Author: fjp Date: 2005-09-19 15:33:19 -0500 (Mon, 19 Sep 2005) New Revision: 2297
Added: branches/4.3.0/sarge/debian/patches/099za_SECURITY_fix_pixmap_size_overflows.diff
Modified: branches/4.3.0/sarge/debian/changelog
Log:
* Add patch 099za_SECURITY_fix_pixmap_size_overflows.diff: CAN-2005-2495: overflows when allocating size for large pixmaps may allow attackers to execute arbitrary code; with the patches for this issue, pixmap size has been limited to 32767x32767.
* Release 4.3.0.dfsg.1-14.sarge1.
Modified: branches/4.3.0/sarge/debian/changelog
===================================================================
--- branches/4.3.0/sarge/debian/changelog 2005-09-19 20:28:13 UTC (rev 2296)
+++ branches/4.3.0/sarge/debian/changelog 2005-09-19 20:33:19 UTC (rev 2297)
@@ -1,3 +1,12 @@
+xfree86 (4.3.0.dfsg.1-14sarge1) stable-security; urgency=high
+
+ * Security update release. Resolves the following issue:
+
+ CAN-2005-2495: overflows when allocating size for large pixmaps may
+ allow attackers to execute arbitrary code; with the patches for
+ this issue, pixmap size has been limited to 32767x32767.
+
+ -- Frans Pop <[EMAIL PROTECTED]> Sun, 28 Aug 2005 22:35:10 +0200
+
 xfree86 (4.3.0.dfsg.1-14) unstable; urgency=high
 Urgency set to high due to fix for security flaw (see below).
Added: branches/4.3.0/sarge/debian/patches/099za_SECURITY_fix_pixmap_size_overflows.diff
===================================================================
--- branches/4.3.0/sarge/debian/patches/099za_SECURITY_fix_pixmap_size_overflows.diff 2005-09-19 20:28:13 UTC (rev 2296)
+++ branches/4.3.0/sarge/debian/patches/099za_SECURITY_fix_pixmap_size_overflows.diff 2005-09-19 20:33:19 UTC (rev 2297)
@@ -0,0 +1,177 @@
+diff -Nru xc.before099z/programs/Xserver/afb/afbpixmap.c xc/programs/Xserver/afb/afbpixmap.c
+--- xc.before099z/programs/Xserver/afb/afbpixmap.c 2005-08-27 23:29:16.000000000 +0200
++++ xc/programs/Xserver/afb/afbpixmap.c 2005-08-27 23:53:11.000000000 +0200
+@@ -73,10 +73,14 @@
+ int depth;
+ {
+ PixmapPtr pPixmap;
+- int datasize;
+- int paddedWidth;
++ size_t datasize;
++ size_t paddedWidth;
+
+ paddedWidth = BitmapBytePad(width);
++
++ if (paddedWidth > 32767 || height > 32767)
++ return NullPixmap;
++
+ datasize = height * paddedWidth * depth;
+ pPixmap = AllocatePixmap(pScreen, datasize);
+ if (!pPixmap)
+diff -Nru xc.before099z/programs/Xserver/cfb/cfbpixmap.c xc/programs/Xserver/cfb/cfbpixmap.c
+--- xc.before099z/programs/Xserver/cfb/cfbpixmap.c 2005-08-27 23:29:16.000000000 +0200
++++ xc/programs/Xserver/cfb/cfbpixmap.c 2005-08-28 00:29:58.000000000 +0200
+@@ -70,10 +70,13 @@
+ int depth;
+ {
+ PixmapPtr pPixmap;
+- int datasize;
+- int paddedWidth;
++ size_t datasize;
++ size_t paddedWidth;
+
+ paddedWidth = PixmapBytePad(width, depth);
++
++ if (paddedWidth > 32767 || height > 32767)
++ return NullPixmap;
+ datasize = height * paddedWidth;
+ pPixmap = AllocatePixmap(pScreen, datasize);
+ if (!pPixmap)
+diff -Nru xc.before099z/programs/Xserver/dix/dispatch.c xc/programs/Xserver/dix/dispatch.c
+--- xc.before099z/programs/Xserver/dix/dispatch.c 2005-08-27 23:29:17.000000000 +0200
++++ xc/programs/Xserver/dix/dispatch.c 2005-08-27 23:44:08.000000000 +0200
+@@ -1492,6 +1492,23 @@
+ client->errorValue = 0;
+ return BadValue;
+ }
++ if (stuff->width > 32767 || stuff->height > 32767)
++ {
++ /* It is allowed to try and allocate a pixmap which is larger than
++ * 32767 in either dimension. However, all of the framebuffer code
++ * is buggy and does not reliably draw to such big pixmaps, basically
++ * because the Region data structure operates with signed shorts
++ * for the rectangles in it.
++ *
++ * Furthermore, several places in the X server computes the
++ * size in bytes of the pixmap and tries to store it in an
++ * integer. This integer can overflow and cause the allocated size
++ * to be much smaller.
++ *
++ * So, such big pixmaps are rejected here with a BadAlloc
++ */
++ return BadAlloc;
++ }
+ if (stuff->depth != 1)
+ {
+ pDepth = pDraw->pScreen->allowedDepths;
+diff -Nru xc.before099z/programs/Xserver/fb/fbpixmap.c xc/programs/Xserver/fb/fbpixmap.c
+--- xc.before099z/programs/Xserver/fb/fbpixmap.c 2005-08-27 23:29:17.000000000 +0200
++++ xc/programs/Xserver/fb/fbpixmap.c 2005-08-27 23:50:00.000000000 +0200
+@@ -32,12 +32,14 @@
+ fbCreatePixmapBpp (ScreenPtr pScreen, int width, int height, int depth, int bpp)
+ {
+ PixmapPtr pPixmap;
+- int datasize;
+- int paddedWidth;
++ size_t datasize;
++ size_t paddedWidth;
+ int adjust;
+ int base;
+
+ paddedWidth = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (FbBits);
++ if (paddedWidth > 32767 || height > 32767)
++ return NullPixmap;
+ datasize = height * paddedWidth;
+ #ifdef PIXPRIV
+ base = pScreen->totalPixmapSize;
+diff -Nru xc.before099z/programs/Xserver/hw/xfree86/xaa/xaaInit.c xc/programs/Xserver/hw/xfree86/xaa/xaaInit.c
+--- xc.before099z/programs/Xserver/hw/xfree86/xaa/xaaInit.c 2005-08-27 23:29:35.000000000 +0200
++++ xc/programs/Xserver/hw/xfree86/xaa/xaaInit.c 2005-08-28 00:40:38.000000000 +0200
+@@ -480,6 +480,9 @@
+ XAAPixmapPtr pPriv;
+ PixmapPtr pPix = NULL;
+ int size = w * h;
++
++ if (w > 32767 || h > 32767)
++ return NullPixmap;
+
+ if (!infoRec->offscreenDepthsInitialized)
+ XAAInitializeOffscreenDepths (pScreen);
+diff -Nru xc.before099z/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c xc/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c
+--- xc.before099z/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c 2005-08-27 23:29:35.000000000 +0200
++++ xc/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c 2005-08-27 23:55:49.000000000 +0200
+@@ -85,13 +85,16 @@
+ int depth ;
+ {
+ register PixmapPtr pPixmap = (PixmapPtr)NULL;
+- int size ;
++ size_t size ;
+
+ TRACE(("xf4bppCreatePixmap(pScreen=0x%x, width=%d, height=%d, depth=%d)\n", pScreen, width, height, depth)) ;
+
+ if ( depth > 8 )
+ return (PixmapPtr) NULL ;
+
++ if (width > 32767 || height > 32767)
++ return (PixmapPtr) NULL ;
++
+ size = PixmapBytePad(width, depth);
+ pPixmap = AllocatePixmap (pScreen, (height * size));
+
+diff -Nru xc.before099z/programs/Xserver/ilbm/ilbmpixmap.c xc/programs/Xserver/ilbm/ilbmpixmap.c
+--- xc.before099z/programs/Xserver/ilbm/ilbmpixmap.c 2005-08-27 23:29:36.000000000 +0200
++++ xc/programs/Xserver/ilbm/ilbmpixmap.c 2005-08-27 23:54:42.000000000 +0200
+@@ -75,10 +75,12 @@
+ int depth;
+ {
+ PixmapPtr pPixmap;
+- int datasize;
+- int paddedWidth;
++ size_t datasize;
++ size_t paddedWidth;
+
+ paddedWidth = BitmapBytePad(width);
++ if (paddedWidth > 32767 || height > 32767)
++ return NullPixmap;
+ datasize = height * paddedWidth * depth;
+ pPixmap = AllocatePixmap(pScreen, datasize);
+ if (!pPixmap)
+diff -Nru xc.before099z/programs/Xserver/iplan2p4/iplpixmap.c xc/programs/Xserver/iplan2p4/iplpixmap.c
+--- xc.before099z/programs/Xserver/iplan2p4/iplpixmap.c 2005-08-27 23:29:36.000000000 +0200
++++ xc/programs/Xserver/iplan2p4/iplpixmap.c 2005-08-28 00:29:07.000000000 +0200
+@@ -74,12 +74,14 @@
+ int depth;
+ {
+ PixmapPtr pPixmap;
+- int datasize;
+- int paddedWidth;
++ size_t datasize;
++ size_t paddedWidth;
+ int ipad=INTER_PLANES*2 - 1;
+
+ paddedWidth = PixmapBytePad(width, depth);
+ paddedWidth = (paddedWidth + ipad) & ~ipad;
++ if (paddedWidth > 32767 || height > 32767)
++ return NullPixmap;
+ datasize = height * paddedWidth;
+ pPixmap = AllocatePixmap(pScreen, datasize);
+ if (!pPixmap)
+diff -Nru xc.before099z/programs/Xserver/mfb/mfbpixmap.c xc/programs/Xserver/mfb/mfbpixmap.c
+--- xc.before099z/programs/Xserver/mfb/mfbpixmap.c 2005-08-27 23:29:36.000000000 +0200
++++ xc/programs/Xserver/mfb/mfbpixmap.c 2005-08-27 23:57:27.000000000 +0200
+@@ -72,11 +72,13 @@
+ int depth;
+ {
+ PixmapPtr pPixmap;
+- int datasize;
+- int paddedWidth;
++ size_t datasize;
++ size_t paddedWidth;
+
+ if (depth != 1)
+ return NullPixmap;
++ if (width > 32767 || height > 32767)
++ return NullPixmap;
+ paddedWidth = BitmapBytePad(width);
+ datasize = height * paddedWidth;
+ pPixmap = AllocatePixmap(pScreen, datasize);
-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
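Review bot: In the xaaInit.c hunk the new guard is placed after `int size = w * h;`, so the product of the still-unchecked dimensions is evaluated before the early return; for `int` operands an overflowing multiplication is undefined behaviour even when the result is discarded, so the guard should precede the initializer, e.g. declare `int size;` with the other locals and assign `size = w * h;` only after `if (w > 32767 || h > 32767) return NullPixmap;`. A second point applies to every per-driver hunk (afb, cfb, fb, ilbm, ipl, mfb, ppc): the test `height > 32767` is written against an `int` (fbCreatePixmapBpp's signature shows `int height`; the K&R prototypes presumably match), so a negative height passes it and, once `paddedWidth` is `size_t`, `datasize = height * paddedWidth;` converts the negative value to a huge unsigned size; request-sourced dimensions are unsigned 16-bit and cannot be negative, so this presumably only concerns in-server callers, but `height <= 0 || height > 32767` (and likewise for `width` where it is tested directly) would close it cheaply. The dispatch.c rejection with BadAlloc is the right layer for the client-facing limit and is consistent with the comment it adds. Each hunk's enclosing function begins before the hunk, so the declaration lists are only partially visible.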