Module Name: xsrc
Committed By: snj
Date: Sun Nov 5 21:03:26 UTC 2017
Modified Files:
xsrc/external/mit/xorg-server/dist/Xext [netbsd-7-1]: panoramiX.c
saver.c xvdisp.c
xsrc/external/mit/xorg-server/dist/Xi [netbsd-7-1]: xichangehierarchy.c
xsrc/external/mit/xorg-server/dist/dbe [netbsd-7-1]: dbe.c
xsrc/external/mit/xorg-server/dist/dix [netbsd-7-1]: dispatch.c
xsrc/external/mit/xorg-server/dist/hw/dmx [netbsd-7-1]: dmxpict.c
xsrc/external/mit/xorg-server/dist/hw/xfree86/dixmods/extmod
[netbsd-7-1]:
xf86dga2.c
xsrc/external/mit/xorg-server/dist/hw/xfree86/dri [netbsd-7-1]:
xf86dri.c
xsrc/external/mit/xorg-server/dist/render [netbsd-7-1]: render.c
xsrc/external/mit/xorg-server/dist/xfixes [netbsd-7-1]: cursor.c
region.c saveset.c xfixes.c
xsrc/xfree/xc/programs/Xserver/Xext [netbsd-7-1]: panoramiX.c saver.c
xf86dga2.c xvdisp.c
xsrc/xfree/xc/programs/Xserver/dbe [netbsd-7-1]: dbe.c
xsrc/xfree/xc/programs/Xserver/dix [netbsd-7-1]: dispatch.c
xsrc/xfree/xc/programs/Xserver/hw/dmx [netbsd-7-1]: dmxpict.c
xsrc/xfree/xc/programs/Xserver/render [netbsd-7-1]: render.c
Log Message:
Apply patch (requested by mrg in ticket #1523):
apply fixes for CVEs 2017-12176 to 2017-12187
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.5 -r1.1.1.5.14.1 \
xsrc/external/mit/xorg-server/dist/Xext/panoramiX.c
cvs rdiff -u -r1.1.1.6 -r1.1.1.6.8.1 \
xsrc/external/mit/xorg-server/dist/Xext/saver.c
cvs rdiff -u -r1.4.4.1 -r1.4.4.1.4.1 \
xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c
cvs rdiff -u -r1.1.1.3.4.1 -r1.1.1.3.4.1.4.1 \
xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c
cvs rdiff -u -r1.1.1.4.10.1 -r1.1.1.4.10.1.4.1 \
xsrc/external/mit/xorg-server/dist/dbe/dbe.c
cvs rdiff -u -r1.1.1.7.4.1 -r1.1.1.7.4.1.4.1 \
xsrc/external/mit/xorg-server/dist/dix/dispatch.c
cvs rdiff -u -r1.1.1.4 -r1.1.1.4.14.1 \
xsrc/external/mit/xorg-server/dist/hw/dmx/dmxpict.c
cvs rdiff -u -r1.1.1.5 -r1.1.1.5.14.1 \
xsrc/external/mit/xorg-server/dist/hw/xfree86/dixmods/extmod/xf86dga2.c
cvs rdiff -u -r1.1.1.4 -r1.1.1.4.14.1 \
xsrc/external/mit/xorg-server/dist/hw/xfree86/dri/xf86dri.c
cvs rdiff -u -r1.1.1.7.10.1 -r1.1.1.7.10.1.4.1 \
xsrc/external/mit/xorg-server/dist/render/render.c
cvs rdiff -u -r1.1.1.6 -r1.1.1.6.8.1 \
xsrc/external/mit/xorg-server/dist/xfixes/cursor.c
cvs rdiff -u -r1.1.1.5 -r1.1.1.5.14.1 \
xsrc/external/mit/xorg-server/dist/xfixes/region.c
cvs rdiff -u -r1.1.1.3 -r1.1.1.3.14.1 \
xsrc/external/mit/xorg-server/dist/xfixes/saveset.c
cvs rdiff -u -r1.1.1.4 -r1.1.1.4.14.1 \
xsrc/external/mit/xorg-server/dist/xfixes/xfixes.c
cvs rdiff -u -r1.1.1.7 -r1.1.1.7.28.1 \
xsrc/xfree/xc/programs/Xserver/Xext/panoramiX.c
cvs rdiff -u -r1.1.1.6 -r1.1.1.6.28.1 \
xsrc/xfree/xc/programs/Xserver/Xext/saver.c \
xsrc/xfree/xc/programs/Xserver/Xext/xf86dga2.c
cvs rdiff -u -r1.1.1.5.36.1 -r1.1.1.5.36.1.4.1 \
xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c
cvs rdiff -u -r1.2.18.1 -r1.2.18.1.4.1 \
xsrc/xfree/xc/programs/Xserver/dbe/dbe.c
cvs rdiff -u -r1.1.1.7.24.1 -r1.1.1.7.24.1.4.1 \
xsrc/xfree/xc/programs/Xserver/dix/dispatch.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.30.1 \
xsrc/xfree/xc/programs/Xserver/hw/dmx/dmxpict.c
cvs rdiff -u -r1.3.18.1 -r1.3.18.1.4.1 \
xsrc/xfree/xc/programs/Xserver/render/render.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/xorg-server/dist/Xext/panoramiX.c
diff -u xsrc/external/mit/xorg-server/dist/Xext/panoramiX.c:1.1.1.5 xsrc/external/mit/xorg-server/dist/Xext/panoramiX.c:1.1.1.5.14.1
--- xsrc/external/mit/xorg-server/dist/Xext/panoramiX.c:1.1.1.5 Tue Aug 2 06:57:05 2011
+++ xsrc/external/mit/xorg-server/dist/Xext/panoramiX.c Sun Nov 5 21:03:25 2017
@@ -990,10 +990,11 @@ ProcPanoramiXGetScreenSize(ClientPtr cli
xPanoramiXGetScreenSizeReply rep;
int n, rc;
+ REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+
if (stuff->screen >= PanoramiXNumScreens)
return BadMatch;
- REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
if (rc != Success)
return rc;
Index: xsrc/external/mit/xorg-server/dist/Xext/saver.c
diff -u xsrc/external/mit/xorg-server/dist/Xext/saver.c:1.1.1.6 xsrc/external/mit/xorg-server/dist/Xext/saver.c:1.1.1.6.8.1
--- xsrc/external/mit/xorg-server/dist/Xext/saver.c:1.1.1.6 Mon Jun 3 07:34:30 2013
+++ xsrc/external/mit/xorg-server/dist/Xext/saver.c Sun Nov 5 21:03:25 2017
@@ -1282,6 +1282,8 @@ ProcScreenSaverUnsetAttributes (ClientPt
PanoramiXRes *draw;
int rc, i;
+ REQUEST_SIZE_MATCH(xScreenSaverUnsetAttributesReq);
+
rc = dixLookupResourceByClass((pointer *)&draw, stuff->drawable,
XRC_DRAWABLE, client, DixWriteAccess);
if (rc != Success)
Index: xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c
diff -u xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c:1.4.4.1 xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c:1.4.4.1.4.1
--- xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c:1.4.4.1 Tue Dec 9 19:36:57 2014
+++ xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c Sun Nov 5 21:03:25 2017
@@ -1676,12 +1676,14 @@ XineramaXvShmPutImage(ClientPtr client)
{
REQUEST(xvShmPutImageReq);
PanoramiXRes *draw, *gc, *port;
- Bool send_event = stuff->send_event;
+ Bool send_event;
Bool isRoot;
int result, i, x, y;
REQUEST_SIZE_MATCH(xvShmPutImageReq);
+ send_event = stuff->send_event;
+
result = dixLookupResourceByClass((pointer *)&draw, stuff->drawable,
XRC_DRAWABLE, client, DixWriteAccess);
if (result != Success)
Index: xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c:1.1.1.3.4.1 xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c:1.1.1.3.4.1.4.1
--- xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c:1.1.1.3.4.1 Tue Dec 9 19:36:57 2014
+++ xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c Sun Nov 5 21:03:25 2017
@@ -449,7 +449,7 @@ ProcXIChangeHierarchy(ClientPtr client)
if (stuff->length > (INT_MAX >> 2))
return BadAlloc;
- len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
+ len = (stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
any = (xXIAnyHierarchyChangeInfo*)&stuff[1];
while(stuff->num_changes--)
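Review bot: The corrected `len` still starts from `stuff->length`, which I take to be the wire length field of the request header, while the other length checks in this commit (dispatch.c, render.c) work from `client->req_len`. If the two can differ for a request, `len = (client->req_len << 2) - sizeof(xXIChangeHierarchyReq);` is the more consistent form. The subtraction also assumes the request is at least `sizeof(xXIChangeHierarchyReq)` bytes long; the check that guarantees this is presumably earlier in ProcXIChangeHierarchy, outside the hunk. A short comment such as `/* bytes of change records that follow the fixed request header */` would record what `len` measures.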
Index: xsrc/external/mit/xorg-server/dist/dbe/dbe.c
diff -u xsrc/external/mit/xorg-server/dist/dbe/dbe.c:1.1.1.4.10.1 xsrc/external/mit/xorg-server/dist/dbe/dbe.c:1.1.1.4.10.1.4.1
--- xsrc/external/mit/xorg-server/dist/dbe/dbe.c:1.1.1.4.10.1 Tue Dec 9 19:36:57 2014
+++ xsrc/external/mit/xorg-server/dist/dbe/dbe.c Sun Nov 5 21:03:25 2017
@@ -666,6 +666,9 @@ ProcDbeGetVisualInfo(ClientPtr client)
REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
+ if (stuff->n > UINT32_MAX / sizeof(CARD32))
+ return BadLength;
+ REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32));
if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
return BadAlloc;
@@ -1046,7 +1049,7 @@ SProcDbeSwapBuffers(ClientPtr client)
swapl(&stuff->n, n);
if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
- return BadAlloc;
+ return BadLength;
REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
if (stuff->n != 0)
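Review bot: The overflow guard in SProcDbeSwapBuffers divides by `sizeof(DbeSwapInfoRec)`, but the product passed to REQUEST_FIXED_SIZE on the next line uses `sizeof(xDbeSwapInfo)`. The guard therefore only protects that multiplication if the first type is at least as large as the second, which the hunk does not show. Guarding the expression that is actually computed is clearer: `if (stuff->n > UINT32_MAX / sizeof(xDbeSwapInfo)) return BadLength;`. The same pair of lines appears in the xfree copy of dbe.c, and the function body starts and ends outside the hunk.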
Index: xsrc/external/mit/xorg-server/dist/dix/dispatch.c
diff -u xsrc/external/mit/xorg-server/dist/dix/dispatch.c:1.1.1.7.4.1 xsrc/external/mit/xorg-server/dist/dix/dispatch.c:1.1.1.7.4.1.4.1
--- xsrc/external/mit/xorg-server/dist/dix/dispatch.c:1.1.1.7.4.1 Tue Dec 9 19:36:57 2014
+++ xsrc/external/mit/xorg-server/dist/dix/dispatch.c Sun Nov 5 21:03:25 2017
@@ -3683,7 +3683,12 @@ ProcEstablishConnection(ClientPtr client
prefix = (xConnClientPrefix *)((char *)stuff + sz_xReq);
auth_proto = (char *)prefix + sz_xConnClientPrefix;
auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
- if ((prefix->majorVersion != X_PROTOCOL) ||
+
+ if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
+ pad_to_int32(prefix->nbytesAuthProto) +
+ pad_to_int32(prefix->nbytesAuthString))
+ reason = "Bad length";
+ else if ((prefix->majorVersion != X_PROTOCOL) ||
(prefix->minorVersion != X_PROTOCOL_REVISION))
reason = "Protocol version mismatch";
else
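Review bot: The added length test in ProcEstablishConnection has no comment, and the unit conversion in `client->req_len << 2` is easy to misread next to the byte-sized `sz_` constants. I would add `/* req_len counts 4-byte units; the setup request must be exactly header + prefix + padded auth name + padded auth data */` above the `if`. `auth_proto` and `auth_string` are still derived before the test; that is only address computation here, and whether they are read on the "Bad length" path is decided outside the hunk.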
Index: xsrc/external/mit/xorg-server/dist/hw/dmx/dmxpict.c
diff -u xsrc/external/mit/xorg-server/dist/hw/dmx/dmxpict.c:1.1.1.4 xsrc/external/mit/xorg-server/dist/hw/dmx/dmxpict.c:1.1.1.4.14.1
--- xsrc/external/mit/xorg-server/dist/hw/dmx/dmxpict.c:1.1.1.4 Tue Aug 2 06:56:48 2011
+++ xsrc/external/mit/xorg-server/dist/hw/dmx/dmxpict.c Sun Nov 5 21:03:25 2017
@@ -686,6 +686,8 @@ static int dmxProcRenderSetPictureFilter
filter = (char *)(stuff + 1);
params = (XFixed *)(filter + ((stuff->nbytes + 3) & ~3));
nparams = ((XFixed *)stuff + client->req_len) - params;
+ if (nparams < 0)
+ return BadLength;
XRenderSetPictureFilter(dmxScreen->beDisplay,
pPictPriv->pict,
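Review bot: `nparams < 0` is tested only after `params` has been formed from the client-supplied `stuff->nbytes`, so for an oversized `nbytes` the pointer already lies beyond the request. The subtraction is then pointer arithmetic outside the object, which C leaves undefined. Comparing byte counts before deriving the pointer avoids relying on that, e.g. `if (((stuff->nbytes + 3) & ~3) > (client->req_len << 2) - sizeof(*stuff)) return BadLength;`, assuming an at-least-size check earlier in the function (outside the hunk) keeps the right-hand side from wrapping. The same pattern is in both render.c hunks (ProcRenderSetPictureFilter) and in the xfree copy of dmxpict.c.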
Index: xsrc/external/mit/xorg-server/dist/hw/xfree86/dixmods/extmod/xf86dga2.c
diff -u xsrc/external/mit/xorg-server/dist/hw/xfree86/dixmods/extmod/xf86dga2.c:1.1.1.5 xsrc/external/mit/xorg-server/dist/hw/xfree86/dixmods/extmod/xf86dga2.c:1.1.1.5.14.1
--- xsrc/external/mit/xorg-server/dist/hw/xfree86/dixmods/extmod/xf86dga2.c:1.1.1.5 Tue Aug 2 06:56:55 2011
+++ xsrc/external/mit/xorg-server/dist/hw/xfree86/dixmods/extmod/xf86dga2.c Sun Nov 5 21:03:25 2017
@@ -95,6 +95,9 @@ static int
ProcXDGAOpenFramebuffer(ClientPtr client)
{
REQUEST(xXDGAOpenFramebufferReq);
+
+ REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq);
+
xXDGAOpenFramebufferReply rep;
char *deviceName;
int nameSize;
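Review bot: In ProcXDGAOpenFramebuffer the new `REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq);` sits between `REQUEST(...)` and the declarations of `rep`, `deviceName` and `nameSize`, so a statement now precedes declarations in the same block. That compiles only where mixed declarations and code are accepted, and it differs from the other hunks in this file (ProcXDGAQueryModes, ProcXDGASetMode), which place the check after the last declaration. The same ordering appears in the ProcXDGAGetViewportStatus, ProcXDGASync and ProcXF86DGAQueryDirectVideo hunks. Moving the check to just below the final declaration in each keeps the early validation and the file's declaration style.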
@@ -105,7 +108,6 @@ ProcXDGAOpenFramebuffer(ClientPtr client
if (!DGAAvailable(stuff->screen))
return DGAErrorBase + XF86DGANoDirectVideoMode;
- REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -133,14 +135,14 @@ ProcXDGACloseFramebuffer(ClientPtr clien
{
REQUEST(xXDGACloseFramebufferReq);
+ REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (!DGAAvailable(stuff->screen))
return DGAErrorBase + XF86DGANoDirectVideoMode;
- REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq);
-
DGACloseFramebuffer(stuff->screen);
return Success;
@@ -155,10 +157,11 @@ ProcXDGAQueryModes(ClientPtr client)
xXDGAModeInfo info;
XDGAModePtr mode;
+ REQUEST_SIZE_MATCH(xXDGAQueryModesReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
- REQUEST_SIZE_MATCH(xXDGAQueryModesReq);
rep.type = X_Reply;
rep.length = 0;
rep.number = 0;
@@ -274,11 +277,12 @@ ProcXDGASetMode(ClientPtr client)
ClientPtr owner;
int size;
+ REQUEST_SIZE_MATCH(xXDGASetModeReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
owner = DGA_GETCLIENT(stuff->screen);
- REQUEST_SIZE_MATCH(xXDGASetModeReq);
rep.type = X_Reply;
rep.length = 0;
rep.offset = 0;
@@ -363,14 +367,14 @@ ProcXDGASetViewport(ClientPtr client)
{
REQUEST(xXDGASetViewportReq);
+ REQUEST_SIZE_MATCH(xXDGASetViewportReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if(DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGASetViewportReq);
-
DGASetViewport(stuff->screen, stuff->x, stuff->y, stuff->flags);
return Success;
@@ -383,14 +387,14 @@ ProcXDGAInstallColormap(ClientPtr client
int rc;
REQUEST(xXDGAInstallColormapReq);
+ REQUEST_SIZE_MATCH(xXDGAInstallColormapReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if(DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGAInstallColormapReq);
-
rc = dixLookupResourceByType((pointer *)&cmap, stuff->cmap, RT_COLORMAP,
client, DixInstallAccess);
if (rc != Success)
@@ -405,14 +409,14 @@ ProcXDGASelectInput(ClientPtr client)
{
REQUEST(xXDGASelectInputReq);
+ REQUEST_SIZE_MATCH(xXDGASelectInputReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if(DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGASelectInputReq);
-
if(DGA_GETCLIENT(stuff->screen) == client)
DGASelectInput(stuff->screen, client, stuff->mask);
@@ -425,14 +429,14 @@ ProcXDGAFillRectangle(ClientPtr client)
{
REQUEST(xXDGAFillRectangleReq);
+ REQUEST_SIZE_MATCH(xXDGAFillRectangleReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if(DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGAFillRectangleReq);
-
if(Success != DGAFillRect(stuff->screen, stuff->x, stuff->y,
stuff->width, stuff->height, stuff->color))
return BadMatch;
@@ -445,14 +449,14 @@ ProcXDGACopyArea(ClientPtr client)
{
REQUEST(xXDGACopyAreaReq);
+ REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if(DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
-
if(Success != DGABlitRect(stuff->screen, stuff->srcx, stuff->srcy,
stuff->width, stuff->height, stuff->dstx, stuff->dsty))
return BadMatch;
@@ -466,14 +470,14 @@ ProcXDGACopyTransparentArea(ClientPtr cl
{
REQUEST(xXDGACopyTransparentAreaReq);
+ REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if(DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
-
if(Success != DGABlitTransRect(stuff->screen, stuff->srcx, stuff->srcy,
stuff->width, stuff->height, stuff->dstx, stuff->dsty, stuff->key))
return BadMatch;
@@ -486,6 +490,9 @@ static int
ProcXDGAGetViewportStatus(ClientPtr client)
{
REQUEST(xXDGAGetViewportStatusReq);
+
+ REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq);
+
xXDGAGetViewportStatusReply rep;
if (stuff->screen >= screenInfo.numScreens)
@@ -494,7 +501,6 @@ ProcXDGAGetViewportStatus(ClientPtr clie
if(DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -509,6 +515,9 @@ static int
ProcXDGASync(ClientPtr client)
{
REQUEST(xXDGASyncReq);
+
+ REQUEST_SIZE_MATCH(xXDGASyncReq);
+
xXDGASyncReply rep;
if (stuff->screen >= screenInfo.numScreens)
@@ -517,7 +526,6 @@ ProcXDGASync(ClientPtr client)
if(DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGASyncReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -556,13 +564,14 @@ ProcXDGAChangePixmapMode(ClientPtr clien
xXDGAChangePixmapModeReply rep;
int x, y;
+ REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if(DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -587,14 +596,14 @@ ProcXDGACreateColormap(ClientPtr client)
REQUEST(xXDGACreateColormapReq);
int result;
+ REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if(DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
-
if(!stuff->mode)
return BadValue;
@@ -625,10 +634,11 @@ ProcXF86DGAGetVideoLL(ClientPtr client)
int num, offset, flags;
char *name;
+ REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
- REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -664,9 +674,10 @@ ProcXF86DGADirectVideo(ClientPtr client)
ClientPtr owner;
REQUEST(xXF86DGADirectVideoReq);
+ REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
- REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq);
if (!DGAAvailable(stuff->screen))
return DGAErrorBase + XF86DGANoDirectVideoMode;
@@ -715,13 +726,15 @@ ProcXF86DGAGetViewPortSize(ClientPtr cli
{
int num;
XDGAModeRec mode;
- REQUEST(xXF86DGAGetViewPortSizeReq);
xXF86DGAGetViewPortSizeReply rep;
+ REQUEST(xXF86DGAGetViewPortSizeReq);
+
+ REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
- REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -746,14 +759,14 @@ ProcXF86DGASetViewPort(ClientPtr client)
{
REQUEST(xXF86DGASetViewPortReq);
+ REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq);
-
if (!DGAAvailable(stuff->screen))
return DGAErrorBase + XF86DGANoDirectVideoMode;
@@ -773,10 +786,11 @@ ProcXF86DGAGetVidPage(ClientPtr client)
REQUEST(xXF86DGAGetVidPageReq);
xXF86DGAGetVidPageReply rep;
+ REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
- REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -792,11 +806,11 @@ ProcXF86DGASetVidPage(ClientPtr client)
{
REQUEST(xXF86DGASetVidPageReq);
+ REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
- REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq);
-
/* silently fail */
return Success;
@@ -808,16 +822,17 @@ ProcXF86DGAInstallColormap(ClientPtr cli
{
ColormapPtr pcmp;
int rc;
+
REQUEST(xXF86DGAInstallColormapReq);
+ REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq);
-
if (!DGAActive(stuff->screen))
return DGAErrorBase + XF86DGADirectNotActivated;
@@ -835,12 +850,14 @@ static int
ProcXF86DGAQueryDirectVideo(ClientPtr client)
{
REQUEST(xXF86DGAQueryDirectVideoReq);
+
+ REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq);
+
xXF86DGAQueryDirectVideoReply rep;
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
- REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -859,14 +876,14 @@ ProcXF86DGAViewPortChanged(ClientPtr cli
REQUEST(xXF86DGAViewPortChangedReq);
xXF86DGAViewPortChangedReply rep;
+ REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq);
+
if (stuff->screen >= screenInfo.numScreens)
return BadValue;
if (DGA_GETCLIENT(stuff->screen) != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq);
-
if (!DGAActive(stuff->screen))
return DGAErrorBase + XF86DGADirectNotActivated;
Index: xsrc/external/mit/xorg-server/dist/hw/xfree86/dri/xf86dri.c
diff -u xsrc/external/mit/xorg-server/dist/hw/xfree86/dri/xf86dri.c:1.1.1.4 xsrc/external/mit/xorg-server/dist/hw/xfree86/dri/xf86dri.c:1.1.1.4.14.1
--- xsrc/external/mit/xorg-server/dist/hw/xfree86/dri/xf86dri.c:1.1.1.4 Tue Aug 2 06:56:55 2011
+++ xsrc/external/mit/xorg-server/dist/hw/xfree86/dri/xf86dri.c Sun Nov 5 21:03:25 2017
@@ -609,6 +609,7 @@ SProcXF86DRIQueryDirectRenderingCapable(
{
register int n;
REQUEST(xXF86DRIQueryDirectRenderingCapableReq);
+ REQUEST_SIZE_MATCH(xXF86DRIQueryDirectRenderingCapableReq);
swaps(&stuff->length, n);
swapl(&stuff->screen, n);
return ProcXF86DRIQueryDirectRenderingCapable(client);
Index: xsrc/external/mit/xorg-server/dist/render/render.c
diff -u xsrc/external/mit/xorg-server/dist/render/render.c:1.1.1.7.10.1 xsrc/external/mit/xorg-server/dist/render/render.c:1.1.1.7.10.1.4.1
--- xsrc/external/mit/xorg-server/dist/render/render.c:1.1.1.7.10.1 Tue Dec 9 19:36:57 2014
+++ xsrc/external/mit/xorg-server/dist/render/render.c Sun Nov 5 21:03:25 2017
@@ -1848,6 +1848,9 @@ ProcRenderSetPictureFilter (ClientPtr cl
name = (char *) (stuff + 1);
params = (xFixed *) (name + pad_to_int32(stuff->nbytes));
nparams = ((xFixed *) stuff + client->req_len) - params;
+ if (nparams < 0)
+ return BadLength;
+
result = SetPictureFilter (pPicture, name, stuff->nbytes, params, nparams);
return result;
}
Index: xsrc/external/mit/xorg-server/dist/xfixes/cursor.c
diff -u xsrc/external/mit/xorg-server/dist/xfixes/cursor.c:1.1.1.6 xsrc/external/mit/xorg-server/dist/xfixes/cursor.c:1.1.1.6.8.1
--- xsrc/external/mit/xorg-server/dist/xfixes/cursor.c:1.1.1.6 Mon Jun 3 07:34:30 2013
+++ xsrc/external/mit/xorg-server/dist/xfixes/cursor.c Sun Nov 5 21:03:25 2017
@@ -295,6 +295,7 @@ SProcXFixesSelectCursorInput (ClientPtr
{
register int n;
REQUEST(xXFixesSelectCursorInputReq);
+ REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq);
swaps(&stuff->length, n);
swapl(&stuff->window, n);
@@ -437,7 +438,7 @@ ProcXFixesSetCursorName (ClientPtr clien
REQUEST(xXFixesSetCursorNameReq);
Atom atom;
- REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq);
+ REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes);
VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess);
tchar = (char *) &stuff[1];
atom = MakeAtom (tchar, stuff->nbytes, TRUE);
Index: xsrc/external/mit/xorg-server/dist/xfixes/region.c
diff -u xsrc/external/mit/xorg-server/dist/xfixes/region.c:1.1.1.5 xsrc/external/mit/xorg-server/dist/xfixes/region.c:1.1.1.5.14.1
--- xsrc/external/mit/xorg-server/dist/xfixes/region.c:1.1.1.5 Tue Aug 2 06:57:06 2011
+++ xsrc/external/mit/xorg-server/dist/xfixes/region.c Sun Nov 5 21:03:26 2017
@@ -376,6 +376,7 @@ ProcXFixesCopyRegion (ClientPtr client)
{
RegionPtr pSource, pDestination;
REQUEST (xXFixesCopyRegionReq);
+ REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
VERIFY_REGION(pSource, stuff->source, client, DixReadAccess);
VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess);
@@ -393,7 +394,7 @@ SProcXFixesCopyRegion (ClientPtr client)
REQUEST (xXFixesCopyRegionReq);
swaps (&stuff->length, n);
- REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq);
+ REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
swapl (&stuff->source, n);
swapl (&stuff->destination, n);
return (*ProcXFixesVector[stuff->xfixesReqType]) (client);
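Review bot: In SProcXFixesCopyRegion the size check stays after `swaps (&stuff->length, n);`, whereas the swapped handlers touched elsewhere in this commit (cursor.c, saveset.c, xfixes.c) validate the size before the first swap. If the macro compares against `client->req_len`, as it appears to, the order does not change the result, but putting `REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);` directly under `REQUEST (xXFixesCopyRegionReq);` would keep one pattern for all of them. The function starts outside the hunk.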
Index: xsrc/external/mit/xorg-server/dist/xfixes/saveset.c
diff -u xsrc/external/mit/xorg-server/dist/xfixes/saveset.c:1.1.1.3 xsrc/external/mit/xorg-server/dist/xfixes/saveset.c:1.1.1.3.14.1
--- xsrc/external/mit/xorg-server/dist/xfixes/saveset.c:1.1.1.3 Tue Nov 23 05:22:16 2010
+++ xsrc/external/mit/xorg-server/dist/xfixes/saveset.c Sun Nov 5 21:03:26 2017
@@ -65,6 +65,7 @@ SProcXFixesChangeSaveSet(ClientPtr clien
{
register int n;
REQUEST(xXFixesChangeSaveSetReq);
+ REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq);
swaps(&stuff->length, n);
swapl(&stuff->window, n);
Index: xsrc/external/mit/xorg-server/dist/xfixes/xfixes.c
diff -u xsrc/external/mit/xorg-server/dist/xfixes/xfixes.c:1.1.1.4 xsrc/external/mit/xorg-server/dist/xfixes/xfixes.c:1.1.1.4.14.1
--- xsrc/external/mit/xorg-server/dist/xfixes/xfixes.c:1.1.1.4 Tue Aug 2 06:57:06 2011
+++ xsrc/external/mit/xorg-server/dist/xfixes/xfixes.c Sun Nov 5 21:03:26 2017
@@ -162,6 +162,7 @@ SProcXFixesQueryVersion(ClientPtr client
{
register int n;
REQUEST(xXFixesQueryVersionReq);
+ REQUEST_SIZE_MATCH(xXFixesQueryVersionReq);
swaps(&stuff->length, n);
swapl(&stuff->majorVersion, n);
Index: xsrc/xfree/xc/programs/Xserver/Xext/panoramiX.c
diff -u xsrc/xfree/xc/programs/Xserver/Xext/panoramiX.c:1.1.1.7 xsrc/xfree/xc/programs/Xserver/Xext/panoramiX.c:1.1.1.7.28.1
--- xsrc/xfree/xc/programs/Xserver/Xext/panoramiX.c:1.1.1.7 Fri Mar 18 13:09:58 2005
+++ xsrc/xfree/xc/programs/Xserver/Xext/panoramiX.c Sun Nov 5 21:03:26 2017
@@ -1055,6 +1055,8 @@ ProcPanoramiXGetScreenSize(ClientPtr cli
register int n;
REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+ if (stuff->screen >= PanoramiXNumScreens)
+ return BadMatch;
pWin = LookupWindow (stuff->window, client);
if (!pWin)
return BadWindow;
Index: xsrc/xfree/xc/programs/Xserver/Xext/saver.c
diff -u xsrc/xfree/xc/programs/Xserver/Xext/saver.c:1.1.1.6 xsrc/xfree/xc/programs/Xserver/Xext/saver.c:1.1.1.6.28.1
--- xsrc/xfree/xc/programs/Xserver/Xext/saver.c:1.1.1.6 Fri Mar 18 13:09:58 2005
+++ xsrc/xfree/xc/programs/Xserver/Xext/saver.c Sun Nov 5 21:03:26 2017
@@ -1324,6 +1324,8 @@ ProcScreenSaverUnsetAttributes (ClientPt
PanoramiXRes *draw;
int i;
+ REQUEST_SIZE_MATCH(xScreenSaverUnsetAttributesReq);
+
if(!(draw = (PanoramiXRes *)SecurityLookupIDByClass(
client, stuff->drawable, XRC_DRAWABLE, SecurityWriteAccess)))
return BadDrawable;
Index: xsrc/xfree/xc/programs/Xserver/Xext/xf86dga2.c
diff -u xsrc/xfree/xc/programs/Xserver/Xext/xf86dga2.c:1.1.1.6 xsrc/xfree/xc/programs/Xserver/Xext/xf86dga2.c:1.1.1.6.28.1
--- xsrc/xfree/xc/programs/Xserver/Xext/xf86dga2.c:1.1.1.6 Fri Mar 18 13:09:59 2005
+++ xsrc/xfree/xc/programs/Xserver/Xext/xf86dga2.c Sun Nov 5 21:03:26 2017
@@ -152,13 +152,14 @@ ProcXDGAOpenFramebuffer(ClientPtr client
char *deviceName;
int nameSize;
+ REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq);
+
if (stuff->screen > screenInfo.numScreens)
return BadValue;
if (!DGAAvailable(stuff->screen))
return DGAErrorBase + XF86DGANoDirectVideoMode;
- REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq);
rep.type = X_Reply;
rep.length = rep.mem1 = rep.mem2 = rep.size = rep.offset = rep.extra = 0;
rep.sequenceNumber = client->sequence;
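Review bot: The screen bound left in place by this hunk is `stuff->screen > screenInfo.numScreens`, which lets `stuff->screen == screenInfo.numScreens` through to `DGAAvailable(stuff->screen)` and, in the later handlers, to `DGAClients[stuff->screen]`. The xorg-server copy of this file tests `>=`. Unless screen numbers are 1-based here, which nothing visible suggests, the test should read `if (stuff->screen >= screenInfo.numScreens)`. Every hunk in this file that shows the screen test has the same comparison, from ProcXDGACloseFramebuffer through ProcXDGACreateColormap.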
@@ -187,14 +188,14 @@ ProcXDGACloseFramebuffer(ClientPtr clien
{
REQUEST(xXDGACloseFramebufferReq);
+ REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq);
+
if (stuff->screen > screenInfo.numScreens)
return BadValue;
if (!DGAAvailable(stuff->screen))
return DGAErrorBase + XF86DGANoDirectVideoMode;
- REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq);
-
DGACloseFramebuffer(stuff->screen);
return (client->noClientException);
@@ -209,10 +210,11 @@ ProcXDGAQueryModes(ClientPtr client)
xXDGAModeInfo info;
XDGAModePtr mode;
+ REQUEST_SIZE_MATCH(xXDGAQueryModesReq);
+
if (stuff->screen > screenInfo.numScreens)
return BadValue;
- REQUEST_SIZE_MATCH(xXDGAQueryModesReq);
rep.type = X_Reply;
rep.length = 0;
rep.number = 0;
@@ -334,10 +336,11 @@ ProcXDGASetMode(ClientPtr client)
PixmapPtr pPix;
int size;
+ REQUEST_SIZE_MATCH(xXDGASetModeReq);
+
if (stuff->screen > screenInfo.numScreens)
return BadValue;
- REQUEST_SIZE_MATCH(xXDGASetModeReq);
rep.type = X_Reply;
rep.length = 0;
rep.offset = 0;
@@ -423,14 +426,14 @@ ProcXDGASetViewport(ClientPtr client)
{
REQUEST(xXDGASetViewportReq);
+ REQUEST_SIZE_MATCH(xXDGASetViewportReq);
+
if (stuff->screen > screenInfo.numScreens)
return BadValue;
if(DGAClients[stuff->screen] != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGASetViewportReq);
-
DGASetViewport(stuff->screen, stuff->x, stuff->y, stuff->flags);
return (client->noClientException);
@@ -442,13 +445,13 @@ ProcXDGAInstallColormap(ClientPtr client
ColormapPtr cmap;
REQUEST(xXDGAInstallColormapReq);
+ REQUEST_SIZE_MATCH(xXDGAInstallColormapReq);
+
if (stuff->screen > screenInfo.numScreens)
return BadValue;
if(DGAClients[stuff->screen] != client)
return DGAErrorBase + XF86DGADirectNotActivated;
-
- REQUEST_SIZE_MATCH(xXDGAInstallColormapReq);
cmap = (ColormapPtr)LookupIDByType(stuff->cmap, RT_COLORMAP);
if (cmap) {
@@ -466,13 +469,13 @@ ProcXDGASelectInput(ClientPtr client)
{
REQUEST(xXDGASelectInputReq);
+ REQUEST_SIZE_MATCH(xXDGASelectInputReq);
+
if (stuff->screen > screenInfo.numScreens)
return BadValue;
if(DGAClients[stuff->screen] != client)
return DGAErrorBase + XF86DGADirectNotActivated;
-
- REQUEST_SIZE_MATCH(xXDGASelectInputReq);
if(DGAClients[stuff->screen] == client)
DGASelectInput(stuff->screen, client, stuff->mask);
@@ -486,13 +489,13 @@ ProcXDGAFillRectangle(ClientPtr client)
{
REQUEST(xXDGAFillRectangleReq);
+ REQUEST_SIZE_MATCH(xXDGAFillRectangleReq);
+
if (stuff->screen > screenInfo.numScreens)
return BadValue;
if(DGAClients[stuff->screen] != client)
return DGAErrorBase + XF86DGADirectNotActivated;
-
- REQUEST_SIZE_MATCH(xXDGAFillRectangleReq);
if(Success != DGAFillRect(stuff->screen, stuff->x, stuff->y,
stuff->width, stuff->height, stuff->color))
@@ -506,13 +509,13 @@ ProcXDGACopyArea(ClientPtr client)
{
REQUEST(xXDGACopyAreaReq);
+ REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
+
if (stuff->screen > screenInfo.numScreens)
return BadValue;
if(DGAClients[stuff->screen] != client)
return DGAErrorBase + XF86DGADirectNotActivated;
-
- REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
if(Success != DGABlitRect(stuff->screen, stuff->srcx, stuff->srcy,
stuff->width, stuff->height, stuff->dstx, stuff->dsty))
@@ -527,13 +530,13 @@ ProcXDGACopyTransparentArea(ClientPtr cl
{
REQUEST(xXDGACopyTransparentAreaReq);
+ REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
+
if (stuff->screen > screenInfo.numScreens)
return BadValue;
if(DGAClients[stuff->screen] != client)
return DGAErrorBase + XF86DGADirectNotActivated;
-
- REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
if(Success != DGABlitTransRect(stuff->screen, stuff->srcx, stuff->srcy,
stuff->width, stuff->height, stuff->dstx, stuff->dsty, stuff->key))
@@ -572,13 +575,14 @@ ProcXDGASync(ClientPtr client)
REQUEST(xXDGASyncReq);
xXDGASyncReply rep;
+ REQUEST_SIZE_MATCH(xXDGASyncReq);
+
if (stuff->screen > screenInfo.numScreens)
return BadValue;
if(DGAClients[stuff->screen] != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGASyncReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -617,13 +621,14 @@ ProcXDGAChangePixmapMode(ClientPtr clien
xXDGAChangePixmapModeReply rep;
int x, y;
+ REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
+
if (stuff->screen > screenInfo.numScreens)
return BadValue;
if(DGAClients[stuff->screen] != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
rep.type = X_Reply;
rep.length = 0;
rep.sequenceNumber = client->sequence;
@@ -648,14 +653,14 @@ ProcXDGACreateColormap(ClientPtr client)
REQUEST(xXDGACreateColormapReq);
int result;
+ REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
+
if (stuff->screen > screenInfo.numScreens)
return BadValue;
if(DGAClients[stuff->screen] != client)
return DGAErrorBase + XF86DGADirectNotActivated;
- REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
-
if(!stuff->mode)
return BadValue;
Index: xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c
diff -u xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c:1.1.1.5.36.1 xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c:1.1.1.5.36.1.4.1
--- xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c:1.1.1.5.36.1 Thu Dec 11 13:33:15 2014
+++ xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c Sun Nov 5 21:03:26 2017
@@ -1943,12 +1943,14 @@ XineramaXvShmPutImage(ClientPtr client)
{
REQUEST(xvShmPutImageReq);
PanoramiXRes *draw, *gc, *port;
- Bool send_event = stuff->send_event;
+ Bool send_event;
Bool isRoot;
int result = Success, i, x, y;
REQUEST_SIZE_MATCH(xvShmPutImageReq);
+ send_event = stuff->send_event;
+
if(!(draw = (PanoramiXRes *)SecurityLookupIDByClass(
client, stuff->drawable, XRC_DRAWABLE, SecurityWriteAccess)))
return BadDrawable;
Index: xsrc/xfree/xc/programs/Xserver/dbe/dbe.c
diff -u xsrc/xfree/xc/programs/Xserver/dbe/dbe.c:1.2.18.1 xsrc/xfree/xc/programs/Xserver/dbe/dbe.c:1.2.18.1.4.1
--- xsrc/xfree/xc/programs/Xserver/dbe/dbe.c:1.2.18.1 Thu Dec 11 13:33:15 2014
+++ xsrc/xfree/xc/programs/Xserver/dbe/dbe.c Sun Nov 5 21:03:26 2017
@@ -899,6 +899,9 @@ ProcDbeGetVisualInfo(client)
REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
+ if (stuff->n > UINT32_MAX / sizeof(CARD32))
+ return BadLength;
+ REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32));
if (stuff->n > (CARD32)(-1L) / sizeof(DrawablePtr))
return BadAlloc;
@@ -1293,7 +1296,7 @@ SProcDbeSwapBuffers(client)
swapl(&stuff->n, n);
if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
- return BadAlloc;
+ return BadLength;
REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
if (stuff->n != 0)
Index: xsrc/xfree/xc/programs/Xserver/dix/dispatch.c
diff -u xsrc/xfree/xc/programs/Xserver/dix/dispatch.c:1.1.1.7.24.1 xsrc/xfree/xc/programs/Xserver/dix/dispatch.c:1.1.1.7.24.1.4.1
--- xsrc/xfree/xc/programs/Xserver/dix/dispatch.c:1.1.1.7.24.1 Thu Dec 11 13:33:15 2014
+++ xsrc/xfree/xc/programs/Xserver/dix/dispatch.c Sun Nov 5 21:03:26 2017
@@ -4000,7 +4000,11 @@ ProcEstablishConnection(client)
prefix = (xConnClientPrefix *)((char *)stuff + sz_xReq);
auth_proto = (char *)prefix + sz_xConnClientPrefix;
auth_string = auth_proto + ((prefix->nbytesAuthProto + 3) & ~3);
- if ((prefix->majorVersion != X_PROTOCOL) ||
+ if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
+ pad_to_int32(prefix->nbytesAuthProto) +
+ pad_to_int32(prefix->nbytesAuthString))
+ reason = "Bad length";
+ else if ((prefix->majorVersion != X_PROTOCOL) ||
(prefix->minorVersion != X_PROTOCOL_REVISION))
reason = "Protocol version mismatch";
else
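Review bot: The added condition calls `pad_to_int32(...)`, while the context line just above it pads with `((prefix->nbytesAuthProto + 3) & ~3)`, as does the xfree copy of render.c. If this older tree does not define `pad_to_int32`, the file will not build; if it does, the two spellings side by side are still inconsistent. Writing the new terms in the local form, `((prefix->nbytesAuthProto + 3) & ~3) + ((prefix->nbytesAuthString + 3) & ~3)`, would match the surrounding code. ProcEstablishConnection starts and ends outside the hunk.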
Index: xsrc/xfree/xc/programs/Xserver/hw/dmx/dmxpict.c
diff -u xsrc/xfree/xc/programs/Xserver/hw/dmx/dmxpict.c:1.1.1.1 xsrc/xfree/xc/programs/Xserver/hw/dmx/dmxpict.c:1.1.1.1.30.1
--- xsrc/xfree/xc/programs/Xserver/hw/dmx/dmxpict.c:1.1.1.1 Fri Mar 18 13:10:56 2005
+++ xsrc/xfree/xc/programs/Xserver/hw/dmx/dmxpict.c Sun Nov 5 21:03:26 2017
@@ -672,6 +672,8 @@ static int dmxProcRenderSetPictureFilter
filter = (char *)(stuff + 1);
params = (XFixed *)(filter + ((stuff->nbytes + 3) & ~3));
nparams = ((XFixed *)stuff + client->req_len) - params;
+ if (nparams < 0)
+ return BadLength;
XRenderSetPictureFilter(dmxScreen->beDisplay,
pPictPriv->pict,
Index: xsrc/xfree/xc/programs/Xserver/render/render.c
diff -u xsrc/xfree/xc/programs/Xserver/render/render.c:1.3.18.1 xsrc/xfree/xc/programs/Xserver/render/render.c:1.3.18.1.4.1
--- xsrc/xfree/xc/programs/Xserver/render/render.c:1.3.18.1 Thu Dec 11 13:33:15 2014
+++ xsrc/xfree/xc/programs/Xserver/render/render.c Sun Nov 5 21:03:26 2017
@@ -1766,6 +1766,9 @@ ProcRenderSetPictureFilter (ClientPtr cl
name = (char *) (stuff + 1);
params = (xFixed *) (name + ((stuff->nbytes + 3) & ~3));
nparams = ((xFixed *) stuff + client->req_len) - params;
+ if (nparams < 0)
+ return BadLength;
+
result = SetPictureFilter (pPicture, name, stuff->nbytes, params, nparams);
return result;
}