[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0034-CVE-2014-8097-additional.patch

From b20912c3d45cbbde3c443e6c3d9e189092fe65e1 Mon Sep 17 00:00:00 2001
From: Keith Packard <keithp@keithp.com>
Date: Tue, 9 Dec 2014 09:30:57 -0800
Subject: dbe: Call to DDX SwapBuffers requires address of int, not unsigned
 int [CVE-2014-8097 pt. 2]

When the local types used to walk the DBE request were changed, this
changed the type of the parameter passed to the DDX SwapBuffers API,
but there wasn't a matching change in the API definition.

At this point, with the API frozen, I just stuck a new variable in
with the correct type. Because we've already bounds-checked nStuff to
be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will
fit in a signed int without overflow.

Signed-off-by: Keith Packard <keithp@keithp.com
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

--- a/dbe/dbe.c
+++ b/dbe/dbe.c
@@ -452,6 +452,7 @@ ProcDbeSwapBuffers(ClientPtr client)
     int error;
     unsigned int i, j;
     unsigned int nStuff;
+    int nStuff_i;       /* DDX API requires int for nStuff */
 
     REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
     nStuff = stuff->n;          /* use local variable for performance. */
@@ -527,9 +528,10 @@ ProcDbeSwapBuffers(ClientPtr client)
      * could deal with cross-screen synchronization.
      */
 
-    while (nStuff > 0) {
+    nStuff_i = nStuff;
+    while (nStuff_i > 0) {
         pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow);
-        error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff, swapInfo);
+        error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff_i, swapInfo);
         if (error != Success) {
             free(swapInfo);
             return error;
Commit	Line	Data
7217e0ca ML	1	From b20912c3d45cbbde3c443e6c3d9e189092fe65e1 Mon Sep 17 00:00:00 2001
	2	From: Keith Packard <keithp@keithp.com>
	3	Date: Tue, 9 Dec 2014 09:30:57 -0800
	4	Subject: dbe: Call to DDX SwapBuffers requires address of int, not unsigned
	5	int [CVE-2014-8097 pt. 2]
	6
	7	When the local types used to walk the DBE request were changed, this
	8	changed the type of the parameter passed to the DDX SwapBuffers API,
	9	but there wasn't a matching change in the API definition.
	10
	11	At this point, with the API frozen, I just stuck a new variable in
	12	with the correct type. Because we've already bounds-checked nStuff to
	13	be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will
	14	fit in a signed int without overflow.
	15
	16	Signed-off-by: Keith Packard <keithp@keithp.com
	17	Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	18	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	19
7217e0ca ML	20	--- a/dbe/dbe.c
	21	+++ b/dbe/dbe.c
	22	@@ -452,6 +452,7 @@ ProcDbeSwapBuffers(ClientPtr client)
	23	int error;
	24	unsigned int i, j;
	25	unsigned int nStuff;
	26	+ int nStuff_i; /* DDX API requires int for nStuff */
	27
	28	REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
	29	nStuff = stuff->n; /* use local variable for performance. */
	30	@@ -527,9 +528,10 @@ ProcDbeSwapBuffers(ClientPtr client)
	31	* could deal with cross-screen synchronization.
	32	*/
	33
	34	- while (nStuff > 0) {
	35	+ nStuff_i = nStuff;
	36	+ while (nStuff_i > 0) {
	37	pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow);
	38	- error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff, swapInfo);
	39	+ error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff_i, swapInfo);
	40	if (error != Success) {
	41	free(swapInfo);
	42	return error;