head 1.3; access; symbols pkgsrc-2013Q2:1.3.0.14 pkgsrc-2013Q2-base:1.3 pkgsrc-2012Q4:1.3.0.12 pkgsrc-2012Q4-base:1.3 pkgsrc-2011Q4:1.3.0.10 pkgsrc-2011Q4-base:1.3 pkgsrc-2011Q2:1.3.0.8 pkgsrc-2011Q2-base:1.3 pkgsrc-2009Q4:1.3.0.6 pkgsrc-2009Q4-base:1.3 pkgsrc-2008Q4:1.3.0.4 pkgsrc-2008Q4-base:1.3 pkgsrc-2008Q3:1.3.0.2 pkgsrc-2008Q3-base:1.3 cube-native-xorg:1.2.0.6 cube-native-xorg-base:1.2 pkgsrc-2008Q2:1.2.0.4 pkgsrc-2008Q2-base:1.2 cwrapper:1.2.0.2 pkgsrc-2008Q1:1.1.0.2 pkgsrc-2008Q1-base:1.1; locks; strict; comment @# @; 1.3 date 2008.09.18.20.56.01; author bjs; state dead; branches; next 1.2; 1.2 date 2008.06.20.13.34.40; author joerg; state Exp; branches; next 1.1; 1.1 date 2008.02.25.15.39.16; author joerg; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2008.06.25.10.20.58; author tron; state Exp; branches; next ; desc @@ 1.3 log @Welcome to modular-xorg-server-1.4.2. This long-overdue update brings many improvements: - Many improvements to EXA - Input Hotplugging via HAL or dbus (not enabled yet) - Support for RandR 1.2. Users using a dual-head configuration are encouraged to see for more information. - The server now uses the same version of Mesa we have in pkgsrc; this likely will result in more reliable OpenGL/DRI operation. I realize that this server is still not the latest release (1.5.0); upgrading to that version will require an involved mesa update, libpciaccess, etc. I hope that by the next quarter, that work will be done. Please file a problem report and/or contact us via the usual means (mailing lists, etc.) should you encounter any issues. @ text @$NetBSD: patch-ef,v 1.2 2008/06/20 13:34:40 joerg Exp $ --- Xext/shm.c.orig 2008-06-20 14:39:43.000000000 +0200 +++ Xext/shm.c @@@@ -156,7 +156,7 @@@@ static ShmFuncs fbFuncs = {fbShmCreatePi } -#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__) +#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__) || defined(__DragonFly__) #include static Bool badSysCall = FALSE; @@@@ -723,6 +723,8 @@@@ ProcPanoramiXShmCreatePixmap( int i, j, result; ShmDescPtr shmdesc; REQUEST(xShmCreatePixmapReq); + unsigned int width, height, depth; + unsigned long size; PanoramiXRes *newPix; REQUEST_SIZE_MATCH(xShmCreatePixmapReq); @@@@ -732,11 +734,26 @@@@ ProcPanoramiXShmCreatePixmap( LEGAL_NEW_RESOURCE(stuff->pid, client); VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); - if (!stuff->width || !stuff->height) + + width = stuff->width; + height = stuff->height; + depth = stuff->depth; + if (!width || !height || !depth) { client->errorValue = 0; return BadValue; } + if (width > 32767 || height > 32767) + return BadAlloc; + size = PixmapBytePad(width, depth) * height; + if (sizeof(size) == 4) { + if (size < width * height) + return BadAlloc; + /* thankfully, offset is unsigned */ + if (stuff->offset + size < size) + return BadAlloc; + } + if (stuff->depth != 1) { pDepth = pDraw->pScreen->allowedDepths; @@@@ -747,9 +764,7 @@@@ ProcPanoramiXShmCreatePixmap( return BadValue; } CreatePmap: - VERIFY_SHMSIZE(shmdesc, stuff->offset, - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, - client); + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) return BadAlloc; @@@@ -841,8 +856,17 @@@@ ProcShmPutImage(client) return BadValue; } - VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, - client); + /* + * There's a potential integer overflow in this check: + * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, + * client); + * the version below ought to avoid it + */ + if (stuff->totalHeight != 0 && + length > (shmdesc->size - stuff->offset)/stuff->totalHeight) { + client->errorValue = stuff->totalWidth; + return BadValue; + } if (stuff->srcX > stuff->totalWidth) { client->errorValue = stuff->srcX; @@@@ -1047,6 +1071,8 @@@@ ProcShmCreatePixmap(client) register int i; ShmDescPtr shmdesc; REQUEST(xShmCreatePixmapReq); + unsigned int width, height, depth; + unsigned long size; REQUEST_SIZE_MATCH(xShmCreatePixmapReq); client->errorValue = stuff->pid; @@@@ -1055,11 +1081,26 @@@@ ProcShmCreatePixmap(client) LEGAL_NEW_RESOURCE(stuff->pid, client); VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client); VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client); - if (!stuff->width || !stuff->height) + + width = stuff->width; + height = stuff->height; + depth = stuff->depth; + if (!width || !height || !depth) { client->errorValue = 0; return BadValue; } + if (width > 32767 || height > 32767) + return BadAlloc; + size = PixmapBytePad(width, depth) * height; + if (sizeof(size) == 4) { + if (size < width * height) + return BadAlloc; + /* thankfully, offset is unsigned */ + if (stuff->offset + size < size) + return BadAlloc; + } + if (stuff->depth != 1) { pDepth = pDraw->pScreen->allowedDepths; @@@@ -1070,9 +1111,7 @@@@ ProcShmCreatePixmap(client) return BadValue; } CreatePmap: - VERIFY_SHMSIZE(shmdesc, stuff->offset, - PixmapBytePad(stuff->width, stuff->depth) * stuff->height, - client); + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( pDraw->pScreen, stuff->width, stuff->height, stuff->depth, @ 1.2 log @modular-xorg-server-1.3.0.0nb9: Fix CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361 and CVE-2008-2362 based on upstream patches. @ text @d1 1 a1 1 $NetBSD$ @ 1.1 log @modular-xorg-server-1.3.0nb5: Fix a number of buffer-overflows, privacy-leaks and memory corruptions. @ text @d3 1 a3 1 --- Xext/shm.c.orig 2008-02-25 15:43:05.000000000 +0100 d5 9 d62 21 a82 1 @@@@ -1047,6 +1062,8 @@@@ ProcShmCreatePixmap(client) d91 1 a91 1 @@@@ -1055,11 +1072,26 @@@@ ProcShmCreatePixmap(client) d119 1 a119 1 @@@@ -1070,9 +1102,7 @@@@ ProcShmCreatePixmap(client) @ 1.1.2.1 log @Pullup ticket #2433 - requested by joerg Security patch for modular-xorg-server Revisions pulled up: - x11/modular-xorg-server/Makefile 1.30 via patch - x11/modular-xorg-server/distinfo 1.21 - x11/modular-xorg-server/patches/patch-ac 1.3 - x11/modular-xorg-server/patches/patch-ae 1.5 - x11/modular-xorg-server/patches/patch-da delete - x11/modular-xorg-server/patches/patch-ed 1.2 - x11/modular-xorg-server/patches/patch-ef 1.2 --- Module Name: pkgsrc Committed By: joerg Date: Fri Jun 20 13:34:40 UTC 2008 Modified Files: pkgsrc/x11/modular-xorg-server: Makefile distinfo pkgsrc/x11/modular-xorg-server/patches: patch-ed patch-ef Added Files: pkgsrc/x11/modular-xorg-server/patches: patch-ac patch-ae Removed Files: pkgsrc/x11/modular-xorg-server/patches: patch-da Log Message: modular-xorg-server-1.3.0.0nb9: Fix CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361 and CVE-2008-2362 based on upstream patches. @ text @d3 1 a3 1 --- Xext/shm.c.orig 2008-06-20 14:39:43.000000000 +0200 a4 9 @@@@ -156,7 +156,7 @@@@ static ShmFuncs fbFuncs = {fbShmCreatePi } -#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__) +#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__CYGWIN__) || defined(__DragonFly__) #include static Bool badSysCall = FALSE; d53 1 a53 21 @@@@ -841,8 +856,17 @@@@ ProcShmPutImage(client) return BadValue; } - VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, - client); + /* + * There's a potential integer overflow in this check: + * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, + * client); + * the version below ought to avoid it + */ + if (stuff->totalHeight != 0 && + length > (shmdesc->size - stuff->offset)/stuff->totalHeight) { + client->errorValue = stuff->totalWidth; + return BadValue; + } if (stuff->srcX > stuff->totalWidth) { client->errorValue = stuff->srcX; @@@@ -1047,6 +1071,8 @@@@ ProcShmCreatePixmap(client) d62 1 a62 1 @@@@ -1055,11 +1081,26 @@@@ ProcShmCreatePixmap(client) d90 1 a90 1 @@@@ -1070,9 +1111,7 @@@@ ProcShmCreatePixmap(client) @