andreacavalli/xserver-multidpi
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

present: unvalidated lengths in Present extension procs [CVE-2014-8103 2/2]

Browse Source 
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
This commit is contained in:
Alan Coopersmith 2014-01-26 19:33:34 -08:00
parent 0a6085aaf3
commit d155b7a8e3
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
present/present_request.c
View File

@ -210,6 +210,7 @@ proc_present_query_capabilities (ClientPtr client)
RRCrtcPtr crtc = NULL; RRCrtcPtr crtc = NULL;
int r; int r;
REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq);
r = dixLookupWindow(&window, stuff->target, client, DixGetAttrAccess); r = dixLookupWindow(&window, stuff->target, client, DixGetAttrAccess);
switch (r) { switch (r) {
case Success: case Success:
@ -254,6 +255,7 @@ static int
sproc_present_query_version(ClientPtr client) sproc_present_query_version(ClientPtr client)
{ {
REQUEST(xPresentQueryVersionReq); REQUEST(xPresentQueryVersionReq);
REQUEST_SIZE_MATCH(xPresentQueryVersionReq);
swaps(&stuff->length); swaps(&stuff->length);
swapl(&stuff->majorVersion); swapl(&stuff->majorVersion);
@ -265,6 +267,7 @@ static int
sproc_present_pixmap(ClientPtr client) sproc_present_pixmap(ClientPtr client)
{ {
REQUEST(xPresentPixmapReq); REQUEST(xPresentPixmapReq);
REQUEST_AT_LEAST_SIZE(xPresentPixmapReq);
swaps(&stuff->length); swaps(&stuff->length);
swapl(&stuff->window); swapl(&stuff->window);
@ -284,6 +287,7 @@ static int
sproc_present_notify_msc(ClientPtr client) sproc_present_notify_msc(ClientPtr client)
{ {
REQUEST(xPresentNotifyMSCReq); REQUEST(xPresentNotifyMSCReq);
REQUEST_SIZE_MATCH(xPresentNotifyMSCReq);
swaps(&stuff->length); swaps(&stuff->length);
swapl(&stuff->window); swapl(&stuff->window);
@ -297,6 +301,7 @@ static int
sproc_present_select_input (ClientPtr client) sproc_present_select_input (ClientPtr client)
{ {
REQUEST(xPresentSelectInputReq); REQUEST(xPresentSelectInputReq);
REQUEST_SIZE_MATCH(xPresentSelectInputReq);
swaps(&stuff->length); swaps(&stuff->length);
swapl(&stuff->window); swapl(&stuff->window);
@ -308,6 +313,7 @@ static int
sproc_present_query_capabilities (ClientPtr client) sproc_present_query_capabilities (ClientPtr client)
{ {
REQUEST(xPresentQueryCapabilitiesReq); REQUEST(xPresentQueryCapabilitiesReq);
REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq);
swaps(&stuff->length); swaps(&stuff->length);
swapl(&stuff->target); swapl(&stuff->target);
return (*proc_present_vector[stuff->presentReqType]) (client); return (*proc_present_vector[stuff->presentReqType]) (client);