From a8644465d98beb08759546711b77bb617861c67f Mon Sep 17 00:00:00 2001 From: Povilas Kanapickas Date: Tue, 14 Dec 2021 15:00:00 +0200 Subject: [PATCH xserver 1/4] record: Fix out of bounds access in SwapCreateRegister() ZDI-CAN-14952, CVE-2021-4011 This vulnerability was discovered and the fix was suggested by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Povilas Kanapickas (cherry picked from commit e56f61c79fc3cee26d83cda0f84ae56d5979f768) --- record/record.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/record/record.c b/record/record.c index be154525d..e123867a7 100644 --- a/record/record.c +++ b/record/record.c @@ -2516,8 +2516,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff) swapl(pClientID); } if (stuff->nRanges > - client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) - - stuff->nClients) + (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) + - stuff->nClients) / bytes_to_int32(sz_xRecordRange)) return BadLength; RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges); return Success; -- 2.33.1