frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

record: Fix out of bounds access in SwapCreateRegister() 

ZDI-CAN-14952, CVE-2021-4011

This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
(cherry picked from commit e56f61c79f)
This commit is contained in:
Povilas Kanapickas 2021-12-14 15:00:00 +02:00 committed by Matt Turner
parent 5ff3310b69
commit acc50e6097
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
record/record.c
View File

@ -2515,8 +2515,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
swapl(pClientID); swapl(pClientID);
} }
if (stuff->nRanges > if (stuff->nRanges >
client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
- stuff->nClients) - stuff->nClients) / bytes_to_int32(sz_xRecordRange))
return BadLength; return BadLength;
RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges); RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
return Success; return Success;