1 files changed, 40 insertions, 0 deletions

diff --git a/debian/patches/1027-render-check-request-size-before-reading-it-CVE-2014.patch b/debian/patches/1027-render-check-request-size-before-reading-it-CVE-2014.patch
new file mode 100644
index 000000000..9540ddeda
--- /dev/null
+++ b/debian/patches/1027-render-check-request-size-before-reading-it-CVE-2014.patch
@@ -0,0 +1,40 @@
+From 6c820648ba4be98c94f61516e83f13edf5ed98db Mon Sep 17 00:00:00 2001
+From: Julien Cristau <jcristau@debian.org>
+Date: Tue, 28 Oct 2014 10:30:04 +0100
+Subject: [PATCH 27/40] render: check request size before reading it
+ [CVE-2014-8100 1/2]
+
+Otherwise we may be reading outside of the client request.
+
+v2: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Conflicts:
+	render/render.c
+---
+ nx-X11/programs/Xserver/render/render.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/nx-X11/programs/Xserver/render/render.c b/nx-X11/programs/Xserver/render/render.c
+index d25d497..ebbce81 100644
+--- a/nx-X11/programs/Xserver/render/render.c
++++ b/nx-X11/programs/Xserver/render/render.c
+@@ -283,10 +283,11 @@ ProcRenderQueryVersion (ClientPtr client)
+     register int n;
+     REQUEST(xRenderQueryVersionReq);
+ 
++    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
++
+     pRenderClient->major_version = stuff->majorVersion;
+     pRenderClient->minor_version = stuff->minorVersion;
+ 
+-    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.sequenceNumber = client->sequence;
+-- 
+2.1.4
+