Xi: Zero target buffer in SProcXSendExtensionEvent.
Make sure that the xEvent eventT is initialized with zeros, the same way as in SProcSendEvent. Some event swapping functions do not overwrite all 32 bytes of xEvent structure, for example XSecurityAuthorizationRevoked. Two cooperating clients, one swapped and the other not, can send XSecurityAuthorizationRevoked event to each other to retrieve old stack data from X server. This can be potentialy misused to go around ASLR or stack-protector. Signed-off-by: Michal Srb <msrb@suse.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
This commit is contained in:
parent
d82c3cee02
commit
05442de962
|
@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
|
|||
{
|
||||
CARD32 *p;
|
||||
int i;
|
||||
xEvent eventT;
|
||||
xEvent eventT = { .u.u.type = 0 };
|
||||
xEvent *eventP;
|
||||
EventSwapPtr proc;
|
||||
|
||||
|
|
Loading…
Reference in New Issue