diff options
| author | Mike DePaulo <mikedep333@gmail.com> | 2015-01-10 12:03:47 -0500 |
|---|---|---|
| committer | Mike DePaulo <mikedep333@gmail.com> | 2015-01-10 12:06:49 -0500 |
| commit | 7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3 (patch) | |
| tree | f2a4bfed7809a8e0bf4d06ec56a80191badba48b /xorg-server/Xi/xigrabdev.c | |
| parent | 212ca5c6023b6b7455ad64b2c29aeff82f301a03 (diff) | |
| download | vcxsrv-7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3.tar.gz vcxsrv-7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3.tar.bz2 vcxsrv-7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3.zip | |
Fix CVE-2014-8091..8103. Patches were ported from Ubuntu 14.04 (xorg-server 1.15.1)
Diffstat (limited to 'xorg-server/Xi/xigrabdev.c')
| -rw-r--r-- | xorg-server/Xi/xigrabdev.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/xorg-server/Xi/xigrabdev.c b/xorg-server/Xi/xigrabdev.c index 086e275d8..6be9971c9 100644 --- a/xorg-server/Xi/xigrabdev.c +++ b/xorg-server/Xi/xigrabdev.c @@ -47,6 +47,11 @@ int SProcXIGrabDevice(ClientPtr client) { REQUEST(xXIGrabDeviceReq); + /* + * Check here for at least the length of the struct we swap, then + * let ProcXIGrabDevice check the full size after we swap mask_len. + */ + REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq); swaps(&stuff->length); swaps(&stuff->deviceid); @@ -71,7 +76,7 @@ ProcXIGrabDevice(ClientPtr client) unsigned int pointer_mode; REQUEST(xXIGrabDeviceReq); - REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq); + REQUEST_FIXED_SIZE(xXIGrabDeviceReq, ((size_t) stuff->mask_len) * 4); ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess); if (ret != Success) @@ -130,6 +135,7 @@ int SProcXIUngrabDevice(ClientPtr client) { REQUEST(xXIUngrabDeviceReq); + REQUEST_SIZE_MATCH(xXIUngrabDeviceReq); swaps(&stuff->length); swaps(&stuff->deviceid); @@ -147,6 +153,7 @@ ProcXIUngrabDevice(ClientPtr client) TimeStamp time; REQUEST(xXIUngrabDeviceReq); + REQUEST_SIZE_MATCH(xXIUngrabDeviceReq); ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGetAttrAccess); if (ret != Success) |