Fix XRecordRegisterClients() Integer underflow
CVE-2020-14362 ZDI-CAN-11574

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
parent
144849ea27
commit
2902b78535
|
@ -2500,7 +2500,7 @@ SProcRecordQueryVersion(ClientPtr client)
|
||||||
} /* SProcRecordQueryVersion */
|
} /* SProcRecordQueryVersion */
|
||||||
|
|
||||||
static int _X_COLD
|
static int _X_COLD
|
||||||
SwapCreateRegister(xRecordRegisterClientsReq * stuff)
|
SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
|
||||||
{
|
{
|
||||||
int i;
|
int i;
|
||||||
XID *pClientID;
|
XID *pClientID;
|
||||||
|
@ -2510,13 +2510,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
|
||||||
swapl(&stuff->nRanges);
|
swapl(&stuff->nRanges);
|
||||||
pClientID = (XID *) &stuff[1];
|
pClientID = (XID *) &stuff[1];
|
||||||
if (stuff->nClients >
|
if (stuff->nClients >
|
||||||
stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
|
client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
|
||||||
return BadLength;
|
return BadLength;
|
||||||
for (i = 0; i < stuff->nClients; i++, pClientID++) {
|
for (i = 0; i < stuff->nClients; i++, pClientID++) {
|
||||||
swapl(pClientID);
|
swapl(pClientID);
|
||||||
}
|
}
|
||||||
if (stuff->nRanges >
|
if (stuff->nRanges >
|
||||||
stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
|
client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
|
||||||
- stuff->nClients)
|
- stuff->nClients)
|
||||||
return BadLength;
|
return BadLength;
|
||||||
RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
|
RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
|
||||||
|
@ -2531,7 +2531,7 @@ SProcRecordCreateContext(ClientPtr client)
|
||||||
|
|
||||||
swaps(&stuff->length);
|
swaps(&stuff->length);
|
||||||
REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
|
REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
|
||||||
if ((status = SwapCreateRegister((void *) stuff)) != Success)
|
if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
|
||||||
return status;
|
return status;
|
||||||
return ProcRecordCreateContext(client);
|
return ProcRecordCreateContext(client);
|
||||||
} /* SProcRecordCreateContext */
|
} /* SProcRecordCreateContext */
|
||||||
|
@ -2544,7 +2544,7 @@ SProcRecordRegisterClients(ClientPtr client)
|
||||||
|
|
||||||
swaps(&stuff->length);
|
swaps(&stuff->length);
|
||||||
REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
|
REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
|
||||||
if ((status = SwapCreateRegister((void *) stuff)) != Success)
|
if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
|
||||||
return status;
|
return status;
|
||||||
return ProcRecordRegisterClients(client);
|
return ProcRecordRegisterClients(client);
|
||||||
} /* SProcRecordRegisterClients */
|
} /* SProcRecordRegisterClients */
|
||||||
|
|
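Review bot: The second bound in SwapCreateRegister() compares `stuff->nRanges`, a count of xRecordRange records, against the number of 32-bit words left in the request, so it only bounds what RecordSwapRanges() touches if one range is exactly one word long. The size of xRecordRange is not shown in this section; if it is larger than a word, scale the remainder before comparing, e.g. `(client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) - stuff->nClients) / bytes_to_int32(sz_xRecordRange)`. The unsigned subtraction is also safe only because both callers run REQUEST_AT_LEAST_SIZE first, and SProcRecordCreateContext checks against xRecordCreateContextReq while the helper subtracts `sz_xRecordRegisterClientsReq`; a one-line comment above the first check stating that the two request headers are assumed to be the same size would make that dependency explicit. Part of the function body lies between and after the hunks shown, so this is based on the visible lines only.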