Imported Debian patch 2:1.15.1-0ubuntu2.6

[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0012-present-unvalidated-lengths-in-Present-extension-pro.patch

diff --git a/debian/patches/CVE-2014-8xxx/0012-present-unvalidated-lengths-in-Present-extension-pro.patch b/debian/patches/CVE-2014-8xxx/0012-present-unvalidated-lengths-in-Present-extension-pro.patch
new file mode 100644 (file)
index 0000000..3fca050
--- /dev/null
+++ b/debian/patches/CVE-2014-8xxx/0012-present-unvalidated-lengths-in-Present-extension-pro.patch
@@ -0,0 +1,68 @@
+From e4bde707b4972a03ffc7737bb8e70eed830670ca Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 26 Jan 2014 19:33:34 -0800
+Subject: [PATCH 12/33] present: unvalidated lengths in Present extension
+ procs [CVE-2014-8103 2/2]
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+---
+ present/present_request.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/present/present_request.c b/present/present_request.c
+index 835890d..7c53e72 100644
+--- a/present/present_request.c
++++ b/present/present_request.c
+@@ -210,6 +210,7 @@ proc_present_query_capabilities (ClientPtr client)
+     RRCrtcPtr   crtc = NULL;
+     int         r;
+ 
++    REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq);
+     r = dixLookupWindow(&window, stuff->target, client, DixGetAttrAccess);
+     switch (r) {
+     case Success:
+@@ -254,6 +255,7 @@ static int
+ sproc_present_query_version(ClientPtr client)
+ {
+     REQUEST(xPresentQueryVersionReq);
++    REQUEST_SIZE_MATCH(xPresentQueryVersionReq);
+ 
+     swaps(&stuff->length);
+     swapl(&stuff->majorVersion);
+@@ -265,6 +267,7 @@ static int
+ sproc_present_pixmap(ClientPtr client)
+ {
+     REQUEST(xPresentPixmapReq);
++    REQUEST_AT_LEAST_SIZE(xPresentPixmapReq);
+ 
+     swaps(&stuff->length);
+     swapl(&stuff->window);
+@@ -284,6 +287,7 @@ static int
+ sproc_present_notify_msc(ClientPtr client)
+ {
+     REQUEST(xPresentNotifyMSCReq);
++    REQUEST_SIZE_MATCH(xPresentNotifyMSCReq);
+ 
+     swaps(&stuff->length);
+     swapl(&stuff->window);
+@@ -297,6 +301,7 @@ static int
+ sproc_present_select_input (ClientPtr client)
+ {
+     REQUEST(xPresentSelectInputReq);
++    REQUEST_SIZE_MATCH(xPresentSelectInputReq);
+ 
+     swaps(&stuff->length);
+     swapl(&stuff->window);
+@@ -308,6 +313,7 @@ static int
+ sproc_present_query_capabilities (ClientPtr client)
+ {
+     REQUEST(xPresentQueryCapabilitiesReq);
++    REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq);
+     swaps(&stuff->length);
+     swapl(&stuff->target);
+     return (*proc_present_vector[stuff->presentReqType]) (client);
+-- 
+1.7.9.2
+