- new; CVE-2006-6101 CVE-2006-6102 CVE-2006-6103

Changed files:
    x11r6.9.0-dbe-render.diff -> 1.1

diff --git a/x11r6.9.0-dbe-render.diff b/x11r6.9.0-dbe-render.diff
new file mode 100644 (file)
index 0000000..9321cc2
--- /dev/null
+++ b/x11r6.9.0-dbe-render.diff
@@ -0,0 +1,186 @@
+Index: dbe/dbe.c
+===================================================================
+RCS file: /cvs/xorg/xc/programs/Xserver/dbe/dbe.c,v
+retrieving revision 1.5
+diff -u -u -r1.5 dbe.c
+--- xc/programs/Xserver/dbe/dbe.c      3 Jul 2005 07:01:17 -0000       1.5
++++ xc/programs/Xserver/dbe/dbe.c      9 Jan 2007 12:45:54 -0000
+@@ -55,6 +55,10 @@
+ #include "xf86_ansic.h"
+ #endif
+ 
++#if !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ /* GLOBALS */
+ 
+ /* Per-screen initialization functions [init'ed by DbeRegisterFunction()] */
+@@ -733,11 +737,14 @@
+         return(Success);
+     }
+ 
++    if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
++          return BadAlloc;
++
+     /* Get to the swap info appended to the end of the request. */
+     dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
+ 
+     /* Allocate array to record swap information. */ 
+-    swapInfo = (DbeSwapInfoPtr)ALLOCATE_LOCAL(nStuff * sizeof(DbeSwapInfoRec));
++    swapInfo = (DbeSwapInfoPtr)Xalloc(nStuff * sizeof(DbeSwapInfoRec));
+     if (swapInfo == NULL)
+     {
+         return(BadAlloc);
+@@ -752,14 +759,14 @@
+         if (!(pWin = SecurityLookupWindow(dbeSwapInfo[i].window, client,
+                                         SecurityWriteAccess)))
+         {
+-            DEALLOCATE_LOCAL(swapInfo);
++            Xfree(swapInfo);
+           return(BadWindow);
+         }
+ 
+         /* Each window must be double-buffered - BadMatch. */
+         if (DBE_WINDOW_PRIV(pWin) == NULL)
+         {
+-            DEALLOCATE_LOCAL(swapInfo);
++            Xfree(swapInfo);
+             return(BadMatch);
+         }
+ 
+@@ -768,7 +775,7 @@
+         {
+             if (dbeSwapInfo[i].window == dbeSwapInfo[j].window)
+             {
+-                DEALLOCATE_LOCAL(swapInfo);
++                Xfree(swapInfo);
+                 return(BadMatch);
+           }
+         }
+@@ -779,7 +786,7 @@
+             (dbeSwapInfo[i].swapAction != XdbeUntouched ) &&
+             (dbeSwapInfo[i].swapAction != XdbeCopied    ))
+         {
+-            DEALLOCATE_LOCAL(swapInfo);
++            Xfree(swapInfo);
+             return(BadValue);
+         }
+ 
+@@ -809,12 +816,12 @@
+         error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo);
+         if (error != Success)
+         {
+-            DEALLOCATE_LOCAL(swapInfo);
++            Xfree(swapInfo);
+             return(error);
+         }
+     }
+     
+-    DEALLOCATE_LOCAL(swapInfo);
++    Xfree(swapInfo);
+     return(Success);
+ 
+ } /* ProcDbeSwapBuffers() */
+@@ -898,10 +905,12 @@
+ 
+     REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
+ 
++    if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
++          return BadAlloc;
+     /* Make sure any specified drawables are valid. */
+     if (stuff->n != 0)
+     {
+-        if (!(pDrawables = (DrawablePtr *)ALLOCATE_LOCAL(stuff->n *
++        if (!(pDrawables = (DrawablePtr *)Xalloc(stuff->n *
+                                                  sizeof(DrawablePtr))))
+         {
+             return(BadAlloc);
+@@ -914,7 +923,7 @@
+             if (!(pDrawables[i] = (DrawablePtr)SecurityLookupDrawable(
+                               drawables[i], client, SecurityReadAccess)))
+             {
+-                DEALLOCATE_LOCAL(pDrawables);
++                Xfree(pDrawables);
+                 return(BadDrawable);
+             }
+         }
+@@ -926,7 +935,7 @@
+     {
+         if (pDrawables)
+         {
+-            DEALLOCATE_LOCAL(pDrawables);
++            Xfree(pDrawables);
+         }
+ 
+         return(BadAlloc);
+@@ -953,7 +962,7 @@
+             /* Free pDrawables if we needed to allocate it above. */
+             if (pDrawables)
+             {
+-                DEALLOCATE_LOCAL(pDrawables);
++                Xfree(pDrawables);
+             }
+ 
+             return(BadAlloc);
+@@ -1034,7 +1043,7 @@
+ 
+     if (pDrawables)
+     {
+-        DEALLOCATE_LOCAL(pDrawables);
++        Xfree(pDrawables);
+     }
+ 
+     return(client->noClientException);
+Index: render/render.c
+===================================================================
+RCS file: /cvs/xorg/xc/programs/Xserver/render/render.c,v
+retrieving revision 1.12
+diff -u -u -r1.12 render.c
+--- xc/programs/Xserver/render/render.c        28 Aug 2005 19:47:39 -0000      1.12
++++ xc/programs/Xserver/render/render.c        9 Jan 2007 12:45:55 -0000
+@@ -52,6 +52,10 @@
+ #include "xf86_ansic.h"
+ #endif
+ 
++#if !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ static int ProcRenderQueryVersion (ClientPtr pClient);
+ static int ProcRenderQueryPictFormats (ClientPtr pClient);
+ static int ProcRenderQueryPictIndexValues (ClientPtr pClient);
+@@ -1108,11 +1112,14 @@
+     }
+ 
+     nglyphs = stuff->nglyphs;
++    if (nglyphs > UINT32_MAX / sizeof(GlyphNewRec))
++          return BadAlloc;
++
+     if (nglyphs <= NLOCALGLYPH)
+       glyphsBase = glyphsLocal;
+     else
+     {
+-      glyphsBase = (GlyphNewPtr) ALLOCATE_LOCAL (nglyphs * sizeof (GlyphNewRec));
++      glyphsBase = (GlyphNewPtr) Xalloc (nglyphs * sizeof (GlyphNewRec));
+       if (!glyphsBase)
+           return BadAlloc;
+     }
+@@ -1169,7 +1176,7 @@
+     }
+ 
+     if (glyphsBase != glyphsLocal)
+-      DEALLOCATE_LOCAL (glyphsBase);
++      Xfree (glyphsBase);
+     return client->noClientException;
+ bail:
+     while (glyphs != glyphsBase)
+@@ -1178,7 +1185,7 @@
+       xfree (glyphs->glyph);
+     }
+     if (glyphsBase != glyphsLocal)
+-      DEALLOCATE_LOCAL (glyphsBase);
++      Xfree (glyphsBase);
+     return err;
+ }
+