[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0014-render-check-request-size-before-reading-it-CVE-2014.patch

From c12a45abf1ae41f5deca298489f5e76ac54f2121 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Tue, 28 Oct 2014 10:30:04 +0100
Subject: [PATCH 14/33] render: check request size before reading it
 [CVE-2014-8100 1/2]

Otherwise we may be reading outside of the client request.

Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 render/render.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/render/render.c b/render/render.c
index e3031da..200e0c8 100644
--- a/render/render.c
+++ b/render/render.c
@@ -276,11 +276,11 @@ ProcRenderQueryVersion(ClientPtr client)
 
     REQUEST(xRenderQueryVersionReq);
 
+    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
+
     pRenderClient->major_version = stuff->majorVersion;
     pRenderClient->minor_version = stuff->minorVersion;
 
-    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
-
     if ((stuff->majorVersion * 1000 + stuff->minorVersion) <
         (SERVER_RENDER_MAJOR_VERSION * 1000 + SERVER_RENDER_MINOR_VERSION)) {
         rep.majorVersion = stuff->majorVersion;
-- 
1.7.9.2
Commit	Line	Data
7217e0ca ML	1	From c12a45abf1ae41f5deca298489f5e76ac54f2121 Mon Sep 17 00:00:00 2001
	2	From: Julien Cristau <jcristau@debian.org>
	3	Date: Tue, 28 Oct 2014 10:30:04 +0100
	4	Subject: [PATCH 14/33] render: check request size before reading it
	5	[CVE-2014-8100 1/2]
	6
	7	Otherwise we may be reading outside of the client request.
	8
	9	Signed-off-by: Julien Cristau <jcristau@debian.org>
	10	Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	11	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	12	---
	13	render/render.c \| 4 ++--
	14	1 file changed, 2 insertions(+), 2 deletions(-)
	15
	16	diff --git a/render/render.c b/render/render.c
	17	index e3031da..200e0c8 100644
	18	--- a/render/render.c
	19	+++ b/render/render.c
	20	@@ -276,11 +276,11 @@ ProcRenderQueryVersion(ClientPtr client)
	21
	22	REQUEST(xRenderQueryVersionReq);
	23
	24	+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
	25	+
	26	pRenderClient->major_version = stuff->majorVersion;
	27	pRenderClient->minor_version = stuff->minorVersion;
	28
	29	- REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
	30	-
	31	if ((stuff->majorVersion * 1000 + stuff->minorVersion) <
	32	(SERVER_RENDER_MAJOR_VERSION * 1000 + SERVER_RENDER_MINOR_VERSION)) {
	33	rep.majorVersion = stuff->majorVersion;
	34	--
	35	1.7.9.2
	36