X-Git-Url: https://git.piment-noir.org/?p=deb_xorg-server.git;a=blobdiff_plain;f=debian%2Fpatches%2FCVE-2014-8xxx%2F0015-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch;fp=debian%2Fpatches%2FCVE-2014-8xxx%2F0015-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch;h=d5cd34e837c8104135056ddb5711275cb82effa2;hp=0000000000000000000000000000000000000000;hb=7217e0ca50bba73dad94782e67980aeeb24ab693;hpb=a09e091a5c996d46a398abb27b06fe504591673f

diff --git a/debian/patches/CVE-2014-8xxx/0015-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch b/debian/patches/CVE-2014-8xxx/0015-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch
new file mode 100644
index 0000000..d5cd34e
--- /dev/null
+++ b/debian/patches/CVE-2014-8xxx/0015-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch
@@ -0,0 +1,140 @@
+From c21e46f03bd2096aaed666d91a3188a5676f6222 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 26 Jan 2014 19:51:29 -0800
+Subject: [PATCH 15/33] render: unvalidated lengths in Render extn. swapped
+ procs [CVE-2014-8100 2/2]
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ render/render.c |   16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/render/render.c b/render/render.c
+index 200e0c8..723f380 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -1995,7 +1995,7 @@ static int
+ SProcRenderQueryVersion(ClientPtr client)
+ {
+     REQUEST(xRenderQueryVersionReq);
+-
++    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
+     swaps(&stuff->length);
+     swapl(&stuff->majorVersion);
+     swapl(&stuff->minorVersion);
+@@ -2006,6 +2006,7 @@ static int
+ SProcRenderQueryPictFormats(ClientPtr client)
+ {
+     REQUEST(xRenderQueryPictFormatsReq);
++    REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
+     swaps(&stuff->length);
+     return (*ProcRenderVector[stuff->renderReqType]) (client);
+ }
+@@ -2014,6 +2015,7 @@ static int
+ SProcRenderQueryPictIndexValues(ClientPtr client)
+ {
+     REQUEST(xRenderQueryPictIndexValuesReq);
++    REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
+     swaps(&stuff->length);
+     swapl(&stuff->format);
+     return (*ProcRenderVector[stuff->renderReqType]) (client);
+@@ -2029,6 +2031,7 @@ static int
+ SProcRenderCreatePicture(ClientPtr client)
+ {
+     REQUEST(xRenderCreatePictureReq);
++    REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
+     swaps(&stuff->length);
+     swapl(&stuff->pid);
+     swapl(&stuff->drawable);
+@@ -2042,6 +2045,7 @@ static int
+ SProcRenderChangePicture(ClientPtr client)
+ {
+     REQUEST(xRenderChangePictureReq);
++    REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
+     swaps(&stuff->length);
+     swapl(&stuff->picture);
+     swapl(&stuff->mask);
+@@ -2053,6 +2057,7 @@ static int
+ SProcRenderSetPictureClipRectangles(ClientPtr client)
+ {
+     REQUEST(xRenderSetPictureClipRectanglesReq);
++    REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
+     swaps(&stuff->length);
+     swapl(&stuff->picture);
+     swaps(&stuff->xOrigin);
+@@ -2065,6 +2070,7 @@ static int
+ SProcRenderFreePicture(ClientPtr client)
+ {
+     REQUEST(xRenderFreePictureReq);
++    REQUEST_SIZE_MATCH(xRenderFreePictureReq);
+     swaps(&stuff->length);
+     swapl(&stuff->picture);
+     return (*ProcRenderVector[stuff->renderReqType]) (client);
+@@ -2074,6 +2080,7 @@ static int
+ SProcRenderComposite(ClientPtr client)
+ {
+     REQUEST(xRenderCompositeReq);
++    REQUEST_SIZE_MATCH(xRenderCompositeReq);
+     swaps(&stuff->length);
+     swapl(&stuff->src);
+     swapl(&stuff->mask);
+@@ -2093,6 +2100,7 @@ static int
+ SProcRenderScale(ClientPtr client)
+ {
+     REQUEST(xRenderScaleReq);
++    REQUEST_SIZE_MATCH(xRenderScaleReq);
+     swaps(&stuff->length);
+     swapl(&stuff->src);
+     swapl(&stuff->dst);
+@@ -2193,6 +2201,7 @@ static int
+ SProcRenderCreateGlyphSet(ClientPtr client)
+ {
+     REQUEST(xRenderCreateGlyphSetReq);
++    REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
+     swaps(&stuff->length);
+     swapl(&stuff->gsid);
+     swapl(&stuff->format);
+@@ -2203,6 +2212,7 @@ static int
+ SProcRenderReferenceGlyphSet(ClientPtr client)
+ {
+     REQUEST(xRenderReferenceGlyphSetReq);
++    REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
+     swaps(&stuff->length);
+     swapl(&stuff->gsid);
+     swapl(&stuff->existing);
+@@ -2213,6 +2223,7 @@ static int
+ SProcRenderFreeGlyphSet(ClientPtr client)
+ {
+     REQUEST(xRenderFreeGlyphSetReq);
++    REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
+     swaps(&stuff->length);
+     swapl(&stuff->glyphset);
+     return (*ProcRenderVector[stuff->renderReqType]) (client);
+@@ -2227,6 +2238,7 @@ SProcRenderAddGlyphs(ClientPtr client)
+     xGlyphInfo *gi;
+ 
+     REQUEST(xRenderAddGlyphsReq);
++    REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
+     swaps(&stuff->length);
+     swapl(&stuff->glyphset);
+     swapl(&stuff->nglyphs);
+@@ -2261,6 +2273,7 @@ static int
+ SProcRenderFreeGlyphs(ClientPtr client)
+ {
+     REQUEST(xRenderFreeGlyphsReq);
++    REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
+     swaps(&stuff->length);
+     swapl(&stuff->glyphset);
+     SwapRestL(stuff);
+@@ -2278,6 +2291,7 @@ SProcRenderCompositeGlyphs(ClientPtr client)
+     int size;
+ 
+     REQUEST(xRenderCompositeGlyphsReq);
++    REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
+ 
+     switch (stuff->renderReqType) {
+     default:
+-- 
+1.7.9.2
+