6526192 [X.Org Bug #10001] *Xorg* XC-MISC Extension ProcXCMiscGetXIDList Memory Corruption Vulnerability
--- a/open-src/xserver/xorg/Makefile Wed Mar 21 16:50:07 2007 -0700
+++ b/open-src/xserver/xorg/Makefile Wed Mar 21 16:58:54 2007 -0700
@@ -30,7 +30,7 @@
# or other dealings in this Software without prior written authorization
# of the copyright holder.
#
-# @(#)Makefile 1.36 07/03/19
+# @(#)Makefile 1.37 07/03/21
#
PWD:sh=pwd
@@ -61,6 +61,7 @@
dtrace.patch \
client-privates-leak.patch,-p1 \
ddc.patch,-p1 \
+ xcmisc-security.patch \
ast-driver.patch \
sun-paths.patch \
sun-extramodes.patch \
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/open-src/xserver/xorg/xcmisc-security.patch Wed Mar 21 16:58:54 2007 -0700
@@ -0,0 +1,41 @@
+Index: Xext/xcmisc.c
+===================================================================
+RCS file: /cvs/xenocara/xserver/Xext/xcmisc.c,v
+retrieving revision 1.1.1.1
+diff -u -r1.1.1.1 xcmisc.c
+--- Xext/xcmisc.c 26 Nov 2006 18:14:51 -0000 1.1.1.1
++++ Xext/xcmisc.c 16 Feb 2007 21:59:51 -0000
+@@ -42,6 +42,12 @@
+ #include <X11/extensions/xcmiscstr.h>
+ #include "modinit.h"
+
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ #if 0
+ static unsigned char XCMiscCode;
+ #endif
+@@ -143,7 +149,10 @@
+
+ REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
+
+- pids = (XID *)ALLOCATE_LOCAL(stuff->count * sizeof(XID));
++ if (stuff->count > UINT32_MAX / sizeof(XID))
++ return BadAlloc;
++
++ pids = (XID *)Xalloc(stuff->count * sizeof(XID));
+ if (!pids)
+ {
+ return BadAlloc;
+@@ -164,7 +173,7 @@
+ client->pSwapReplyFunc = (ReplySwapPtr) Swap32Write;
+ WriteSwappedDataToClient(client, count * sizeof(XID), pids);
+ }
+- DEALLOCATE_LOCAL(pids);
++ Xfree(pids);
+ return(client->noClientException);
+ }
+
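Review bot: The new guard before `Xalloc` in the second inner hunk stops `stuff->count * sizeof(XID)` from wrapping, but `stuff->count` still comes straight from the client request, so a single request can ask the server for a heap allocation of up to about 4 GiB. If the number of IDs the server can actually hand back is bounded by something smaller, checking against that bound would limit memory pressure from one client; that logic lies outside the hunk, so this needs confirming against the full function. Because the buffer moved from `ALLOCATE_LOCAL` to the heap, any return between the allocation and `Xfree(pids)` would now leak, and the lines between the two inner hunks are not shown here. I would also add a comment above the check, such as `/* count is client-controlled; reject sizes that would overflow the allocation */`.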