frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

(!1639) randr: fix length checking with bigreq 

The authorative source of the request frame size is client->req_len,
especially with big requests larger than 2^18 bytes.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
This commit is contained in:
Enrico Weigelt, metux IT consult 2024-08-06 15:54:22 +02:00
parent f3520016b2
commit 0402e58cf3
5 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
randr/rrcrtc.c
View File

@ -1305,7 +1305,7 @@ ProcRRSetCrtcConfig(ClientPtr client)
CARD8 status;
REQUEST_AT_LEAST_SIZE(xRRSetCrtcConfigReq);
numOutputs = (stuff->length - bytes_to_int32(SIZEOF(xRRSetCrtcConfigReq)));
numOutputs = (client->req_len - bytes_to_int32(sizeof(xRRSetCrtcConfigReq)));
VERIFY_RR_CRTC(stuff->crtc, crtc, DixSetAttrAccess);

2
randr/rrmode.c
View File

@ -304,7 +304,7 @@ ProcRRCreateMode(ClientPtr client)
modeInfo = &stuff->modeInfo;
name = (char *) (stuff + 1);
units_after = (stuff->length - bytes_to_int32(sizeof(xRRCreateModeReq)));
units_after = (client->req_len - bytes_to_int32(sizeof(xRRCreateModeReq)));
/* check to make sure requested name fits within the data provided */
if (bytes_to_int32(modeInfo->nameLength) > units_after)

2
randr/rrmonitor.c
View File

@ -672,7 +672,7 @@ ProcRRSetMonitor(ClientPtr client)
REQUEST_AT_LEAST_SIZE(xRRSetMonitorReq);
if (stuff->monitor.noutput != stuff->length - (SIZEOF(xRRSetMonitorReq) >> 2))
if (stuff->monitor.noutput != client->req_len - (sizeof(xRRSetMonitorReq) >> 2))
return BadLength;
r = dixLookupWindow(&window, stuff->window, client, DixGetAttrAccess);

2
randr/rrproperty.c
View File

@ -520,7 +520,7 @@ ProcRRConfigureOutputProperty(ClientPtr client)
return BadAccess;
num_valid =
stuff->length - bytes_to_int32(sizeof(xRRConfigureOutputPropertyReq));
client->req_len - bytes_to_int32(sizeof(xRRConfigureOutputPropertyReq));
return RRConfigureOutputProperty(output, stuff->property, stuff->pending,
stuff->range, FALSE, num_valid,
(INT32 *) (stuff + 1));

2
randr/rrproviderproperty.c
View File

@ -487,7 +487,7 @@ ProcRRConfigureProviderProperty(ClientPtr client)
VERIFY_RR_PROVIDER(stuff->provider, provider, DixReadAccess);
num_valid =
stuff->length - bytes_to_int32(sizeof(xRRConfigureProviderPropertyReq));
client->req_len - bytes_to_int32(sizeof(xRRConfigureProviderPropertyReq));
return RRConfigureProviderProperty(provider, stuff->property, stuff->pending,
stuff->range, FALSE, num_valid,
(INT32 *) (stuff + 1));