diff options
| author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2014-01-26 19:33:34 -0800 |
|---|---|---|
| committer | Julien Cristau <jcristau@debian.org> | 2014-12-09 17:50:12 +0100 |
| commit | ea45001614b771933590a77fdd281b910c637c1b (patch) | |
| tree | dbef3c694c534c0b2f0ef8248ea90c01ad9d7187 | |
| parent | e3a1255a727518332c4a8d2af30c357aee0d50f0 (diff) | |
present: unvalidated lengths in Present extension procs [CVE-2014-8103 2/2]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit d155b7a8e38e74aee96bf52c20c8b6a330d7d462)
Signed-off-by: Julien Cristau <jcristau@debian.org>
| -rw-r--r-- | present/present_request.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/present/present_request.c b/present/present_request.c index 835890d28..7c53e7262 100644 --- a/present/present_request.c +++ b/present/present_request.c @@ -210,6 +210,7 @@ proc_present_query_capabilities (ClientPtr client) RRCrtcPtr crtc = NULL; int r; + REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq); r = dixLookupWindow(&window, stuff->target, client, DixGetAttrAccess); switch (r) { case Success: @@ -254,6 +255,7 @@ static int sproc_present_query_version(ClientPtr client) { REQUEST(xPresentQueryVersionReq); + REQUEST_SIZE_MATCH(xPresentQueryVersionReq); swaps(&stuff->length); swapl(&stuff->majorVersion); @@ -265,6 +267,7 @@ static int sproc_present_pixmap(ClientPtr client) { REQUEST(xPresentPixmapReq); + REQUEST_AT_LEAST_SIZE(xPresentPixmapReq); swaps(&stuff->length); swapl(&stuff->window); @@ -284,6 +287,7 @@ static int sproc_present_notify_msc(ClientPtr client) { REQUEST(xPresentNotifyMSCReq); + REQUEST_SIZE_MATCH(xPresentNotifyMSCReq); swaps(&stuff->length); swapl(&stuff->window); @@ -297,6 +301,7 @@ static int sproc_present_select_input (ClientPtr client) { REQUEST(xPresentSelectInputReq); + REQUEST_SIZE_MATCH(xPresentSelectInputReq); swaps(&stuff->length); swapl(&stuff->window); @@ -308,6 +313,7 @@ static int sproc_present_query_capabilities (ClientPtr client) { REQUEST(xPresentQueryCapabilitiesReq); + REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq); swaps(&stuff->length); swapl(&stuff->target); return (*proc_present_vector[stuff->presentReqType]) (client); |