21. Adapt from X.Org fixes for the CVE-2007-5760, CVE-2007-5958,

CVE-2007-6427, CVE-2007-6428, CVE-2007-6429 and CVE-2008-0006 security advisories.
author: tsi <tsi> 2008-03-18 19:50:44 +0000
committer: tsi <tsi> 2008-03-18 19:50:44 +0000
commit: 9cdde6f42a86a917c650affe6b4b2d7f4e2d2326 (patch)
tree: f52215b032e24d333eefd193d19f3c30e388c9e6
parent: d5f61bf1c1711ef2184c895ee5152cfb046e005a (diff)
13 files changed, 74 insertions, 88 deletions
diff --git a/lib/font/bitmap/pcfread.c b/lib/font/bitmap/pcfread.c
index c3a834ecc..04de398c1 100644
--- a/lib/font/bitmap/pcfread.c
+++ b/lib/font/bitmap/pcfread.c
@@ -1,3 +1,4 @@
+/* $XFree86: xc/lib/font/bitmap/pcfread.c,v 1.25tsi Exp $ */
 /*
 
 Copyright 1990, 1998  The Open Group
@@ -25,7 +26,6 @@ other dealings in this Software without prior written authorization
 from The Open Group.
 
 */
-/* $XFree86: xc/lib/font/bitmap/pcfread.c,v 1.24 2006/07/23 19:44:49 tsi Exp $ */
 
 /*
  * Author:  Keith Packard, MIT X Consortium
@@ -582,6 +582,9 @@ pcfReadFont(FontPtr pFont, FontFilePtr file,
     pFont->info.lastRow = pcfGetINT16(file, format);
     pFont->info.defaultCh = pcfGetINT16(file, format);
     if (IS_EOF(file)) goto Bail;
+    if ((pFont->info.firstCol > pFont->info.lastCol) ||
+	(pFont->info.firstRow > pFont->info.lastRow) ||
+	((pFont->info.lastCol - pFont->info.firstCol) > 255)) goto Bail;
 
     nencoding = (pFont->info.lastCol - pFont->info.firstCol + 1) *
 	(pFont->info.lastRow - pFont->info.firstRow + 1);
@@ -720,6 +723,9 @@ pcfReadFontInfo(FontInfoPtr pFontInfo, FontFilePtr file)
     pFontInfo->lastRow = pcfGetINT16(file, format);
     pFontInfo->defaultCh = pcfGetINT16(file, format);
     if (IS_EOF(file)) goto Bail;
+    if ((pFontInfo->firstCol > pFontInfo->lastCol) ||
+	(pFontInfo->firstRow > pFontInfo->lastRow) ||
+	((pFontInfo->lastCol - pFontInfo->firstCol) > 255)) goto Bail;
 
     nencoding = (pFontInfo->lastCol - pFontInfo->firstCol + 1) *
 	(pFontInfo->lastRow - pFontInfo->firstRow + 1);
diff --git a/programs/Xserver/Xi/chgfctl.c b/programs/Xserver/Xi/chgfctl.c
index ece0307e8..d8e72b2f3 100644
--- a/programs/Xserver/Xi/chgfctl.c
+++ b/programs/Xserver/Xi/chgfctl.c
@@ -1,4 +1,4 @@
-/* $XFree86: xc/programs/Xserver/Xi/chgfctl.c,v 3.4tsi Exp $ */
+/* $XFree86: xc/programs/Xserver/Xi/chgfctl.c,v 3.5tsi Exp $ */
 
 /************************************************************
 
@@ -500,8 +500,7 @@ ChangeStringFeedback (client, dev, mask, s, f)
     StringFeedbackPtr 	s;
     xStringFeedbackCtl 	*f;
     {
-    register char n;
-    register long *p;
+    char n;
     int		i, j;
     KeySym	*syms, *sup_syms;
 
