[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0004-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch

From d7b2f5c06259c7e6ba037909adec4c2a5a8b15ec Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Wed, 22 Jan 2014 22:37:15 -0800
Subject: [PATCH 04/33] dix: integer overflow in RegionSizeof() [CVE-2014-8092
 3/4]

RegionSizeof contains several integer overflows if a large length
value is passed in.  Once we fix it to return 0 on overflow, we
also have to fix the callers to handle this error condition

v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
---
 dix/region.c        |   20 +++++++++++++-------
 include/regionstr.h |   10 +++++++---
 2 files changed, 20 insertions(+), 10 deletions(-)

--- a/dix/region.c
+++ b/dix/region.c
@@ -169,7 +169,6 @@ Equipment Corporation.
         ((r1)->y1 <= (r2)->y1) && \
         ((r1)->y2 >= (r2)->y2) )
 
-#define xallocData(n) malloc(RegionSizeof(n))
 #define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data)
 
 #define RECTALLOC_BAIL(pReg,n,bail) \
@@ -205,8 +204,9 @@ if (!(pReg)->data || (((pReg)->data->num
 #define DOWNSIZE(reg,numRects)						 \
 if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \
 {									 \
-    RegDataPtr NewData;							 \
-    NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects));	 \
+    size_t NewSize = RegionSizeof(numRects);				 \
+    RegDataPtr NewData =						 \
+        (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ;		 \
     if (NewData)							 \
     {									 \
 	NewData->size = (numRects);					 \
@@ -345,17 +345,20 @@ Bool
 RegionRectAlloc(RegionPtr pRgn, int n)
 {
     RegDataPtr data;
+    size_t rgnSize;
 
     if (!pRgn->data) {
         n++;
-        pRgn->data = xallocData(n);
+        rgnSize = RegionSizeof(n);
+        pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
         if (!pRgn->data)
             return RegionBreak(pRgn);
         pRgn->data->numRects = 1;
         *RegionBoxptr(pRgn) = pRgn->extents;
     }
     else if (!pRgn->data->size) {
-        pRgn->data = xallocData(n);
+        rgnSize = RegionSizeof(n);
+        pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
         if (!pRgn->data)
             return RegionBreak(pRgn);
         pRgn->data->numRects = 0;
@@ -367,7 +370,8 @@ RegionRectAlloc(RegionPtr pRgn, int n)
                 n = 250;
         }
         n += pRgn->data->numRects;
-        data = (RegDataPtr) realloc(pRgn->data, RegionSizeof(n));
+        rgnSize = RegionSizeof(n);
+        data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL;
         if (!data)
             return RegionBreak(pRgn);
         pRgn->data = data;
@@ -1312,6 +1316,7 @@ RegionFromRects(int nrects, xRectangle *
 {
 
     RegionPtr pRgn;
+    size_t rgnSize;
     RegDataPtr pData;
     BoxPtr pBox;
     int i;
@@ -1338,7 +1343,8 @@ RegionFromRects(int nrects, xRectangle *
         }
         return pRgn;
     }
-    pData = xallocData(nrects);
+    rgnSize = RegionSizeof(nrects);
+    pData = (rgnSize > 0) ? malloc(rgnSize) : NULL;
     if (!pData) {
         RegionBreak(pRgn);
         return pRgn;
--- a/include/regionstr.h
+++ b/include/regionstr.h
@@ -127,7 +127,10 @@ RegionEnd(RegionPtr reg)
 static inline size_t
 RegionSizeof(size_t n)
 {
-    return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
+    if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)))
+        return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
+    else
+        return 0;
 }
 
