Commit ebce7e2d authored by Povilas Kanapickas's avatar Povilas Kanapickas

render: Fix out of bounds access in SProcRenderCompositeGlyphs()



ZDI-CAN-14192, CVE-2021-4008

This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
parent 6c4c5301
......@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
i = elt->len;
if (i == 0xff) {
if (buffer + 4 > end) {
return BadLength;
}
swapl((int *) buffer);
buffer += 4;
}
......@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client)
buffer += i;
break;
case 2:
if (buffer + i * 2 > end) {
return BadLength;
}
while (i--) {
swaps((short *) buffer);
buffer += 2;
}
break;
case 4:
if (buffer + i * 4 > end) {
return BadLength;
}
while (i--) {
swapl((int *) buffer);
buffer += 4;
......
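Review bot: The three added guards (`buffer + 4 > end`, `buffer + i * 2 > end`, `buffer + i * 4 > end`) do the bounds test with pointer arithmetic, so in the short-request case they reject, the left-hand side is already a pointer past `end`. Assuming `end` is the end of the request buffer, going beyond one-past-the-end is undefined in C and a compiler may reason the comparison away. Comparing against the remaining byte count keeps the check in integer arithmetic: `if (4 > end - buffer) return BadLength;`, `if (i * 2 > end - buffer) return BadLength;`, `if (i * 4 > end - buffer) return BadLength;`. The `case 1:` context just above the second hunk still does `buffer += i` with no guard. It dereferences nothing, but it appears to rely on the loop condition outside these hunks to stop the walk, so either give it the same `i > end - buffer` check or add a comment such as `/* no swap needed; loop condition rejects buffer >= end */`. The body of SProcRenderCompositeGlyphs starts and ends outside the hunks shown.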