aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2014-01-26 19:51:29 -0800
committerMike Gabriel <mike.gabriel@das-netzwerkteam.de>2015-02-14 16:14:32 +0100
commit9c3842a4f72b4cca28ac1d5c14441787c7dd6e6a (patch)
tree20d8f318a3f41b9e5939081e47a9d54cc9351ab5
parent6c820648ba4be98c94f61516e83f13edf5ed98db (diff)
downloadnx-libs-9c3842a4f72b4cca28ac1d5c14441787c7dd6e6a.tar.gz
nx-libs-9c3842a4f72b4cca28ac1d5c14441787c7dd6e6a.tar.bz2
nx-libs-9c3842a4f72b4cca28ac1d5c14441787c7dd6e6a.zip
render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2]
v2: backport to nx-libs 3.6.x (Mike DePaulo) Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: render/render.c
-rw-r--r--nx-X11/programs/Xserver/render/render.c17
1 files changed, 16 insertions, 1 deletions
diff --git a/nx-X11/programs/Xserver/render/render.c b/nx-X11/programs/Xserver/render/render.c
index ebbce813b..eee21db84 100644
--- a/nx-X11/programs/Xserver/render/render.c
+++ b/nx-X11/programs/Xserver/render/render.c
@@ -2014,6 +2014,7 @@ SProcRenderQueryVersion (ClientPtr client)
{
register int n;
REQUEST(xRenderQueryVersionReq);
+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
swaps(&stuff->length, n);
swapl(&stuff->majorVersion, n);
@@ -2026,6 +2027,7 @@ SProcRenderQueryPictFormats (ClientPtr client)
{
register int n;
REQUEST(xRenderQueryPictFormatsReq);
+ REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
swaps(&stuff->length, n);
return (*ProcRenderVector[stuff->renderReqType]) (client);
}
@@ -2035,6 +2037,7 @@ SProcRenderQueryPictIndexValues (ClientPtr client)
{
register int n;
REQUEST(xRenderQueryPictIndexValuesReq);
+ REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
swaps(&stuff->length, n);
swapl(&stuff->format, n);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2051,6 +2054,7 @@ SProcRenderCreatePicture (ClientPtr client)
{
register int n;
REQUEST(xRenderCreatePictureReq);
+ REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
swaps(&stuff->length, n);
swapl(&stuff->pid, n);
swapl(&stuff->drawable, n);
@@ -2065,6 +2069,7 @@ SProcRenderChangePicture (ClientPtr client)
{
register int n;
REQUEST(xRenderChangePictureReq);
+ REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
swaps(&stuff->length, n);
swapl(&stuff->picture, n);
swapl(&stuff->mask, n);
@@ -2077,6 +2082,7 @@ SProcRenderSetPictureClipRectangles (ClientPtr client)
{
register int n;
REQUEST(xRenderSetPictureClipRectanglesReq);
+ REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
swaps(&stuff->length, n);
swapl(&stuff->picture, n);
SwapRestS(stuff);
@@ -2088,6 +2094,7 @@ SProcRenderFreePicture (ClientPtr client)
{
register int n;
REQUEST(xRenderFreePictureReq);
+ REQUEST_SIZE_MATCH(xRenderFreePictureReq);
swaps(&stuff->length, n);
swapl(&stuff->picture, n);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2098,6 +2105,7 @@ SProcRenderComposite (ClientPtr client)
{
register int n;
REQUEST(xRenderCompositeReq);
+ REQUEST_SIZE_MATCH(xRenderCompositeReq);
swaps(&stuff->length, n);
swapl(&stuff->src, n);
swapl(&stuff->mask, n);
@@ -2118,6 +2126,7 @@ SProcRenderScale (ClientPtr client)
{
register int n;
REQUEST(xRenderScaleReq);
+ REQUEST_SIZE_MATCH(xRenderScaleReq);
swaps(&stuff->length, n);
swapl(&stuff->src, n);
swapl(&stuff->dst, n);
@@ -2223,6 +2232,7 @@ SProcRenderCreateGlyphSet (ClientPtr client)
{
register int n;
REQUEST(xRenderCreateGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
swaps(&stuff->length, n);
swapl(&stuff->gsid, n);
swapl(&stuff->format, n);
@@ -2234,6 +2244,7 @@ SProcRenderReferenceGlyphSet (ClientPtr client)
{
register int n;
REQUEST(xRenderReferenceGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
swaps(&stuff->length, n);
swapl(&stuff->gsid, n);
swapl(&stuff->existing, n);
@@ -2245,6 +2256,7 @@ SProcRenderFreeGlyphSet (ClientPtr client)
{
register int n;
REQUEST(xRenderFreeGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
swaps(&stuff->length, n);
swapl(&stuff->glyphset, n);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2259,6 +2271,7 @@ SProcRenderAddGlyphs (ClientPtr client)
void *end;
xGlyphInfo *gi;
REQUEST(xRenderAddGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
swaps(&stuff->length, n);
swapl(&stuff->glyphset, n);
swapl(&stuff->nglyphs, n);
@@ -2295,6 +2308,7 @@ SProcRenderFreeGlyphs (ClientPtr client)
{
register int n;
REQUEST(xRenderFreeGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
swaps(&stuff->length, n);
swapl(&stuff->glyphset, n);
SwapRestL(stuff);
@@ -2313,7 +2327,8 @@ SProcRenderCompositeGlyphs (ClientPtr client)
int size;
REQUEST(xRenderCompositeGlyphsReq);
-
+ REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
+
switch (stuff->renderReqType) {
default: size = 1; break;
case X_RenderCompositeGlyphs16: size = 2; break;