Submitted By: Dan Nicholson <dnicholson at linuxfromscratch dot org>
Date: 2007-01-23
Initial Package Version: 1.1.0
Origin: http://xorg.freedesktop.org/releases/X11R7.1/patches/ and
Upstream Status: Applied
Description: Fixes a security vulnerability in the X server.
    See the following advisory:
    http://lists.freedesktop.org/archives/xorg/2007-January/021054.html

diff -pNur xorg-server-1.1.1.orig/dbe/dbe.c xorg-server-1.1.1/dbe/dbe.c
--- xorg-server-1.1.1.orig/dbe/dbe.c	2006-07-05 11:31:36.000000000 -0700
+++ xorg-server-1.1.1/dbe/dbe.c	2007-01-18 21:46:13.000000000 -0800
@@ -42,6 +42,11 @@
 #endif
 
 #include <string.h>
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
 
 #include <X11/X.h>
 #include <X11/Xproto.h>
@@ -716,11 +721,14 @@ ProcDbeSwapBuffers(ClientPtr client)
         return(Success);
     }
 
+    if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
+	    return BadAlloc;
+
     /* Get to the swap info appended to the end of the request. */
     dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
 
     /* Allocate array to record swap information. */ 
-    swapInfo = (DbeSwapInfoPtr)ALLOCATE_LOCAL(nStuff * sizeof(DbeSwapInfoRec));
+    swapInfo = (DbeSwapInfoPtr)Xalloc(nStuff * sizeof(DbeSwapInfoRec));
     if (swapInfo == NULL)
     {
         return(BadAlloc);
@@ -735,14 +743,14 @@ ProcDbeSwapBuffers(ClientPtr client)
         if (!(pWin = SecurityLookupWindow(dbeSwapInfo[i].window, client,
 					  SecurityWriteAccess)))
         {
-            DEALLOCATE_LOCAL(swapInfo);
+            Xfree(swapInfo);
 	    return(BadWindow);
         }
 
         /* Each window must be double-buffered - BadMatch. */
         if (DBE_WINDOW_PRIV(pWin) == NULL)
         {
-            DEALLOCATE_LOCAL(swapInfo);
+            Xfree(swapInfo);
             return(BadMatch);
         }
 
@@ -751,7 +759,7 @@ ProcDbeSwapBuffers(ClientPtr client)
         {
             if (dbeSwapInfo[i].window == dbeSwapInfo[j].window)
             {
-                DEALLOCATE_LOCAL(swapInfo);
+                Xfree(swapInfo);
                 return(BadMatch);
 	    }
         }
@@ -762,7 +770,7 @@ ProcDbeSwapBuffers(ClientPtr client)
             (dbeSwapInfo[i].swapAction != XdbeUntouched ) &&
             (dbeSwapInfo[i].swapAction != XdbeCopied    ))
         {
-            DEALLOCATE_LOCAL(swapInfo);
+            Xfree(swapInfo);
             return(BadValue);
         }
 
@@ -792,12 +800,12 @@ ProcDbeSwapBuffers(ClientPtr client)
         error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo);
         if (error != Success)
         {
-            DEALLOCATE_LOCAL(swapInfo);
+            Xfree(swapInfo);
             return(error);
         }
     }
     
-    DEALLOCATE_LOCAL(swapInfo);
+    Xfree(swapInfo);
     return(Success);
 
 } /* ProcDbeSwapBuffers() */
@@ -879,10 +887,12 @@ ProcDbeGetVisualInfo(ClientPtr client)
 
     REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
 
+    if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
+	    return BadAlloc;
     /* Make sure any specified drawables are valid. */
     if (stuff->n != 0)
     {
-        if (!(pDrawables = (DrawablePtr *)ALLOCATE_LOCAL(stuff->n *
+        if (!(pDrawables = (DrawablePtr *)Xalloc(stuff->n *
                                                  sizeof(DrawablePtr))))
         {
             return(BadAlloc);
@@ -895,7 +905,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
             if (!(pDrawables[i] = (DrawablePtr)SecurityLookupDrawable(
 				drawables[i], client, SecurityReadAccess)))
             {
-                DEALLOCATE_LOCAL(pDrawables);
+                Xfree(pDrawables);
                 return(BadDrawable);
             }
         }
@@ -907,7 +917,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
     {
         if (pDrawables)
         {
-            DEALLOCATE_LOCAL(pDrawables);
+            Xfree(pDrawables);
         }
 
         return(BadAlloc);
@@ -934,7 +944,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
             /* Free pDrawables if we needed to allocate it above. */
             if (pDrawables)
             {
-                DEALLOCATE_LOCAL(pDrawables);
+                Xfree(pDrawables);
             }
 
             return(BadAlloc);
@@ -1015,7 +1025,7 @@ ProcDbeGetVisualInfo(ClientPtr client)
 
     if (pDrawables)
     {
-        DEALLOCATE_LOCAL(pDrawables);
+        Xfree(pDrawables);
     }
 
     return(client->noClientException);
diff -pNur xorg-server-1.1.1.orig/render/render.c xorg-server-1.1.1/render/render.c
--- xorg-server-1.1.1.orig/render/render.c	2006-07-05 11:31:44.000000000 -0700
+++ xorg-server-1.1.1/render/render.c	2007-01-18 21:46:13.000000000 -0800
@@ -49,6 +49,12 @@
 #include <X11/Xfuncproto.h>
 #include "cursorstr.h"
 
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
 static int ProcRenderQueryVersion (ClientPtr pClient);
 static int ProcRenderQueryPictFormats (ClientPtr pClient);
 static int ProcRenderQueryPictIndexValues (ClientPtr pClient);
@@ -1105,11 +1111,14 @@ ProcRenderAddGlyphs (ClientPtr client)
     }
 
     nglyphs = stuff->nglyphs;
+    if (nglyphs > UINT32_MAX / sizeof(GlyphNewRec))
+	    return BadAlloc;
+
     if (nglyphs <= NLOCALGLYPH)
 	glyphsBase = glyphsLocal;
     else
     {
-	glyphsBase = (GlyphNewPtr) ALLOCATE_LOCAL (nglyphs * sizeof (GlyphNewRec));
+	glyphsBase = (GlyphNewPtr) Xalloc (nglyphs * sizeof (GlyphNewRec));
 	if (!glyphsBase)
 	    return BadAlloc;
     }
@@ -1166,7 +1175,7 @@ ProcRenderAddGlyphs (ClientPtr client)
     }
 
     if (glyphsBase != glyphsLocal)
-	DEALLOCATE_LOCAL (glyphsBase);
+	Xfree (glyphsBase);
     return client->noClientException;
 bail:
     while (glyphs != glyphsBase)
@@ -1175,7 +1184,7 @@ bail:
 	xfree (glyphs->glyph);
     }
     if (glyphsBase != glyphsLocal)
-	DEALLOCATE_LOCAL (glyphsBase);
+	Xfree (glyphsBase);
     return err;
 }