@@ -509,12 +508,7 @@ ChangeStringFeedback (client, dev, mask, s, f)
     if (client->swapped)
 	{
 	swaps(&f->length,n);	/* swapped num_keysyms in calling proc */
-	p = (long *) (syms);
-	for (i=0; i<f->num_keysyms; i++)
-	    {
-	    swapl(p, n);
-	    p++;
-	    }
+	SwapLongs((CARD32 *)syms, f->num_keysyms);
 	}
 
     if (f->num_keysyms > s->ctrl.max_symbols)
diff --git a/programs/Xserver/Xi/chgkmap.c b/programs/Xserver/Xi/chgkmap.c
index 0a50c5e80..6380410a8 100644
--- a/programs/Xserver/Xi/chgkmap.c
+++ b/programs/Xserver/Xi/chgkmap.c
@@ -1,4 +1,4 @@
-/* $XFree86: xc/programs/Xserver/Xi/chgkmap.c,v 3.3tsi Exp $ */
+/* $XFree86: xc/programs/Xserver/Xi/chgkmap.c,v 3.4tsi Exp $ */
 /************************************************************
 
 Copyright 1989, 1998  The Open Group
@@ -74,22 +74,17 @@ SOFTWARE.
 
 int
 SProcXChangeDeviceKeyMapping(client)
-    register ClientPtr client;
+    ClientPtr client;
     {
-    register char n;
-    register long *p;
-    register int i, count;
+    char n;
+    unsigned int count;
 
     REQUEST(xChangeDeviceKeyMappingReq);
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
-    p = (long *) &stuff[1];
     count = stuff->keyCodes * stuff->keySymsPerKeyCode;
-    for (i = 0; i < count; i++)
-        {
-        swapl(p, n);
-	p++;
-        }
+    REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
+    SwapLongs((CARD32 *)(&stuff[1]), count);
     return(ProcXChangeDeviceKeyMapping(client));
     }
 
@@ -106,10 +101,14 @@ ProcXChangeDeviceKeyMapping(client)
     int	ret;
     unsigned len;
     DeviceIntPtr dev;
+    unsigned int count;
 
     REQUEST(xChangeDeviceKeyMappingReq);
     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
 
+    count = stuff->keyCodes * stuff->keySymsPerKeyCode;
+    REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
+
     dev = LookupDeviceIntRec (stuff->deviceid);
     if (dev == NULL)
 	{
diff --git a/programs/Xserver/Xi/chgprop.c b/programs/Xserver/Xi/chgprop.c
index e8291314c..4b2b8917f 100644
--- a/programs/Xserver/Xi/chgprop.c
+++ b/programs/Xserver/Xi/chgprop.c
@@ -1,4 +1,4 @@
-/* $XFree86: xc/programs/Xserver/Xi/chgprop.c,v 3.3tsi Exp $ */
+/* $XFree86: xc/programs/Xserver/Xi/chgprop.c,v 3.4tsi Exp $ */
 /************************************************************
 
 Copyright 1989, 1998  The Open Group
@@ -78,21 +78,16 @@ int
 SProcXChangeDeviceDontPropagateList(client)
     register ClientPtr client;
     {
-    register char n;
-    register long *p;
-    register int i;
+    char n;
 
     REQUEST(xChangeDeviceDontPropagateListReq);
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
     swapl(&stuff->window, n);
     swaps(&stuff->count, n);
-    p = (long *) &stuff[1];
-    for (i=0; i<stuff->count; i++)
-        {
-        swapl(p, n);
-	p++;
-        }
+    REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
+		       stuff->count * sizeof(CARD32));
+    SwapLongs((CARD32 *)(&stuff[1]), stuff->count);
     return(ProcXChangeDeviceDontPropagateList(client));
     }
 
diff --git a/programs/Xserver/Xi/grabdev.c b/programs/Xserver/Xi/grabdev.c
index feb96f8c6..255b684a0 100644
--- a/programs/Xserver/Xi/grabdev.c
+++ b/programs/Xserver/Xi/grabdev.c
@@ -1,4 +1,4 @@
-/* $XFree86: xc/programs/Xserver/Xi/grabdev.c,v 3.3tsi Exp $ */
+/* $XFree86: xc/programs/Xserver/Xi/grabdev.c,v 3.4tsi Exp $ */
 /************************************************************
 
 Copyright 1989, 1998  The Open Group
@@ -80,9 +80,7 @@ int
 SProcXGrabDevice(client)
     register ClientPtr client;
     {
-    register char n;
-    register long *p;
-    register int i;
+    char n;
 
