Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/x11-base/xorg-server/files/1.4-0003-Fix-for-CVE-2007-6427-Xinput-extension-memory-corr.patch
diff options
context:
space:
mode:
Diffstat (limited to 'x11-base/xorg-server/files/1.4-0003-Fix-for-CVE-2007-6427-Xinput-extension-memory-corr.patch')
-rw-r--r--x11-base/xorg-server/files/1.4-0003-Fix-for-CVE-2007-6427-Xinput-extension-memory-corr.patch262
1 files changed, 0 insertions, 262 deletions
diff --git a/x11-base/xorg-server/files/1.4-0003-Fix-for-CVE-2007-6427-Xinput-extension-memory-corr.patch b/x11-base/xorg-server/files/1.4-0003-Fix-for-CVE-2007-6427-Xinput-extension-memory-corr.patch
deleted file mode 100644
index ffbf8ac..0000000
--- a/x11-base/xorg-server/files/1.4-0003-Fix-for-CVE-2007-6427-Xinput-extension-memory-corr.patch
+++ /dev/null
@@ -1,262 +0,0 @@
-From d244c8272e0ac47c41a9416e37293903b842a78b Mon Sep 17 00:00:00 2001
-From: Matthieu Herrb <matthieu@bluenote.herrb.com>
-Date: Thu, 17 Jan 2008 15:27:34 +0100
-Subject: [PATCH] Fix for CVE-2007-6427 - Xinput extension memory corruption.
-
----
- Xi/chgfctl.c | 7 +------
- Xi/chgkmap.c | 13 ++++++-------
- Xi/chgprop.c | 10 +++-------
- Xi/grabdev.c | 12 +++++-------
- Xi/grabdevb.c | 10 +++-------
- Xi/grabdevk.c | 9 ++-------
- Xi/selectev.c | 11 ++++-------
- Xi/sendexev.c | 14 ++++++++------
- 8 files changed, 32 insertions(+), 54 deletions(-)
-
-diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
-index 2e0e13c..235d659 100644
---- a/Xi/chgfctl.c
-+++ b/Xi/chgfctl.c
-@@ -327,18 +327,13 @@ ChangeStringFeedback(ClientPtr client, DeviceIntPtr dev,
- xStringFeedbackCtl * f)
- {
- char n;
-- long *p;
- int i, j;
- KeySym *syms, *sup_syms;
-
- syms = (KeySym *) (f + 1);
- if (client->swapped) {
- swaps(&f->length, n); /* swapped num_keysyms in calling proc */
-- p = (long *)(syms);
-- for (i = 0; i < f->num_keysyms; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ SwapLongs((CARD32 *) syms, f->num_keysyms);
- }
-
- if (f->num_keysyms > s->ctrl.max_symbols) {
-diff --git a/Xi/chgkmap.c b/Xi/chgkmap.c
-index eac520f..f8f85bc 100644
---- a/Xi/chgkmap.c
-+++ b/Xi/chgkmap.c
-@@ -79,18 +79,14 @@ int
- SProcXChangeDeviceKeyMapping(ClientPtr client)
- {
- char n;
-- long *p;
-- int i, count;
-+ unsigned int count;
-
- REQUEST(xChangeDeviceKeyMappingReq);
- swaps(&stuff->length, n);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
-- p = (long *)&stuff[1];
- count = stuff->keyCodes * stuff->keySymsPerKeyCode;
-- for (i = 0; i < count; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
-+ SwapLongs((CARD32 *) (&stuff[1]), count);
- return (ProcXChangeDeviceKeyMapping(client));
- }
-
-@@ -106,10 +102,13 @@ ProcXChangeDeviceKeyMapping(ClientPtr client)
- int ret;
- unsigned len;
- DeviceIntPtr dev;
-+ unsigned int count;
-
- REQUEST(xChangeDeviceKeyMappingReq);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
-
-+ count = stuff->keyCodes * stuff->keySymsPerKeyCode;
-+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
- dev = LookupDeviceIntRec(stuff->deviceid);
- if (dev == NULL) {
- SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0,
-diff --git a/Xi/chgprop.c b/Xi/chgprop.c
-index 59a93c6..21bda5b 100644
---- a/Xi/chgprop.c
-+++ b/Xi/chgprop.c
-@@ -81,19 +81,15 @@ int
- SProcXChangeDeviceDontPropagateList(ClientPtr client)
- {
- char n;
-- long *p;
-- int i;
-
- REQUEST(xChangeDeviceDontPropagateListReq);
- swaps(&stuff->length, n);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
- swapl(&stuff->window, n);
- swaps(&stuff->count, n);
-- p = (long *)&stuff[1];
-- for (i = 0; i < stuff->count; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
-+ stuff->count * sizeof(CARD32));
-+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
- return (ProcXChangeDeviceDontPropagateList(client));
- }
-
