From d1ca2119a25e60f9577d2b709a9cee8677e1a3fe Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sun, 26 Jan 2014 19:23:17 -0800 Subject: Xv: unvalidated lengths in XVideo extension swapped procs [CVE-2014-8099] v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: port to NXxvdisp.c rather than xvdisp.c (Mike DePaulo) Signed-off-by: Alan Coopersmith Reviewed-by: Peter Hutterer Conflicts: Xext/xvdisp.c --- nx-X11/programs/Xserver/hw/nxagent/NXxvdisp.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXxvdisp.c b/nx-X11/programs/Xserver/hw/nxagent/NXxvdisp.c index b8543f7a6..cfce34463 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/NXxvdisp.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXxvdisp.c @@ -1423,6 +1423,7 @@ SProcXvQueryExtension(ClientPtr client) { register char n; REQUEST(xvQueryExtensionReq); + REQUEST_SIZE_MATCH(xvQueryExtensionReq); swaps(&stuff->length, n); return ProcXvQueryExtension(client); } @@ -1432,6 +1433,7 @@ SProcXvQueryAdaptors(ClientPtr client) { register char n; REQUEST(xvQueryAdaptorsReq); + REQUEST_SIZE_MATCH(xvQueryAdaptorsReq); swaps(&stuff->length, n); swapl(&stuff->window, n); return ProcXvQueryAdaptors(client); @@ -1442,6 +1444,7 @@ SProcXvQueryEncodings(ClientPtr client) { register char n; REQUEST(xvQueryEncodingsReq); + REQUEST_SIZE_MATCH(xvQueryEncodingsReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return ProcXvQueryEncodings(client); @@ -1452,6 +1455,7 @@ SProcXvGrabPort(ClientPtr client) { register char n; REQUEST(xvGrabPortReq); + REQUEST_SIZE_MATCH(xvGrabPortReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->time, n); @@ -1463,6 +1467,7 @@ SProcXvUngrabPort(ClientPtr client) { register char n; REQUEST(xvUngrabPortReq); + REQUEST_SIZE_MATCH(xvUngrabPortReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->time, n); @@ -1474,6 +1479,7 @@ SProcXvPutVideo(ClientPtr client) { register char n; REQUEST(xvPutVideoReq); + REQUEST_SIZE_MATCH(xvPutVideoReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1494,6 +1500,7 @@ SProcXvPutStill(ClientPtr client) { register char n; REQUEST(xvPutStillReq); + REQUEST_SIZE_MATCH(xvPutStillReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1514,6 +1521,7 @@ SProcXvGetVideo(ClientPtr client) { register char n; REQUEST(xvGetVideoReq); + REQUEST_SIZE_MATCH(xvGetVideoReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1534,6 +1542,7 @@ SProcXvGetStill(ClientPtr client) { register char n; REQUEST(xvGetStillReq); + REQUEST_SIZE_MATCH(xvGetStillReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1554,6 +1563,7 @@ SProcXvPutImage(ClientPtr client) { register char n; REQUEST(xvPutImageReq); + REQUEST_AT_LEAST_SIZE(xvPutImageReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1578,6 +1588,7 @@ SProcXvShmPutImage(ClientPtr client) { register char n; REQUEST(xvShmPutImageReq); + REQUEST_SIZE_MATCH(xvShmPutImageReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1605,6 +1616,7 @@ SProcXvSelectVideoNotify(ClientPtr client) { register char n; REQUEST(xvSelectVideoNotifyReq); + REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq); swaps(&stuff->length, n); swapl(&stuff->drawable, n); return ProcXvSelectVideoNotify(client); @@ -1615,6 +1627,7 @@ SProcXvSelectPortNotify(ClientPtr client) { register char n; REQUEST(xvSelectPortNotifyReq); + REQUEST_SIZE_MATCH(xvSelectPortNotifyReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return ProcXvSelectPortNotify(client); @@ -1625,6 +1638,7 @@ SProcXvStopVideo(ClientPtr client) { register char n; REQUEST(xvStopVideoReq); + REQUEST_SIZE_MATCH(xvStopVideoReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1636,6 +1650,7 @@ SProcXvSetPortAttribute(ClientPtr client) { register char n; REQUEST(xvSetPortAttributeReq); + REQUEST_SIZE_MATCH(xvSetPortAttributeReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->attribute, n); @@ -1647,6 +1662,7 @@ SProcXvGetPortAttribute(ClientPtr client) { register char n; REQUEST(xvGetPortAttributeReq); + REQUEST_SIZE_MATCH(xvGetPortAttributeReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->attribute, n); @@ -1658,6 +1674,7 @@ SProcXvQueryBestSize(ClientPtr client) { register char n; REQUEST(xvQueryBestSizeReq); + REQUEST_SIZE_MATCH(xvQueryBestSizeReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swaps(&stuff->vid_w, n); @@ -1672,6 +1689,7 @@ SProcXvQueryPortAttributes(ClientPtr client) { register char n; REQUEST(xvQueryPortAttributesReq); + REQUEST_SIZE_MATCH(xvQueryPortAttributesReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return ProcXvQueryPortAttributes(client); @@ -1682,6 +1700,7 @@ SProcXvQueryImageAttributes(ClientPtr client) { register char n; REQUEST(xvQueryImageAttributesReq); + REQUEST_SIZE_MATCH(xvQueryImageAttributesReq); swaps(&stuff->length, n); swapl(&stuff->id, n); swaps(&stuff->width, n); @@ -1694,6 +1713,7 @@ SProcXvListImageFormats(ClientPtr client) { register char n; REQUEST(xvListImageFormatsReq); + REQUEST_SIZE_MATCH(xvListImageFormatsReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return ProcXvListImageFormats(client); -- cgit v1.2.3