From 2abde565df5de98800cec428fe612cb979063c02 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 26 Jan 2014 19:23:17 -0800
Subject: [PATCH 26/40] Xv: unvalidated lengths in XVideo extension swapped
 procs [CVE-2014-8099]

v2: backport to nx-libs 3.6.x (Mike DePaulo)

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

Conflicts:
	Xext/xvdisp.c
---
 nx-X11/programs/Xserver/Xext/xvdisp.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/nx-X11/programs/Xserver/Xext/xvdisp.c b/nx-X11/programs/Xserver/Xext/xvdisp.c
index 21ab0b6..b361c0f 100644
--- a/nx-X11/programs/Xserver/Xext/xvdisp.c
+++ b/nx-X11/programs/Xserver/Xext/xvdisp.c
@@ -1347,6 +1347,7 @@ SProcXvQueryExtension(ClientPtr client)
 {
   register char n;
   REQUEST(xvQueryExtensionReq);
+  REQUEST_SIZE_MATCH(xvQueryExtensionReq);
   swaps(&stuff->length, n);
   return ProcXvQueryExtension(client);
 }
@@ -1356,6 +1357,7 @@ SProcXvQueryAdaptors(ClientPtr client)
 {
   register char n;
   REQUEST(xvQueryAdaptorsReq);
+  REQUEST_SIZE_MATCH(xvQueryAdaptorsReq);
   swaps(&stuff->length, n);
   swapl(&stuff->window, n);
   return ProcXvQueryAdaptors(client);
@@ -1366,6 +1368,7 @@ SProcXvQueryEncodings(ClientPtr client)
 {
   register char n;
   REQUEST(xvQueryEncodingsReq);
+  REQUEST_SIZE_MATCH(xvQueryEncodingsReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   return ProcXvQueryEncodings(client);
@@ -1376,6 +1379,7 @@ SProcXvGrabPort(ClientPtr client)
 {
   register char n;
   REQUEST(xvGrabPortReq);
+  REQUEST_SIZE_MATCH(xvGrabPortReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->time, n);
@@ -1387,6 +1391,7 @@ SProcXvUngrabPort(ClientPtr client)
 {
   register char n;
   REQUEST(xvUngrabPortReq);
+  REQUEST_SIZE_MATCH(xvUngrabPortReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->time, n);
@@ -1398,6 +1403,7 @@ SProcXvPutVideo(ClientPtr client)
 {
   register char n;
   REQUEST(xvPutVideoReq);
+  REQUEST_SIZE_MATCH(xvPutVideoReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->drawable, n);
@@ -1418,6 +1424,7 @@ SProcXvPutStill(ClientPtr client)
 {
   register char n;
   REQUEST(xvPutStillReq);
+  REQUEST_SIZE_MATCH(xvPutStillReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->drawable, n);
@@ -1438,6 +1445,7 @@ SProcXvGetVideo(ClientPtr client)
 {
   register char n;
   REQUEST(xvGetVideoReq);
+  REQUEST_SIZE_MATCH(xvGetVideoReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->drawable, n);
@@ -1458,6 +1466,7 @@ SProcXvGetStill(ClientPtr client)
 {
   register char n;
   REQUEST(xvGetStillReq);
+  REQUEST_SIZE_MATCH(xvGetStillReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->drawable, n);
@@ -1478,6 +1487,7 @@ SProcXvPutImage(ClientPtr client)
 {
   register char n;
   REQUEST(xvPutImageReq);
+  REQUEST_AT_LEAST_SIZE(xvPutImageReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->drawable, n);
@@ -1502,6 +1512,7 @@ SProcXvShmPutImage(ClientPtr client)
 {
   register char n;
   REQUEST(xvShmPutImageReq);
+  REQUEST_SIZE_MATCH(xvShmPutImageReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->drawable, n);
@@ -1529,6 +1540,7 @@ SProcXvSelectVideoNotify(ClientPtr client)
 {
   register char n;
   REQUEST(xvSelectVideoNotifyReq);
+  REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq);
   swaps(&stuff->length, n);
   swapl(&stuff->drawable, n);
   return ProcXvSelectVideoNotify(client);
@@ -1539,6 +1551,7 @@ SProcXvSelectPortNotify(ClientPtr client)
 {
   register char n;
   REQUEST(xvSelectPortNotifyReq);
+  REQUEST_SIZE_MATCH(xvSelectPortNotifyReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   return ProcXvSelectPortNotify(client);
@@ -1549,6 +1562,7 @@ SProcXvStopVideo(ClientPtr client)
 {
   register char n;
   REQUEST(xvStopVideoReq);
+  REQUEST_SIZE_MATCH(xvStopVideoReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->drawable, n);
@@ -1560,6 +1574,7 @@ SProcXvSetPortAttribute(ClientPtr client)
 {
   register char n;
   REQUEST(xvSetPortAttributeReq);
+  REQUEST_SIZE_MATCH(xvSetPortAttributeReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->attribute, n);
@@ -1571,6 +1586,7 @@ SProcXvGetPortAttribute(ClientPtr client)
 {
   register char n;
   REQUEST(xvGetPortAttributeReq);
+  REQUEST_SIZE_MATCH(xvGetPortAttributeReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->attribute, n);
@@ -1582,6 +1598,7 @@ SProcXvQueryBestSize(ClientPtr client)
 {
   register char n;
   REQUEST(xvQueryBestSizeReq);
+  REQUEST_SIZE_MATCH(xvQueryBestSizeReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swaps(&stuff->vid_w, n);
@@ -1596,6 +1613,7 @@ SProcXvQueryPortAttributes(ClientPtr client)
 {
   register char n;
   REQUEST(xvQueryPortAttributesReq);
+  REQUEST_SIZE_MATCH(xvQueryPortAttributesReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   return ProcXvQueryPortAttributes(client);
@@ -1606,6 +1624,7 @@ SProcXvQueryImageAttributes(ClientPtr client)
 {
   register char n;
   REQUEST(xvQueryImageAttributesReq);
+  REQUEST_SIZE_MATCH(xvQueryImageAttributesReq);
   swaps(&stuff->length, n);
   swapl(&stuff->id, n);
   swaps(&stuff->width, n);
@@ -1618,6 +1637,7 @@ SProcXvListImageFormats(ClientPtr client)
 {
   register char n;
   REQUEST(xvListImageFormatsReq);
+  REQUEST_SIZE_MATCH(xvListImageFormatsReq);
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   return ProcXvListImageFormats(client);
-- 
2.1.4