xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier()

ZDI-CAN-14950, CVE-2021-4009 This vulnerability was discovered and the fix was suggested by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
author: Povilas Kanapickas <povilas@radix.lt> 2021-12-14 15:00:01 +0200
committer: Povilas Kanapickas <povilas@radix.lt> 2021-12-14 15:00:01 +0200
commit: b5196750099ae6ae582e1f46bd0a6dad29550e02 (patch)
tree: fad0fcdfc058ccb47eb08ebe25b19c465c9d155a /xfixes
parent: e56f61c79fc3cee26d83cda0f84ae56d5979f768 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/xfixes/cursor.c b/xfixes/cursor.c
index 60580b88f..c5d4554b2 100644
--- a/xfixes/cursor.c
+++ b/xfixes/cursor.c
@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
 {
     REQUEST(xXFixesCreatePointerBarrierReq);
 
-    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
+    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
+                       pad_to_int32(stuff->num_devices * sizeof(CARD16)));
     LEGAL_NEW_RESOURCE(stuff->barrier, client);
 
     return XICreatePointerBarrier(client, stuff);
@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
 
     swaps(&stuff->length);
     swaps(&stuff->num_devices);
-    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
+    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
+                       pad_to_int32(stuff->num_devices * sizeof(CARD16)));
 
     swapl(&stuff->barrier);
     swapl(&stuff->window);
author	Povilas Kanapickas <povilas@radix.lt>	2021-12-14 15:00:01 +0200
committer	Povilas Kanapickas <povilas@radix.lt>	2021-12-14 15:00:01 +0200
commit	b5196750099ae6ae582e1f46bd0a6dad29550e02 (patch)
tree	fad0fcdfc058ccb47eb08ebe25b19c465c9d155a /xfixes
parent	e56f61c79fc3cee26d83cda0f84ae56d5979f768 (diff)