diff options
author | Julien Cristau <jcristau@debian.org> | 2014-10-28 10:30:04 +0100 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-02-14 16:14:32 +0100 |
commit | 6c820648ba4be98c94f61516e83f13edf5ed98db (patch) | |
tree | d989cd42f821f1fbfdc7a719f0552325e2dc8545 | |
parent | 2abde565df5de98800cec428fe612cb979063c02 (diff) | |
download | nx-libs-6c820648ba4be98c94f61516e83f13edf5ed98db.tar.gz nx-libs-6c820648ba4be98c94f61516e83f13edf5ed98db.tar.bz2 nx-libs-6c820648ba4be98c94f61516e83f13edf5ed98db.zip |
render: check request size before reading it [CVE-2014-8100 1/2]
Otherwise we may be reading outside of the client request.
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Conflicts:
render/render.c
-rw-r--r-- | nx-X11/programs/Xserver/render/render.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/nx-X11/programs/Xserver/render/render.c b/nx-X11/programs/Xserver/render/render.c index d25d49756..ebbce813b 100644 --- a/nx-X11/programs/Xserver/render/render.c +++ b/nx-X11/programs/Xserver/render/render.c @@ -283,10 +283,11 @@ ProcRenderQueryVersion (ClientPtr client) register int n; REQUEST(xRenderQueryVersionReq); + REQUEST_SIZE_MATCH(xRenderQueryVersionReq); + pRenderClient->major_version = stuff->majorVersion; pRenderClient->minor_version = stuff->minorVersion; - REQUEST_SIZE_MATCH(xRenderQueryVersionReq); rep.type = X_Reply; rep.length = 0; rep.sequenceNumber = client->sequence; |