Multiple integer overflows in dbe and render extensions
CVE IDs: CVE-2006-6101 CVE-2006-6102 CVE-2006-6103
This commit is contained in:
Matthieu Herrb
parent
359d20532b
commit
e3aa6ad201
34
dbe/dbe.c
34
dbe/dbe.c
|
|
@ -39,6 +39,11 @@
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
#if HAVE_STDINT_H
|
||||||
|
#include <stdint.h>
|
||||||
|
#elif !defined(UINT32_MAX)
|
||||||
|
#define UINT32_MAX 0xffffffffU
|
||||||
|
#endif
|
||||||
|
|
||||||
#include <X11/X.h>
|
#include <X11/X.h>
|
||||||
#include <X11/Xproto.h>
|
#include <X11/Xproto.h>
|
||||||
|
|
@ -711,11 +716,14 @@ ProcDbeSwapBuffers(ClientPtr client)
|
||||||
return(Success);
|
return(Success);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
|
||||||
|
return BadAlloc;
|
||||||
|
|
||||||
/* Get to the swap info appended to the end of the request. */
|
/* Get to the swap info appended to the end of the request. */
|
||||||
dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
|
dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
|
||||||
|
|
||||||
/* Allocate array to record swap information. */
|
/* Allocate array to record swap information. */
|
||||||
swapInfo = (DbeSwapInfoPtr)ALLOCATE_LOCAL(nStuff * sizeof(DbeSwapInfoRec));
|
swapInfo = (DbeSwapInfoPtr)Xalloc(nStuff * sizeof(DbeSwapInfoRec));
|
||||||
if (swapInfo == NULL)
|
if (swapInfo == NULL)
|
||||||
{
|
{
|
||||||
return(BadAlloc);
|
return(BadAlloc);
|
||||||
|
|
@ -730,14 +738,14 @@ ProcDbeSwapBuffers(ClientPtr client)
|
||||||
error = dixLookupWindow(&pWin, dbeSwapInfo[i].window, client,
|
error = dixLookupWindow(&pWin, dbeSwapInfo[i].window, client,
|
||||||
DixWriteAccess);
|
DixWriteAccess);
|
||||||
if (error != Success) {
|
if (error != Success) {
|
||||||
DEALLOCATE_LOCAL(swapInfo);
|
Xfree(swapInfo);
|
||||||
return error;
|
return error;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Each window must be double-buffered - BadMatch. */
|
/* Each window must be double-buffered - BadMatch. */
|
||||||
if (DBE_WINDOW_PRIV(pWin) == NULL)
|
if (DBE_WINDOW_PRIV(pWin) == NULL)
|
||||||
{
|
{
|
||||||
DEALLOCATE_LOCAL(swapInfo);
|
Xfree(swapInfo);
|
||||||
return(BadMatch);
|
return(BadMatch);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -746,7 +754,7 @@ ProcDbeSwapBuffers(ClientPtr client)
|
||||||
{
|
{
|
||||||
if (dbeSwapInfo[i].window == dbeSwapInfo[j].window)
|
if (dbeSwapInfo[i].window == dbeSwapInfo[j].window)
|
||||||
{
|
{
|
||||||
DEALLOCATE_LOCAL(swapInfo);
|
Xfree(swapInfo);
|
||||||
return(BadMatch);
|
return(BadMatch);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -757,7 +765,7 @@ ProcDbeSwapBuffers(ClientPtr client)
|
||||||
(dbeSwapInfo[i].swapAction != XdbeUntouched ) &&
|
(dbeSwapInfo[i].swapAction != XdbeUntouched ) &&
|
||||||
(dbeSwapInfo[i].swapAction != XdbeCopied ))
|
(dbeSwapInfo[i].swapAction != XdbeCopied ))
|
||||||
{
|
{
|
||||||
DEALLOCATE_LOCAL(swapInfo);
|
Xfree(swapInfo);
|
||||||
return(BadValue);
|
return(BadValue);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -787,12 +795,12 @@ ProcDbeSwapBuffers(ClientPtr client)
|
||||||
error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo);
|
error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo);
|
||||||
if (error != Success)
|
if (error != Success)
|
||||||
{
|
{
|
||||||
DEALLOCATE_LOCAL(swapInfo);
|
Xfree(swapInfo);
|
||||||
return(error);
|
return(error);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
DEALLOCATE_LOCAL(swapInfo);
|
Xfree(swapInfo);
|
||||||
return(Success);
|
return(Success);
|
||||||
|
|
||||||
} /* ProcDbeSwapBuffers() */
|
} /* ProcDbeSwapBuffers() */
|
||||||
|
|
@ -874,10 +882,12 @@ ProcDbeGetVisualInfo(ClientPtr client)
|
||||||
|
|
||||||
REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
|
REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
|
||||||
|
|
||||||
|
if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
|
||||||
|
return BadAlloc;
|
||||||
/* Make sure any specified drawables are valid. */
