Commit | Line | Data |
---|---|---|
7217e0ca ML |
1 | From c12a45abf1ae41f5deca298489f5e76ac54f2121 Mon Sep 17 00:00:00 2001 |
2 | From: Julien Cristau <jcristau@debian.org> | |
3 | Date: Tue, 28 Oct 2014 10:30:04 +0100 | |
4 | Subject: [PATCH 14/33] render: check request size before reading it | |
5 | [CVE-2014-8100 1/2] | |
6 | ||
7 | Otherwise we may be reading outside of the client request. | |
8 | ||
9 | Signed-off-by: Julien Cristau <jcristau@debian.org> | |
10 | Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
11 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
12 | --- | |
13 | render/render.c | 4 ++-- | |
14 | 1 file changed, 2 insertions(+), 2 deletions(-) | |
15 | ||
7217e0ca ML |
16 | --- a/render/render.c |
17 | +++ b/render/render.c | |
18 | @@ -276,11 +276,11 @@ ProcRenderQueryVersion(ClientPtr client) | |
19 | ||
20 | REQUEST(xRenderQueryVersionReq); | |
21 | ||
22 | + REQUEST_SIZE_MATCH(xRenderQueryVersionReq); | |
23 | + | |
24 | pRenderClient->major_version = stuff->majorVersion; | |
25 | pRenderClient->minor_version = stuff->minorVersion; | |
26 | ||
27 | - REQUEST_SIZE_MATCH(xRenderQueryVersionReq); | |
28 | - | |
29 | if ((stuff->majorVersion * 1000 + stuff->minorVersion) < | |
30 | (SERVER_RENDER_MAJOR_VERSION * 1000 + SERVER_RENDER_MINOR_VERSION)) { | |
31 | rep.majorVersion = stuff->majorVersion; |