From a2ae01b5777b94b1e7bf7319223365f57c213a57 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 26 Jan 2014 19:33:34 -0800
Subject: [PATCH 12/33] present: unvalidated lengths in Present extension procs
[CVE-2014-8103 2/2]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
---
present/present_request.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/present/present_request.c b/present/present_request.c
index 1064dcb..1a60c8a 100644
--- a/present/present_request.c
+++ b/present/present_request.c
@@ -210,6 +210,7 @@ proc_present_query_capabilities (ClientPtr client)
RRCrtcPtr crtc = NULL;
int r;
+ REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq);
r = dixLookupWindow(&window, stuff->target, client, DixGetAttrAccess);
switch (r) {
case Success:
@@ -254,6 +255,7 @@ static int
sproc_present_query_version(ClientPtr client)
{
REQUEST(xPresentQueryVersionReq);
+ REQUEST_SIZE_MATCH(xPresentQueryVersionReq);
swaps(&stuff->length);
swapl(&stuff->majorVersion);
@@ -265,6 +267,7 @@ static int
sproc_present_pixmap(ClientPtr client)
{
REQUEST(xPresentPixmapReq);
+ REQUEST_AT_LEAST_SIZE(xPresentPixmapReq);
swaps(&stuff->length);
swapl(&stuff->window);
@@ -284,6 +287,7 @@ static int
sproc_present_notify_msc(ClientPtr client)
{
REQUEST(xPresentNotifyMSCReq);
+ REQUEST_SIZE_MATCH(xPresentNotifyMSCReq);
swaps(&stuff->length);
swapl(&stuff->window);
@@ -297,6 +301,7 @@ static int
sproc_present_select_input (ClientPtr client)
{
REQUEST(xPresentSelectInputReq);
+ REQUEST_SIZE_MATCH(xPresentSelectInputReq);
swaps(&stuff->length);
swapl(&stuff->window);
@@ -308,6 +313,7 @@ static int
sproc_present_query_capabilities (ClientPtr client)
{
REQUEST(xPresentQueryCapabilitiesReq);
+ REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq);
swaps(&stuff->length);
swapl(&stuff->target);
return (*proc_present_vector[stuff->presentReqType]) (client);
--
1.9.3