frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

xfixes: unvalidated lengths (CVE-2017-12183) 

v2: Use before swap (Jeremy Huddleston Sequoia)

v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)

Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
This commit is contained in:
Nathan Kidd 2015-01-09 11:43:05 -05:00 committed by Julien Cristau
parent cad5a1050b
commit 55caa8b08c
4 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
xfixes/cursor.c
View File

@ -281,6 +281,7 @@ int _X_COLD
SProcXFixesSelectCursorInput(ClientPtr client) SProcXFixesSelectCursorInput(ClientPtr client)
{ {
REQUEST(xXFixesSelectCursorInputReq); REQUEST(xXFixesSelectCursorInputReq);
REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq);
swaps(&stuff->length); swaps(&stuff->length);
swapl(&stuff->window); swapl(&stuff->window);
@ -414,7 +415,7 @@ ProcXFixesSetCursorName(ClientPtr client)
REQUEST(xXFixesSetCursorNameReq); REQUEST(xXFixesSetCursorNameReq);
Atom atom; Atom atom;
REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq); REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes);
VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess); VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess);
tchar = (char *) &stuff[1]; tchar = (char *) &stuff[1];
atom = MakeAtom(tchar, stuff->nbytes, TRUE); atom = MakeAtom(tchar, stuff->nbytes, TRUE);
@ -1007,6 +1008,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
int i; int i;
CARD16 *in_devices = (CARD16 *) &stuff[1]; CARD16 *in_devices = (CARD16 *) &stuff[1];
REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);
swaps(&stuff->length); swaps(&stuff->length);
swaps(&stuff->num_devices); swaps(&stuff->num_devices);
REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices)); REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));

3
xfixes/region.c
View File

@ -359,6 +359,7 @@ ProcXFixesCopyRegion(ClientPtr client)
RegionPtr pSource, pDestination; RegionPtr pSource, pDestination;
REQUEST(xXFixesCopyRegionReq); REQUEST(xXFixesCopyRegionReq);
REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
VERIFY_REGION(pSource, stuff->source, client, DixReadAccess); VERIFY_REGION(pSource, stuff->source, client, DixReadAccess);
VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess); VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess);
@ -375,7 +376,7 @@ SProcXFixesCopyRegion(ClientPtr client)
REQUEST(xXFixesCopyRegionReq); REQUEST(xXFixesCopyRegionReq);
swaps(&stuff->length); swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq); REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
swapl(&stuff->source); swapl(&stuff->source);
swapl(&stuff->destination); swapl(&stuff->destination);
return (*ProcXFixesVector[stuff->xfixesReqType]) (client); return (*ProcXFixesVector[stuff->xfixesReqType]) (client);

1
xfixes/saveset.c
View File

@ -62,6 +62,7 @@ int _X_COLD
SProcXFixesChangeSaveSet(ClientPtr client) SProcXFixesChangeSaveSet(ClientPtr client)
{ {
REQUEST(xXFixesChangeSaveSetReq); REQUEST(xXFixesChangeSaveSetReq);
REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq);
swaps(&stuff->length); swaps(&stuff->length);
swapl(&stuff->window); swapl(&stuff->window);

1
xfixes/xfixes.c
View File

@ -160,6 +160,7 @@ static _X_COLD int
SProcXFixesQueryVersion(ClientPtr client) SProcXFixesQueryVersion(ClientPtr client)
{ {
REQUEST(xXFixesQueryVersionReq); REQUEST(xXFixesQueryVersionReq);
REQUEST_SIZE_MATCH(xXFixesQueryVersionReq);
swaps(&stuff->length); swaps(&stuff->length);
swapl(&stuff->majorVersion); swapl(&stuff->majorVersion);