From a510fb811100bc27f0bfafe5d073998551161819 Mon Sep 17 00:00:00 2001 From: Michal Srb Date: Fri, 28 Jul 2017 16:27:10 +0200 Subject: Xext/shm: Validate shmseg resource id (CVE-2017-13721) Otherwise it can belong to a non-existing client and abort X server with FatalError "client not in use", or overwrite existing segment of another existing client. Signed-off-by: Julien Cristau (cherry picked from commit b95f25af141d33a65f6f821ea9c003f66a01e1f1) --- Xext/shm.c | 1 + 1 file changed, 1 insertion(+) (limited to 'Xext') diff --git a/Xext/shm.c b/Xext/shm.c index 1b622e353..c98d4a0c3 100644 --- a/Xext/shm.c +++ b/Xext/shm.c @@ -1238,6 +1238,7 @@ ProcShmCreateSegment(ClientPtr client) }; REQUEST_SIZE_MATCH(xShmCreateSegmentReq); + LEGAL_NEW_RESOURCE(stuff->shmseg, client); if ((stuff->readOnly != xTrue) && (stuff->readOnly != xFalse)) { client->errorValue = stuff->readOnly; return BadValue; -- cgit v1.2.3