render: Fix out of bounds access in SProcRenderCompositeGlyphs()

ZDI-CAN-14192, CVE-2021-4008

This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
(cherry picked from commit ebce7e2d80)
Povilas Kanapickas 2021-12-14 15:00:03 +02:00 committed by Matt Turner
parent 67425fcab5
commit 35b4681c79


@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
i = elt->len; i = elt->len;
if (i == 0xff) { if (i == 0xff) {
if (buffer + 4 > end) {
return BadLength;
}
swapl((int *) buffer); swapl((int *) buffer);
buffer += 4; buffer += 4;
} }
@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client)
buffer += i; buffer += i;
break; break;
case 2: case 2:
if (buffer + i * 2 > end) {
return BadLength;
}
while (i--) { while (i--) {
swaps((short *) buffer); swaps((short *) buffer);
buffer += 2; buffer += 2;
} }
break; break;
case 4: case 4:
if (buffer + i * 4 > end) {
return BadLength;
}
while (i--) { while (i--) {
swapl((int *) buffer); swapl((int *) buffer);
buffer += 4; buffer += 4;
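Review bot: The three added guards (`buffer + 4 > end`, `buffer + i * 2 > end`, `buffer + i * 4 > end`) form the advanced pointer before comparing it, so the out-of-range pointer is still computed in exactly the case being rejected; comparing against the bytes that remain keeps the arithmetic inside the request, e.g. `if (end - buffer < 4)` in the 0xff branch and `if (i * 2 > end - buffer)` / `if (i * 4 > end - buffer)` for cases 2 and 4. `case 1` still does `buffer += i;` with no matching check; nothing is swapped there, but whether the loop condition copes with `buffer` landing past `end` cannot be seen from these hunks, so a guard of the same form would keep the three cases consistent. A short comment above the first guard, such as `/* len is client-supplied: verify the data fits before swapping in place */`, would record why the checks exist. The body of SProcRenderCompositeGlyphs() starts and ends outside the hunks and the declaration of `i` is not visible, so the suggested comparisons assume it is a non-negative integer.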