From 2abde565df5de98800cec428fe612cb979063c02 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sun, 26 Jan 2014 19:23:17 -0800 Subject: [PATCH 26/40] Xv: unvalidated lengths in XVideo extension swapped procs [CVE-2014-8099] v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: port to NXxvdisp.c rather than xvdisp.c (Mike DePaulo) v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) Signed-off-by: Alan Coopersmith Reviewed-by: Peter Hutterer Conflicts: Xext/xvdisp.c --- nx-X11/programs/Xserver/Xext/xvdisp.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) --- a/nx-X11/programs/Xserver/Xext/xvdisp.c +++ b/nx-X11/programs/Xserver/Xext/xvdisp.c @@ -1347,6 +1347,7 @@ SProcXvQueryExtension(ClientPtr client) { register char n; REQUEST(xvQueryExtensionReq); + REQUEST_SIZE_MATCH(xvQueryExtensionReq); swaps(&stuff->length, n); return ProcXvQueryExtension(client); } @@ -1356,6 +1357,7 @@ SProcXvQueryAdaptors(ClientPtr client) { register char n; REQUEST(xvQueryAdaptorsReq); + REQUEST_SIZE_MATCH(xvQueryAdaptorsReq); swaps(&stuff->length, n); swapl(&stuff->window, n); return ProcXvQueryAdaptors(client); @@ -1366,6 +1368,7 @@ SProcXvQueryEncodings(ClientPtr client) { register char n; REQUEST(xvQueryEncodingsReq); + REQUEST_SIZE_MATCH(xvQueryEncodingsReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return ProcXvQueryEncodings(client); @@ -1376,6 +1379,7 @@ SProcXvGrabPort(ClientPtr client) { register char n; REQUEST(xvGrabPortReq); + REQUEST_SIZE_MATCH(xvGrabPortReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->time, n); @@ -1387,6 +1391,7 @@ SProcXvUngrabPort(ClientPtr client) { register char n; REQUEST(xvUngrabPortReq); + REQUEST_SIZE_MATCH(xvUngrabPortReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->time, n); @@ -1398,6 +1403,7 @@ SProcXvPutVideo(ClientPtr client) { register char n; REQUEST(xvPutVideoReq); + REQUEST_SIZE_MATCH(xvPutVideoReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1418,6 +1424,7 @@ SProcXvPutStill(ClientPtr client) { register char n; REQUEST(xvPutStillReq); + REQUEST_SIZE_MATCH(xvPutStillReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1438,6 +1445,7 @@ SProcXvGetVideo(ClientPtr client) { register char n; REQUEST(xvGetVideoReq); + REQUEST_SIZE_MATCH(xvGetVideoReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1458,6 +1466,7 @@ SProcXvGetStill(ClientPtr client) { register char n; REQUEST(xvGetStillReq); + REQUEST_SIZE_MATCH(xvGetStillReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1478,6 +1487,7 @@ SProcXvPutImage(ClientPtr client) { register char n; REQUEST(xvPutImageReq); + REQUEST_AT_LEAST_SIZE(xvPutImageReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1502,6 +1512,7 @@ SProcXvShmPutImage(ClientPtr client) { register char n; REQUEST(xvShmPutImageReq); + REQUEST_SIZE_MATCH(xvShmPutImageReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1529,6 +1540,7 @@ SProcXvSelectVideoNotify(ClientPtr clien { register char n; REQUEST(xvSelectVideoNotifyReq); + REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq); swaps(&stuff->length, n); swapl(&stuff->drawable, n); return ProcXvSelectVideoNotify(client); @@ -1539,6 +1551,7 @@ SProcXvSelectPortNotify(ClientPtr client { register char n; REQUEST(xvSelectPortNotifyReq); + REQUEST_SIZE_MATCH(xvSelectPortNotifyReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return ProcXvSelectPortNotify(client); @@ -1549,6 +1562,7 @@ SProcXvStopVideo(ClientPtr client) { register char n; REQUEST(xvStopVideoReq); + REQUEST_SIZE_MATCH(xvStopVideoReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1560,6 +1574,7 @@ SProcXvSetPortAttribute(ClientPtr client { register char n; REQUEST(xvSetPortAttributeReq); + REQUEST_SIZE_MATCH(xvSetPortAttributeReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->attribute, n); @@ -1571,6 +1586,7 @@ SProcXvGetPortAttribute(ClientPtr client { register char n; REQUEST(xvGetPortAttributeReq); + REQUEST_SIZE_MATCH(xvGetPortAttributeReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->attribute, n); @@ -1582,6 +1598,7 @@ SProcXvQueryBestSize(ClientPtr client) { register char n; REQUEST(xvQueryBestSizeReq); + REQUEST_SIZE_MATCH(xvQueryBestSizeReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swaps(&stuff->vid_w, n); @@ -1596,6 +1613,7 @@ SProcXvQueryPortAttributes(ClientPtr cli { register char n; REQUEST(xvQueryPortAttributesReq); + REQUEST_SIZE_MATCH(xvQueryPortAttributesReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return ProcXvQueryPortAttributes(client); @@ -1606,6 +1624,7 @@ SProcXvQueryImageAttributes(ClientPtr cl { register char n; REQUEST(xvQueryImageAttributesReq); + REQUEST_SIZE_MATCH(xvQueryImageAttributesReq); swaps(&stuff->length, n); swapl(&stuff->id, n); swaps(&stuff->width, n); @@ -1618,6 +1637,7 @@ SProcXvListImageFormats(ClientPtr client { register char n; REQUEST(xvListImageFormatsReq); + REQUEST_SIZE_MATCH(xvListImageFormatsReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return ProcXvListImageFormats(client); --- a/nx-X11/programs/Xserver/hw/nxagent/NXxvdisp.