authorMatthieu Herrb <matthieu@cvs.openbsd.org>2008-01-17 15:41:19 +0000
committerMatthieu Herrb <matthieu@cvs.openbsd.org>2008-01-17 15:41:19 +0000
commit2997f26ffb0082b668060c24438e76da502c1c08 (patch)
tree36e9b2184fa3232b63f2e3e3bb7599162cc46678
parent8f147aba9bd83bffcdcd9d7c0e1a27db831789a7 (diff)
Fix from X.Org for CVE-2007-5760 - XFree86 Misc extension out of
bounds array index.
-rw-r--r--xserver/hw/xfree86/common/xf86MiscExt.c106
1 files changed, 9 insertions, 97 deletions
diff --git a/xserver/hw/xfree86/common/xf86MiscExt.c b/xserver/hw/xfree86/common/xf86MiscExt.c
index 7596fbea7..40c196a3e 100644
--- a/xserver/hw/xfree86/common/xf86MiscExt.c
+++ b/xserver/hw/xfree86/common/xf86MiscExt.c
@@ -34,10 +34,6 @@
#include <xorg-config.h>
#endif
-#ifdef __UNIXOS2__
-#define I_NEED_OS2_H
-#endif
-
#include <X11/X.h>
#include "os.h"
#include "xf86.h"
@@ -89,6 +85,7 @@ typedef struct {
int rate;
int delay;
int serverNumLock; /* obsolete */
+ pointer private;
} kbdParamsRec, *kbdParamsPtr;
/*
@@ -155,8 +152,6 @@ MiscExtGetMouseSettings(pointer *mouse, char **devname)
{
mseParamsPtr mseptr;
- DEBUG_P("MiscExtGetMouseSettings");
-
mseptr = MiscExtCreateStruct(MISC_POINTER);
if (!mseptr)
return FALSE;
@@ -187,8 +182,6 @@ MiscExtGetMouseValue(pointer mouse, MiscExtMseValType valtype)
{
mseParamsPtr mse = mouse;
- DEBUG_P("MiscExtGetMouseValue");
-
switch (valtype) {
case MISC_MSE_PROTO: return mse->type;
case MISC_MSE_BAUDRATE: return mse->baudrate;
@@ -208,8 +201,6 @@ MiscExtSetMouseValue(pointer mouse, MiscExtMseValType valtype, int value)
{
mseParamsPtr mse = mouse;
- DEBUG_P("MiscExtSetMouseValue");
-
switch (valtype) {
case MISC_MSE_PROTO:
mse->type = value;
@@ -246,7 +237,6 @@ _X_EXPORT Bool
MiscExtSetMouseDevice(pointer mouse, char* device)
{
mseParamsPtr mse = mouse;
-
mse->device = device;
return TRUE;
@@ -255,54 +245,18 @@ MiscExtSetMouseDevice(pointer mouse, char* device)
_X_EXPORT Bool
MiscExtGetKbdSettings(pointer *kbd)
{
- kbdParamsPtr kbdptr;
-
- DEBUG_P("MiscExtGetKbdSettings");
-
- kbdptr = MiscExtCreateStruct(MISC_KEYBOARD);
- if (!kbdptr)
- return FALSE;
- kbdptr->type = xf86Info.kbdType;
- kbdptr->rate = xf86Info.kbdRate;
- kbdptr->delay = xf86Info.kbdDelay;
- *kbd = kbdptr;
- return TRUE;
+ return FALSE;
}
_X_EXPORT int
MiscExtGetKbdValue(pointer keyboard, MiscExtKbdValType valtype)
{
- kbdParamsPtr kbd = keyboard;
-
- DEBUG_P("MiscExtGetKbdValue");
- switch (valtype) {
- case MISC_KBD_TYPE: return kbd->type;
- case MISC_KBD_RATE: return kbd->rate;
- case MISC_KBD_DELAY: return kbd->delay;
- case MISC_KBD_SERVNUMLOCK: return 0;
- }
return 0;
}
_X_EXPORT Bool
MiscExtSetKbdValue(pointer keyboard, MiscExtKbdValType valtype, int value)
{
- kbdParamsPtr kbd = keyboard;
-
- DEBUG_P("MiscExtSetKbdValue");
- switch (valtype) {
- case MISC_KBD_TYPE:
- kbd->type = value;
- return TRUE;
- case MISC_KBD_RATE:
- kbd->rate = value;
- return TRUE;
- case MISC_KBD_DELAY:
- kbd->delay = value;
- return TRUE;
- case MISC_KBD_SERVNUMLOCK:
- return TRUE;
- }
return FALSE;
}
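Review bot: MiscExtGetKbdSettings now returns FALSE without storing anything through `kbd`, so a caller that ignores the result would carry on with an indeterminate pointer. The callers are outside this diff, so this is a hardening point rather than a confirmed fault. Writing `*kbd = NULL;` before `return FALSE;` makes the failure explicit. MiscExtGetKbdValue likewise returns 0 for every `valtype`, which a caller cannot tell apart from a real setting. The three stubs would benefit from a one-line comment such as `/* keyboard settings are no longer served by this extension; stub kept so the exported symbol still resolves */`, if that is indeed why they remain.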
@@ -328,8 +282,6 @@ MiscExtClientStateCallback(CallbackListPtr *callbacks,
_X_EXPORT int
MiscExtSetGrabKeysState(ClientPtr client, int state)
{
- DEBUG_P("MiscExtSetGrabKeysState");
-
if (xf86Info.grabInfo.override == NULL ||
xf86Info.grabInfo.override == client) {
if (state == 0 && xf86Info.grabInfo.disabled == 0) {
@@ -356,8 +308,6 @@ MiscExtSetGrabKeysState(ClientPtr client, int state)
_X_EXPORT pointer
MiscExtCreateStruct(MiscExtStructType mse_or_kbd)
{
- DEBUG_P("MiscExtCreateStruct");
-
switch (mse_or_kbd) {
case MISC_POINTER:
{
@@ -365,7 +315,7 @@ MiscExtCreateStruct(MiscExtStructType mse_or_kbd)
InputInfoPtr pInfo = xf86InputDevs;
while (pInfo) {
- if (xf86IsCorePointer(pInfo->dev))
+ if (pInfo->dev == inputInfo.pointer)
break;
pInfo = pInfo->next;
}
@@ -386,8 +336,6 @@ MiscExtCreateStruct(MiscExtStructType mse_or_kbd)
_X_EXPORT void
MiscExtDestroyStruct(pointer structure, MiscExtStructType mse_or_kbd)
{
- DEBUG_P("MiscExtDestroyStruct");
-
switch (mse_or_kbd) {
case MISC_POINTER:
case MISC_KEYBOARD:
@@ -448,8 +396,6 @@ MiscExtAuthorizeDevice(InputInfoPtr pInfo, char *device)
_X_EXPORT MiscExtReturn
MiscExtApply(pointer structure, MiscExtStructType mse_or_kbd)
{
- DEBUG_P("MiscExtApply");
-
if (mse_or_kbd == MISC_POINTER) {
Bool protoChanged = FALSE;
int oldflags;
@@ -463,15 +409,13 @@ MiscExtApply(pointer structure, MiscExtStructType mse_or_kbd)
if (!xf86MouseProtocolIDToName)
return MISC_RET_NOMODULE;
if (mse->type < MTYPE_MICROSOFT
- || ( mse->type > MTYPE_EXPPS2
- && (mse->type!=MTYPE_OSMOUSE && mse->type!=MTYPE_XQUEUE)))
+ || (mse->type > MTYPE_EXPPS2
+ && (mse->type != MTYPE_OSMOUSE)))
return MISC_RET_BADMSEPROTO;
#ifdef OSMOUSE_ONLY
if (mse->type != MTYPE_OSMOUSE)
return MISC_RET_BADMSEPROTO;
#else
- if (mse->type == MTYPE_XQUEUE)
- return MISC_RET_BADMSEPROTO;
if (mse->type == MTYPE_OSMOUSE)
return MISC_RET_BADMSEPROTO;
#endif /* OSMOUSE_ONLY */
@@ -492,7 +436,6 @@ MiscExtApply(pointer structure, MiscExtStructType mse_or_kbd)
mse->flags &= ~MF_REOPEN;
}
if (mse->type != MTYPE_OSMOUSE
- && mse->type != MTYPE_XQUEUE
&& mse->type != MTYPE_PS_2
&& mse->type != MTYPE_BUSMOUSE
&& mse->type != MTYPE_IMPS2
@@ -513,7 +456,6 @@ MiscExtApply(pointer structure, MiscExtStructType mse_or_kbd)
return MISC_RET_BADFLAGS;
if (mse->type != MTYPE_OSMOUSE
- && mse->type != MTYPE_XQUEUE
&& mse->type != MTYPE_BUSMOUSE)
{
if (mse->samplerate < 0)
@@ -586,45 +528,13 @@ MiscExtApply(pointer structure, MiscExtStructType mse_or_kbd)
xf86ReplaceBoolOption(pInfo->options, "ClearRTS",
pMse->mouseFlags | MF_CLEAR_RTS);
}
- if (mse_or_kbd == MISC_KEYBOARD) {
- kbdParamsPtr kbd = structure;
-
- if (kbd->rate < 0)
- return MISC_RET_BADVAL;
- if (kbd->delay < 0)
- return MISC_RET_BADVAL;
- if (kbd->type < KTYPE_UNKNOWN || kbd->type > KTYPE_XQUEUE)
- return MISC_RET_BADKBDTYPE;
-
- if (xf86Info.kbdRate!=kbd->rate || xf86Info.kbdDelay!=kbd->delay) {
- char rad;
-
- xf86Info.kbdRate = kbd->rate;
- xf86Info.kbdDelay = kbd->delay;
- if (xf86Info.kbdDelay <= 375) rad = 0x00;
- else if (xf86Info.kbdDelay <= 625) rad = 0x20;
- else if (xf86Info.kbdDelay <= 875) rad = 0x40;
- else rad = 0x60;
-
- if (xf86Info.kbdRate <= 2) rad |= 0x1F;
- else if (xf86Info.kbdRate >= 30) rad |= 0x00;
- else rad |= ((58/xf86Info.kbdRate)-2);
-
- xf86SetKbdRepeat(rad);
- }
-#if 0 /* Not done yet */
- xf86Info.kbdType = kbd->kbdtype;
-#endif
- }
- return MISC_RET_SUCCESS;
+ return MISC_RET_BADVAL;
}
_X_EXPORT Bool
MiscExtGetFilePaths(const char **configfile, const char **modulepath,
const char **logfile)
{
- DEBUG_P("MiscExtGetFilePaths");
-
*configfile = xf86ConfigFile;
*modulepath = xf86ModulePath;
*logfile = xf86LogFile;
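Review bot: The last statement of MiscExtApply changes from `return MISC_RET_SUCCESS;` to `return MISC_RET_BADVAL;`, and the closing brace just above it appears to end the MISC_POINTER branch, whose body begins outside this hunk. If that branch has no return of its own on the success path, a valid pointer request would now report MISC_RET_BADVAL after its settings were already applied. Please confirm against the full function. If fall-through is meant only for non-pointer structure types, put `return MISC_RET_SUCCESS;` at the end of the pointer branch and mark the trailing return with `/* keyboard and unknown structure types are rejected */`.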
@@ -638,7 +548,9 @@ MiscExtPassMessage(int scrnIndex, const char *msgtype, const char *msgval,
{
ScrnInfoPtr pScr = xf86Screens[scrnIndex];
- DEBUG_P("MiscExtPassMessage");
+ /* should check this in the protocol, but xf86NumScreens isn't exported */
+ if (scrnIndex >= xf86NumScreens)
+ return BadValue;
if (*pScr->HandleMessage == NULL)
return BadImplementation;
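Review bot: The new bounds check in MiscExtPassMessage runs after the initializer `ScrnInfoPtr pScr = xf86Screens[scrnIndex];`, so the array is still read with the unvalidated index before the function returns BadValue. The check also only rejects values at or above `xf86NumScreens`, and `scrnIndex` is a signed `int`. Whether the protocol handler can ever pass a negative value is not visible here, but the guard should not depend on that. Declare `ScrnInfoPtr pScr;` without an initializer, test `if (scrnIndex < 0 || scrnIndex >= xf86NumScreens) return BadValue;`, and only then assign `pScr = xf86Screens[scrnIndex];`. The function body continues past the end of this hunk.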