| 1 | From c12a45abf1ae41f5deca298489f5e76ac54f2121 Mon Sep 17 00:00:00 2001 |
| 2 | From: Julien Cristau <jcristau@debian.org> |
| 3 | Date: Tue, 28 Oct 2014 10:30:04 +0100 |
| 4 | Subject: [PATCH 14/33] render: check request size before reading it |
| 5 | [CVE-2014-8100 1/2] |
| 6 | |
| 7 | Otherwise we may be reading outside of the client request. |
| 8 | |
| 9 | Signed-off-by: Julien Cristau <jcristau@debian.org> |
| 10 | Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> |
| 11 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> |
| 12 | --- |
| 13 | render/render.c | 4 ++-- |
| 14 | 1 file changed, 2 insertions(+), 2 deletions(-) |
| 15 | |
| 16 | --- a/render/render.c |
| 17 | +++ b/render/render.c |
| 18 | @@ -276,11 +276,11 @@ ProcRenderQueryVersion(ClientPtr client) |
| 19 | |
| 20 | REQUEST(xRenderQueryVersionReq); |
| 21 | |
| 22 | + REQUEST_SIZE_MATCH(xRenderQueryVersionReq); |
| 23 | + |
| 24 | pRenderClient->major_version = stuff->majorVersion; |
| 25 | pRenderClient->minor_version = stuff->minorVersion; |
| 26 | |
| 27 | - REQUEST_SIZE_MATCH(xRenderQueryVersionReq); |
| 28 | - |
| 29 | if ((stuff->majorVersion * 1000 + stuff->minorVersion) < |
| 30 | (SERVER_RENDER_MAJOR_VERSION * 1000 + SERVER_RENDER_MINOR_VERSION)) { |
| 31 | rep.majorVersion = stuff->majorVersion; |
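Review bot: The version comparison at the end of this hunk still does arithmetic on client-supplied fields: `stuff->majorVersion * 1000 + stuff->minorVersion` can wrap if these are 32-bit unsigned protocol integers (their type is not visible here), so a very large major version could compare as older than the server's and take the branch that copies the client's value into `rep.majorVersion`. Comparing the fields directly avoids the multiplication, e.g. `if (stuff->majorVersion < SERVER_RENDER_MAJOR_VERSION || (stuff->majorVersion == SERVER_RENDER_MAJOR_VERSION && stuff->minorVersion < SERVER_RENDER_MINOR_VERSION))`; this differs from the current expression only for minor versions of 1000 or more. The same unchecked values are stored in `pRenderClient->major_version` and `minor_version` just above, and whether later code trusts them cannot be told from this hunk, since the function body starts and ends outside it. To keep the corrected ordering from regressing, I would also add a comment above the moved check, such as `/* Validate the request length before any stuff-> field is read. */`.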