1ef33079b3
The patches where not ported to 1.7.7 so mark it forbidden. This version is not default anymore and will be removed in the 1.14 update that currently being tested. Obtained from: xserver upstream MFH: 2014Q4 Security: 27b9b2f0-8081-11e4-b4ca-bcaec565249c
179 lines
5.4 KiB
Text
179 lines
5.4 KiB
Text
From 32a95fb7c7dbe22c9441c62762dfa4a8ec54d6c3 Mon Sep 17 00:00:00 2001
|
|
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Date: Sun, 26 Jan 2014 19:23:17 -0800
|
|
Subject: [PATCH 09/40] Xv: unvalidated lengths in XVideo extension swapped
|
|
procs [CVE-2014-8099]
|
|
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
---
|
|
Xext/xvdisp.c | 20 ++++++++++++++++++++
|
|
1 file changed, 20 insertions(+)
|
|
|
|
diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c
|
|
index 86f982a..c2d0fc9 100644
|
|
--- Xext/xvdisp.c
|
|
+++ Xext/xvdisp.c
|
|
@@ -1121,6 +1121,7 @@ static int
|
|
SProcXvQueryExtension(ClientPtr client)
|
|
{
|
|
REQUEST(xvQueryExtensionReq);
|
|
+ REQUEST_SIZE_MATCH(xvQueryExtensionReq);
|
|
swaps(&stuff->length);
|
|
return XvProcVector[xv_QueryExtension] (client);
|
|
}
|
|
@@ -1129,6 +1130,7 @@ static int
|
|
SProcXvQueryAdaptors(ClientPtr client)
|
|
{
|
|
REQUEST(xvQueryAdaptorsReq);
|
|
+ REQUEST_SIZE_MATCH(xvQueryAdaptorsReq);
|
|
swaps(&stuff->length);
|
|
swapl(&stuff->window);
|
|
return XvProcVector[xv_QueryAdaptors] (client);
|
|
@@ -1138,6 +1140,7 @@ static int
|
|
SProcXvQueryEncodings(ClientPtr client)
|
|
{
|
|
REQUEST(xvQueryEncodingsReq);
|
|
+ REQUEST_SIZE_MATCH(xvQueryEncodingsReq);
|
|
swaps(&stuff->length);
|
|
swapl(&stuff->port);
|
|
return XvProcVector[xv_QueryEncodings] (client);
|
|
@@ -1147,6 +1150,7 @@ static int
|
|
SProcXvGrabPort(ClientPtr client)
|
|
{
|
|
REQUEST(xvGrabPortReq);
|
|
+ REQUEST_SIZE_MATCH(xvGrabPortReq);
|
|
swaps(&stuff->length);
|
|
swapl(&stuff->port);
|
|
swapl(&stuff->time);
|
|
@@ -1157,6 +1161,7 @@ static int
|
|
SProcXvUngrabPort(ClientPtr client)
|
|
{
|
|
REQUEST(xvUngrabPortReq);
|
|
+ REQUEST_SIZE_MATCH(xvUngrabPortReq);
|
|
swaps(&stuff->length);
|
|
swapl(&stuff->port);
|
|
swapl(&stuff->time);
|
|
@@ -1167,6 +1172,7 @@ static int
|
|
SProcXvPutVideo(ClientPtr client)
|
|
{
|
|
REQUEST(xvPutVideoReq);
|
|
+ REQUEST_SIZE_MATCH(xvPutVideoReq);
|
|
swaps(&stuff->length);
|
|
swapl(&stuff->port);
|
|
swapl(&stuff->drawable);
|
|
@@ -1186,6 +1192,7 @@ static int
|
|
SProcXvPutStill(ClientPtr client)
|
|
{
|
|
REQUEST(xvPutStillReq);
|
|
+ REQUEST_SIZE_MATCH(xvPutStillReq);
|
|
swaps(&stuff->length);
|
|
swapl(&stuff->port);
|
|
swapl(&stuff->drawable);
|
|
@@ -1205,6 +1212,7 @@ static int
|
|
SProcXvGetVideo(ClientPtr client)
|
|
{
|
|
REQUEST(xvGetVideoReq);
|
|
+ REQUEST_SIZE_MATCH(xvGetVideoReq);
|
|
swaps(&stuff->length);
|
|
swapl(&stuff->port);
|
|
swapl(&stuff->drawable);
|
|
@@ -1224,6 +1232,7 @@ static int
|
|
SProcXvGetStill(ClientPtr client)
|
|
{
|
|
REQUEST(xvGetStillReq);
|
|
+ REQUEST_SIZE_MATCH(xvGetStillReq);
|
|
