Mercurial Mercurial > upstream > oracle > x-cons > x-s12-clone / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
6635721 *Xorg* [X.Org Bug 13522] XInput Extension Memory Corruption Vulnerability
authorAlan Coopersmith <Alan.Coopersmith@Sun.COM>
Wed, 19 Dec 2007 18:57:21 -0800
changeset 273 e621d7bdaa53
parent 272 d068fb17319b
child 274 c43a1d4ce6e9
6635721 *Xorg* [X.Org Bug 13522] XInput Extension Memory Corruption Vulnerability
open-src/xserver/xorg/6635721.patch file | annotate | diff | comparison | revisions
open-src/xserver/xorg/patch-list file | annotate | diff | comparison | revisions 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/open-src/xserver/xorg/6635721.patch	Wed Dec 19 18:57:21 2007 -0800
@@ -0,0 +1,231 @@
+--- Xi/chgfctl.c-old	Mon Dec 17 07:58:38 2007
++++ Xi/chgfctl.c	Mon Dec 17 08:00:15 2007
+@@ -451,7 +451,6 @@
+ 		     xStringFeedbackCtl * f)
+ {
+     register char n;
+-    register long *p;
+     int i, j;
+     KeySym *syms, *sup_syms;
+ 
+@@ -458,11 +457,7 @@
+     syms = (KeySym *) (f + 1);
+     if (client->swapped) {
+ 	swaps(&f->length, n);	/* swapped num_keysyms in calling proc */
+-	p = (long *)(syms);
+-	for (i = 0; i < f->num_keysyms; i++) {
+-	    swapl(p, n);
+-	    p++;
+-	}
++	SwapLongs((CARD32 *) syms, f->num_keysyms);
+     }
+ 
+     if (f->num_keysyms > s->ctrl.max_symbols) {
+--- Xi/chgkmap.c-old	Sun Dec 16 23:44:47 2007
++++ Xi/chgkmap.c	Mon Dec 17 01:54:07 2007
+@@ -79,18 +79,14 @@
+ SProcXChangeDeviceKeyMapping(register ClientPtr client)
+ {
+     register char n;
+-    register long *p;
+-    register int i, count;
++    register unsigned int count;
+ 
+     REQUEST(xChangeDeviceKeyMappingReq);
+     swaps(&stuff->length, n);
+     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
+-    p = (long *)&stuff[1];
+     count = stuff->keyCodes * stuff->keySymsPerKeyCode;
+-    for (i = 0; i < count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++    REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
++    SwapLongs((CARD32 *) (&stuff[1]), count);
+     return (ProcXChangeDeviceKeyMapping(client));
+ }
+ 
+@@ -106,10 +102,14 @@
+     int ret;
+     unsigned len;
+     DeviceIntPtr dev;
++    unsigned int count;
+ 
+     REQUEST(xChangeDeviceKeyMappingReq);
+     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
+ 
++    count = stuff->keyCodes * stuff->keySymsPerKeyCode;
++    REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
++
+     dev = LookupDeviceIntRec(stuff->deviceid);
+     if (dev == NULL) {
+ 	SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0,
+--- Xi/chgprop.c-old	Sun Dec 16 23:44:54 2007
++++ Xi/chgprop.c	Mon Dec 17 01:54:16 2007
+@@ -81,8 +81,6 @@
+ SProcXChangeDeviceDontPropagateList(register ClientPtr client)
+ {
+     register char n;
+-    register long *p;
+-    register int i;
+ 
+     REQUEST(xChangeDeviceDontPropagateListReq);
+     swaps(&stuff->length, n);
+@@ -89,11 +87,9 @@
+     REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
+     swapl(&stuff->window, n);
+     swaps(&stuff->count, n);
+-    p = (long *)&stuff[1];
+-    for (i = 0; i < stuff->count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++    REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
++			stuff->count * sizeof(CARD32));
++    SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
+     return (ProcXChangeDeviceDontPropagateList(client));
+ }
+ 
+--- Xi/grabdev.c-old	Sun Dec 16 23:45:04 2007
++++ Xi/grabdev.c	Mon Dec 17 01:54:30 2007
+@@ -82,8 +82,6 @@
+ SProcXGrabDevice(register ClientPtr client)
+ {
+     register char n;
+-    register long *p;
+-    register int i;
+ 
+     REQUEST(xGrabDeviceReq);
+     swaps(&stuff->length, n);
+@@ -91,12 +89,11 @@
+     swapl(&stuff->grabWindow, n);
+     swapl(&stuff->time, n);
+     swaps(&stuff->event_count, n);
+-    p = (long *)&stuff[1];
+-    for (i = 0; i < stuff->event_count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
