randr: fix length checking with bigreq

The authoritative source of the request frame size is client->req_len,
especially with big requests larger than 2^18 bytes.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1639>
Enrico Weigelt, metux IT consult 2024-08-06 15:54:22 +02:00 committed by Marge Bot
parent fc9f8f8d3c
commit 4b2115a182
5 changed files with 5 additions and 5 deletions


@ -1305,7 +1305,7 @@ ProcRRSetCrtcConfig(ClientPtr client)
CARD8 status; CARD8 status;
REQUEST_AT_LEAST_SIZE(xRRSetCrtcConfigReq); REQUEST_AT_LEAST_SIZE(xRRSetCrtcConfigReq);
numOutputs = (stuff->length - bytes_to_int32(SIZEOF(xRRSetCrtcConfigReq))); numOutputs = (client->req_len - bytes_to_int32(sizeof(xRRSetCrtcConfigReq)));
VERIFY_RR_CRTC(stuff->crtc, crtc, DixSetAttrAccess); VERIFY_RR_CRTC(stuff->crtc, crtc, DixSetAttrAccess);
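Review bot: The switch from `SIZEOF(xRRSetCrtcConfigReq)` to `sizeof(xRRSetCrtcConfigReq)` on the `numOutputs` line is not mentioned in the commit message, yet it changes which size is subtracted from the request length. `SIZEOF()` presumably names the wire-protocol size, whereas `sizeof` is the in-memory struct size; the two agree only if the struct has no compiler padding, which this hunk does not show. Because `numOutputs` is derived from client-supplied data and presumably bounds later reads of the request body, I would keep `bytes_to_int32(SIZEOF(xRRSetCrtcConfigReq))` or state the equivalence explicitly in the message. The same swap appears in the ProcRRSetMonitor hunk; ProcRRSetCrtcConfig continues outside this hunk.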


@ -304,7 +304,7 @@ ProcRRCreateMode(ClientPtr client)
modeInfo = &stuff->modeInfo; modeInfo = &stuff->modeInfo;
name = (char *) (stuff + 1); name = (char *) (stuff + 1);
units_after = (stuff->length - bytes_to_int32(sizeof(xRRCreateModeReq))); units_after = (client->req_len - bytes_to_int32(sizeof(xRRCreateModeReq)));
/* check to make sure requested name fits within the data provided */ /* check to make sure requested name fits within the data provided */
if (bytes_to_int32(modeInfo->nameLength) > units_after) if (bytes_to_int32(modeInfo->nameLength) > units_after)


@ -672,7 +672,7 @@ ProcRRSetMonitor(ClientPtr client)
REQUEST_AT_LEAST_SIZE(xRRSetMonitorReq); REQUEST_AT_LEAST_SIZE(xRRSetMonitorReq);
if (stuff->monitor.noutput != stuff->length - (SIZEOF(xRRSetMonitorReq) >> 2)) if (stuff->monitor.noutput != client->req_len - (sizeof(xRRSetMonitorReq) >> 2))
return BadLength; return BadLength;
r = dixLookupWindow(&window, stuff->window, client, DixGetAttrAccess); r = dixLookupWindow(&window, stuff->window, client, DixGetAttrAccess);
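Review bot: The header size in the BadLength comparison is written as `sizeof(xRRSetMonitorReq) >> 2`, while the other four sites touched by this commit use `bytes_to_int32()`. For consistency I would write `if (stuff->monitor.noutput != client->req_len - bytes_to_int32(sizeof(xRRSetMonitorReq)))`. Both forms give the same value when the size is a multiple of four, but the helper makes the byte-to-word conversion explicit and keeps all the length checks readable side by side.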


@ -520,7 +520,7 @@ ProcRRConfigureOutputProperty(ClientPtr client)
return BadAccess; return BadAccess;
num_valid = num_valid =
stuff->length - bytes_to_int32(sizeof(xRRConfigureOutputPropertyReq)); client->req_len - bytes_to_int32(sizeof(xRRConfigureOutputPropertyReq));
return RRConfigureOutputProperty(output, stuff->property, stuff->pending, return RRConfigureOutputProperty(output, stuff->property, stuff->pending,
stuff->range, FALSE, num_valid, stuff->range, FALSE, num_valid,
(INT32 *) (stuff + 1)); (INT32 *) (stuff + 1));
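Review bot: `num_valid` is an unchecked subtraction whose result becomes the element count for the `(INT32 *) (stuff + 1)` array passed to RRConfigureOutputProperty, and the minimum-length check that keeps it from wrapping is not visible in this hunk. If a `REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq)` precedes it outside the hunk, a comment such as `/* req_len >= header size is enforced by REQUEST_AT_LEAST_SIZE above, so num_valid cannot wrap */` would make that dependency explicit; if it does not, the check should be added before the subtraction. The same applies to `num_valid` in the ProcRRConfigureProviderProperty hunk.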


@ -487,7 +487,7 @@ ProcRRConfigureProviderProperty(ClientPtr client)
VERIFY_RR_PROVIDER(stuff->provider, provider, DixReadAccess); VERIFY_RR_PROVIDER(stuff->provider, provider, DixReadAccess);
num_valid = num_valid =
stuff->length - bytes_to_int32(sizeof(xRRConfigureProviderPropertyReq)); client->req_len - bytes_to_int32(sizeof(xRRConfigureProviderPropertyReq));
return RRConfigureProviderProperty(provider, stuff->property, stuff->pending, return RRConfigureProviderProperty(provider, stuff->property, stuff->pending,
stuff->range, FALSE, num_valid, stuff->range, FALSE, num_valid,
(INT32 *) (stuff + 1)); (INT32 *) (stuff + 1));