openbsd/xenocara
1
0
Fork 0
mirror of https://github.com/openbsd/xenocara.git synced 2025-12-09 18:59:00 +00:00
Code Issues Projects Releases Wiki Activity

MFC: xfixes: unvalidated lengths (CVE-2017-12183)

Browse Source 
v2: Use before swap (Jeremy Huddleston Sequoia)
v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)
This commit is contained in:
matthieu
2017-10-14 09:22:49 +00:00
parent 3b3c79f0b0
commit d62483048a
4 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
xserver/xfixes/cursor.c
View File

@@ -280,6 +280,7 @@ int
SProcXFixesSelectCursorInput(ClientPtr client)
{
REQUEST(xXFixesSelectCursorInputReq);
REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq);
swaps(&stuff->length);
swapl(&stuff->window);
@@ -413,7 +414,7 @@ ProcXFixesSetCursorName(ClientPtr client)
REQUEST(xXFixesSetCursorNameReq);
Atom atom;
REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq);
REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes);
VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess);
tchar = (char *) &stuff[1];
atom = MakeAtom(tchar, stuff->nbytes, TRUE);
@@ -1006,6 +1007,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
int i;
CARD16 *in_devices = (CARD16 *) &stuff[1];
REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);
swaps(&stuff->length);
swaps(&stuff->num_devices);
REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));

3
xserver/xfixes/region.c
View File

@@ -359,6 +359,7 @@ ProcXFixesCopyRegion(ClientPtr client)
RegionPtr pSource, pDestination;
REQUEST(xXFixesCopyRegionReq);
REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
VERIFY_REGION(pSource, stuff->source, client, DixReadAccess);
VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess);
@@ -375,7 +376,7 @@ SProcXFixesCopyRegion(ClientPtr client)
REQUEST(xXFixesCopyRegionReq);
swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq);
REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
swapl(&stuff->source);
swapl(&stuff->destination);
return (*ProcXFixesVector[stuff->xfixesReqType]) (client);

1
xserver/xfixes/saveset.c
View File

@@ -62,6 +62,7 @@ int
SProcXFixesChangeSaveSet(ClientPtr client)
{
REQUEST(xXFixesChangeSaveSetReq);
REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq);
swaps(&stuff->length);
swapl(&stuff->window);

1
xserver/xfixes/xfixes.c
View File

@@ -160,6 +160,7 @@ static int
SProcXFixesQueryVersion(ClientPtr client)
{
REQUEST(xXFixesQueryVersionReq);
REQUEST_SIZE_MATCH(xXFixesQueryVersionReq);
swaps(&stuff->length);
swapl(&stuff->majorVersion);