blob: 710cc3873c68b1fea7e6fcc23c68f61d2f9ac45f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
|
From 144849ea27230962227e62a943b399e2ab304787 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Tue, 18 Aug 2020 14:52:29 +0200
Subject: [PATCH] Fix XkbSelectEvents() integer underflow
CVE-2020-14361 ZDI-CAN 11573
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
Upstream-Status: Backport
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/144849ea27230962227e62a943b399e2ab304787]
CVE: CVE-2020-14361
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
xkb/xkbSwap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c
index 1c1ed5ff4..50cabb90e 100644
--- a/xkb/xkbSwap.c
+++ b/xkb/xkbSwap.c
@@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client)
register unsigned bit, ndx, maskLeft, dataLeft, size;
from.c8 = (CARD8 *) &stuff[1];
- dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq);
+ dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq);
maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask));
for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) {
if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify))
--
2.17.1
|
