Bump all the slaves due to not being sure where the shared code is used. MFH: 2017Q4 Security: 7274e0cc-575f-41bc-8619-14a41b3c2ad0
From 61502107a30d64f991784648c3228ebc6694a032 Mon Sep 17 00:00:00 2001
From: Nathan Kidd <nkidd@opentext.com>
Date: Fri, 9 Jan 2015 11:43:05 -0500
Subject: xfixes: unvalidated lengths (CVE-2017-12183)
v2: Use before swap (Jeremy Huddleston Sequoia)
v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 55caa8b08c84af2b50fbc936cf334a5a93dd7db5)
diff --git a/xfixes/cursor.c b/xfixes/cursor.c
index f009a78..6e84d71 100644
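--- a/xfixes/cursor.c
+++ b/xfixes/cursor.c
@@ -281,6 +281,7 @@ int
 SProcXFixesSelectCursorInput(ClientPtr client)
 {
 REQUEST(xXFixesSelectCursorInputReq);
+ REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq);
 
 swaps(&stuff->length);
 swapl(&stuff->window);
@@ -414,7 +415,7 @@ ProcXFixesSetCursorName(ClientPtr client)
 REQUEST(xXFixesSetCursorNameReq);
 Atom atom;
 
- REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq);
+ REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes);
 VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess);
 tchar = (char *) &stuff[1];
 atom = MakeAtom(tchar, stuff->nbytes, TRUE);
@@ -1007,6 +1008,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
 int i;
 CARD16 *in_devices = (CARD16 *) &stuff[1];
 
+ REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);
+
 swaps(&stuff->length);
 swaps(&stuff->num_devices);
 REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));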
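Review bot: In the last cursor.c hunk, `REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices))` sizes the trailing data by the device count, while `in_devices` is declared as `CARD16 *`, so each entry presumably occupies two bytes. If the rest of SProcXFixesCreatePointerBarrier (outside the hunk) walks `num_devices` entries of `in_devices`, the check accepts requests roughly half as long as the data that is then byte-swapped in place, and the newly added `REQUEST_AT_LEAST_SIZE` does not close that gap. The length argument should be in bytes: `REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices * sizeof(CARD16)));`. The non-swapped ProcXFixesCreatePointerBarrier is not shown here and is worth checking for the same expression.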
diff --git a/xfixes/region.c b/xfixes/region.c
index dd74d7f..f300d2b 100644
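--- a/xfixes/region.c
+++ b/xfixes/region.c
@@ -359,6 +359,7 @@ ProcXFixesCopyRegion(ClientPtr client)
 RegionPtr pSource, pDestination;
 
 REQUEST(xXFixesCopyRegionReq);
+ REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
 
 VERIFY_REGION(pSource, stuff->source, client, DixReadAccess);
 VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess);
@@ -375,7 +376,7 @@ SProcXFixesCopyRegion(ClientPtr client)
 REQUEST(xXFixesCopyRegionReq);
 
 swaps(&stuff->length);
- REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq);
+ REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
 swapl(&stuff->source);
 swapl(&stuff->destination);
 return (*ProcXFixesVector[stuff->xfixesReqType]) (client);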
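Review bot: SProcXFixesCopyRegion still calls `swaps(&stuff->length)` before `REQUEST_SIZE_MATCH(xXFixesCopyRegionReq)`, whereas every other swapped handler touched by this patch validates the length first. The order is probably harmless if the macro compares against the length already recorded for the client rather than `stuff->length` (its definition is not on this page), but one consistent order makes the rule "no write into the request until its size is known" easy to audit. I would move the check up so the body opens with `REQUEST(xXFixesCopyRegionReq);`, then `REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);`, then `swaps(&stuff->length);`. The function begins above the hunk.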
diff --git a/xfixes/saveset.c b/xfixes/saveset.c
index eb3f658..aa365cf 100644
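--- a/xfixes/saveset.c
+++ b/xfixes/saveset.c
@@ -62,6 +62,7 @@ int
 SProcXFixesChangeSaveSet(ClientPtr client)
 {
 REQUEST(xXFixesChangeSaveSetReq);
+ REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq);
 
 swaps(&stuff->length);
 swapl(&stuff->window);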
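Review bot: The new `REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq);` in SProcXFixesChangeSaveSet carries no comment saying why it must precede the swaps, and the same holds for the checks added to SProcXFixesSelectCursorInput in cursor.c and SProcXFixesQueryVersion in xfixes.c. Because `swaps`/`swapl` take the address of a request field and so appear to modify the request in place, a short request would otherwise be written past its end. A one-line comment above each check, such as `/* Validate the request length before byte-swapping any field in place. */`, would keep a later reordering from reintroducing the problem. The function body continues past the end of the hunk.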
diff --git a/xfixes/xfixes.c b/xfixes/xfixes.c
index 8d1bd4c..8b45c53 100644
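--- a/xfixes/xfixes.c
+++ b/xfixes/xfixes.c
@@ -160,6 +160,7 @@ static int
 SProcXFixesQueryVersion(ClientPtr client)
 {
 REQUEST(xXFixesQueryVersionReq);
+ REQUEST_SIZE_MATCH(xXFixesQueryVersionReq);
 
 swaps(&stuff->length);
 swapl(&stuff->majorVersion);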
--
cgit v0.10.2