aboutsummaryrefslogtreecommitdiff
path: root/debian/patches/1027-render-check-request-size-before-reading-it-CVE.full.patch
blob: 9540ddedad6af85703133d5484a59f285e8bdbe7 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
From 6c820648ba4be98c94f61516e83f13edf5ed98db Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Tue, 28 Oct 2014 10:30:04 +0100
Subject: [PATCH 27/40] render: check request size before reading it
 [CVE-2014-8100 1/2]

Otherwise we may be reading outside of the client request.

v2: backport to nx-libs 3.6.x (Mike DePaulo)

Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Conflicts:
	render/render.c
---
 nx-X11/programs/Xserver/render/render.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/nx-X11/programs/Xserver/render/render.c b/nx-X11/programs/Xserver/render/render.c
index d25d497..ebbce81 100644
--- a/nx-X11/programs/Xserver/render/render.c
+++ b/nx-X11/programs/Xserver/render/render.c
@@ -283,10 +283,11 @@ ProcRenderQueryVersion (ClientPtr client)
     register int n;
     REQUEST(xRenderQueryVersionReq);
 
+    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
+
     pRenderClient->major_version = stuff->majorVersion;
     pRenderClient->minor_version = stuff->minorVersion;
 
-    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
-- 
2.1.4