dri3: unvalidated lengths in DRI3 extension swapped procs [CVE-2014-8103 1/2]

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

1 files changed, 6 insertions, 0 deletions

diff --git a/dri3/dri3_request.c b/dri3/dri3_request.c
index fe45620c9..2d7558863 100644
--- a/dri3/dri3_request.c
+++ b/dri3/dri3_request.c
@@ -321,6 +321,7 @@ static int
 sproc_dri3_query_version(ClientPtr client)
 {
     REQUEST(xDRI3QueryVersionReq);
+    REQUEST_SIZE_MATCH(xDRI3QueryVersionReq);
 
     swaps(&stuff->length);
     swapl(&stuff->majorVersion);
@@ -332,6 +333,7 @@ static int
 sproc_dri3_open(ClientPtr client)
 {
     REQUEST(xDRI3OpenReq);
+    REQUEST_SIZE_MATCH(xDRI3OpenReq);
 
     swaps(&stuff->length);
     swapl(&stuff->drawable);
@@ -343,6 +345,7 @@ static int
 sproc_dri3_pixmap_from_buffer(ClientPtr client)
 {
     REQUEST(xDRI3PixmapFromBufferReq);
+    REQUEST_SIZE_MATCH(xDRI3PixmapFromBufferReq);
 
     swaps(&stuff->length);
     swapl(&stuff->pixmap);
@@ -358,6 +361,7 @@ static int
 sproc_dri3_buffer_from_pixmap(ClientPtr client)
 {
     REQUEST(xDRI3BufferFromPixmapReq);
+    REQUEST_SIZE_MATCH(xDRI3BufferFromPixmapReq);
 
     swaps(&stuff->length);
     swapl(&stuff->pixmap);
@@ -368,6 +372,7 @@ static int
 sproc_dri3_fence_from_fd(ClientPtr client)
 {
     REQUEST(xDRI3FenceFromFDReq);
+    REQUEST_SIZE_MATCH(xDRI3FenceFromFDReq);
 
     swaps(&stuff->length);
     swapl(&stuff->drawable);
@@ -379,6 +384,7 @@ static int
 sproc_dri3_fd_from_fence(ClientPtr client)
 {
     REQUEST(xDRI3FDFromFenceReq);
+    REQUEST_SIZE_MATCH(xDRI3FDFromFenceReq);
 
     swaps(&stuff->length);
     swapl(&stuff->drawable);