec)) >+ return BadAlloc; >+ > if (nglyphs <= NLOCALGLYPH) > glyphsBase = glyphsLocal; > else > { >- glyphsBase = (GlyphNewPtr) ALLOCATE_LOCAL (nglyphs * sizeof (GlyphNewRec)); >+ glyphsBase = (GlyphNewPtr) Xalloc (nglyphs * sizeof (GlyphNewRec)); > if (!glyphsBase) > return BadAlloc; > } >@@ -1169,7 +1178,7 @@ ProcRenderAddGlyphs (ClientPtr client) > } > > if (glyphsBase != glyphsLocal) >- DEALLOCATE_LOCAL (glyphsBase); >+ Xfree (glyphsBase); > return client->noClientException; > bail: > while (glyphs != glyphsBase) >@@ -1178,7 +1187,7 @@ bail: > xfree (glyphs->glyph); > } > if (glyphsBase != glyphsLocal) >- DEALLOCATE_LOCAL (glyphsBase); >+ Xfree (glyphsBase); > return err; > } >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 157421
:
105779
|
105781
|
105783
|
105785
| 105885 |
105887
|
105889
|
105891