head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.24 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.22 pkgsrc-2012Q4-base:1.2 pkgsrc-2011Q4:1.2.0.20 pkgsrc-2011Q4-base:1.2 pkgsrc-2011Q2:1.2.0.18 pkgsrc-2011Q2-base:1.2 pkgsrc-2009Q4:1.2.0.16 pkgsrc-2009Q4-base:1.2 pkgsrc-2008Q4:1.2.0.14 pkgsrc-2008Q4-base:1.2 pkgsrc-2008Q3:1.2.0.12 pkgsrc-2008Q3-base:1.2 cube-native-xorg:1.2.0.10 cube-native-xorg-base:1.2 pkgsrc-2008Q2:1.2.0.8 pkgsrc-2008Q2-base:1.2 pkgsrc-2008Q1:1.2.0.6 pkgsrc-2008Q1-base:1.2 pkgsrc-2007Q4:1.2.0.4 pkgsrc-2007Q4-base:1.2 pkgsrc-2007Q3:1.2.0.2 pkgsrc-2007Q3-base:1.2 pkgsrc-2007Q2:1.1.0.6 pkgsrc-2007Q2-base:1.1 pkgsrc-2007Q1:1.1.0.4 pkgsrc-2007Q1-base:1.1 pkgsrc-2006Q4:1.1.0.2; locks; strict; comment @# @; 1.2 date 2007.08.17.20.25.42; author joerg; state dead; branches; next 1.1; 1.1 date 2007.01.17.16.32.35; author joerg; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2007.01.17.16.32.35; author salo; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2007.01.17.19.29.39; author salo; state Exp; branches; next ; desc @@ 1.2 log @To quote Johnny Lam: "In modular-xorg we trust" Remove xorg 6.9 packages from pkgsrc. @ text @$NetBSD: patch-cv,v 1.1 2007/01/17 16:32:35 joerg Exp $ --- programs/Xserver/dbe/dbe.c.orig 2005-07-03 07:01:17.000000000 +0000 +++ programs/Xserver/dbe/dbe.c @@@@ -55,6 +55,10 @@@@ #include "xf86_ansic.h" #endif +#if !defined(UINT32_MAX) +#define UINT32_MAX 0xffffffffU +#endif + /* GLOBALS */ /* Per-screen initialization functions [init'ed by DbeRegisterFunction()] */ @@@@ -733,11 +737,14 @@@@ ProcDbeSwapBuffers(client) return(Success); } + if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec)) + return BadAlloc; + /* Get to the swap info appended to the end of the request. */ dbeSwapInfo = (xDbeSwapInfo *)&stuff[1]; /* Allocate array to record swap information. */ - swapInfo = (DbeSwapInfoPtr)ALLOCATE_LOCAL(nStuff * sizeof(DbeSwapInfoRec)); + swapInfo = (DbeSwapInfoPtr)Xalloc(nStuff * sizeof(DbeSwapInfoRec)); if (swapInfo == NULL) { return(BadAlloc); @@@@ -752,14 +759,14 @@@@ ProcDbeSwapBuffers(client) if (!(pWin = SecurityLookupWindow(dbeSwapInfo[i].window, client, SecurityWriteAccess))) { - DEALLOCATE_LOCAL(swapInfo); + Xfree(swapInfo); return(BadWindow); } /* Each window must be double-buffered - BadMatch. */ if (DBE_WINDOW_PRIV(pWin) == NULL) { - DEALLOCATE_LOCAL(swapInfo); + Xfree(swapInfo); return(BadMatch); } @@@@ -768,7 +775,7 @@@@ ProcDbeSwapBuffers(client) { if (dbeSwapInfo[i].window == dbeSwapInfo[j].window) { - DEALLOCATE_LOCAL(swapInfo); + Xfree(swapInfo); return(BadMatch); } } @@@@ -779,7 +786,7 @@@@ ProcDbeSwapBuffers(client) (dbeSwapInfo[i].swapAction != XdbeUntouched ) && (dbeSwapInfo[i].swapAction != XdbeCopied )) { - DEALLOCATE_LOCAL(swapInfo); + Xfree(swapInfo); return(BadValue); } @@@@ -809,12 +816,12 @@@@ ProcDbeSwapBuffers(client) error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo); if (error != Success) { - DEALLOCATE_LOCAL(swapInfo); + Xfree(swapInfo); return(error); } } - DEALLOCATE_LOCAL(swapInfo); + Xfree(swapInfo); return(Success); } /* ProcDbeSwapBuffers() */ @@@@ -898,10 +905,12 @@@@ ProcDbeGetVisualInfo(client) REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq); + if (stuff->n > UINT32_MAX / sizeof(DrawablePtr)) + return BadAlloc; /* Make sure any specified drawables are valid. */ if (stuff->n != 0) { - if (!(pDrawables = (DrawablePtr *)ALLOCATE_LOCAL(stuff->n * + if (!(pDrawables = (DrawablePtr *)Xalloc(stuff->n * sizeof(DrawablePtr)))) { return(BadAlloc); @@@@ -914,7 +923,7 @@@@ ProcDbeGetVisualInfo(client) if (!(pDrawables[i] = (DrawablePtr)SecurityLookupDrawable( drawables[i], client, SecurityReadAccess))) { - DEALLOCATE_LOCAL(pDrawables); + Xfree(pDrawables); return(BadDrawable); } } @@@@ -926,7 +935,7 @@@@ ProcDbeGetVisualInfo(client) { if (pDrawables) { - DEALLOCATE_LOCAL(pDrawables); + Xfree(pDrawables); } return(BadAlloc); @@@@ -953,7 +962,7 @@@@ ProcDbeGetVisualInfo(client) /* Free pDrawables if we needed to allocate it above. */ if (pDrawables) { - DEALLOCATE_LOCAL(pDrawables); + Xfree(pDrawables); } return(BadAlloc); @@@@ -1034,7 +1043,7 @@@@ ProcDbeGetVisualInfo(client) if (pDrawables) { - DEALLOCATE_LOCAL(pDrawables); + Xfree(pDrawables); } return(client->noClientException); @ 1.1 log @Add vendor patch for CVE-2006-6101, CVE-2006-6102 and CVE-2006-6103; this fixes possible overflows in the extensions dbe and render. @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-cv was added on branch pkgsrc-2006Q4 on 2007-01-17 16:32:35 +0000 @ text @d1 131 @ 1.1.2.2 log @Pullup ticket 1998 - requested by joerg security fix for xorg-server Revisions pulled up: - pkgsrc/x11/xorg-server/Makefile 1.50 - pkgsrc/x11/xorg-libs/distinfo 1.58 - pkgsrc/x11/xorg-libs/patches/patch-cv 1.1 - pkgsrc/x11/xorg-libs/patches/patch-cw 1.1 Module Name: pkgsrc Committed By: joerg Date: Wed Jan 17 16:32:35 UTC 2007 Modified Files: pkgsrc/x11/xorg-libs: distinfo pkgsrc/x11/xorg-server: Makefile Added Files: pkgsrc/x11/xorg-libs/patches: patch-cv patch-cw Log Message: Add vendor patch for CVE-2006-6101, CVE-2006-6102 and CVE-2006-6103; this fixes possible overflows in the extensions dbe and render. @ text @a0 131 $NetBSD: patch-cv,v 1.1.2.1 2007/01/17 19:29:39 salo Exp $ --- programs/Xserver/dbe/dbe.c.orig 2005-07-03 07:01:17.000000000 +0000 +++ programs/Xserver/dbe/dbe.c @@@@ -55,6 +55,10 @@@@ #include "xf86_ansic.h" #endif +#if !defined(UINT32_MAX) +#define UINT32_MAX 0xffffffffU +#endif + /* GLOBALS */ /* Per-screen initialization functions [init'ed by DbeRegisterFunction()] */ @@@@ -733,11 +737,14 @@@@ ProcDbeSwapBuffers(client) return(Success); } + if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec)) + return BadAlloc; + /* Get to the swap info appended to the end of the request. */ dbeSwapInfo = (xDbeSwapInfo *)&stuff[1]; /* Allocate array to record swap information. */ - swapInfo = (DbeSwapInfoPtr)ALLOCATE_LOCAL(nStuff * sizeof(DbeSwapInfoRec)); + swapInfo = (DbeSwapInfoPtr)Xalloc(nStuff * sizeof(DbeSwapInfoRec)); if (swapInfo == NULL) { return(BadAlloc); @@@@ -752,14 +759,14 @@@@ ProcDbeSwapBuffers(client) if (!(pWin = SecurityLookupWindow(dbeSwapInfo[i].window, client, SecurityWriteAccess))) { - DEALLOCATE_LOCAL(swapInfo); + Xfree(swapInfo); return(BadWindow); } /* Each window must be double-buffered - BadMatch. */ if (DBE_WINDOW_PRIV(pWin) == NULL) { - DEALLOCATE_LOCAL(swapInfo); + Xfree(swapInfo); return(BadMatch); } @@@@ -768,7 +775,7 @@@@ ProcDbeSwapBuffers(client) { if (dbeSwapInfo[i].window == dbeSwapInfo[j].window) { - DEALLOCATE_LOCAL(swapInfo); + Xfree(swapInfo); return(BadMatch); } } @@@@ -779,7 +786,7 @@@@ ProcDbeSwapBuffers(client) (dbeSwapInfo[i].swapAction != XdbeUntouched ) && (dbeSwapInfo[i].swapAction != XdbeCopied )) { - DEALLOCATE_LOCAL(swapInfo); + Xfree(swapInfo); return(BadValue); } @@@@ -809,12 +816,12 @@@@ ProcDbeSwapBuffers(client) error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo); if (error != Success) { - DEALLOCATE_LOCAL(swapInfo); + Xfree(swapInfo); return(error); } } - DEALLOCATE_LOCAL(swapInfo); + Xfree(swapInfo); return(Success); } /* ProcDbeSwapBuffers() */ @@@@ -898,10 +905,12 @@@@ ProcDbeGetVisualInfo(client) REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq); + if (stuff->n > UINT32_MAX / sizeof(DrawablePtr)) + return BadAlloc; /* Make sure any specified drawables are valid. */ if (stuff->n != 0) { - if (!(pDrawables = (DrawablePtr *)ALLOCATE_LOCAL(stuff->n * + if (!(pDrawables = (DrawablePtr *)Xalloc(stuff->n * sizeof(DrawablePtr)))) { return(BadAlloc); @@@@ -914,7 +923,7 @@@@ ProcDbeGetVisualInfo(client) if (!(pDrawables[i] = (DrawablePtr)SecurityLookupDrawable( drawables[i], client, SecurityReadAccess))) { - DEALLOCATE_LOCAL(pDrawables); + Xfree(pDrawables); return(BadDrawable); } } @@@@ -926,7 +935,7 @@@@ ProcDbeGetVisualInfo(client) { if (pDrawables) { - DEALLOCATE_LOCAL(pDrawables); + Xfree(pDrawables); } return(BadAlloc); @@@@ -953,7 +962,7 @@@@ ProcDbeGetVisualInfo(client) /* Free pDrawables if we needed to allocate it above. */ if (pDrawables) { - DEALLOCATE_LOCAL(pDrawables); + Xfree(pDrawables); } return(BadAlloc); @@@@ -1034,7 +1043,7 @@@@ ProcDbeGetVisualInfo(client) if (pDrawables) { - DEALLOCATE_LOCAL(pDrawables); + Xfree(pDrawables); } return(client->noClientException); @