Fix from X.Org for CVE-2007-6428 - TOG-cup extension memory corruption.

author: Matthieu Herrb <matthieu@cvs.openbsd.org> 2008-01-17 15:43:07 +0000
committer: Matthieu Herrb <matthieu@cvs.openbsd.org> 2008-01-17 15:43:07 +0000
commit: ad2e0382aacd07cfaa9dd0f8abdc9d0876ab0c01 (patch)
tree: 8ff9fd346b43b9ce050fcd6da224b28dec31f4eb /xserver/Xext
parent: bf7b08310c6daa8271502372e02f116f261b83db (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/xserver/Xext/cup.c b/xserver/Xext/cup.c
index 10d13bae0..781b9ce2b 100644
--- a/xserver/Xext/cup.c
+++ b/xserver/Xext/cup.c
@@ -196,6 +196,9 @@ int ProcGetReservedColormapEntries(
 
     REQUEST_SIZE_MATCH (xXcupGetReservedColormapEntriesReq);
 
+    if (stuff->screen >= screenInfo.numScreens)
+	return BadValue;
+
 #ifndef HAVE_SPECIAL_DESKTOP_COLORS
     citems[CUP_BLACK_PIXEL].pixel = 
 	screenInfo.screens[stuff->screen]->blackPixel;
@@ -227,7 +230,7 @@ int ProcStoreColors(
 
     REQUEST_AT_LEAST_SIZE (xXcupStoreColorsReq);
     pcmp = (ColormapPtr) SecurityLookupIDByType (client, stuff->cmap,
-						 RT_COLORMAP, SecurityWriteAccess);
+						 RT_COLORMAP, DixWriteAccess);
 
     if (pcmp) {
 	int ncolors, n;
author	Matthieu Herrb <matthieu@cvs.openbsd.org>	2008-01-17 15:43:07 +0000
committer	Matthieu Herrb <matthieu@cvs.openbsd.org>	2008-01-17 15:43:07 +0000
commit	ad2e0382aacd07cfaa9dd0f8abdc9d0876ab0c01 (patch)
tree	8ff9fd346b43b9ce050fcd6da224b28dec31f4eb /xserver/Xext
parent	bf7b08310c6daa8271502372e02f116f261b83db (diff)