Fix XIChangeHierarchy() integer underflow

CVE-2020-14346 / ZDI-CAN-11429 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> (cherry picked from commit 1e3392b07923987c6c9d09cf75b24f397b59bd5e)
2020-08-18 14:49:04 +02:00 · 2020-08-18 14:49:04 +02:00 · eff3f6cdd3
parent 1d3a1092c3
commit eff3f6cdd3
1 changed files with 1 additions and 1 deletions
--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
    if (!stuff->num_changes)
        return rc;

-    len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
+    len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);

    any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
    while (stuff->num_changes--) {