render: check request size before reading it [CVE-2014-8100 1/2]

Otherwise we may be reading outside of the client request. v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: port to NXrender.c rather than render.c (Mike DePaulo) Signed-off-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Conflicts: render/render.c

render: check request size before reading it [CVE-2014-8100 1/2]
e469cff0 · Julien Cristau · Mike DePaulo · f7295831 · e469cff0
Commit e469cff0 authored Oct 28, 2014 by Julien Cristau Committed by Mike DePaulo May 24, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

NXrender.c nx-X11/programs/Xserver/hw/nxagent/NXrender.c +2 -1

No files found.
--- a/nx-X11/programs/Xserver/hw/nxagent/NXrender.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/NXrender.c
@@ -387,10 +387,11 @@ ProcRenderQueryVersion (ClientPtr client)
    register int n;
    REQUEST(xRenderQueryVersionReq);
+    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
    pRenderClient->major_version = stuff->majorVersion;
    pRenderClient->minor_version = stuff->minorVersion;
-    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
    rep.type = X_Reply;
    rep.length = 0;
    rep.sequenceNumber = client->sequence;