Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 105889 Details for
Bug 157421
x11-base/xorg-server Multiple vulnerabilities in X.Org Render and DBE extensions (Vendor-Sec) (CVE-2006-610[1-3])
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
1.1.1-dbe-render.diff
1.1.1-dbe-render.diff (text/plain), 5.20 KB, created by
Joshua Baergen (RETIRED)
on 2007-01-07 17:22:28 UTC
(
hide
)
Description:
1.1.1-dbe-render.diff
Filename:
MIME Type:
Creator:
Joshua Baergen (RETIRED)
Created:
2007-01-07 17:22:28 UTC
Size:
5.20 KB
patch
obsolete
>diff --git a/dbe/dbe.c b/dbe/dbe.c >index 5b43dd1..6a2ed6a 100644 >--- a/dbe/dbe.c >+++ b/dbe/dbe.c >@@ -39,6 +39,11 @@ > #endif > > #include <string.h> >+#if HAVE_STDINT_T >+#include <stdint.h> >+#elif !defined(UINT32_MAX) >+#define UINT32_MAX 0xffffffffU >+#endif > > #include <X11/X.h> > #include <X11/Xproto.h> >@@ -713,11 +718,14 @@ ProcDbeSwapBuffers(ClientPtr client) > return(Success); > } > >+ if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec)) >+ return BadAlloc; >+ > /* Get to the swap info appended to the end of the request. */ > dbeSwapInfo = (xDbeSwapInfo *)&stuff[1]; > > /* Allocate array to record swap information. */ >- swapInfo = (DbeSwapInfoPtr)ALLOCATE_LOCAL(nStuff * sizeof(DbeSwapInfoRec)); >+ swapInfo = (DbeSwapInfoPtr)Xalloc(nStuff * sizeof(DbeSwapInfoRec)); > if (swapInfo == NULL) > { > return(BadAlloc); >@@ -732,14 +740,14 @@ ProcDbeSwapBuffers(ClientPtr client) > if (!(pWin = SecurityLookupWindow(dbeSwapInfo[i].window, client, > SecurityWriteAccess))) > { >- DEALLOCATE_LOCAL(swapInfo); >+ Xfree(swapInfo); > return(BadWindow); > } > > /* Each window must be double-buffered - BadMatch. */ > if (DBE_WINDOW_PRIV(pWin) == NULL) > { >- DEALLOCATE_LOCAL(swapInfo); >+ Xfree(swapInfo); > return(BadMatch); > } > >@@ -748,7 +756,7 @@ ProcDbeSwapBuffers(ClientPtr client) > { > if (dbeSwapInfo[i].window == dbeSwapInfo[j].window) > { >- DEALLOCATE_LOCAL(swapInfo); >+ Xfree(swapInfo); > return(BadMatch); > } > } >@@ -759,7 +767,7 @@ ProcDbeSwapBuffers(ClientPtr client) > (dbeSwapInfo[i].swapAction != XdbeUntouched ) && > (dbeSwapInfo[i].swapAction != XdbeCopied )) > { >- DEALLOCATE_LOCAL(swapInfo); >+ Xfree(swapInfo); > return(BadValue); > } > >@@ -789,12 +797,12 @@ ProcDbeSwapBuffers(ClientPtr client) > error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo); > if (error != Success) > { >- DEALLOCATE_LOCAL(swapInfo); >+ Xfree(swapInfo); > return(error); > } > } > >- DEALLOCATE_LOCAL(swapInfo); >+ Xfree(swapInfo); > return(Success); > > } /* ProcDbeSwapBuffers() */ >@@ -876,10 +884,12 @@ ProcDbeGetVisualInfo(ClientPtr client) > > REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq); > >+ if (stuff->n > UINT32_MAX / sizeof(DrawablePtr)) >+ return BadAlloc; > /* Make sure any specified drawables are valid. */ > if (stuff->n != 0) > { >- if (!(pDrawables = (DrawablePtr *)ALLOCATE_LOCAL(stuff->n * >+ if (!(pDrawables = (DrawablePtr *)Xalloc(stuff->n * > sizeof(DrawablePtr)))) > { > return(BadAlloc); >@@ -892,7 +902,7 @@ ProcDbeGetVisualInfo(ClientPtr client) > if (!(pDrawables[i] = (DrawablePtr)SecurityLookupDrawable( > drawables[i], client, SecurityReadAccess))) > { >- DEALLOCATE_LOCAL(pDrawables); >+ Xfree(pDrawables); > return(BadDrawable); > } > } >@@ -904,7 +914,7 @@ ProcDbeGetVisualInfo(ClientPtr client) > { > if (pDrawables) > { >- DEALLOCATE_LOCAL(pDrawables); >+ Xfree(pDrawables); > } > > return(BadAlloc); >@@ -931,7 +941,7 @@ ProcDbeGetVisualInfo(ClientPtr client) > /* Free pDrawables if we needed to allocate it above. */ > if (pDrawables) > { >- DEALLOCATE_LOCAL(pDrawables); >+ Xfree(pDrawables); > } > > return(BadAlloc); >@@ -1012,7 +1022,7 @@ ProcDbeGetVisualInfo(ClientPtr client) > > if (pDrawables) > { >- DEALLOCATE_LOCAL(pDrawables); >+ Xfree(pDrawables); > } > > return(client->noClientException); >diff --git a/render/render.c b/render/render.c >index e4d8d6b..55f360a 100644 >--- a/render/render.c >+++ b/render/render.c >@@ -47,6 +47,12 @@ > #include <X11/Xfuncproto.h> > #include "cursorstr.h" > >+#if HAVE_STDINT_H >+#include <stdint.h> >+#elif !defined(UINT32_MAX) >+#define UINT32_MAX 0xffffffffU >+#endif >+ > static int ProcRenderQueryVersion (ClientPtr pClient); > static int ProcRenderQueryPictFormats (ClientPtr pClient); > static int ProcRenderQueryPictIndexValues (ClientPtr pClient); >@@ -1103,11 +1109,14 @@ ProcRenderAddGlyphs (ClientPtr client) > } > > nglyphs = stuff->nglyphs; >+ if (nglyphs > UINT32_MAX / sizeof(GlyphNewRec)) >+ return BadAlloc; >+ > if (nglyphs <= NLOCALGLYPH) > glyphsBase = glyphsLocal; > else > { >- glyphsBase = (GlyphNewPtr) ALLOCATE_LOCAL (nglyphs * sizeof (GlyphNewRec)); >+ glyphsBase = (GlyphNewPtr) Xalloc (nglyphs * sizeof (GlyphNewRec)); > if (!glyphsBase) > return BadAlloc; > } >@@ -1164,7 +1173,7 @@ ProcRenderAddGlyphs (ClientPtr client) > } > > if (glyphsBase != glyphsLocal) >- DEALLOCATE_LOCAL (glyphsBase); >+ Xfree (glyphsBase); > return client->noClientException; > bail: > while (glyphs != glyphsBase) >@@ -1173,7 +1182,7 @@ bail: > xfree (glyphs->glyph); > } > if (glyphsBase != glyphsLocal) >- DEALLOCATE_LOCAL (glyphsBase); >+ Xfree (glyphsBase); > return err; > } >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 157421
:
105779
|
105781
|
105783
|
105785
|
105885
|
105887
| 105889 |
105891