source.dussan.org Git - tigervnc.git/blob

   1 From: Julien Cristau <jcristau@debian.org>
   2 Date: Sun Aug 22 16:20:45 2010 +0100
   3 Subject: [PATCH] glx: swap the request arrays entirely, not just half of them
   4 Patch-Mainline: Upstream
   5 Git-commit: 62319e8381ebd645ae36b25e5fc3c0e9b098387b
   6 References: bnc #648278, CVE-2010-4818
   7 Signed-off-by: Egbert Eich <eich@suse.de>
   8
   9 Various glx requests include a list of pairs of attributes.  We were
  10 only swapping the first half.
  11
  12 Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
  13 Reviewed-by: Daniel Stone <daniel@fooishbar.org>
  14 Signed-off-by: Julien Cristau <jcristau@debian.org>
  15 ---
  16  glx/glxcmdsswap.c |   10 +++++-----
  17  1 file changed, 5 insertions(+), 5 deletions(-)
  18
  19 --- xorg-server-1.6.5.orig/glx/glxcmdsswap.c
  20 +++ xorg-server-1.6.5/glx/glxcmdsswap.c
  21 @@ -324,7 +324,7 @@ int __glXDispSwap_CreatePixmap(__GLXclie
  22
  23      REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
  24      attribs = (CARD32*)(req + 1);
  25 -    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
  26 +    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
  27
  28      return __glXDisp_CreatePixmap(cl, pc);
  29  }
  30 @@ -405,7 +405,7 @@ int __glXDispSwap_CreatePbuffer(__GLXcli
  31
  32      REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
  33      attribs = (CARD32*)(req + 1);
  34 -    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
  35 +    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
  36
  37      return __glXDisp_CreatePbuffer(cl, pc);
  38  }
  39 @@ -470,7 +470,7 @@ int __glXDispSwap_ChangeDrawableAttribut
  40
  41      REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
  42      attribs = (CARD32*)(req + 1);
  43 -    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
  44 +    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
  45
  46      return __glXDisp_ChangeDrawableAttributes(cl, pc);
  47  }
  48 @@ -492,7 +492,7 @@ int __glXDispSwap_ChangeDrawableAttribut
  49
  50      REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
  51      attribs = (CARD32*)(req + 1);
  52 -    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
  53 +    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
  54
  55      return __glXDisp_ChangeDrawableAttributesSGIX(cl, pc);
  56  }
  57 @@ -515,7 +515,7 @@ int __glXDispSwap_CreateWindow(__GLXclie
  58
  59      REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
  60      attribs = (CARD32*)(req + 1);
  61 -    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
  62 +    __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
  63
  64      return __glXDisp_CreateWindow(cl, pc);
  65  }