Commit e56f61c7 authored by Povilas Kanapickas

record: Fix out of bounds access in SwapCreateRegister()



ZDI-CAN-14952, CVE-2021-4011

This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
parent 4de9666b
......@@ -2516,8 +2516,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
swapl(pClientID);
}
if (stuff->nRanges >
client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
- stuff->nClients)
(client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
- stuff->nClients) / bytes_to_int32(sz_xRecordRange))
return BadLength;
RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
return Success;
......
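Review bot: The corrected bound on `stuff->nRanges` (the parenthesised expression ending in `/ bytes_to_int32(sz_xRecordRange)`) has no comment explaining its units, and that unit mismatch is the whole bug. The remaining request length is counted in 32-bit words, while each range passed to `RecordSwapRanges()` occupies `bytes_to_int32(sz_xRecordRange)` words. A one-line comment above the `if` would keep a later cleanup from dropping the division again. Separately, the subtraction `- stuff->nClients` is only safe if `nClients` has already been checked against the remaining length before the `swapl(pClientID)` loop. That check is outside the visible context, so please confirm it is there, because otherwise the difference could wrap before the division and the `BadLength` return would be skipped. The integer division rounds down, which is the safe direction for this comparison.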