[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0013-randr-unvalidated-lengths-in-RandR-extension-swapped.patch

From 1322c6ce2a64ca3290ec76144d8443dec50f2183 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 26 Jan 2014 19:38:09 -0800
Subject: [PATCH 13/33] randr: unvalidated lengths in RandR extension swapped
 procs [CVE-2014-8101]

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 randr/rrsdispatch.c |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/randr/rrsdispatch.c b/randr/rrsdispatch.c
index 08c3b6a..47558cf 100644
--- a/randr/rrsdispatch.c
+++ b/randr/rrsdispatch.c
@@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client)
 {
     REQUEST(xRRQueryVersionReq);
 
+    REQUEST_SIZE_MATCH(xRRQueryVersionReq);
     swaps(&stuff->length);
     swapl(&stuff->majorVersion);
     swapl(&stuff->minorVersion);
@@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client)
 {
     REQUEST(xRRGetScreenInfoReq);
 
+    REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
     swaps(&stuff->length);
     swapl(&stuff->window);
     return (*ProcRandrVector[stuff->randrReqType]) (client);
@@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client)
 {
     REQUEST(xRRSelectInputReq);
 
+    REQUEST_SIZE_MATCH(xRRSelectInputReq);
     swaps(&stuff->length);
     swapl(&stuff->window);
     swaps(&stuff->enable);
@@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr client)
 {
     REQUEST(xRRConfigureOutputPropertyReq);
 
+    REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq);
     swaps(&stuff->length);
     swapl(&stuff->output);
     swapl(&stuff->property);
-- 
1.7.9.2
Commit	Line	Data
7217e0ca ML	1	From 1322c6ce2a64ca3290ec76144d8443dec50f2183 Mon Sep 17 00:00:00 2001
	2	From: Alan Coopersmith <alan.coopersmith@oracle.com>
	3	Date: Sun, 26 Jan 2014 19:38:09 -0800
	4	Subject: [PATCH 13/33] randr: unvalidated lengths in RandR extension swapped
	5	procs [CVE-2014-8101]
	6
	7	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	8	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
	9	---
	10	randr/rrsdispatch.c \| 4 ++++
	11	1 file changed, 4 insertions(+)
	12
	13	diff --git a/randr/rrsdispatch.c b/randr/rrsdispatch.c
	14	index 08c3b6a..47558cf 100644
	15	--- a/randr/rrsdispatch.c
	16	+++ b/randr/rrsdispatch.c
	17	@@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client)
	18	{
	19	REQUEST(xRRQueryVersionReq);
	20
	21	+ REQUEST_SIZE_MATCH(xRRQueryVersionReq);
	22	swaps(&stuff->length);
	23	swapl(&stuff->majorVersion);
	24	swapl(&stuff->minorVersion);
	25	@@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client)
	26	{
	27	REQUEST(xRRGetScreenInfoReq);
	28
	29	+ REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
	30	swaps(&stuff->length);
	31	swapl(&stuff->window);
	32	return (*ProcRandrVector[stuff->randrReqType]) (client);
	33	@@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client)
	34	{
	35	REQUEST(xRRSelectInputReq);
	36
	37	+ REQUEST_SIZE_MATCH(xRRSelectInputReq);
	38	swaps(&stuff->length);
	39	swapl(&stuff->window);
	40	swaps(&stuff->enable);
	41	@@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr client)
	42	{
	43	REQUEST(xRRConfigureOutputPropertyReq);
	44
	45	+ REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq);
	46	swaps(&stuff->length);
	47	swapl(&stuff->output);
	48	swapl(&stuff->property);
	49	--
	50	1.7.9.2
	51