swaps(&stuff->length);
|
|
swapl(&stuff->port);
|
|
swapl(&stuff->drawable);
|
|
@@ -1243,6 +1252,7 @@ static int
|
|
SProcXvPutImage(ClientPtr client)
|
|
{
|
|
REQUEST(xvPutImageReq);
|
|
+ REQUEST_AT_LEAST_SIZE(xvPutImageReq);
|
|
swaps(&stuff->length);
|
|
swapl(&stuff->port);
|
|
swapl(&stuff->drawable);
|
|
@@ -1266,6 +1276,7 @@ static int
|
|
SProcXvShmPutImage(ClientPtr client)
|
|
{
|
|
REQUEST(xvShmPutImageReq);
|
|
+ REQUEST_SIZE_MATCH(xvShmPutImageReq);
|
|
swaps(&stuff->length);
|
|
swapl(&stuff->port);
|
|
swapl(&stuff->drawable);
|
|
@@ -1293,6 +1304,7 @@ static int
|
|
SProcXvSelectVideoNotify(ClientPtr client)
|
|
{
|
|
REQUEST(xvSelectVideoNotifyReq);
|
|
+ REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq);
|
|
swaps(&stuff->length);
|
|
swapl(&stuff->drawable);
|
|
return XvProcVector[xv_SelectVideoNotify] (client);
|
|
@@ -1302,6 +1314,7 @@ static int
|
|
SProcXvSelectPortNotify(ClientPtr client)
|
|
{
|
|
REQUEST(xvSelectPortNotifyReq);
|
|
+ REQUEST_SIZE_MATCH(xvSelectPortNotifyReq);
|
|
swaps(&stuff->length);
|
|
swapl(&stuff->port);
|
|
return XvProcVector[xv_SelectPortNotify] (client);
|
|
@@ -1311,6 +1324,7 @@ static int
|
|
SProcXvStopVideo(ClientPtr client)
|
|
{
|
|
REQUEST(xvStopVideoReq);
|
|
+ REQUEST_SIZE_MATCH(xvStopVideoReq);
|
|
swaps(&stuff->length);
|
|
swapl(&stuff->port);
|
|
swapl(&stuff->drawable);
|
|
@@ -1321,6 +1335,7 @@ static int
|
|
SProcXvSetPortAttribute(ClientPtr client)
|
|
{
|
|
REQUEST(xvSetPortAttributeReq);
|
|
+ REQUEST_SIZE_MATCH(xvSetPortAttributeReq);
|
|
swaps(&stuff->length);
|
|
swapl(&stuff->port);
|
|
swapl(&stuff->attribute);
|
|
@@ -1332,6 +1347,7 @@ static int
|
|
SProcXvGetPortAttribute(ClientPtr client)
|
|
{
|
|
REQUEST(xvGetPortAttributeReq);
|
|
+ REQUEST_SIZE_MATCH(xvGetPortAttributeReq);
|
|
swaps(&stuff->length);
|
|
swapl(&stuff->port);
|
|
swapl(&stuff->attribute);
|
|
@@ -1342,6 +1358,7 @@ static int
|
|
SProcXvQueryBestSize(ClientPtr client)
|
|
{
|
|
REQUEST(xvQueryBestSizeReq);
|
|
+ REQUEST_SIZE_MATCH(xvQueryBestSizeReq);
|
|
swaps(&stuff->length);
|
|
swapl(&stuff->port);
|
|
swaps(&stuff->vid_w);
|
|
@@ -1355,6 +1372,7 @@ static int
|
|
SProcXvQueryPortAttributes(ClientPtr client)
|
|
{
|
|
REQUEST(xvQueryPortAttributesReq);
|
|
+ REQUEST_SIZE_MATCH(xvQueryPortAttributesReq);
|
|
swaps(&stuff->length);
|
|
swapl(&stuff->port);
|
|
return XvProcVector[xv_QueryPortAttributes] (client);
|
|
@@ -1364,6 +1382,7 @@ static int
|
|
SProcXvQueryImageAttributes(ClientPtr client)
|
|
{
|
|
REQUEST(xvQueryImageAttributesReq);
|
|
+ REQUEST_SIZE_MATCH(xvQueryImageAttributesReq);
|
|
swaps(&stuff->length);
|
|
swapl(&stuff->port);
|
|
swapl(&stuff->id);
|
|
@@ -1376,6 +1395,7 @@ static int
|
|
SProcXvListImageFormats(ClientPtr client)
|
|
{
|
|
REQUEST(xvListImageFormatsReq);
|
|
+ REQUEST_SIZE_MATCH(xvListImageFormatsReq);
|
|
swaps(&stuff->length);
|
|
swapl(&stuff->port);
|
|
return XvProcVector[xv_ListImageFormats] (client);
|
|
--
|
|
2.1.2
|
|
|