render: check request size before reading it [CVE-2014-8100 1/2]
Otherwise we may be reading outside of the client request. Signed-off-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
This commit is contained in:
parent
3df2fcf124
commit
b5f9ef03df
|
@ -276,11 +276,11 @@ ProcRenderQueryVersion(ClientPtr client)
|
|||
|
||||
REQUEST(xRenderQueryVersionReq);
|
||||
|
||||
REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
|
||||
|
||||
pRenderClient->major_version = stuff->majorVersion;
|
||||
pRenderClient->minor_version = stuff->minorVersion;
|
||||
|
||||
REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
|
||||
|
||||
if ((stuff->majorVersion * 1000 + stuff->minorVersion) <
|
||||
(SERVER_RENDER_MAJOR_VERSION * 1000 + SERVER_RENDER_MINOR_VERSION)) {
|
||||
rep.majorVersion = stuff->majorVersion;
|
||||
|
|
Loading…
Reference in New Issue
Block a user