added xorg-server-1.3.0.0-r5.ebuild

Signed-off-by: Zhang Le <robert.zhangle@gmail.com>
author: Zhang Le <robert.zhangle@gmail.com> 2008-02-18 17:32:30 +0800
committer: Zhang Le <robert.zhangle@gmail.com> 2008-02-18 17:32:30 +0800
commit: da89d3e3526bb72ded0cf7f2e5fcc30d8a18c77e (patch)
tree: f9f024d21c37cca098ddcca7a9e062208dd3a2ee /x11-base/xorg-server/files/1.3-0003-Fix-for-CVE-2007-6427-Xinput-extension-memory-corr.patch
parent: re-generate binutils' manifest (diff)
download: loongson-da89d3e3526bb72ded0cf7f2e5fcc30d8a18c77e.tar.gz
loongson-da89d3e3526bb72ded0cf7f2e5fcc30d8a18c77e.tar.bz2
loongson-da89d3e3526bb72ded0cf7f2e5fcc30d8a18c77e.zip
1 files changed, 244 insertions, 0 deletions
diff --git a/x11-base/xorg-server/files/1.3-0003-Fix-for-CVE-2007-6427-Xinput-extension-memory-corr.patch b/x11-base/xorg-server/files/1.3-0003-Fix-for-CVE-2007-6427-Xinput-extension-memory-corr.patch
new file mode 100644
index 0000000..18075a6
--- /dev/null
+++ b/x11-base/xorg-server/files/1.3-0003-Fix-for-CVE-2007-6427-Xinput-extension-memory-corr.patch
@@ -0,0 +1,244 @@
+Index: xorg-server-1.3.0.0/Xi/chgfctl.c
+===================================================================
+--- xorg-server-1.3.0.0.orig/Xi/chgfctl.c
++++ xorg-server-1.3.0.0/Xi/chgfctl.c
+@@ -451,18 +451,13 @@ ChangeStringFeedback(ClientPtr client, D
+ 		     xStringFeedbackCtl * f)
+ {
+     register char n;
+-    register long *p;
+     int i, j;
+     KeySym *syms, *sup_syms;
+ 
+     syms = (KeySym *) (f + 1);
+     if (client->swapped) {
+ 	swaps(&f->length, n);	/* swapped num_keysyms in calling proc */
+-	p = (long *)(syms);
+-	for (i = 0; i < f->num_keysyms; i++) {
+-	    swapl(p, n);
+-	    p++;
+-	}
++	SwapLongs((CARD32 *) syms, f->num_keysyms);
+     }
+ 
+     if (f->num_keysyms > s->ctrl.max_symbols) {
+Index: xorg-server-1.3.0.0/Xi/chgkmap.c
+===================================================================
+--- xorg-server-1.3.0.0.orig/Xi/chgkmap.c
++++ xorg-server-1.3.0.0/Xi/chgkmap.c
+@@ -79,18 +79,14 @@ int
+ SProcXChangeDeviceKeyMapping(register ClientPtr client)
+ {
+     register char n;
+-    register long *p;
+-    register int i, count;
++    register unsigned int count;
+ 
+     REQUEST(xChangeDeviceKeyMappingReq);
+     swaps(&stuff->length, n);
+     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
+-    p = (long *)&stuff[1];
+     count = stuff->keyCodes * stuff->keySymsPerKeyCode;
+-    for (i = 0; i < count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++    REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
++    SwapLongs((CARD32 *) (&stuff[1]), count);
+     return (ProcXChangeDeviceKeyMapping(client));
+ }
+ 
+@@ -106,10 +102,14 @@ ProcXChangeDeviceKeyMapping(register Cli
+     int ret;
+     unsigned len;
+     DeviceIntPtr dev;
++    unsigned int count;
+ 
+     REQUEST(xChangeDeviceKeyMappingReq);
+     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
+ 
++    count = stuff->keyCodes * stuff->keySymsPerKeyCode;
++    REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
++
+     dev = LookupDeviceIntRec(stuff->deviceid);
+     if (dev == NULL) {
+ 	SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0,
+Index: xorg-server-1.3.0.0/Xi/chgprop.c
+===================================================================
+--- xorg-server-1.3.0.0.orig/Xi/chgprop.c
++++ xorg-server-1.3.0.0/Xi/chgprop.c
+@@ -81,19 +81,15 @@ int
+ SProcXChangeDeviceDontPropagateList(register ClientPtr client)
+ {
+     register char n;
+-    register long *p;
+-    register int i;
+ 
+     REQUEST(xChangeDeviceDontPropagateListReq);
+     swaps(&stuff->length, n);
+     REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
+     swapl(&stuff->window, n);
+     swaps(&stuff->count, n);
+-    p = (long *)&stuff[1];
+-    for (i = 0; i < stuff->count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++    REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
++                      stuff->count * sizeof(CARD32));
++    SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
+     return (ProcXChangeDeviceDontPropagateList(client));
+ }
+ 
+Index: xorg-server-1.3.0.0/Xi/grabdev.c
+===================================================================
+--- xorg-server-1.3.0.0.orig/Xi/grabdev.c
++++ xorg-server-1.3.0.0/Xi/grabdev.c
+@@ -82,8 +82,6 @@ int
+ SProcXGrabDevice(register ClientPtr client)
+ {
+     register char n;
+-    register long *p;
+-    register int i;
+ 
+     REQUEST(xGrabDeviceReq);
+     swaps(&stuff->length, n);
+@@ -91,11 +89,11 @@ SProcXGrabDevice(register ClientPtr clie
+     swapl(&stuff->grabWindow, n);
+     swapl(&stuff->time, n);
+     swaps(&stuff->event_count, n);
+-    p = (long *)&stuff[1];
+-    for (i = 0; i < stuff->event_count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++
