Module Name:    xsrc
Committed By:   snj
Date:           Mon Nov  6 09:43:03 UTC 2017

Modified Files:
        xsrc/external/mit/xorg-server.old/dist/Xext [netbsd-8]: panoramiX.c
            saver.c xvdisp.c
        xsrc/external/mit/xorg-server.old/dist/Xi [netbsd-8]:
            xichangehierarchy.c
        xsrc/external/mit/xorg-server.old/dist/dbe [netbsd-8]: dbe.c
        xsrc/external/mit/xorg-server.old/dist/dix [netbsd-8]: dispatch.c
        xsrc/external/mit/xorg-server.old/dist/hw/dmx [netbsd-8]: dmxpict.c
        xsrc/external/mit/xorg-server.old/dist/hw/xfree86/dixmods/extmod 
[netbsd-8]:
            xf86dga2.c
        xsrc/external/mit/xorg-server.old/dist/hw/xfree86/dri [netbsd-8]:
            xf86dri.c
        xsrc/external/mit/xorg-server.old/dist/render [netbsd-8]: render.c
        xsrc/external/mit/xorg-server.old/dist/xfixes [netbsd-8]: cursor.c
            region.c saveset.c xfixes.c
        xsrc/external/mit/xorg-server/dist/Xext [netbsd-8]: panoramiX.c saver.c
            vidmode.c xres.c xvdisp.c
        xsrc/external/mit/xorg-server/dist/Xi [netbsd-8]: xibarriers.c
            xichangehierarchy.c
        xsrc/external/mit/xorg-server/dist/dbe [netbsd-8]: dbe.c
        xsrc/external/mit/xorg-server/dist/dix [netbsd-8]: dispatch.c
        xsrc/external/mit/xorg-server/dist/hw/dmx [netbsd-8]: dmxpict.c
        xsrc/external/mit/xorg-server/dist/hw/xfree86/common [netbsd-8]:
            xf86DGA.c
        xsrc/external/mit/xorg-server/dist/hw/xfree86/dri [netbsd-8]: xf86dri.c
        xsrc/external/mit/xorg-server/dist/pseudoramiX [netbsd-8]:
            pseudoramiX.c
        xsrc/external/mit/xorg-server/dist/render [netbsd-8]: render.c
        xsrc/external/mit/xorg-server/dist/xfixes [netbsd-8]: cursor.c region.c
            saveset.c xfixes.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #346):
        external/mit/xorg-server.old/dist/Xext/panoramiX.c: 1.2
        external/mit/xorg-server.old/dist/Xext/saver.c: 1.2
        external/mit/xorg-server.old/dist/Xext/xvdisp.c: 1.2
        external/mit/xorg-server.old/dist/Xi/xichangehierarchy.c: 1.2
        external/mit/xorg-server.old/dist/dbe/dbe.c: 1.2
        external/mit/xorg-server.old/dist/dix/dispatch.c: 1.2
        external/mit/xorg-server.old/dist/hw/dmx/dmxpict.c: 1.2
        external/mit/xorg-server.old/dist/hw/xfree86/dixmods/extmod/xf86dga2.c: 
1.2
        external/mit/xorg-server.old/dist/hw/xfree86/dri/xf86dri.c: 1.2
        external/mit/xorg-server.old/dist/render/render.c: 1.2
        external/mit/xorg-server.old/dist/xfixes/cursor.c: 1.2
        external/mit/xorg-server.old/dist/xfixes/region.c: 1.2
        external/mit/xorg-server.old/dist/xfixes/saveset.c: 1.2
        external/mit/xorg-server.old/dist/xfixes/xfixes.c: 1.2
        external/mit/xorg-server/dist/Xext/panoramiX.c: 1.2
        external/mit/xorg-server/dist/Xext/saver.c: 1.2
        external/mit/xorg-server/dist/Xext/vidmode.c: 1.2
        external/mit/xorg-server/dist/Xext/xres.c: 1.2
        external/mit/xorg-server/dist/Xext/xvdisp.c: 1.7
        external/mit/xorg-server/dist/Xi/xibarriers.c: 1.2
        external/mit/xorg-server/dist/Xi/xichangehierarchy.c: 1.4
        external/mit/xorg-server/dist/dbe/dbe.c: 1.4
        external/mit/xorg-server/dist/dix/dispatch.c: 1.4
        external/mit/xorg-server/dist/hw/dmx/dmxpict.c: 1.2
        external/mit/xorg-server/dist/hw/xfree86/common/xf86DGA.c: 1.2
        external/mit/xorg-server/dist/hw/xfree86/dri/xf86dri.c: 1.2
        external/mit/xorg-server/dist/pseudoramiX/pseudoramiX.c: 1.2
        external/mit/xorg-server/dist/render/render.c: 1.4
        external/mit/xorg-server/dist/xfixes/cursor.c: 1.2
        external/mit/xorg-server/dist/xfixes/region.c: 1.2
        external/mit/xorg-server/dist/xfixes/saveset.c: 1.2
        external/mit/xorg-server/dist/xfixes/xfixes.c: 1.2
apply fixes for CVEs 2017-12176 to 2017-12187.
--
>From 1b1d4c04695dced2463404174b50b3581dbd857b Mon Sep 17 00:00:00 2001
From: Nathan Kidd <nkidd%opentext.com@localhost>
Date: Sun, 21 Dec 2014 01:10:03 -0500
Subject: hw/xfree86: unvalidated lengths
This addresses:
CVE-2017-12180 in XFree86-VidModeExtension
CVE-2017-12181 in XFree86-DGA
CVE-2017-12182 in XFree86-DRI
--
>From 211e05ac85a294ef361b9f80d689047fa52b9076 Mon Sep 17 00:00:00 2001
From: Michal Srb <msrb%suse.com@localhost>
Date: Fri, 7 Jul 2017 17:21:46 +0200
Subject: Xi: Test exact size of XIBarrierReleasePointer
Otherwise a client can send any value of num_barriers and cause reading or 
swapping of values on heap behind the receive buffer.
--
>From 4ca68b878e851e2136c234f40a25008297d8d831 Mon Sep 17 00:00:00 2001
From: Nathan Kidd <nkidd%opentext.com@localhost>
Date: Fri, 9 Jan 2015 10:09:14 -0500
Subject: dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo
 (CVE-2017-12177)
v2: Protect against integer overflow (Alan Coopersmith)
--
>From 55caa8b08c84af2b50fbc936cf334a5a93dd7db5 Mon Sep 17 00:00:00 2001
From: Nathan Kidd <nkidd%opentext.com@localhost>
Date: Fri, 9 Jan 2015 11:43:05 -0500
Subject: xfixes: unvalidated lengths (CVE-2017-12183)
v2: Use before swap (Jeremy Huddleston Sequoia)
v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)
--
>From 859b08d523307eebde7724fd1a0789c44813e821 Mon Sep 17 00:00:00 2001
From: Nathan Kidd <nkidd%opentext.com@localhost>
Date: Wed, 24 Dec 2014 16:22:18 -0500
Subject: Xi: fix wrong extra length check in ProcXIChangeHierarchy
 (CVE-2017-12178)
--
>From 9c23685009aa96f4b861dcc5d2e01dbee00c4dd9 Mon Sep 17 00:00:00 2001
From: Michal Srb <msrb%suse.com@localhost>
Date: Fri, 7 Jul 2017 17:04:03 +0200
Subject: os: Make sure big requests have sufficient length.
A client can send a big request where the 32-bit "length" field has value
0. When the big request header is removed and the length corrected,
the value will underflow to 0xFFFFFFFF.  Functions processing the
request later will think that the client sent much more data and may
touch memory beyond the receive buffer.
--
>From b747da5e25be944337a9cd1415506fc06b70aa81 Mon Sep 17 00:00:00 2001
From: Nathan Kidd <nkidd%opentext.com@localhost>
Date: Fri, 9 Jan 2015 10:15:46 -0500
Subject: Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.2.1 \
    xsrc/external/mit/xorg-server.old/dist/Xext/panoramiX.c \
    xsrc/external/mit/xorg-server.old/dist/Xext/saver.c \
    xsrc/external/mit/xorg-server.old/dist/Xext/xvdisp.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.2.1 \
    xsrc/external/mit/xorg-server.old/dist/Xi/xichangehierarchy.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.2.1 \
    xsrc/external/mit/xorg-server.old/dist/dbe/dbe.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.2.1 \
    xsrc/external/mit/xorg-server.old/dist/dix/dispatch.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.2.1 \
    xsrc/external/mit/xorg-server.old/dist/hw/dmx/dmxpict.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.2.1 \
    xsrc/external/mit/xorg-server.old/dist/hw/xfree86/dixmods/extmod/xf86dga2.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.2.1 \
    xsrc/external/mit/xorg-server.old/dist/hw/xfree86/dri/xf86dri.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.2.1 \
    xsrc/external/mit/xorg-server.old/dist/render/render.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.2.1 \
    xsrc/external/mit/xorg-server.old/dist/xfixes/cursor.c \
    xsrc/external/mit/xorg-server.old/dist/xfixes/region.c \
    xsrc/external/mit/xorg-server.old/dist/xfixes/saveset.c \
    xsrc/external/mit/xorg-server.old/dist/xfixes/xfixes.c
cvs rdiff -u -r1.1.1.6 -r1.1.1.6.2.1 \
    xsrc/external/mit/xorg-server/dist/Xext/panoramiX.c
cvs rdiff -u -r1.1.1.7 -r1.1.1.7.2.1 \
    xsrc/external/mit/xorg-server/dist/Xext/saver.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.2.1 \
    xsrc/external/mit/xorg-server/dist/Xext/vidmode.c
cvs rdiff -u -r1.1.1.4 -r1.1.1.4.2.1 \
    xsrc/external/mit/xorg-server/dist/Xext/xres.c
cvs rdiff -u -r1.6 -r1.6.2.1 xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.2.1 \
    xsrc/external/mit/xorg-server/dist/Xi/xibarriers.c
cvs rdiff -u -r1.3 -r1.3.2.1 \
    xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c
cvs rdiff -u -r1.3 -r1.3.2.1 xsrc/external/mit/xorg-server/dist/dbe/dbe.c
cvs rdiff -u -r1.3 -r1.3.2.1 \
    xsrc/external/mit/xorg-server/dist/dix/dispatch.c
cvs rdiff -u -r1.1.1.5 -r1.1.1.5.2.1 \
    xsrc/external/mit/xorg-server/dist/hw/dmx/dmxpict.c
cvs rdiff -u -r1.1.1.7 -r1.1.1.7.2.1 \
    xsrc/external/mit/xorg-server/dist/hw/xfree86/common/xf86DGA.c
cvs rdiff -u -r1.1.1.5 -r1.1.1.5.2.1 \
    xsrc/external/mit/xorg-server/dist/hw/xfree86/dri/xf86dri.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.2.1 \
    xsrc/external/mit/xorg-server/dist/pseudoramiX/pseudoramiX.c
cvs rdiff -u -r1.3 -r1.3.2.1 \
    xsrc/external/mit/xorg-server/dist/render/render.c
cvs rdiff -u -r1.1.1.7 -r1.1.1.7.2.1 \
    xsrc/external/mit/xorg-server/dist/xfixes/cursor.c
cvs rdiff -u -r1.1.1.6 -r1.1.1.6.2.1 \
    xsrc/external/mit/xorg-server/dist/xfixes/region.c
cvs rdiff -u -r1.1.1.4 -r1.1.1.4.2.1 \
    xsrc/external/mit/xorg-server/dist/xfixes/saveset.c
cvs rdiff -u -r1.1.1.5 -r1.1.1.5.2.1 \
    xsrc/external/mit/xorg-server/dist/xfixes/xfixes.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/xorg-server.old/dist/Xext/panoramiX.c
diff -u xsrc/external/mit/xorg-server.old/dist/Xext/panoramiX.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/Xext/panoramiX.c:1.1.1.1.2.1
--- xsrc/external/mit/xorg-server.old/dist/Xext/panoramiX.c:1.1.1.1	Thu Jun  9 09:07:56 2016
+++ xsrc/external/mit/xorg-server.old/dist/Xext/panoramiX.c	Mon Nov  6 09:43:02 2017
@@ -990,10 +990,11 @@ ProcPanoramiXGetScreenSize(ClientPtr cli
 	xPanoramiXGetScreenSizeReply	rep;
 	int			n, rc;
 	
+	REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+
 	if (stuff->screen >= PanoramiXNumScreens)
 	    return BadMatch;
 
-	REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
 	rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
 	if (rc != Success)
 	    return rc;
Index: xsrc/external/mit/xorg-server.old/dist/Xext/saver.c
diff -u xsrc/external/mit/xorg-server.old/dist/Xext/saver.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/Xext/saver.c:1.1.1.1.2.1
--- xsrc/external/mit/xorg-server.old/dist/Xext/saver.c:1.1.1.1	Thu Jun  9 09:07:56 2016
+++ xsrc/external/mit/xorg-server.old/dist/Xext/saver.c	Mon Nov  6 09:43:02 2017
@@ -1282,6 +1282,8 @@ ProcScreenSaverUnsetAttributes (ClientPt
        PanoramiXRes *draw;
        int rc, i;
 
+       REQUEST_SIZE_MATCH(xScreenSaverUnsetAttributesReq);
+
        rc = dixLookupResourceByClass((pointer *)&draw, stuff->drawable,
 				     XRC_DRAWABLE, client, DixWriteAccess);
        if (rc != Success)
Index: xsrc/external/mit/xorg-server.old/dist/Xext/xvdisp.c
diff -u xsrc/external/mit/xorg-server.old/dist/Xext/xvdisp.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/Xext/xvdisp.c:1.1.1.1.2.1
--- xsrc/external/mit/xorg-server.old/dist/Xext/xvdisp.c:1.1.1.1	Thu Jun  9 09:07:56 2016
+++ xsrc/external/mit/xorg-server.old/dist/Xext/xvdisp.c	Mon Nov  6 09:43:03 2017
@@ -1676,12 +1676,14 @@ XineramaXvShmPutImage(ClientPtr client)
 {
     REQUEST(xvShmPutImageReq);
     PanoramiXRes *draw, *gc, *port;
-    Bool send_event = stuff->send_event;
+    Bool send_event;
     Bool isRoot;
     int result, i, x, y;
 
     REQUEST_SIZE_MATCH(xvShmPutImageReq);
 
+    send_event = stuff->send_event;
+
     result = dixLookupResourceByClass((pointer *)&draw, stuff->drawable,
 				      XRC_DRAWABLE, client, DixWriteAccess);
     if (result != Success)

Index: xsrc/external/mit/xorg-server.old/dist/Xi/xichangehierarchy.c
diff -u xsrc/external/mit/xorg-server.old/dist/Xi/xichangehierarchy.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/Xi/xichangehierarchy.c:1.1.1.1.2.1
--- xsrc/external/mit/xorg-server.old/dist/Xi/xichangehierarchy.c:1.1.1.1	Thu Jun  9 09:07:56 2016
+++ xsrc/external/mit/xorg-server.old/dist/Xi/xichangehierarchy.c	Mon Nov  6 09:43:03 2017
@@ -449,7 +449,7 @@ ProcXIChangeHierarchy(ClientPtr client)
 
     if (stuff->length > (INT_MAX >> 2))
         return BadAlloc;
-    len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
+    len = (stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
 
     any = (xXIAnyHierarchyChangeInfo*)&stuff[1];
     while(stuff->num_changes--)
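Review bot: The corrected line `len = (stuff->length << 2) - sizeof(xXIChangeHierarchyReq);` has no comment tying it to `any = (xXIAnyHierarchyChangeInfo*)&stuff[1]` two lines below, and a mismatch between the subtracted struct and the payload start is exactly what the old line got wrong. I would add `/* bytes of change records after the fixed request header; payload starts at &stuff[1] */` above it. The subtraction also assumes the request is at least sizeof(xXIChangeHierarchyReq) long; presumably a REQUEST_AT_LEAST_SIZE earlier in ProcXIChangeHierarchy guarantees that, but it is outside this hunk and worth confirming. The loop body that consumes `len` is also outside the hunk.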

Index: xsrc/external/mit/xorg-server.old/dist/dbe/dbe.c
diff -u xsrc/external/mit/xorg-server.old/dist/dbe/dbe.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/dbe/dbe.c:1.1.1.1.2.1
--- xsrc/external/mit/xorg-server.old/dist/dbe/dbe.c:1.1.1.1	Thu Jun  9 09:07:56 2016
+++ xsrc/external/mit/xorg-server.old/dist/dbe/dbe.c	Mon Nov  6 09:43:03 2017
@@ -666,6 +666,9 @@ ProcDbeGetVisualInfo(ClientPtr client)
 
 
     REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
+    if (stuff->n > UINT32_MAX / sizeof(CARD32))
+        return BadLength;
+    REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32));
 
     if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
 	    return BadAlloc;
@@ -1046,7 +1049,7 @@ SProcDbeSwapBuffers(ClientPtr client)
 
     swapl(&stuff->n, n);
     if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
-        return BadAlloc;
+        return BadLength;
     REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
 
     if (stuff->n != 0)
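Review bot: The overflow guard divides by `sizeof(DbeSwapInfoRec)` while the length handed to REQUEST_FIXED_SIZE on the next line multiplies by `sizeof(xDbeSwapInfo)`, so the guard only covers the multiplication if the server-side record is at least as large as the wire struct. Neither definition is visible here; if that holds, the check is merely stricter than needed, but the dependency is implicit. Either guard with the same type, `if (stuff->n > UINT32_MAX / sizeof(xDbeSwapInfo))`, or add a comment saying the larger size is used on purpose. The ProcDbeGetVisualInfo hunk above pairs `sizeof(CARD32)` with `sizeof(CARD32)` and does not have this mismatch.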

Index: xsrc/external/mit/xorg-server.old/dist/dix/dispatch.c
diff -u xsrc/external/mit/xorg-server.old/dist/dix/dispatch.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/dix/dispatch.c:1.1.1.1.2.1
--- xsrc/external/mit/xorg-server.old/dist/dix/dispatch.c:1.1.1.1	Thu Jun  9 09:07:56 2016
+++ xsrc/external/mit/xorg-server.old/dist/dix/dispatch.c	Mon Nov  6 09:43:03 2017
@@ -3683,7 +3683,12 @@ ProcEstablishConnection(ClientPtr client
     prefix = (xConnClientPrefix *)((char *)stuff + sz_xReq);
     auth_proto = (char *)prefix + sz_xConnClientPrefix;
     auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
-    if ((prefix->majorVersion != X_PROTOCOL) ||
+
+    if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
+       pad_to_int32(prefix->nbytesAuthProto) +
+       pad_to_int32(prefix->nbytesAuthString))
+        reason = "Bad length";
+    else if ((prefix->majorVersion != X_PROTOCOL) ||
 	(prefix->minorVersion != X_PROTOCOL_REVISION))
 	reason = "Protocol version mismatch";
     else
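Review bot: `auth_proto` and `auth_string` are still derived from the client-supplied `prefix->nbytesAuthProto` before the new length test runs, so on the "Bad length" path they may point outside the request. That is harmless only while nothing dereferences them once `reason` is set; the final `else` branch and the code after the chain are outside this hunk, so that should be confirmed. A comment above the new test, such as `/* auth_proto/auth_string are not valid until this exact-length check passes */`, would keep a later edit from using them early.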

Index: xsrc/external/mit/xorg-server.old/dist/hw/dmx/dmxpict.c
diff -u xsrc/external/mit/xorg-server.old/dist/hw/dmx/dmxpict.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/hw/dmx/dmxpict.c:1.1.1.1.2.1
--- xsrc/external/mit/xorg-server.old/dist/hw/dmx/dmxpict.c:1.1.1.1	Thu Jun  9 09:07:57 2016
+++ xsrc/external/mit/xorg-server.old/dist/hw/dmx/dmxpict.c	Mon Nov  6 09:43:03 2017
@@ -686,6 +686,8 @@ static int dmxProcRenderSetPictureFilter
 	filter  = (char *)(stuff + 1);
 	params  = (XFixed *)(filter + ((stuff->nbytes + 3) & ~3));
 	nparams = ((XFixed *)stuff + client->req_len) - params;
+        if (nparams < 0)
+            return BadLength;
 
 	XRenderSetPictureFilter(dmxScreen->beDisplay,
 				pPictPriv->pict,
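Review bot: The new `if (nparams < 0)` test has no comment explaining how a count can go negative, which is the point of the fix. `stuff->nbytes` is client-controlled, so a padded name longer than the request puts `params` past the end of the request and makes the pointer difference negative. I would add `/* nbytes longer than the request puts params past its end */` above the check. The same uncommented check is added to ProcRenderSetPictureFilter in render/render.c. The two added lines here are also indented with spaces where the surrounding lines use tabs, and the function starts and continues outside the hunk.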

Index: xsrc/external/mit/xorg-server.old/dist/hw/xfree86/dixmods/extmod/xf86dga2.c
diff -u xsrc/external/mit/xorg-server.old/dist/hw/xfree86/dixmods/extmod/xf86dga2.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/hw/xfree86/dixmods/extmod/xf86dga2.c:1.1.1.1.2.1
--- xsrc/external/mit/xorg-server.old/dist/hw/xfree86/dixmods/extmod/xf86dga2.c:1.1.1.1	Thu Jun  9 09:07:58 2016
+++ xsrc/external/mit/xorg-server.old/dist/hw/xfree86/dixmods/extmod/xf86dga2.c	Mon Nov  6 09:43:03 2017
@@ -95,6 +95,9 @@ static int
 ProcXDGAOpenFramebuffer(ClientPtr client)
 {
     REQUEST(xXDGAOpenFramebufferReq);
+
+    REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq);
+
     xXDGAOpenFramebufferReply rep;
     char *deviceName;
     int nameSize;
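Review bot: REQUEST_SIZE_MATCH is inserted between `REQUEST(xXDGAOpenFramebufferReq);` and the `rep`, `deviceName` and `nameSize` declarations, so a statement now precedes declarations in the block (assuming the macro expands to a statement, as its use elsewhere in this diff suggests). That compiles as C99 but trips `-Wdeclaration-after-statement`, and it differs from handlers such as ProcXDGAQueryModes, where the check follows the declarations. Moving the check below the last declaration still keeps it ahead of the first `stuff->screen` read. The same ordering appears in the ProcXDGAGetViewportStatus, ProcXDGASync and ProcXF86DGAQueryDirectVideo hunks; the function body continues outside this hunk.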
@@ -105,7 +108,6 @@ ProcXDGAOpenFramebuffer(ClientPtr client
     if (!DGAAvailable(stuff->screen))
         return DGAErrorBase + XF86DGANoDirectVideoMode;
 
-    REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -133,14 +135,14 @@ ProcXDGACloseFramebuffer(ClientPtr clien
 {
     REQUEST(xXDGACloseFramebufferReq);
 
+    REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (!DGAAvailable(stuff->screen))
         return DGAErrorBase + XF86DGANoDirectVideoMode;
 
-    REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq);
-
     DGACloseFramebuffer(stuff->screen);
 
     return Success;
@@ -155,10 +157,11 @@ ProcXDGAQueryModes(ClientPtr client)
     xXDGAModeInfo info;
     XDGAModePtr mode;
 
+    REQUEST_SIZE_MATCH(xXDGAQueryModesReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
-    REQUEST_SIZE_MATCH(xXDGAQueryModesReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.number = 0;
@@ -274,11 +277,12 @@ ProcXDGASetMode(ClientPtr client)
     ClientPtr owner;
     int size;
 
+    REQUEST_SIZE_MATCH(xXDGASetModeReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
     owner = DGA_GETCLIENT(stuff->screen);
 
-    REQUEST_SIZE_MATCH(xXDGASetModeReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.offset = 0;
@@ -363,14 +367,14 @@ ProcXDGASetViewport(ClientPtr client)
 {
     REQUEST(xXDGASetViewportReq);
 
+    REQUEST_SIZE_MATCH(xXDGASetViewportReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if(DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGASetViewportReq);
-
     DGASetViewport(stuff->screen, stuff->x, stuff->y, stuff->flags);
 
     return Success;
@@ -383,14 +387,14 @@ ProcXDGAInstallColormap(ClientPtr client
     int rc;
     REQUEST(xXDGAInstallColormapReq);
 
+    REQUEST_SIZE_MATCH(xXDGAInstallColormapReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if(DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGAInstallColormapReq);
-
     rc = dixLookupResourceByType((pointer *)&cmap, stuff->cmap, RT_COLORMAP,
 				 client, DixInstallAccess);
     if (rc != Success)
@@ -405,14 +409,14 @@ ProcXDGASelectInput(ClientPtr client)
 {
     REQUEST(xXDGASelectInputReq);
 
+    REQUEST_SIZE_MATCH(xXDGASelectInputReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if(DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGASelectInputReq);
-
     if(DGA_GETCLIENT(stuff->screen) == client)
 	DGASelectInput(stuff->screen, client, stuff->mask);
 
@@ -425,14 +429,14 @@ ProcXDGAFillRectangle(ClientPtr client)
 {
     REQUEST(xXDGAFillRectangleReq);
 
+    REQUEST_SIZE_MATCH(xXDGAFillRectangleReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if(DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGAFillRectangleReq);
-
     if(Success != DGAFillRect(stuff->screen, stuff->x, stuff->y,
 			stuff->width, stuff->height, stuff->color))
 	return BadMatch;
@@ -445,14 +449,14 @@ ProcXDGACopyArea(ClientPtr client)
 {
     REQUEST(xXDGACopyAreaReq);
 
+    REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if(DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
-
     if(Success != DGABlitRect(stuff->screen, stuff->srcx, stuff->srcy,
 		stuff->width, stuff->height, stuff->dstx, stuff->dsty))
 	return BadMatch;
@@ -466,14 +470,14 @@ ProcXDGACopyTransparentArea(ClientPtr cl
 {
     REQUEST(xXDGACopyTransparentAreaReq);
 
+    REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if(DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
-
     if(Success != DGABlitTransRect(stuff->screen, stuff->srcx, stuff->srcy,
 	stuff->width, stuff->height, stuff->dstx, stuff->dsty, stuff->key))
 	return BadMatch;
@@ -486,6 +490,9 @@ static int
 ProcXDGAGetViewportStatus(ClientPtr client)
 {
     REQUEST(xXDGAGetViewportStatusReq);
+
+    REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq);
+
     xXDGAGetViewportStatusReply rep;
 
     if (stuff->screen >= screenInfo.numScreens)
@@ -494,7 +501,6 @@ ProcXDGAGetViewportStatus(ClientPtr clie
     if(DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -509,6 +515,9 @@ static int
 ProcXDGASync(ClientPtr client)
 {
     REQUEST(xXDGASyncReq);
+
+    REQUEST_SIZE_MATCH(xXDGASyncReq);
+
     xXDGASyncReply rep;
 
     if (stuff->screen >= screenInfo.numScreens)
@@ -517,7 +526,6 @@ ProcXDGASync(ClientPtr client)
     if(DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGASyncReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -556,13 +564,14 @@ ProcXDGAChangePixmapMode(ClientPtr clien
     xXDGAChangePixmapModeReply rep;
     int x, y;
 
+    REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if(DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -587,14 +596,14 @@ ProcXDGACreateColormap(ClientPtr client)
     REQUEST(xXDGACreateColormapReq);
     int result;
 
+    REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if(DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
-
     if(!stuff->mode)
 	return BadValue;
 
@@ -625,10 +634,11 @@ ProcXF86DGAGetVideoLL(ClientPtr client)
     int num, offset, flags;
     char *name;
 
+    REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq);
+
     if (stuff->screen >= screenInfo.numScreens)
 	return BadValue;
 
-    REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -664,9 +674,10 @@ ProcXF86DGADirectVideo(ClientPtr client)
     ClientPtr owner;
     REQUEST(xXF86DGADirectVideoReq);
 
+    REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq);
+
     if (stuff->screen >= screenInfo.numScreens)
 	return BadValue;
-    REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq);
 
     if (!DGAAvailable(stuff->screen))
 	return DGAErrorBase + XF86DGANoDirectVideoMode;
@@ -715,13 +726,15 @@ ProcXF86DGAGetViewPortSize(ClientPtr cli
 {
     int num;
     XDGAModeRec mode;
-    REQUEST(xXF86DGAGetViewPortSizeReq);
     xXF86DGAGetViewPortSizeReply rep;
 
+    REQUEST(xXF86DGAGetViewPortSizeReq);
+
+    REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq);
+
     if (stuff->screen >= screenInfo.numScreens)
 	return BadValue;
 
-    REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -746,14 +759,14 @@ ProcXF86DGASetViewPort(ClientPtr client)
 {
     REQUEST(xXF86DGASetViewPortReq);
 
+    REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq);
+
     if (stuff->screen >= screenInfo.numScreens)
 	return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq);
-
     if (!DGAAvailable(stuff->screen))
 	return DGAErrorBase + XF86DGANoDirectVideoMode;
 
@@ -773,10 +786,11 @@ ProcXF86DGAGetVidPage(ClientPtr client)
     REQUEST(xXF86DGAGetVidPageReq);
     xXF86DGAGetVidPageReply rep;
 
+    REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq);
+
     if (stuff->screen >= screenInfo.numScreens)
 	return BadValue;
 
-    REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -792,11 +806,11 @@ ProcXF86DGASetVidPage(ClientPtr client)
 {
     REQUEST(xXF86DGASetVidPageReq);
 
+    REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq);
+
     if (stuff->screen >= screenInfo.numScreens)
 	return BadValue;
 
-    REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq);
-
     /* silently fail */
 
     return Success;
@@ -808,16 +822,17 @@ ProcXF86DGAInstallColormap(ClientPtr cli
 {
     ColormapPtr pcmp;
     int rc;
+
     REQUEST(xXF86DGAInstallColormapReq);
 
+    REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq);
+
     if (stuff->screen >= screenInfo.numScreens)
 	return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq);
-
     if (!DGAActive(stuff->screen))
 	return DGAErrorBase + XF86DGADirectNotActivated;
 
@@ -835,12 +850,14 @@ static int
 ProcXF86DGAQueryDirectVideo(ClientPtr client)
 {
     REQUEST(xXF86DGAQueryDirectVideoReq);
+
+    REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq);
+
     xXF86DGAQueryDirectVideoReply rep;
 
     if (stuff->screen >= screenInfo.numScreens)
 	return BadValue;
 
-    REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -859,14 +876,14 @@ ProcXF86DGAViewPortChanged(ClientPtr cli
     REQUEST(xXF86DGAViewPortChangedReq);
     xXF86DGAViewPortChangedReply rep;
 
+    REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq);
+
     if (stuff->screen >= screenInfo.numScreens)
 	return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq);
-
     if (!DGAActive(stuff->screen))
 	return DGAErrorBase + XF86DGADirectNotActivated;
 

Index: xsrc/external/mit/xorg-server.old/dist/hw/xfree86/dri/xf86dri.c
diff -u xsrc/external/mit/xorg-server.old/dist/hw/xfree86/dri/xf86dri.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/hw/xfree86/dri/xf86dri.c:1.1.1.1.2.1
--- xsrc/external/mit/xorg-server.old/dist/hw/xfree86/dri/xf86dri.c:1.1.1.1	Thu Jun  9 09:07:58 2016
+++ xsrc/external/mit/xorg-server.old/dist/hw/xfree86/dri/xf86dri.c	Mon Nov  6 09:43:03 2017
@@ -609,6 +609,7 @@ SProcXF86DRIQueryDirectRenderingCapable(
 {
     register int n;
     REQUEST(xXF86DRIQueryDirectRenderingCapableReq);
+    REQUEST_SIZE_MATCH(xXF86DRIQueryDirectRenderingCapableReq);
     swaps(&stuff->length, n);
     swapl(&stuff->screen, n);
     return ProcXF86DRIQueryDirectRenderingCapable(client);

Index: xsrc/external/mit/xorg-server.old/dist/render/render.c
diff -u xsrc/external/mit/xorg-server.old/dist/render/render.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/render/render.c:1.1.1.1.2.1
--- xsrc/external/mit/xorg-server.old/dist/render/render.c:1.1.1.1	Thu Jun  9 09:08:01 2016
+++ xsrc/external/mit/xorg-server.old/dist/render/render.c	Mon Nov  6 09:43:03 2017
@@ -1848,6 +1848,9 @@ ProcRenderSetPictureFilter (ClientPtr cl
     name = (char *) (stuff + 1);
     params = (xFixed *) (name + pad_to_int32(stuff->nbytes));
     nparams = ((xFixed *) stuff + client->req_len) - params;
+    if (nparams < 0)
+	return BadLength;
+
     result = SetPictureFilter (pPicture, name, stuff->nbytes, params, nparams);
     return result;
 }

Index: xsrc/external/mit/xorg-server.old/dist/xfixes/cursor.c
diff -u xsrc/external/mit/xorg-server.old/dist/xfixes/cursor.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/xfixes/cursor.c:1.1.1.1.2.1
--- xsrc/external/mit/xorg-server.old/dist/xfixes/cursor.c:1.1.1.1	Thu Jun  9 09:08:01 2016
+++ xsrc/external/mit/xorg-server.old/dist/xfixes/cursor.c	Mon Nov  6 09:43:03 2017
@@ -295,6 +295,7 @@ SProcXFixesSelectCursorInput (ClientPtr 
 {
     register int n;
     REQUEST(xXFixesSelectCursorInputReq);
+    REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq);
 
     swaps(&stuff->length, n);
     swapl(&stuff->window, n);
@@ -437,7 +438,7 @@ ProcXFixesSetCursorName (ClientPtr clien
     REQUEST(xXFixesSetCursorNameReq);
     Atom atom;
 
-    REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq);
+    REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes);
     VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess);
     tchar = (char *) &stuff[1];
     atom = MakeAtom (tchar, stuff->nbytes, TRUE);
Index: xsrc/external/mit/xorg-server.old/dist/xfixes/region.c
diff -u xsrc/external/mit/xorg-server.old/dist/xfixes/region.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/xfixes/region.c:1.1.1.1.2.1
--- xsrc/external/mit/xorg-server.old/dist/xfixes/region.c:1.1.1.1	Thu Jun  9 09:08:01 2016
+++ xsrc/external/mit/xorg-server.old/dist/xfixes/region.c	Mon Nov  6 09:43:03 2017
@@ -376,6 +376,7 @@ ProcXFixesCopyRegion (ClientPtr client)
 {
     RegionPtr	pSource, pDestination;
     REQUEST (xXFixesCopyRegionReq);
+    REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
     
     VERIFY_REGION(pSource, stuff->source, client, DixReadAccess);
     VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess);
@@ -393,7 +394,7 @@ SProcXFixesCopyRegion (ClientPtr client)
     REQUEST (xXFixesCopyRegionReq);
 
     swaps (&stuff->length, n);
-    REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq);
+    REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
     swapl (&stuff->source, n);
     swapl (&stuff->destination, n);
     return (*ProcXFixesVector[stuff->xfixesReqType]) (client);
Index: xsrc/external/mit/xorg-server.old/dist/xfixes/saveset.c
diff -u xsrc/external/mit/xorg-server.old/dist/xfixes/saveset.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/xfixes/saveset.c:1.1.1.1.2.1
--- xsrc/external/mit/xorg-server.old/dist/xfixes/saveset.c:1.1.1.1	Thu Jun  9 09:08:01 2016
+++ xsrc/external/mit/xorg-server.old/dist/xfixes/saveset.c	Mon Nov  6 09:43:03 2017
@@ -65,6 +65,7 @@ SProcXFixesChangeSaveSet(ClientPtr clien
 {
     register int n;
     REQUEST(xXFixesChangeSaveSetReq);
+    REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq);
 
     swaps(&stuff->length, n);
     swapl(&stuff->window, n);
Index: xsrc/external/mit/xorg-server.old/dist/xfixes/xfixes.c
diff -u xsrc/external/mit/xorg-server.old/dist/xfixes/xfixes.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/xfixes/xfixes.c:1.1.1.1.2.1
--- xsrc/external/mit/xorg-server.old/dist/xfixes/xfixes.c:1.1.1.1	Thu Jun  9 09:08:01 2016
+++ xsrc/external/mit/xorg-server.old/dist/xfixes/xfixes.c	Mon Nov  6 09:43:03 2017
@@ -162,6 +162,7 @@ SProcXFixesQueryVersion(ClientPtr client
 {
     register int n;
     REQUEST(xXFixesQueryVersionReq);
+    REQUEST_SIZE_MATCH(xXFixesQueryVersionReq);
 
     swaps(&stuff->length, n);
     swapl(&stuff->majorVersion, n);

Index: xsrc/external/mit/xorg-server/dist/Xext/panoramiX.c
diff -u xsrc/external/mit/xorg-server/dist/Xext/panoramiX.c:1.1.1.6 xsrc/external/mit/xorg-server/dist/Xext/panoramiX.c:1.1.1.6.2.1
--- xsrc/external/mit/xorg-server/dist/Xext/panoramiX.c:1.1.1.6	Wed Aug 10 07:44:31 2016
+++ xsrc/external/mit/xorg-server/dist/Xext/panoramiX.c	Mon Nov  6 09:43:02 2017
@@ -988,10 +988,11 @@ ProcPanoramiXGetScreenSize(ClientPtr cli
     xPanoramiXGetScreenSizeReply rep;
     int rc;
 
+    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+
     if (stuff->screen >= PanoramiXNumScreens)
         return BadMatch;
 
-    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
     rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
     if (rc != Success)
         return rc;

Index: xsrc/external/mit/xorg-server/dist/Xext/saver.c
diff -u xsrc/external/mit/xorg-server/dist/Xext/saver.c:1.1.1.7 xsrc/external/mit/xorg-server/dist/Xext/saver.c:1.1.1.7.2.1
--- xsrc/external/mit/xorg-server/dist/Xext/saver.c:1.1.1.7	Wed Aug 10 07:44:31 2016
+++ xsrc/external/mit/xorg-server/dist/Xext/saver.c	Mon Nov  6 09:43:02 2017
@@ -1185,6 +1185,8 @@ ProcScreenSaverUnsetAttributes(ClientPtr
         PanoramiXRes *draw;
         int rc, i;
 
+        REQUEST_SIZE_MATCH(xScreenSaverUnsetAttributesReq);
+
         rc = dixLookupResourceByClass((void **) &draw, stuff->drawable,
                                       XRC_DRAWABLE, client, DixWriteAccess);
         if (rc != Success)

Index: xsrc/external/mit/xorg-server/dist/Xext/vidmode.c
diff -u xsrc/external/mit/xorg-server/dist/Xext/vidmode.c:1.1.1.1 xsrc/external/mit/xorg-server/dist/Xext/vidmode.c:1.1.1.1.2.1
--- xsrc/external/mit/xorg-server/dist/Xext/vidmode.c:1.1.1.1	Wed Aug 10 07:44:31 2016
+++ xsrc/external/mit/xorg-server/dist/Xext/vidmode.c	Mon Nov  6 09:43:02 2017
@@ -454,6 +454,20 @@ ProcVidModeAddModeLine(ClientPtr client)
     DEBUG_P("XF86VidModeAddModeline");
 
     ver = ClientMajorVersion(client);
+
+    if (ver < 2) {
+        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq));
+    }
+    else {
+        REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq));
+    }
+
     if (ver < 2) {
         /* convert from old format */
         stuff = &newstuff;
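Review bot: Nothing in the moved block says why it has to sit ahead of the `/* convert from old format */` branch, and the function now tests `ver < 2` twice in a row. A one-line comment above the new block, such as `/* Check the request length before any old-format field is read below. */`, would keep a later cleanup from moving the check back under the conversion. The same applies to the matching hunks in ProcVidModeDeleteModeLine, ProcVidModeModModeLine, ProcVidModeValidateModeLine and ProcVidModeSwitchToMode. The body of ProcVidModeAddModeLine starts and ends outside this hunk, so what the conversion actually reads is inferred from its comment.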
@@ -501,18 +515,6 @@ ProcVidModeAddModeLine(ClientPtr client)
            stuff->after_vsyncend, stuff->after_vtotal,
            (unsigned long) stuff->after_flags);
 
-    if (ver < 2) {
-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq));
-    }
-    else {
-        REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq));
-    }
     if (len != stuff->privsize)
         return BadLength;
 
@@ -622,6 +624,20 @@ ProcVidModeDeleteModeLine(ClientPtr clie
     DEBUG_P("XF86VidModeDeleteModeline");
 
     ver = ClientMajorVersion(client);
+
+    if (ver < 2) {
+        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq));
+    }
+    else {
+        REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq));
+    }
+
     if (ver < 2) {
         /* convert from old format */
         stuff = &newstuff;
@@ -649,18 +665,6 @@ ProcVidModeDeleteModeLine(ClientPtr clie
            stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal,
            (unsigned long) stuff->flags);
 
-    if (ver < 2) {
-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq));
-    }
-    else {
-        REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq));
-    }
     if (len != stuff->privsize) {
         DebugF("req_len = %ld, sizeof(Req) = %d, privsize = %ld, "
                "len = %d, length = %d\n",
@@ -744,6 +748,20 @@ ProcVidModeModModeLine(ClientPtr client)
     DEBUG_P("XF86VidModeModModeline");
 
     ver = ClientMajorVersion(client);
+
+    if (ver < 2) {
+        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq));
+    }
+    else {
+        REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86VidModeModModeLineReq));
+    }
+
     if (ver < 2) {
         /* convert from old format */
         stuff = &newstuff;
@@ -768,18 +786,6 @@ ProcVidModeModModeLine(ClientPtr client)
            stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend,
            stuff->vtotal, (unsigned long) stuff->flags);
 
-    if (ver < 2) {
-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq));
-    }
-    else {
-        REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86VidModeModModeLineReq));
-    }
     if (len != stuff->privsize)
         return BadLength;
 
@@ -877,6 +883,19 @@ ProcVidModeValidateModeLine(ClientPtr cl
     DEBUG_P("XF86VidModeValidateModeline");
 
     ver = ClientMajorVersion(client);
+
+    if (ver < 2) {
+        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq);
+        len = client->req_len -
+            bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq));
+    }
+    else {
+        REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq));
+    }
+
     if (ver < 2) {
         /* convert from old format */
         stuff = &newstuff;
@@ -905,17 +924,6 @@ ProcVidModeValidateModeLine(ClientPtr cl
            stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal,
            (unsigned long) stuff->flags);
 
-    if (ver < 2) {
-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq);
-        len = client->req_len -
-            bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq));
-    }
-    else {
-        REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq));
-    }
     if (len != stuff->privsize)
         return BadLength;
 
@@ -1027,6 +1035,20 @@ ProcVidModeSwitchToMode(ClientPtr client
     DEBUG_P("XF86VidModeSwitchToMode");
 
     ver = ClientMajorVersion(client);
+
+    if (ver < 2) {
+        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq));
+    }
+    else {
+        REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq);
+        len =
+            client->req_len -
+            bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq));
+    }
+
     if (ver < 2) {
         /* convert from old format */
         stuff = &newstuff;
@@ -1055,18 +1077,6 @@ ProcVidModeSwitchToMode(ClientPtr client
            stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal,
            (unsigned long) stuff->flags);
 
-    if (ver < 2) {
-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq));
-    }
-    else {
-        REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq);
-        len =
-            client->req_len -
-            bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq));
-    }
     if (len != stuff->privsize)
         return BadLength;
 
@@ -1457,6 +1467,7 @@ ProcVidModeSetGammaRamp(ClientPtr client
     VidModePtr pVidMode;
 
     REQUEST(xXF86VidModeSetGammaRampReq);
+    REQUEST_AT_LEAST_SIZE(xXF86VidModeSetGammaRampReq);
 
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;

Index: xsrc/external/mit/xorg-server/dist/Xext/xres.c
diff -u xsrc/external/mit/xorg-server/dist/Xext/xres.c:1.1.1.4 xsrc/external/mit/xorg-server/dist/Xext/xres.c:1.1.1.4.2.1
--- xsrc/external/mit/xorg-server/dist/Xext/xres.c:1.1.1.4	Wed Aug 10 07:44:31 2016
+++ xsrc/external/mit/xorg-server/dist/Xext/xres.c	Mon Nov  6 09:43:02 2017
@@ -1039,6 +1039,8 @@ ProcXResQueryResourceBytes (ClientPtr cl
     ConstructResourceBytesCtx    ctx;
 
     REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
+    if (stuff->numSpecs > UINT32_MAX / sizeof(ctx.specs[0]))
+        return BadLength;
     REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
                        stuff->numSpecs * sizeof(ctx.specs[0]));
 
@@ -1144,8 +1146,8 @@ SProcXResQueryResourceBytes (ClientPtr c
     int c;
     xXResResourceIdSpec *specs = (void*) ((char*) stuff + sizeof(*stuff));
 
-    swapl(&stuff->numSpecs);
     REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
+    swapl(&stuff->numSpecs);
     REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
                        stuff->numSpecs * sizeof(specs[0]));
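Review bot: The byte-swapped handler multiplies `stuff->numSpecs * sizeof(specs[0])` without the overflow guard this commit adds to ProcXResQueryResourceBytes in the previous hunk. Where size_t is 32 bits the product can wrap before REQUEST_FIXED_SIZE sees it, and any loop over `specs` that follows (outside the hunk) would then run on a count that was never validated. Adding `if (stuff->numSpecs > UINT32_MAX / sizeof(specs[0])) return BadLength;` right after the `swapl` keeps the two handlers consistent.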
 

Index: xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c
diff -u xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c:1.6 xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c:1.6.2.1
--- xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c:1.6	Thu Aug 11 00:04:26 2016
+++ xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c	Mon Nov  6 09:43:02 2017
@@ -1496,12 +1496,14 @@ XineramaXvShmPutImage(ClientPtr client)
 {
     REQUEST(xvShmPutImageReq);
     PanoramiXRes *draw, *gc, *port;
-    Bool send_event = stuff->send_event;
+    Bool send_event;
     Bool isRoot;
     int result, i, x, y;
 
     REQUEST_SIZE_MATCH(xvShmPutImageReq);
 
+    send_event = stuff->send_event;
+
     result = dixLookupResourceByClass((void **) &draw, stuff->drawable,
                                       XRC_DRAWABLE, client, DixWriteAccess);
     if (result != Success)

Index: xsrc/external/mit/xorg-server/dist/Xi/xibarriers.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/xibarriers.c:1.1.1.1 xsrc/external/mit/xorg-server/dist/Xi/xibarriers.c:1.1.1.1.2.1
--- xsrc/external/mit/xorg-server/dist/Xi/xibarriers.c:1.1.1.1	Wed Aug 10 07:44:31 2016
+++ xsrc/external/mit/xorg-server/dist/Xi/xibarriers.c	Mon Nov  6 09:43:02 2017
@@ -830,10 +830,15 @@ SProcXIBarrierReleasePointer(ClientPtr c
     REQUEST(xXIBarrierReleasePointerReq);
     int i;
 
-    info = (xXIBarrierReleasePointerInfo*) &stuff[1];
-
     swaps(&stuff->length);
+    REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
+
     swapl(&stuff->num_barriers);
+    if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
+        return BadLength;
+    REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
+
+    info = (xXIBarrierReleasePointerInfo*) &stuff[1];
     for (i = 0; i < stuff->num_barriers; i++, info++) {
         swaps(&info->deviceid);
         swapl(&info->barrier);
@@ -854,6 +859,9 @@ ProcXIBarrierReleasePointer(ClientPtr cl
 
     REQUEST(xXIBarrierReleasePointerReq);
     REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
+    if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
+        return BadLength;
+    REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
 
     info = (xXIBarrierReleasePointerInfo*) &stuff[1];
     for (i = 0; i < stuff->num_barriers; i++, info++) {

Index: xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c:1.3 xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c:1.3.2.1
--- xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c:1.3	Thu Aug 11 00:04:26 2016
+++ xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c	Mon Nov  6 09:43:02 2017
@@ -425,7 +425,7 @@ ProcXIChangeHierarchy(ClientPtr client)
     if (stuff->length > (INT_MAX >> 2))
         return BadAlloc;
 #endif
-    len = ((size_t)stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
+    len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
 
     any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
     while (stuff->num_changes--) {
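Review bot: The corrected subtraction on the `len =` line is done in size_t because of the cast, so it wraps to a very large value if the request is shorter than `sizeof(xXIChangeHierarchyReq)`. No REQUEST_AT_LEAST_SIZE is visible in this hunk; if one precedes it in the part of ProcXIChangeHierarchy outside the hunk, a comment such as `/* cannot wrap: REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq) was checked above */` would record the dependency. The line also uses `stuff->length` where other handlers in this commit use `client->req_len`, so it is worth confirming the two always agree here.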

Index: xsrc/external/mit/xorg-server/dist/dbe/dbe.c
diff -u xsrc/external/mit/xorg-server/dist/dbe/dbe.c:1.3 xsrc/external/mit/xorg-server/dist/dbe/dbe.c:1.3.2.1
--- xsrc/external/mit/xorg-server/dist/dbe/dbe.c:1.3	Thu Aug 11 00:04:27 2016
+++ xsrc/external/mit/xorg-server/dist/dbe/dbe.c	Mon Nov  6 09:43:02 2017
@@ -574,6 +574,9 @@ ProcDbeGetVisualInfo(ClientPtr client)
     XdbeScreenVisualInfo *pScrVisInfo;
 
     REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
+    if (stuff->n > UINT32_MAX / sizeof(CARD32))
+        return BadLength;
+    REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32));
 
     if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
         return BadAlloc;
@@ -924,7 +927,7 @@ SProcDbeSwapBuffers(ClientPtr client)
 
     swapl(&stuff->n);
     if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
-        return BadAlloc;
+        return BadLength;
     REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
 
     if (stuff->n != 0) {
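Review bot: The overflow guard divides by `sizeof(DbeSwapInfoRec)` while the REQUEST_FIXED_SIZE two lines later multiplies by `sizeof(xDbeSwapInfo)`, so the guard and the product it protects use different element types. If the in-memory type is used deliberately (for instance because a later allocation is sized with it), a comment should say so; otherwise `if (stuff->n > UINT32_MAX / sizeof(xDbeSwapInfo))` matches the multiplication directly. Neither struct's size is visible here, so which bound is tighter needs checking.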

Index: xsrc/external/mit/xorg-server/dist/dix/dispatch.c
diff -u xsrc/external/mit/xorg-server/dist/dix/dispatch.c:1.3 xsrc/external/mit/xorg-server/dist/dix/dispatch.c:1.3.2.1
--- xsrc/external/mit/xorg-server/dist/dix/dispatch.c:1.3	Thu Aug 11 00:04:27 2016
+++ xsrc/external/mit/xorg-server/dist/dix/dispatch.c	Mon Nov  6 09:43:02 2017
@@ -3654,7 +3654,12 @@ ProcEstablishConnection(ClientPtr client
     prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
     auth_proto = (char *) prefix + sz_xConnClientPrefix;
     auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
-    if ((prefix->majorVersion != X_PROTOCOL) ||
+
+    if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
+	pad_to_int32(prefix->nbytesAuthProto) +
+	pad_to_int32(prefix->nbytesAuthString))
+        reason = "Bad length";
+    else if ((prefix->majorVersion != X_PROTOCOL) ||
         (prefix->minorVersion != X_PROTOCOL_REVISION))
         reason = "Protocol version mismatch";
     else
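Review bot: The two continuation lines of the new length test are indented with tabs while the rest of the function uses spaces; the same happens on the `return BadLength;` line added to ProcRenderSetPictureFilter in render.c. Re-indenting with spaces keeps the condition aligned whatever the tab width. A short comment above the test, e.g. `/* the setup request must be exactly header + prefix + padded auth name + padded auth data */`, would also help, since `auth_string` is computed from `prefix->nbytesAuthProto` just above the test. The function continues outside the hunk.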

Index: xsrc/external/mit/xorg-server/dist/hw/dmx/dmxpict.c
diff -u xsrc/external/mit/xorg-server/dist/hw/dmx/dmxpict.c:1.1.1.5 xsrc/external/mit/xorg-server/dist/hw/dmx/dmxpict.c:1.1.1.5.2.1
--- xsrc/external/mit/xorg-server/dist/hw/dmx/dmxpict.c:1.1.1.5	Wed Aug 10 07:44:33 2016
+++ xsrc/external/mit/xorg-server/dist/hw/dmx/dmxpict.c	Mon Nov  6 09:43:02 2017
@@ -716,6 +716,8 @@ dmxProcRenderSetPictureFilter(ClientPtr 
         filter = (char *) (stuff + 1);
         params = (XFixed *) (filter + ((stuff->nbytes + 3) & ~3));
         nparams = ((XFixed *) stuff + client->req_len) - params;
+        if (nparams < 0)
+            return BadLength;
 
         XRenderSetPictureFilter(dmxScreen->beDisplay,
                                 pPictPriv->pict, filter, params, nparams);
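Review bot: The `nparams < 0` test runs only after `params` has already been formed from the client-supplied `stuff->nbytes`, so for a short request the pointer is computed past the end of the request buffer and then subtracted. Checking the byte count first avoids relying on out-of-range pointer arithmetic, for example `if (((stuff->nbytes + 3) & ~3) > (client->req_len << 2) - sizeof(*stuff)) return BadLength;`, assuming the fixed header size was already validated earlier in the function (not visible in the hunk). The ProcRenderSetPictureFilter hunk in render.c has the same shape.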

Index: xsrc/external/mit/xorg-server/dist/hw/xfree86/common/xf86DGA.c
diff -u xsrc/external/mit/xorg-server/dist/hw/xfree86/common/xf86DGA.c:1.1.1.7 xsrc/external/mit/xorg-server/dist/hw/xfree86/common/xf86DGA.c:1.1.1.7.2.1
--- xsrc/external/mit/xorg-server/dist/hw/xfree86/common/xf86DGA.c:1.1.1.7	Wed Aug 10 07:44:34 2016
+++ xsrc/external/mit/xorg-server/dist/hw/xfree86/common/xf86DGA.c	Mon Nov  6 09:43:02 2017
@@ -1272,13 +1272,14 @@ ProcXDGAOpenFramebuffer(ClientPtr client
     char *deviceName;
     int nameSize;
 
+    REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (!DGAAvailable(stuff->screen))
         return DGAErrorBase + XF86DGANoDirectVideoMode;
 
-    REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -1305,14 +1306,14 @@ ProcXDGACloseFramebuffer(ClientPtr clien
 {
     REQUEST(xXDGACloseFramebufferReq);
 
+    REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (!DGAAvailable(stuff->screen))
         return DGAErrorBase + XF86DGANoDirectVideoMode;
 
-    REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq);
-
     DGACloseFramebuffer(stuff->screen);
 
     return Success;
@@ -1328,10 +1329,11 @@ ProcXDGAQueryModes(ClientPtr client)
     xXDGAModeInfo info;
     XDGAModePtr mode;
 
+    REQUEST_SIZE_MATCH(xXDGAQueryModesReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
-    REQUEST_SIZE_MATCH(xXDGAQueryModesReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.number = 0;
@@ -1443,11 +1445,12 @@ ProcXDGASetMode(ClientPtr client)
     ClientPtr owner;
     int size;
 
+    REQUEST_SIZE_MATCH(xXDGASetModeReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
     owner = DGA_GETCLIENT(stuff->screen);
 
-    REQUEST_SIZE_MATCH(xXDGASetModeReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.offset = 0;
@@ -1533,14 +1536,14 @@ ProcXDGASetViewport(ClientPtr client)
 {
     REQUEST(xXDGASetViewportReq);
 
+    REQUEST_SIZE_MATCH(xXDGASetViewportReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGASetViewportReq);
-
     DGASetViewport(stuff->screen, stuff->x, stuff->y, stuff->flags);
 
     return Success;
@@ -1554,14 +1557,14 @@ ProcXDGAInstallColormap(ClientPtr client
 
     REQUEST(xXDGAInstallColormapReq);
 
+    REQUEST_SIZE_MATCH(xXDGAInstallColormapReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGAInstallColormapReq);
-
     rc = dixLookupResourceByType((void **) &cmap, stuff->cmap, RT_COLORMAP,
                                  client, DixInstallAccess);
     if (rc != Success)
@@ -1575,14 +1578,14 @@ ProcXDGASelectInput(ClientPtr client)
 {
     REQUEST(xXDGASelectInputReq);
 
+    REQUEST_SIZE_MATCH(xXDGASelectInputReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGASelectInputReq);
-
     if (DGA_GETCLIENT(stuff->screen) == client)
         DGASelectInput(stuff->screen, client, stuff->mask);
 
@@ -1594,14 +1597,14 @@ ProcXDGAFillRectangle(ClientPtr client)
 {
     REQUEST(xXDGAFillRectangleReq);
 
+    REQUEST_SIZE_MATCH(xXDGAFillRectangleReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGAFillRectangleReq);
-
     if (Success != DGAFillRect(stuff->screen, stuff->x, stuff->y,
                                stuff->width, stuff->height, stuff->color))
         return BadMatch;
@@ -1614,14 +1617,14 @@ ProcXDGACopyArea(ClientPtr client)
 {
     REQUEST(xXDGACopyAreaReq);
 
+    REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
-
     if (Success != DGABlitRect(stuff->screen, stuff->srcx, stuff->srcy,
                                stuff->width, stuff->height, stuff->dstx,
                                stuff->dsty))
@@ -1635,14 +1638,14 @@ ProcXDGACopyTransparentArea(ClientPtr cl
 {
     REQUEST(xXDGACopyTransparentAreaReq);
 
+    REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
-
     if (Success != DGABlitTransRect(stuff->screen, stuff->srcx, stuff->srcy,
                                     stuff->width, stuff->height, stuff->dstx,
                                     stuff->dsty, stuff->key))
@@ -1657,13 +1660,14 @@ ProcXDGAGetViewportStatus(ClientPtr clie
     REQUEST(xXDGAGetViewportStatusReq);
     xXDGAGetViewportStatusReply rep;
 
+    REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -1680,13 +1684,14 @@ ProcXDGASync(ClientPtr client)
     REQUEST(xXDGASyncReq);
     xXDGASyncReply rep;
 
+    REQUEST_SIZE_MATCH(xXDGASyncReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGASyncReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -1725,13 +1730,14 @@ ProcXDGAChangePixmapMode(ClientPtr clien
     xXDGAChangePixmapModeReply rep;
     int x, y;
 
+    REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -1755,14 +1761,14 @@ ProcXDGACreateColormap(ClientPtr client)
     REQUEST(xXDGACreateColormapReq);
     int result;
 
+    REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
-
     if (!stuff->mode)
         return BadValue;
 
@@ -1791,10 +1797,11 @@ ProcXF86DGAGetVideoLL(ClientPtr client)
     int num, offset, flags;
     char *name;
 
+    REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
-    REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -1831,9 +1838,10 @@ ProcXF86DGADirectVideo(ClientPtr client)
 
     REQUEST(xXF86DGADirectVideoReq);
 
+    REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
-    REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq);
 
     if (!DGAAvailable(stuff->screen))
         return DGAErrorBase + XF86DGANoDirectVideoMode;
@@ -1889,10 +1897,11 @@ ProcXF86DGAGetViewPortSize(ClientPtr cli
     REQUEST(xXF86DGAGetViewPortSizeReq);
     xXF86DGAGetViewPortSizeReply rep;
 
+    REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
-    REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -1917,14 +1926,14 @@ ProcXF86DGASetViewPort(ClientPtr client)
 {
     REQUEST(xXF86DGASetViewPortReq);
 
+    REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq);
-
     if (!DGAAvailable(stuff->screen))
         return DGAErrorBase + XF86DGANoDirectVideoMode;
 
@@ -1944,10 +1953,11 @@ ProcXF86DGAGetVidPage(ClientPtr client)
     REQUEST(xXF86DGAGetVidPageReq);
     xXF86DGAGetVidPageReply rep;
 
+    REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
-    REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -1962,11 +1972,11 @@ ProcXF86DGASetVidPage(ClientPtr client)
 {
     REQUEST(xXF86DGASetVidPageReq);
 
+    REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
-    REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq);
-
     /* silently fail */
 
     return Success;
@@ -1980,14 +1990,14 @@ ProcXF86DGAInstallColormap(ClientPtr cli
 
     REQUEST(xXF86DGAInstallColormapReq);
 
+    REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq);
-
     if (!DGAActive(stuff->screen))
         return DGAErrorBase + XF86DGADirectNotActivated;
 
@@ -2008,10 +2018,11 @@ ProcXF86DGAQueryDirectVideo(ClientPtr cl
     REQUEST(xXF86DGAQueryDirectVideoReq);
     xXF86DGAQueryDirectVideoReply rep;
 
+    REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
-    REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq);
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
@@ -2030,14 +2041,14 @@ ProcXF86DGAViewPortChanged(ClientPtr cli
     REQUEST(xXF86DGAViewPortChangedReq);
     xXF86DGAViewPortChangedReply rep;
 
+    REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq);
+
     if (stuff->screen >= screenInfo.numScreens)
         return BadValue;
 
     if (DGA_GETCLIENT(stuff->screen) != client)
         return DGAErrorBase + XF86DGADirectNotActivated;
 
-    REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq);
-
     if (!DGAActive(stuff->screen))
         return DGAErrorBase + XF86DGADirectNotActivated;
 

Index: xsrc/external/mit/xorg-server/dist/hw/xfree86/dri/xf86dri.c
diff -u xsrc/external/mit/xorg-server/dist/hw/xfree86/dri/xf86dri.c:1.1.1.5 xsrc/external/mit/xorg-server/dist/hw/xfree86/dri/xf86dri.c:1.1.1.5.2.1
--- xsrc/external/mit/xorg-server/dist/hw/xfree86/dri/xf86dri.c:1.1.1.5	Wed Aug 10 07:44:34 2016
+++ xsrc/external/mit/xorg-server/dist/hw/xfree86/dri/xf86dri.c	Mon Nov  6 09:43:02 2017
@@ -570,6 +570,7 @@ static int
 SProcXF86DRIQueryDirectRenderingCapable(register ClientPtr client)
 {
     REQUEST(xXF86DRIQueryDirectRenderingCapableReq);
+    REQUEST_SIZE_MATCH(xXF86DRIQueryDirectRenderingCapableReq);
     swaps(&stuff->length);
     swapl(&stuff->screen);
     return ProcXF86DRIQueryDirectRenderingCapable(client);

Index: xsrc/external/mit/xorg-server/dist/pseudoramiX/pseudoramiX.c
diff -u xsrc/external/mit/xorg-server/dist/pseudoramiX/pseudoramiX.c:1.1.1.1 xsrc/external/mit/xorg-server/dist/pseudoramiX/pseudoramiX.c:1.1.1.1.2.1
--- xsrc/external/mit/xorg-server/dist/pseudoramiX/pseudoramiX.c:1.1.1.1	Wed Aug 10 07:44:31 2016
+++ xsrc/external/mit/xorg-server/dist/pseudoramiX/pseudoramiX.c	Mon Nov  6 09:43:02 2017
@@ -297,10 +297,11 @@ ProcPseudoramiXGetScreenSize(ClientPtr c
 
     TRACE;
 
+    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+
     if (stuff->screen >= pseudoramiXNumScreens)
       return BadMatch;
 
-    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
     rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
     if (rc != Success)
         return rc;

Index: xsrc/external/mit/xorg-server/dist/render/render.c
diff -u xsrc/external/mit/xorg-server/dist/render/render.c:1.3 xsrc/external/mit/xorg-server/dist/render/render.c:1.3.2.1
--- xsrc/external/mit/xorg-server/dist/render/render.c:1.3	Thu Aug 11 00:04:35 2016
+++ xsrc/external/mit/xorg-server/dist/render/render.c	Mon Nov  6 09:43:02 2017
@@ -1771,6 +1771,9 @@ ProcRenderSetPictureFilter(ClientPtr cli
     name = (char *) (stuff + 1);
     params = (xFixed *) (name + pad_to_int32(stuff->nbytes));
     nparams = ((xFixed *) stuff + client->req_len) - params;
+    if (nparams < 0)
+	return BadLength;
+
     result = SetPictureFilter(pPicture, name, stuff->nbytes, params, nparams);
     return result;
 }

Index: xsrc/external/mit/xorg-server/dist/xfixes/cursor.c
diff -u xsrc/external/mit/xorg-server/dist/xfixes/cursor.c:1.1.1.7 xsrc/external/mit/xorg-server/dist/xfixes/cursor.c:1.1.1.7.2.1
--- xsrc/external/mit/xorg-server/dist/xfixes/cursor.c:1.1.1.7	Wed Aug 10 07:44:31 2016
+++ xsrc/external/mit/xorg-server/dist/xfixes/cursor.c	Mon Nov  6 09:43:02 2017
@@ -280,6 +280,7 @@ int
 SProcXFixesSelectCursorInput(ClientPtr client)
 {
     REQUEST(xXFixesSelectCursorInputReq);
+    REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq);
 
     swaps(&stuff->length);
     swapl(&stuff->window);
@@ -413,7 +414,7 @@ ProcXFixesSetCursorName(ClientPtr client
     REQUEST(xXFixesSetCursorNameReq);
     Atom atom;
 
-    REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq);
+    REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes);
     VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess);
     tchar = (char *) &stuff[1];
     atom = MakeAtom(tchar, stuff->nbytes, TRUE);
@@ -1006,6 +1007,8 @@ SProcXFixesCreatePointerBarrier(ClientPt
     int i;
     CARD16 *in_devices = (CARD16 *) &stuff[1];
 
+    REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);
+
     swaps(&stuff->length);
     swaps(&stuff->num_devices);
     REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
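Review bot: `REQUEST_FIXED_SIZE` on the last line passes `pad_to_int32(stuff->num_devices)`, which treats `num_devices` as a byte count although `in_devices` is a `CARD16 *`. If `num_devices` counts 16-bit device ids, as the pointer type suggests, only half of the array is covered by the length check, and the swap loop that presumably follows (outside the hunk) would touch bytes that were never validated. In that case the size should be `pad_to_int32(stuff->num_devices * sizeof(CARD16))`; compare with the non-swapped handler to confirm.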

Index: xsrc/external/mit/xorg-server/dist/xfixes/region.c
diff -u xsrc/external/mit/xorg-server/dist/xfixes/region.c:1.1.1.6 xsrc/external/mit/xorg-server/dist/xfixes/region.c:1.1.1.6.2.1
--- xsrc/external/mit/xorg-server/dist/xfixes/region.c:1.1.1.6	Wed Aug 10 07:44:31 2016
+++ xsrc/external/mit/xorg-server/dist/xfixes/region.c	Mon Nov  6 09:43:02 2017
@@ -359,6 +359,7 @@ ProcXFixesCopyRegion(ClientPtr client)
     RegionPtr pSource, pDestination;
 
     REQUEST(xXFixesCopyRegionReq);
+    REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
 
     VERIFY_REGION(pSource, stuff->source, client, DixReadAccess);
     VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess);
@@ -375,7 +376,7 @@ SProcXFixesCopyRegion(ClientPtr client)
     REQUEST(xXFixesCopyRegionReq);
 
     swaps(&stuff->length);
-    REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq);
+    REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
     swapl(&stuff->source);
     swapl(&stuff->destination);
     return (*ProcXFixesVector[stuff->xfixesReqType]) (client);

Index: xsrc/external/mit/xorg-server/dist/xfixes/saveset.c
diff -u xsrc/external/mit/xorg-server/dist/xfixes/saveset.c:1.1.1.4 xsrc/external/mit/xorg-server/dist/xfixes/saveset.c:1.1.1.4.2.1
--- xsrc/external/mit/xorg-server/dist/xfixes/saveset.c:1.1.1.4	Wed Aug 10 07:44:31 2016
+++ xsrc/external/mit/xorg-server/dist/xfixes/saveset.c	Mon Nov  6 09:43:02 2017
@@ -62,6 +62,7 @@ int
 SProcXFixesChangeSaveSet(ClientPtr client)
 {
     REQUEST(xXFixesChangeSaveSetReq);
+    REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq);
 
     swaps(&stuff->length);
     swapl(&stuff->window);

Index: xsrc/external/mit/xorg-server/dist/xfixes/xfixes.c
diff -u xsrc/external/mit/xorg-server/dist/xfixes/xfixes.c:1.1.1.5 xsrc/external/mit/xorg-server/dist/xfixes/xfixes.c:1.1.1.5.2.1
--- xsrc/external/mit/xorg-server/dist/xfixes/xfixes.c:1.1.1.5	Wed Aug 10 07:44:31 2016
+++ xsrc/external/mit/xorg-server/dist/xfixes/xfixes.c	Mon Nov  6 09:43:02 2017
@@ -160,6 +160,7 @@ static int
 SProcXFixesQueryVersion(ClientPtr client)
 {
     REQUEST(xXFixesQueryVersionReq);
+    REQUEST_SIZE_MATCH(xXFixesQueryVersionReq);
 
     swaps(&stuff->length);
     swapl(&stuff->majorVersion);
