debian/patches/CVE-2014-8xxx/0013-randr-unvalidated-lengths-in-RandR-extension-swapped.patch

   1 From 1322c6ce2a64ca3290ec76144d8443dec50f2183 Mon Sep 17 00:00:00 2001
   2 From: Alan Coopersmith <alan.coopersmith@oracle.com>
   3 Date: Sun, 26 Jan 2014 19:38:09 -0800
   4 Subject: [PATCH 13/33] randr: unvalidated lengths in RandR extension swapped
   5  procs [CVE-2014-8101]
   6
   7 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
   8 Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
   9 ---
  10  randr/rrsdispatch.c |    4 ++++
  11  1 file changed, 4 insertions(+)
  12
  13 diff --git a/randr/rrsdispatch.c b/randr/rrsdispatch.c
  14 index 08c3b6a..47558cf 100644
  15 --- a/randr/rrsdispatch.c
  16 +++ b/randr/rrsdispatch.c
  17 @@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client)
  18  {
  19      REQUEST(xRRQueryVersionReq);
  20
  21 +    REQUEST_SIZE_MATCH(xRRQueryVersionReq);
  22      swaps(&stuff->length);
  23      swapl(&stuff->majorVersion);
  24      swapl(&stuff->minorVersion);
  25 @@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client)
  26  {
  27      REQUEST(xRRGetScreenInfoReq);
  28
  29 +    REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
  30      swaps(&stuff->length);
  31      swapl(&stuff->window);
  32      return (*ProcRandrVector[stuff->randrReqType]) (client);
  33 @@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client)
  34  {
  35      REQUEST(xRRSelectInputReq);
  36
  37 +    REQUEST_SIZE_MATCH(xRRSelectInputReq);
  38      swaps(&stuff->length);
  39      swapl(&stuff->window);
  40      swaps(&stuff->enable);
  41 @@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr client)
  42  {
  43      REQUEST(xRRConfigureOutputPropertyReq);
  44
  45 +    REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq);
  46      swaps(&stuff->length);
  47      swapl(&stuff->output);
  48      swapl(&stuff->property);
  49 --
  50 1.7.9.2
  51