+ 
++    if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
++	return BadLength;
++
++    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
+     return (ProcXGrabDevice(client));
+ }
+ 
+--- Xi/grabdevb.c-old	Sun Dec 16 23:45:11 2007
++++ Xi/grabdevb.c	Mon Dec 17 01:54:42 2007
+@@ -80,8 +80,6 @@
+ SProcXGrabDeviceButton(register ClientPtr client)
+ {
+     register char n;
+-    register long *p;
+-    register int i;
+ 
+     REQUEST(xGrabDeviceButtonReq);
+     swaps(&stuff->length, n);
+@@ -89,12 +87,10 @@
+     swapl(&stuff->grabWindow, n);
+     swaps(&stuff->modifiers, n);
+     swaps(&stuff->event_count, n);
+-    p = (long *)&stuff[1];
+-    for (i = 0; i < stuff->event_count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
+ 
++    REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
++			stuff->event_count * sizeof(CARD32));
++    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
+     return (ProcXGrabDeviceButton(client));
+ }
+ 
+--- Xi/grabdevk.c-old	Sun Dec 16 23:45:18 2007
++++ Xi/grabdevk.c	Mon Dec 17 01:54:53 2007
+@@ -80,8 +80,6 @@
+ SProcXGrabDeviceKey(register ClientPtr client)
+ {
+     register char n;
+-    register long *p;
+-    register int i;
+ 
+     REQUEST(xGrabDeviceKeyReq);
+     swaps(&stuff->length, n);
+@@ -89,11 +87,8 @@
+     swapl(&stuff->grabWindow, n);
+     swaps(&stuff->modifiers, n);
+     swaps(&stuff->event_count, n);
+-    p = (long *)&stuff[1];
+-    for (i = 0; i < stuff->event_count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++    REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
++    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
+     return (ProcXGrabDeviceKey(client));
+ }
+ 
+--- Xi/selectev.c-old	Sun Dec 16 23:45:24 2007
++++ Xi/selectev.c	Mon Dec 17 01:55:06 2007
+@@ -84,8 +84,6 @@
+ SProcXSelectExtensionEvent(register ClientPtr client)
+ {
+     register char n;
+-    register long *p;
+-    register int i;
+ 
+     REQUEST(xSelectExtensionEventReq);
+     swaps(&stuff->length, n);
+@@ -92,11 +90,9 @@
+     REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
+     swapl(&stuff->window, n);
+     swaps(&stuff->count, n);
+-    p = (long *)&stuff[1];
+-    for (i = 0; i < stuff->count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++    REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
++			stuff->count * sizeof(CARD32));
++    SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
+     return (ProcXSelectExtensionEvent(client));
+ }
+ 
+--- Xi/sendexev.c-old	Sun Dec 16 23:45:31 2007
++++ Xi/sendexev.c	Mon Dec 17 01:55:15 2007
+@@ -83,7 +83,7 @@
+ SProcXSendExtensionEvent(register ClientPtr client)
+ {
+     register char n;
+-    register long *p;
++    register CARD32 *p;
+     register int i;
+     xEvent eventT;
+     xEvent *eventP;
+@@ -94,6 +94,11 @@
+     REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
+     swapl(&stuff->destination, n);
+     swaps(&stuff->count, n);
++
++    if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
++	(stuff->num_events * (sizeof(xEvent) >> 2)))
++	return BadLength;
++
+     eventP = (xEvent *) & stuff[1];
+     for (i = 0; i < stuff->num_events; i++, eventP++) {
+ 	proc = EventSwapVector[eventP->u.u.type & 0177];
+@@ -103,11 +108,8 @@
+ 	*eventP = eventT;
+     }
+ 
+-    p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
+-    for (i = 0; i < stuff->count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++    p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
++    SwapLongs(p, stuff->count);
+     return (ProcXSendExtensionEvent(client));
+ }
+ 
--- a/open-src/xserver/xorg/patch-list	Tue Dec 18 17:27:36 2007 -0800
+++ b/open-src/xserver/xorg/patch-list	Wed Dec 19 18:57:21 2007 -0800
@@ -51,3 +51,4 @@
 6635727.patch,-p1
 6636174.patch,-p1
 6635740.patch,-p1
+6635721.patch
upstream/oracle/x-cons/x-s12-clone