| 1 | From c21e46f03bd2096aaed666d91a3188a5676f6222 Mon Sep 17 00:00:00 2001 |
| 2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> |
| 3 | Date: Sun, 26 Jan 2014 19:51:29 -0800 |
| 4 | Subject: [PATCH 15/33] render: unvalidated lengths in Render extn. swapped |
| 5 | procs [CVE-2014-8100 2/2] |
| 6 | |
| 7 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> |
| 8 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> |
| 9 | --- |
| 10 | render/render.c | 16 +++++++++++++++- |
| 11 | 1 file changed, 15 insertions(+), 1 deletion(-) |
| 12 | |
| 13 | --- a/render/render.c |
| 14 | +++ b/render/render.c |
| 15 | @@ -1995,7 +1995,7 @@ static int |
| 16 | SProcRenderQueryVersion(ClientPtr client) |
| 17 | { |
| 18 | REQUEST(xRenderQueryVersionReq); |
| 19 | - |
| 20 | + REQUEST_SIZE_MATCH(xRenderQueryVersionReq); |
| 21 | swaps(&stuff->length); |
| 22 | swapl(&stuff->majorVersion); |
| 23 | swapl(&stuff->minorVersion); |
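Review bot: The new `REQUEST_SIZE_MATCH` in SProcRenderQueryVersion sits directly above `swaps(&stuff->length)` with nothing explaining why checking before the swap is safe. As far as I know the macro compares the struct size against `client->req_len`, which the request reader has already put in host order, not against the still-unswapped `stuff->length`. A reader who assumes the latter may be tempted to move the check below the swap. I would add `/* length checks use client->req_len (host order); keep them ahead of any stuff-> field access */` here, and the same placement recurs in every other hunk of this patch. The end of the function is outside the hunk.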
| 24 | @@ -2006,6 +2006,7 @@ static int |
| 25 | SProcRenderQueryPictFormats(ClientPtr client) |
| 26 | { |
| 27 | REQUEST(xRenderQueryPictFormatsReq); |
| 28 | + REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq); |
| 29 | swaps(&stuff->length); |
| 30 | return (*ProcRenderVector[stuff->renderReqType]) (client); |
| 31 | } |
| 32 | @@ -2014,6 +2015,7 @@ static int |
| 33 | SProcRenderQueryPictIndexValues(ClientPtr client) |
| 34 | { |
| 35 | REQUEST(xRenderQueryPictIndexValuesReq); |
| 36 | + REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq); |
| 37 | swaps(&stuff->length); |
| 38 | swapl(&stuff->format); |
| 39 | return (*ProcRenderVector[stuff->renderReqType]) (client); |
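Review bot: SProcRenderQueryPictIndexValues gets `REQUEST_AT_LEAST_SIZE`, yet the visible body swaps only `length` and `format` and never touches a trailing payload, so an over-long request passes this handler with unswapped, unexamined bytes after the header. If the request is fixed-size, the stricter `REQUEST_SIZE_MATCH(xRenderQueryPictIndexValuesReq);` would match how this patch treats QueryPictFormats and FreePicture. If the looser check deliberately mirrors the non-swapped handler, a short comment saying so would stop it reading as an oversight. The closing brace is outside the hunk.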
| 40 | @@ -2029,6 +2031,7 @@ static int |
| 41 | SProcRenderCreatePicture(ClientPtr client) |
| 42 | { |
| 43 | REQUEST(xRenderCreatePictureReq); |
| 44 | + REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq); |
| 45 | swaps(&stuff->length); |
| 46 | swapl(&stuff->pid); |
| 47 | swapl(&stuff->drawable); |
| 48 | @@ -2042,6 +2045,7 @@ static int |
| 49 | SProcRenderChangePicture(ClientPtr client) |
| 50 | { |
| 51 | REQUEST(xRenderChangePictureReq); |
| 52 | + REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq); |
| 53 | swaps(&stuff->length); |
| 54 | swapl(&stuff->picture); |
| 55 | swapl(&stuff->mask); |
| 56 | @@ -2053,6 +2057,7 @@ static int |
| 57 | SProcRenderSetPictureClipRectangles(ClientPtr client) |
| 58 | { |
| 59 | REQUEST(xRenderSetPictureClipRectanglesReq); |
| 60 | + REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq); |
| 61 | swaps(&stuff->length); |
| 62 | swapl(&stuff->picture); |
| 63 | swaps(&stuff->xOrigin); |
| 64 | @@ -2065,6 +2070,7 @@ static int |
| 65 | SProcRenderFreePicture(ClientPtr client) |
| 66 | { |
| 67 | REQUEST(xRenderFreePictureReq); |
| 68 | + REQUEST_SIZE_MATCH(xRenderFreePictureReq); |
| 69 | swaps(&stuff->length); |
| 70 | swapl(&stuff->picture); |
| 71 | return (*ProcRenderVector[stuff->renderReqType]) (client); |
| 72 | @@ -2074,6 +2080,7 @@ static int |
| 73 | SProcRenderComposite(ClientPtr client) |
| 74 | { |
| 75 | REQUEST(xRenderCompositeReq); |
| 76 | + REQUEST_SIZE_MATCH(xRenderCompositeReq); |
| 77 | swaps(&stuff->length); |
| 78 | swapl(&stuff->src); |
| 79 | swapl(&stuff->mask); |
| 80 | @@ -2093,6 +2100,7 @@ static int |
| 81 | SProcRenderScale(ClientPtr client) |
| 82 | { |
| 83 | REQUEST(xRenderScaleReq); |
| 84 | + REQUEST_SIZE_MATCH(xRenderScaleReq); |
| 85 | swaps(&stuff->length); |
| 86 | swapl(&stuff->src); |
| 87 | swapl(&stuff->dst); |
| 88 | @@ -2193,6 +2201,7 @@ static int |
| 89 | SProcRenderCreateGlyphSet(ClientPtr client) |
| 90 | { |
| 91 | REQUEST(xRenderCreateGlyphSetReq); |
| 92 | + REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq); |
| 93 | swaps(&stuff->length); |
| 94 | swapl(&stuff->gsid); |
| 95 | swapl(&stuff->format); |
| 96 | @@ -2203,6 +2212,7 @@ static int |
| 97 | SProcRenderReferenceGlyphSet(ClientPtr client) |
| 98 | { |
| 99 | REQUEST(xRenderReferenceGlyphSetReq); |
| 100 | + REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq); |
| 101 | swaps(&stuff->length); |
| 102 | swapl(&stuff->gsid); |
| 103 | swapl(&stuff->existing); |
| 104 | @@ -2213,6 +2223,7 @@ static int |
| 105 | SProcRenderFreeGlyphSet(ClientPtr client) |
| 106 | { |
| 107 | REQUEST(xRenderFreeGlyphSetReq); |
| 108 | + REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq); |
| 109 | swaps(&stuff->length); |
| 110 | swapl(&stuff->glyphset); |
| 111 | return (*ProcRenderVector[stuff->renderReqType]) (client); |
| 112 | @@ -2227,6 +2238,7 @@ SProcRenderAddGlyphs(ClientPtr client) |
| 113 | xGlyphInfo *gi; |
| 114 | |
| 115 | REQUEST(xRenderAddGlyphsReq); |
| 116 | + REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq); |
| 117 | swaps(&stuff->length); |
| 118 | swapl(&stuff->glyphset); |
| 119 | swapl(&stuff->nglyphs); |
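Review bot: In SProcRenderAddGlyphs the added `REQUEST_AT_LEAST_SIZE` only guarantees that the fixed header is present; `stuff->nglyphs`, swapped two lines later, is a client-supplied count that presumably sizes the glyph-id and `xGlyphInfo` arrays walked further down. That code lies outside the hunk (which also starts mid-function), so I cannot confirm it, but every pointer derived from `nglyphs` needs comparing against the end of the request, `(CARD8 *) stuff + (client->req_len << 2)`, before anything is byte-swapped in place, returning `BadLength` otherwise. A comment at the check such as `/* header only; nglyphs-sized arrays are bounds-checked below */` would make that split explicit. The same concern applies to SProcRenderCompositeGlyphs in the last hunk, where the variable-length glyph elements are presumably parsed after the `switch`.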
| 120 | @@ -2261,6 +2273,7 @@ static int |
| 121 | SProcRenderFreeGlyphs(ClientPtr client) |
| 122 | { |
| 123 | REQUEST(xRenderFreeGlyphsReq); |
| 124 | + REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq); |
| 125 | swaps(&stuff->length); |
| 126 | swapl(&stuff->glyphset); |
| 127 | SwapRestL(stuff); |
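Review bot: The `REQUEST_AT_LEAST_SIZE` added to SProcRenderFreeGlyphs is what keeps `SwapRestL(stuff)` in bounds, and that dependency deserves a comment. If SwapRestL computes its word count as the request length minus the header size, as I believe it does, a request shorter than `xRenderFreeGlyphsReq` would make that count wrap and the in-place swap run past the request buffer. Something like `/* SwapRestL derives its count from req_len; the header size must be validated first */` above the check records why it must not be removed or reordered. The function's return is outside the hunk.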
| 128 | @@ -2278,6 +2291,7 @@ SProcRenderCompositeGlyphs(ClientPtr cli |
| 129 | int size; |
| 130 | |
| 131 | REQUEST(xRenderCompositeGlyphsReq); |
| 132 | + REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq); |
| 133 | |
| 134 | switch (stuff->renderReqType) { |
| 135 | default: |