| From 144849ea27230962227e62a943b399e2ab304787 Mon Sep 17 00:00:00 2001 |
| From: Matthieu Herrb <matthieu@herrb.eu> |
| Date: Tue, 18 Aug 2020 14:52:29 +0200 |
| Subject: [PATCH] Fix XkbSelectEvents() integer underflow |
| |
| CVE-2020-14361 ZDI-CAN 11573 |
| |
| This vulnerability was discovered by: |
| Jan-Niklas Sohn working with Trend Micro Zero Day Initiative |
| |
| Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> |
| |
| Upstream-Status: Backport |
| [https://gitlab.freedesktop.org/xorg/xserver/-/commit/144849ea27230962227e62a943b399e2ab304787] |
| CVE: CVE-2020-14361 |
| Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> |
| --- |
| xkb/xkbSwap.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c |
| index 1c1ed5ff4..50cabb90e 100644 |
| --- a/xkb/xkbSwap.c |
| +++ b/xkb/xkbSwap.c |
| @@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client) |
| register unsigned bit, ndx, maskLeft, dataLeft, size; |
| |
| from.c8 = (CARD8 *) &stuff[1]; |
| - dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq); |
| + dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq); |
| maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask)); |
| for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) { |
| if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify)) |
| -- |
| 2.17.1 |
| |