* Correct bounds checking in XkbSetNames() [CVE-2020-14345 / ZDI 11428, boo#1174635] - U_0002-Fix-XIChangeHierarchy-integer-underflow.patch * Fix XIChangeHierarchy() integer underflow [CVE-2020-14346 / ZDI-CAN-11429, boo#1174638] - U_0003-Fix-XkbSelectEvents-integer-underflow.patch * Fix XkbSelectEvents() integer underflow [CVE-2020-14361 / ZDI-CAN 11573, boo#1174910] - U_0004-Fix-XRecordRegisterClients-Integer-underflow.patch * Fix XRecordRegisterClients() Integer underflow [CVE-2020-14362 / ZDI-CAN-11574, boo#1174913] OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=773
From 2902b78535ecc6821cc027351818b28a5c7fdbdc Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Tue, 18 Aug 2020 14:55:01 +0200
Subject: [PATCH 4/4] Fix XRecordRegisterClients() Integer underflow
CVE-2020-14362 ZDI-CAN-11574
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
---
record/record.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
Index: xserver-1.20.8+0/record/record.c
===================================================================
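--- a/record/record.c
+++ b/record/record.c
@@ -2499,7 +2499,7 @@ SProcRecordQueryVersion(ClientPtr client
 } /* SProcRecordQueryVersion */
 
 static int _X_COLD
-SwapCreateRegister(xRecordRegisterClientsReq * stuff)
+SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
 {
 int i;
 XID *pClientID;
@@ -2509,13 +2509,13 @@ SwapCreateRegister(xRecordRegisterClient
 swapl(&stuff->nRanges);
 pClientID = (XID *) &stuff[1];
 if (stuff->nClients >
- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
 return BadLength;
 for (i = 0; i < stuff->nClients; i++, pClientID++) {
 swapl(pClientID);
 }
 if (stuff->nRanges >
- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
+ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
 - stuff->nClients)
 return BadLength;
 RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
@@ -2530,7 +2530,7 @@ SProcRecordCreateContext(ClientPtr clien
 
 swaps(&stuff->length);
 REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
- if ((status = SwapCreateRegister((void *) stuff)) != Success)
+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
 return status;
 return ProcRecordCreateContext(client);
 } /* SProcRecordCreateContext */
@@ -2543,7 +2543,7 @@ SProcRecordRegisterClients(ClientPtr cli
 
 swaps(&stuff->length);
 REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
- if ((status = SwapCreateRegister((void *) stuff)) != Success)
+ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
 return status;
 return ProcRecordRegisterClients(client);
 } /* SProcRecordRegisterClients */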
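Review bot: The second bound in SwapCreateRegister() still mixes units: `stuff->nRanges` counts xRecordRange records, while the right-hand side is the remaining request length in 4-byte words. The definition of xRecordRange is not on this page, but in the Record protocol headers it is larger than one word, so the check can pass for a range count whose records extend past the end of the request before RecordSwapRanges() byte-swaps them. Dividing the remaining words by the per-record size closes that gap, e.g. `if (stuff->nRanges > (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) - stuff->nClients) / bytes_to_int32(sz_xRecordRange))`. As far as these hunks show, both callers run only REQUEST_AT_LEAST_SIZE before calling in, so this comparison is the only limit on that swap loop. The beginning and the tail of SwapCreateRegister() fall outside the hunks.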