diff options
| author | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2017-10-14 09:22:50 +0000 |
|---|---|---|
| committer | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2017-10-14 09:22:50 +0000 |
| commit | c1c1edc23ddc3a957e8899b73bb933a2028988fb (patch) | |
| tree | 4ecc6c5da9582520264eb53e2a3448c4b3dac050 | |
| parent | ef3dccc55e2d4ae4570905b59e15b660f4bb940d (diff) | |
MFC: xfixes: unvalidated lengths (CVE-2017-12183)
v2: Use before swap (Jeremy Huddleston Sequoia)
v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)
| -rw-r--r-- | xserver/xfixes/cursor.c | 5 | ||||
| -rw-r--r-- | xserver/xfixes/region.c | 3 | ||||
| -rw-r--r-- | xserver/xfixes/saveset.c | 1 | ||||
| -rw-r--r-- | xserver/xfixes/xfixes.c | 1 |
4 files changed, 8 insertions, 2 deletions
diff --git a/xserver/xfixes/cursor.c b/xserver/xfixes/cursor.c index 10f9b2346..f241ffa73 100644 --- a/xserver/xfixes/cursor.c +++ b/xserver/xfixes/cursor.c @@ -280,6 +280,7 @@ int SProcXFixesSelectCursorInput(ClientPtr client) { REQUEST(xXFixesSelectCursorInputReq); + REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq); swaps(&stuff->length); swapl(&stuff->window); @@ -413,7 +414,7 @@ ProcXFixesSetCursorName(ClientPtr client) REQUEST(xXFixesSetCursorNameReq); Atom atom; - REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq); + REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes); VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess); tchar = (char *) &stuff[1]; atom = MakeAtom(tchar, stuff->nbytes, TRUE); @@ -1006,6 +1007,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client) int i; CARD16 *in_devices = (CARD16 *) &stuff[1]; + REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq); + swaps(&stuff->length); swaps(&stuff->num_devices); REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices)); diff --git a/xserver/xfixes/region.c b/xserver/xfixes/region.c index dd74d7f7e..f300d2b6e 100644 --- a/xserver/xfixes/region.c +++ b/xserver/xfixes/region.c @@ -359,6 +359,7 @@ ProcXFixesCopyRegion(ClientPtr client) RegionPtr pSource, pDestination; REQUEST(xXFixesCopyRegionReq); + REQUEST_SIZE_MATCH(xXFixesCopyRegionReq); VERIFY_REGION(pSource, stuff->source, client, DixReadAccess); VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess); @@ -375,7 +376,7 @@ SProcXFixesCopyRegion(ClientPtr client) REQUEST(xXFixesCopyRegionReq); swaps(&stuff->length); - REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq); + REQUEST_SIZE_MATCH(xXFixesCopyRegionReq); swapl(&stuff->source); swapl(&stuff->destination); return (*ProcXFixesVector[stuff->xfixesReqType]) (client); diff --git a/xserver/xfixes/saveset.c b/xserver/xfixes/saveset.c index eb3f6589e..aa365cfe5 100644 --- a/xserver/xfixes/saveset.c +++ b/xserver/xfixes/saveset.c @@ -62,6 +62,7 @@ int SProcXFixesChangeSaveSet(ClientPtr client) { REQUEST(xXFixesChangeSaveSetReq); + REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq); swaps(&stuff->length); swapl(&stuff->window); diff --git a/xserver/xfixes/xfixes.c b/xserver/xfixes/xfixes.c index 3307f874b..1c254e0d2 100644 --- a/xserver/xfixes/xfixes.c +++ b/xserver/xfixes/xfixes.c @@ -160,6 +160,7 @@ static int SProcXFixesQueryVersion(ClientPtr client) { REQUEST(xXFixesQueryVersionReq); + REQUEST_SIZE_MATCH(xXFixesQueryVersionReq); swaps(&stuff->length); swapl(&stuff->majorVersion); |