X-Git-Url: https://git.piment-noir.org/?p=deb_xorg-server.git;a=blobdiff_plain;f=debian%2Fpatches%2FCVE-2014-8xxx%2F0014-render-check-request-size-before-reading-it-CVE-2014.patch;fp=debian%2Fpatches%2FCVE-2014-8xxx%2F0014-render-check-request-size-before-reading-it-CVE-2014.patch;h=b712c7b040e4400e466c65332c126da35ead1cf9;hp=0000000000000000000000000000000000000000;hb=7217e0ca50bba73dad94782e67980aeeb24ab693;hpb=a09e091a5c996d46a398abb27b06fe504591673f diff --git a/debian/patches/CVE-2014-8xxx/0014-render-check-request-size-before-reading-it-CVE-2014.patch b/debian/patches/CVE-2014-8xxx/0014-render-check-request-size-before-reading-it-CVE-2014.patch new file mode 100644 index 0000000..b712c7b --- /dev/null +++ b/debian/patches/CVE-2014-8xxx/0014-render-check-request-size-before-reading-it-CVE-2014.patch @@ -0,0 +1,36 @@ +From c12a45abf1ae41f5deca298489f5e76ac54f2121 Mon Sep 17 00:00:00 2001 +From: Julien Cristau +Date: Tue, 28 Oct 2014 10:30:04 +0100 +Subject: [PATCH 14/33] render: check request size before reading it + [CVE-2014-8100 1/2] + +Otherwise we may be reading outside of the client request. + +Signed-off-by: Julien Cristau +Reviewed-by: Alan Coopersmith +Signed-off-by: Alan Coopersmith +--- + render/render.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/render/render.c b/render/render.c +index e3031da..200e0c8 100644 +--- a/render/render.c ++++ b/render/render.c +@@ -276,11 +276,11 @@ ProcRenderQueryVersion(ClientPtr client) + + REQUEST(xRenderQueryVersionReq); + ++ REQUEST_SIZE_MATCH(xRenderQueryVersionReq); ++ + pRenderClient->major_version = stuff->majorVersion; + pRenderClient->minor_version = stuff->minorVersion; + +- REQUEST_SIZE_MATCH(xRenderQueryVersionReq); +- + if ((stuff->majorVersion * 1000 + stuff->minorVersion) < + (SERVER_RENDER_MAJOR_VERSION * 1000 + SERVER_RENDER_MINOR_VERSION)) { + rep.majorVersion = stuff->majorVersion; +-- +1.7.9.2 +