Commit | Line | Data |
---|---|---|
7217e0ca ML |
1 | From c21e46f03bd2096aaed666d91a3188a5676f6222 Mon Sep 17 00:00:00 2001 |
2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> | |
3 | Date: Sun, 26 Jan 2014 19:51:29 -0800 | |
4 | Subject: [PATCH 15/33] render: unvalidated lengths in Render extn. swapped | |
5 | procs [CVE-2014-8100 2/2] | |
6 | ||
7 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
8 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> | |
9 | --- | |
10 | render/render.c | 16 +++++++++++++++- | |
11 | 1 file changed, 15 insertions(+), 1 deletion(-) | |
12 | ||
7217e0ca ML |
13 | --- a/render/render.c |
14 | +++ b/render/render.c | |
15 | @@ -1995,7 +1995,7 @@ static int | |
16 | SProcRenderQueryVersion(ClientPtr client) | |
17 | { | |
18 | REQUEST(xRenderQueryVersionReq); | |
19 | - | |
20 | + REQUEST_SIZE_MATCH(xRenderQueryVersionReq); | |
21 | swaps(&stuff->length); | |
22 | swapl(&stuff->majorVersion); | |
23 | swapl(&stuff->minorVersion); | |
24 | @@ -2006,6 +2006,7 @@ static int | |
25 | SProcRenderQueryPictFormats(ClientPtr client) | |
26 | { | |
27 | REQUEST(xRenderQueryPictFormatsReq); | |
28 | + REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq); | |
29 | swaps(&stuff->length); | |
30 | return (*ProcRenderVector[stuff->renderReqType]) (client); | |
31 | } | |
32 | @@ -2014,6 +2015,7 @@ static int | |
33 | SProcRenderQueryPictIndexValues(ClientPtr client) | |
34 | { | |
35 | REQUEST(xRenderQueryPictIndexValuesReq); | |
36 | + REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq); | |
37 | swaps(&stuff->length); | |
38 | swapl(&stuff->format); | |
39 | return (*ProcRenderVector[stuff->renderReqType]) (client); | |
40 | @@ -2029,6 +2031,7 @@ static int | |
41 | SProcRenderCreatePicture(ClientPtr client) | |
42 | { | |
43 | REQUEST(xRenderCreatePictureReq); | |
44 | + REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq); | |
45 | swaps(&stuff->length); | |
46 | swapl(&stuff->pid); | |
47 | swapl(&stuff->drawable); | |
48 | @@ -2042,6 +2045,7 @@ static int | |
49 | SProcRenderChangePicture(ClientPtr client) | |
50 | { | |
51 | REQUEST(xRenderChangePictureReq); | |
52 | + REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq); | |
53 | swaps(&stuff->length); | |
54 | swapl(&stuff->picture); | |
55 | swapl(&stuff->mask); | |
56 | @@ -2053,6 +2057,7 @@ static int | |
57 | SProcRenderSetPictureClipRectangles(ClientPtr client) | |
58 | { | |
59 | REQUEST(xRenderSetPictureClipRectanglesReq); | |
60 | + REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq); | |
61 | swaps(&stuff->length); | |
62 | swapl(&stuff->picture); | |
63 | swaps(&stuff->xOrigin); | |
64 | @@ -2065,6 +2070,7 @@ static int | |
65 | SProcRenderFreePicture(ClientPtr client) | |
66 | { | |
67 | REQUEST(xRenderFreePictureReq); | |
68 | + REQUEST_SIZE_MATCH(xRenderFreePictureReq); | |
69 | swaps(&stuff->length); | |
70 | swapl(&stuff->picture); | |
71 | return (*ProcRenderVector[stuff->renderReqType]) (client); | |
72 | @@ -2074,6 +2080,7 @@ static int | |
73 | SProcRenderComposite(ClientPtr client) | |
74 | { | |
75 | REQUEST(xRenderCompositeReq); | |
76 | + REQUEST_SIZE_MATCH(xRenderCompositeReq); | |
77 | swaps(&stuff->length); | |
78 | swapl(&stuff->src); | |
79 | swapl(&stuff->mask); | |
80 | @@ -2093,6 +2100,7 @@ static int | |
81 | SProcRenderScale(ClientPtr client) | |
82 | { | |
83 | REQUEST(xRenderScaleReq); | |
84 | + REQUEST_SIZE_MATCH(xRenderScaleReq); | |
85 | swaps(&stuff->length); | |
86 | swapl(&stuff->src); | |
87 | swapl(&stuff->dst); | |
88 | @@ -2193,6 +2201,7 @@ static int | |
89 | SProcRenderCreateGlyphSet(ClientPtr client) | |
90 | { | |
91 | REQUEST(xRenderCreateGlyphSetReq); | |
92 | + REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq); | |
93 | swaps(&stuff->length); | |
94 | swapl(&stuff->gsid); | |
95 | swapl(&stuff->format); | |
96 | @@ -2203,6 +2212,7 @@ static int | |
97 | SProcRenderReferenceGlyphSet(ClientPtr client) | |
98 | { | |
99 | REQUEST(xRenderReferenceGlyphSetReq); | |
100 | + REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq); | |
101 | swaps(&stuff->length); | |
102 | swapl(&stuff->gsid); | |
103 | swapl(&stuff->existing); | |
104 | @@ -2213,6 +2223,7 @@ static int | |
105 | SProcRenderFreeGlyphSet(ClientPtr client) | |
106 | { | |
107 | REQUEST(xRenderFreeGlyphSetReq); | |
108 | + REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq); | |
109 | swaps(&stuff->length); | |
110 | swapl(&stuff->glyphset); | |
111 | return (*ProcRenderVector[stuff->renderReqType]) (client); | |
112 | @@ -2227,6 +2238,7 @@ SProcRenderAddGlyphs(ClientPtr client) | |
113 | xGlyphInfo *gi; | |
114 | ||
115 | REQUEST(xRenderAddGlyphsReq); | |
116 | + REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq); | |
117 | swaps(&stuff->length); | |
118 | swapl(&stuff->glyphset); | |
119 | swapl(&stuff->nglyphs); | |
120 | @@ -2261,6 +2273,7 @@ static int | |
121 | SProcRenderFreeGlyphs(ClientPtr client) | |
122 | { | |
123 | REQUEST(xRenderFreeGlyphsReq); | |
124 | + REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq); | |
125 | swaps(&stuff->length); | |
126 | swapl(&stuff->glyphset); | |
127 | SwapRestL(stuff); | |
4db25562 | 128 | @@ -2278,6 +2291,7 @@ SProcRenderCompositeGlyphs(ClientPtr cli |
7217e0ca ML |
129 | int size; |
130 | ||
131 | REQUEST(xRenderCompositeGlyphsReq); | |
132 | + REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq); | |
133 | ||
134 | switch (stuff->renderReqType) { | |
135 | default: |