1 From 362ea7ec75543b694ebc8ab7268a2402e80a10bd Mon Sep 17 00:00:00 2001
2 From: Alan Coopersmith <alan.coopersmith@oracle.com>
3 Date: Sun, 26 Jan 2014 19:23:17 -0800
4 Subject: [PATCH 10/33] Xv: unvalidated lengths in XVideo extension swapped
7 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
8 Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
10 Xext/xvdisp.c | 20 ++++++++++++++++++++
11 1 file changed, 20 insertions(+)
13 Index: xorg-server-1.16.0/Xext/xvdisp.c
14 ===================================================================
15 --- xorg-server-1.16.0.orig/Xext/xvdisp.c 2014-12-04 11:15:10.726714736 -0500
16 +++ xorg-server-1.16.0/Xext/xvdisp.c 2014-12-04 11:15:10.722714693 -0500
18 SProcXvQueryExtension(ClientPtr client)
20 REQUEST(xvQueryExtensionReq);
21 + REQUEST_SIZE_MATCH(xvQueryExtensionReq);
22 swaps(&stuff->length);
23 return XvProcVector[xv_QueryExtension] (client);
26 SProcXvQueryAdaptors(ClientPtr client)
28 REQUEST(xvQueryAdaptorsReq);
29 + REQUEST_SIZE_MATCH(xvQueryAdaptorsReq);
30 swaps(&stuff->length);
31 swapl(&stuff->window);
32 return XvProcVector[xv_QueryAdaptors] (client);
34 SProcXvQueryEncodings(ClientPtr client)
36 REQUEST(xvQueryEncodingsReq);
37 + REQUEST_SIZE_MATCH(xvQueryEncodingsReq);
38 swaps(&stuff->length);
40 return XvProcVector[xv_QueryEncodings] (client);
42 SProcXvGrabPort(ClientPtr client)
44 REQUEST(xvGrabPortReq);
45 + REQUEST_SIZE_MATCH(xvGrabPortReq);
46 swaps(&stuff->length);
50 SProcXvUngrabPort(ClientPtr client)
52 REQUEST(xvUngrabPortReq);
53 + REQUEST_SIZE_MATCH(xvUngrabPortReq);
54 swaps(&stuff->length);
58 SProcXvPutVideo(ClientPtr client)
60 REQUEST(xvPutVideoReq);
61 + REQUEST_SIZE_MATCH(xvPutVideoReq);
62 swaps(&stuff->length);
64 swapl(&stuff->drawable);
66 SProcXvPutStill(ClientPtr client)
68 REQUEST(xvPutStillReq);
69 + REQUEST_SIZE_MATCH(xvPutStillReq);
70 swaps(&stuff->length);
72 swapl(&stuff->drawable);
74 SProcXvGetVideo(ClientPtr client)
76 REQUEST(xvGetVideoReq);
77 + REQUEST_SIZE_MATCH(xvGetVideoReq);
78 swaps(&stuff->length);
80 swapl(&stuff->drawable);
82 SProcXvGetStill(ClientPtr client)
84 REQUEST(xvGetStillReq);
85 + REQUEST_SIZE_MATCH(xvGetStillReq);
86 swaps(&stuff->length);
88 swapl(&stuff->drawable);
90 SProcXvPutImage(ClientPtr client)
92 REQUEST(xvPutImageReq);
93 + REQUEST_AT_LEAST_SIZE(xvPutImageReq);
94 swaps(&stuff->length);
96 swapl(&stuff->drawable);
98 SProcXvShmPutImage(ClientPtr client)
100 REQUEST(xvShmPutImageReq);
101 + REQUEST_SIZE_MATCH(xvShmPutImageReq);
102 swaps(&stuff->length);
104 swapl(&stuff->drawable);
105 @@ -1379,6 +1390,7 @@
106 SProcXvSelectVideoNotify(ClientPtr client)
108 REQUEST(xvSelectVideoNotifyReq);
109 + REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq);
110 swaps(&stuff->length);
111 swapl(&stuff->drawable);
112 return XvProcVector[xv_SelectVideoNotify] (client);
113 @@ -1388,6 +1400,7 @@
114 SProcXvSelectPortNotify(ClientPtr client)
116 REQUEST(xvSelectPortNotifyReq);
117 + REQUEST_SIZE_MATCH(xvSelectPortNotifyReq);
118 swaps(&stuff->length);
120 return XvProcVector[xv_SelectPortNotify] (client);
121 @@ -1397,6 +1410,7 @@
122 SProcXvStopVideo(ClientPtr client)
124 REQUEST(xvStopVideoReq);
125 + REQUEST_SIZE_MATCH(xvStopVideoReq);
126 swaps(&stuff->length);
128 swapl(&stuff->drawable);
129 @@ -1407,6 +1421,7 @@
130 SProcXvSetPortAttribute(ClientPtr client)
132 REQUEST(xvSetPortAttributeReq);
133 + REQUEST_SIZE_MATCH(xvSetPortAttributeReq);
134 swaps(&stuff->length);
136 swapl(&stuff->attribute);
137 @@ -1418,6 +1433,7 @@
138 SProcXvGetPortAttribute(ClientPtr client)
140 REQUEST(xvGetPortAttributeReq);
141 + REQUEST_SIZE_MATCH(xvGetPortAttributeReq);
142 swaps(&stuff->length);
144 swapl(&stuff->attribute);
145 @@ -1428,6 +1444,7 @@
146 SProcXvQueryBestSize(ClientPtr client)
148 REQUEST(xvQueryBestSizeReq);
149 + REQUEST_SIZE_MATCH(xvQueryBestSizeReq);
150 swaps(&stuff->length);
152 swaps(&stuff->vid_w);
153 @@ -1441,6 +1458,7 @@
154 SProcXvQueryPortAttributes(ClientPtr client)
156 REQUEST(xvQueryPortAttributesReq);
157 + REQUEST_SIZE_MATCH(xvQueryPortAttributesReq);
158 swaps(&stuff->length);
160 return XvProcVector[xv_QueryPortAttributes] (client);
161 @@ -1450,6 +1468,7 @@
162 SProcXvQueryImageAttributes(ClientPtr client)
164 REQUEST(xvQueryImageAttributesReq);
165 + REQUEST_SIZE_MATCH(xvQueryImageAttributesReq);
166 swaps(&stuff->length);
169 @@ -1462,6 +1481,7 @@
170 SProcXvListImageFormats(ClientPtr client)
172 REQUEST(xvListImageFormatsReq);
173 + REQUEST_SIZE_MATCH(xvListImageFormatsReq);
174 swaps(&stuff->length);
176 return XvProcVector[xv_ListImageFormats] (client);