render: check request size before reading it [CVE-2014-8100 1/2]

Otherwise we may be reading outside of the client request.

Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
This commit is contained in:
Julien Cristau 2014-10-28 10:30:04 +01:00 committed by Alan Coopersmith
parent 3df2fcf124
commit b5f9ef03df

View File

@ -276,11 +276,11 @@ ProcRenderQueryVersion(ClientPtr client)
REQUEST(xRenderQueryVersionReq);
REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
pRenderClient->major_version = stuff->majorVersion;
pRenderClient->minor_version = stuff->minorVersion;
REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
if ((stuff->majorVersion * 1000 + stuff->minorVersion) <
(SERVER_RENDER_MAJOR_VERSION * 1000 + SERVER_RENDER_MINOR_VERSION)) {
rep.majorVersion = stuff->majorVersion;