Xv: unvalidated lengths in XVideo extension swapped procs [CVE-2014-8099]

v2: backport to nx-libs 3.6.x (Mike DePaulo) Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: Xext/xvdisp.c

Xv: unvalidated lengths in XVideo extension swapped procs [CVE-2014-8099]
2abde565 · Alan Coopersmith · Mike Gabriel · 0d53194f · 2abde565
Commit 2abde565 authored Jan 26, 2014 by Alan Coopersmith Committed by Mike Gabriel Feb 14, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 20 additions and 0 deletions

xvdisp.c nx-X11/programs/Xserver/Xext/xvdisp.c +20 -0

No files found.
--- a/nx-X11/programs/Xserver/Xext/xvdisp.c
+++ b/nx-X11/programs/Xserver/Xext/xvdisp.c
@@ -1347,6 +1347,7 @@ SProcXvQueryExtension(ClientPtr client)
 {
  register char n;
  REQUEST(xvQueryExtensionReq);
+  REQUEST_SIZE_MATCH(xvQueryExtensionReq);
  swaps(&stuff->length, n);
  return ProcXvQueryExtension(client);
 }
@@ -1356,6 +1357,7 @@ SProcXvQueryAdaptors(ClientPtr client)
 {
  register char n;
  REQUEST(xvQueryAdaptorsReq);
+  REQUEST_SIZE_MATCH(xvQueryAdaptorsReq);
  swaps(&stuff->length, n);
  swapl(&stuff->window, n);
  return ProcXvQueryAdaptors(client);
@@ -1366,6 +1368,7 @@ SProcXvQueryEncodings(ClientPtr client)
 {
  register char n;
  REQUEST(xvQueryEncodingsReq);
+  REQUEST_SIZE_MATCH(xvQueryEncodingsReq);
  swaps(&stuff->length, n);
  swapl(&stuff->port, n);
  return ProcXvQueryEncodings(client);
@@ -1376,6 +1379,7 @@ SProcXvGrabPort(ClientPtr client)
 {
  register char n;
  REQUEST(xvGrabPortReq);
+  REQUEST_SIZE_MATCH(xvGrabPortReq);
  swaps(&stuff->length, n);
  swapl(&stuff->port, n);
  swapl(&stuff->time, n);
@@ -1387,6 +1391,7 @@ SProcXvUngrabPort(ClientPtr client)
 {
  register char n;
  REQUEST(xvUngrabPortReq);
+  REQUEST_SIZE_MATCH(xvUngrabPortReq);
  swaps(&stuff->length, n);
  swapl(&stuff->port, n);
  swapl(&stuff->time, n);
@@ -1398,6 +1403,7 @@ SProcXvPutVideo(ClientPtr client)
 {
  register char n;
  REQUEST(xvPutVideoReq);
+  REQUEST_SIZE_MATCH(xvPutVideoReq);
  swaps(&stuff->length, n);
  swapl(&stuff->port, n);
  swapl(&stuff->drawable, n);
@@ -1418,6 +1424,7 @@ SProcXvPutStill(ClientPtr client)
 {
  register char n;
  REQUEST(xvPutStillReq);
+  REQUEST_SIZE_MATCH(xvPutStillReq);
  swaps(&stuff->length, n);
  swapl(&stuff->port, n);
  swapl(&stuff->drawable, n);
@@ -1438,6 +1445,7 @@ SProcXvGetVideo(ClientPtr client)
 {
  register char n;
  REQUEST(xvGetVideoReq);
+  REQUEST_SIZE_MATCH(xvGetVideoReq);
  swaps(&stuff->length, n);
  swapl(&stuff->port, n);
  swapl(&stuff->drawable, n);
@@ -1458,6 +1466,7 @@ SProcXvGetStill(ClientPtr client)
 {
  register char n;
  REQUEST(xvGetStillReq);
+  REQUEST_SIZE_MATCH(xvGetStillReq);
  swaps(&stuff->length, n);
  swapl(&stuff->port, n);
  swapl(&stuff->drawable, n);