|
/* Make sure any specified drawables are valid. */
|
||||||
if (stuff->n != 0)
|
if (stuff->n != 0)
|
||||||
{
|
{
|
||||||
if (!(pDrawables = (DrawablePtr *)ALLOCATE_LOCAL(stuff->n *
|
if (!(pDrawables = (DrawablePtr *)Xalloc(stuff->n *
|
||||||
sizeof(DrawablePtr))))
|
sizeof(DrawablePtr))))
|
||||||
{
|
{
|
||||||
return(BadAlloc);
|
return(BadAlloc);
|
||||||
|
|
@ -890,7 +900,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
|
||||||
rc = dixLookupDrawable(pDrawables+i, drawables[i], client, 0,
|
rc = dixLookupDrawable(pDrawables+i, drawables[i], client, 0,
|
||||||
DixReadAccess);
|
DixReadAccess);
|
||||||
if (rc != Success) {
|
if (rc != Success) {
|
||||||
DEALLOCATE_LOCAL(pDrawables);
|
Xfree(pDrawables);
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -902,7 +912,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
|
||||||
{
|
{
|
||||||
if (pDrawables)
|
if (pDrawables)
|
||||||
{
|
{
|
||||||
DEALLOCATE_LOCAL(pDrawables);
|
Xfree(pDrawables);
|
||||||
}
|
}
|
||||||
|
|
||||||
return(BadAlloc);
|
return(BadAlloc);
|
||||||
|
|
@ -929,7 +939,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
|
||||||
/* Free pDrawables if we needed to allocate it above. */
|
/* Free pDrawables if we needed to allocate it above. */
|
||||||
if (pDrawables)
|
if (pDrawables)
|
||||||
{
|
{
|
||||||
DEALLOCATE_LOCAL(pDrawables);
|
Xfree(pDrawables);
|
||||||
}
|
}
|
||||||
|
|
||||||
return(BadAlloc);
|
return(BadAlloc);
|
||||||
|
|
@ -1010,7 +1020,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
|
||||||
|
|
||||||
if (pDrawables)
|
if (pDrawables)
|
||||||
{
|
{
|
||||||
DEALLOCATE_LOCAL(pDrawables);
|
Xfree(pDrawables);
|
||||||
}
|
}
|
||||||
|
|
||||||
return(client->noClientException);
|
return(client->noClientException);
|
||||||
|
|
|
||||||
|
|
@ -47,6 +47,12 @@
|
||||||
#include <X11/Xfuncproto.h>
|
#include <X11/Xfuncproto.h>
|
||||||
#include "cursorstr.h"
|
#include "cursorstr.h"
|
||||||
|
|
||||||
|
#if HAVE_STDINT_H
|
||||||
|
#include <stdint.h>
|
||||||
|
#elif !defined(UINT32_MAX)
|
||||||
|
#define UINT32_MAX 0xffffffffU
|
||||||
|
#endif
|
||||||
|
|
||||||
static int ProcRenderQueryVersion (ClientPtr pClient);
|
static int ProcRenderQueryVersion (ClientPtr pClient);
|
||||||
static int ProcRenderQueryPictFormats (ClientPtr pClient);
|
static int ProcRenderQueryPictFormats (ClientPtr pClient);
|
||||||
static int ProcRenderQueryPictIndexValues (ClientPtr pClient);
|
static int ProcRenderQueryPictIndexValues (ClientPtr pClient);
|
||||||
|
|
@ -1105,11 +1111,14 @@ ProcRenderAddGlyphs (ClientPtr client)
|
||||||
}
|
}
|
||||||
|
|
||||||
nglyphs = stuff->nglyphs;
|
nglyphs = stuff->nglyphs;
|
||||||
|
if (nglyphs > UINT32_MAX / sizeof(GlyphNewRec))
|
||||||
|
return BadAlloc;
|
||||||
|
|
||||||
if (nglyphs <= NLOCALGLYPH)
|
if (nglyphs <= NLOCALGLYPH)
|
||||||
glyphsBase = glyphsLocal;
|
glyphsBase = glyphsLocal;
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
glyphsBase = (GlyphNewPtr) ALLOCATE_LOCAL (nglyphs * sizeof (GlyphNewRec));
|
glyphsBase = (GlyphNewPtr) Xalloc (nglyphs * sizeof (GlyphNewRec));
|
||||||
if (!glyphsBase)
|
if (!glyphsBase)
|
||||||
return BadAlloc;
|
return BadAlloc;
|
||||||
}
|
}
|
||||||
|
|
@ -1166,7 +1175,7 @@ ProcRenderAddGlyphs (ClientPtr client)
|
||||||
}
|
}
|
||||||
|
|
||||||
if (glyphsBase != glyphsLocal)
|
if (glyphsBase != glyphsLocal)
|
||||||
DEALLOCATE_LOCAL (glyphsBase);
|
Xfree (glyphsBase);
|
||||||
return client->noClientException;
|
return client->noClientException;
|
||||||
bail:
|
bail:
|
||||||
while (glyphs != glyphsBase)
|
while (glyphs != glyphsBase)
|
||||||
|
|
@ -1175,7 +1184,7 @@ bail:
|
||||||
xfree (glyphs->glyph);
|
xfree (glyphs->glyph);
|
||||||
}
|
}
|
||||||
if (glyphsBase != glyphsLocal)
|
if (glyphsBase != glyphsLocal)
|
||||||
DEALLOCATE_LOCAL (glyphsBase);
|
Xfree (glyphsBase);
|
||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue
Block a user