kwizart / rpms / xorg-x11-server

Forked from rpms/xorg-x11-server 4 years ago
Clone
Source Code
GIT

Files

  1.   08344a2a452125a207561992ef99c81588952282
  2.   cve-2007-6427.patch
Blob Blame History Raw 
From dd5e0f5cd5f3a87fee86d99c073ffa7cf89b0a27 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@bluenote.herrb.com>
Date: Thu, 17 Jan 2008 15:27:34 +0100
Subject: [PATCH] Fix for CVE-2007-6427 - Xinput extension memory corruption.

---
 Xi/chgfctl.c  |    7 +------
 Xi/chgkmap.c  |   14 +++++++-------
 Xi/chgprop.c  |   10 +++-------
 Xi/grabdev.c  |   12 +++++-------
 Xi/grabdevb.c |   10 +++-------
 Xi/grabdevk.c |    9 ++-------
 Xi/selectev.c |   11 ++++-------
 Xi/sendexev.c |   14 ++++++++------
 8 files changed, 33 insertions(+), 54 deletions(-)

diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
index 8fc24d5..696b74a 100644
--- a/Xi/chgfctl.c
+++ b/Xi/chgfctl.c
@@ -302,18 +302,13 @@ ChangeStringFeedback(ClientPtr client, DeviceIntPtr dev,
 		     xStringFeedbackCtl * f)
 {
     char n;
-    long *p;
     int i, j;
     KeySym *syms, *sup_syms;
 
     syms = (KeySym *) (f + 1);
     if (client->swapped) {
 	swaps(&f->length, n);	/* swapped num_keysyms in calling proc */
-	p = (long *)(syms);
-	for (i = 0; i < f->num_keysyms; i++) {
-	    swapl(p, n);
-	    p++;
-	}
+	SwapLongs((CARD32 *) syms, f->num_keysyms);
     }
 
     if (f->num_keysyms > s->ctrl.max_symbols)
diff --git a/Xi/chgkmap.c b/Xi/chgkmap.c
index 3361e98..df334c1 100644
--- a/Xi/chgkmap.c
+++ b/Xi/chgkmap.c
@@ -75,18 +75,14 @@ int
 SProcXChangeDeviceKeyMapping(ClientPtr client)
 {
     char n;
-    long *p;
-    int i, count;
+    unsigned int count;
 
     REQUEST(xChangeDeviceKeyMappingReq);
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
-    p = (long *)&stuff[1];
     count = stuff->keyCodes * stuff->keySymsPerKeyCode;
-    for (i = 0; i < count; i++) {
-	swapl(p, n);
-	p++;
-    }
+    REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
+    SwapLongs((CARD32 *) (&stuff[1]), count);
     return (ProcXChangeDeviceKeyMapping(client));
 }
 
@@ -102,10 +98,14 @@ ProcXChangeDeviceKeyMapping(ClientPtr client)
     int ret;
     unsigned len;
     DeviceIntPtr dev;
+    unsigned int count;
 
     REQUEST(xChangeDeviceKeyMappingReq);
     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
 
+    count = stuff->keyCodes * stuff->keySymsPerKeyCode;
+    REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
+
     ret = dixLookupDevice(&dev, stuff->deviceid, client, DixSetAttrAccess);
     if (ret != Success)
 	return ret;
diff --git a/Xi/chgprop.c b/Xi/chgprop.c
index 58db886..3fb33e1 100644
--- a/Xi/chgprop.c
+++ b/Xi/chgprop.c
@@ -77,19 +77,15 @@ int
 SProcXChangeDeviceDontPropagateList(ClientPtr client)
 {
     char n;
-    long *p;
-    int i;
 
     REQUEST(xChangeDeviceDontPropagateListReq);
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
     swapl(&stuff->window, n);
     swaps(&stuff->count, n);
-    p = (long *)&stuff[1];
-    for (i = 0; i < stuff->count; i++) {
-	swapl(p, n);
-	p++;
-    }
+    REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
+                      stuff->count * sizeof(CARD32));
+    SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
     return (ProcXChangeDeviceDontPropagateList(client));
 }
 
diff --git a/Xi/grabdev.c b/Xi/grabdev.c
index 110fc6b..0671e0e 100644
--- a/Xi/grabdev.c
+++ b/Xi/grabdev.c
@@ -78,8 +78,6 @@ int
 SProcXGrabDevice(ClientPtr client)
 {
     char n;
-    long *p;
-    int i;
 
