xfixes: unvalidated lengths (CVE-2017-12183)
v2: Use before swap (Jeremy Huddleston Sequoia) v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith) Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> Signed-off-by: Nathan Kidd <nkidd@opentext.com> Signed-off-by: Julien Cristau <jcristau@debian.org>
This commit is contained in:
Nathan Kidd
Julien Cristau
parent
cad5a1050b
commit
55caa8b08c
|
|
@ -281,6 +281,7 @@ int _X_COLD
|
|||
SProcXFixesSelectCursorInput(ClientPtr client)
|
||||
{
|
||||
REQUEST(xXFixesSelectCursorInputReq);
|
||||
REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq);
|
||||
|
||||
swaps(&stuff->length);
|
||||
swapl(&stuff->window);
|
||||
|
|
@ -414,7 +415,7 @@ ProcXFixesSetCursorName(ClientPtr client)
|
|||
REQUEST(xXFixesSetCursorNameReq);
|
||||
Atom atom;
|
||||
|
||||
REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq);
|
||||
REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes);
|
||||
VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess);
|
||||
tchar = (char *) &stuff[1];
|
||||
atom = MakeAtom(tchar, stuff->nbytes, TRUE);
|
||||
|
|
@ -1007,6 +1008,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
|
|||
int i;
|
||||
CARD16 *in_devices = (CARD16 *) &stuff[1];
|
||||
|
||||
REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);
|
||||
|
||||
swaps(&stuff->length);
|
||||
swaps(&stuff->num_devices);
|
||||
REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
|
||||
|
|
|
|||
|
|
@ -359,6 +359,7 @@ ProcXFixesCopyRegion(ClientPtr client)
|
|||
RegionPtr pSource, pDestination;
|
||||
|
||||
REQUEST(xXFixesCopyRegionReq);
|
||||
REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
|
||||
|
||||
VERIFY_REGION(pSource, stuff->source, client, DixReadAccess);
|
||||
VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess);
|
||||
|
|
@ -375,7 +376,7 @@ SProcXFixesCopyRegion(ClientPtr client)
|
|||
REQUEST(xXFixesCopyRegionReq);
|
||||
|
||||
swaps(&stuff->length);
|
||||
REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq);
|
||||
REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
|
||||
swapl(&stuff->source);
|
||||
swapl(&stuff->destination);
|
||||
return (*ProcXFixesVector[stuff->xfixesReqType]) (client);
|
||||
|
|
|
|||
|
|
@ -62,6 +62,7 @@ int _X_COLD
|
|||
SProcXFixesChangeSaveSet(ClientPtr client)
|
||||
{
|
||||
REQUEST(xXFixesChangeSaveSetReq);
|
||||
REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq);
|
||||
|
||||
swaps(&stuff->length);
|
||||
swapl(&stuff->window);
|
||||
|
|
|
|||
|
|
@ -160,6 +160,7 @@ static _X_COLD int
|
|||
SProcXFixesQueryVersion(ClientPtr client)
|
||||
{
|
||||
REQUEST(xXFixesQueryVersionReq);
|
||||
REQUEST_SIZE_MATCH(xXFixesQueryVersionReq);
|
||||
|
||||
swaps(&stuff->length);
|
||||
swapl(&stuff->majorVersion);
|
||||
|
|
|
|||
Loading…
Reference in New Issue