     REQUEST(xGrabDeviceReq);
     swaps(&stuff->length, n);
@@ -90,12 +88,11 @@ SProcXGrabDevice(client)
     swapl(&stuff->grabWindow, n);
     swapl(&stuff->time, n);
     swaps(&stuff->event_count, n);
-    p = (long *) &stuff[1];
-    for (i=0; i<stuff->event_count; i++)
-        {
-        swapl(p, n);
-	p++;
-        }
+
+    if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
+	return BadLength;
+
+    SwapLongs((CARD32 *)(&stuff[1]), stuff->event_count);
 
     return(ProcXGrabDevice(client));
     }
diff --git a/programs/Xserver/Xi/grabdevb.c b/programs/Xserver/Xi/grabdevb.c
index 892a8be9d..07b652367 100644
--- a/programs/Xserver/Xi/grabdevb.c
+++ b/programs/Xserver/Xi/grabdevb.c
@@ -1,4 +1,4 @@
-/* $XFree86: xc/programs/Xserver/Xi/grabdevb.c,v 3.3tsi Exp $ */
+/* $XFree86: xc/programs/Xserver/Xi/grabdevb.c,v 3.4tsi Exp $ */
 /************************************************************
 
 Copyright 1989, 1998  The Open Group
@@ -77,9 +77,7 @@ int
 SProcXGrabDeviceButton(client)
     register ClientPtr client;
     {
-    register char n;
-    register long *p;
-    register int i;
+    char n;
 
     REQUEST(xGrabDeviceButtonReq);
     swaps(&stuff->length, n);
@@ -87,12 +85,9 @@ SProcXGrabDeviceButton(client)
     swapl(&stuff->grabWindow, n);
     swaps(&stuff->modifiers, n);
     swaps(&stuff->event_count, n);
-    p = (long *) &stuff[1];
-    for (i=0; i<stuff->event_count; i++)
-        {
-        swapl(p, n);
-	p++;
-        }
+    REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
+		       stuff->event_count * sizeof(CARD32));
+    SwapLongs((CARD32 *)(&stuff[1]), stuff->event_count);
 
     return(ProcXGrabDeviceButton(client));
     }
diff --git a/programs/Xserver/Xi/grabdevk.c b/programs/Xserver/Xi/grabdevk.c
index 384b89d9e..343ee0c1d 100644
--- a/programs/Xserver/Xi/grabdevk.c
+++ b/programs/Xserver/Xi/grabdevk.c
@@ -1,4 +1,4 @@
-/* $XFree86: xc/programs/Xserver/Xi/grabdevk.c,v 3.3tsi Exp $ */
+/* $XFree86: xc/programs/Xserver/Xi/grabdevk.c,v 3.4tsi Exp $ */
 /************************************************************
 
 Copyright 1989, 1998  The Open Group
@@ -77,9 +77,7 @@ int
 SProcXGrabDeviceKey(client)
     register ClientPtr client;
     {
-    register char n;
-    register long *p;
-    register int i;
+    char n;
 
     REQUEST(xGrabDeviceKeyReq);
     swaps(&stuff->length, n);
@@ -87,12 +85,8 @@ SProcXGrabDeviceKey(client)
     swapl(&stuff->grabWindow, n);
     swaps(&stuff->modifiers, n);
     swaps(&stuff->event_count, n);
-    p = (long *) &stuff[1];
-    for (i=0; i<stuff->event_count; i++)
-        {
-        swapl(p, n);
-	p++;
-        }
+    REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
+    SwapLongs((CARD32 *)(&stuff[1]), stuff->event_count);
     return(ProcXGrabDeviceKey(client));
     }
 
diff --git a/programs/Xserver/Xi/selectev.c b/programs/Xserver/Xi/selectev.c
index e02147ac4..d400e88fb 100644
--- a/programs/Xserver/Xi/selectev.c
+++ b/programs/Xserver/Xi/selectev.c
@@ -1,4 +1,4 @@
-/* $XFree86: xc/programs/Xserver/Xi/selectev.c,v 3.3tsi Exp $ */
+/* $XFree86: xc/programs/Xserver/Xi/selectev.c,v 3.4tsi Exp $ */
 /************************************************************
 
 Copyright 1989, 1998  The Open Group
@@ -81,21 +81,16 @@ int
 SProcXSelectExtensionEvent (client)
 register ClientPtr client;
     {
-    register char n;
-    register long *p;
-    register int i;
+    char n;
 
     REQUEST(xSelectExtensionEventReq);
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
     swapl(&stuff->window, n);
     swaps(&stuff->count, n);
-    p = (long *) &stuff[1];
-    for (i=0; i<stuff->count; i++)
-        {
-        swapl(p, n);
-	p++;
-        }
+    REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
+		       stuff->count * sizeof(CARD32));
+    SwapLongs((CARD32 *)(&stuff[1]), stuff->count);
     return(ProcXSelectExtensionEvent(client));
     }
 
diff --git a/programs/Xserver/Xi/sendexev.c b/programs/Xserver/Xi/sendexev.c
index fb1f546e2..531a87883 100644
--- a/programs/Xserver/Xi/sendexev.c
+++ b/programs/Xserver/Xi/sendexev.c
@@ -1,4 +1,4 @@
-/* $XFree86: xc/programs/Xserver/Xi/sendexev.c,v 3.3tsi Exp $ */
+/* $XFree86: xc/programs/Xserver/Xi/sendexev.c,v 3.4tsi Exp $ */
 /************************************************************
 
 Copyright 1989, 1998  The Open Group
@@ -80,9 +80,8 @@ int
 SProcXSendExtensionEvent(client)
     register ClientPtr client;
     {
-    register char n;
-    register long *p;
-    register int i;
+    char n;
+    int i;
     xEvent eventT;
     xEvent *eventP;
     EventSwapPtr proc;
@@ -92,22 +91,23 @@ SProcXSendExtensionEvent(client)
     REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
     swapl(&stuff->destination, n);
     swaps(&stuff->count, n);
+    if (stuff->length !=
+	((sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
+	 (stuff->num_events * (sizeof(xEvent) >> 2))))
+	return BadLength;
+
     eventP = (xEvent *) &stuff[1];
     for (i=0; i<stuff->num_events; i++,eventP++)
         {
 	proc = EventSwapVector[eventP->u.u.type & 0177];
- 	if (proc == NotImplemented)   /* no swapping proc; invalid event type? */
+ 	if (proc == NotImplemented) /* no swapping proc; invalid event type? */
 	    return (BadValue);
 	(*proc)(eventP, &eventT);
 	*eventP = eventT;
 	}
 
-    p = (long *) (((xEvent *) &stuff[1]) + stuff->num_events);
-    for (i=0; i<stuff->count; i++)
-        {
-        swapl(p, n);
-	p++;
-        }
+    SwapLongs((CARD32 *)((xEvent *)(&stuff[1]) + stuff->num_events),
+	      stuff->count);
     return(ProcXSendExtensionEvent(client));
     }
 
diff --git a/programs/Xserver/Xprint/pcl/PclColor.c b/programs/Xserver/Xprint/pcl/PclColor.c
index cc00fbcb0..5d7dde563 100644
--- a/programs/Xserver/Xprint/pcl/PclColor.c
+++ b/programs/Xserver/Xprint/pcl/PclColor.c
@@ -1,3 +1,4 @@
+/* $XFree86: xc/programs/Xserver/Xprint/pcl/PclColor.c,v 1.11tsi Exp $ */
 /*******************************************************************
 **
 **    *********************************************************
@@ -44,7 +45,6 @@ not be used in advertising or otherwise to promote the sale, use or other
 dealings in this Software without prior written authorization from said
 copyright holders.
 */
-/* $XFree86: xc/programs/Xserver/Xprint/pcl/PclColor.c,v 1.10 2003/10/29 22:11:00 tsi Exp $ */
 
 #include <stdio.h>
 #include <string.h>
@@ -677,7 +677,7 @@ unsigned char *PclReadMap(char *name, int *dim)
     unsigned char *data;
     long size;
 
-    if ((fp=fopen(name, "r")) == NULL) {
+    if ((fp=Fopen(name, "r")) == NULL) {
 	return(NULL);
     }
 
@@ -717,7 +717,7 @@ unsigned char *PclReadMap(char *name, int *dim)
 	return(NULL);
     }
 