-diff --git a/Xi/grabdev.c b/Xi/grabdev.c
-index e2809ef..d0b4ae7 100644
---- a/Xi/grabdev.c
-+++ b/Xi/grabdev.c
-@@ -82,8 +82,6 @@ int
- SProcXGrabDevice(ClientPtr client)
- {
- char n;
-- long *p;
-- int i;
-
- REQUEST(xGrabDeviceReq);
- swaps(&stuff->length, n);
-@@ -91,11 +89,11 @@ SProcXGrabDevice(ClientPtr client)
- swapl(&stuff->grabWindow, n);
- swapl(&stuff->time, n);
- swaps(&stuff->event_count, n);
-- p = (long *)&stuff[1];
-- for (i = 0; i < stuff->event_count; i++) {
-- swapl(p, n);
-- p++;
-- }
-+
-+ if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
-+ return BadLength;
-+
-+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
-
- return (ProcXGrabDevice(client));
- }
-diff --git a/Xi/grabdevb.c b/Xi/grabdevb.c
-index df62d0c..18db1f7 100644
---- a/Xi/grabdevb.c
-+++ b/Xi/grabdevb.c
-@@ -80,8 +80,6 @@ int
- SProcXGrabDeviceButton(ClientPtr client)
- {
- char n;
-- long *p;
-- int i;
-
- REQUEST(xGrabDeviceButtonReq);
- swaps(&stuff->length, n);
-@@ -89,11 +87,9 @@ SProcXGrabDeviceButton(ClientPtr client)
- swapl(&stuff->grabWindow, n);
- swaps(&stuff->modifiers, n);
- swaps(&stuff->event_count, n);
-- p = (long *)&stuff[1];
-- for (i = 0; i < stuff->event_count; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
-+ stuff->event_count * sizeof(CARD32));
-+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
-
- return (ProcXGrabDeviceButton(client));
- }
-diff --git a/Xi/grabdevk.c b/Xi/grabdevk.c
-index b74592f..429b2f7 100644
---- a/Xi/grabdevk.c
-+++ b/Xi/grabdevk.c
-@@ -80,8 +80,6 @@ int
- SProcXGrabDeviceKey(ClientPtr client)
- {
- char n;
-- long *p;
-- int i;
-
- REQUEST(xGrabDeviceKeyReq);
- swaps(&stuff->length, n);
-@@ -89,11 +87,8 @@ SProcXGrabDeviceKey(ClientPtr client)
- swapl(&stuff->grabWindow, n);
- swaps(&stuff->modifiers, n);
- swaps(&stuff->event_count, n);
-- p = (long *)&stuff[1];
-- for (i = 0; i < stuff->event_count; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
-+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
- return (ProcXGrabDeviceKey(client));
- }
-
-diff --git a/Xi/selectev.c b/Xi/selectev.c
-index d52db1b..19415c5 100644
---- a/Xi/selectev.c
-+++ b/Xi/selectev.c
-@@ -131,19 +131,16 @@ int
- SProcXSelectExtensionEvent(ClientPtr client)
- {
- char n;
-- long *p;
-- int i;
-
- REQUEST(xSelectExtensionEventReq);
- swaps(&stuff->length, n);
- REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
- swapl(&stuff->window, n);
- swaps(&stuff->count, n);
-- p = (long *)&stuff[1];
-- for (i = 0; i < stuff->count; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
-+ stuff->count * sizeof(CARD32));
-+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
-+
- return (ProcXSelectExtensionEvent(client));
- }
-
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index eac9abe..9803cf3 100644
---- a/Xi/sendexev.c
-+++ b/Xi/sendexev.c
-@@ -83,7 +83,7 @@ int
- SProcXSendExtensionEvent(ClientPtr client)
- {
- char n;
-- long *p;
-+ CARD32 *p;
- int i;
- xEvent eventT;
- xEvent *eventP;
-@@ -94,6 +94,11 @@ SProcXSendExtensionEvent(ClientPtr client)
- REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
- swapl(&stuff->destination, n);
- swaps(&stuff->count, n);
-+
-+ if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
-+ (stuff->num_events * (sizeof(xEvent) >> 2)))
-+ return BadLength;
-+
- eventP = (xEvent *) & stuff[1];
- for (i = 0; i < stuff->num_events; i++, eventP++) {
- proc = EventSwapVector[eventP->u.u.type & 0177];
-@@ -103,11 +108,8 @@ SProcXSendExtensionEvent(ClientPtr client)
- *eventP = eventT;
- }
-
-- p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
-- for (i = 0; i < stuff->count; i++) {
-- swapl(p, n);
-- p++;
-- }
-+ p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
-+ SwapLongs(p, stuff->count);
- return (ProcXSendExtensionEvent(client));
- }
-
---
-1.5.3.5
-