Fix XRecordRegisterClients() Integer underflow

CVE-2020-14362 ZDI-CAN-11574 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
2020-08-18 14:55:01 +02:00 · 2020-08-18 14:55:01 +02:00 · 2902b78535
parent 144849ea27
commit 2902b78535
1 changed files with 5 additions and 5 deletions
--- a/record/record.c
+++ b/record/record.c
@ -2500,7 +2500,7 @@ SProcRecordQueryVersion(ClientPtr client)
 }                               /* SProcRecordQueryVersion */

 static int _X_COLD
-SwapCreateRegister(xRecordRegisterClientsReq * stuff)
+SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
 {
    int i;
    XID *pClientID;
@ -2510,13 +2510,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
    swapl(&stuff->nRanges);
    pClientID = (XID *) &stuff[1];
    if (stuff->nClients >
-        stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
+        client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
        return BadLength;
    for (i = 0; i < stuff->nClients; i++, pClientID++) {
        swapl(pClientID);
    }
    if (stuff->nRanges >
-        stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
+        client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
        - stuff->nClients)
        return BadLength;
    RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
@ -2531,7 +2531,7 @@ SProcRecordCreateContext(ClientPtr client)

    swaps(&stuff->length);
    REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
-    if ((status = SwapCreateRegister((void *) stuff)) != Success)
+    if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
        return status;
    return ProcRecordCreateContext(client);
 }                               /* SProcRecordCreateContext */
@ -2544,7 +2544,7 @@ SProcRecordRegisterClients(ClientPtr client)

    swaps(&stuff->length);
    REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
-    if ((status = SwapCreateRegister((void *) stuff)) != Success)
+    if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
        return status;
    return ProcRecordRegisterClients(client);
 }                               /* SProcRecordRegisterClients */