| 1 | From 9802a0162f738de03585ca3f3b8a8266494f7d45 Mon Sep 17 00:00:00 2001 |
| 2 | From: Keith Packard <keithp@keithp.com> |
| 3 | Date: Tue, 9 Dec 2014 09:30:59 -0800 |
| 4 | Subject: Missing parens in REQUEST_FIXED_SIZE macro [CVE-2014-8092 pt. 5] |
| 5 | |
| 6 | The 'n' parameter must be surrounded by parens in both places to |
| 7 | prevent precedence from mis-computing things. |
| 8 | |
| 9 | Signed-off-by: Keith Packard <keithp@keithp.com> |
| 10 | Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> |
| 11 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> |
| 12 | |
| 13 | --- a/include/dix.h |
| 14 | +++ b/include/dix.h |
| 15 | @@ -80,7 +80,7 @@ SOFTWARE. |
| 16 | |
| 17 | #define REQUEST_FIXED_SIZE(req, n)\ |
| 18 | if (((sizeof(req) >> 2) > client->req_len) || \ |
| 19 | - ((n >> 2) >= client->req_len) || \ |
| 20 | + (((n) >> 2) >= client->req_len) || \ |
| 21 | ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \ |
| 22 | return(BadLength) |
| 23 | |