[X2Go-Commits] [nx-libs] 38/52: Xv: unvalidated lengths in XVideo extension swapped procs [CVE-2014-8099]
git-admin at x2go.org
git-admin at x2go.org
Sat Feb 14 17:47:15 CET 2015
This is an automated email from the git hooks/post-receive script.
x2go pushed a commit to branch 3.6.x
in repository nx-libs.
commit 2abde565df5de98800cec428fe612cb979063c02
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sun Jan 26 19:23:17 2014 -0800
Xv: unvalidated lengths in XVideo extension swapped procs [CVE-2014-8099]
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
Conflicts:
Xext/xvdisp.c
---
nx-X11/programs/Xserver/Xext/xvdisp.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/nx-X11/programs/Xserver/Xext/xvdisp.c b/nx-X11/programs/Xserver/Xext/xvdisp.c
index 21ab0b6..b361c0f 100644
--- a/nx-X11/programs/Xserver/Xext/xvdisp.c
+++ b/nx-X11/programs/Xserver/Xext/xvdisp.c
@@ -1347,6 +1347,7 @@ SProcXvQueryExtension(ClientPtr client)
{
register char n;
REQUEST(xvQueryExtensionReq);
+ REQUEST_SIZE_MATCH(xvQueryExtensionReq);
swaps(&stuff->length, n);
return ProcXvQueryExtension(client);
}
@@ -1356,6 +1357,7 @@ SProcXvQueryAdaptors(ClientPtr client)
{
register char n;
REQUEST(xvQueryAdaptorsReq);
+ REQUEST_SIZE_MATCH(xvQueryAdaptorsReq);
swaps(&stuff->length, n);
swapl(&stuff->window, n);
return ProcXvQueryAdaptors(client);
@@ -1366,6 +1368,7 @@ SProcXvQueryEncodings(ClientPtr client)
{
register char n;
REQUEST(xvQueryEncodingsReq);
+ REQUEST_SIZE_MATCH(xvQueryEncodingsReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
return ProcXvQueryEncodings(client);
@@ -1376,6 +1379,7 @@ SProcXvGrabPort(ClientPtr client)
{
register char n;
REQUEST(xvGrabPortReq);
+ REQUEST_SIZE_MATCH(xvGrabPortReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->time, n);
@@ -1387,6 +1391,7 @@ SProcXvUngrabPort(ClientPtr client)
{
register char n;
REQUEST(xvUngrabPortReq);
+ REQUEST_SIZE_MATCH(xvUngrabPortReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->time, n);
@@ -1398,6 +1403,7 @@ SProcXvPutVideo(ClientPtr client)
{
register char n;
REQUEST(xvPutVideoReq);
+ REQUEST_SIZE_MATCH(xvPutVideoReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1418,6 +1424,7 @@ SProcXvPutStill(ClientPtr client)
{
register char n;
REQUEST(xvPutStillReq);
+ REQUEST_SIZE_MATCH(xvPutStillReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1438,6 +1445,7 @@ SProcXvGetVideo(ClientPtr client)
{
register char n;
REQUEST(xvGetVideoReq);
+ REQUEST_SIZE_MATCH(xvGetVideoReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1458,6 +1466,7 @@ SProcXvGetStill(ClientPtr client)
{
register char n;
REQUEST(xvGetStillReq);
+ REQUEST_SIZE_MATCH(xvGetStillReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1478,6 +1487,7 @@ SProcXvPutImage(ClientPtr client)
{
register char n;
REQUEST(xvPutImageReq);
+ REQUEST_AT_LEAST_SIZE(xvPutImageReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1502,6 +1512,7 @@ SProcXvShmPutImage(ClientPtr client)
{
register char n;
REQUEST(xvShmPutImageReq);
+ REQUEST_SIZE_MATCH(xvShmPutImageReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1529,6 +1540,7 @@ SProcXvSelectVideoNotify(ClientPtr client)
{
register char n;
REQUEST(xvSelectVideoNotifyReq);
+ REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq);
swaps(&stuff->length, n);
swapl(&stuff->drawable, n);
return ProcXvSelectVideoNotify(client);
@@ -1539,6 +1551,7 @@ SProcXvSelectPortNotify(ClientPtr client)
{
register char n;
REQUEST(xvSelectPortNotifyReq);
+ REQUEST_SIZE_MATCH(xvSelectPortNotifyReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
return ProcXvSelectPortNotify(client);
@@ -1549,6 +1562,7 @@ SProcXvStopVideo(ClientPtr client)
{
register char n;
REQUEST(xvStopVideoReq);
+ REQUEST_SIZE_MATCH(xvStopVideoReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->drawable, n);
@@ -1560,6 +1574,7 @@ SProcXvSetPortAttribute(ClientPtr client)
{
register char n;
REQUEST(xvSetPortAttributeReq);
+ REQUEST_SIZE_MATCH(xvSetPortAttributeReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->attribute, n);
@@ -1571,6 +1586,7 @@ SProcXvGetPortAttribute(ClientPtr client)
{
register char n;
REQUEST(xvGetPortAttributeReq);
+ REQUEST_SIZE_MATCH(xvGetPortAttributeReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swapl(&stuff->attribute, n);
@@ -1582,6 +1598,7 @@ SProcXvQueryBestSize(ClientPtr client)
{
register char n;
REQUEST(xvQueryBestSizeReq);
+ REQUEST_SIZE_MATCH(xvQueryBestSizeReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
swaps(&stuff->vid_w, n);
@@ -1596,6 +1613,7 @@ SProcXvQueryPortAttributes(ClientPtr client)
{
register char n;
REQUEST(xvQueryPortAttributesReq);
+ REQUEST_SIZE_MATCH(xvQueryPortAttributesReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
return ProcXvQueryPortAttributes(client);
@@ -1606,6 +1624,7 @@ SProcXvQueryImageAttributes(ClientPtr client)
{
register char n;
REQUEST(xvQueryImageAttributesReq);
+ REQUEST_SIZE_MATCH(xvQueryImageAttributesReq);
swaps(&stuff->length, n);
swapl(&stuff->id, n);
swaps(&stuff->width, n);
@@ -1618,6 +1637,7 @@ SProcXvListImageFormats(ClientPtr client)
{
register char n;
REQUEST(xvListImageFormatsReq);
+ REQUEST_SIZE_MATCH(xvListImageFormatsReq);
swaps(&stuff->length, n);
swapl(&stuff->port, n);
return ProcXvListImageFormats(client);
--
Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
More information about the x2go-commits
mailing list