frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Xext: vidmode: fix length checking with bigreq 

The authorative source of the request frame size is client->req_len,
especially with big requests larger than 2^18 bytes.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1639>
This commit is contained in:
Enrico Weigelt, metux IT consult 2024-08-06 15:59:38 +02:00 committed by Marge Bot
parent dab1299745
commit c3e1f6fccf
1 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
Xext/vidmode.c
View File

@ -469,7 +469,7 @@ ProcVidModeAddModeLine(ClientPtr client)
if (ver < 2) { if (ver < 2) {
/* convert from old format */ /* convert from old format */
stuff = &newstuff; stuff = &newstuff;
stuff->length = oldstuff->length; stuff->length = client->req_len;
stuff->screen = oldstuff->screen; stuff->screen = oldstuff->screen;
stuff->dotclock = oldstuff->dotclock; stuff->dotclock = oldstuff->dotclock;
stuff->hdisplay = oldstuff->hdisplay; stuff->hdisplay = oldstuff->hdisplay;
@ -639,7 +639,7 @@ ProcVidModeDeleteModeLine(ClientPtr client)
if (ver < 2) { if (ver < 2) {
/* convert from old format */ /* convert from old format */
stuff = &newstuff; stuff = &newstuff;
stuff->length = oldstuff->length; stuff->length = client->req_len;
stuff->screen = oldstuff->screen; stuff->screen = oldstuff->screen;
stuff->dotclock = oldstuff->dotclock; stuff->dotclock = oldstuff->dotclock;
stuff->hdisplay = oldstuff->hdisplay; stuff->hdisplay = oldstuff->hdisplay;
@ -668,7 +668,7 @@ ProcVidModeDeleteModeLine(ClientPtr client)
"len = %d, length = %d\n", "len = %d, length = %d\n",
(unsigned long) client->req_len, (unsigned long) client->req_len,
(int) sizeof(xXF86VidModeDeleteModeLineReq) >> 2, (int) sizeof(xXF86VidModeDeleteModeLineReq) >> 2,
(unsigned long) stuff->privsize, len, stuff->length); (unsigned long) stuff->privsize, len, client->req_len);
return BadLength; return BadLength;
} }
@ -763,7 +763,7 @@ ProcVidModeModModeLine(ClientPtr client)
if (ver < 2) { if (ver < 2) {
/* convert from old format */ /* convert from old format */
stuff = &newstuff; stuff = &newstuff;
stuff->length = oldstuff->length; stuff->length = client->req_len;
stuff->screen = oldstuff->screen; stuff->screen = oldstuff->screen;
stuff->hdisplay = oldstuff->hdisplay; stuff->hdisplay = oldstuff->hdisplay;
stuff->hsyncstart = oldstuff->hsyncstart; stuff->hsyncstart = oldstuff->hsyncstart;
@ -897,7 +897,7 @@ ProcVidModeValidateModeLine(ClientPtr client)
if (ver < 2) { if (ver < 2) {
/* convert from old format */ /* convert from old format */
stuff = &newstuff; stuff = &newstuff;
stuff->length = oldstuff->length; stuff->length = client->req_len;
stuff->screen = oldstuff->screen; stuff->screen = oldstuff->screen;
stuff->dotclock = oldstuff->dotclock; stuff->dotclock = oldstuff->dotclock;
stuff->hdisplay = oldstuff->hdisplay; stuff->hdisplay = oldstuff->hdisplay;
@ -1050,7 +1050,7 @@ ProcVidModeSwitchToMode(ClientPtr client)
if (ver < 2) { if (ver < 2) {
/* convert from old format */ /* convert from old format */
stuff = &newstuff; stuff = &newstuff;
stuff->length = oldstuff->length; stuff->length = client->req_len;
stuff->screen = oldstuff->screen; stuff->screen = oldstuff->screen;
stuff->dotclock = oldstuff->dotclock; stuff->dotclock = oldstuff->dotclock;
stuff->hdisplay = oldstuff->hdisplay; stuff->hdisplay = oldstuff->hdisplay;