frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix XRecordRegisterClients() Integer underflow 

CVE-2020-14362 ZDI-CAN-11574

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
This commit is contained in:
Matthieu Herrb 2020-08-18 14:55:01 +02:00
parent 144849ea27
commit 2902b78535
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
record/record.c
View File

@ -2500,7 +2500,7 @@ SProcRecordQueryVersion(ClientPtr client)
} /* SProcRecordQueryVersion */ } /* SProcRecordQueryVersion */
static int _X_COLD static int _X_COLD
SwapCreateRegister(xRecordRegisterClientsReq * stuff) SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
{ {
int i; int i;
XID *pClientID; XID *pClientID;
@ -2510,13 +2510,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
swapl(&stuff->nRanges); swapl(&stuff->nRanges);
pClientID = (XID *) &stuff[1]; pClientID = (XID *) &stuff[1];
if (stuff->nClients > if (stuff->nClients >
stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)) client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
return BadLength; return BadLength;
for (i = 0; i < stuff->nClients; i++, pClientID++) { for (i = 0; i < stuff->nClients; i++, pClientID++) {
swapl(pClientID); swapl(pClientID);
} }
if (stuff->nRanges > if (stuff->nRanges >
stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq) client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
- stuff->nClients) - stuff->nClients)
return BadLength; return BadLength;
RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges); RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
@ -2531,7 +2531,7 @@ SProcRecordCreateContext(ClientPtr client)
swaps(&stuff->length); swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq); REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
if ((status = SwapCreateRegister((void *) stuff)) != Success) if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
return status; return status;
return ProcRecordCreateContext(client); return ProcRecordCreateContext(client);
} /* SProcRecordCreateContext */ } /* SProcRecordCreateContext */
@ -2544,7 +2544,7 @@ SProcRecordRegisterClients(ClientPtr client)
swaps(&stuff->length); swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq); REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
if ((status = SwapCreateRegister((void *) stuff)) != Success) if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
return status; return status;
return ProcRecordRegisterClients(client); return ProcRecordRegisterClients(client);
} /* SProcRecordRegisterClients */ } /* SProcRecordRegisterClients */