From e469cff02d3093062ce9243185d55c516efdad0b Mon Sep 17 00:00:00 2001 From: Julien Cristau Date: Tue, 28 Oct 2014 10:30:04 +0100 Subject: render: check request size before reading it [CVE-2014-8100 1/2] Otherwise we may be reading outside of the client request. v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: port to NXrender.c rather than render.c (Mike DePaulo) Signed-off-by: Julien Cristau Reviewed-by: Alan Coopersmith Signed-off-by: Alan Coopersmith Conflicts: render/render.c --- nx-X11/programs/Xserver/hw/nxagent/NXrender.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXrender.c b/nx-X11/programs/Xserver/hw/nxagent/NXrender.c index 89e790135..8a0091042 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/NXrender.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXrender.c @@ -387,10 +387,11 @@ ProcRenderQueryVersion (ClientPtr client) register int n; REQUEST(xRenderQueryVersionReq); + REQUEST_SIZE_MATCH(xRenderQueryVersionReq); + pRenderClient->major_version = stuff->majorVersion; pRenderClient->minor_version = stuff->minorVersion; - REQUEST_SIZE_MATCH(xRenderQueryVersionReq); rep.type = X_Reply; rep.length = 0; rep.sequenceNumber = client->sequence; -- cgit v1.2.3 From a0c90ad34fa89e5358893701723bd2f96a4bd3b2 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sun, 26 Jan 2014 19:51:29 -0800 Subject: render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2] v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: port to NXrender.c rather than render.c (Mike DePaulo) Signed-off-by: Alan Coopersmith Reviewed-by: Peter Hutterer Conflicts: render/render.c --- nx-X11/programs/Xserver/hw/nxagent/NXrender.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXrender.c b/nx-X11/programs/Xserver/hw/nxagent/NXrender.c index 8a0091042..c2f6527a6 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/NXrender.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXrender.c @@ -2532,6 +2532,7 @@ SProcRenderQueryVersion (ClientPtr client) { register int n; REQUEST(xRenderQueryVersionReq); + REQUEST_SIZE_MATCH(xRenderQueryVersionReq); swaps(&stuff->length, n); swapl(&stuff->majorVersion, n); @@ -2544,6 +2545,7 @@ SProcRenderQueryPictFormats (ClientPtr client) { register int n; REQUEST(xRenderQueryPictFormatsReq); + REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq); swaps(&stuff->length, n); return (*ProcRenderVector[stuff->renderReqType]) (client); } @@ -2553,6 +2555,7 @@ SProcRenderQueryPictIndexValues (ClientPtr client) { register int n; REQUEST(xRenderQueryPictIndexValuesReq); + REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq); swaps(&stuff->length, n); swapl(&stuff->format, n); return (*ProcRenderVector[stuff->renderReqType]) (client); @@ -2569,6 +2572,7 @@ SProcRenderCreatePicture (ClientPtr client) { register int n; REQUEST(xRenderCreatePictureReq); + REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq); swaps(&stuff->length, n); swapl(&stuff->pid, n); swapl(&stuff->drawable, n); @@ -2583,6 +2587,7 @@ SProcRenderChangePicture (ClientPtr client) { register int n; REQUEST(xRenderChangePictureReq); + REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq); swaps(&stuff->length, n); swapl(&stuff->picture, n); swapl(&stuff->mask, n); @@ -2595,6 +2600,7 @@ SProcRenderSetPictureClipRectangles (ClientPtr client) { register int n; REQUEST(xRenderSetPictureClipRectanglesReq); + REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq); swaps(&stuff->length, n); swapl(&stuff->picture, n); SwapRestS(stuff); @@ -2606,6 +2612,7 @@ SProcRenderFreePicture (ClientPtr client) { register int n; REQUEST(xRenderFreePictureReq); + REQUEST_SIZE_MATCH(xRenderFreePictureReq); swaps(&stuff->length, n); swapl(&stuff->picture, n); return (*ProcRenderVector[stuff->renderReqType]) (client); @@ -2616,6 +2623,7 @@ SProcRenderComposite (ClientPtr client) { register int n; REQUEST(xRenderCompositeReq); + REQUEST_SIZE_MATCH(xRenderCompositeReq); swaps(&stuff->length, n); swapl(&stuff->src, n); swapl(&stuff->mask, n); @@ -2636,6 +2644,7 @@ SProcRenderScale (ClientPtr client) { register int n; REQUEST(xRenderScaleReq); + REQUEST_SIZE_MATCH(xRenderScaleReq); swaps(&stuff->length, n); swapl(&stuff->src, n); swapl(&stuff->dst, n); @@ -2741,6 +2750,7 @@ SProcRenderCreateGlyphSet (ClientPtr client) { register int n; REQUEST(xRenderCreateGlyphSetReq); + REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq); swaps(&stuff->length, n); swapl(&stuff->gsid, n); swapl(&stuff->format, n); @@ -2752,6 +2762,7 @@ SProcRenderReferenceGlyphSet (ClientPtr client) { register int n; REQUEST(xRenderReferenceGlyphSetReq); + REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq); swaps(&stuff->length, n); swapl(&stuff->gsid, n); swapl(&stuff->existing, n); @@ -2763,6 +2774,7 @@ SProcRenderFreeGlyphSet (ClientPtr client) { register int n; REQUEST(xRenderFreeGlyphSetReq); + REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq); swaps(&stuff->length, n); swapl(&stuff->glyphset, n); return (*ProcRenderVector[stuff->renderReqType]) (client); @@ -2777,6 +2789,7 @@ SProcRenderAddGlyphs (ClientPtr client) void *end; xGlyphInfo *gi; REQUEST(xRenderAddGlyphsReq); + REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq); swaps(&stuff->length, n); swapl(&stuff->glyphset, n); swapl(&stuff->nglyphs, n); @@ -2813,6 +2826,7 @@ SProcRenderFreeGlyphs (ClientPtr client) { register int n; REQUEST(xRenderFreeGlyphsReq); + REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq); swaps(&stuff->length, n); swapl(&stuff->glyphset, n); SwapRestL(stuff); @@ -2831,7 +2845,8 @@ SProcRenderCompositeGlyphs (ClientPtr client) int size; REQUEST(xRenderCompositeGlyphsReq); - + REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq); + switch (stuff->renderReqType) { default: size = 1; break; case X_RenderCompositeGlyphs16: size = 2; break; -- cgit v1.2.3