diff options
| author | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2017-07-07 06:22:21 +0000 |
|---|---|---|
| committer | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2017-07-07 06:22:21 +0000 |
| commit | f86dccd6467c3716e47309643970a780d9ea2423 (patch) | |
| tree | d95965d32f8849b649df0f39c82ac3051aa06eb0 /xserver/dix | |
| parent | 3afac8f5edd0cfe6382090499d48b935bb79f2dd (diff) | |
Merge upstream fixes to the X event swapping code.
(CVE-2017-10971 and CVE-2017-10972).
Diffstat (limited to 'xserver/dix')
| -rw-r--r-- | xserver/dix/events.c | 6 | ||||
| -rw-r--r-- | xserver/dix/swapreq.c | 7 |
2 files changed, 13 insertions, 0 deletions
diff --git a/xserver/dix/events.c b/xserver/dix/events.c index efaf91d2b..0591f8fcb 100644 --- a/xserver/dix/events.c +++ b/xserver/dix/events.c @@ -5355,6 +5355,12 @@ ProcSendEvent(ClientPtr client) client->errorValue = stuff->event.u.u.type; return BadValue; } + /* Generic events can have variable size, but SendEvent request holds + exactly 32B of event data. */ + if (stuff->event.u.u.type == GenericEvent) { + client->errorValue = stuff->event.u.u.type; + return BadValue; + } if (stuff->event.u.u.type == ClientMessage && stuff->event.u.u.detail != 8 && stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) { diff --git a/xserver/dix/swapreq.c b/xserver/dix/swapreq.c index 61d3ce0f4..8cc64b6ed 100644 --- a/xserver/dix/swapreq.c +++ b/xserver/dix/swapreq.c @@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client) swapl(&stuff->destination); swapl(&stuff->eventMask); + /* Generic events can have variable size, but SendEvent request holds + exactly 32B of event data. */ + if (stuff->event.u.u.type == GenericEvent) { + client->errorValue = stuff->event.u.u.type; + return BadValue; + } + /* Swap event */ proc = EventSwapVector[stuff->event.u.u.type & 0177]; if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */ |