Commit | Line | Data |
---|---|---|
7217e0ca ML |
1 | From 1322c6ce2a64ca3290ec76144d8443dec50f2183 Mon Sep 17 00:00:00 2001 |
2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> | |
3 | Date: Sun, 26 Jan 2014 19:38:09 -0800 | |
4 | Subject: [PATCH 13/33] randr: unvalidated lengths in RandR extension swapped | |
5 | procs [CVE-2014-8101] | |
6 | ||
7 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
8 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> | |
9 | --- | |
10 | randr/rrsdispatch.c | 4 ++++ | |
11 | 1 file changed, 4 insertions(+) | |
12 | ||
13 | diff --git a/randr/rrsdispatch.c b/randr/rrsdispatch.c | |
14 | index 08c3b6a..47558cf 100644 | |
15 | --- a/randr/rrsdispatch.c | |
16 | +++ b/randr/rrsdispatch.c | |
17 | @@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client) | |
18 | { | |
19 | REQUEST(xRRQueryVersionReq); | |
20 | ||
21 | + REQUEST_SIZE_MATCH(xRRQueryVersionReq); | |
22 | swaps(&stuff->length); | |
23 | swapl(&stuff->majorVersion); | |
24 | swapl(&stuff->minorVersion); | |
25 | @@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client) | |
26 | { | |
27 | REQUEST(xRRGetScreenInfoReq); | |
28 | ||
29 | + REQUEST_SIZE_MATCH(xRRGetScreenInfoReq); | |
30 | swaps(&stuff->length); | |
31 | swapl(&stuff->window); | |
32 | return (*ProcRandrVector[stuff->randrReqType]) (client); | |
33 | @@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client) | |
34 | { | |
35 | REQUEST(xRRSelectInputReq); | |
36 | ||
37 | + REQUEST_SIZE_MATCH(xRRSelectInputReq); | |
38 | swaps(&stuff->length); | |
39 | swapl(&stuff->window); | |
40 | swaps(&stuff->enable); | |
41 | @@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr client) | |
42 | { | |
43 | REQUEST(xRRConfigureOutputPropertyReq); | |
44 | ||
45 | + REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq); | |
46 | swaps(&stuff->length); | |
47 | swapl(&stuff->output); | |
48 | swapl(&stuff->property); | |
49 | -- | |
50 | 1.7.9.2 | |
51 |