 static inline void
@@ -138,9 +141,10 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect
         (_pReg)->data = (RegDataPtr) NULL;
     }
     else {
+        size_t rgnSize;
         (_pReg)->extents = RegionEmptyBox;
-        if (((_size) > 1) && ((_pReg)->data =
-                              (RegDataPtr) malloc(RegionSizeof(_size)))) {
+        if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) &&
+            (((_pReg)->data = malloc(rgnSize)) != NULL)) {
             (_pReg)->data->size = (_size);
             (_pReg)->data->numRects = 0;
         }
Commit	Line	Data
7217e0ca ML	1	From d7b2f5c06259c7e6ba037909adec4c2a5a8b15ec Mon Sep 17 00:00:00 2001
	2	From: Alan Coopersmith <alan.coopersmith@oracle.com>
	3	Date: Wed, 22 Jan 2014 22:37:15 -0800
	4	Subject: [PATCH 04/33] dix: integer overflow in RegionSizeof() [CVE-2014-8092
	5	3/4]
	6
	7	RegionSizeof contains several integer overflows if a large length
	8	value is passed in. Once we fix it to return 0 on overflow, we
	9	also have to fix the callers to handle this error condition
	10
	11	v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.
	12
	13	Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
	14	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	15	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
	16	Reviewed-by: Julien Cristau <jcristau@debian.org>
	17	---
	18	dix/region.c \| 20 +++++++++++++-------
	19	include/regionstr.h \| 10 +++++++---
	20	2 files changed, 20 insertions(+), 10 deletions(-)
	21
4db25562 JB	22	--- a/dix/region.c
	23	+++ b/dix/region.c
	24	@@ -169,7 +169,6 @@ Equipment Corporation.
7217e0ca ML	25	((r1)->y1 <= (r2)->y1) && \
	26	((r1)->y2 >= (r2)->y2) )
	27
	28	-#define xallocData(n) malloc(RegionSizeof(n))
	29	#define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data)
	30
	31	#define RECTALLOC_BAIL(pReg,n,bail) \
4db25562	32	@@ -205,8 +204,9 @@ if (!(pReg)->data \|\| (((pReg)->data->num
7217e0ca ML	33	#define DOWNSIZE(reg,numRects) \
	34	if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \
	35	{ \
	36	- RegDataPtr NewData; \
	37	- NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects)); \
	38	+ size_t NewSize = RegionSizeof(numRects); \
	39	+ RegDataPtr NewData = \
	40	+ (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ; \
	41	if (NewData) \
	42	{ \
	43	NewData->size = (numRects); \
4db25562	44	@@ -345,17 +345,20 @@ Bool
7217e0ca ML	45	RegionRectAlloc(RegionPtr pRgn, int n)
	46	{
	47	RegDataPtr data;
	48	+ size_t rgnSize;
	49
	50	if (!pRgn->data) {
	51	n++;
	52	- pRgn->data = xallocData(n);
	53	+ rgnSize = RegionSizeof(n);
	54	+ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
	55	if (!pRgn->data)
	56	return RegionBreak(pRgn);
	57	pRgn->data->numRects = 1;
	58	*RegionBoxptr(pRgn) = pRgn->extents;
	59	}
	60	else if (!pRgn->data->size) {
	61	- pRgn->data = xallocData(n);
	62	+ rgnSize = RegionSizeof(n);
	63	+ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
	64	if (!pRgn->data)
	65	return RegionBreak(pRgn);
	66	pRgn->data->numRects = 0;
4db25562	67	@@ -367,7 +370,8 @@ RegionRectAlloc(RegionPtr pRgn, int n)
7217e0ca ML	68	n = 250;
	69	}
	70	n += pRgn->data->numRects;
	71	- data = (RegDataPtr) realloc(pRgn->data, RegionSizeof(n));
	72	+ rgnSize = RegionSizeof(n);
	73	+ data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL;
	74	if (!data)
	75	return RegionBreak(pRgn);
	76	pRgn->data = data;
4db25562	77	@@ -1312,6 +1316,7 @@ RegionFromRects(int nrects, xRectangle *
7217e0ca ML	78	{
	79
	80	RegionPtr pRgn;
	81	+ size_t rgnSize;
	82	RegDataPtr pData;
	83	BoxPtr pBox;
	84	int i;
4db25562	85	@@ -1338,7 +1343,8 @@ RegionFromRects(int nrects, xRectangle *
7217e0ca ML	86	}
	87	return pRgn;
	88	}
	89	- pData = xallocData(nrects);
	90	+ rgnSize = RegionSizeof(nrects);
	91	+ pData = (rgnSize > 0) ? malloc(rgnSize) : NULL;
	92	if (!pData) {
	93	RegionBreak(pRgn);
	94	return pRgn;
4db25562 JB	95	--- a/include/regionstr.h
	96	+++ b/include/regionstr.h
	97	@@ -127,7 +127,10 @@ RegionEnd(RegionPtr reg)
7217e0ca ML	98	static inline size_t
	99	RegionSizeof(size_t n)
	100	{
	101	- return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
	102	+ if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)))
	103	+ return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
	104	+ else
	105	+ return 0;
	106	}
	107
	108	static inline void
4db25562	109	@@ -138,9 +141,10 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect
7217e0ca ML	110	(_pReg)->data = (RegDataPtr) NULL;
	111	}
	112	else {
	113	+ size_t rgnSize;
	114	(_pReg)->extents = RegionEmptyBox;
	115	- if (((_size) > 1) && ((_pReg)->data =
	116	- (RegDataPtr) malloc(RegionSizeof(_size)))) {
	117	+ if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) &&
	118	+ (((_pReg)->data = malloc(rgnSize)) != NULL)) {
	119	(_pReg)->data->size = (_size);
	120	(_pReg)->data->numRects = 0;
	121	}