randr: unvalidated lengths in RandR extension swapped procs [CVE-2014-8101]

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
author: Alan Coopersmith <alan.coopersmith@oracle.com> 2014-01-26 19:38:09 -0800
committer: Alan Coopersmith <alan.coopersmith@oracle.com> 2014-12-08 18:09:48 -0800
commit: 3df2fcf12499ebdb26b9b67419ea485a42041f33 (patch)
tree: 2945294b0d0cd05f2252ddf193ca5a5f9bcd7e83
parent: d155b7a8e38e74aee96bf52c20c8b6a330d7d462 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/randr/rrsdispatch.c b/randr/rrsdispatch.c
index 08c3b6abe..47558cf75 100644
--- a/randr/rrsdispatch.c
+++ b/randr/rrsdispatch.c
@@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client)
 {
     REQUEST(xRRQueryVersionReq);
 
+    REQUEST_SIZE_MATCH(xRRQueryVersionReq);
     swaps(&stuff->length);
     swapl(&stuff->majorVersion);
     swapl(&stuff->minorVersion);
@@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client)
 {
     REQUEST(xRRGetScreenInfoReq);
 
+    REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
     swaps(&stuff->length);
     swapl(&stuff->window);
     return (*ProcRandrVector[stuff->randrReqType]) (client);
@@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client)
 {
     REQUEST(xRRSelectInputReq);
 
+    REQUEST_SIZE_MATCH(xRRSelectInputReq);
     swaps(&stuff->length);
     swapl(&stuff->window);
     swaps(&stuff->enable);
@@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr client)
 {
     REQUEST(xRRConfigureOutputPropertyReq);
 
+    REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq);
     swaps(&stuff->length);
     swapl(&stuff->output);
     swapl(&stuff->property);
author	Alan Coopersmith <alan.coopersmith@oracle.com>	2014-01-26 19:38:09 -0800
committer	Alan Coopersmith <alan.coopersmith@oracle.com>	2014-12-08 18:09:48 -0800
commit	3df2fcf12499ebdb26b9b67419ea485a42041f33 (patch)
tree	2945294b0d0cd05f2252ddf193ca5a5f9bcd7e83
parent	d155b7a8e38e74aee96bf52c20c8b6a330d7d462 (diff)