You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
53 lines
1.6 KiB
53 lines
1.6 KiB
From 35b4681c79480d980bd8dcba390146aad7817c47 Mon Sep 17 00:00:00 2001 |
|
From: Povilas Kanapickas <povilas@radix.lt> |
|
Date: Tue, 14 Dec 2021 15:00:03 +0200 |
|
Subject: [PATCH xserver 4/4] render: Fix out of bounds access in |
|
SProcRenderCompositeGlyphs() |
|
|
|
ZDI-CAN-14192, CVE-2021-4008 |
|
|
|
This vulnerability was discovered and the fix was suggested by: |
|
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative |
|
|
|
Signed-off-by: Povilas Kanapickas <povilas@radix.lt> |
|
(cherry picked from commit ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60) |
|
--- |
|
render/render.c | 9 +++++++++ |
|
1 file changed, 9 insertions(+) |
|
|
|
diff --git a/render/render.c b/render/render.c |
|
index c376090ca..456f156d4 100644 |
|
--- a/render/render.c |
|
+++ b/render/render.c |
|
@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client) |
|
|
|
i = elt->len; |
|
if (i == 0xff) { |
|
+ if (buffer + 4 > end) { |
|
+ return BadLength; |
|
+ } |
|
swapl((int *) buffer); |
|
buffer += 4; |
|
} |
|
@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client) |
|
buffer += i; |
|
break; |
|
case 2: |
|
+ if (buffer + i * 2 > end) { |
|
+ return BadLength; |
|
+ } |
|
while (i--) { |
|
swaps((short *) buffer); |
|
buffer += 2; |
|
} |
|
break; |
|
case 4: |
|
+ if (buffer + i * 4 > end) { |
|
+ return BadLength; |
|
+ } |
|
while (i--) { |
|
swapl((int *) buffer); |
|
buffer += 4; |
|
-- |
|
2.33.1 |
|
|
|
|