render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
This commit is contained in:
Alan Coopersmith
parent
b5f9ef03df
commit
5d3a788aeb
|
|
@ -1995,7 +1995,7 @@ static int
|
||||||
SProcRenderQueryVersion(ClientPtr client)
|
SProcRenderQueryVersion(ClientPtr client)
|
||||||
{
|
{
|
||||||
REQUEST(xRenderQueryVersionReq);
|
REQUEST(xRenderQueryVersionReq);
|
||||||
|
REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
|
||||||
swaps(&stuff->length);
|
swaps(&stuff->length);
|
||||||
swapl(&stuff->majorVersion);
|
swapl(&stuff->majorVersion);
|
||||||
swapl(&stuff->minorVersion);
|
swapl(&stuff->minorVersion);
|
||||||
|
|
@ -2006,6 +2006,7 @@ static int
|
||||||
SProcRenderQueryPictFormats(ClientPtr client)
|
SProcRenderQueryPictFormats(ClientPtr client)
|
||||||
{
|
{
|
||||||
REQUEST(xRenderQueryPictFormatsReq);
|
REQUEST(xRenderQueryPictFormatsReq);
|
||||||
|
REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
|
||||||
swaps(&stuff->length);
|
swaps(&stuff->length);
|
||||||
return (*ProcRenderVector[stuff->renderReqType]) (client);
|
return (*ProcRenderVector[stuff->renderReqType]) (client);
|
||||||
}
|
}
|
||||||
|
|
@ -2014,6 +2015,7 @@ static int
|
||||||
SProcRenderQueryPictIndexValues(ClientPtr client)
|
SProcRenderQueryPictIndexValues(ClientPtr client)
|
||||||
{
|
{
|
||||||
REQUEST(xRenderQueryPictIndexValuesReq);
|
REQUEST(xRenderQueryPictIndexValuesReq);
|
||||||
|
REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
|
||||||
swaps(&stuff->length);
|
swaps(&stuff->length);
|
||||||
swapl(&stuff->format);
|
swapl(&stuff->format);
|
||||||
return (*ProcRenderVector[stuff->renderReqType]) (client);
|
return (*ProcRenderVector[stuff->renderReqType]) (client);
|
||||||
|
|
@ -2029,6 +2031,7 @@ static int
|
||||||
SProcRenderCreatePicture(ClientPtr client)
|
SProcRenderCreatePicture(ClientPtr client)
|
||||||
{
|
{
|
||||||
REQUEST(xRenderCreatePictureReq);
|
REQUEST(xRenderCreatePictureReq);
|
||||||
|
REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
|
||||||
swaps(&stuff->length);
|
swaps(&stuff->length);
|
||||||
swapl(&stuff->pid);
|
swapl(&stuff->pid);
|
||||||
swapl(&stuff->drawable);
|
swapl(&stuff->drawable);
|
||||||
|
|
@ -2042,6 +2045,7 @@ static int
|
||||||
SProcRenderChangePicture(ClientPtr client)
|
SProcRenderChangePicture(ClientPtr client)
|
||||||
{
|
{
|
||||||
REQUEST(xRenderChangePictureReq);
|
REQUEST(xRenderChangePictureReq);
|
||||||
|
REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
|
||||||
swaps(&stuff->length);
|
swaps(&stuff->length);
|
||||||
swapl(&stuff->picture);
|
swapl(&stuff->picture);
|
||||||
swapl(&stuff->mask);
|
swapl(&stuff->mask);
|
||||||
|
|
@ -2053,6 +2057,7 @@ static int
|
||||||
SProcRenderSetPictureClipRectangles(ClientPtr client)
|
SProcRenderSetPictureClipRectangles(ClientPtr client)
|
||||||
{
|
{
|
||||||
REQUEST(xRenderSetPictureClipRectanglesReq);
|
REQUEST(xRenderSetPictureClipRectanglesReq);
|
||||||
|
REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
|
||||||
swaps(&stuff->length);
|
swaps(&stuff->length);
|
||||||
swapl(&stuff->picture);
|
swapl(&stuff->picture);
|
||||||
swaps(&stuff->xOrigin);
|
swaps(&stuff->xOrigin);
|
||||||
|
|
@ -2065,6 +2070,7 @@ static int
|
||||||
SProcRenderFreePicture(ClientPtr client)
|
SProcRenderFreePicture(ClientPtr client)
|
||||||
{
|
{
|
||||||
REQUEST(xRenderFreePictureReq);
|
REQUEST(xRenderFreePictureReq);
|
||||||
|
REQUEST_SIZE_MATCH(xRenderFreePictureReq);
|
||||||
swaps(&stuff->length);
|
swaps(&stuff->length);
|
||||||
swapl(&stuff->picture);
|
swapl(&stuff->picture);
|
||||||
return (*ProcRenderVector[stuff->renderReqType]) (client);
|
return (*ProcRenderVector[stuff->renderReqType]) (client);
