diff options
author | Adam Jackson <ajax@redhat.com> | 2014-11-10 12:13:44 -0500 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2014-12-08 18:09:50 -0800 |
commit | c91e4abc3b892f42802efa20fef7ada442c2d3f5 (patch) | |
tree | ea9184a76a317e99e7c149e18b32b745a459a1e6 /glx/glxcmdsswap.c | |
parent | a33a939e6abb255b14d8dbc85fcbd2c55b958bae (diff) |
glx: Top-level length checking for swapped VendorPrivate requests [CVE-2014-8098 4/8]
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'glx/glxcmdsswap.c')
-rw-r--r-- | glx/glxcmdsswap.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c index 5d179f317..9ec1222f8 100644 --- a/glx/glxcmdsswap.c +++ b/glx/glxcmdsswap.c @@ -958,11 +958,13 @@ __glXDispSwap_RenderLarge(__GLXclientState * cl, GLbyte * pc) int __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; xGLXVendorPrivateReq *req; GLint vendorcode; __GLXdispatchVendorPrivProcPtr proc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq); req = (xGLXVendorPrivateReq *) pc; __GLX_SWAP_SHORT(&req->length); @@ -985,11 +987,13 @@ __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc) int __glXDispSwap_VendorPrivateWithReply(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; xGLXVendorPrivateWithReplyReq *req; GLint vendorcode; __GLXdispatchVendorPrivProcPtr proc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq); req = (xGLXVendorPrivateWithReplyReq *) pc; __GLX_SWAP_SHORT(&req->length); |