Fix XChangeFeedbackControl() request underflow
CVE-2021-3472 / ZDI-CAN-1259
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
(cherry picked from commit 7aaf54a188
)
This commit is contained in:
parent
2a327e5860
commit
1e4bf85df1
|
@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr client)
|
||||||
break;
|
break;
|
||||||
case StringFeedbackClass:
|
case StringFeedbackClass:
|
||||||
{
|
{
|
||||||
xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
|
xStringFeedbackCtl *f;
|
||||||
|
|
||||||
|
REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq,
|
||||||
|
sizeof(xStringFeedbackCtl));
|
||||||
|
f = ((xStringFeedbackCtl *) &stuff[1]);
|
||||||
if (client->swapped) {
|
if (client->swapped) {
|
||||||
if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
|
if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
|
||||||
return BadLength;
|
return BadLength;
|
||||||
|
|
Loading…
Reference in New Issue