|
||||||
|
|
@ -2074,6 +2080,7 @@ static int
|
||||||
SProcRenderComposite(ClientPtr client)
|
SProcRenderComposite(ClientPtr client)
|
||||||
{
|
{
|
||||||
REQUEST(xRenderCompositeReq);
|
REQUEST(xRenderCompositeReq);
|
||||||
|
REQUEST_SIZE_MATCH(xRenderCompositeReq);
|
||||||
swaps(&stuff->length);
|
swaps(&stuff->length);
|
||||||
swapl(&stuff->src);
|
swapl(&stuff->src);
|
||||||
swapl(&stuff->mask);
|
swapl(&stuff->mask);
|
||||||
|
|
@ -2093,6 +2100,7 @@ static int
|
||||||
SProcRenderScale(ClientPtr client)
|
SProcRenderScale(ClientPtr client)
|
||||||
{
|
{
|
||||||
REQUEST(xRenderScaleReq);
|
REQUEST(xRenderScaleReq);
|
||||||
|
REQUEST_SIZE_MATCH(xRenderScaleReq);
|
||||||
swaps(&stuff->length);
|
swaps(&stuff->length);
|
||||||
swapl(&stuff->src);
|
swapl(&stuff->src);
|
||||||
swapl(&stuff->dst);
|
swapl(&stuff->dst);
|
||||||
|
|
@ -2193,6 +2201,7 @@ static int
|
||||||
SProcRenderCreateGlyphSet(ClientPtr client)
|
SProcRenderCreateGlyphSet(ClientPtr client)
|
||||||
{
|
{
|
||||||
REQUEST(xRenderCreateGlyphSetReq);
|
REQUEST(xRenderCreateGlyphSetReq);
|
||||||
|
REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
|
||||||
swaps(&stuff->length);
|
swaps(&stuff->length);
|
||||||
swapl(&stuff->gsid);
|
swapl(&stuff->gsid);
|
||||||
swapl(&stuff->format);
|
swapl(&stuff->format);
|
||||||
|
|
@ -2203,6 +2212,7 @@ static int
|
||||||
SProcRenderReferenceGlyphSet(ClientPtr client)
|
SProcRenderReferenceGlyphSet(ClientPtr client)
|
||||||
{
|
{
|
||||||
REQUEST(xRenderReferenceGlyphSetReq);
|
REQUEST(xRenderReferenceGlyphSetReq);
|
||||||
|
REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
|
||||||
swaps(&stuff->length);
|
swaps(&stuff->length);
|
||||||
swapl(&stuff->gsid);
|
swapl(&stuff->gsid);
|
||||||
swapl(&stuff->existing);
|
swapl(&stuff->existing);
|
||||||
|
|
@ -2213,6 +2223,7 @@ static int
|
||||||
SProcRenderFreeGlyphSet(ClientPtr client)
|
SProcRenderFreeGlyphSet(ClientPtr client)
|
||||||
{
|
{
|
||||||
REQUEST(xRenderFreeGlyphSetReq);
|
REQUEST(xRenderFreeGlyphSetReq);
|
||||||
|
REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
|
||||||
swaps(&stuff->length);
|
swaps(&stuff->length);
|
||||||
swapl(&stuff->glyphset);
|
swapl(&stuff->glyphset);
|
||||||
return (*ProcRenderVector[stuff->renderReqType]) (client);
|
return (*ProcRenderVector[stuff->renderReqType]) (client);
|
||||||
|
|
@ -2227,6 +2238,7 @@ SProcRenderAddGlyphs(ClientPtr client)
|
||||||
xGlyphInfo *gi;
|
xGlyphInfo *gi;
|
||||||
|
|
||||||
REQUEST(xRenderAddGlyphsReq);
|
REQUEST(xRenderAddGlyphsReq);
|
||||||
|
REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
|
||||||
swaps(&stuff->length);
|
swaps(&stuff->length);
|
||||||
swapl(&stuff->glyphset);
|
swapl(&stuff->glyphset);
|
||||||
swapl(&stuff->nglyphs);
|
swapl(&stuff->nglyphs);
|
||||||
|
|
@ -2261,6 +2273,7 @@ static int
|
||||||
SProcRenderFreeGlyphs(ClientPtr client)
|
SProcRenderFreeGlyphs(ClientPtr client)
|
||||||
{
|
{
|
||||||
REQUEST(xRenderFreeGlyphsReq);
|
REQUEST(xRenderFreeGlyphsReq);
|
||||||
|
REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
|
||||||
swaps(&stuff->length);
|
swaps(&stuff->length);
|
||||||
swapl(&stuff->glyphset);
|
swapl(&stuff->glyphset);
|
||||||
SwapRestL(stuff);
|
SwapRestL(stuff);
|
||||||
|
|
@ -2278,6 +2291,7 @@ SProcRenderCompositeGlyphs(ClientPtr client)
|
||||||
int size;
|
int size;
|
||||||
|
|
||||||
REQUEST(xRenderCompositeGlyphsReq);
|
REQUEST(xRenderCompositeGlyphsReq);
|
||||||
|
REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
|
||||||
|
|
||||||
switch (stuff->renderReqType) {
|
switch (stuff->renderReqType) {
|
||||||
default:
|
default:
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue