debian/patches/CVE-2014-8xxx/0013-randr-unvalidated-lengths-in-RandR-extension-swapped.patch

   1 From 1322c6ce2a64ca3290ec76144d8443dec50f2183 Mon Sep 17 00:00:00 2001
   2 From: Alan Coopersmith <alan.coopersmith@oracle.com>
   3 Date: Sun, 26 Jan 2014 19:38:09 -0800
   4 Subject: [PATCH 13/33] randr: unvalidated lengths in RandR extension swapped
   5  procs [CVE-2014-8101]
   6
   7 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
   8 Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
   9 ---
  10  randr/rrsdispatch.c |    4 ++++
  11  1 file changed, 4 insertions(+)
  12
  13 --- a/randr/rrsdispatch.c
  14 +++ b/randr/rrsdispatch.c
  15 @@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client)
  16  {
  17      REQUEST(xRRQueryVersionReq);
  18
  19 +    REQUEST_SIZE_MATCH(xRRQueryVersionReq);
  20      swaps(&stuff->length);
  21      swapl(&stuff->majorVersion);
  22      swapl(&stuff->minorVersion);
  23 @@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client)
  24  {
  25      REQUEST(xRRGetScreenInfoReq);
  26
  27 +    REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
  28      swaps(&stuff->length);
  29      swapl(&stuff->window);
  30      return (*ProcRandrVector[stuff->randrReqType]) (client);
  31 @@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client)
  32  {
  33      REQUEST(xRRSelectInputReq);
  34
  35 +    REQUEST_SIZE_MATCH(xRRSelectInputReq);
  36      swaps(&stuff->length);
  37      swapl(&stuff->window);
  38      swaps(&stuff->enable);
  39 @@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr
  40  {
  41      REQUEST(xRRConfigureOutputPropertyReq);
  42
  43 +    REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq);
  44      swaps(&stuff->length);
  45      swapl(&stuff->output);
  46      swapl(&stuff->property);