Commit ebce7e2d authored by Povilas Kanapickas

render: Fix out of bounds access in SProcRenderCompositeGlyphs()



ZDI-CAN-14192, CVE-2021-4008

This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
parent 6c4c5301
...@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client) ...@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
i = elt->len; i = elt->len;
if (i == 0xff) { if (i == 0xff) {
if (buffer + 4 > end) {
return BadLength;
}
swapl((int *) buffer); swapl((int *) buffer);
buffer += 4; buffer += 4;
} }
...@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client) ...@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client)
buffer += i; buffer += i;
break; break;
case 2: case 2:
if (buffer + i * 2 > end) {
return BadLength;
}
while (i--) { while (i--) {
swaps((short *) buffer); swaps((short *) buffer);
buffer += 2; buffer += 2;
} }
break; break;
case 4: case 4:
if (buffer + i * 4 > end) {
return BadLength;
}
while (i--) { while (i--) {
swapl((int *) buffer); swapl((int *) buffer);
buffer += 4; buffer += 4;
......
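Review bot: The three added guards (`buffer + 4 > end`, `buffer + i * 2 > end`, `buffer + i * 4 > end`) build a pointer that can lie beyond one-past-`end` before the comparison is made, which is undefined behaviour in C, so the result of the test is not guaranteed for exactly the oversized lengths it is meant to reject. Comparing the remaining length avoids forming that pointer: `if (end - buffer < 4)`, `if (end - buffer < i * 2)` and `if (end - buffer < i * 4)`, each still returning `BadLength`. That form relies on `buffer <= end` holding on entry, and the unguarded `buffer += i;` just before `case 2:` can step past `end` without any check, so it would want the same test (`if (end - buffer < i) return BadLength;`). The declarations of `i`, `buffer` and `end` and the enclosing loop are outside the hunks, so the operand types and the loop condition should be confirmed before applying this.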