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXxvdisp.c @@ -1401,6 +1401,7 @@ SProcXvQueryExtension(ClientPtr client) { register char n; REQUEST(xvQueryExtensionReq); + REQUEST_SIZE_MATCH(xvQueryExtensionReq); swaps(&stuff->length, n); return ProcXvQueryExtension(client); } @@ -1410,6 +1411,7 @@ SProcXvQueryAdaptors(ClientPtr client) { register char n; REQUEST(xvQueryAdaptorsReq); + REQUEST_SIZE_MATCH(xvQueryAdaptorsReq); swaps(&stuff->length, n); swapl(&stuff->window, n); return ProcXvQueryAdaptors(client); @@ -1420,6 +1422,7 @@ SProcXvQueryEncodings(ClientPtr client) { register char n; REQUEST(xvQueryEncodingsReq); + REQUEST_SIZE_MATCH(xvQueryEncodingsReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return ProcXvQueryEncodings(client); @@ -1430,6 +1433,7 @@ SProcXvGrabPort(ClientPtr client) { register char n; REQUEST(xvGrabPortReq); + REQUEST_SIZE_MATCH(xvGrabPortReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->time, n); @@ -1441,6 +1445,7 @@ SProcXvUngrabPort(ClientPtr client) { register char n; REQUEST(xvUngrabPortReq); + REQUEST_SIZE_MATCH(xvUngrabPortReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->time, n); @@ -1452,6 +1457,7 @@ SProcXvPutVideo(ClientPtr client) { register char n; REQUEST(xvPutVideoReq); + REQUEST_SIZE_MATCH(xvPutVideoReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1472,6 +1478,7 @@ SProcXvPutStill(ClientPtr client) { register char n; REQUEST(xvPutStillReq); + REQUEST_SIZE_MATCH(xvPutStillReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1492,6 +1499,7 @@ SProcXvGetVideo(ClientPtr client) { register char n; REQUEST(xvGetVideoReq); + REQUEST_SIZE_MATCH(xvGetVideoReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1512,6 +1520,7 @@ SProcXvGetStill(ClientPtr client) { register char n; REQUEST(xvGetStillReq); + REQUEST_SIZE_MATCH(xvGetStillReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1532,6 +1541,7 @@ SProcXvPutImage(ClientPtr client) { register char n; REQUEST(xvPutImageReq); + REQUEST_AT_LEAST_SIZE(xvPutImageReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1556,6 +1566,7 @@ SProcXvShmPutImage(ClientPtr client) { register char n; REQUEST(xvShmPutImageReq); + REQUEST_SIZE_MATCH(xvShmPutImageReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1583,6 +1594,7 @@ SProcXvSelectVideoNotify(ClientPtr clien { register char n; REQUEST(xvSelectVideoNotifyReq); + REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq); swaps(&stuff->length, n); swapl(&stuff->drawable, n); return ProcXvSelectVideoNotify(client); @@ -1593,6 +1605,7 @@ SProcXvSelectPortNotify(ClientPtr client { register char n; REQUEST(xvSelectPortNotifyReq); + REQUEST_SIZE_MATCH(xvSelectPortNotifyReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return ProcXvSelectPortNotify(client); @@ -1603,6 +1616,7 @@ SProcXvStopVideo(ClientPtr client) { register char n; REQUEST(xvStopVideoReq); + REQUEST_SIZE_MATCH(xvStopVideoReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->drawable, n); @@ -1614,6 +1628,7 @@ SProcXvSetPortAttribute(ClientPtr client { register char n; REQUEST(xvSetPortAttributeReq); + REQUEST_SIZE_MATCH(xvSetPortAttributeReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->attribute, n); @@ -1625,6 +1640,7 @@ SProcXvGetPortAttribute(ClientPtr client { register char n; REQUEST(xvGetPortAttributeReq); + REQUEST_SIZE_MATCH(xvGetPortAttributeReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swapl(&stuff->attribute, n); @@ -1636,6 +1652,7 @@ SProcXvQueryBestSize(ClientPtr client) { register char n; REQUEST(xvQueryBestSizeReq); + REQUEST_SIZE_MATCH(xvQueryBestSizeReq); swaps(&stuff->length, n); swapl(&stuff->port, n); swaps(&stuff->vid_w, n); @@ -1650,6 +1667,7 @@ SProcXvQueryPortAttributes(ClientPtr cli { register char n; REQUEST(xvQueryPortAttributesReq); + REQUEST_SIZE_MATCH(xvQueryPortAttributesReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return ProcXvQueryPortAttributes(client); @@ -1660,6 +1678,7 @@ SProcXvQueryImageAttributes(ClientPtr cl { register char n; REQUEST(xvQueryImageAttributesReq); + REQUEST_SIZE_MATCH(xvQueryImageAttributesReq); swaps(&stuff->length, n); swapl(&stuff->id, n); swaps(&stuff->width, n); @@ -1672,6 +1691,7 @@ SProcXvListImageFormats(ClientPtr client { register char n; REQUEST(xvListImageFormatsReq); + REQUEST_SIZE_MATCH(xvListImageFormatsReq); swaps(&stuff->length, n); swapl(&stuff->port, n); return ProcXvListImageFormats(client);