aboutsummaryrefslogtreecommitdiff
path: root/debian/patches/1030-randr-unvalidated-lengths-in-RandR-extension-sw.full.patch
blob: 6a1757d3c0bcb2f74a01f4f767eb9821a03295c8 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
From cea44678dd6a9418460ead314fb2106924b081f7 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 26 Jan 2014 19:38:09 -0800
Subject: [PATCH 30/40] randr: unvalidated lengths in RandR extension swapped
 procs [CVE-2014-8101]

v2: backport to nx-libs 3.6.x (Mike DePaulo)

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 nx-X11/programs/Xserver/randr/rrsdispatch.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/nx-X11/programs/Xserver/randr/rrsdispatch.c b/nx-X11/programs/Xserver/randr/rrsdispatch.c
index 80d16b7..c4425ec 100644
--- a/nx-X11/programs/Xserver/randr/rrsdispatch.c
+++ b/nx-X11/programs/Xserver/randr/rrsdispatch.c
@@ -28,6 +28,7 @@ SProcRRQueryVersion (ClientPtr client)
     register int n;
     REQUEST(xRRQueryVersionReq);
 
+	REQUEST_SIZE_MATCH(xRRQueryVersionReq);
     swaps(&stuff->length, n);
     swapl(&stuff->majorVersion, n);
     swapl(&stuff->minorVersion, n);
@@ -40,6 +41,7 @@ SProcRRGetScreenInfo (ClientPtr client)
     register int n;
     REQUEST(xRRGetScreenInfoReq);
 
+	REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
     swaps(&stuff->length, n);
     swapl(&stuff->window, n);
     return (*ProcRandrVector[stuff->randrReqType]) (client);
@@ -75,6 +77,7 @@ SProcRRSelectInput (ClientPtr client)
     register int n;
     REQUEST(xRRSelectInputReq);
 
+	REQUEST_SIZE_MATCH(xRRSelectInputReq);
     swaps(&stuff->length, n);
     swapl(&stuff->window, n);
     swaps(&stuff->enable, n);
-- 
2.1.4