(!1639) randr: fix length checking with bigreq
The authoritative source of the request frame size is client->req_len, especially with big requests larger than 2^18 bytes. Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
parent
f3520016b2
commit
0402e58cf3
|
@ -1305,7 +1305,7 @@ ProcRRSetCrtcConfig(ClientPtr client)
|
||||||
CARD8 status;
|
CARD8 status;
|
||||||
|
|
||||||
REQUEST_AT_LEAST_SIZE(xRRSetCrtcConfigReq);
|
REQUEST_AT_LEAST_SIZE(xRRSetCrtcConfigReq);
|
||||||
numOutputs = (stuff->length - bytes_to_int32(SIZEOF(xRRSetCrtcConfigReq)));
|
numOutputs = (client->req_len - bytes_to_int32(sizeof(xRRSetCrtcConfigReq)));
|
||||||
|
|
||||||
VERIFY_RR_CRTC(stuff->crtc, crtc, DixSetAttrAccess);
|
VERIFY_RR_CRTC(stuff->crtc, crtc, DixSetAttrAccess);
|
||||||
|
|
||||||
|
|
|
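Review bot: The new `numOutputs` line also replaces `SIZEOF(xRRSetCrtcConfigReq)` with `sizeof(xRRSetCrtcConfigReq)`, which the commit description does not mention. `SIZEOF()` names the protocol's wire size, while `sizeof` is the compiler's struct size, and the two agree only while the struct has no padding. Either keep the wire-size macro in this commit, `numOutputs = client->req_len - bytes_to_int32(SIZEOF(xRRSetCrtcConfigReq));`, or record the equivalence with a build-time assertion on the two sizes. The same swap appears in the ProcRRSetMonitor hunk. ProcRRSetCrtcConfig's body starts and ends outside the hunk.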
@ -304,7 +304,7 @@ ProcRRCreateMode(ClientPtr client)
|
||||||
|
|
||||||
modeInfo = &stuff->modeInfo;
|
modeInfo = &stuff->modeInfo;
|
||||||
name = (char *) (stuff + 1);
|
name = (char *) (stuff + 1);
|
||||||
units_after = (stuff->length - bytes_to_int32(sizeof(xRRCreateModeReq)));
|
units_after = (client->req_len - bytes_to_int32(sizeof(xRRCreateModeReq)));
|
||||||
|
|
||||||
/* check to make sure requested name fits within the data provided */
|
/* check to make sure requested name fits within the data provided */
|
||||||
if (bytes_to_int32(modeInfo->nameLength) > units_after)
|
if (bytes_to_int32(modeInfo->nameLength) > units_after)
|
||||||
|
|
|
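Review bot: Nothing in this hunk shows that `client->req_len` is at least the header size before `units_after` is computed, and the name-length check two lines below depends on that. If `req_len` is an unsigned field, a request shorter than the header would make the subtraction wrap to a large value, and `bytes_to_int32(modeInfo->nameLength) > units_after` would no longer reject it. ProcRRCreateMode starts outside the hunk, so the minimum-size check is presumably above; a comment such as `/* REQUEST_AT_LEAST_SIZE above guarantees req_len covers the fixed header, so this cannot wrap */` would record the dependency. The ProcRRConfigureOutputProperty and ProcRRConfigureProviderProperty hunks compute `num_valid` the same way without a visible guard.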
@ -672,7 +672,7 @@ ProcRRSetMonitor(ClientPtr client)
|
||||||
|
|
||||||
REQUEST_AT_LEAST_SIZE(xRRSetMonitorReq);
|
REQUEST_AT_LEAST_SIZE(xRRSetMonitorReq);
|
||||||
|
|
||||||
if (stuff->monitor.noutput != stuff->length - (SIZEOF(xRRSetMonitorReq) >> 2))
|
if (stuff->monitor.noutput != client->req_len - (sizeof(xRRSetMonitorReq) >> 2))
|
||||||
return BadLength;
|
return BadLength;
|
||||||
|
|
||||||
r = dixLookupWindow(&window, stuff->window, client, DixGetAttrAccess);
|
r = dixLookupWindow(&window, stuff->window, client, DixGetAttrAccess);
|
||||||
|
|
|
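Review bot: The header size is written as `sizeof(xRRSetMonitorReq) >> 2` here, while the other length calculations in this commit use `bytes_to_int32()`. Using the helper keeps the unit conversion uniform and easier to audit: `if (stuff->monitor.noutput != client->req_len - bytes_to_int32(sizeof(xRRSetMonitorReq)))`. The shift form also makes the right-hand side a `size_t` expression, so the type in which the comparison is done depends on how `noutput` is declared, which is not visible in this hunk.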
@ -520,7 +520,7 @@ ProcRRConfigureOutputProperty(ClientPtr client)
|
||||||
return BadAccess;
|
return BadAccess;
|
||||||
|
|
||||||
num_valid =
|
num_valid =
|
||||||
stuff->length - bytes_to_int32(sizeof(xRRConfigureOutputPropertyReq));
|
client->req_len - bytes_to_int32(sizeof(xRRConfigureOutputPropertyReq));
|
||||||
return RRConfigureOutputProperty(output, stuff->property, stuff->pending,
|
return RRConfigureOutputProperty(output, stuff->property, stuff->pending,
|
||||||
stuff->range, FALSE, num_valid,
|
stuff->range, FALSE, num_valid,
|
||||||
(INT32 *) (stuff + 1));
|
(INT32 *) (stuff + 1));
|
||||||
|
|
|
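Review bot: `num_valid` is no longer bounded by the 16-bit length field: with a big request it can be as large as the server's maximum request size allows, and it is handed to `RRConfigureOutputProperty()` together with `(INT32 *) (stuff + 1)`. The callee is outside this hunk, so it is worth confirming that any allocation or copy it sizes from `num_valid` is overflow-checked. A comment above the assignment would help, for example `/* number of INT32 values following the fixed header, taken from the full request length */`. The same applies to the `RRConfigureProviderProperty()` call in the next hunk.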
@ -487,7 +487,7 @@ ProcRRConfigureProviderProperty(ClientPtr client)
|
||||||
VERIFY_RR_PROVIDER(stuff->provider, provider, DixReadAccess);
|
VERIFY_RR_PROVIDER(stuff->provider, provider, DixReadAccess);
|
||||||
|
|
||||||
num_valid =
|
num_valid =
|
||||||
stuff->length - bytes_to_int32(sizeof(xRRConfigureProviderPropertyReq));
|
client->req_len - bytes_to_int32(sizeof(xRRConfigureProviderPropertyReq));
|
||||||
return RRConfigureProviderProperty(provider, stuff->property, stuff->pending,
|
return RRConfigureProviderProperty(provider, stuff->property, stuff->pending,
|
||||||
stuff->range, FALSE, num_valid,
|
stuff->range, FALSE, num_valid,
|
||||||
(INT32 *) (stuff + 1));
|
(INT32 *) (stuff + 1));
|
||||||
|
|