| From 8caed4df36b1f802b4992edcfd282cbeeec35d9d Mon Sep 17 00:00:00 2001 |
| From: Michal Srb <msrb@suse.com> |
| Date: Wed, 24 May 2017 15:54:41 +0300 |
| Subject: [PATCH] Xi: Verify all events in ProcXSendExtensionEvent. |
| |
| The requirement is that events have type in range |
| EXTENSION_EVENT_BASE..lastEvent, but it was tested |
| only for first event of all. |
| |
| Signed-off-by: Michal Srb <msrb@suse.com> |
| Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> |
| Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> |
| |
| CVE: CVE-2017-10971 |
| |
| Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d] |
| |
| Signed-off-by: Jackie Huang <jackie.huang@windriver.com> |
| --- |
| Xi/sendexev.c | 12 +++++++----- |
| 1 file changed, 7 insertions(+), 5 deletions(-) |
| |
| diff --git a/Xi/sendexev.c b/Xi/sendexev.c |
| index 1cf118a..5e63bfc 100644 |
| --- a/Xi/sendexev.c |
| +++ b/Xi/sendexev.c |
| @@ -117,7 +117,7 @@ SProcXSendExtensionEvent(ClientPtr client) |
| int |
| ProcXSendExtensionEvent(ClientPtr client) |
| { |
| - int ret; |
| + int ret, i; |
| DeviceIntPtr dev; |
| xEvent *first; |
| XEventClass *list; |
| @@ -141,10 +141,12 @@ ProcXSendExtensionEvent(ClientPtr client) |
| /* The client's event type must be one defined by an extension. */ |
| |
| first = ((xEvent *) &stuff[1]); |
| - if (!((EXTENSION_EVENT_BASE <= first->u.u.type) && |
| - (first->u.u.type < lastEvent))) { |
| - client->errorValue = first->u.u.type; |
| - return BadValue; |
| + for (i = 0; i < stuff->num_events; i++) { |
| + if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) && |
| + (first[i].u.u.type < lastEvent))) { |
| + client->errorValue = first[i].u.u.type; |
| + return BadValue; |
| + } |
| } |
| |
| list = (XEventClass *) (first + stuff->num_events); |
| -- |
| 1.7.9.5 |
| |