diff options
author | Povilas Kanapickas <povilas@radix.lt> | 2021-12-14 15:00:00 +0200 |
---|---|---|
committer | Olivier Fourdan <ofourdan@redhat.com> | 2021-12-14 14:51:49 +0100 |
commit | a8644465d98beb08759546711b77bb617861c67f (patch) | |
tree | 42044b0cbc4ed768c022df02e709f279b09fcce2 | |
parent | bdc00ba749ac6cde35c025f5f6b1a5b49c1f4960 (diff) | |
download | xserver-a8644465d98beb08759546711b77bb617861c67f.tar.gz |
record: Fix out of bounds access in SwapCreateRegister()
ZDI-CAN-14952, CVE-2021-4011
This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
(cherry picked from commit e56f61c79fc3cee26d83cda0f84ae56d5979f768)
-rw-r--r-- | record/record.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/record/record.c b/record/record.c index be154525d..e123867a7 100644 --- a/record/record.c +++ b/record/record.c @@ -2516,8 +2516,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff) swapl(pClientID); } if (stuff->nRanges > - client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) - - stuff->nClients) + (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) + - stuff->nClients) / bytes_to_int32(sz_xRecordRange)) return BadLength; RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges); return Success; |