From 9c3842a4f72b4cca28ac1d5c14441787c7dd6e6a Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Sun, 26 Jan 2014 19:51:29 -0800
Subject: [PATCH 28/40] render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2]

v2: backport to nx-libs 3.6.x (Mike DePaulo)
v3: port to NXrender.c rather than render.c (Mike DePaulo)
v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan)
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
Conflicts: render/render.c
---
 nx-X11/programs/Xserver/render/render.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
--- a/nx-X11/programs/Xserver/render/render.c
+++ b/nx-X11/programs/Xserver/render/render.c
@@ -2014,6 +2014,7 @@ SProcRenderQueryVersion (ClientPtr clien
 {
 register int n;
 REQUEST(xRenderQueryVersionReq);
+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
 swaps(&stuff->length, n);
 swapl(&stuff->majorVersion, n);
@@ -2026,6 +2027,7 @@ SProcRenderQueryPictFormats (ClientPtr c
 {
 register int n;
 REQUEST(xRenderQueryPictFormatsReq);
+ REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
 swaps(&stuff->length, n);
 return (*ProcRenderVector[stuff->renderReqType]) (client);
 }
@@ -2035,6 +2037,7 @@ SProcRenderQueryPictIndexValues (ClientP
 {
 register int n;
 REQUEST(xRenderQueryPictIndexValuesReq);
+ REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
 swaps(&stuff->length, n);
 swapl(&stuff->format, n);
 return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2051,6 +2054,7 @@ SProcRenderCreatePicture (ClientPtr clie
 {
 register int n;
 REQUEST(xRenderCreatePictureReq);
+ REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
 swaps(&stuff->length, n);
 swapl(&stuff->pid, n);
 swapl(&stuff->drawable, n);
@@ -2065,6 +2069,7 @@ SProcRenderChangePicture (ClientPtr clie
 {
 register int n;
 REQUEST(xRenderChangePictureReq);
+ REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
 swaps(&stuff->length, n);
 swapl(&stuff->picture, n);
 swapl(&stuff->mask, n);
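Review bot: Nothing at the new `REQUEST_SIZE_MATCH(xRenderQueryVersionReq);` line in SProcRenderQueryVersion records that its position is load-bearing: the swap macros rewrite fields of the request buffer in place, so the length check has to run before the first `swapl` on a field past the header. A one-line comment such as `/* length check must precede any swap of fields past the header */` would keep a later refactor from moving the check below the swaps. The same applies to every SProcRender* hunk in this patch, in both render.c and NXrender.c.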
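Review bot: SProcRenderQueryPictIndexValues gets `REQUEST_AT_LEAST_SIZE`, yet its visible body swaps only `length` and `format` and has no SwapRest call, which suggests a fixed-size request. If the unswapped ProcRenderQueryPictIndexValues handler (not shown here) also treats it as fixed, `REQUEST_SIZE_MATCH(xRenderQueryPictIndexValuesReq);` would reject oversized requests as well. Whichever macro is used, the swapped and unswapped handlers should agree so that both byte orders accept exactly the same lengths.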
@@ -2077,6 +2082,7 @@ SProcRenderSetPictureClipRectangles (Cli
 {
 register int n;
 REQUEST(xRenderSetPictureClipRectanglesReq);
+ REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
 swaps(&stuff->length, n);
 swapl(&stuff->picture, n);
 SwapRestS(stuff);
@@ -2088,6 +2094,7 @@ SProcRenderFreePicture (ClientPtr client
 {
 register int n;
 REQUEST(xRenderFreePictureReq);
+ REQUEST_SIZE_MATCH(xRenderFreePictureReq);
 swaps(&stuff->length, n);
 swapl(&stuff->picture, n);
 return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2098,6 +2105,7 @@ SProcRenderComposite (ClientPtr client)
 {
 register int n;
 REQUEST(xRenderCompositeReq);
+ REQUEST_SIZE_MATCH(xRenderCompositeReq);
 swaps(&stuff->length, n);
 swapl(&stuff->src, n);
 swapl(&stuff->mask, n);
@@ -2118,6 +2126,7 @@ SProcRenderScale (ClientPtr client)
 {
 register int n;
 REQUEST(xRenderScaleReq);
+ REQUEST_SIZE_MATCH(xRenderScaleReq);
 swaps(&stuff->length, n);
 swapl(&stuff->src, n);
 swapl(&stuff->dst, n);
@@ -2223,6 +2232,7 @@ SProcRenderCreateGlyphSet (ClientPtr cli
 {
 register int n;
 REQUEST(xRenderCreateGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
 swaps(&stuff->length, n);
 swapl(&stuff->gsid, n);
 swapl(&stuff->format, n);
@@ -2234,6 +2244,7 @@ SProcRenderReferenceGlyphSet (ClientPtr
 {
 register int n;
 REQUEST(xRenderReferenceGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
 swaps(&stuff->length, n);
 swapl(&stuff->gsid, n);
 swapl(&stuff->existing, n);
@@ -2245,6 +2256,7 @@ SProcRenderFreeGlyphSet (ClientPtr clien
 {
 register int n;
 REQUEST(xRenderFreeGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
 swaps(&stuff->length, n);
 swapl(&stuff->glyphset, n);
 return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2259,6 +2271,7 @@ SProcRenderAddGlyphs (ClientPtr client)
 void *end;
 xGlyphInfo *gi;
 REQUEST(xRenderAddGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
 swaps(&stuff->length, n);
 swapl(&stuff->glyphset, n);
 swapl(&stuff->nglyphs, n);
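Review bot: In SProcRenderAddGlyphs the new `REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);` covers only the fixed header, while `nglyphs` is a client-supplied count swapped a few lines later and the `end`/`gi` declarations point to a pointer walk over the trailing arrays. That walk lies outside the hunk, so it should be confirmed that it bounds `nglyphs` against `client->req_len` before any glyph id or xGlyphInfo is swapped. A comment at the check, e.g. `/* fixed header only; nglyphs is client-controlled and must be bounded against req_len below */`, would document the dependency. SProcRenderCompositeGlyphs has the same shape: a fixed-header check followed by a variable-length element list handled outside its hunk.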
@@ -2295,6 +2308,7 @@ SProcRenderFreeGlyphs (ClientPtr client)
 {
 register int n;
 REQUEST(xRenderFreeGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
 swaps(&stuff->length, n);
 swapl(&stuff->glyphset, n);
 SwapRestL(stuff);
@@ -2313,7 +2327,8 @@ SProcRenderCompositeGlyphs (ClientPtr cl
 int size;
 REQUEST(xRenderCompositeGlyphsReq);
-
+ REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
+
 switch (stuff->renderReqType) {
 default: size = 1; break;
 case X_RenderCompositeGlyphs16: size = 2; break;
--- a/nx-X11/programs/Xserver/hw/nxagent/NXrender.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/NXrender.c
@@ -2256,6 +2256,7 @@ SProcRenderQueryVersion (ClientPtr clien
 {
 register int n;
 REQUEST(xRenderQueryVersionReq);
+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
 swaps(&stuff->length, n);
 swapl(&stuff->majorVersion, n);
@@ -2268,6 +2269,7 @@ SProcRenderQueryPictFormats (ClientPtr c
 {
 register int n;
 REQUEST(xRenderQueryPictFormatsReq);
+ REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
 swaps(&stuff->length, n);
 return (*ProcRenderVector[stuff->renderReqType]) (client);
 }
@@ -2277,6 +2279,7 @@ SProcRenderQueryPictIndexValues (ClientP
 {
 register int n;
 REQUEST(xRenderQueryPictIndexValuesReq);
+ REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
 swaps(&stuff->length, n);
 swapl(&stuff->format, n);
 return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2293,6 +2296,7 @@ SProcRenderCreatePicture (ClientPtr clie
 {
 register int n;
 REQUEST(xRenderCreatePictureReq);
+ REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
 swaps(&stuff->length, n);
 swapl(&stuff->pid, n);
 swapl(&stuff->drawable, n);
@@ -2307,6 +2311,7 @@ SProcRenderChangePicture (ClientPtr clie
 {
 register int n;
 REQUEST(xRenderChangePictureReq);
+ REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
 swaps(&stuff->length, n);
 swapl(&stuff->picture, n);
 swapl(&stuff->mask, n);
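Review bot: The NXrender.c hunks, starting with SProcRenderQueryVersion at line 2256, repeat the render.c hunks line for line, so the swapped Render dispatch code exists in two copies that must always be patched together. A later length-check fix applied to only one file would leave the other copy unvalidated. A short comment above the SProc block in each file naming its twin would make this visible, e.g. `/* keep in sync with the SProcRender* copies in render/render.c */` in NXrender.c and the converse in render.c. The diffstat in the commit message also lists only render.c, although the patch body touches both files.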
@@ -2319,6 +2324,7 @@ SProcRenderSetPictureClipRectangles (Cli
 {
 register int n;
 REQUEST(xRenderSetPictureClipRectanglesReq);
+ REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
 swaps(&stuff->length, n);
 swapl(&stuff->picture, n);
 SwapRestS(stuff);
@@ -2330,6 +2336,7 @@ SProcRenderFreePicture (ClientPtr client
 {
 register int n;
 REQUEST(xRenderFreePictureReq);
+ REQUEST_SIZE_MATCH(xRenderFreePictureReq);
 swaps(&stuff->length, n);
 swapl(&stuff->picture, n);
 return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2340,6 +2347,7 @@ SProcRenderComposite (ClientPtr client)
 {
 register int n;
 REQUEST(xRenderCompositeReq);
+ REQUEST_SIZE_MATCH(xRenderCompositeReq);
 swaps(&stuff->length, n);
 swapl(&stuff->src, n);
 swapl(&stuff->mask, n);
@@ -2360,6 +2368,7 @@ SProcRenderScale (ClientPtr client)
 {
 register int n;
 REQUEST(xRenderScaleReq);
+ REQUEST_SIZE_MATCH(xRenderScaleReq);
 swaps(&stuff->length, n);
 swapl(&stuff->src, n);
 swapl(&stuff->dst, n);
@@ -2465,6 +2474,7 @@ SProcRenderCreateGlyphSet (ClientPtr cli
 {
 register int n;
 REQUEST(xRenderCreateGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
 swaps(&stuff->length, n);
 swapl(&stuff->gsid, n);
 swapl(&stuff->format, n);
@@ -2476,6 +2486,7 @@ SProcRenderReferenceGlyphSet (ClientPtr
 {
 register int n;
 REQUEST(xRenderReferenceGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
 swaps(&stuff->length, n);
 swapl(&stuff->gsid, n);
 swapl(&stuff->existing, n);
@@ -2487,6 +2498,7 @@ SProcRenderFreeGlyphSet (ClientPtr clien
 {
 register int n;
 REQUEST(xRenderFreeGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
 swaps(&stuff->length, n);
 swapl(&stuff->glyphset, n);
 return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2501,6 +2513,7 @@ SProcRenderAddGlyphs (ClientPtr client)
 void *end;
 xGlyphInfo *gi;
 REQUEST(xRenderAddGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
 swaps(&stuff->length, n);
 swapl(&stuff->glyphset, n);
 swapl(&stuff->nglyphs, n);
@@ -2537,6 +2550,7 @@ SProcRenderFreeGlyphs (ClientPtr client)
 {
 register int n;
 REQUEST(xRenderFreeGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
 swaps(&stuff->length, n);
 swapl(&stuff->glyphset, n);
 SwapRestL(stuff);
@@ -2555,7 +2569,8 @@ SProcRenderCompositeGlyphs (ClientPtr cl
 int size;
 REQUEST(xRenderCompositeGlyphsReq);
-
+ REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
+
 switch (stuff->renderReqType) {
 default: size = 1; break;
 case X_RenderCompositeGlyphs16: size = 2; break;