@@ -1478,6 +1487,7 @@ SProcXvPutImage(ClientPtr client)
 {
  register char n;
  REQUEST(xvPutImageReq);
+  REQUEST_AT_LEAST_SIZE(xvPutImageReq);
  swaps(&stuff->length, n);
  swapl(&stuff->port, n);
  swapl(&stuff->drawable, n);
@@ -1502,6 +1512,7 @@ SProcXvShmPutImage(ClientPtr client)
 {
  register char n;
  REQUEST(xvShmPutImageReq);
+  REQUEST_SIZE_MATCH(xvShmPutImageReq);
  swaps(&stuff->length, n);
  swapl(&stuff->port, n);
  swapl(&stuff->drawable, n);
@@ -1529,6 +1540,7 @@ SProcXvSelectVideoNotify(ClientPtr client)
 {
  register char n;
  REQUEST(xvSelectVideoNotifyReq);
+  REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq);
  swaps(&stuff->length, n);
  swapl(&stuff->drawable, n);
  return ProcXvSelectVideoNotify(client);
@@ -1539,6 +1551,7 @@ SProcXvSelectPortNotify(ClientPtr client)
 {
  register char n;
  REQUEST(xvSelectPortNotifyReq);
+  REQUEST_SIZE_MATCH(xvSelectPortNotifyReq);
  swaps(&stuff->length, n);
  swapl(&stuff->port, n);
  return ProcXvSelectPortNotify(client);
@@ -1549,6 +1562,7 @@ SProcXvStopVideo(ClientPtr client)
 {
  register char n;
  REQUEST(xvStopVideoReq);
+  REQUEST_SIZE_MATCH(xvStopVideoReq);
  swaps(&stuff->length, n);
  swapl(&stuff->port, n);
  swapl(&stuff->drawable, n);
@@ -1560,6 +1574,7 @@ SProcXvSetPortAttribute(ClientPtr client)
 {
  register char n;
  REQUEST(xvSetPortAttributeReq);
+  REQUEST_SIZE_MATCH(xvSetPortAttributeReq);
  swaps(&stuff->length, n);
  swapl(&stuff->port, n);
  swapl(&stuff->attribute, n);
@@ -1571,6 +1586,7 @@ SProcXvGetPortAttribute(ClientPtr client)
 {
  register char n;
  REQUEST(xvGetPortAttributeReq);
+  REQUEST_SIZE_MATCH(xvGetPortAttributeReq);
  swaps(&stuff->length, n);
  swapl(&stuff->port, n);
  swapl(&stuff->attribute, n);
@@ -1582,6 +1598,7 @@ SProcXvQueryBestSize(ClientPtr client)
 {
  register char n;
  REQUEST(xvQueryBestSizeReq);
+  REQUEST_SIZE_MATCH(xvQueryBestSizeReq);
  swaps(&stuff->length, n);
  swapl(&stuff->port, n);
  swaps(&stuff->vid_w, n);
@@ -1596,6 +1613,7 @@ SProcXvQueryPortAttributes(ClientPtr client)
 {
  register char n;
  REQUEST(xvQueryPortAttributesReq);
+  REQUEST_SIZE_MATCH(xvQueryPortAttributesReq);
  swaps(&stuff->length, n);
  swapl(&stuff->port, n);
  return ProcXvQueryPortAttributes(client);
@@ -1606,6 +1624,7 @@ SProcXvQueryImageAttributes(ClientPtr client)
 {
  register char n;
  REQUEST(xvQueryImageAttributesReq);
+  REQUEST_SIZE_MATCH(xvQueryImageAttributesReq);
  swaps(&stuff->length, n);
  swapl(&stuff->id, n);
  swaps(&stuff->width, n);
@@ -1618,6 +1637,7 @@ SProcXvListImageFormats(ClientPtr client)
 {
  register char n;
  REQUEST(xvListImageFormatsReq);
+  REQUEST_SIZE_MATCH(xvListImageFormatsReq);
  swaps(&stuff->length, n);
  swapl(&stuff->port, n);
  return ProcXvListImageFormats(client);