Commit a0c90ad3 authored by Alan Coopersmith's avatar Alan Coopersmith Committed by Mike DePaulo

render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2]

v2: backport to nx-libs 3.6.x (Mike DePaulo)
v3: port to NXrender.c rather than render.c (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts: render/render.c
parent e469cff0
...@@ -2532,6 +2532,7 @@ SProcRenderQueryVersion (ClientPtr client) ...@@ -2532,6 +2532,7 @@ SProcRenderQueryVersion (ClientPtr client)
{ {
register int n; register int n;
REQUEST(xRenderQueryVersionReq); REQUEST(xRenderQueryVersionReq);
REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
swaps(&stuff->length, n); swaps(&stuff->length, n);
swapl(&stuff->majorVersion, n); swapl(&stuff->majorVersion, n);
...@@ -2544,6 +2545,7 @@ SProcRenderQueryPictFormats (ClientPtr client) ...@@ -2544,6 +2545,7 @@ SProcRenderQueryPictFormats (ClientPtr client)
{ {
register int n; register int n;
REQUEST(xRenderQueryPictFormatsReq); REQUEST(xRenderQueryPictFormatsReq);
REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
swaps(&stuff->length, n); swaps(&stuff->length, n);
return (*ProcRenderVector[stuff->renderReqType]) (client); return (*ProcRenderVector[stuff->renderReqType]) (client);
} }
...@@ -2553,6 +2555,7 @@ SProcRenderQueryPictIndexValues (ClientPtr client) ...@@ -2553,6 +2555,7 @@ SProcRenderQueryPictIndexValues (ClientPtr client)
{ {
register int n; register int n;
REQUEST(xRenderQueryPictIndexValuesReq); REQUEST(xRenderQueryPictIndexValuesReq);
REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
swaps(&stuff->length, n); swaps(&stuff->length, n);
swapl(&stuff->format, n); swapl(&stuff->format, n);
return (*ProcRenderVector[stuff->renderReqType]) (client); return (*ProcRenderVector[stuff->renderReqType]) (client);
...@@ -2569,6 +2572,7 @@ SProcRenderCreatePicture (ClientPtr client) ...@@ -2569,6 +2572,7 @@ SProcRenderCreatePicture (ClientPtr client)
{ {
register int n; register int n;
REQUEST(xRenderCreatePictureReq); REQUEST(xRenderCreatePictureReq);
REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
swaps(&stuff->length, n); swaps(&stuff->length, n);
swapl(&stuff->pid, n); swapl(&stuff->pid, n);
swapl(&stuff->drawable, n); swapl(&stuff->drawable, n);
...@@ -2583,6 +2587,7 @@ SProcRenderChangePicture (ClientPtr client) ...@@ -2583,6 +2587,7 @@ SProcRenderChangePicture (ClientPtr client)
{ {
register int n; register int n;
REQUEST(xRenderChangePictureReq); REQUEST(xRenderChangePictureReq);
REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
swaps(&stuff->length, n); swaps(&stuff->length, n);
swapl(&stuff->picture, n); swapl(&stuff->picture, n);
swapl(&stuff->mask, n); swapl(&stuff->mask, n);
...@@ -2595,6 +2600,7 @@ SProcRenderSetPictureClipRectangles (ClientPtr client) ...@@ -2595,6 +2600,7 @@ SProcRenderSetPictureClipRectangles (ClientPtr client)
{ {
register int n; register int n;
REQUEST(xRenderSetPictureClipRectanglesReq); REQUEST(xRenderSetPictureClipRectanglesReq);
REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
swaps(&stuff->length, n); swaps(&stuff->length, n);
swapl(&stuff->picture, n); swapl(&stuff->picture, n);
SwapRestS(stuff); SwapRestS(stuff);
...@@ -2606,6 +2612,7 @@ SProcRenderFreePicture (ClientPtr client) ...@@ -2606,6 +2612,7 @@ SProcRenderFreePicture (ClientPtr client)
{ {
register int n; register int n;
REQUEST(xRenderFreePictureReq); REQUEST(xRenderFreePictureReq);
REQUEST_SIZE_MATCH(xRenderFreePictureReq);
swaps(&stuff->length, n); swaps(&stuff->length, n);
swapl(&stuff->picture, n); swapl(&stuff->picture, n);
return (*ProcRenderVector[stuff->renderReqType]) (client); return (*ProcRenderVector[stuff->renderReqType]) (client);
...@@ -2616,6 +2623,7 @@ SProcRenderComposite (ClientPtr client) ...@@ -2616,6 +2623,7 @@ SProcRenderComposite (ClientPtr client)
{ {
register int n; register int n;
REQUEST(xRenderCompositeReq); REQUEST(xRenderCompositeReq);
REQUEST_SIZE_MATCH(xRenderCompositeReq);
swaps(&stuff->length, n); swaps(&stuff->length, n);
swapl(&stuff->src, n); swapl(&stuff->src, n);
swapl(&stuff->mask, n); swapl(&stuff->mask, n);
...@@ -2636,6 +2644,7 @@ SProcRenderScale (ClientPtr client) ...@@ -2636,6 +2644,7 @@ SProcRenderScale (ClientPtr client)
{ {
register int n; register int n;
REQUEST(xRenderScaleReq); REQUEST(xRenderScaleReq);
REQUEST_SIZE_MATCH(xRenderScaleReq);
swaps(&stuff->length, n); swaps(&stuff->length, n);
swapl(&stuff->src, n); swapl(&stuff->src, n);
swapl(&stuff->dst, n); swapl(&stuff->dst, n);
...@@ -2741,6 +2750,7 @@ SProcRenderCreateGlyphSet (ClientPtr client) ...@@ -2741,6 +2750,7 @@ SProcRenderCreateGlyphSet (ClientPtr client)
{ {
register int n; register int n;
REQUEST(xRenderCreateGlyphSetReq); REQUEST(xRenderCreateGlyphSetReq);
REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
swaps(&stuff->length, n); swaps(&stuff->length, n);
swapl(&stuff->gsid, n); swapl(&stuff->gsid, n);
swapl(&stuff->format, n); swapl(&stuff->format, n);
...@@ -2752,6 +2762,7 @@ SProcRenderReferenceGlyphSet (ClientPtr client) ...@@ -2752,6 +2762,7 @@ SProcRenderReferenceGlyphSet (ClientPtr client)
{ {
register int n; register int n;
REQUEST(xRenderReferenceGlyphSetReq); REQUEST(xRenderReferenceGlyphSetReq);
REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
swaps(&stuff->length, n); swaps(&stuff->length, n);
swapl(&stuff->gsid, n); swapl(&stuff->gsid, n);
swapl(&stuff->existing, n); swapl(&stuff->existing, n);
...@@ -2763,6 +2774,7 @@ SProcRenderFreeGlyphSet (ClientPtr client) ...@@ -2763,6 +2774,7 @@ SProcRenderFreeGlyphSet (ClientPtr client)
{ {
register int n; register int n;
REQUEST(xRenderFreeGlyphSetReq); REQUEST(xRenderFreeGlyphSetReq);
REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
swaps(&stuff->length, n); swaps(&stuff->length, n);
swapl(&stuff->glyphset, n); swapl(&stuff->glyphset, n);
return (*ProcRenderVector[stuff->renderReqType]) (client); return (*ProcRenderVector[stuff->renderReqType]) (client);
...@@ -2777,6 +2789,7 @@ SProcRenderAddGlyphs (ClientPtr client) ...@@ -2777,6 +2789,7 @@ SProcRenderAddGlyphs (ClientPtr client)
void *end; void *end;
xGlyphInfo *gi; xGlyphInfo *gi;
REQUEST(xRenderAddGlyphsReq); REQUEST(xRenderAddGlyphsReq);
REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
swaps(&stuff->length, n); swaps(&stuff->length, n);
swapl(&stuff->glyphset, n); swapl(&stuff->glyphset, n);
swapl(&stuff->nglyphs, n); swapl(&stuff->nglyphs, n);
...@@ -2813,6 +2826,7 @@ SProcRenderFreeGlyphs (ClientPtr client) ...@@ -2813,6 +2826,7 @@ SProcRenderFreeGlyphs (ClientPtr client)
{ {
register int n; register int n;
REQUEST(xRenderFreeGlyphsReq); REQUEST(xRenderFreeGlyphsReq);
REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
swaps(&stuff->length, n); swaps(&stuff->length, n);
swapl(&stuff->glyphset, n); swapl(&stuff->glyphset, n);
SwapRestL(stuff); SwapRestL(stuff);
...@@ -2831,7 +2845,8 @@ SProcRenderCompositeGlyphs (ClientPtr client) ...@@ -2831,7 +2845,8 @@ SProcRenderCompositeGlyphs (ClientPtr client)
int size; int size;
REQUEST(xRenderCompositeGlyphsReq); REQUEST(xRenderCompositeGlyphsReq);
REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
switch (stuff->renderReqType) { switch (stuff->renderReqType) {
default: size = 1; break; default: size = 1; break;
case X_RenderCompositeGlyphs16: size = 2; break; case X_RenderCompositeGlyphs16: size = 2; break;
......
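Review bot: In SProcRenderAddGlyphs the added `REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq)` guarantees only the fixed header, while `nglyphs` is a client-supplied count that is byte-swapped immediately afterwards. Judging by the `end` and `gi` locals, that count then drives pointer arithmetic over the trailing data in the part of the function that lies outside the hunk. If that code does not already bound the count, a guard right after the swap such as `if (stuff->nglyphs > ((client->req_len << 2) - sizeof(xRenderAddGlyphsReq)) / (sizeof(CARD32) + sizeof(xGlyphInfo))) return BadLength;` would keep a later comparison against `end` from being bypassed by pointer wrap-around. SProcRenderCompositeGlyphs deserves the same look, since its element walk is also cut off here and the new check again covers just the header.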