87b77835e5
Resolves: rhbz#2038067 Resolves: rhbz#2038070 Resolves: rhbz#2038072 Resolves: rhbz#2038074
36 lines
1.2 KiB
Diff
36 lines
1.2 KiB
Diff
From a8644465d98beb08759546711b77bb617861c67f Mon Sep 17 00:00:00 2001
|
|
From: Povilas Kanapickas <povilas@radix.lt>
|
|
Date: Tue, 14 Dec 2021 15:00:00 +0200
|
|
Subject: [PATCH xserver 1/4] record: Fix out of bounds access in
|
|
SwapCreateRegister()
|
|
|
|
ZDI-CAN-14952, CVE-2021-4011
|
|
|
|
This vulnerability was discovered and the fix was suggested by:
|
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
|
|
|
|
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
|
|
(cherry picked from commit e56f61c79fc3cee26d83cda0f84ae56d5979f768)
|
|
---
|
|
record/record.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/record/record.c b/record/record.c
|
|
index be154525d..e123867a7 100644
|
|
--- a/record/record.c
|
|
+++ b/record/record.c
|
|
@@ -2516,8 +2516,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
|
|
swapl(pClientID);
|
|
}
|
|
if (stuff->nRanges >
|
|
- client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
|
|
- - stuff->nClients)
|
|
+ (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
|
|
+ - stuff->nClients) / bytes_to_int32(sz_xRecordRange))
|
|
return BadLength;
|
|
RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
|
|
return Success;
|
|
--
|
|
2.33.1
|
|
|