From 7017c22c2b5dcacc8e337029f7ed82f4bcafb819 Mon Sep 17 00:00:00 2001
From: Nathan Kidd <nkidd@opentext.com>
Date: Mon, 5 Mar 2018 11:01:49 +0100
Subject: Xserver/Xext/saver.c Unvalidated lengths (X.org CVE-2017-12185).

 commit cad5a1050b7184d828aef9c1dd151c3ab649d37e
 Author: Nathan Kidd <nkidd@opentext.com>
 Date:   Fri Jan 9 09:57:23 2015 -0500

    Unvalidated lengths

    v2: Add overflow check and remove unnecessary check (Julien Cristau)

    This addresses:
    CVE-2017-12184 in XINERAMA
    CVE-2017-12185 in MIT-SCREEN-SAVER
    CVE-2017-12186 in X-Resource
    CVE-2017-12187 in RENDER

    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
    Signed-off-by: Nathan Kidd <nkidd@opentext.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

 Backported-to-NX-by: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
---
 nx-X11/programs/Xserver/Xext/saver.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/nx-X11/programs/Xserver/Xext/saver.c b/nx-X11/programs/Xserver/Xext/saver.c
index 0b79a002b..89eebd7b1 100644
--- a/nx-X11/programs/Xserver/Xext/saver.c
+++ b/nx-X11/programs/Xserver/Xext/saver.c
@@ -1342,6 +1342,8 @@ ProcScreenSaverUnsetAttributes (ClientPtr client)
        PanoramiXRes *draw;
        int i;
 
+       REQUEST_SIZE_MATCH(xScreenSaverUnsetAttributesReq);
+
        if(!(draw = (PanoramiXRes *)SecurityLookupIDByClass(
                    client, stuff->drawable, XRC_DRAWABLE, DixWriteAccess)))
            return BadDrawable;
-- 
cgit v1.2.3