During X server security testing, current lucid xserver was terminated on invalid request: ii xserver-xorg 1:7.5+5ubuntu1 the X.Org X server ii xserver-xorg-core 2:1.7.6-2ubuntu7.2 Xorg X server - core server Xext/xvdisp.c: int ProcXvDispatch(ClientPtr client) { REQUEST(xReq); UpdateCurrentTime(); >>>>>>>>>>> should be xv_LastRequest if (stuff->data > xvNumRequests) { SendErrorToClient(client, XvReqCode, stuff->data, 0, BadRequest); return(BadRequest); } >>>>>>>>>>>> value data=xvNumRequests causes call of null ptr return XvProcVector[stuff->data](client); } See also: /usr/include/X11/extensions/Xvproto.h #define xv_LastRequest xv_ShmPutImage #define xvNumRequests (xv_LastRequest + 1) Credits to me@halfdog.net
Created attachment 36887 [details] [review] Fix off by one by using correct constant definition
this was fixed in 1.12 and the 1.10.x and 1.11.x stable branches. commit 41229392b790f30a0f0ef1f4ed95647c5bca4001 Author: Dave Airlie <airlied@redhat.com> Date: Thu Oct 20 11:00:43 2011 +0100 xv: test correct number of requests. (v2) Pointed out by coverity. v2: fix swapped as well, as pointed out by Alan Signed-off-by: Dave Airlie <airlied@redhat.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.