From 0402e58cf3a2db5be8f6e9aaa8c1372b46ef9a38 Mon Sep 17 00:00:00 2001
From: "Enrico Weigelt, metux IT consult"
Date: Tue, 6 Aug 2024 15:54:22 +0200
Subject: [PATCH] (!1639) randr: fix length checking with bigreq

The authorative source of the request frame size is client->req_len, especially with big requests larger than 2^18 bytes.

Signed-off-by: Enrico Weigelt, metux IT consult
---
 randr/rrcrtc.c | 2 +-
 randr/rrmode.c | 2 +-
 randr/rrmonitor.c | 2 +-
 randr/rrproperty.c | 2 +-
 randr/rrproviderproperty.c | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/randr/rrcrtc.c b/randr/rrcrtc.c
index b47f0aeac..42421b1ce 100644
--- a/randr/rrcrtc.c
+++ b/randr/rrcrtc.c
@@ -1305,7 +1305,7 @@ ProcRRSetCrtcConfig(ClientPtr client)
     CARD8 status;
     REQUEST_AT_LEAST_SIZE(xRRSetCrtcConfigReq);
-    numOutputs = (stuff->length - bytes_to_int32(SIZEOF(xRRSetCrtcConfigReq)));
+    numOutputs = (client->req_len - bytes_to_int32(sizeof(xRRSetCrtcConfigReq)));
     VERIFY_RR_CRTC(stuff->crtc, crtc, DixSetAttrAccess);
diff --git a/randr/rrmode.c b/randr/rrmode.c
index 23d5c70d8..20ff4525d 100644
--- a/randr/rrmode.c
+++ b/randr/rrmode.c
@@ -304,7 +304,7 @@ ProcRRCreateMode(ClientPtr client)
     modeInfo = &stuff->modeInfo;
     name = (char *) (stuff + 1);
-    units_after = (stuff->length - bytes_to_int32(sizeof(xRRCreateModeReq)));
+    units_after = (client->req_len - bytes_to_int32(sizeof(xRRCreateModeReq)));
     /* check to make sure requested name fits within the data provided */
     if (bytes_to_int32(modeInfo->nameLength) > units_after)
diff --git a/randr/rrmonitor.c b/randr/rrmonitor.c
index 9280061ff..b3712c0ca 100644
--- a/randr/rrmonitor.c
+++ b/randr/rrmonitor.c
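Review bot: Besides switching to `client->req_len`, the rewritten `numOutputs` line also replaces `SIZEOF(xRRSetCrtcConfigReq)` with `sizeof(xRRSetCrtcConfigReq)`, which the commit message does not mention; the rrmonitor.c hunk makes the same swap. `SIZEOF` resolves to the protocol headers' fixed wire-size constant for the request, whereas `sizeof` is the compiler's view of the struct, so the two agree only while the struct layout carries no padding; either keep `SIZEOF` or state the intent in the message. The subtraction is only non-negative because `REQUEST_AT_LEAST_SIZE` on the preceding line has already rejected frames whose `client->req_len` is below the header size, so a short comment would help readers of this and the other four sites: `/* client->req_len is the real frame length; stuff->length is not authoritative for BIG-REQUESTS */`. ProcRRSetCrtcConfig begins and ends outside the hunk, so how `numOutputs` is bounded afterwards cannot be confirmed from here.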
@@ -672,7 +672,7 @@ ProcRRSetMonitor(ClientPtr client)
     REQUEST_AT_LEAST_SIZE(xRRSetMonitorReq);
-    if (stuff->monitor.noutput != stuff->length - (SIZEOF(xRRSetMonitorReq) >> 2))
+    if (stuff->monitor.noutput != client->req_len - (sizeof(xRRSetMonitorReq) >> 2))
         return BadLength;
     r = dixLookupWindow(&window, stuff->window, client, DixGetAttrAccess);
diff --git a/randr/rrproperty.c b/randr/rrproperty.c
index 6f8cbb8bb..f97c3464f 100644
--- a/randr/rrproperty.c
+++ b/randr/rrproperty.c
@@ -520,7 +520,7 @@ ProcRRConfigureOutputProperty(ClientPtr client)
         return BadAccess;
     num_valid =
-        stuff->length - bytes_to_int32(sizeof(xRRConfigureOutputPropertyReq));
+        client->req_len - bytes_to_int32(sizeof(xRRConfigureOutputPropertyReq));
     return RRConfigureOutputProperty(output, stuff->property, stuff->pending, stuff->range, FALSE, num_valid, (INT32 *) (stuff + 1));
diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
index d26cf598d..69f66ed27 100644
--- a/randr/rrproviderproperty.c
+++ b/randr/rrproviderproperty.c
@@ -487,7 +487,7 @@ ProcRRConfigureProviderProperty(ClientPtr client)
     VERIFY_RR_PROVIDER(stuff->provider, provider, DixReadAccess);
     num_valid =
-        stuff->length - bytes_to_int32(sizeof(xRRConfigureProviderPropertyReq));
+        client->req_len - bytes_to_int32(sizeof(xRRConfigureProviderPropertyReq));
     return RRConfigureProviderProperty(provider, stuff->property, stuff->pending, stuff->range, FALSE, num_valid, (INT32 *) (stuff + 1));
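Review bot: The header-size term in the rewritten condition is spelled `(sizeof(xRRSetMonitorReq) >> 2)` while the other four hunks use `bytes_to_int32(sizeof(...))`; the manual shift gives the same value when the struct size is a multiple of four but reads as a different idiom, so `if (stuff->monitor.noutput != client->req_len - bytes_to_int32(sizeof(xRRSetMonitorReq)))` would keep the five sites uniform. The right-hand side is now an unsigned expression compared against the CARD32 `noutput`; it cannot wrap because `REQUEST_AT_LEAST_SIZE` directly above guarantees `client->req_len` is at least the header size, and the exact-equality test is the right strictness for a count that must fill the payload. ProcRRSetMonitor continues past the hunk.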
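Review bot: The precondition that keeps `client->req_len - bytes_to_int32(sizeof(xRRConfigureOutputPropertyReq))` non-negative is not visible in this hunk: unlike the rrcrtc.c and rrmonitor.c hunks, no `REQUEST_AT_LEAST_SIZE` is in view, so the new line relies on one earlier in ProcRRConfigureOutputProperty, outside the hunk and presumably present. The rrproviderproperty.c hunk is in the same position. If `num_valid` is a signed int, a frame shorter than the header would make it negative before it is handed to RRConfigureOutputProperty as an element count, so a comment at the point of use would document the invariant: `/* REQUEST_AT_LEAST_SIZE above guarantees req_len >= header, so num_valid >= 0 */`. The function starts before the hunk.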