--- /dev/null
+From 362ea7ec75543b694ebc8ab7268a2402e80a10bd Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 26 Jan 2014 19:23:17 -0800
+Subject: [PATCH 10/33] Xv: unvalidated lengths in XVideo extension swapped
+ procs [CVE-2014-8099]
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Xext/xvdisp.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+Index: xorg-server-1.16.0/Xext/xvdisp.c
+===================================================================
+--- xorg-server-1.16.0.orig/Xext/xvdisp.c 2014-12-04 11:15:10.726714736 -0500
++++ xorg-server-1.16.0/Xext/xvdisp.c 2014-12-04 11:15:10.722714693 -0500
+@@ -1207,6 +1207,7 @@
+ SProcXvQueryExtension(ClientPtr client)
+ {
+ REQUEST(xvQueryExtensionReq);
++ REQUEST_SIZE_MATCH(xvQueryExtensionReq);
+ swaps(&stuff->length);
+ return XvProcVector[xv_QueryExtension] (client);
+ }
+@@ -1215,6 +1216,7 @@
+ SProcXvQueryAdaptors(ClientPtr client)
+ {
+ REQUEST(xvQueryAdaptorsReq);
++ REQUEST_SIZE_MATCH(xvQueryAdaptorsReq);
+ swaps(&stuff->length);
+ swapl(&stuff->window);
+ return XvProcVector[xv_QueryAdaptors] (client);
+@@ -1224,6 +1226,7 @@
+ SProcXvQueryEncodings(ClientPtr client)
+ {
+ REQUEST(xvQueryEncodingsReq);
++ REQUEST_SIZE_MATCH(xvQueryEncodingsReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ return XvProcVector[xv_QueryEncodings] (client);
+@@ -1233,6 +1236,7 @@
+ SProcXvGrabPort(ClientPtr client)
+ {
+ REQUEST(xvGrabPortReq);
++ REQUEST_SIZE_MATCH(xvGrabPortReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->time);
+@@ -1243,6 +1247,7 @@
+ SProcXvUngrabPort(ClientPtr client)
+ {
+ REQUEST(xvUngrabPortReq);
++ REQUEST_SIZE_MATCH(xvUngrabPortReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->time);
+@@ -1253,6 +1258,7 @@
+ SProcXvPutVideo(ClientPtr client)
+ {
+ REQUEST(xvPutVideoReq);
++ REQUEST_SIZE_MATCH(xvPutVideoReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->drawable);
+@@ -1272,6 +1278,7 @@
+ SProcXvPutStill(ClientPtr client)
+ {
+ REQUEST(xvPutStillReq);
++ REQUEST_SIZE_MATCH(xvPutStillReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->drawable);
+@@ -1291,6 +1298,7 @@
+ SProcXvGetVideo(ClientPtr client)
+ {
+ REQUEST(xvGetVideoReq);
++ REQUEST_SIZE_MATCH(xvGetVideoReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->drawable);
+@@ -1310,6 +1318,7 @@
+ SProcXvGetStill(ClientPtr client)
+ {
+ REQUEST(xvGetStillReq);
++ REQUEST_SIZE_MATCH(xvGetStillReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->drawable);
+@@ -1329,6 +1338,7 @@
+ SProcXvPutImage(ClientPtr client)
+ {
+ REQUEST(xvPutImageReq);
++ REQUEST_AT_LEAST_SIZE(xvPutImageReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->drawable);
+@@ -1352,6 +1362,7 @@
+ SProcXvShmPutImage(ClientPtr client)
+ {
+ REQUEST(xvShmPutImageReq);
++ REQUEST_SIZE_MATCH(xvShmPutImageReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->drawable);
+@@ -1379,6 +1390,7 @@
+ SProcXvSelectVideoNotify(ClientPtr client)
+ {
+ REQUEST(xvSelectVideoNotifyReq);
++ REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq);
+ swaps(&stuff->length);
+ swapl(&stuff->drawable);
+ return XvProcVector[xv_SelectVideoNotify] (client);
+@@ -1388,6 +1400,7 @@
+ SProcXvSelectPortNotify(ClientPtr client)
+ {
+ REQUEST(xvSelectPortNotifyReq);
++ REQUEST_SIZE_MATCH(xvSelectPortNotifyReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ return XvProcVector[xv_SelectPortNotify] (client);
+@@ -1397,6 +1410,7 @@
+ SProcXvStopVideo(ClientPtr client)
+ {
+ REQUEST(xvStopVideoReq);
++ REQUEST_SIZE_MATCH(xvStopVideoReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->drawable);
+@@ -1407,6 +1421,7 @@
+ SProcXvSetPortAttribute(ClientPtr client)
+ {
+ REQUEST(xvSetPortAttributeReq);
++ REQUEST_SIZE_MATCH(xvSetPortAttributeReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->attribute);
+@@ -1418,6 +1433,7 @@
+ SProcXvGetPortAttribute(ClientPtr client)
+ {
+ REQUEST(xvGetPortAttributeReq);
++ REQUEST_SIZE_MATCH(xvGetPortAttributeReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->attribute);
+@@ -1428,6 +1444,7 @@
+ SProcXvQueryBestSize(ClientPtr client)
+ {
+ REQUEST(xvQueryBestSizeReq);
++ REQUEST_SIZE_MATCH(xvQueryBestSizeReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swaps(&stuff->vid_w);
+@@ -1441,6 +1458,7 @@
+ SProcXvQueryPortAttributes(ClientPtr client)
+ {
+ REQUEST(xvQueryPortAttributesReq);
++ REQUEST_SIZE_MATCH(xvQueryPortAttributesReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ return XvProcVector[xv_QueryPortAttributes] (client);
+@@ -1450,6 +1468,7 @@
+ SProcXvQueryImageAttributes(ClientPtr client)
+ {
+ REQUEST(xvQueryImageAttributesReq);
++ REQUEST_SIZE_MATCH(xvQueryImageAttributesReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->id);
+@@ -1462,6 +1481,7 @@
+ SProcXvListImageFormats(ClientPtr client)
+ {
+ REQUEST(xvListImageFormatsReq);
++ REQUEST_SIZE_MATCH(xvListImageFormatsReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ return XvProcVector[xv_ListImageFormats] (client);
repositories / deb_xorg-server.git / blobdiff