Fix XIChangeHierarchy() integer underflow
CVE-2020-14346 / ZDI-CAN-11429 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> (cherry picked from commit 1e3392b07923987c6c9d09cf75b24f397b59bd5e)
This commit is contained in:
Matthieu Herrb
parent
1d3a1092c3
commit
eff3f6cdd3
|
|
@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
|
||||||
if (!stuff->num_changes)
|
if (!stuff->num_changes)
|
||||||
return rc;
|
return rc;
|
||||||
|
|
||||||
len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
|
len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);
|
||||||
|
|
||||||
any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
|
any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
|
||||||
while (stuff->num_changes--) {
|
while (stuff->num_changes--) {
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue