diff options
author | Matthieu Herrb <matthieu@herrb.eu> | 2021-03-21 18:38:57 +0100 |
---|---|---|
committer | Matthieu Herrb <matthieu.herrb@laas.fr> | 2021-04-13 14:28:13 +0200 |
commit | 7aaf54a1884f71dc363f0b884e57bcb67407a6cd (patch) | |
tree | 2add8dd2fbad45e14cf80b96eac9d9002fefba0b | |
parent | 66ce61983db0a067e48143750c4d5557d5638b1c (diff) |
Fix XChangeFeedbackControl() request underflow
CVE-2021-3472 / ZDI-CAN-1259
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
-rw-r--r-- | Xi/chgfctl.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c index 1de4da9ef..7a597e43d 100644 --- a/Xi/chgfctl.c +++ b/Xi/chgfctl.c @@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr client) break; case StringFeedbackClass: { - xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]); + xStringFeedbackCtl *f; + REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq, + sizeof(xStringFeedbackCtl)); + f = ((xStringFeedbackCtl *) &stuff[1]); if (client->swapped) { if (len < bytes_to_int32(sizeof(xStringFeedbackCtl))) return BadLength; |