[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0013-randr-unvalidated-lengths-in-RandR-extension-swapped.patch

From 1322c6ce2a64ca3290ec76144d8443dec50f2183 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 26 Jan 2014 19:38:09 -0800
Subject: [PATCH 13/33] randr: unvalidated lengths in RandR extension swapped
 procs [CVE-2014-8101]

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 randr/rrsdispatch.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/randr/rrsdispatch.c
+++ b/randr/rrsdispatch.c
@@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client)
 {
     REQUEST(xRRQueryVersionReq);
 
+    REQUEST_SIZE_MATCH(xRRQueryVersionReq);
     swaps(&stuff->length);
     swapl(&stuff->majorVersion);
     swapl(&stuff->minorVersion);
@@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client)
 {
     REQUEST(xRRGetScreenInfoReq);
 
+    REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
     swaps(&stuff->length);
     swapl(&stuff->window);
     return (*ProcRandrVector[stuff->randrReqType]) (client);
@@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client)
 {
     REQUEST(xRRSelectInputReq);
 
+    REQUEST_SIZE_MATCH(xRRSelectInputReq);
     swaps(&stuff->length);
     swapl(&stuff->window);
     swaps(&stuff->enable);
@@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr
 {
     REQUEST(xRRConfigureOutputPropertyReq);
 
+    REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq);
     swaps(&stuff->length);
     swapl(&stuff->output);
     swapl(&stuff->property);
Commit	Line	Data
7217e0ca ML	1	From 1322c6ce2a64ca3290ec76144d8443dec50f2183 Mon Sep 17 00:00:00 2001
	2	From: Alan Coopersmith <alan.coopersmith@oracle.com>
	3	Date: Sun, 26 Jan 2014 19:38:09 -0800
	4	Subject: [PATCH 13/33] randr: unvalidated lengths in RandR extension swapped
	5	procs [CVE-2014-8101]
	6
	7	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	8	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
	9	---
	10	randr/rrsdispatch.c \| 4 ++++
	11	1 file changed, 4 insertions(+)
	12
7217e0ca ML	13	--- a/randr/rrsdispatch.c
	14	+++ b/randr/rrsdispatch.c
	15	@@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client)
	16	{
	17	REQUEST(xRRQueryVersionReq);
	18
	19	+ REQUEST_SIZE_MATCH(xRRQueryVersionReq);
	20	swaps(&stuff->length);
	21	swapl(&stuff->majorVersion);
	22	swapl(&stuff->minorVersion);
	23	@@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client)
	24	{
	25	REQUEST(xRRGetScreenInfoReq);
	26
	27	+ REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
	28	swaps(&stuff->length);
	29	swapl(&stuff->window);
	30	return (*ProcRandrVector[stuff->randrReqType]) (client);
	31	@@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client)
	32	{
	33	REQUEST(xRRSelectInputReq);
	34
	35	+ REQUEST_SIZE_MATCH(xRRSelectInputReq);
	36	swaps(&stuff->length);
	37	swapl(&stuff->window);
	38	swaps(&stuff->enable);
4db25562	39	@@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr
7217e0ca ML	40	{
	41	REQUEST(xRRConfigureOutputPropertyReq);
	42
	43	+ REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq);
	44	swaps(&stuff->length);
	45	swapl(&stuff->output);
	46	swapl(&stuff->property);