Commit | Line | Data |
---|---|---|
7217e0ca ML |
1 | From 1322c6ce2a64ca3290ec76144d8443dec50f2183 Mon Sep 17 00:00:00 2001 |
2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> | |
3 | Date: Sun, 26 Jan 2014 19:38:09 -0800 | |
4 | Subject: [PATCH 13/33] randr: unvalidated lengths in RandR extension swapped | |
5 | procs [CVE-2014-8101] | |
6 | ||
7 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
8 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> | |
9 | --- | |
10 | randr/rrsdispatch.c | 4 ++++ | |
11 | 1 file changed, 4 insertions(+) | |
12 | ||
7217e0ca ML |
13 | --- a/randr/rrsdispatch.c |
14 | +++ b/randr/rrsdispatch.c | |
15 | @@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client) | |
16 | { | |
17 | REQUEST(xRRQueryVersionReq); | |
18 | ||
19 | + REQUEST_SIZE_MATCH(xRRQueryVersionReq); | |
20 | swaps(&stuff->length); | |
21 | swapl(&stuff->majorVersion); | |
22 | swapl(&stuff->minorVersion); | |
23 | @@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client) | |
24 | { | |
25 | REQUEST(xRRGetScreenInfoReq); | |
26 | ||
27 | + REQUEST_SIZE_MATCH(xRRGetScreenInfoReq); | |
28 | swaps(&stuff->length); | |
29 | swapl(&stuff->window); | |
30 | return (*ProcRandrVector[stuff->randrReqType]) (client); | |
31 | @@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client) | |
32 | { | |
33 | REQUEST(xRRSelectInputReq); | |
34 | ||
35 | + REQUEST_SIZE_MATCH(xRRSelectInputReq); | |
36 | swaps(&stuff->length); | |
37 | swapl(&stuff->window); | |
38 | swaps(&stuff->enable); | |
4db25562 | 39 | @@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr |
7217e0ca ML |
40 | { |
41 | REQUEST(xRRConfigureOutputPropertyReq); | |
42 | ||
43 | + REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq); | |
44 | swaps(&stuff->length); | |
45 | swapl(&stuff->output); | |
46 | swapl(&stuff->property); |