xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier()

ZDI-CAN-14950, CVE-2021-4009

This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
(cherry picked from commit b519675009)
Povilas Kanapickas 2021-12-15 10:41:19 +02:00
parent a82d523edb
commit 6f09e7d391


@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
{ {
REQUEST(xXFixesCreatePointerBarrierReq); REQUEST(xXFixesCreatePointerBarrierReq);
REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices)); REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
pad_to_int32(stuff->num_devices * sizeof(CARD16)));
LEGAL_NEW_RESOURCE(stuff->barrier, client); LEGAL_NEW_RESOURCE(stuff->barrier, client);
return XICreatePointerBarrier(client, stuff); return XICreatePointerBarrier(client, stuff);
@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
swaps(&stuff->length); swaps(&stuff->length);
swaps(&stuff->num_devices); swaps(&stuff->num_devices);
REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices)); REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
pad_to_int32(stuff->num_devices * sizeof(CARD16)));
swapl(&stuff->barrier); swapl(&stuff->barrier);
swapl(&stuff->window); swapl(&stuff->window);
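Review bot: The corrected length check in both handlers has no comment stating the unit it compares, which is the detail the old code got wrong: the multiplication by sizeof(CARD16) shows the request is followed by num_devices CARD16 entries, so the expected extra length is a byte count rather than an element count. A one-line comment above each REQUEST_FIXED_SIZE would keep that visible, for example `/* device list: num_devices CARD16 entries, length checked in bytes */`. Because the identical expression now appears in ProcXFixesCreatePointerBarrier and SProcXFixesCreatePointerBarrier, a small shared macro or helper for the expected size would keep the two from drifting apart. In the swapped handler, stuff->num_devices is byte-swapped before this check; the start of that function is outside the hunk, so it is worth confirming that a minimum-size check on the fixed part of the request precedes those swaps.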