xfixes: unvalidated lengths (CVE-2017-12183)

v2: Use before swap (Jeremy Huddleston Sequoia) v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith) Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> Signed-off-by: Nathan Kidd <nkidd@opentext.com> Signed-off-by: Julien Cristau <jcristau@debian.org>
2026-03-24 03:44:06 +00:00 · 2015-01-09 11:43:05 -05:00
parent cad5a1050b
commit 55caa8b08c
4 changed files with 8 additions and 2 deletions
--- a/xfixes/cursor.c
+++ b/xfixes/cursor.c
@@ -281,6 +281,7 @@ int _X_COLD
 SProcXFixesSelectCursorInput(ClientPtr client)
 {
    REQUEST(xXFixesSelectCursorInputReq);
+    REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq);

    swaps(&stuff->length);
    swapl(&stuff->window);
@@ -414,7 +415,7 @@ ProcXFixesSetCursorName(ClientPtr client)
    REQUEST(xXFixesSetCursorNameReq);
    Atom atom;

-    REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq);
+    REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes);
    VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess);
    tchar = (char *) &stuff[1];
    atom = MakeAtom(tchar, stuff->nbytes, TRUE);
@@ -1007,6 +1008,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
    int i;
    CARD16 *in_devices = (CARD16 *) &stuff[1];

+    REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);
+
    swaps(&stuff->length);
    swaps(&stuff->num_devices);
    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));