summaryrefslogtreecommitdiff
path: root/Xi/xiallowev.c
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2014-01-26 10:54:41 -0800
committerAlan Coopersmith <alan.coopersmith@oracle.com>2014-12-08 18:09:48 -0800
commit73c63afb93c0af1bfd1969bf6e71c9edca586c77 (patch)
treee368f1f7c6b6bc8ecdcb28323f337092cbd0d4a4 /Xi/xiallowev.c
parent2ef42519c41e793579c9cea699c866fee3d9321f (diff)
Xi: unvalidated lengths in Xinput extension [CVE-2014-8095]
Multiple functions in the Xinput extension handling of requests from clients failed to check that the length of the request sent by the client was large enough to perform all the required operations and thus could read or write to memory outside the bounds of the request buffer. This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE macro in include/dix.h for the common case of needing to ensure a request is large enough to include both the request itself and a minimum amount of extra data following the request header. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Diffstat (limited to 'Xi/xiallowev.c')
-rw-r--r--Xi/xiallowev.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/Xi/xiallowev.c b/Xi/xiallowev.c
index ebef23344..ca263ef1f 100644
--- a/Xi/xiallowev.c
+++ b/Xi/xiallowev.c
@@ -48,6 +48,7 @@ int
SProcXIAllowEvents(ClientPtr client)
{
REQUEST(xXIAllowEventsReq);
+ REQUEST_AT_LEAST_SIZE(xXIAllowEventsReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
@@ -55,6 +56,7 @@ SProcXIAllowEvents(ClientPtr client)
if (stuff->length > 3) {
xXI2_2AllowEventsReq *req_xi22 = (xXI2_2AllowEventsReq *) stuff;
+ REQUEST_AT_LEAST_SIZE(xXI2_2AllowEventsReq);
swapl(&req_xi22->touchid);
swapl(&req_xi22->grab_window);
}