CVE-2006-6101 CVE-2006-6102 CVE-2006-6103: The ProcDbeGetVisualInfo(),

ProcDbeSwapBuffer() and ProcRenderAddGlyphs() functions in the X server,
implementing requests for the dbe and render extensions, may be used
to overwrite data on the stack or in other parts of the X server memory.

2 files changed, 34 insertions, 15 deletions

diff --git a/xserver/dbe/dbe.c b/xserver/dbe/dbe.c
index 5b43dd1bd..6a2ed6a2d 100644
--- a/xserver/dbe/dbe.c
+++ b/xserver/dbe/dbe.c
@@ -39,6 +39,11 @@
 #endif
 
 #include <string.h>
+#if HAVE_STDINT_T
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
 
 #include <X11/X.h>
 #include <X11/Xproto.h>
@@ -713,11 +718,14 @@ ProcDbeSwapBuffers(ClientPtr client)
         return(Success);
     }
 
+    if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
+	    return BadAlloc;
+
     /* Get to the swap info appended to the end of the request. */
     dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
 
     /* Allocate array to record swap information. */ 
-    swapInfo = (DbeSwapInfoPtr)ALLOCATE_LOCAL(nStuff * sizeof(DbeSwapInfoRec));
+    swapInfo = (DbeSwapInfoPtr)Xalloc(nStuff * sizeof(DbeSwapInfoRec));
     if (swapInfo == NULL)
     {
         return(BadAlloc);
@@ -732,14 +740,14 @@ ProcDbeSwapBuffers(ClientPtr client)
         if (!(pWin = SecurityLookupWindow(dbeSwapInfo[i].window, client,
 					  SecurityWriteAccess)))
         {
-            DEALLOCATE_LOCAL(swapInfo);
+            Xfree(swapInfo);
 	    return(BadWindow);
         }
 
         /* Each window must be double-buffered - BadMatch. */
         if (DBE_WINDOW_PRIV(pWin) == NULL)
         {
-            DEALLOCATE_LOCAL(swapInfo);
+            Xfree(swapInfo);
             return(BadMatch);
         }
 
@@ -748,7 +756,7 @@ ProcDbeSwapBuffers(ClientPtr client)
         {
             if (dbeSwapInfo[i].window == dbeSwapInfo[j].window)
             {
-                DEALLOCATE_LOCAL(swapInfo);
+                Xfree(swapInfo);
                 return(BadMatch);
 	    }
         }
@@ -759,7 +767,7 @@ ProcDbeSwapBuffers(ClientPtr client)
             (dbeSwapInfo[i].swapAction != XdbeUntouched ) &&
             (dbeSwapInfo[i].swapAction != XdbeCopied    ))
         {
-            DEALLOCATE_LOCAL(swapInfo);
+            Xfree(swapInfo);
             return(BadValue);
         }
 
@@ -789,12 +797,12 @@ ProcDbeSwapBuffers(ClientPtr client)
         error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo);
         if (error != Success)
         {
-            DEALLOCATE_LOCAL(swapInfo);
+            Xfree(swapInfo);
             return(error);
         }
     }
     
-    DEALLOCATE_LOCAL(swapInfo);
+    Xfree(swapInfo);
     return(Success);
 
 } /* ProcDbeSwapBuffers() */
@@ -876,10 +884,12 @@ ProcDbeGetVisualInfo(ClientPtr client)
 
     REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
 
+    if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
+	    return BadAlloc;
     /* Make sure any specified drawables are valid. */
     if (stuff->n != 0)
     {
-        if (!(pDrawables = (DrawablePtr *)ALLOCATE_LOCAL(stuff->n *
+        if (!(pDrawables = (DrawablePtr *)Xalloc(stuff->n *
                                                  sizeof(DrawablePtr))))
         {
             return(BadAlloc);
@@ -892,7 +902,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
             if (!(pDrawables[i] = (DrawablePtr)SecurityLookupDrawable(
 				drawables[i], client, SecurityReadAccess)))
             {
-                DEALLOCATE_LOCAL(pDrawables);
+                Xfree(pDrawables);
                 return(BadDrawable);
             }
         }
@@ -904,7 +914,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
     {
         if (pDrawables)
         {
-            DEALLOCATE_LOCAL(pDrawables);
+            Xfree(pDrawables);
         }
 
         return(BadAlloc);
@@ -931,7 +941,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
             /* Free pDrawables if we needed to allocate it above. */
             if (pDrawables)
             {
-                DEALLOCATE_LOCAL(pDrawables);
+                Xfree(pDrawables);
             }
 
             return(BadAlloc);
@@ -1012,7 +1022,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
 
     if (pDrawables)
     {
-        DEALLOCATE_LOCAL(pDrawables);
+        Xfree(pDrawables);
     }
 
     return(client->noClientException);
diff --git a/xserver/render/render.c b/xserver/render/render.c
index e4d8d6b32..55f360a44 100644
--- a/xserver/render/render.c
+++ b/xserver/render/render.c
@@ -47,6 +47,12 @@
 #include <X11/Xfuncproto.h>
 #include "cursorstr.h"
 
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
 static int ProcRenderQueryVersion (ClientPtr pClient);
 static int ProcRenderQueryPictFormats (ClientPtr pClient);
 static int ProcRenderQueryPictIndexValues (ClientPtr pClient);
@@ -1103,11 +1109,14 @@ ProcRenderAddGlyphs (ClientPtr client)
     }
 
     nglyphs = stuff->nglyphs;
+    if (nglyphs > UINT32_MAX / sizeof(GlyphNewRec))
+	    return BadAlloc;
+
     if (nglyphs <= NLOCALGLYPH)
 	glyphsBase = glyphsLocal;
     else
     {
-	glyphsBase = (GlyphNewPtr) ALLOCATE_LOCAL (nglyphs * sizeof (GlyphNewRec));
+	glyphsBase = (GlyphNewPtr) Xalloc (nglyphs * sizeof (GlyphNewRec));
 	if (!glyphsBase)
 	    return BadAlloc;
     }
@@ -1164,7 +1173,7 @@ ProcRenderAddGlyphs (ClientPtr client)
     }
 
     if (glyphsBase != glyphsLocal)
-	DEALLOCATE_LOCAL (glyphsBase);
+	Xfree (glyphsBase);
     return client->noClientException;
 bail:
     while (glyphs != glyphsBase)
@@ -1173,7 +1182,7 @@ bail:
 	xfree (glyphs->glyph);
     }
     if (glyphsBase != glyphsLocal)
-	DEALLOCATE_LOCAL (glyphsBase);
+	Xfree (glyphsBase);
     return err;
 }