diff options
Diffstat (limited to 'x11-servers/xorg-server/files/patch-CVE-2017-12183')
-rw-r--r-- | x11-servers/xorg-server/files/patch-CVE-2017-12183 | 95 |
1 files changed, 0 insertions, 95 deletions
diff --git a/x11-servers/xorg-server/files/patch-CVE-2017-12183 b/x11-servers/xorg-server/files/patch-CVE-2017-12183 deleted file mode 100644 index 5ccc3760e022..000000000000 --- a/x11-servers/xorg-server/files/patch-CVE-2017-12183 +++ /dev/null @@ -1,95 +0,0 @@ -From 61502107a30d64f991784648c3228ebc6694a032 Mon Sep 17 00:00:00 2001 -From: Nathan Kidd <nkidd@opentext.com> -Date: Fri, 9 Jan 2015 11:43:05 -0500 -Subject: xfixes: unvalidated lengths (CVE-2017-12183) - -v2: Use before swap (Jeremy Huddleston Sequoia) - -v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith) - -Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> -Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> -Reviewed-by: Julien Cristau <jcristau@debian.org> -Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> -Signed-off-by: Nathan Kidd <nkidd@opentext.com> -Signed-off-by: Julien Cristau <jcristau@debian.org> -(cherry picked from commit 55caa8b08c84af2b50fbc936cf334a5a93dd7db5) - -diff --git a/xfixes/cursor.c b/xfixes/cursor.c -index f009a78..6e84d71 100644 ---- xfixes/cursor.c -+++ xfixes/cursor.c -@@ -281,6 +281,7 @@ int - SProcXFixesSelectCursorInput(ClientPtr client) - { - REQUEST(xXFixesSelectCursorInputReq); -+ REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq); - - swaps(&stuff->length); - swapl(&stuff->window); -@@ -414,7 +415,7 @@ ProcXFixesSetCursorName(ClientPtr client) - REQUEST(xXFixesSetCursorNameReq); - Atom atom; - -- REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq); -+ REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes); - VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess); - tchar = (char *) &stuff[1]; - atom = MakeAtom(tchar, stuff->nbytes, TRUE); -@@ -1007,6 +1008,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client) - int i; - CARD16 *in_devices = (CARD16 *) &stuff[1]; - -+ REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq); -+ - swaps(&stuff->length); - swaps(&stuff->num_devices); - REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices)); -diff --git a/xfixes/region.c b/xfixes/region.c -index dd74d7f..f300d2b 100644 ---- xfixes/region.c -+++ xfixes/region.c -@@ -359,6 +359,7 @@ ProcXFixesCopyRegion(ClientPtr client) - RegionPtr pSource, pDestination; - - REQUEST(xXFixesCopyRegionReq); -+ REQUEST_SIZE_MATCH(xXFixesCopyRegionReq); - - VERIFY_REGION(pSource, stuff->source, client, DixReadAccess); - VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess); -@@ -375,7 +376,7 @@ SProcXFixesCopyRegion(ClientPtr client) - REQUEST(xXFixesCopyRegionReq); - - swaps(&stuff->length); -- REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq); -+ REQUEST_SIZE_MATCH(xXFixesCopyRegionReq); - swapl(&stuff->source); - swapl(&stuff->destination); - return (*ProcXFixesVector[stuff->xfixesReqType]) (client); -diff --git a/xfixes/saveset.c b/xfixes/saveset.c -index eb3f658..aa365cf 100644 ---- xfixes/saveset.c -+++ xfixes/saveset.c -@@ -62,6 +62,7 @@ int - SProcXFixesChangeSaveSet(ClientPtr client) - { - REQUEST(xXFixesChangeSaveSetReq); -+ REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq); - - swaps(&stuff->length); - swapl(&stuff->window); -diff --git a/xfixes/xfixes.c b/xfixes/xfixes.c -index 8d1bd4c..8b45c53 100644 ---- xfixes/xfixes.c -+++ xfixes/xfixes.c -@@ -160,6 +160,7 @@ static int - SProcXFixesQueryVersion(ClientPtr client) - { - REQUEST(xXFixesQueryVersionReq); -+ REQUEST_SIZE_MATCH(xXFixesQueryVersionReq); - - swaps(&stuff->length); - swapl(&stuff->majorVersion); --- -cgit v0.10.2 - |