Commit | Line | Data |
---|---|---|
7217e0ca ML |
1 | From c21e46f03bd2096aaed666d91a3188a5676f6222 Mon Sep 17 00:00:00 2001 |
2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> | |
3 | Date: Sun, 26 Jan 2014 19:51:29 -0800 | |
4 | Subject: [PATCH 15/33] render: unvalidated lengths in Render extn. swapped | |
5 | procs [CVE-2014-8100 2/2] | |
6 | ||
7 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
8 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> | |
9 | --- | |
10 | render/render.c | 16 +++++++++++++++- | |
11 | 1 file changed, 15 insertions(+), 1 deletion(-) | |
12 | ||
13 | diff --git a/render/render.c b/render/render.c | |
14 | index 200e0c8..723f380 100644 | |
15 | --- a/render/render.c | |
16 | +++ b/render/render.c | |
17 | @@ -1995,7 +1995,7 @@ static int | |
18 | SProcRenderQueryVersion(ClientPtr client) | |
19 | { | |
20 | REQUEST(xRenderQueryVersionReq); | |
21 | - | |
22 | + REQUEST_SIZE_MATCH(xRenderQueryVersionReq); | |
23 | swaps(&stuff->length); | |
24 | swapl(&stuff->majorVersion); | |
25 | swapl(&stuff->minorVersion); | |
26 | @@ -2006,6 +2006,7 @@ static int | |
27 | SProcRenderQueryPictFormats(ClientPtr client) | |
28 | { | |
29 | REQUEST(xRenderQueryPictFormatsReq); | |
30 | + REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq); | |
31 | swaps(&stuff->length); | |
32 | return (*ProcRenderVector[stuff->renderReqType]) (client); | |
33 | } | |
34 | @@ -2014,6 +2015,7 @@ static int | |
35 | SProcRenderQueryPictIndexValues(ClientPtr client) | |
36 | { | |
37 | REQUEST(xRenderQueryPictIndexValuesReq); | |
38 | + REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq); | |
39 | swaps(&stuff->length); | |
40 | swapl(&stuff->format); | |
41 | return (*ProcRenderVector[stuff->renderReqType]) (client); | |
42 | @@ -2029,6 +2031,7 @@ static int | |
43 | SProcRenderCreatePicture(ClientPtr client) | |
44 | { | |
45 | REQUEST(xRenderCreatePictureReq); | |
46 | + REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq); | |
47 | swaps(&stuff->length); | |
48 | swapl(&stuff->pid); | |
49 | swapl(&stuff->drawable); | |
50 | @@ -2042,6 +2045,7 @@ static int | |
51 | SProcRenderChangePicture(ClientPtr client) | |
52 | { | |
53 | REQUEST(xRenderChangePictureReq); | |
54 | + REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq); | |
55 | swaps(&stuff->length); | |
56 | swapl(&stuff->picture); | |
57 | swapl(&stuff->mask); | |
58 | @@ -2053,6 +2057,7 @@ static int | |
59 | SProcRenderSetPictureClipRectangles(ClientPtr client) | |
60 | { | |
61 | REQUEST(xRenderSetPictureClipRectanglesReq); | |
62 | + REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq); | |
63 | swaps(&stuff->length); | |
64 | swapl(&stuff->picture); | |
65 | swaps(&stuff->xOrigin); | |
66 | @@ -2065,6 +2070,7 @@ static int | |
67 | SProcRenderFreePicture(ClientPtr client) | |
68 | { | |
69 | REQUEST(xRenderFreePictureReq); | |
70 | + REQUEST_SIZE_MATCH(xRenderFreePictureReq); | |
71 | swaps(&stuff->length); | |
72 | swapl(&stuff->picture); | |
73 | return (*ProcRenderVector[stuff->renderReqType]) (client); | |
74 | @@ -2074,6 +2080,7 @@ static int | |
75 | SProcRenderComposite(ClientPtr client) | |
76 | { | |
77 | REQUEST(xRenderCompositeReq); | |
78 | + REQUEST_SIZE_MATCH(xRenderCompositeReq); | |
79 | swaps(&stuff->length); | |
80 | swapl(&stuff->src); | |
81 | swapl(&stuff->mask); | |
82 | @@ -2093,6 +2100,7 @@ static int | |
83 | SProcRenderScale(ClientPtr client) | |
84 | { | |
85 | REQUEST(xRenderScaleReq); | |
86 | + REQUEST_SIZE_MATCH(xRenderScaleReq); | |
87 | swaps(&stuff->length); | |
88 | swapl(&stuff->src); | |
89 | swapl(&stuff->dst); | |
90 | @@ -2193,6 +2201,7 @@ static int | |
91 | SProcRenderCreateGlyphSet(ClientPtr client) | |
92 | { | |
93 | REQUEST(xRenderCreateGlyphSetReq); | |
94 | + REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq); | |
95 | swaps(&stuff->length); | |
96 | swapl(&stuff->gsid); | |
97 | swapl(&stuff->format); | |
98 | @@ -2203,6 +2212,7 @@ static int | |
99 | SProcRenderReferenceGlyphSet(ClientPtr client) | |
100 | { | |
101 | REQUEST(xRenderReferenceGlyphSetReq); | |
102 | + REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq); | |
103 | swaps(&stuff->length); | |
104 | swapl(&stuff->gsid); | |
105 | swapl(&stuff->existing); | |
106 | @@ -2213,6 +2223,7 @@ static int | |
107 | SProcRenderFreeGlyphSet(ClientPtr client) | |
108 | { | |
109 | REQUEST(xRenderFreeGlyphSetReq); | |
110 | + REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq); | |
111 | swaps(&stuff->length); | |
112 | swapl(&stuff->glyphset); | |
113 | return (*ProcRenderVector[stuff->renderReqType]) (client); | |
114 | @@ -2227,6 +2238,7 @@ SProcRenderAddGlyphs(ClientPtr client) | |
115 | xGlyphInfo *gi; | |
116 | ||
117 | REQUEST(xRenderAddGlyphsReq); | |
118 | + REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq); | |
119 | swaps(&stuff->length); | |
120 | swapl(&stuff->glyphset); | |
121 | swapl(&stuff->nglyphs); | |
122 | @@ -2261,6 +2273,7 @@ static int | |
123 | SProcRenderFreeGlyphs(ClientPtr client) | |
124 | { | |
125 | REQUEST(xRenderFreeGlyphsReq); | |
126 | + REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq); | |
127 | swaps(&stuff->length); | |
128 | swapl(&stuff->glyphset); | |
129 | SwapRestL(stuff); | |
130 | @@ -2278,6 +2291,7 @@ SProcRenderCompositeGlyphs(ClientPtr client) | |
131 | int size; | |
132 | ||
133 | REQUEST(xRenderCompositeGlyphsReq); | |
134 | + REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq); | |
135 | ||
136 | switch (stuff->renderReqType) { | |
137 | default: | |
138 | -- | |
139 | 1.7.9.2 | |
140 |