present: unvalidated lengths in Present extension procs [CVE-2014-8103 2/2]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Julien Cristau <jcristau@debian.org>
This commit is contained in:
parent
0a6085aaf3
commit
d155b7a8e3
|
@ -210,6 +210,7 @@ proc_present_query_capabilities (ClientPtr client)
|
|||
RRCrtcPtr crtc = NULL;
|
||||
int r;
|
||||
|
||||
REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq);
|
||||
r = dixLookupWindow(&window, stuff->target, client, DixGetAttrAccess);
|
||||
switch (r) {
|
||||
case Success:
|
||||
|
@ -254,6 +255,7 @@ static int
|
|||
sproc_present_query_version(ClientPtr client)
|
||||
{
|
||||
REQUEST(xPresentQueryVersionReq);
|
||||
REQUEST_SIZE_MATCH(xPresentQueryVersionReq);
|
||||
|
||||
swaps(&stuff->length);
|
||||
swapl(&stuff->majorVersion);
|
||||
|
@ -265,6 +267,7 @@ static int
|
|||
sproc_present_pixmap(ClientPtr client)
|
||||
{
|
||||
REQUEST(xPresentPixmapReq);
|
||||
REQUEST_AT_LEAST_SIZE(xPresentPixmapReq);
|
||||
|
||||
swaps(&stuff->length);
|
||||
swapl(&stuff->window);
|
||||
|
@ -284,6 +287,7 @@ static int
|
|||
sproc_present_notify_msc(ClientPtr client)
|
||||
{
|
||||
REQUEST(xPresentNotifyMSCReq);
|
||||
REQUEST_SIZE_MATCH(xPresentNotifyMSCReq);
|
||||
|
||||
swaps(&stuff->length);
|
||||
swapl(&stuff->window);
|
||||
|
@ -297,6 +301,7 @@ static int
|
|||
sproc_present_select_input (ClientPtr client)
|
||||
{
|
||||
REQUEST(xPresentSelectInputReq);
|
||||
REQUEST_SIZE_MATCH(xPresentSelectInputReq);
|
||||
|
||||
swaps(&stuff->length);
|
||||
swapl(&stuff->window);
|
||||
|
@ -308,6 +313,7 @@ static int
|
|||
sproc_present_query_capabilities (ClientPtr client)
|
||||
{
|
||||
REQUEST(xPresentQueryCapabilitiesReq);
|
||||
REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq);
|
||||
swaps(&stuff->length);
|
||||
swapl(&stuff->target);
|
||||
return (*proc_present_vector[stuff->presentReqType]) (client);
|
||||
|
|
Loading…
Reference in New Issue
Block a user