From 659260a0b7c1cef6060bd62a83deb03e3fa472b1 Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Fri, 6 Aug 2021 13:23:08 -0400
Subject: [PATCH] More missing version checks in SProcs

The bug in XFixes was also found in GenericEvent and Damage.
---
 Xext/geext.c | 8 +++++++-
 damageext/damageext.c | 6 +++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/Xext/geext.c b/Xext/geext.c
index 5009c081a..05988c41a 100644
--- a/Xext/geext.c
+++ b/Xext/geext.c
@@ -138,9 +138,15 @@ ProcGEDispatch(ClientPtr client)
 static int _X_COLD
 SProcGEDispatch(ClientPtr client)
 {
+ GEClientInfoPtr pGEClient = GEGetClient(client);
+
 REQUEST(xGEReq);
- if (stuff->ReqType >= GENumberRequests)
+
+ if (pGEClient->major_version >= ARRAY_SIZE(version_requests))
 return BadRequest;
+ if (stuff->ReqType > version_requests[pGEClient->major_version])
+ return BadRequest;
+
 return (*SProcGEVector[stuff->ReqType]) (client);
 }

diff --git a/damageext/damageext.c b/damageext/damageext.c
index ce490cbf2..c8194da07 100644
--- a/damageext/damageext.c
+++ b/damageext/damageext.c
@@ -561,7 +561,11 @@ static int _X_COLD
 SProcDamageDispatch(ClientPtr client)
 {
 REQUEST(xDamageReq);
- if (stuff->damageReqType >= XDamageNumberRequests)
+ DamageClientPtr pDamageClient = GetDamageClient(client);
+
+ if (pDamageClient->major_version >= ARRAY_SIZE(version_requests))
+ return BadRequest;
+ if (stuff->damageReqType > version_requests[pDamageClient->major_version])
 return BadRequest;
 return (*SProcDamageVector[stuff->damageReqType]) (client);
 }
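Review bot: The index into `SProcGEVector` in `SProcGEDispatch` is now bounded only by the contents of `version_requests`, because the explicit `stuff->ReqType >= GENumberRequests` test was replaced rather than kept alongside the per-version check. Neither the table nor the vector is defined in this hunk, so if a table entry ever reaches the vector's length, the dispatch would read a function pointer past its end. I would keep the old guard as well, `if (stuff->ReqType >= GENumberRequests) return BadRequest;`, or assert the relationship where `version_requests` is defined. The same applies to `SProcDamageDispatch` in damageext/damageext.c with `XDamageNumberRequests`. The `>` comparison also presumes each entry is the highest opcode of that version rather than a count, which deserves a one-line comment at the check, e.g. `/* version_requests[] holds the last valid request per major version */`.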