X-Git-Url: https://git.piment-noir.org/?p=deb_xorg-server.git;a=blobdiff_plain;f=debian%2Fpatches%2FCVE-2014-8xxx%2F0018-Add-request-length-checking-test-cases-for-some-Xinp.patch;fp=debian%2Fpatches%2FCVE-2014-8xxx%2F0018-Add-request-length-checking-test-cases-for-some-Xinp.patch;h=20ee8ecf02eac3ba48be555029826e58e025fdf9;hp=0000000000000000000000000000000000000000;hb=7217e0ca50bba73dad94782e67980aeeb24ab693;hpb=a09e091a5c996d46a398abb27b06fe504591673f

diff --git a/debian/patches/CVE-2014-8xxx/0018-Add-request-length-checking-test-cases-for-some-Xinp.patch b/debian/patches/CVE-2014-8xxx/0018-Add-request-length-checking-test-cases-for-some-Xinp.patch
new file mode 100644
index 0000000..20ee8ec
--- /dev/null
+++ b/debian/patches/CVE-2014-8xxx/0018-Add-request-length-checking-test-cases-for-some-Xinp.patch
@@ -0,0 +1,86 @@
+From a8d2ec0a4c11fb5804c073a5b74ba342d59843a8 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 9 Feb 2014 21:28:05 -0800
+Subject: [PATCH 18/33] Add request length checking test cases for some Xinput
+ 2.x requests
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ test/xi2/protocol-xigetclientpointer.c  |    5 +++++
+ test/xi2/protocol-xipassivegrabdevice.c |    8 ++++++++
+ test/xi2/protocol-xiquerypointer.c      |    4 ++++
+ test/xi2/protocol-xiwarppointer.c       |    3 +++
+ 4 files changed, 20 insertions(+)
+
+Index: xorg-server-1.15.1/test/xi2/protocol-xigetclientpointer.c
+===================================================================
+--- xorg-server-1.15.1.orig/test/xi2/protocol-xigetclientpointer.c	2014-12-04 11:54:32.024693177 -0500
++++ xorg-server-1.15.1/test/xi2/protocol-xigetclientpointer.c	2014-12-04 11:54:32.020693152 -0500
+@@ -124,6 +124,11 @@
+     request.win = INVALID_WINDOW_ID;
+     request_XIGetClientPointer(&client_request, &request, BadWindow);
+ 
++    printf("Testing invalid length\n");
++    client_request.req_len -= 4;
++    request_XIGetClientPointer(&client_request, &request, BadLength);
++    client_request.req_len += 4;
++
+     test_data.cp_is_set = FALSE;
+ 
+     printf("Testing window None, unset ClientPointer.\n");
+Index: xorg-server-1.15.1/test/xi2/protocol-xipassivegrabdevice.c
+===================================================================
+--- xorg-server-1.15.1.orig/test/xi2/protocol-xipassivegrabdevice.c	2014-12-04 11:54:32.024693177 -0500
++++ xorg-server-1.15.1/test/xi2/protocol-xipassivegrabdevice.c	2014-12-04 11:54:32.020693152 -0500
+@@ -139,6 +139,7 @@
+     int modifiers;
+     int mask_len;
+ 
++    client_request.req_len = req->length;
+     rc = ProcXIPassiveGrabDevice(&client_request);
+     assert(rc == error);
+ 
+@@ -190,6 +191,13 @@
+     request_XIPassiveGrabDevice(&client_request, request, BadDevice,
+                                 request->deviceid);
+ 
++    printf("Testing invalid length\n");
++    request->length -= 2;
++    request_XIPassiveGrabDevice(&client_request, request, BadLength,
++                                client_request.errorValue);
++    /* re-init request since swapped length test leaves some values swapped */
++    request_init(request, XIPassiveGrabDevice);
++    request->grab_window = CLIENT_WINDOW_ID;
+     request->deviceid = XIAllMasterDevices;
+ 
+     printf("Testing invalid grab types\n");
+Index: xorg-server-1.15.1/test/xi2/protocol-xiquerypointer.c
+===================================================================
+--- xorg-server-1.15.1.orig/test/xi2/protocol-xiquerypointer.c	2014-12-04 11:54:32.024693177 -0500
++++ xorg-server-1.15.1/test/xi2/protocol-xiquerypointer.c	2014-12-04 11:54:32.020693152 -0500
+@@ -201,6 +201,10 @@
+     test_data.dev = devices.mouse;
+     request.deviceid = devices.mouse->id;
+     request_XIQueryPointer(&client_request, &request, Success);
++
++    /* test REQUEST_SIZE_MATCH */
++    client_request.req_len -= 4;
++    request_XIQueryPointer(&client_request, &request, BadLength);
+ }
+ 
+ int
+Index: xorg-server-1.15.1/test/xi2/protocol-xiwarppointer.c
+===================================================================
+--- xorg-server-1.15.1.orig/test/xi2/protocol-xiwarppointer.c	2014-12-04 11:54:32.024693177 -0500
++++ xorg-server-1.15.1/test/xi2/protocol-xiwarppointer.c	2014-12-04 11:54:32.020693152 -0500
+@@ -198,6 +198,9 @@
+     request_XIWarpPointer(&client_request, &request, Success);
+ 
+     /* FIXME: src_x/y checks */
++
++    client_request.req_len -= 2; /* invalid length */
++    request_XIWarpPointer(&client_request, &request, BadLength);
+ }
+ 
+ int