|
 |
fac0ec |
From 705d7213935820d9f56563ee9e17aa9beb365c1e Mon Sep 17 00:00:00 2001
|
|
|
fac0ec |
From: Matthieu Herrb <matthieu@herrb.eu>
|
|
|
fac0ec |
Date: Tue, 18 Aug 2020 14:55:01 +0200
|
|
|
fac0ec |
Subject: [PATCH xserver] Fix XRecordRegisterClients() Integer underflow
|
|
|
fac0ec |
MIME-Version: 1.0
|
|
|
fac0ec |
Content-Type: text/plain; charset=UTF-8
|
|
|
fac0ec |
Content-Transfer-Encoding: 8bit
|
|
|
fac0ec |
|
|
|
fac0ec |
CVE-2020-14362 ZDI-CAN-11574
|
|
|
fac0ec |
|
|
|
fac0ec |
This vulnerability was discovered by:
|
|
|
fac0ec |
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
fac0ec |
|
|
|
fac0ec |
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
|
fac0ec |
(cherry picked from commit 24acad216aa0fc2ac451c67b2b86db057a032050)
|
|
|
fac0ec |
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
|
|
|
fac0ec |
---
|
|
|
fac0ec |
record/record.c | 10 +++++-----
|
|
|
fac0ec |
1 file changed, 5 insertions(+), 5 deletions(-)
|
|
|
fac0ec |
|
|
|
fac0ec |
diff --git a/record/record.c b/record/record.c
|
|
|
fac0ec |
index f0b739b0c..05d751ac2 100644
|
|
|
fac0ec |
--- a/record/record.c
|
|
|
fac0ec |
+++ b/record/record.c
|
|
|
fac0ec |
@@ -2499,7 +2499,7 @@ SProcRecordQueryVersion(ClientPtr client)
|
|
|
fac0ec |
} /* SProcRecordQueryVersion */
|
|
|
fac0ec |
|
|
|
fac0ec |
static int _X_COLD
|
|
|
fac0ec |
-SwapCreateRegister(xRecordRegisterClientsReq * stuff)
|
|
|
fac0ec |
+SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
|
|
|
fac0ec |
{
|
|
|
fac0ec |
int i;
|
|
|
fac0ec |
XID *pClientID;
|
|
|
fac0ec |
@@ -2509,13 +2509,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
|
|
|
fac0ec |
swapl(&stuff->nRanges);
|
|
|
fac0ec |
pClientID = (XID *) &stuff[1];
|
|
|
fac0ec |
if (stuff->nClients >
|
|
|
fac0ec |
- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
|
|
|
fac0ec |
+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
|
|
|
fac0ec |
return BadLength;
|
|
|
fac0ec |
for (i = 0; i < stuff->nClients; i++, pClientID++) {
|
|
|
fac0ec |
swapl(pClientID);
|
|
|
fac0ec |
}
|
|
|
fac0ec |
if (stuff->nRanges >
|
|
|
fac0ec |
- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
|
|
|
fac0ec |
+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
|
|
|
fac0ec |
- stuff->nClients)
|
|
|
fac0ec |
return BadLength;
|
|
|
fac0ec |
RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
|
|
|
fac0ec |
@@ -2530,7 +2530,7 @@ SProcRecordCreateContext(ClientPtr client)
|
|
|
fac0ec |
|
|
|
fac0ec |
swaps(&stuff->length);
|
|
|
fac0ec |
REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
|
|
|
fac0ec |
- if ((status = SwapCreateRegister((void *) stuff)) != Success)
|
|
|
fac0ec |
+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
|
|
|
fac0ec |
return status;
|
|
|
fac0ec |
return ProcRecordCreateContext(client);
|
|
|
fac0ec |
} /* SProcRecordCreateContext */
|
|
|
fac0ec |
@@ -2543,7 +2543,7 @@ SProcRecordRegisterClients(ClientPtr client)
|
|
|
fac0ec |
|
|
|
fac0ec |
swaps(&stuff->length);
|
|
|
fac0ec |
REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
|
|
|
fac0ec |
- if ((status = SwapCreateRegister((void *) stuff)) != Success)
|
|
|
fac0ec |
+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
|
|
|
fac0ec |
return status;
|
|
|
fac0ec |
return ProcRecordRegisterClients(client);
|
|
|
fac0ec |
} /* SProcRecordRegisterClients */
|
|
|
fac0ec |
--
|
|
|
fac0ec |
2.28.0
|
|
|
fac0ec |
|