1 | From 9802a0162f738de03585ca3f3b8a8266494f7d45 Mon Sep 17 00:00:00 2001 |
2 | From: Keith Packard <keithp@keithp.com> | |
3 | Date: Tue, 9 Dec 2014 09:30:59 -0800 | |
4 | Subject: Missing parens in REQUEST_FIXED_SIZE macro [CVE-2014-8092 pt. 5] | |
5 | ||
6 | The 'n' parameter must be surrounded by parens in both places to | |
7 | prevent precedence from mis-computing things. | |
8 | ||
9 | Signed-off-by: Keith Packard <keithp@keithp.com> | |
10 | Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
11 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
12 | ||
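--- a/include/dix.h
+++ b/include/dix.h
@@ -80,7 +80,7 @@ SOFTWARE.
 
 #define REQUEST_FIXED_SIZE(req, n)\
 if (((sizeof(req) >> 2) > client->req_len) || \
- ((n >> 2) >= client->req_len) || \
+ (((n) >> 2) >= client->req_len) || \
 ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \
 return(BadLength)
 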
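Review bot: `n` is still expanded twice in REQUEST_FIXED_SIZE, once in the `((n) >> 2)` clause and once in the `(uint64_t) sizeof(req) + (n) + 3` clause, so the added parens fix precedence but the length check still assumes an argument with no side effects. If a caller passes a signed expression that can go negative, the shift and the 64-bit sum would presumably see it differently, so the macro's contract should state that `n` is an unsigned byte count. The macro also expands to a bare `if (...) return(BadLength)`, which would bind to a following `else` at a call site. I would add a comment above the `#define`, for example `/* n: unsigned byte count, evaluated twice, no side effects; needs 'client' in scope */`, and consider a `do { ... } while (0)` wrapper as a follow-up. The call sites are outside this hunk, so what they actually pass needs checking there.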