X-Git-Url: https://git.piment-noir.org/?p=deb_xorg-server.git;a=blobdiff_plain;f=debian%2Fpatches%2FCVE-2014-8xxx%2F0008-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch;h=dccaa0301faa5675738f774b0957dad9b32d2e14;hp=421f07084b741738027d4ccd3bab5a10758f41bf;hb=4db25562fe97995f20b8adc0f2e6959ed82e8635;hpb=7217e0ca50bba73dad94782e67980aeeb24ab693 diff --git a/debian/patches/CVE-2014-8xxx/0008-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch b/debian/patches/CVE-2014-8xxx/0008-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch index 421f070..dccaa03 100644 --- a/debian/patches/CVE-2014-8xxx/0008-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch +++ b/debian/patches/CVE-2014-8xxx/0008-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch @@ -37,11 +37,9 @@ Reviewed-by: Peter Hutterer include/dix.h | 4 ++++ 17 files changed, 94 insertions(+), 18 deletions(-) -diff --git a/Xi/chgdctl.c b/Xi/chgdctl.c -index d078aa2..b3ee867 100644 --- a/Xi/chgdctl.c +++ b/Xi/chgdctl.c -@@ -78,7 +78,7 @@ SProcXChangeDeviceControl(ClientPtr client) +@@ -78,7 +78,7 @@ SProcXChangeDeviceControl(ClientPtr clie REQUEST(xChangeDeviceControlReq); swaps(&stuff->length); @@ -50,7 +48,7 @@ index d078aa2..b3ee867 100644 swaps(&stuff->control); ctl = (xDeviceCtl *) &stuff[1]; swaps(&ctl->control); -@@ -115,7 +115,7 @@ ProcXChangeDeviceControl(ClientPtr client) +@@ -115,7 +115,7 @@ ProcXChangeDeviceControl(ClientPtr clien xDeviceEnableCtl *e; REQUEST(xChangeDeviceControlReq); @@ -59,7 +57,7 @@ index d078aa2..b3ee867 100644 len = stuff->length - bytes_to_int32(sizeof(xChangeDeviceControlReq)); ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess); -@@ -192,6 +192,10 @@ ProcXChangeDeviceControl(ClientPtr client) +@@ -192,6 +192,10 @@ ProcXChangeDeviceControl(ClientPtr clien break; case DEVICE_ENABLE: e = (xDeviceEnableCtl *) &stuff[1]; @@ -70,11 +68,9 @@ index d078aa2..b3ee867 100644 if (IsXTestDevice(dev, NULL)) status = !Success; -diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c -index 6dcf60c..224c2ba 100644 --- a/Xi/chgfctl.c +++ b/Xi/chgfctl.c -@@ -467,6 +467,8 @@ ProcXChangeFeedbackControl(ClientPtr client) +@@ -467,6 +467,8 @@ ProcXChangeFeedbackControl(ClientPtr cli xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]); if (client->swapped) { @@ -83,11 +79,9 @@ index 6dcf60c..224c2ba 100644 swaps(&f->num_keysyms); } if (len != -diff --git a/Xi/sendexev.c b/Xi/sendexev.c -index 3c21386..183f88d 100644 --- a/Xi/sendexev.c +++ b/Xi/sendexev.c -@@ -135,6 +135,9 @@ ProcXSendExtensionEvent(ClientPtr client) +@@ -135,6 +135,9 @@ ProcXSendExtensionEvent(ClientPtr client if (ret != Success) return ret; @@ -97,8 +91,6 @@ index 3c21386..183f88d 100644 /* The client's event type must be one defined by an extension. */ first = ((xEvent *) &stuff[1]); -diff --git a/Xi/xiallowev.c b/Xi/xiallowev.c -index ebef233..ca263ef 100644 --- a/Xi/xiallowev.c +++ b/Xi/xiallowev.c @@ -48,6 +48,7 @@ int @@ -117,8 +109,6 @@ index ebef233..ca263ef 100644 swapl(&req_xi22->touchid); swapl(&req_xi22->grab_window); } -diff --git a/Xi/xichangecursor.c b/Xi/xichangecursor.c -index 7a1bb7a..8e6255b 100644 --- a/Xi/xichangecursor.c +++ b/Xi/xichangecursor.c @@ -57,11 +57,11 @@ int @@ -134,8 +124,6 @@ index 7a1bb7a..8e6255b 100644 return (ProcXIChangeCursor(client)); } -diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c -index 9e36354..2732445 100644 --- a/Xi/xichangehierarchy.c +++ b/Xi/xichangehierarchy.c @@ -411,7 +411,7 @@ int @@ -228,8 +216,6 @@ index 9e36354..2732445 100644 any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4); } -diff --git a/Xi/xigetclientpointer.c b/Xi/xigetclientpointer.c -index 3c90d58..306dd39 100644 --- a/Xi/xigetclientpointer.c +++ b/Xi/xigetclientpointer.c @@ -50,6 +50,7 @@ int @@ -240,8 +226,6 @@ index 3c90d58..306dd39 100644 swaps(&stuff->length); swapl(&stuff->win); -diff --git a/Xi/xigrabdev.c b/Xi/xigrabdev.c -index 63d95bc..e2a2ae3 100644 --- a/Xi/xigrabdev.c +++ b/Xi/xigrabdev.c @@ -47,6 +47,11 @@ int @@ -281,11 +265,9 @@ index 63d95bc..e2a2ae3 100644 ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGetAttrAccess); if (ret != Success) -diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c -index 700622d..9241ffd 100644 --- a/Xi/xipassivegrab.c +++ b/Xi/xipassivegrab.c -@@ -53,6 +53,7 @@ SProcXIPassiveGrabDevice(ClientPtr client) +@@ -53,6 +53,7 @@ SProcXIPassiveGrabDevice(ClientPtr clien uint32_t *mods; REQUEST(xXIPassiveGrabDeviceReq); @@ -293,7 +275,7 @@ index 700622d..9241ffd 100644 swaps(&stuff->length); swaps(&stuff->deviceid); -@@ -63,6 +64,8 @@ SProcXIPassiveGrabDevice(ClientPtr client) +@@ -63,6 +64,8 @@ SProcXIPassiveGrabDevice(ClientPtr clien swaps(&stuff->mask_len); swaps(&stuff->num_modifiers); @@ -302,7 +284,7 @@ index 700622d..9241ffd 100644 mods = (uint32_t *) &stuff[1] + stuff->mask_len; for (i = 0; i < stuff->num_modifiers; i++, mods++) { -@@ -92,7 +95,8 @@ ProcXIPassiveGrabDevice(ClientPtr client) +@@ -92,7 +95,8 @@ ProcXIPassiveGrabDevice(ClientPtr client int mask_len; REQUEST(xXIPassiveGrabDeviceReq); @@ -312,7 +294,7 @@ index 700622d..9241ffd 100644 if (stuff->deviceid == XIAllDevices) dev = inputInfo.all_devices; -@@ -252,6 +256,7 @@ SProcXIPassiveUngrabDevice(ClientPtr client) +@@ -252,6 +256,7 @@ SProcXIPassiveUngrabDevice(ClientPtr cli uint32_t *modifiers; REQUEST(xXIPassiveUngrabDeviceReq); @@ -320,7 +302,7 @@ index 700622d..9241ffd 100644 swaps(&stuff->length); swapl(&stuff->grab_window); -@@ -259,6 +264,8 @@ SProcXIPassiveUngrabDevice(ClientPtr client) +@@ -259,6 +264,8 @@ SProcXIPassiveUngrabDevice(ClientPtr cli swapl(&stuff->detail); swaps(&stuff->num_modifiers); @@ -329,7 +311,7 @@ index 700622d..9241ffd 100644 modifiers = (uint32_t *) &stuff[1]; for (i = 0; i < stuff->num_modifiers; i++, modifiers++) -@@ -277,7 +284,8 @@ ProcXIPassiveUngrabDevice(ClientPtr client) +@@ -277,7 +284,8 @@ ProcXIPassiveUngrabDevice(ClientPtr clie int i, rc; REQUEST(xXIPassiveUngrabDeviceReq); @@ -339,8 +321,6 @@ index 700622d..9241ffd 100644 if (stuff->deviceid == XIAllDevices) dev = inputInfo.all_devices; -diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c -index 463607d..8e8e4b0 100644 --- a/Xi/xiproperty.c +++ b/Xi/xiproperty.c @@ -1013,10 +1013,9 @@ int @@ -424,8 +404,6 @@ index 463607d..8e8e4b0 100644 return (ProcXIGetProperty(client)); } -diff --git a/Xi/xiquerydevice.c b/Xi/xiquerydevice.c -index 4e544f0..67a9a4f 100644 --- a/Xi/xiquerydevice.c +++ b/Xi/xiquerydevice.c @@ -54,6 +54,7 @@ int @@ -436,8 +414,6 @@ index 4e544f0..67a9a4f 100644 swaps(&stuff->length); swaps(&stuff->deviceid); -diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c -index e9bdd42..7ec0c85 100644 --- a/Xi/xiquerypointer.c +++ b/Xi/xiquerypointer.c @@ -63,6 +63,8 @@ int @@ -449,8 +425,6 @@ index e9bdd42..7ec0c85 100644 swaps(&stuff->length); swaps(&stuff->deviceid); swapl(&stuff->win); -diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c -index 45a996e..168579f 100644 --- a/Xi/xiselectev.c +++ b/Xi/xiselectev.c @@ -114,6 +114,7 @@ int @@ -479,8 +453,6 @@ index 45a996e..168579f 100644 evmask = (xXIEventMask *) (((char *) &evmask[1]) + evmask->mask_len * 4); } -diff --git a/Xi/xisetclientpointer.c b/Xi/xisetclientpointer.c -index 38ff51e..24d4a53 100644 --- a/Xi/xisetclientpointer.c +++ b/Xi/xisetclientpointer.c @@ -51,10 +51,11 @@ int @@ -496,8 +468,6 @@ index 38ff51e..24d4a53 100644 return (ProcXISetClientPointer(client)); } -diff --git a/Xi/xisetdevfocus.c b/Xi/xisetdevfocus.c -index 372ec24..96a9a16 100644 --- a/Xi/xisetdevfocus.c +++ b/Xi/xisetdevfocus.c @@ -44,6 +44,8 @@ int @@ -518,8 +488,6 @@ index 372ec24..96a9a16 100644 swaps(&stuff->length); swaps(&stuff->deviceid); -diff --git a/Xi/xiwarppointer.c b/Xi/xiwarppointer.c -index 3f051f7..780758a 100644 --- a/Xi/xiwarppointer.c +++ b/Xi/xiwarppointer.c @@ -56,6 +56,8 @@ int @@ -531,8 +499,6 @@ index 3f051f7..780758a 100644 swaps(&stuff->length); swapl(&stuff->src_win); swapl(&stuff->dst_win); -diff --git a/include/dix.h b/include/dix.h -index e0c6ed8..21176a8 100644 --- a/include/dix.h +++ b/include/dix.h @@ -74,6 +74,10 @@ SOFTWARE. @@ -546,6 +512,3 @@ index e0c6ed8..21176a8 100644 #define REQUEST_FIXED_SIZE(req, n)\ if (((sizeof(req) >> 2) > client->req_len) || \ ((n >> 2) >= client->req_len) || \ --- -1.7.9.2 -