summaryrefslogtreecommitdiff
path: root/xserver/dbe/dbe.c
diff options
context:
space:
mode:
authorMatthieu Herrb <matthieu@cvs.openbsd.org>2007-01-09 14:24:32 +0000
committerMatthieu Herrb <matthieu@cvs.openbsd.org>2007-01-09 14:24:32 +0000
commit407dc8877a24549077d731df4b63d77286da142a (patch)
tree8d98dfc657e2be9022a1bf1b23534db1cb07e5cd /xserver/dbe/dbe.c
parentada3f51a1dca1dfdca365b3bcc0f17c7108f1094 (diff)
CVE-2006-6101 CVE-2006-6102 CVE-2006-6103: The ProcDbeGetVisualInfo(),
ProcDbeSwapBuffer() and ProcRenderAddGlyphs() functions in the X server, implementing requests for the dbe and render extensions, may be used to overwrite data on the stack or in other parts of the X server memory.
Diffstat (limited to 'xserver/dbe/dbe.c')
-rw-r--r--xserver/dbe/dbe.c34
1 files changed, 22 insertions, 12 deletions
diff --git a/xserver/dbe/dbe.c b/xserver/dbe/dbe.c
index 5b43dd1bd..6a2ed6a2d 100644
--- a/xserver/dbe/dbe.c
+++ b/xserver/dbe/dbe.c
@@ -39,6 +39,11 @@
#endif
#include <string.h>
+#if HAVE_STDINT_T
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
#include <X11/X.h>
#include <X11/Xproto.h>
@@ -713,11 +718,14 @@ ProcDbeSwapBuffers(ClientPtr client)
return(Success);
}
+ if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
+ return BadAlloc;
+
/* Get to the swap info appended to the end of the request. */
dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
/* Allocate array to record swap information. */
- swapInfo = (DbeSwapInfoPtr)ALLOCATE_LOCAL(nStuff * sizeof(DbeSwapInfoRec));
+ swapInfo = (DbeSwapInfoPtr)Xalloc(nStuff * sizeof(DbeSwapInfoRec));
if (swapInfo == NULL)
{
return(BadAlloc);
@@ -732,14 +740,14 @@ ProcDbeSwapBuffers(ClientPtr client)
if (!(pWin = SecurityLookupWindow(dbeSwapInfo[i].window, client,
SecurityWriteAccess)))
{
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(BadWindow);
}
/* Each window must be double-buffered - BadMatch. */
if (DBE_WINDOW_PRIV(pWin) == NULL)
{
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(BadMatch);
}
@@ -748,7 +756,7 @@ ProcDbeSwapBuffers(ClientPtr client)
{
if (dbeSwapInfo[i].window == dbeSwapInfo[j].window)
{
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(BadMatch);
}
}
@@ -759,7 +767,7 @@ ProcDbeSwapBuffers(ClientPtr client)
(dbeSwapInfo[i].swapAction != XdbeUntouched ) &&
(dbeSwapInfo[i].swapAction != XdbeCopied ))
{
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(BadValue);
}
@@ -789,12 +797,12 @@ ProcDbeSwapBuffers(ClientPtr client)
error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo);
if (error != Success)
{
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(error);
}
}
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
return(Success);
} /* ProcDbeSwapBuffers() */
@@ -876,10 +884,12 @@ ProcDbeGetVisualInfo(ClientPtr client)
REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
+ if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
+ return BadAlloc;
/* Make sure any specified drawables are valid. */
if (stuff->n != 0)
{
- if (!(pDrawables = (DrawablePtr *)ALLOCATE_LOCAL(stuff->n *
+ if (!(pDrawables = (DrawablePtr *)Xalloc(stuff->n *
sizeof(DrawablePtr))))
{
return(BadAlloc);
@@ -892,7 +902,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
if (!(pDrawables[i] = (DrawablePtr)SecurityLookupDrawable(
drawables[i], client, SecurityReadAccess)))
{
- DEALLOCATE_LOCAL(pDrawables);
+ Xfree(pDrawables);
return(BadDrawable);
}
}
@@ -904,7 +914,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
{
if (pDrawables)
{
- DEALLOCATE_LOCAL(pDrawables);
+ Xfree(pDrawables);
}
return(BadAlloc);
@@ -931,7 +941,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
/* Free pDrawables if we needed to allocate it above. */
if (pDrawables)
{
- DEALLOCATE_LOCAL(pDrawables);
+ Xfree(pDrawables);
}
return(BadAlloc);
@@ -1012,7 +1022,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
if (pDrawables)
{
- DEALLOCATE_LOCAL(pDrawables);
+ Xfree(pDrawables);
}
return(client->noClientException);