From a03f096a85537d9e881cedaa6cb71aca43a97086 Mon Sep 17 00:00:00 2001 From: Jeremy Huddleston Sequoia Date: Wed, 1 Jan 2014 10:47:52 -0800 Subject: [PATCH] XQuartz: Validate length in appledri before swapping Avoids potential memory corruption from bad requests Signed-off-by: Jeremy Huddleston Sequoia --- hw/xquartz/xpr/appledri.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hw/xquartz/xpr/appledri.c b/hw/xquartz/xpr/appledri.c index d7e9844..7757465 100644 --- a/hw/xquartz/xpr/appledri.c +++ b/hw/xquartz/xpr/appledri.c @@ -406,6 +406,7 @@ SProcAppleDRIQueryDirectRenderingCapable(register ClientPtr client) { REQUEST(xAppleDRIQueryDirectRenderingCapableReq); swaps(&stuff->length); + REQUEST_SIZE_MATCH(xAppleDRIQueryDirectRenderingCapableReq); swapl(&stuff->screen); return ProcAppleDRIQueryDirectRenderingCapable(client); } @@ -415,6 +416,7 @@ SProcAppleDRIAuthConnection(register ClientPtr client) { REQUEST(xAppleDRIAuthConnectionReq); swaps(&stuff->length); + REQUEST_SIZE_MATCH(xAppleDRIAuthConnectionReq); swapl(&stuff->screen); swapl(&stuff->magic); return ProcAppleDRIAuthConnection(client); @@ -425,6 +427,7 @@ SProcAppleDRICreateSurface(register ClientPtr client) { REQUEST(xAppleDRICreateSurfaceReq); swaps(&stuff->length); + REQUEST_SIZE_MATCH(xAppleDRICreateSurfaceReq); swapl(&stuff->screen); swapl(&stuff->drawable); swapl(&stuff->client_id); @@ -436,6 +439,7 @@ SProcAppleDRIDestroySurface(register ClientPtr client) { REQUEST(xAppleDRIDestroySurfaceReq); swaps(&stuff->length); + REQUEST_SIZE_MATCH(xAppleDRIDestroySurfaceReq); swapl(&stuff->screen); swapl(&stuff->drawable); return ProcAppleDRIDestroySurface(client); @@ -446,6 +450,7 @@ SProcAppleDRICreatePixmap(register ClientPtr client) { REQUEST(xAppleDRICreatePixmapReq); swaps(&stuff->length); + REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq); swapl(&stuff->screen); swapl(&stuff->drawable); return ProcAppleDRICreatePixmap(client); @@ -456,6 +461,7 @@ SProcAppleDRIDestroyPixmap(register ClientPtr client) { REQUEST(xAppleDRIDestroyPixmapReq); swaps(&stuff->length); + REQUEST_SIZE_MATCH(xAppleDRIDestroyPixmapReq); swapl(&stuff->drawable); return ProcAppleDRIDestroyPixmap(client); } -- 2.7.4