[23444] in bugtraq


Re: Crashing X

daemon@ATHENA.MIT.EDU (Matthieu Herrb)
Sat Dec 8 15:45:46 2001

From: Matthieu Herrb <matthieu.herrb@laas.fr>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15378.29792.674348.267895@laas.fr>
Date: Sat, 8 Dec 2001 21:13:20 +0100
To: bugtraq@securityfocus.com
In-Reply-To: <20011207165533.M7800@wirex.com>
Reply-To: herrb@xfree86.org

You wrote (in your message from Friday 7)
 > 
 > The vuln-dev Message-ID is <3B822F5F.99227A5F@snosoft.com>. I saw a fix
 > for it on September 16th, so I'm rather hoping XFree86 releases newer
 > than that have the fix integrated.
 > 

This has indeed been reported several times to XFree86 since last
September.

The patch that is in current XFree86 and in the 4_1_0 branch is
appended below. I have reports that it does not fix all possible cases
of crashes, but I cannot reproduce any crashes with this patch.
Maybe someone can provide more details here (stack trace, ...)?

				Matthieu Herrb

Index: fbglyph.c
===================================================================
RCS file: /xf86/xc/programs/Xserver/fb/fbglyph.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- fbglyph.c	2001/05/29 04:54:09	1.11
+++ fbglyph.c	2001/09/07 15:16:00	1.12
@@ -34,9 +34,19 @@
 	   int		height)
 {
     BoxRec  box;
+    BoxPtr  pExtents = REGION_EXTENTS (0, pRegion);
 
-    if (x + width < 0) return FALSE;
-    if (y + height < 0) return FALSE;
+    /*
+     * Check extents by hand to avoid 16 bit overflows
+     */
+    if (x < (int) pExtents->x1) 
+	return FALSE;
+    if ((int) pExtents->x2 < x + width) 
+	return FALSE;
+    if (y < (int) pExtents->y1)
+	return FALSE;
+    if ((int) pExtents->y2 < y + height)
+	return FALSE;
     box.x1 = x;
     box.x2 = x + width;
     box.y1 = y;
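Review bot: the hunk drops the old `x + width < 0` / `y + height < 0` guards instead of keeping them beside the new extents comparisons, so a negative sum is now rejected only indirectly (via `x < (int) pExtents->x1` when `x1` is non-negative). The four new checks do what the comment says, since the `(int)` casts keep the comparison in int before `x + width` is narrowed into the 16-bit `box.x2` / `box.y2` fields below, but `x + width` itself is still evaluated in int, and nothing rejects a negative `width` or `height`, which would give `box.x2 < box.x1`. Suggest keeping an explicit `if (width < 0 || height < 0) return FALSE;` ahead of the extents checks and stating in the comment that extents coordinates are shorts, which is why the cast matters.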
@@ -261,10 +271,10 @@
 			      FbBits,
 			      int,
 			      int);
-    FbBits	    *dst;
-    FbStride	    dstStride;
-    int		    dstBpp;
-    int		    dstXoff, dstYoff;
+    FbBits	    *dst = 0;
+    FbStride	    dstStride = 0;
+    int		    dstBpp = 0;
+    int		    dstXoff = 0, dstYoff = 0;
     
     glyph = 0;
     if (pGC->fillStyle == FillSolid && pPriv->and == 0)
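Review bot: initialising `dst`, `dstStride`, `dstBpp`, `dstXoff` and `dstYoff` to 0 only turns a read of an uninitialised pointer into a NULL dereference; it does not by itself show that every later use of `dst` is reachable only on the path where `glyph` was set and these variables were assigned. The hunk should carry a short comment saying that the zero values are never used when `glyph == 0`, or, better, the uses should be gated on `glyph` so the reason the initialisation is safe is visible at the point of use.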
@@ -352,10 +362,10 @@
 			      FbBits,
 			      int,
 			      int);
-    FbBits	    *dst;
-    FbStride	    dstStride;
-    int		    dstBpp;
-    int		    dstXoff, dstYoff;
+    FbBits	    *dst = 0;
+    FbStride	    dstStride = 0;
+    int		    dstBpp = 0;
+    int		    dstXoff = 0, dstYoff = 0;
     
     glyph = 0;
     if (pPriv->and == 0)
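Review bot: this hunk is the same five-line initialisation as the previous one, so the same question applies: the zero defaults are harmless only if `dst` and friends are never read on the path where `glyph` stays 0. Since the two functions share the declaration block verbatim, consider lifting the guarded lookup of `dst`/`dstStride`/`dstBpp`/`dstXoff`/`dstYoff` into one helper so the invariant is checked in a single place rather than relied on twice.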
