blob: 7e8fe352fd5ce2c1a34e56eba9e5adeb809b4a70 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
From 6c820648ba4be98c94f61516e83f13edf5ed98db Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Tue, 28 Oct 2014 10:30:04 +0100
Subject: [PATCH 27/40] render: check request size before reading it
[CVE-2014-8100 1/2]
Otherwise we may be reading outside of the client request.
v2: backport to nx-libs 3.6.x (Mike DePaulo)
v3: port to NXrender.c rather than render.c (Mike DePaulo)
v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan)
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Conflicts:
render/render.c
---
nx-X11/programs/Xserver/render/render.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/nx-X11/programs/Xserver/render/render.c
+++ b/nx-X11/programs/Xserver/render/render.c
@@ -283,10 +283,11 @@ ProcRenderQueryVersion (ClientPtr client
register int n;
REQUEST(xRenderQueryVersionReq);
+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
+
pRenderClient->major_version = stuff->majorVersion;
pRenderClient->minor_version = stuff->minorVersion;
- REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
--- a/nx-X11/programs/Xserver/hw/nxagent/NXrender.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/NXrender.c
@@ -326,10 +326,11 @@ ProcRenderQueryVersion (ClientPtr client
register int n;
REQUEST(xRenderQueryVersionReq);
+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
+
pRenderClient->major_version = stuff->majorVersion;
pRenderClient->minor_version = stuff->minorVersion;
- REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
|
