From f8d54fefd98dd2ffd8d5680a6b7b5276b683e3e0 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 26 Jan 2014 19:28:05 -0800
Subject: [PATCH 11/33] dri3: unvalidated lengths in DRI3 extension swapped
procs [CVE-2014-8103 1/2]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
---
dri3/dri3_request.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/dri3/dri3_request.c b/dri3/dri3_request.c
index 4e1408f..2d05066 100644
--- a/dri3/dri3_request.c
+++ b/dri3/dri3_request.c
@@ -311,6 +311,7 @@ static int
sproc_dri3_query_version(ClientPtr client)
{
REQUEST(xDRI3QueryVersionReq);
+ REQUEST_SIZE_MATCH(xDRI3QueryVersionReq);
swaps(&stuff->length);
swapl(&stuff->majorVersion);
@@ -322,6 +323,7 @@ static int
sproc_dri3_open(ClientPtr client)
{
REQUEST(xDRI3OpenReq);
+ REQUEST_SIZE_MATCH(xDRI3OpenReq);
swaps(&stuff->length);
swapl(&stuff->drawable);
@@ -333,6 +335,7 @@ static int
sproc_dri3_pixmap_from_buffer(ClientPtr client)
{
REQUEST(xDRI3PixmapFromBufferReq);
+ REQUEST_SIZE_MATCH(xDRI3PixmapFromBufferReq);
swaps(&stuff->length);
swapl(&stuff->pixmap);
@@ -348,6 +351,7 @@ static int
sproc_dri3_buffer_from_pixmap(ClientPtr client)
{
REQUEST(xDRI3BufferFromPixmapReq);
+ REQUEST_SIZE_MATCH(xDRI3BufferFromPixmapReq);
swaps(&stuff->length);
swapl(&stuff->pixmap);
@@ -358,6 +362,7 @@ static int
sproc_dri3_fence_from_fd(ClientPtr client)
{
REQUEST(xDRI3FenceFromFDReq);
+ REQUEST_SIZE_MATCH(xDRI3FenceFromFDReq);
swaps(&stuff->length);
swapl(&stuff->drawable);
@@ -369,6 +374,7 @@ static int
sproc_dri3_fd_from_fence(ClientPtr client)
{
REQUEST(xDRI3FDFromFenceReq);
+ REQUEST_SIZE_MATCH(xDRI3FDFromFenceReq);
swaps(&stuff->length);
swapl(&stuff->drawable);
--
1.9.3