diff options
| author | Michal Srb <msrb@suse.com> | 2017-07-28 16:27:10 +0200 |
|---|---|---|
| committer | Adam Jackson <ajax@redhat.com> | 2017-10-04 15:09:13 -0400 |
| commit | a510fb811100bc27f0bfafe5d073998551161819 (patch) | |
| tree | 5a23e26eeaadb340c5c6f28e364f7227001011bf /Xext | |
| parent | 3cea13cc40e2421ebefcf2ee0eb949a7bc4e63fd (diff) | |
Xext/shm: Validate shmseg resource id (CVE-2017-13721)
Otherwise it can belong to a non-existing client and abort X server with
FatalError "client not in use", or overwrite existing segment of another
existing client.
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit b95f25af141d33a65f6f821ea9c003f66a01e1f1)
Diffstat (limited to 'Xext')
| -rw-r--r-- | Xext/shm.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/Xext/shm.c b/Xext/shm.c index 1b622e353..c98d4a0c3 100644 --- a/Xext/shm.c +++ b/Xext/shm.c @@ -1238,6 +1238,7 @@ ProcShmCreateSegment(ClientPtr client) }; REQUEST_SIZE_MATCH(xShmCreateSegmentReq); + LEGAL_NEW_RESOURCE(stuff->shmseg, client); if ((stuff->readOnly != xTrue) && (stuff->readOnly != xFalse)) { client->errorValue = stuff->readOnly; return BadValue; |