|
|
fac0ec |
From 5b384e7678c5a155dd8752f018c8292153c1295e Mon Sep 17 00:00:00 2001
|
|
|
fac0ec |
From: Matthieu Herrb <matthieu@herrb.eu>
|
|
|
fac0ec |
Date: Tue, 18 Aug 2020 14:52:29 +0200
|
|
|
fac0ec |
Subject: [PATCH xserver] Fix XkbSelectEvents() integer underflow
|
|
|
fac0ec |
MIME-Version: 1.0
|
|
|
fac0ec |
Content-Type: text/plain; charset=UTF-8
|
|
|
fac0ec |
Content-Transfer-Encoding: 8bit
|
|
|
fac0ec |
|
|
|
fac0ec |
CVE-2020-14361 ZDI-CAN 11573
|
|
|
fac0ec |
|
|
|
fac0ec |
This vulnerability was discovered by:
|
|
|
fac0ec |
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
fac0ec |
|
|
|
fac0ec |
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
|
fac0ec |
(cherry picked from commit 90304b3c2018a6b8f4a79de86364d2af15cb9ad8)
|
|
|
fac0ec |
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
|
|
|
fac0ec |
---
|
|
|
fac0ec |
xkb/xkbSwap.c | 2 +-
|
|
|
fac0ec |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
fac0ec |
|
|
|
fac0ec |
diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c
|
|
|
fac0ec |
index 1c1ed5ff4..50cabb90e 100644
|
|
|
fac0ec |
--- a/xkb/xkbSwap.c
|
|
|
fac0ec |
+++ b/xkb/xkbSwap.c
|
|
|
fac0ec |
@@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client)
|
|
|
fac0ec |
register unsigned bit, ndx, maskLeft, dataLeft, size;
|
|
|
fac0ec |
|
|
|
fac0ec |
from.c8 = (CARD8 *) &stuff[1];
|
|
|
fac0ec |
- dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq);
|
|
|
fac0ec |
+ dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq);
|
|
|
fac0ec |
maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask));
|
|
|
fac0ec |
for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) {
|
|
|
fac0ec |
if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify))
|
|
|
fac0ec |
--
|
|
|
fac0ec |
2.28.0
|
|
|
fac0ec |
|