-    fclose(fp);
+    Fclose(fp);
     return(data);
 }
 
diff --git a/programs/Xserver/dix/dixfonts.c b/programs/Xserver/dix/dixfonts.c
index f6b29b882..27f2ef188 100644
--- a/programs/Xserver/dix/dixfonts.c
+++ b/programs/Xserver/dix/dixfonts.c
@@ -1,4 +1,4 @@
-/* $XFree86: xc/programs/Xserver/dix/dixfonts.c,v 3.35tsi Exp $ */
+/* $XFree86: xc/programs/Xserver/dix/dixfonts.c,v 3.36tsi Exp $ */
 /************************************************************************
 Copyright 1987 by Digital Equipment Corporation, Maynard, Massachusetts.
 
@@ -350,6 +350,12 @@ doOpenFont(ClientPtr client, OFclosurePtr c)
 	err = BadFontName;
 	goto bail;
     }
+    if ((pfont->info.firstCol > pfont->info.lastCol) ||
+	(pfont->info.firstRow > pfont->info.lastRow) ||
+	((pfont->info.lastCol - pfont->info.firstCol) > 255)) {
+	err = AllocError;
+	goto bail;
+    }
     if (!pfont->fpe)
 	pfont->fpe = fpe;
     pfont->refcnt++;
diff --git a/programs/Xserver/hw/xfree86/CHANGELOG b/programs/Xserver/hw/xfree86/CHANGELOG
index ec96a6a9b..bb0d92acc 100644
--- a/programs/Xserver/hw/xfree86/CHANGELOG
+++ b/programs/Xserver/hw/xfree86/CHANGELOG
@@ -1,4 +1,7 @@
 XFree86 4.7.99.14 (xx March 2008)
+  21. Adapt from X.Org fixes for the CVE-2007-5760, CVE-2007-5958,
+      CVE-2007-6427, CVE-2007-6428, CVE-2007-6429 and CVE-2008-0006 security
+      advisories.
   20. Remove unnecessary #include of <linux/config.h> from our Linux DRM
       source  (Bugzilla #1689, Marc La France).
   19. When building an XFree86 loader server with stack backtrace support, use
@@ -20660,4 +20663,4 @@ XFree86 3.0a (28 April 1994)
 XFree86 3.0 (26 April 1994)
 
 
-$XFree86: xc/programs/Xserver/hw/xfree86/CHANGELOG,v 3.3932 2008/03/18 19:36:52 tsi Exp $
+$XFree86: xc/programs/Xserver/hw/xfree86/CHANGELOG,v 3.3933 2008/03/18 19:41:54 tsi Exp $
diff --git a/programs/Xserver/hw/xfree86/loader/dixsym.c b/programs/Xserver/hw/xfree86/loader/dixsym.c
index 2b4f47acc..1410cd63c 100644
--- a/programs/Xserver/hw/xfree86/loader/dixsym.c
+++ b/programs/Xserver/hw/xfree86/loader/dixsym.c
@@ -1,4 +1,4 @@
-/* $XFree86: xc/programs/Xserver/hw/xfree86/loader/dixsym.c,v 1.70 2006/02/19 15:51:27 tsi Exp $ */
+/* $XFree86: xc/programs/Xserver/hw/xfree86/loader/dixsym.c,v 1.71tsi Exp $ */
 
 /*
  * Copyright 1995-1998 by Metro Link, Inc.
@@ -342,6 +342,8 @@ LOOKUP dixLookupTab[] = {
     SYMFUNC(AdjustWaitForDelay)
     SYMVAR(noTestExtensions)
     SYMFUNC(GiveUp)
+    SYMFUNC(Fopen)
+    SYMFUNC(Fclose)
     /* log.c */
     SYMFUNC(LogVWrite)
     SYMFUNC(LogWrite)
author	tsi <tsi>	2008-03-18 19:50:44 +0000
committer	tsi <tsi>	2008-03-18 19:50:44 +0000
commit	9cdde6f42a86a917c650affe6b4b2d7f4e2d2326 (patch)
tree	f52215b032e24d333eefd193d19f3c30e388c9e6
parent	d5f61bf1c1711ef2184c895ee5152cfb046e005a (diff)