From 2300ed7f0a5632d99d04ec0f22189de66025e11b Mon Sep 17 00:00:00 2001
From: Dave Airlie <airlied@fedoraproject.org>
Date: Jan 18 2008 20:00:12 +0000
Subject: * Fri Jan 18 2008 Dave Airlie <airlied@redhat.com> 1.4.99.1-0.18

- cve-2007-6429.patch: Fix patch to not break java apps

---

diff --git a/cve-2007-6429.patch b/cve-2007-6429.patch
index 9cfc3a6..1fae920 100644
--- a/cve-2007-6429.patch
+++ b/cve-2007-6429.patch
@@ -1,69 +1,20 @@
-From 6de61f82728df22ea01f9659df6581b87f33f11d Mon Sep 17 00:00:00 2001
-From: Matthieu Herrb <matthieu@bluenote.herrb.com>
-Date: Thu, 17 Jan 2008 15:28:42 +0100
-Subject: [PATCH] Fix for CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows.
-
----
- Xext/EVI.c       |   15 ++++++++++++++-
- Xext/sampleEVI.c |   29 ++++++++++++++++++++++++-----
- Xext/shm.c       |   46 ++++++++++++++++++++++++++++++++++++++--------
- 3 files changed, 76 insertions(+), 14 deletions(-)
-
-diff --git a/Xext/EVI.c b/Xext/EVI.c
-index 4bd050c..a637bae 100644
---- a/Xext/EVI.c
-+++ b/Xext/EVI.c
-@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
- #include <X11/extensions/XEVIstr.h>
- #include "EVIstruct.h"
- #include "modinit.h"
-+#include "scrnintstr.h"
- 
- static EviPrivPtr eviPriv;
- 
-@@ -84,10 +85,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
- {
-     REQUEST(xEVIGetVisualInfoReq);
-     xEVIGetVisualInfoReply rep;
--    int n, n_conflict, n_info, sz_info, sz_conflict;
-+    int i, n, n_conflict, n_info, sz_info, sz_conflict;
-     VisualID32 *conflict;
-+    unsigned int total_visuals = 0;
-     xExtendedVisualInfo *eviInfo;
-     int status;
-+
-+    /*
-+     * do this first, otherwise REQUEST_FIXED_SIZE can overflow.  we assume
-+     * here that you don't have more than 2^32 visuals over all your screens;
-+     * this seems like a safe assumption.
-+     */
-+    for (i = 0; i < screenInfo.numScreens; i++)
-+	total_visuals += screenInfo.screens[i]->numVisuals;
-+    if (stuff->n_visual > total_visuals)
-+	return BadValue;
-+
-     REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
-     status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
- 		&eviInfo, &n_info, &conflict, &n_conflict);
-diff --git a/Xext/sampleEVI.c b/Xext/sampleEVI.c
-index 7508aa7..b871bfd 100644
---- a/Xext/sampleEVI.c
-+++ b/Xext/sampleEVI.c
-@@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
+--- xorg-server-1.1.1/Xext/sampleEVI.c.cve-2007-6429	2006-07-05 14:31:36.000000000 -0400
++++ xorg-server-1.1.1/Xext/sampleEVI.c	2008-01-18 14:15:44.000000000 -0500
+@@ -36,6 +36,13 @@
  #include <X11/extensions/XEVIstr.h>
  #include "EVIstruct.h"
  #include "scrnintstr.h"
 +
 +#if HAVE_STDINT_H
 +#include <stdint.h>
-+#elif !defined(UINT32_MAX)
-+#define UINT32_MAX 0xffffffffU
++#elif !defined(INT_MAX)
++#define INT_MAX 0x7fffffff
 +#endif
 +
  static int sampleGetVisualInfo(
      VisualID32 *visual,
      int n_visual,
-@@ -42,24 +49,36 @@ static int sampleGetVisualInfo(
+@@ -44,24 +51,36 @@
      VisualID32 **conflict_rn,
      int *n_conflict_rn)
  {
@@ -105,12 +56,44 @@ index 7508aa7..b871bfd 100644
      for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
          for (visualI = 0; visualI < n_visual; visualI++) {
  	    evi[sz_evi].core_visual_id = visual[visualI];
-diff --git a/Xext/shm.c b/Xext/shm.c
-index e3d7a23..c545e49 100644
---- a/Xext/shm.c
-+++ b/Xext/shm.c
-@@ -757,6 +757,8 @@ ProcPanoramiXShmCreatePixmap(
-     int i, j, result, rc;
+--- xorg-server-1.1.1/Xext/EVI.c.cve-2007-6429	2006-07-05 14:31:36.000000000 -0400
++++ xorg-server-1.1.1/Xext/EVI.c	2008-01-18 14:15:44.000000000 -0500
+@@ -36,6 +36,7 @@
+ #include <X11/extensions/XEVIstr.h>
+ #include "EVIstruct.h"
+ #include "modinit.h"
++#include "scrnintstr.h"
+ 
+ #if 0
+ static unsigned char XEVIReqCode = 0;
+@@ -89,10 +90,22 @@
+ {
+     REQUEST(xEVIGetVisualInfoReq);
+     xEVIGetVisualInfoReply rep;
+-    int n, n_conflict, n_info, sz_info, sz_conflict;
++    int i, n, n_conflict, n_info, sz_info, sz_conflict;
+     VisualID32 *conflict;
++    unsigned int total_visuals = 0;
+     xExtendedVisualInfo *eviInfo;
+     int status;
++
++    /*
++     * do this first, otherwise REQUEST_FIXED_SIZE can overflow.  we assume
++     * here that you don't have more than 2^32 visuals over all your screens;
++     * this seems like a safe assumption.
++     */
++    for (i = 0; i < screenInfo.numScreens; i++)
++	total_visuals += screenInfo.screens[i]->numVisuals;
++    if (stuff->n_visual > total_visuals)
++	return BadValue;
++
+     REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
+     status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
+ 		&eviInfo, &n_info, &conflict, &n_conflict);
+--- xorg-server-1.1.1/Xext/shm.c.cve-2007-6429	2006-07-05 14:31:36.000000000 -0400
++++ xorg-server-1.1.1/Xext/shm.c	2008-01-18 14:19:28.000000000 -0500
+@@ -725,6 +725,8 @@
+     int i, j, result;
      ShmDescPtr shmdesc;
      REQUEST(xShmCreatePixmapReq);
 +    unsigned int width, height, depth;
@@ -118,9 +101,9 @@ index e3d7a23..c545e49 100644
      PanoramiXRes *newPix;
  
      REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
-@@ -770,11 +772,26 @@ ProcPanoramiXShmCreatePixmap(
- 	return rc;
- 
+@@ -734,11 +736,18 @@
+     LEGAL_NEW_RESOURCE(stuff->pid, client);
+     VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
      VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
 -    if (!stuff->width || !stuff->height)
 +
@@ -134,31 +117,35 @@ index e3d7a23..c545e49 100644
      }
 +    if (width > 32767 || height > 32767)
 +        return BadAlloc;
-+    size = PixmapBytePad(width, depth) * height;
-+    if (sizeof(size) == 4) {
-+        if (size < width * height)
-+            return BadAlloc;
-+        /* thankfully, offset is unsigned */
-+        if (stuff->offset + size < size)
-+            return BadAlloc;
-+    }
 +
      if (stuff->depth != 1)
      {
          pDepth = pDraw->pScreen->allowedDepths;
-@@ -785,9 +802,7 @@ ProcPanoramiXShmCreatePixmap(
+@@ -748,10 +757,19 @@
+ 	client->errorValue = stuff->depth;
          return BadValue;
      }
++
  CreatePmap:
 -    VERIFY_SHMSIZE(shmdesc, stuff->offset,
 -		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
 -		   client);
++    /* now w/h/d are valid; but will they overflow a 32-bit pointer? */
++    size = PixmapBytePad(width, depth) * height;
++    if (sizeof(void *) == 4 && BitsPerPixel(depth) > 8) {
++        if (size < width * height)
++            return BadAlloc;
++        /* thankfully, offset is unsigned */
++        if (stuff->offset + size < size)
++            return BadAlloc;
++    }
++
 +    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
  
      if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
  	return BadAlloc;
-@@ -1086,6 +1101,8 @@ ProcShmCreatePixmap(client)
-     register int i, rc;
+@@ -1049,6 +1067,8 @@
+     register int i;
      ShmDescPtr shmdesc;
      REQUEST(xShmCreatePixmapReq);
 +    unsigned int width, height, depth;
@@ -166,9 +153,9 @@ index e3d7a23..c545e49 100644
  
      REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
      client->errorValue = stuff->pid;
-@@ -1098,11 +1115,26 @@ ProcShmCreatePixmap(client)
- 	return rc;
- 
+@@ -1057,11 +1077,18 @@
+     LEGAL_NEW_RESOURCE(stuff->pid, client);
+     VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
      VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
 -    if (!stuff->width || !stuff->height)
 +    
@@ -182,29 +169,30 @@ index e3d7a23..c545e49 100644
      }
 +    if (width > 32767 || height > 32767)
 +	return BadAlloc;
-+    size = PixmapBytePad(width, depth) * height;
-+    if (sizeof(size) == 4) {
-+	if (size < width * height)
-+	    return BadAlloc;
-+	/* thankfully, offset is unsigned */
-+	if (stuff->offset + size < size)
-+	    return BadAlloc;
-+    }
 +
      if (stuff->depth != 1)
      {
          pDepth = pDraw->pScreen->allowedDepths;
-@@ -1113,9 +1145,7 @@ ProcShmCreatePixmap(client)
+@@ -1071,10 +1098,19 @@
+ 	client->errorValue = stuff->depth;
          return BadValue;
      }
++
  CreatePmap:
 -    VERIFY_SHMSIZE(shmdesc, stuff->offset,
 -		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
 -		   client);
++    /* now w/h/d are valid; but will they overflow a 32-bit pointer? */
++    size = PixmapBytePad(width, depth) * height;
++    if (sizeof(void *) == 4 && BitsPerPixel(depth) > 8) {
++        if (size < width * height)
++            return BadAlloc;
++        /* thankfully, offset is unsigned */
++        if (stuff->offset + size < size)
++            return BadAlloc;
++    }
++
 +    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
      pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
  			    pDraw->pScreen, stuff->width,
  			    stuff->height, stuff->depth,
--- 
-1.5.3.6
-
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index dc3200e..b9f3f76 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -20,7 +20,7 @@
 Summary:   X.Org X11 X server
 Name:      xorg-x11-server
 Version:   1.4.99.1
-Release:   0.17.%{?gitdate}%{?dist}
+Release:   0.18.%{?gitdate}%{?dist}
 URL:       http://www.x.org
 License:   MIT
 Group:     User Interface/X
@@ -515,6 +515,9 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Fri Jan 18 2008 Dave Airlie <airlied@redhat.com> 1.4.99.1-0.18
+- cve-2007-6429.patch: Fix patch to not break java apps
+
 * Fri Jan 18 2008 Dave Airlie <airlied@redhat.com> 1.4.99.1-0.17
 - cve-2007-5760.patch: XFree86-Misc Extension Invalid Array Index Vulnerability
 - cve-2007-6427.patch: XInput Extension Memory Corruption Vulnerability