     REQUEST(xGrabDeviceReq);
     swaps(&stuff->length, n);
@@ -87,11 +85,11 @@ SProcXGrabDevice(ClientPtr client)
     swapl(&stuff->grabWindow, n);
     swapl(&stuff->time, n);
     swaps(&stuff->event_count, n);
-    p = (long *)&stuff[1];
-    for (i = 0; i < stuff->event_count; i++) {
-	swapl(p, n);
-	p++;
-    }
+
+    if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
+       return BadLength;
+    
+    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
 
     return (ProcXGrabDevice(client));
 }
diff --git a/Xi/grabdevb.c b/Xi/grabdevb.c
index c2661e8..ce0dcc5 100644
--- a/Xi/grabdevb.c
+++ b/Xi/grabdevb.c
@@ -77,8 +77,6 @@ int
 SProcXGrabDeviceButton(ClientPtr client)
 {
     char n;
-    long *p;
-    int i;
 
     REQUEST(xGrabDeviceButtonReq);
     swaps(&stuff->length, n);
@@ -86,11 +84,9 @@ SProcXGrabDeviceButton(ClientPtr client)
     swapl(&stuff->grabWindow, n);
     swaps(&stuff->modifiers, n);
     swaps(&stuff->event_count, n);
-    p = (long *)&stuff[1];
-    for (i = 0; i < stuff->event_count; i++) {
-	swapl(p, n);
-	p++;
-    }
+    REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
+                      stuff->event_count * sizeof(CARD32));
+    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
 
     return (ProcXGrabDeviceButton(client));
 }
diff --git a/Xi/grabdevk.c b/Xi/grabdevk.c
index 43b1928..d4b7fe8 100644
--- a/Xi/grabdevk.c
+++ b/Xi/grabdevk.c
@@ -77,8 +77,6 @@ int
 SProcXGrabDeviceKey(ClientPtr client)
 {
     char n;
-    long *p;
-    int i;
 
     REQUEST(xGrabDeviceKeyReq);
     swaps(&stuff->length, n);
@@ -86,11 +84,8 @@ SProcXGrabDeviceKey(ClientPtr client)
     swapl(&stuff->grabWindow, n);
     swaps(&stuff->modifiers, n);
     swaps(&stuff->event_count, n);
-    p = (long *)&stuff[1];
-    for (i = 0; i < stuff->event_count; i++) {
-	swapl(p, n);
-	p++;
-    }
+    REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
+    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
     return (ProcXGrabDeviceKey(client));
 }
 
diff --git a/Xi/selectev.c b/Xi/selectev.c
index b93618a..d3670ab 100644
--- a/Xi/selectev.c
+++ b/Xi/selectev.c
@@ -127,19 +127,16 @@ int
 SProcXSelectExtensionEvent(ClientPtr client)
 {
     char n;
-    long *p;
-    int i;
 
     REQUEST(xSelectExtensionEventReq);
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
     swapl(&stuff->window, n);
     swaps(&stuff->count, n);
-    p = (long *)&stuff[1];
-    for (i = 0; i < stuff->count; i++) {
-	swapl(p, n);
-	p++;
-    }
+    REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
+                      stuff->count * sizeof(CARD32));
+    SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
+
     return (ProcXSelectExtensionEvent(client));
 }
 
diff --git a/Xi/sendexev.c b/Xi/sendexev.c
index e4e38d7..588c910 100644
--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
@@ -80,7 +80,7 @@ int
 SProcXSendExtensionEvent(ClientPtr client)
 {
     char n;
-    long *p;
+    CARD32 *p;
     int i;
     xEvent eventT;
     xEvent *eventP;
@@ -91,6 +91,11 @@ SProcXSendExtensionEvent(ClientPtr client)
     REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
     swapl(&stuff->destination, n);
     swaps(&stuff->count, n);
+
+    if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
+       (stuff->num_events * (sizeof(xEvent) >> 2)))
+       return BadLength;
+
     eventP = (xEvent *) & stuff[1];
     for (i = 0; i < stuff->num_events; i++, eventP++) {
 	proc = EventSwapVector[eventP->u.u.type & 0177];
@@ -100,11 +105,8 @@ SProcXSendExtensionEvent(ClientPtr client)
 	*eventP = eventT;
     }
 
-    p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
-    for (i = 0; i < stuff->count; i++) {
-	swapl(p, n);
-	p++;
-    }
+    p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
+    SwapLongs(p, stuff->count);
     return (ProcXSendExtensionEvent(client));
 }
 
-- 
1.5.3.6
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.