rpms / xorg-x11-server

Clone
Source Code
GIT

Blame SOURCES/0015-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   0fd9596437a827b198e323235f1033bc5150cae6
  2.   SOURCES
  3.   0015-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch
Blob History Raw
0fd959 
From eec950e6fcafd315b5f211c78fc7d4b775df1036 Mon Sep 17 00:00:00 2001
0fd959 
From: Alan Coopersmith <alan.coopersmith@oracle.com>
0fd959 
Date: Sun, 26 Jan 2014 19:51:29 -0800
0fd959 
Subject: [PATCH 15/33] render: unvalidated lengths in Render extn. swapped
0fd959 
 procs [CVE-2014-8100 2/2]
0fd959
0fd959 
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
0fd959 
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
0fd959 
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
0fd959 
---
0fd959 
 render/render.c | 16 +++++++++++++++-
0fd959 
 1 file changed, 15 insertions(+), 1 deletion(-)
0fd959
0fd959 
diff --git a/render/render.c b/render/render.c
0fd959 
index ce03b13..4e47efd 100644
0fd959 
--- a/render/render.c
0fd959 
+++ b/render/render.c
0fd959 
@@ -1995,7 +1995,7 @@ static int
0fd959 
 SProcRenderQueryVersion(ClientPtr client)
0fd959 
 {
0fd959 
     REQUEST(xRenderQueryVersionReq);
0fd959 
-
0fd959 
+    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
0fd959 
     swaps(&stuff->length);
0fd959 
     swapl(&stuff->majorVersion);
0fd959 
     swapl(&stuff->minorVersion);
0fd959 
@@ -2006,6 +2006,7 @@ static int
0fd959 
 SProcRenderQueryPictFormats(ClientPtr client)
0fd959 
 {
0fd959 
     REQUEST(xRenderQueryPictFormatsReq);
0fd959 
+    REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
0fd959 
     swaps(&stuff->length);
0fd959 
     return (*ProcRenderVector[stuff->renderReqType]) (client);
0fd959 
 }
0fd959 
@@ -2014,6 +2015,7 @@ static int
0fd959 
 SProcRenderQueryPictIndexValues(ClientPtr client)
0fd959 
 {
0fd959 
     REQUEST(xRenderQueryPictIndexValuesReq);
0fd959 
+    REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
0fd959 
     swaps(&stuff->length);
0fd959 
     swapl(&stuff->format);
0fd959 
     return (*ProcRenderVector[stuff->renderReqType]) (client);
0fd959 
@@ -2029,6 +2031,7 @@ static int
0fd959 
 SProcRenderCreatePicture(ClientPtr client)
0fd959 
 {
0fd959 
     REQUEST(xRenderCreatePictureReq);
0fd959 
+    REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
0fd959 
     swaps(&stuff->length);
0fd959 
     swapl(&stuff->pid);
0fd959 
     swapl(&stuff->drawable);
0fd959 
@@ -2042,6 +2045,7 @@ static int
0fd959 
 SProcRenderChangePicture(ClientPtr client)
0fd959 
 {
0fd959 
     REQUEST(xRenderChangePictureReq);
0fd959 
+    REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
0fd959 
     swaps(&stuff->length);
0fd959 
     swapl(&stuff->picture);
0fd959 
     swapl(&stuff->mask);
0fd959 
@@ -2053,6 +2057,7 @@ static int
0fd959 
 SProcRenderSetPictureClipRectangles(ClientPtr client)
0fd959 
 {
0fd959 
     REQUEST(xRenderSetPictureClipRectanglesReq);
0fd959 
+    REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
0fd959 
     swaps(&stuff->length);
0fd959 
     swapl(&stuff->picture);
0fd959 
     swaps(&stuff->xOrigin);
0fd959 
@@ -2065,6 +2070,7 @@ static int
0fd959 
 SProcRenderFreePicture(ClientPtr client)
0fd959 
 {
0fd959 
     REQUEST(xRenderFreePictureReq);
0fd959 
+    REQUEST_SIZE_MATCH(xRenderFreePictureReq);
0fd959 
     swaps(&stuff->length);
0fd959 
     swapl(&stuff->picture);
0fd959 
     return (*ProcRenderVector[stuff->renderReqType]) (client);
0fd959 
@@ -2074,6 +2080,7 @@ static int
0fd959 
 SProcRenderComposite(ClientPtr client)
0fd959 
 {
0fd959 
     REQUEST(xRenderCompositeReq);
0fd959 
+    REQUEST_SIZE_MATCH(xRenderCompositeReq);
0fd959 
     swaps(&stuff->length);
0fd959 
     swapl(&stuff->src);
0fd959 
     swapl(&stuff->mask);
0fd959 
@@ -2093,6 +2100,7 @@ static int
0fd959 
 SProcRenderScale(ClientPtr client)
0fd959 
 {
0fd959 
     REQUEST(xRenderScaleReq);
0fd959 
+    REQUEST_SIZE_MATCH(xRenderScaleReq);
0fd959 
     swaps(&stuff->length);
0fd959 
     swapl(&stuff->src);
0fd959 
     swapl(&stuff->dst);
0fd959 
@@ -2193,6 +2201,7 @@ static int
0fd959 
 SProcRenderCreateGlyphSet(ClientPtr client)
0fd959 
 {
0fd959 
     REQUEST(xRenderCreateGlyphSetReq);
0fd959 
+    REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
0fd959 
     swaps(&stuff->length);
0fd959 
     swapl(&stuff->gsid);
0fd959 
     swapl(&stuff->format);
0fd959 
@@ -2203,6 +2212,7 @@ static int
0fd959 
 SProcRenderReferenceGlyphSet(ClientPtr client)
0fd959 
 {
0fd959 
     REQUEST(xRenderReferenceGlyphSetReq);
0fd959 
+    REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
0fd959 
     swaps(&stuff->length);
0fd959 
     swapl(&stuff->gsid);
0fd959 
     swapl(&stuff->existing);
0fd959 
@@ -2213,6 +2223,7 @@ static int
0fd959 
 SProcRenderFreeGlyphSet(ClientPtr client)
0fd959 
 {
0fd959 
     REQUEST(xRenderFreeGlyphSetReq);
0fd959 
+    REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
0fd959 
     swaps(&stuff->length);
0fd959 
     swapl(&stuff->glyphset);
0fd959 
     return (*ProcRenderVector[stuff->renderReqType]) (client);
0fd959 
@@ -2227,6 +2238,7 @@ SProcRenderAddGlyphs(ClientPtr client)
0fd959 
     xGlyphInfo *gi;
0fd959
0fd959 
     REQUEST(xRenderAddGlyphsReq);
0fd959 
+    REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
0fd959 
     swaps(&stuff->length);
0fd959 
     swapl(&stuff->glyphset);
0fd959 
     swapl(&stuff->nglyphs);
0fd959 
@@ -2261,6 +2273,7 @@ static int
0fd959 
 SProcRenderFreeGlyphs(ClientPtr client)
0fd959 
 {
0fd959 
     REQUEST(xRenderFreeGlyphsReq);
0fd959 
+    REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
0fd959 
     swaps(&stuff->length);
0fd959 
     swapl(&stuff->glyphset);
0fd959 
     SwapRestL(stuff);
0fd959 
@@ -2278,6 +2291,7 @@ SProcRenderCompositeGlyphs(ClientPtr client)
0fd959 
     int size;
0fd959
0fd959 
     REQUEST(xRenderCompositeGlyphsReq);
0fd959 
+    REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
0fd959
0fd959 
     switch (stuff->renderReqType) {
0fd959 
     default:
0fd959 
--
0fd959 
1.9.3
0fd959

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation