author | Nathan Kidd <nkidd@opentext.com> | 2014-12-21 01:10:03 -0500 |
---|---|---|
committer | Adam Jackson <ajax@redhat.com> | 2017-10-12 12:25:19 -0400 |
commit | d264da92f7f8129b8aad4f0114a6467fc38fc896 (patch) | |
tree | 1da9792664fcd5957c3db9c7433ad71904bdf94b /Xext | |
parent | 61502107a30d64f991784648c3228ebc6694a032 (diff) |
hw/xfree86: unvalidated lengths
This addresses:
CVE-2017-12180 in XFree86-VidModeExtension
CVE-2017-12181 in XFree86-DGA
CVE-2017-12182 in XFree86-DRI
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 1b1d4c04695dced2463404174b50b3581dbd857b)
Diffstat (limited to 'Xext')
-rw-r--r-- | Xext/vidmode.c | 129 |
1 files changed, 70 insertions, 59 deletions
diff --git a/Xext/vidmode.c b/Xext/vidmode.c index ea3ad1320..76055c89a 100644 --- a/Xext/vidmode.c +++ b/Xext/vidmode.c @@ -454,6 +454,20 @@ ProcVidModeAddModeLine(ClientPtr client) DEBUG_P("XF86VidModeAddModeline"); ver = ClientMajorVersion(client); + + if (ver < 2) { + REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq); + len = + client->req_len - + bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq)); + } + else { + REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq); + len = + client->req_len - + bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq)); + } + if (ver < 2) { /* convert from old format */ stuff = &newstuff; @@ -501,18 +515,6 @@ ProcVidModeAddModeLine(ClientPtr client) stuff->after_vsyncend, stuff->after_vtotal, (unsigned long) stuff->after_flags); - if (ver < 2) { - REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq); - len = - client->req_len - - bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq)); - } - else { - REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq); - len = - client->req_len - - bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq)); - } if (len != stuff->privsize) return BadLength; @@ -622,6 +624,20 @@ ProcVidModeDeleteModeLine(ClientPtr client) DEBUG_P("XF86VidModeDeleteModeline"); ver = ClientMajorVersion(client); + + if (ver < 2) { + REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq); + len = + client->req_len - + bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq)); + } + else { + REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq); + len = + client->req_len - + bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq)); + } + if (ver < 2) { /* convert from old format */ stuff = &newstuff; 
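Review bot: In ProcVidModeAddModeLine (the `@@ -454` hunk) the relocated length check now sits directly above a second `if (ver < 2)`, and nothing says why the two must stay separate and in this order. A later cleanup could merge or reorder them and, presumably, bring back the field reads on an unvalidated request that this commit removes. A one-line comment above the new block would pin the intent: `/* Validate req_len before the old-format conversion below reads request fields. */`. The same block is added in ProcVidModeDeleteModeLine, ProcVidModeModModeLine, ProcVidModeValidateModeLine and ProcVidModeSwitchToMode, so the comment applies there too, and a small helper macro taking the old and new request types would remove the five-fold duplication. The conversion body and the declaration of `len` are outside the hunk.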
@@ -649,18 +665,6 @@ ProcVidModeDeleteModeLine(ClientPtr client) stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal, (unsigned long) stuff->flags); - if (ver < 2) { - REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq); - len = - client->req_len - - bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq)); - } - else { - REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq); - len = - client->req_len - - bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq)); - } if (len != stuff->privsize) { DebugF("req_len = %ld, sizeof(Req) = %d, privsize = %ld, " "len = %d, length = %d\n", @@ -744,6 +748,20 @@ ProcVidModeModModeLine(ClientPtr client) DEBUG_P("XF86VidModeModModeline"); ver = ClientMajorVersion(client); + + if (ver < 2) { + REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq); + len = + client->req_len - + bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq)); + } + else { + REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq); + len = + client->req_len - + bytes_to_int32(sizeof(xXF86VidModeModModeLineReq)); + } + if (ver < 2) { /* convert from old format */ stuff = &newstuff; @@ -768,18 +786,6 @@ ProcVidModeModModeLine(ClientPtr client) stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal, (unsigned long) stuff->flags); - if (ver < 2) { - REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq); - len = - client->req_len - - bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq)); - } - else { - REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq); - len = - client->req_len - - bytes_to_int32(sizeof(xXF86VidModeModModeLineReq)); - } if (len != stuff->privsize) return BadLength; 
@@ -877,6 +883,19 @@ ProcVidModeValidateModeLine(ClientPtr client) DEBUG_P("XF86VidModeValidateModeline"); ver = ClientMajorVersion(client); + + if (ver < 2) { + REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq); + len = client->req_len - + bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq)); + } + else { + REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq); + len = + client->req_len - + bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq)); + } + if (ver < 2) { /* convert from old format */ stuff = &newstuff; @@ -905,17 +924,6 @@ ProcVidModeValidateModeLine(ClientPtr client) stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal, (unsigned long) stuff->flags); - if (ver < 2) { - REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq); - len = client->req_len - - bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq)); - } - else { - REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq); - len = - client->req_len - - bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq)); - } if (len != stuff->privsize) return BadLength; @@ -1027,6 +1035,20 @@ ProcVidModeSwitchToMode(ClientPtr client) DEBUG_P("XF86VidModeSwitchToMode"); ver = ClientMajorVersion(client); + + if (ver < 2) { + REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq); + len = + client->req_len - + bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq)); + } + else { + REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq); + len = + client->req_len - + bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq)); + } + if (ver < 2) { /* convert from old format */ stuff = &newstuff; 
@@ -1055,18 +1077,6 @@ ProcVidModeSwitchToMode(ClientPtr client) stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal, (unsigned long) stuff->flags); - if (ver < 2) { - REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq); - len = - client->req_len - - bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq)); - } - else { - REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq); - len = - client->req_len - - bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq)); - } if (len != stuff->privsize) return BadLength; @@ -1457,6 +1467,7 @@ ProcVidModeSetGammaRamp(ClientPtr client) VidModePtr pVidMode; REQUEST(xXF86VidModeSetGammaRampReq); + REQUEST_AT_LEAST_SIZE(xXF86VidModeSetGammaRampReq); if (stuff->screen >= screenInfo.numScreens) return BadValue; |
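Review bot: In ProcVidModeSetGammaRamp (the `@@ -1457` hunk), `REQUEST_AT_LEAST_SIZE(xXF86VidModeSetGammaRampReq)` only guarantees that the fixed header is present. That makes the `stuff->screen` read safe but does not bound the ramp data that follows the header. The rest of the function is outside this hunk; if it does not already check that payload against the client-supplied size (for example with `REQUEST_FIXED_SIZE`), that check is still needed before the ramp values are read. A short comment such as `/* header only; ramp payload length is validated separately below */` next to the new line would make the split explicit.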