You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
35 lines
1.2 KiB
35 lines
1.2 KiB
From a8644465d98beb08759546711b77bb617861c67f Mon Sep 17 00:00:00 2001 |
|
From: Povilas Kanapickas <povilas@radix.lt> |
|
Date: Tue, 14 Dec 2021 15:00:00 +0200 |
|
Subject: [PATCH xserver 1/4] record: Fix out of bounds access in |
|
SwapCreateRegister() |
|
|
|
ZDI-CAN-14952, CVE-2021-4011 |
|
|
|
This vulnerability was discovered and the fix was suggested by: |
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative |
|
|
|
Signed-off-by: Povilas Kanapickas <povilas@radix.lt> |
|
(cherry picked from commit e56f61c79fc3cee26d83cda0f84ae56d5979f768) |
|
--- |
|
record/record.c | 4 ++-- |
|
1 file changed, 2 insertions(+), 2 deletions(-) |
|
|
|
diff --git a/record/record.c b/record/record.c |
|
index be154525d..e123867a7 100644 |
|
--- a/record/record.c |
|
+++ b/record/record.c |
|
@@ -2516,8 +2516,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff) |
|
swapl(pClientID); |
|
} |
|
if (stuff->nRanges > |
|
- client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) |
|
- - stuff->nClients) |
|
+ (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) |
|
+ - stuff->nClients) / bytes_to_int32(sz_xRecordRange)) |
|
return BadLength; |
|
RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges); |
|
return Success; |
|
-- |
|
2.33.1 |
|
|
|
|