summaryrefslogblamecommitdiffstats
path: root/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12183.diff
blob: b88ba950e4884ef99bba298f94ed2b5225addb0f (plain) (tree) 
8ff4f2f51































































































1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95































































































                                                                                          
From 55caa8b08c84af2b50fbc936cf334a5a93dd7db5 Mon Sep 17 00:00:00 2001
From: Nathan Kidd <nkidd@opentext.com>
Date: Fri, 9 Jan 2015 11:43:05 -0500
Subject: xfixes: unvalidated lengths (CVE-2017-12183)

v2: Use before swap (Jeremy Huddleston Sequoia)

v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)

Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/xfixes/cursor.c b/xfixes/cursor.c
index c1ab3be..dc447ed 100644
--- a/xfixes/cursor.c
+++ b/xfixes/cursor.c
@@ -281,6 +281,7 @@ int _X_COLD
 SProcXFixesSelectCursorInput(ClientPtr client)
 {
     REQUEST(xXFixesSelectCursorInputReq);
+    REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq);
 
     swaps(&stuff->length);
     swapl(&stuff->window);
@@ -414,7 +415,7 @@ ProcXFixesSetCursorName(ClientPtr client)
     REQUEST(xXFixesSetCursorNameReq);
     Atom atom;
 
-    REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq);
+    REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes);
     VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess);
     tchar = (char *) &stuff[1];
     atom = MakeAtom(tchar, stuff->nbytes, TRUE);
@@ -1007,6 +1008,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
     int i;
     CARD16 *in_devices = (CARD16 *) &stuff[1];
 
+    REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);
+
     swaps(&stuff->length);
     swaps(&stuff->num_devices);
     REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
diff --git a/xfixes/region.c b/xfixes/region.c
index e773701..7c0a7d2 100644
--- a/xfixes/region.c
+++ b/xfixes/region.c
@@ -359,6 +359,7 @@ ProcXFixesCopyRegion(ClientPtr client)
     RegionPtr pSource, pDestination;
 
     REQUEST(xXFixesCopyRegionReq);
+    REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
 
     VERIFY_REGION(pSource, stuff->source, client, DixReadAccess);
     VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess);
@@ -375,7 +376,7 @@ SProcXFixesCopyRegion(ClientPtr client)
     REQUEST(xXFixesCopyRegionReq);
 
     swaps(&stuff->length);
-    REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq);
+    REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
     swapl(&stuff->source);
     swapl(&stuff->destination);
     return (*ProcXFixesVector[stuff->xfixesReqType]) (client);
diff --git a/xfixes/saveset.c b/xfixes/saveset.c
index 2043153..fd9c7a1 100644
--- a/xfixes/saveset.c
+++ b/xfixes/saveset.c
@@ -62,6 +62,7 @@ int _X_COLD
 SProcXFixesChangeSaveSet(ClientPtr client)
 {
     REQUEST(xXFixesChangeSaveSetReq);
+    REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq);
 
     swaps(&stuff->length);
     swapl(&stuff->window);
diff --git a/xfixes/xfixes.c b/xfixes/xfixes.c
index 77efd64..248bf02 100644
--- a/xfixes/xfixes.c
+++ b/xfixes/xfixes.c
@@ -160,6 +160,7 @@ static _X_COLD int
 SProcXFixesQueryVersion(ClientPtr client)
 {
     REQUEST(xXFixesQueryVersionReq);
+    REQUEST_SIZE_MATCH(xXFixesQueryVersionReq);
 
     swaps(&stuff->length);
     swapl(&stuff->majorVersion);
-- 
cgit v0.10.2
generated by cgit v1.2.3 (git 2.26.2) at 2024-04-23 15:22:31 +0000