Fix XIChangeHierarchy() integer underflow
CVE-2020-14346 / ZDI-CAN-11429 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
This commit is contained in:
parent
f7cd1276bb
commit
c940cc8b6c
|
@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
|
||||||
if (!stuff->num_changes)
|
if (!stuff->num_changes)
|
||||||
return rc;
|
return rc;
|
||||||
|
|
||||||
len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
|
len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);
|
||||||
|
|
||||||
any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
|
any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
|
||||||
while (stuff->num_changes--) {
|
while (stuff->num_changes--) {
|
||||||
|
|
Loading…
Reference in New Issue