rpms / xorg-x11-server

Clone
Source Code
GIT

Files

  1.   0fd9596437a827b198e323235f1033bc5150cae6
  2.   SOURCES
  3.   0012-present-unvalidated-lengths-in-Present-extension-pro.patch
Blob Blame History Raw 
From a2ae01b5777b94b1e7bf7319223365f57c213a57 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 26 Jan 2014 19:33:34 -0800
Subject: [PATCH 12/33] present: unvalidated lengths in Present extension procs
 [CVE-2014-8103 2/2]

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
---
 present/present_request.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/present/present_request.c b/present/present_request.c
index 1064dcb..1a60c8a 100644
--- a/present/present_request.c
+++ b/present/present_request.c
@@ -210,6 +210,7 @@ proc_present_query_capabilities (ClientPtr client)
     RRCrtcPtr   crtc = NULL;
     int         r;
 
+    REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq);
     r = dixLookupWindow(&window, stuff->target, client, DixGetAttrAccess);
     switch (r) {
     case Success:
@@ -254,6 +255,7 @@ static int
 sproc_present_query_version(ClientPtr client)
 {
     REQUEST(xPresentQueryVersionReq);
+    REQUEST_SIZE_MATCH(xPresentQueryVersionReq);
 
     swaps(&stuff->length);
     swapl(&stuff->majorVersion);
@@ -265,6 +267,7 @@ static int
 sproc_present_pixmap(ClientPtr client)
 {
     REQUEST(xPresentPixmapReq);
+    REQUEST_AT_LEAST_SIZE(xPresentPixmapReq);
 
     swaps(&stuff->length);
     swapl(&stuff->window);
@@ -284,6 +287,7 @@ static int
 sproc_present_notify_msc(ClientPtr client)
 {
     REQUEST(xPresentNotifyMSCReq);
+    REQUEST_SIZE_MATCH(xPresentNotifyMSCReq);
 
     swaps(&stuff->length);
     swapl(&stuff->window);
@@ -297,6 +301,7 @@ static int
 sproc_present_select_input (ClientPtr client)
 {
     REQUEST(xPresentSelectInputReq);
+    REQUEST_SIZE_MATCH(xPresentSelectInputReq);
 
     swaps(&stuff->length);
     swapl(&stuff->window);
@@ -308,6 +313,7 @@ static int
 sproc_present_query_capabilities (ClientPtr client)
 {
     REQUEST(xPresentQueryCapabilitiesReq);
+    REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq);
     swaps(&stuff->length);
     swapl(&stuff->target);
     return (*proc_present_vector[stuff->presentReqType]) (client);
-- 
1.9.3

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation