X.Org security advisory, January 9th, 2007
Multiple integer overflows in dbe and render extensions
CVE IDs: CVE-2006-6101 CVE-2006-6102 CVE-2006-6103 

Overview

The ProcDbeGetVisualInfo(), ProcDbeSwapBuffer() and
ProcRenderAddGlyphs() functions in the X server, implementing requests
for the dbe and render extensions, may be used to overwrite data on
the stack or in other parts of the X server memory.

Vulnerability details

iDefense Labs security researchers discovered that the expressions
computing the parameters for ALLOCATE_LOCAL() in those functions use
client-provided values in a way that is subject to integer overflows,
which could lead to memory corruption.
 
Moreover, since ALLOCATE_LOCAL() is generally implemented using
alloca(), these corruptions happen on the stack. And since alloca()
has no way to report failure, it can return a pointer outside the
stack if the requested size is bigger than the current stack size,
leading to potential corruption in other memory segments.

The vulnerable requests are only available to an already authenticated
client of the X server. 
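
The overflow class described above, as an added illustration (not the
X server's code and not the released patches): a 32-bit size computed
from a client-provided count wraps to a small value, next to a checked
form that uses an allocator able to fail. item_t, MAX_ALLOC_BYTES and
the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 12-byte per-item record (assumption, not an X server type). */
typedef struct { uint32_t a, b, c; } item_t;
#define MAX_ALLOC_BYTES (1u << 20)   /* hypothetical cap on one request's buffer */

/* Flawed pattern: 32-bit product of a client-provided count wraps modulo 2^32. */
uint32_t unchecked_size(uint32_t count)
{
    return count * (uint32_t)sizeof(item_t);
}

/* Checked form: divide instead of multiply, so the test itself cannot overflow.
 * Returns 0 and stores the size, or -1 if count * sizeof(item_t) > limit. */
int checked_size(uint32_t count, uint32_t limit, uint32_t *out)
{
    if (count > limit / sizeof(item_t))
        return -1;
    *out = count * (uint32_t)sizeof(item_t);
    return 0;
}

/* Handler sketch: payload_bytes is the number of item bytes the client sent. */
int handle_items(uint32_t count, const void *payload, size_t payload_bytes)
{
    uint32_t size;
    item_t *items;

    if (checked_size(count, MAX_ALLOC_BYTES, &size) != 0)
        return -1;                    /* oversized or overflowing count */
    if (size > payload_bytes)
        return -1;                    /* count claims more than was sent */
    items = malloc(size ? size : 1);  /* unlike alloca(), malloc() can fail */
    if (items == NULL)
        return -1;
    memcpy(items, payload, size);
    free(items);
    return 0;
}

int main(void)
{
    uint32_t count = 0x15555556u;     /* constructed: 12 * count = 2^32 + 8 */
    printf("unchecked size: %u bytes\n", (unsigned)unchecked_size(count));
    printf("checked: %d\n", handle_items(count, "", 0));
    return 0;
}
```

With the unchecked computation, a buffer sized for 8 bytes would then be
indexed by a count of several hundred million items.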

Affected versions

All X.Org X server versions implementing the X render and dbe
extensions are vulnerable. Other X server implementations based on the
X11R6 sample implementation are probably vulnerable too.

Fix

Apply one of the following patches:

X.Org 6.8.2
http://www.freedesktop.org/releases/X11R6.8.2/patches/
MD5 (xorg-68x-dbe-render.patch) = 05f49f63cd2573a587d16e19bca7912e
SHA1 (xorg-68x-dbe-render.patch) = df289636e51151121ef2924b094cb53a88fe936b

X.Org 6.9.0
http://www.freedesktop.org/releases/X11R6.9.0/patches/
MD5 (x11r6.9.0-dbe-render.diff) = 992f91012c2e2f4c8abdbe8bcdf7b0c4
SHA1 (x11r6.9.0-dbe-render.diff) = 4fdb8f910ac98288745a06a8670dd1faaf5fea38

X.Org 7.0
http://www.freedesktop.org/releases/X11R7.0/patches/
MD5 (xorg-xserver-1.0.1-dbe-render.diff) = 03abf171a5c9258bf6921109803f11ae
SHA1 (xorg-xserver-1.0.1-dbe-render.diff) = 9aff9da694e32006ea69a02c7d9da66243ef4f7d

X.Org 7.1
http://www.freedesktop.org/releases/X11R7.1/patches/
MD5 (xorg-xserver-1.1.0-dbe-render.diff) = f4325ae286e238e0fe8bc2d68b41735c
SHA1 (xorg-xserver-1.1.0-dbe-render.diff) = 2c01ee26bac79d71c9925d2b8bbfbc6b73de9396

X.Org 7.2 RC3
MD5 (xorg-xserver-1.1.99.903-dbe-render.diff) = a27da6ea7917b1871b6ec19d4cb6502f
SHA1 (xorg-xserver-1.1.99.903-dbe-render.diff) = d8bfd192089a8d607c3be4fec002b80f0db1275a

A patch has also been committed to the xserver git repository for
the development version of the X server.

Thanks 

Sean Larsson of iDefense Labs discovered the vulnerabilities and
provided sample code and advice on fixing them.