diff options
| author | Nathan Kidd <nkidd@opentext.com> | 2015-01-09 11:43:05 -0500 |
|---|---|---|
| committer | Adam Jackson <ajax@redhat.com> | 2017-10-12 12:25:10 -0400 |
| commit | 61502107a30d64f991784648c3228ebc6694a032 (patch) | |
| tree | 435b66047a38b73cce6707e96cd1aec5c3b8c17b /xfixes | |
| parent | c206f36a4b6ecf2555ab2291c349ab7d7d0b02f5 (diff) | |
xfixes: unvalidated lengths (CVE-2017-12183)
v2: Use before swap (Jeremy Huddleston Sequoia)
v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 55caa8b08c84af2b50fbc936cf334a5a93dd7db5)
Diffstat (limited to 'xfixes')
| -rw-r--r-- | xfixes/cursor.c | 5 | ||||
| -rw-r--r-- | xfixes/region.c | 3 | ||||
| -rw-r--r-- | xfixes/saveset.c | 1 | ||||
| -rw-r--r-- | xfixes/xfixes.c | 1 |
4 files changed, 8 insertions, 2 deletions
diff --git a/xfixes/cursor.c b/xfixes/cursor.c index f009a78b9..6e84d71f1 100644 --- a/xfixes/cursor.c +++ b/xfixes/cursor.c @@ -281,6 +281,7 @@ int SProcXFixesSelectCursorInput(ClientPtr client) { REQUEST(xXFixesSelectCursorInputReq); + REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq); swaps(&stuff->length); swapl(&stuff->window); @@ -414,7 +415,7 @@ ProcXFixesSetCursorName(ClientPtr client) REQUEST(xXFixesSetCursorNameReq); Atom atom; - REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq); + REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes); VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess); tchar = (char *) &stuff[1]; atom = MakeAtom(tchar, stuff->nbytes, TRUE); @@ -1007,6 +1008,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client) int i; CARD16 *in_devices = (CARD16 *) &stuff[1]; + REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq); + swaps(&stuff->length); swaps(&stuff->num_devices); REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices)); diff --git a/xfixes/region.c b/xfixes/region.c index dd74d7f7e..f300d2b6e 100644 --- a/xfixes/region.c +++ b/xfixes/region.c @@ -359,6 +359,7 @@ ProcXFixesCopyRegion(ClientPtr client) RegionPtr pSource, pDestination; REQUEST(xXFixesCopyRegionReq); + REQUEST_SIZE_MATCH(xXFixesCopyRegionReq); VERIFY_REGION(pSource, stuff->source, client, DixReadAccess); VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess); @@ -375,7 +376,7 @@ SProcXFixesCopyRegion(ClientPtr client) REQUEST(xXFixesCopyRegionReq); swaps(&stuff->length); - REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq); + REQUEST_SIZE_MATCH(xXFixesCopyRegionReq); swapl(&stuff->source); swapl(&stuff->destination); return (*ProcXFixesVector[stuff->xfixesReqType]) (client); diff --git a/xfixes/saveset.c b/xfixes/saveset.c index eb3f6589e..aa365cfe5 100644 --- a/xfixes/saveset.c +++ b/xfixes/saveset.c @@ -62,6 +62,7 @@ int SProcXFixesChangeSaveSet(ClientPtr client) { REQUEST(xXFixesChangeSaveSetReq); + REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq); swaps(&stuff->length); swapl(&stuff->window); diff --git a/xfixes/xfixes.c b/xfixes/xfixes.c index 8d1bd4cc6..8b45c5349 100644 --- a/xfixes/xfixes.c +++ b/xfixes/xfixes.c @@ -160,6 +160,7 @@ static int SProcXFixesQueryVersion(ClientPtr client) { REQUEST(xXFixesQueryVersionReq); + REQUEST_SIZE_MATCH(xXFixesQueryVersionReq); swaps(&stuff->length); swapl(&stuff->majorVersion); |