1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
|
From: Julien Cristau <jcristau@debian.org>
Date: Sun Aug 22 16:20:45 2010 +0100
Subject: [PATCH] glx: swap the request arrays entirely, not just half of them
Patch-Mainline: Upstream
Git-commit: 62319e8381ebd645ae36b25e5fc3c0e9b098387b
References: bnc #648278, CVE-2010-4818
Signed-off-by: Egbert Eich <eich@suse.de>
Various glx requests include a list of pairs of attributes. We were
only swapping the first half.
Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Julien Cristau <jcristau@debian.org>
---
glx/glxcmdsswap.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- xorg-server-1.6.5.orig/glx/glxcmdsswap.c
+++ xorg-server-1.6.5/glx/glxcmdsswap.c
@@ -324,7 +324,7 @@ int __glXDispSwap_CreatePixmap(__GLXclie
REQUEST_FIXED_SIZE(xGLXCreatePixmapReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
- __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+ __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
return __glXDisp_CreatePixmap(cl, pc);
}
@@ -405,7 +405,7 @@ int __glXDispSwap_CreatePbuffer(__GLXcli
REQUEST_FIXED_SIZE(xGLXCreatePbufferReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
- __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+ __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
return __glXDisp_CreatePbuffer(cl, pc);
}
@@ -470,7 +470,7 @@ int __glXDispSwap_ChangeDrawableAttribut
REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
- __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+ __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
return __glXDisp_ChangeDrawableAttributes(cl, pc);
}
@@ -492,7 +492,7 @@ int __glXDispSwap_ChangeDrawableAttribut
REQUEST_FIXED_SIZE(xGLXChangeDrawableAttributesSGIXReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
- __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+ __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
return __glXDisp_ChangeDrawableAttributesSGIX(cl, pc);
}
@@ -515,7 +515,7 @@ int __glXDispSwap_CreateWindow(__GLXclie
REQUEST_FIXED_SIZE(xGLXCreateWindowReq, req->numAttribs << 3);
attribs = (CARD32*)(req + 1);
- __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs);
+ __GLX_SWAP_INT_ARRAY(attribs, req->numAttribs << 1);
return __glXDisp_CreateWindow(cl, pc);
}
|
