diff options
author | Povilas Kanapickas <povilas@radix.lt> | 2021-12-14 15:00:03 +0200 |
---|---|---|
committer | Olivier Fourdan <ofourdan@redhat.com> | 2021-12-14 14:51:49 +0100 |
commit | 59c977bff66de77bd93ce8853e33e1b4ca661a49 (patch) | |
tree | fa4d6801e868f5c4e2e99db9b386b5d3a600caf9 | |
parent | fe0c050276c09f43cc1ae80b4553db42398ca84c (diff) |
render: Fix out of bounds access in SProcRenderCompositeGlyphs()
ZDI-CAN-14192, CVE-2021-4008
This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
(cherry picked from commit ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60)
-rw-r--r-- | render/render.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/render/render.c b/render/render.c index c376090ca..456f156d4 100644 --- a/render/render.c +++ b/render/render.c @@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client) i = elt->len; if (i == 0xff) { + if (buffer + 4 > end) { + return BadLength; + } swapl((int *) buffer); buffer += 4; } @@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client) buffer += i; break; case 2: + if (buffer + i * 2 > end) { + return BadLength; + } while (i--) { swaps((short *) buffer); buffer += 2; } break; case 4: + if (buffer + i * 4 > end) { + return BadLength; + } while (i--) { swapl((int *) buffer); buffer += 4; |