Fix XIChangeHierarchy() integer underflow
CVE-2020-14346 / ZDI-CAN-11429 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
This commit is contained in:
Matthieu Herrb
parent
f7cd1276bb
commit
c940cc8b6c
|
|
@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
|
|||
if (!stuff->num_changes)
|
||||
return rc;
|
||||
|
||||
len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
|
||||
len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);
|
||||
|
||||
any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
|
||||
while (stuff->num_changes--) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue