diff options
author | Mike DePaulo <mikedep333@gmail.com> | 2015-01-10 12:03:47 -0500 |
---|---|---|
committer | Mike DePaulo <mikedep333@gmail.com> | 2015-01-10 12:03:47 -0500 |
commit | 0f3cca7b69ea6711c8f1963eb213ce8f1629091f (patch) | |
tree | 0df630c725acaa3516f27a36ec9c0194fbb132ad /xorg-server/Xi/xigrabdev.c | |
parent | 9380c3137260167265f1b528dd3687517cf9449a (diff) | |
download | vcxsrv-0f3cca7b69ea6711c8f1963eb213ce8f1629091f.tar.gz vcxsrv-0f3cca7b69ea6711c8f1963eb213ce8f1629091f.tar.bz2 vcxsrv-0f3cca7b69ea6711c8f1963eb213ce8f1629091f.zip |
Fix CVE-2014-8091..8103. Patches were ported from Ubuntu 14.04 (xorg-server 1.15.1)
Diffstat (limited to 'xorg-server/Xi/xigrabdev.c')
-rw-r--r-- | xorg-server/Xi/xigrabdev.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/xorg-server/Xi/xigrabdev.c b/xorg-server/Xi/xigrabdev.c index 086e275d8..6be9971c9 100644 --- a/xorg-server/Xi/xigrabdev.c +++ b/xorg-server/Xi/xigrabdev.c @@ -47,6 +47,11 @@ int SProcXIGrabDevice(ClientPtr client) { REQUEST(xXIGrabDeviceReq); + /* + * Check here for at least the length of the struct we swap, then + * let ProcXIGrabDevice check the full size after we swap mask_len. + */ + REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq); swaps(&stuff->length); swaps(&stuff->deviceid); @@ -71,7 +76,7 @@ ProcXIGrabDevice(ClientPtr client) unsigned int pointer_mode; REQUEST(xXIGrabDeviceReq); - REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq); + REQUEST_FIXED_SIZE(xXIGrabDeviceReq, ((size_t) stuff->mask_len) * 4); ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess); if (ret != Success) @@ -130,6 +135,7 @@ int SProcXIUngrabDevice(ClientPtr client) { REQUEST(xXIUngrabDeviceReq); + REQUEST_SIZE_MATCH(xXIUngrabDeviceReq); swaps(&stuff->length); swaps(&stuff->deviceid); @@ -147,6 +153,7 @@ ProcXIUngrabDevice(ClientPtr client) TimeStamp time; REQUEST(xXIUngrabDeviceReq); + REQUEST_SIZE_MATCH(xXIUngrabDeviceReq); ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGetAttrAccess); if (ret != Success) |