[X2Go-Commits] [nx-libs] 17/40: render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2]
git-admin at x2go.org
git-admin at x2go.org
Sat Jun 20 00:03:24 CEST 2015
This is an automated email from the git hooks/post-receive script.
x2go pushed a commit to branch 3.6.x
in repository nx-libs.
commit a0c90ad34fa89e5358893701723bd2f96a4bd3b2
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sun Jan 26 19:51:29 2014 -0800
render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2]
v2: backport to nx-libs 3.6.x (Mike DePaulo)
v3: port to NXrender.c rather than render.c (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
Conflicts:
render/render.c
---
nx-X11/programs/Xserver/hw/nxagent/NXrender.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXrender.c b/nx-X11/programs/Xserver/hw/nxagent/NXrender.c
index 8a00910..c2f6527 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/NXrender.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/NXrender.c
@@ -2532,6 +2532,7 @@ SProcRenderQueryVersion (ClientPtr client)
{
register int n;
REQUEST(xRenderQueryVersionReq);
+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
swaps(&stuff->length, n);
swapl(&stuff->majorVersion, n);
@@ -2544,6 +2545,7 @@ SProcRenderQueryPictFormats (ClientPtr client)
{
register int n;
REQUEST(xRenderQueryPictFormatsReq);
+ REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
swaps(&stuff->length, n);
return (*ProcRenderVector[stuff->renderReqType]) (client);
}
@@ -2553,6 +2555,7 @@ SProcRenderQueryPictIndexValues (ClientPtr client)
{
register int n;
REQUEST(xRenderQueryPictIndexValuesReq);
+ REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
swaps(&stuff->length, n);
swapl(&stuff->format, n);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2569,6 +2572,7 @@ SProcRenderCreatePicture (ClientPtr client)
{
register int n;
REQUEST(xRenderCreatePictureReq);
+ REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
swaps(&stuff->length, n);
swapl(&stuff->pid, n);
swapl(&stuff->drawable, n);
@@ -2583,6 +2587,7 @@ SProcRenderChangePicture (ClientPtr client)
{
register int n;
REQUEST(xRenderChangePictureReq);
+ REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
swaps(&stuff->length, n);
swapl(&stuff->picture, n);
swapl(&stuff->mask, n);
@@ -2595,6 +2600,7 @@ SProcRenderSetPictureClipRectangles (ClientPtr client)
{
register int n;
REQUEST(xRenderSetPictureClipRectanglesReq);
+ REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
swaps(&stuff->length, n);
swapl(&stuff->picture, n);
SwapRestS(stuff);
@@ -2606,6 +2612,7 @@ SProcRenderFreePicture (ClientPtr client)
{
register int n;
REQUEST(xRenderFreePictureReq);
+ REQUEST_SIZE_MATCH(xRenderFreePictureReq);
swaps(&stuff->length, n);
swapl(&stuff->picture, n);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2616,6 +2623,7 @@ SProcRenderComposite (ClientPtr client)
{
register int n;
REQUEST(xRenderCompositeReq);
+ REQUEST_SIZE_MATCH(xRenderCompositeReq);
swaps(&stuff->length, n);
swapl(&stuff->src, n);
swapl(&stuff->mask, n);
@@ -2636,6 +2644,7 @@ SProcRenderScale (ClientPtr client)
{
register int n;
REQUEST(xRenderScaleReq);
+ REQUEST_SIZE_MATCH(xRenderScaleReq);
swaps(&stuff->length, n);
swapl(&stuff->src, n);
swapl(&stuff->dst, n);
@@ -2741,6 +2750,7 @@ SProcRenderCreateGlyphSet (ClientPtr client)
{
register int n;
REQUEST(xRenderCreateGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
swaps(&stuff->length, n);
swapl(&stuff->gsid, n);
swapl(&stuff->format, n);
@@ -2752,6 +2762,7 @@ SProcRenderReferenceGlyphSet (ClientPtr client)
{
register int n;
REQUEST(xRenderReferenceGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
swaps(&stuff->length, n);
swapl(&stuff->gsid, n);
swapl(&stuff->existing, n);
@@ -2763,6 +2774,7 @@ SProcRenderFreeGlyphSet (ClientPtr client)
{
register int n;
REQUEST(xRenderFreeGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
swaps(&stuff->length, n);
swapl(&stuff->glyphset, n);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2777,6 +2789,7 @@ SProcRenderAddGlyphs (ClientPtr client)
void *end;
xGlyphInfo *gi;
REQUEST(xRenderAddGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
swaps(&stuff->length, n);
swapl(&stuff->glyphset, n);
swapl(&stuff->nglyphs, n);
@@ -2813,6 +2826,7 @@ SProcRenderFreeGlyphs (ClientPtr client)
{
register int n;
REQUEST(xRenderFreeGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
swaps(&stuff->length, n);
swapl(&stuff->glyphset, n);
SwapRestL(stuff);
@@ -2831,7 +2845,8 @@ SProcRenderCompositeGlyphs (ClientPtr client)
int size;
REQUEST(xRenderCompositeGlyphsReq);
-
+ REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
+
switch (stuff->renderReqType) {
default: size = 1; break;
case X_RenderCompositeGlyphs16: size = 2; break;
--
Alioth's /srv/git/code.x2go.org/nx-libs.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
More information about the x2go-commits
mailing list