Xi: fix wrong extra length check in ProcXIChangeHierarchy (CVE-2017-12178)
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 859b08d523
)
This commit is contained in:
parent
c77cd08efc
commit
6c15122163
|
@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
|
|||
if (!stuff->num_changes)
|
||||
return rc;
|
||||
|
||||
len = ((size_t)stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
|
||||
len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
|
||||
|
||||
any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
|
||||
while (stuff->num_changes--) {
|
||||
|
|
Loading…
Reference in New Issue
Block a user