From f24c85bdda7c38a5fc7d40fdcc43d56356f15ed1 Mon Sep 17 00:00:00 2001
From: Povilas Kanapickas
Date: Tue, 14 Dec 2021 15:00:00 +0200
Subject: [PATCH 1/4] record: Fix out of bounds access in SwapCreateRegister()

ZDI-CAN-14952, CVE-2021-4011

This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Povilas Kanapickas
(cherry picked from commit e56f61c79fc3cee26d83cda0f84ae56d5979f768)
---
 record/record.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/record/record.c b/record/record.c
index be154525d..e123867a7 100644
--- a/record/record.c
+++ b/record/record.c
@@ -2516,8 +2516,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
         swapl(pClientID);
     }
     if (stuff->nRanges >
-        client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
-        - stuff->nClients)
+        (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
+        - stuff->nClients) / bytes_to_int32(sz_xRecordRange))
         return BadLength;
     RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
     return Success;
-- 
GitLab
From 071e27d2e820aec1c4a7c29ef7af97ce9a020251 Mon Sep 17 00:00:00 2001
From: Povilas Kanapickas
Date: Tue, 14 Dec 2021 15:00:01 +0200
Subject: [PATCH 2/4] xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier()

ZDI-CAN-14950, CVE-2021-4009

This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Povilas Kanapickas
(cherry picked from commit b5196750099ae6ae582e1f46bd0a6dad29550e02)
---
 xfixes/cursor.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/xfixes/cursor.c b/xfixes/cursor.c
index 60580b88f..c5d4554b2 100644
--- a/xfixes/cursor.c
+++ b/xfixes/cursor.c
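Review bot: The new divisor makes the guard count whole xRecordRange entries, but the parenthesised subtraction is only meaningful if stuff->nClients was already bounded against client->req_len earlier in SwapCreateRegister (above this hunk, not visible here); if it was not, the term goes negative or wraps and, compared against the unsigned nRanges, the check is bypassed. A comment on the `if` should record that dependency, e.g. `/* nClients was checked against req_len above; what remains, in CARD32s, must hold nRanges ranges */`. The condition is also easier to audit with the remaining length named: `int remaining = client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) - stuff->nClients;` followed by `if (remaining < 0 || stuff->nRanges > remaining / bytes_to_int32(sz_xRecordRange)) return BadLength;`. SwapCreateRegister's body begins before the hunk.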
@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
 {
     REQUEST(xXFixesCreatePointerBarrierReq);
-    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
+    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
+                       pad_to_int32(stuff->num_devices * sizeof(CARD16)));
     LEGAL_NEW_RESOURCE(stuff->barrier, client);
     return XICreatePointerBarrier(client, stuff);
@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
     swaps(&stuff->length);
     swaps(&stuff->num_devices);
-    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
+    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
+                       pad_to_int32(stuff->num_devices * sizeof(CARD16)));
     swapl(&stuff->barrier);
     swapl(&stuff->window);
-- 
GitLab
From 157f041d565d207837af677fc5acefa16860c619 Mon Sep 17 00:00:00 2001
From: Povilas Kanapickas
Date: Tue, 14 Dec 2021 15:00:02 +0200
Subject: [PATCH 3/4] Xext: Fix out of bounds access in SProcScreenSaverSuspend()

ZDI-CAN-14951, CVE-2021-4010

This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Povilas Kanapickas
(cherry picked from commit 6c4c53010772e3cb4cb8acd54950c8eec9c00d21)
---
 Xext/saver.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Xext/saver.c b/Xext/saver.c
index 1d7e3cadf..f813ba08d 100644
--- a/Xext/saver.c
+++ b/Xext/saver.c
@@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client)
     REQUEST(xScreenSaverSuspendReq);
     swaps(&stuff->length);
-    swapl(&stuff->suspend);
     REQUEST_SIZE_MATCH(xScreenSaverSuspendReq);
+    swapl(&stuff->suspend);
     return ProcScreenSaverSuspend(client);
 }
-- 
GitLab
From 57e5992eb70b0506e287e814a2418e10e6af67a3 Mon Sep 17 00:00:00 2001
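Review bot: The variable part of the request is now sized as num_devices CARD16 ids in both ProcXFixesCreatePointerBarrier and SProcXFixesCreatePointerBarrier, but the expression is duplicated verbatim and nothing says what the trailing bytes are, so a later edit can easily drop the `* sizeof(CARD16)` again; a comment beside each REQUEST_FIXED_SIZE, `/* the fixed header is followed by num_devices CARD16 device ids, padded to 4 bytes */`, records the wire layout the size check enforces, and a single static helper computing that length would remove the duplication. num_devices is a 16-bit field (it is byte-swapped with swaps), so the product with sizeof(CARD16) cannot overflow and the arithmetic itself is sound. In the SProc variant the swaps of num_devices has to stay ahead of the size check because the macro presumably needs the host-order count; a `/* swapped first: the size check needs the real count */` on that line would keep it from being reordered. Both functions continue outside the hunks.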
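Review bot: Moving swapl(&stuff->suspend) below REQUEST_SIZE_MATCH is the right order, but nothing in SProcScreenSaverSuspend now states why only length may be touched before the size check, which is how the original ordering crept in; a comment on the REQUEST_SIZE_MATCH line, `/* only ->length may be swapped before the size check; other fields may lie past the buffer */`, pins the invariant. The same swap-length, check-size, swap-the-rest sequence is the safe shape for every SProc handler and is worth applying consistently when the others are touched. The function starts before the hunk.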
From: Povilas Kanapickas
Date: Tue, 14 Dec 2021 15:00:03 +0200
Subject: [PATCH 4/4] render: Fix out of bounds access in SProcRenderCompositeGlyphs()

ZDI-CAN-14192, CVE-2021-4008

This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Povilas Kanapickas
(cherry picked from commit ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60)
---
 render/render.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/render/render.c b/render/render.c
index c376090ca..456f156d4 100644
--- a/render/render.c
+++ b/render/render.c
@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
         i = elt->len;
         if (i == 0xff) {
+            if (buffer + 4 > end) {
+                return BadLength;
+            }
             swapl((int *) buffer);
             buffer += 4;
         }
@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client)
                 buffer += i;
                 break;
             case 2:
+                if (buffer + i * 2 > end) {
+                    return BadLength;
+                }
                 while (i--) {
                     swaps((short *) buffer);
                     buffer += 2;
                 }
                 break;
             case 4:
+                if (buffer + i * 4 > end) {
+                    return BadLength;
+                }
                 while (i--) {
                     swapl((int *) buffer);
                     buffer += 4;
-- 
GitLab
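Review bot: The three new guards in SProcRenderCompositeGlyphs, `buffer + 4 > end` here and `buffer + i * 2 > end` / `buffer + i * 4 > end` in the second hunk, form a pointer past the end of the request buffer before comparing it, which is undefined pointer arithmetic even though it works on every real target; phrasing the check as a remaining length keeps the arithmetic inside the object: `if (end - buffer < 4) {` in this hunk and `if (end - buffer < i * 2) {` / `if (end - buffer < i * 4) {` in the next. Since i is loaded from elt->len and the 0xff sentinel is handled just above, i appears to be a one-byte value, so i * 4 cannot overflow and the subtraction form is sufficient; buffer and end are declared outside the hunk, so confirm both are byte pointers so that the difference is in bytes. The enclosing while loop and switch begin before the first hunk, and the case 4 block runs past the end of the second.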