Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15:Update
xorg-x11-server.16221
U_0004-Fix-XRecordRegisterClients-Integer-under...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File U_0004-Fix-XRecordRegisterClients-Integer-underflow.patch of Package xorg-x11-server.16221
From 2902b78535ecc6821cc027351818b28a5c7fdbdc Mon Sep 17 00:00:00 2001 From: Matthieu Herrb <matthieu@herrb.eu> Date: Tue, 18 Aug 2020 14:55:01 +0200 Subject: [PATCH 4/4] Fix XRecordRegisterClients() Integer underflow CVE-2020-14362 ZDI-CAN-11574 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> --- record/record.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) Index: xorg-server-1.19.6/record/record.c =================================================================== --- xorg-server-1.19.6.orig/record/record.c +++ xorg-server-1.19.6/record/record.c @@ -2499,7 +2499,7 @@ SProcRecordQueryVersion(ClientPtr client } /* SProcRecordQueryVersion */ static int -SwapCreateRegister(xRecordRegisterClientsReq * stuff) +SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff) { int i; XID *pClientID; @@ -2509,13 +2509,13 @@ SwapCreateRegister(xRecordRegisterClient swapl(&stuff->nRanges); pClientID = (XID *) &stuff[1]; if (stuff->nClients > - stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)) + client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)) return BadLength; for (i = 0; i < stuff->nClients; i++, pClientID++) { swapl(pClientID); } if (stuff->nRanges > - stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq) + client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) - stuff->nClients) return BadLength; RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges); @@ -2530,7 +2530,7 @@ SProcRecordCreateContext(ClientPtr clien swaps(&stuff->length); REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq); - if ((status = SwapCreateRegister((void *) stuff)) != Success) + if ((status = SwapCreateRegister(client, (void *) stuff)) != Success) return status; return ProcRecordCreateContext(client); } /* SProcRecordCreateContext */ @@ -2543,7 +2543,7 @@ SProcRecordRegisterClients(ClientPtr cli swaps(&stuff->length); REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq); - if ((status = SwapCreateRegister((void *) stuff)) != Success) + if ((status = SwapCreateRegister(client, (void *) stuff)) != Success) return status; return ProcRecordRegisterClients(client); } /* SProcRecordRegisterClients */
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor