authorAlan Coopersmith <alan.coopersmith@oracle.com>2014-01-26 19:38:09 -0800
committerMike Gabriel <mike.gabriel@das-netzwerkteam.de>2015-02-14 16:14:32 +0100
commitcea44678dd6a9418460ead314fb2106924b081f7 (patch)
treeb6e7a30b74dc4724650982ccc5dd204ee6313fd7
parentc12a473f29cfadb62d38b0fffc36762d8e626676 (diff)
randr: unvalidated lengths in RandR extension swapped procs [CVE-2014-8101]
v2: backport to nx-libs 3.6.x (Mike DePaulo) Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-rw-r--r--nx-X11/programs/Xserver/randr/rrsdispatch.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/nx-X11/programs/Xserver/randr/rrsdispatch.c b/nx-X11/programs/Xserver/randr/rrsdispatch.c
index 80d16b75a..c4425ec45 100644
--- a/nx-X11/programs/Xserver/randr/rrsdispatch.c
+++ b/nx-X11/programs/Xserver/randr/rrsdispatch.c
@@ -28,6 +28,7 @@ SProcRRQueryVersion (ClientPtr client)
register int n;
REQUEST(xRRQueryVersionReq);
+ REQUEST_SIZE_MATCH(xRRQueryVersionReq);
swaps(&stuff->length, n);
swapl(&stuff->majorVersion, n);
swapl(&stuff->minorVersion, n);
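Review bot: The added REQUEST_SIZE_MATCH calls (here and in SProcRRGetScreenInfo and SProcRRSelectInput below) have no comment saying why they must come before the swaps, so a later edit could reorder them without noticing. The swaps/swapl calls rewrite request fields in place, so a request shorter than the struct would be modified past its end unless the length is rejected first. I would add above the check `/* Validate the request length before any in-place swap of its fields. */`. As far as I know the macro compares against client->req_len rather than stuff->length, which is why it is safe to run ahead of `swaps(&stuff->length, n)`; that is worth stating in the same comment. The function bodies start and end outside the hunks.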
@@ -40,6 +41,7 @@ SProcRRGetScreenInfo (ClientPtr client)
register int n;
REQUEST(xRRGetScreenInfoReq);
+ REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
swaps(&stuff->length, n);
swapl(&stuff->window, n);
return (*ProcRandrVector[stuff->randrReqType]) (client);
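Review bot: The new size check covers the struct fields but not the index on the last line, `ProcRandrVector[stuff->randrReqType]`, which is taken from the client request. No range check on randrReqType is visible in this hunk. Presumably the extension's dispatcher rejects out-of-range minor opcodes before this handler runs, but the file is not shown in full, so that should be confirmed. If it does not, a guard such as `if (stuff->randrReqType >= RRNumberRequests) return BadRequest;` belongs before the call.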
@@ -75,6 +77,7 @@ SProcRRSelectInput (ClientPtr client)
register int n;
REQUEST(xRRSelectInputReq);
+ REQUEST_SIZE_MATCH(xRRSelectInputReq);
swaps(&stuff->length, n);
swapl(&stuff->window, n);
swaps(&stuff->enable, n);
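Review bot: Only three swapped handlers gain a length check, and the hunk headers leave roughly thirty untouched lines between SProcRRGetScreenInfo (new line 41) and SProcRRSelectInput (new line 77). At least one handler appears to sit in that range, and the diff does not show whether it validates the request length before its own swaps. It would help if the commit message said which remaining SProc* functions were audited and why they need no change, or if the same `REQUEST_SIZE_MATCH` / `REQUEST_AT_LEAST_SIZE` line were added there. This function's body continues outside the hunk.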