Andrew Geissler | c926e17 | 2021-05-07 16:11:35 -0500 | 1 | From 7aaf54a1884f71dc363f0b884e57bcb67407a6cd Mon Sep 17 00:00:00 2001 |
| 2 | From: Matthieu Herrb <matthieu@herrb.eu> |
| 3 | Date: Sun, 21 Mar 2021 18:38:57 +0100 |
| 4 | Subject: [PATCH] Fix XChangeFeedbackControl() request underflow |
| 5 | |
| 6 | CVE-2021-3472 / ZDI-CAN-1259 |
| 7 | |
| 8 | This vulnerability was discovered by: |
| 9 | Jan-Niklas Sohn working with Trend Micro Zero Day Initiative |
| 10 | |
| 11 | Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> |
| 12 | |
| 13 | Upstream-Status: Backport |
| 14 | CVE: CVE-2021-3472 |
| 15 | |
| 16 | Reference to upstream patch: |
| 17 | [https://gitlab.freedesktop.org/xorg/xserver/-/commit/7aaf54a1884f71dc363f0b884e57bcb67407a6cd] |
| 18 | |
| 19 | Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> |
| 20 | --- |
| 21 | Xi/chgfctl.c | 5 ++++- |
| 22 | 1 file changed, 4 insertions(+), 1 deletion(-) |
| 23 | |
| 24 | diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c |
| 25 | index 1de4da9..7a597e4 100644 |
| 26 | --- a/Xi/chgfctl.c |
| 27 | +++ b/Xi/chgfctl.c |
| 28 | @@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr client) |
| 29 | break; |
| 30 | case StringFeedbackClass: |
| 31 | { |
| 32 | - xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]); |
| 33 | + xStringFeedbackCtl *f; |
| 34 | |
| 35 | + REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq, |
| 36 | + sizeof(xStringFeedbackCtl)); |
| 37 | + f = ((xStringFeedbackCtl *) &stuff[1]); |
| 38 | if (client->swapped) { |
| 39 | if (len < bytes_to_int32(sizeof(xStringFeedbackCtl))) |
| 40 | return BadLength; |
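Review bot: In the `StringFeedbackClass` case, the older `if (len < bytes_to_int32(sizeof(xStringFeedbackCtl))) return BadLength;` is still present only inside the `client->swapped` branch, so two different length checks now guard the same struct and the hunk does not show which one the non-swapped path depends on. If `len` is derived from the request length (its definition is outside the visible lines), the new `REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq, sizeof(xStringFeedbackCtl))` already covers both paths, and the older check could be dropped or given a comment saying why it stays. The commit message carries only the CVE and ZDI identifiers; one sentence stating that `&stuff[1]` was cast to `xStringFeedbackCtl *` before the request size had been validated would help anyone reviewing the backport. Only this case of the switch is visible here, so it is also worth confirming that the other feedback classes validate the extra size before their own casts.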
| 41 | -- |
| 42 | 2.17.1 |
| 43 | |