diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2014-01-26 19:51:29 -0800 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2014-12-08 18:09:48 -0800 |
commit | 5d3a788aeb2fbd3ca2812747dc18c94a8b981c63 (patch) | |
tree | b5cbf93a3eb2cc304203a27c7024c85c795636b4 /render | |
parent | b5f9ef03df6a650571b29d3d1c1d2b67c6e84336 (diff) |
render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Diffstat (limited to 'render')
-rw-r--r-- | render/render.c | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/render/render.c b/render/render.c index 200e0c826..723f380c2 100644 --- a/render/render.c +++ b/render/render.c @@ -1995,7 +1995,7 @@ static int SProcRenderQueryVersion(ClientPtr client) { REQUEST(xRenderQueryVersionReq); - + REQUEST_SIZE_MATCH(xRenderQueryVersionReq); swaps(&stuff->length); swapl(&stuff->majorVersion); swapl(&stuff->minorVersion); @@ -2006,6 +2006,7 @@ static int SProcRenderQueryPictFormats(ClientPtr client) { REQUEST(xRenderQueryPictFormatsReq); + REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq); swaps(&stuff->length); return (*ProcRenderVector[stuff->renderReqType]) (client); } @@ -2014,6 +2015,7 @@ static int SProcRenderQueryPictIndexValues(ClientPtr client) { REQUEST(xRenderQueryPictIndexValuesReq); + REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq); swaps(&stuff->length); swapl(&stuff->format); return (*ProcRenderVector[stuff->renderReqType]) (client); @@ -2029,6 +2031,7 @@ static int SProcRenderCreatePicture(ClientPtr client) { REQUEST(xRenderCreatePictureReq); + REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq); swaps(&stuff->length); swapl(&stuff->pid); swapl(&stuff->drawable); @@ -2042,6 +2045,7 @@ static int SProcRenderChangePicture(ClientPtr client) { REQUEST(xRenderChangePictureReq); + REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq); swaps(&stuff->length); swapl(&stuff->picture); swapl(&stuff->mask); @@ -2053,6 +2057,7 @@ static int SProcRenderSetPictureClipRectangles(ClientPtr client) { REQUEST(xRenderSetPictureClipRectanglesReq); + REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq); swaps(&stuff->length); swapl(&stuff->picture); swaps(&stuff->xOrigin); @@ -2065,6 +2070,7 @@ static int SProcRenderFreePicture(ClientPtr client) { REQUEST(xRenderFreePictureReq); + REQUEST_SIZE_MATCH(xRenderFreePictureReq); swaps(&stuff->length); swapl(&stuff->picture); return (*ProcRenderVector[stuff->renderReqType]) (client); @@ -2074,6 +2080,7 @@ static int SProcRenderComposite(ClientPtr client) { REQUEST(xRenderCompositeReq); + REQUEST_SIZE_MATCH(xRenderCompositeReq); swaps(&stuff->length); swapl(&stuff->src); swapl(&stuff->mask); @@ -2093,6 +2100,7 @@ static int SProcRenderScale(ClientPtr client) { REQUEST(xRenderScaleReq); + REQUEST_SIZE_MATCH(xRenderScaleReq); swaps(&stuff->length); swapl(&stuff->src); swapl(&stuff->dst); @@ -2193,6 +2201,7 @@ static int SProcRenderCreateGlyphSet(ClientPtr client) { REQUEST(xRenderCreateGlyphSetReq); + REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq); swaps(&stuff->length); swapl(&stuff->gsid); swapl(&stuff->format); @@ -2203,6 +2212,7 @@ static int SProcRenderReferenceGlyphSet(ClientPtr client) { REQUEST(xRenderReferenceGlyphSetReq); + REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq); swaps(&stuff->length); swapl(&stuff->gsid); swapl(&stuff->existing); @@ -2213,6 +2223,7 @@ static int SProcRenderFreeGlyphSet(ClientPtr client) { REQUEST(xRenderFreeGlyphSetReq); + REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq); swaps(&stuff->length); swapl(&stuff->glyphset); return (*ProcRenderVector[stuff->renderReqType]) (client); @@ -2227,6 +2238,7 @@ SProcRenderAddGlyphs(ClientPtr client) xGlyphInfo *gi; REQUEST(xRenderAddGlyphsReq); + REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq); swaps(&stuff->length); swapl(&stuff->glyphset); swapl(&stuff->nglyphs); @@ -2261,6 +2273,7 @@ static int SProcRenderFreeGlyphs(ClientPtr client) { REQUEST(xRenderFreeGlyphsReq); + REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq); swaps(&stuff->length); swapl(&stuff->glyphset); SwapRestL(stuff); @@ -2278,6 +2291,7 @@ SProcRenderCompositeGlyphs(ClientPtr client) int size; REQUEST(xRenderCompositeGlyphsReq); + REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq); switch (stuff->renderReqType) { default: |