MFC: Unvalidated lengths

v2: Add overflow check and remove unnecessary check (Julien Cristau) This addresses: CVE-2017-12184 in XINERAMA CVE-2017-12185 in MIT-SCREEN-SAVER CVE-2017-12186 in X-Resource CVE-2017-12187 in RENDER
author: Matthieu Herrb <matthieu@cvs.openbsd.org> 2017-10-14 09:20:43 +0000
committer: Matthieu Herrb <matthieu@cvs.openbsd.org> 2017-10-14 09:20:43 +0000
commit: ef3dccc55e2d4ae4570905b59e15b660f4bb940d (patch)
tree: 9c76c4190dc17eeeed5f395af8627dd6be59a75e /xserver/Xext
parent: b029c472bc655a08ca6e0ef2184950f44d2f7aca (diff)
4 files changed, 10 insertions, 3 deletions
diff --git a/xserver/Xext/panoramiX.c b/xserver/Xext/panoramiX.c
index 209df292c..844ea49ce 100644
--- a/xserver/Xext/panoramiX.c
+++ b/xserver/Xext/panoramiX.c
@@ -988,10 +988,11 @@ ProcPanoramiXGetScreenSize(ClientPtr client)
     xPanoramiXGetScreenSizeReply rep;
     int rc;
 
+    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+
     if (stuff->screen >= PanoramiXNumScreens)
         return BadMatch;
 
-    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
     rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
     if (rc != Success)
         return rc;
diff --git a/xserver/Xext/saver.c b/xserver/Xext/saver.c
index 750b8b965..45ac4d2c9 100644
--- a/xserver/Xext/saver.c
+++ b/xserver/Xext/saver.c
@@ -1185,6 +1185,8 @@ ProcScreenSaverUnsetAttributes(ClientPtr client)
         PanoramiXRes *draw;
         int rc, i;
 
+        REQUEST_SIZE_MATCH(xScreenSaverUnsetAttributesReq);
+
         rc = dixLookupResourceByClass((void **) &draw, stuff->drawable,
                                       XRC_DRAWABLE, client, DixWriteAccess);
         if (rc != Success)
diff --git a/xserver/Xext/xres.c b/xserver/Xext/xres.c
index 83cc6913a..2dbdd4738 100644
--- a/xserver/Xext/xres.c
+++ b/xserver/Xext/xres.c
@@ -1039,6 +1039,8 @@ ProcXResQueryResourceBytes (ClientPtr client)
     ConstructResourceBytesCtx    ctx;
 
     REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
+    if (stuff->numSpecs > UINT32_MAX / sizeof(ctx.specs[0]))
+        return BadLength;
     REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
                        stuff->numSpecs * sizeof(ctx.specs[0]));
 
@@ -1144,8 +1146,8 @@ SProcXResQueryResourceBytes (ClientPtr client)
     int c;
     xXResResourceIdSpec *specs = (void*) ((char*) stuff + sizeof(*stuff));
 
-    swapl(&stuff->numSpecs);
     REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
+    swapl(&stuff->numSpecs);
     REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
                        stuff->numSpecs * sizeof(specs[0]));
 
diff --git a/xserver/Xext/xvdisp.c b/xserver/Xext/xvdisp.c
index c2d0fc9c1..bfeabfd3b 100644
--- a/xserver/Xext/xvdisp.c
+++ b/xserver/Xext/xvdisp.c
@@ -1496,12 +1496,14 @@ XineramaXvShmPutImage(ClientPtr client)
 {
     REQUEST(xvShmPutImageReq);
     PanoramiXRes *draw, *gc, *port;
-    Bool send_event = stuff->send_event;
+    Bool send_event;
     Bool isRoot;
     int result, i, x, y;
 
     REQUEST_SIZE_MATCH(xvShmPutImageReq);
 
+    send_event = stuff->send_event;
+
     result = dixLookupResourceByClass((void **) &draw, stuff->drawable,
                                       XRC_DRAWABLE, client, DixWriteAccess);
     if (result != Success)
author	Matthieu Herrb <matthieu@cvs.openbsd.org>	2017-10-14 09:20:43 +0000
committer	Matthieu Herrb <matthieu@cvs.openbsd.org>	2017-10-14 09:20:43 +0000
commit	ef3dccc55e2d4ae4570905b59e15b660f4bb940d (patch)
tree	9c76c4190dc17eeeed5f395af8627dd6be59a75e /xserver/Xext
parent	b029c472bc655a08ca6e0ef2184950f44d2f7aca (diff)