diff options
author | Matthieu Herrb <matthieu@herrb.eu> | 2020-08-18 14:55:01 +0200 |
---|---|---|
committer | Matthieu Herrb <matthieu@herrb.eu> | 2020-08-25 17:13:31 +0200 |
commit | 705d7213935820d9f56563ee9e17aa9beb365c1e (patch) | |
tree | 1888dbff1e36cc1b7578d8c1ed90a0fcda0b9ef2 | |
parent | 5b384e7678c5a155dd8752f018c8292153c1295e (diff) |
Fix XRecordRegisterClients() Integer underflow
CVE-2020-14362 ZDI-CAN-11574
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
(cherry picked from commit 24acad216aa0fc2ac451c67b2b86db057a032050)
-rw-r--r-- | record/record.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/record/record.c b/record/record.c index f0b739b0c..05d751ac2 100644 --- a/record/record.c +++ b/record/record.c @@ -2499,7 +2499,7 @@ SProcRecordQueryVersion(ClientPtr client) } /* SProcRecordQueryVersion */ static int _X_COLD -SwapCreateRegister(xRecordRegisterClientsReq * stuff) +SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff) { int i; XID *pClientID; @@ -2509,13 +2509,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff) swapl(&stuff->nRanges); pClientID = (XID *) &stuff[1]; if (stuff->nClients > - stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)) + client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)) return BadLength; for (i = 0; i < stuff->nClients; i++, pClientID++) { swapl(pClientID); } if (stuff->nRanges > - stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq) + client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) - stuff->nClients) return BadLength; RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges); @@ -2530,7 +2530,7 @@ SProcRecordCreateContext(ClientPtr client) swaps(&stuff->length); REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq); - if ((status = SwapCreateRegister((void *) stuff)) != Success) + if ((status = SwapCreateRegister(client, (void *) stuff)) != Success) return status; return ProcRecordCreateContext(client); } /* SProcRecordCreateContext */ @@ -2543,7 +2543,7 @@ SProcRecordRegisterClients(ClientPtr client) swaps(&stuff->length); REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq); - if ((status = SwapCreateRegister((void *) stuff)) != Success) + if ((status = SwapCreateRegister(client, (void *) stuff)) != Success) return status; return ProcRecordRegisterClients(client); } /* SProcRecordRegisterClients */ |