xfixes: unvalidated lengths (CVE-2017-12183)

v2: Use before swap (Jeremy Huddleston Sequoia)

v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)

Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>

4 files changed, 8 insertions, 2 deletions

diff --git a/xfixes/cursor.c b/xfixes/cursor.c
index c1ab3beda..dc447ed6f 100644
--- a/xfixes/cursor.c
+++ b/xfixes/cursor.c
@@ -281,6 +281,7 @@ int _X_COLD
 SProcXFixesSelectCursorInput(ClientPtr client)
 {
     REQUEST(xXFixesSelectCursorInputReq);
+    REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq);
 
     swaps(&stuff->length);
     swapl(&stuff->window);
@@ -414,7 +415,7 @@ ProcXFixesSetCursorName(ClientPtr client)
     REQUEST(xXFixesSetCursorNameReq);
     Atom atom;
 
-    REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq);
+    REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes);
     VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess);
     tchar = (char *) &stuff[1];
     atom = MakeAtom(tchar, stuff->nbytes, TRUE);
@@ -1007,6 +1008,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
     int i;
     CARD16 *in_devices = (CARD16 *) &stuff[1];
 
+    REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);
+
     swaps(&stuff->length);
     swaps(&stuff->num_devices);
     REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
diff --git a/xfixes/region.c b/xfixes/region.c
index e7737011e..7c0a7d2fe 100644
--- a/xfixes/region.c
+++ b/xfixes/region.c
@@ -359,6 +359,7 @@ ProcXFixesCopyRegion(ClientPtr client)
     RegionPtr pSource, pDestination;
 
     REQUEST(xXFixesCopyRegionReq);
+    REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
 
     VERIFY_REGION(pSource, stuff->source, client, DixReadAccess);
     VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess);
@@ -375,7 +376,7 @@ SProcXFixesCopyRegion(ClientPtr client)
     REQUEST(xXFixesCopyRegionReq);
 
     swaps(&stuff->length);
-    REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq);
+    REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
     swapl(&stuff->source);
     swapl(&stuff->destination);
     return (*ProcXFixesVector[stuff->xfixesReqType]) (client);
diff --git a/xfixes/saveset.c b/xfixes/saveset.c
index 204315317..fd9c7a124 100644
--- a/xfixes/saveset.c
+++ b/xfixes/saveset.c
@@ -62,6 +62,7 @@ int _X_COLD
 SProcXFixesChangeSaveSet(ClientPtr client)
 {
     REQUEST(xXFixesChangeSaveSetReq);
+    REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq);
 
     swaps(&stuff->length);
     swapl(&stuff->window);
diff --git a/xfixes/xfixes.c b/xfixes/xfixes.c
index 77efd64cc..248bf0287 100644
--- a/xfixes/xfixes.c
+++ b/xfixes/xfixes.c
@@ -160,6 +160,7 @@ static _X_COLD int
 SProcXFixesQueryVersion(ClientPtr client)
 {
     REQUEST(xXFixesQueryVersionReq);
+    REQUEST_SIZE_MATCH(xXFixesQueryVersionReq);
 
     swaps(&stuff->length);
     swapl(&stuff->majorVersion);