From 6c820648ba4be98c94f61516e83f13edf5ed98db Mon Sep 17 00:00:00 2001 From: Julien Cristau Date: Tue, 28 Oct 2014 10:30:04 +0100 Subject: [PATCH 27/40] render: check request size before reading it [CVE-2014-8100 1/2] Otherwise we may be reading outside of the client request. v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: port to NXrender.c rather than render.c (Mike DePaulo) v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) Signed-off-by: Julien Cristau Reviewed-by: Alan Coopersmith Signed-off-by: Alan Coopersmith Conflicts: render/render.c --- nx-X11/programs/Xserver/render/render.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/nx-X11/programs/Xserver/render/render.c +++ b/nx-X11/programs/Xserver/render/render.c @@ -283,10 +283,11 @@ ProcRenderQueryVersion (ClientPtr client register int n; REQUEST(xRenderQueryVersionReq); + REQUEST_SIZE_MATCH(xRenderQueryVersionReq); + pRenderClient->major_version = stuff->majorVersion; pRenderClient->minor_version = stuff->minorVersion; - REQUEST_SIZE_MATCH(xRenderQueryVersionReq); rep.type = X_Reply; rep.length = 0; rep.sequenceNumber = client->sequence; --- a/nx-X11/programs/Xserver/hw/nxagent/NXrender.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXrender.c @@ -326,10 +326,11 @@ ProcRenderQueryVersion (ClientPtr client register int n; REQUEST(xRenderQueryVersionReq); + REQUEST_SIZE_MATCH(xRenderQueryVersionReq); + pRenderClient->major_version = stuff->majorVersion; pRenderClient->minor_version = stuff->minorVersion; - REQUEST_SIZE_MATCH(xRenderQueryVersionReq); rep.type = X_Reply; rep.length = 0; rep.sequenceNumber = client->sequence;