diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2014-01-26 19:38:09 -0800 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-02-14 16:14:32 +0100 |
commit | cea44678dd6a9418460ead314fb2106924b081f7 (patch) | |
tree | b6e7a30b74dc4724650982ccc5dd204ee6313fd7 | |
parent | c12a473f29cfadb62d38b0fffc36762d8e626676 (diff) | |
download | nx-libs-cea44678dd6a9418460ead314fb2106924b081f7.tar.gz nx-libs-cea44678dd6a9418460ead314fb2106924b081f7.tar.bz2 nx-libs-cea44678dd6a9418460ead314fb2106924b081f7.zip |
randr: unvalidated lengths in RandR extension swapped procs [CVE-2014-8101]
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-rw-r--r-- | nx-X11/programs/Xserver/randr/rrsdispatch.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/nx-X11/programs/Xserver/randr/rrsdispatch.c b/nx-X11/programs/Xserver/randr/rrsdispatch.c index 80d16b75a..c4425ec45 100644 --- a/nx-X11/programs/Xserver/randr/rrsdispatch.c +++ b/nx-X11/programs/Xserver/randr/rrsdispatch.c @@ -28,6 +28,7 @@ SProcRRQueryVersion (ClientPtr client) register int n; REQUEST(xRRQueryVersionReq); + REQUEST_SIZE_MATCH(xRRQueryVersionReq); swaps(&stuff->length, n); swapl(&stuff->majorVersion, n); swapl(&stuff->minorVersion, n); @@ -40,6 +41,7 @@ SProcRRGetScreenInfo (ClientPtr client) register int n; REQUEST(xRRGetScreenInfoReq); + REQUEST_SIZE_MATCH(xRRGetScreenInfoReq); swaps(&stuff->length, n); swapl(&stuff->window, n); return (*ProcRandrVector[stuff->randrReqType]) (client); @@ -75,6 +77,7 @@ SProcRRSelectInput (ClientPtr client) register int n; REQUEST(xRRSelectInputReq); + REQUEST_SIZE_MATCH(xRRSelectInputReq); swaps(&stuff->length, n); swapl(&stuff->window, n); swaps(&stuff->enable, n); |