[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0014-render-check-request-size-before-reading-it-CVE-2014.patch

From c12a45abf1ae41f5deca298489f5e76ac54f2121 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Tue, 28 Oct 2014 10:30:04 +0100
Subject: [PATCH 14/33] render: check request size before reading it
 [CVE-2014-8100 1/2]

Otherwise we may be reading outside of the client request.

Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 render/render.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/render/render.c
+++ b/render/render.c
@@ -276,11 +276,11 @@ ProcRenderQueryVersion(ClientPtr client)
 
     REQUEST(xRenderQueryVersionReq);
 
+    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
+
     pRenderClient->major_version = stuff->majorVersion;
     pRenderClient->minor_version = stuff->minorVersion;
 
-    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
-
     if ((stuff->majorVersion * 1000 + stuff->minorVersion) <
         (SERVER_RENDER_MAJOR_VERSION * 1000 + SERVER_RENDER_MINOR_VERSION)) {
         rep.majorVersion = stuff->majorVersion;
Commit	Line	Data
7217e0ca ML	1	From c12a45abf1ae41f5deca298489f5e76ac54f2121 Mon Sep 17 00:00:00 2001
	2	From: Julien Cristau <jcristau@debian.org>
	3	Date: Tue, 28 Oct 2014 10:30:04 +0100
	4	Subject: [PATCH 14/33] render: check request size before reading it
	5	[CVE-2014-8100 1/2]
	6
	7	Otherwise we may be reading outside of the client request.
	8
	9	Signed-off-by: Julien Cristau <jcristau@debian.org>
	10	Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	11	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	12	---
	13	render/render.c \| 4 ++--
	14	1 file changed, 2 insertions(+), 2 deletions(-)
	15
7217e0ca ML	16	--- a/render/render.c
	17	+++ b/render/render.c
	18	@@ -276,11 +276,11 @@ ProcRenderQueryVersion(ClientPtr client)
	19
	20	REQUEST(xRenderQueryVersionReq);
	21
	22	+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
	23	+
	24	pRenderClient->major_version = stuff->majorVersion;
	25	pRenderClient->minor_version = stuff->minorVersion;
	26
	27	- REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
	28	-
	29	if ((stuff->majorVersion * 1000 + stuff->minorVersion) <
	30	(SERVER_RENDER_MAJOR_VERSION * 1000 + SERVER_RENDER_MINOR_VERSION)) {
	31	rep.majorVersion = stuff->majorVersion;