Commit 2902b785 authored by Matthieu Herrb

Fix XRecordRegisterClients() Integer underflow

CVE-2020-14362 ZDI-CAN-11574

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
parent 144849ea
...@@ -2500,7 +2500,7 @@ SProcRecordQueryVersion(ClientPtr client) ...@@ -2500,7 +2500,7 @@ SProcRecordQueryVersion(ClientPtr client)
} /* SProcRecordQueryVersion */ } /* SProcRecordQueryVersion */
static int _X_COLD static int _X_COLD
SwapCreateRegister(xRecordRegisterClientsReq * stuff) SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
{ {
int i; int i;
XID *pClientID; XID *pClientID;
...@@ -2510,13 +2510,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff) ...@@ -2510,13 +2510,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
swapl(&stuff->nRanges); swapl(&stuff->nRanges);
pClientID = (XID *) &stuff[1]; pClientID = (XID *) &stuff[1];
if (stuff->nClients > if (stuff->nClients >
stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)) client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
return BadLength; return BadLength;
for (i = 0; i < stuff->nClients; i++, pClientID++) { for (i = 0; i < stuff->nClients; i++, pClientID++) {
swapl(pClientID); swapl(pClientID);
} }
if (stuff->nRanges > if (stuff->nRanges >
stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq) client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
- stuff->nClients) - stuff->nClients)
return BadLength; return BadLength;
RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges); RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
...@@ -2531,7 +2531,7 @@ SProcRecordCreateContext(ClientPtr client) ...@@ -2531,7 +2531,7 @@ SProcRecordCreateContext(ClientPtr client)
swaps(&stuff->length); swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq); REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
if ((status = SwapCreateRegister((void *) stuff)) != Success) if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
return status; return status;
return ProcRecordCreateContext(client); return ProcRecordCreateContext(client);
} /* SProcRecordCreateContext */ } /* SProcRecordCreateContext */
...@@ -2544,7 +2544,7 @@ SProcRecordRegisterClients(ClientPtr client) ...@@ -2544,7 +2544,7 @@ SProcRecordRegisterClients(ClientPtr client)
swaps(&stuff->length); swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq); REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
if ((status = SwapCreateRegister((void *) stuff)) != Success) if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
return status; return status;
return ProcRecordRegisterClients(client); return ProcRecordRegisterClients(client);
} /* SProcRecordRegisterClients */ } /* SProcRecordRegisterClients */
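Review bot: In the second hunk (SwapCreateRegister), the nRanges bound on the new line `client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) - stuff->nClients` counts the remaining 32-bit words, yet RecordSwapRanges is then handed nRanges whole xRecordRange structures; the structure's size is not visible in this hunk, but if it is wider than one word the check admits more ranges than the request carries and the swap runs past the validated length. If so, scaling the remainder by the range size in words, e.g. `stuff->nRanges > (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) - stuff->nClients) / bytes_to_int32(sizeof(xRecordRange))`, keeps the swap inside what REQUEST_AT_LEAST_SIZE and the nClients check have already accounted for. The switch from stuff->length to client->req_len also deserves a comment at the first check, since req_len is the value REQUEST_AT_LEAST_SIZE validated in both callers (third and fourth hunks) while the header's length field is the raw client-supplied value: `/* Bound on client->req_len, which REQUEST_AT_LEAST_SIZE validated; stuff->length is the raw header field. */`. SwapCreateRegister's closing return lies outside the hunk.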