packages/xorg-x11-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
xorg-x11-server/CVE-2020-14362.patch

65 lines
2.5 KiB
Diff
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

From 2902b78535ecc6821cc027351818b28a5c7fdbdc Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Tue, 18 Aug 2020 14:55:01 +0200
Subject: [PATCH] Fix XRecordRegisterClients() Integer underflow
CVE-2020-14362 ZDI-CAN-11574
referencehttps://gitlab.freedesktop.org/xorg/xserver/-/commit/2902b78535ecc6821cc027351818b28a5c7fdbdc
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
---
record/record.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/record/record.c b/record/record.c
index f0b739b..05d751a 100644
--- a/record/record.c
+++ b/record/record.c
@@ -2499,7 +2499,7 @@ SProcRecordQueryVersion(ClientPtr client)
} /* SProcRecordQueryVersion */
static int _X_COLD
-SwapCreateRegister(xRecordRegisterClientsReq * stuff)
+SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
{
int i;
XID *pClientID;
@@ -2509,13 +2509,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
swapl(&stuff->nRanges);
pClientID = (XID *) &stuff[1];
if (stuff->nClients >
- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
return BadLength;
for (i = 0; i < stuff->nClients; i++, pClientID++) {
swapl(pClientID);
}
if (stuff->nRanges >
- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
- stuff->nClients)
return BadLength;
RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
@@ -2530,7 +2530,7 @@ SProcRecordCreateContext(ClientPtr client)
swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
- if ((status = SwapCreateRegister((void *) stuff)) != Success)
+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
return status;
return ProcRecordCreateContext(client);
} /* SProcRecordCreateContext */
@@ -2543,7 +2543,7 @@ SProcRecordRegisterClients(ClientPtr client)
swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
- if ((status = SwapCreateRegister((void *) stuff)) != Success)
+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
return status;
return ProcRecordRegisterClients(client);
} /* SProcRecordRegisterClients */
--
2.27.0
Reference in New Issue View Git Blame Copy Permalink