Gentoo's Bugzilla – Attachment 155985 Details for
Bug 225419
x11-base/xorg-server Multiple vulnerabilities in X server extensions (CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361, CVE-2008-2362)
cve-2008-1377
xorg-xserver-1.4-cve-2008-1377.diff (text/plain), 2.84 KB, created by
Matthias Geerdsen (RETIRED)
on 2008-06-08 18:44:11 UTC
Description:
cve-2008-1377
Filename:
MIME Type:
Creator:
Matthias Geerdsen (RETIRED)
Created:
2008-06-08 18:44:11 UTC
Size:
2.84 KB
>diff --git a/Xext/security.c b/Xext/security.c
>index ba057de..f34c463 100644
>--- a/Xext/security.c
>+++ b/Xext/security.c
>@@ -651,15 +651,19 @@ SProcSecurityGenerateAuthorization(
> register char n;
> CARD32 *values;
> unsigned long nvalues;
>+ int values_offset;
>
> swaps(&stuff->length, n);
> REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
> swaps(&stuff->nbytesAuthProto, n);
> swaps(&stuff->nbytesAuthData, n);
> swapl(&stuff->valueMask, n);
>- values = (CARD32 *)(&stuff[1]) +
>- ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
>- ((stuff->nbytesAuthData + (unsigned)3) >> 2);
>+ values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
>+ ((stuff->nbytesAuthData + (unsigned)3) >> 2);
>+ if (values_offset >
>+ stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
>+ return BadLength;
>+ values = (CARD32 *)(&stuff[1]) + values_offset;
> nvalues = (((CARD32 *)stuff) + stuff->length) - values;
> SwapLongs(values, nvalues);
> return ProcSecurityGenerateAuthorization(client);
>diff --git a/record/record.c b/record/record.c
>index 0ed8f84..9a166d6 100644
>--- a/record/record.c
>+++ b/record/record.c
>@@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client)
> } /* SProcRecordQueryVersion */
>
>
>-static void
>+static int
> SwapCreateRegister(xRecordRegisterClientsReq *stuff)
> {
> register char n;
>@@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
> swapl(&stuff->nClients, n);
> swapl(&stuff->nRanges, n);
> pClientID = (XID *)&stuff[1];
>+ if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
>+ return BadLength;
> for (i = 0; i < stuff->nClients; i++, pClientID++)
> {
> swapl(pClientID, n);
> }
>+ if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
>+ - stuff->nClients)
>+ return BadLength;
> RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
>+ return Success;
> } /* SwapCreateRegister */
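Review bot: The new bound in SProcSecurityGenerateAuthorization has no comment saying what it protects or which units it works in. Both sides of the comparison are counts of 4-byte words, and the check is what stops `values` from landing past the end of the request, which would make the pointer difference stored in the `unsigned long nvalues` wrap to a very large count before `SwapLongs` runs. A comment above the `if` such as `/* offsets are in 4-byte words; reject before nvalues can wrap */` would record that. It would also help to note that `values_offset` is deliberately a signed `int`, so a negative right-hand side still fails the check. The function starts and ends outside the hunk, so the field types of `stuff` are assumed rather than visible here.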
>
>
>@@ -2679,11 +2685,13 @@ static int
> SProcRecordCreateContext(ClientPtr client)
> {
> REQUEST(xRecordCreateContextReq);
>+ int status;
> register char n;
>
> swaps(&stuff->length, n);
> REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
>- SwapCreateRegister((pointer)stuff);
>+ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
>+ return status;
> return ProcRecordCreateContext(client);
> } /* SProcRecordCreateContext */
>
>@@ -2692,11 +2700,13 @@ static int
> SProcRecordRegisterClients(ClientPtr client)
> {
> REQUEST(xRecordRegisterClientsReq);
>+ int status;
> register char n;
>
> swaps(&stuff->length, n);
> REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
>- SwapCreateRegister((pointer)stuff);
>+ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
>+ return status;
> return ProcRecordRegisterClients(client);
> } /* SProcRecordRegisterClients */
>
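Review bot: The second check in SwapCreateRegister compares `stuff->nRanges`, a count of `xRecordRange` records, against the remaining request length in 4-byte words, so it bounds the ranges correctly only if one record is one word long. The struct definition is outside this diff; if `xRecordRange` is larger, `RecordSwapRanges` can still be given a count that runs past the end of the request. Dividing the remainder by the record size would close that gap, e.g. `if (stuff->nRanges > (stuff->length - (sz_xRecordRegisterClientsReq >> 2) - stuff->nClients) / (sizeof(xRecordRange) >> 2))`. Both checks also presumably rely on the callers' `REQUEST_AT_LEAST_SIZE` to guarantee that `stuff->length` is at least `sz_xRecordRegisterClientsReq >> 2`, since a smaller value compared against an unsigned `nClients` would turn the subtraction into a very large bound. A one-line comment stating that precondition would help.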
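Review bot: SProcRecordCreateContext declares `stuff` as `xRecordCreateContextReq` but passes it through `(pointer)` to SwapCreateRegister, which now validates lengths against `sz_xRecordRegisterClientsReq`. The new check is correct on this path only if the two request structs have the same size and field layout. Neither definition is visible in this diff, so the assumption is worth writing down above the call, e.g. `/* xRecordCreateContextReq and xRecordRegisterClientsReq share one layout; SwapCreateRegister checks against the latter */`. The matching change in SProcRecordRegisterClients passes the type the helper expects and raises no such question.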