++    if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
++       return BadLength;
++    
++    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
+ 
+     return (ProcXGrabDevice(client));
+ }
+Index: xorg-server-1.3.0.0/Xi/grabdevb.c
+===================================================================
+--- xorg-server-1.3.0.0.orig/Xi/grabdevb.c
++++ xorg-server-1.3.0.0/Xi/grabdevb.c
+@@ -80,8 +80,6 @@ int
+ SProcXGrabDeviceButton(register ClientPtr client)
+ {
+     register char n;
+-    register long *p;
+-    register int i;
+ 
+     REQUEST(xGrabDeviceButtonReq);
+     swaps(&stuff->length, n);
+@@ -89,11 +87,9 @@ SProcXGrabDeviceButton(register ClientPt
+     swapl(&stuff->grabWindow, n);
+     swaps(&stuff->modifiers, n);
+     swaps(&stuff->event_count, n);
+-    p = (long *)&stuff[1];
+-    for (i = 0; i < stuff->event_count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++    REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
++                      stuff->event_count * sizeof(CARD32));
++    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
+ 
+     return (ProcXGrabDeviceButton(client));
+ }
+Index: xorg-server-1.3.0.0/Xi/grabdevk.c
+===================================================================
+--- xorg-server-1.3.0.0.orig/Xi/grabdevk.c
++++ xorg-server-1.3.0.0/Xi/grabdevk.c
+@@ -80,8 +80,6 @@ int
+ SProcXGrabDeviceKey(register ClientPtr client)
+ {
+     register char n;
+-    register long *p;
+-    register int i;
+ 
+     REQUEST(xGrabDeviceKeyReq);
+     swaps(&stuff->length, n);
+@@ -89,11 +87,8 @@ SProcXGrabDeviceKey(register ClientPtr c
+     swapl(&stuff->grabWindow, n);
+     swaps(&stuff->modifiers, n);
+     swaps(&stuff->event_count, n);
+-    p = (long *)&stuff[1];
+-    for (i = 0; i < stuff->event_count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++    REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
++    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
+     return (ProcXGrabDeviceKey(client));
+ }
+ 
+Index: xorg-server-1.3.0.0/Xi/selectev.c
+===================================================================
+--- xorg-server-1.3.0.0.orig/Xi/selectev.c
++++ xorg-server-1.3.0.0/Xi/selectev.c
+@@ -84,19 +84,16 @@ int
+ SProcXSelectExtensionEvent(register ClientPtr client)
+ {
+     register char n;
+-    register long *p;
+-    register int i;
+ 
+     REQUEST(xSelectExtensionEventReq);
+     swaps(&stuff->length, n);
+     REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
+     swapl(&stuff->window, n);
+     swaps(&stuff->count, n);
+-    p = (long *)&stuff[1];
+-    for (i = 0; i < stuff->count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++    REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
++                      stuff->count * sizeof(CARD32));
++    SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
++
+     return (ProcXSelectExtensionEvent(client));
+ }
+ 
+Index: xorg-server-1.3.0.0/Xi/sendexev.c
+===================================================================
+--- xorg-server-1.3.0.0.orig/Xi/sendexev.c
++++ xorg-server-1.3.0.0/Xi/sendexev.c
+@@ -83,7 +83,7 @@ int
+ SProcXSendExtensionEvent(register ClientPtr client)
+ {
+     register char n;
+-    register long *p;
++    register CARD32 *p;
+     register int i;
+     xEvent eventT;
+     xEvent *eventP;
+@@ -94,6 +94,11 @@ SProcXSendExtensionEvent(register Client
+     REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
+     swapl(&stuff->destination, n);
+     swaps(&stuff->count, n);
++
++    if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
++       (stuff->num_events * (sizeof(xEvent) >> 2)))
++       return BadLength;
++
+     eventP = (xEvent *) & stuff[1];
+     for (i = 0; i < stuff->num_events; i++, eventP++) {
+ 	proc = EventSwapVector[eventP->u.u.type & 0177];
+@@ -103,11 +108,8 @@ SProcXSendExtensionEvent(register Client
+ 	*eventP = eventT;
+     }
+ 
+-    p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
+-    for (i = 0; i < stuff->count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++    p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
++    SwapLongs(p, stuff->count);
+     return (ProcXSendExtensionEvent(client));
+ }
+
author	Zhang Le <robert.zhangle@gmail.com>	2008-02-18 17:32:30 +0800
committer	Zhang Le <robert.zhangle@gmail.com>	2008-02-18 17:32:30 +0800
commit	da89d3e3526bb72ded0cf7f2e5fcc30d8a18c77e (patch)
tree	f9f024d21c37cca098ddcca7a9e062208dd3a2ee /x11-base/xorg-server/files/1.3-0003-Fix-for-CVE-2007-6427-Xinput-extension-memory-corr.patch
parent	re-generate binutils' manifest (diff)
download	loongson-da89d3e3526bb72ded0cf7f2e5fcc30d8a18c77e.tar.gz loongson-da89d3e3526bb72ded0cf7f2e5fcc30d8a18c77e.tar.bz2 loongson-da89d3e3526bb72ded0cf7f2e5fcc30d8a18c77e.zip