Fixes for various integer overflow problems from X.Org:

CVE-2008-2360 - RENDER Extension heap buffer overflow CVE-2008-2361 - RENDER Extension crash CVE-2008-2362 - RENDER Extension memory corruption CVE-2008-1379 - MIT-SHM arbitrary memory read CVE-2008-1377 - RECORD and Security extensions memory corruption
author: Matthieu Herrb <matthieu@cvs.openbsd.org> 2008-06-11 15:39:27 +0000
committer: Matthieu Herrb <matthieu@cvs.openbsd.org> 2008-06-11 15:39:27 +0000
commit: 879ae0df495e76fe420d171dac567c88d9548efd (patch)
tree: 3b40a6d66424f5be4a5244c70461d257564175f6 /xserver/render
parent: 362affcae887d15bfba9454b386fd1bf4d617276 (diff)
2 files changed, 25 insertions, 11 deletions
diff --git a/xserver/render/glyph.c b/xserver/render/glyph.c
index 6d09a0e52..efc352c23 100644
--- a/xserver/render/glyph.c
+++ b/xserver/render/glyph.c
@@ -77,22 +77,22 @@ static GlyphHashSetRec glyphHashSets[] = {
 
 #define NGLYPHHASHSETS	(sizeof(glyphHashSets)/sizeof(glyphHashSets[0]))
 
-const CARD8	glyphDepths[GlyphFormatNum] = { 1, 4, 8, 16, 32 };
+static const CARD8	glyphDepths[GlyphFormatNum] = { 1, 4, 8, 16, 32 };
 
-GlyphHashRec	globalGlyphs[GlyphFormatNum];
+static GlyphHashRec	globalGlyphs[GlyphFormatNum];
 
-int		globalTotalGlyphPrivateSize = 0;
+static int	globalTotalGlyphPrivateSize = 0;
 
 static int	glyphPrivateCount = 0;
 
 void
-ResetGlyphPrivates ()
+ResetGlyphPrivates (void)
 {
     glyphPrivateCount = 0;
 }
 
 int
-AllocateGlyphPrivateIndex ()
+AllocateGlyphPrivateIndex (void)
 {
     return glyphPrivateCount++;
 }
@@ -626,8 +626,12 @@ AllocateGlyph (xGlyphInfo *gi, int fdepth)
     int		     size;
     GlyphPtr	     glyph;
     int		     i;
-
-    size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
+    size_t	     padded_width;
+    
+    padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
+    if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
+	return 0;
+    size = gi->height * padded_width;
     glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
     if (!glyph)
 	return 0;
diff --git a/xserver/render/render.c b/xserver/render/render.c
index b6fa10230..c666d5089 100644
--- a/xserver/render/render.c
+++ b/xserver/render/render.c
@@ -1504,6 +1504,8 @@ ProcRenderCreateCursor (ClientPtr client)
     pScreen = pSrc->pDrawable->pScreen;
     width = pSrc->pDrawable->width;
     height = pSrc->pDrawable->height;
+    if (height && width > UINT32_MAX/(height*sizeof(CARD32)))
+	return BadAlloc;
     if ( stuff->x > width 
       || stuff->y > height )
 	return (BadMatch);
@@ -1918,6 +1920,8 @@ static int ProcRenderCreateLinearGradient (ClientPtr client)
     LEGAL_NEW_RESOURCE(stuff->pid, client);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
@@ -2491,18 +2495,18 @@ SProcRenderCreateSolidFill(ClientPtr client)
     return (*ProcRenderVector[stuff->renderReqType]) (client);
 }
 
-static void swapStops(void *stuff, int n)
+static void swapStops(void *stuff, int num)
 {
-    int i;
+    int i, n;
     CARD32 *stops;
     CARD16 *colors;
     stops = (CARD32 *)(stuff);
-    for (i = 0; i < n; ++i) {
+    for (i = 0; i < num; ++i) {
         swapl(stops, n);
         ++stops;
     }
     colors = (CARD16 *)(stops);
-    for (i = 0; i < 4*n; ++i) {
+    for (i = 0; i < 4*num; ++i) {
         swaps(stops, n);
         ++stops;
     }
@@ -2525,6 +2529,8 @@ SProcRenderCreateLinearGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
@@ -2552,6 +2558,8 @@ SProcRenderCreateRadialGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
@@ -2576,6 +2584,8 @@ SProcRenderCreateConicalGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
author	Matthieu Herrb <matthieu@cvs.openbsd.org>	2008-06-11 15:39:27 +0000
committer	Matthieu Herrb <matthieu@cvs.openbsd.org>	2008-06-11 15:39:27 +0000
commit	879ae0df495e76fe420d171dac567c88d9548efd (patch)
tree	3b40a6d66424f5be4a5244c70461d257564175f6 /xserver/render
parent	362affcae887d15bfba9454b386fd1bf4d617276 (diff)