Various functions calls in DRI3 & Present extensions do not check that the lengths and/or indexes sent by the client are within the bounds specified by the caller or the bounds of the memory allocated to hold the request read from the client, so could read or write past the bounds of allocated memory while processing the request. These calls all occur only after a client has successfully authenticated itself. Affected functions: sproc_dri3_query_version(), sproc_dri3_open(), sproc_dri3_pixmap_from_buffer(), sproc_dri3_buffer_from_pixmap(), sproc_dri3_fence_from_fd(), sproc_dri3_fd_from_fence(), proc_present_query_capabilities(), sproc_present_query_version(), sproc_present_pixmap(), sproc_present_notify_msc(), sproc_present_select_input(), sproc_present_query_capabilities() Introduced in xorg-server-1.15.0 (2013).
Created attachment 962154 [details] 0011-dri3_unvalidated_lengths_in_DRI3_extension_swapped_procs_CVE-2014-8103_1-2.patch
Created attachment 962155 [details] 0012-present_unvalidated_lengths_in_Present_extension_procs_CVE-2014-8103_2-2.patch
OOB read leading to crash.
External References: http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Via RHSA-2014:1983 https://rhn.redhat.com/errata/RHSA-2014-1983.html