diff options
author | Matthieu Herrb <matthieu@herrb.eu> | 2021-03-21 18:38:57 +0100 |
---|---|---|
committer | Matthieu Herrb <matthieu.herrb@laas.fr> | 2021-04-13 15:55:03 +0200 |
commit | a1a1aa2c14636284669b28a956d756d5705dcf15 (patch) | |
tree | fc476ceb3ade8be39f6ec203119ad7e88f0b368e | |
parent | 8890c44a75304097667ac7d42e83e2d78b105cb5 (diff) |
Fix XChangeFeedbackControl() request underflow
CVE-2021-3472 / ZDI-CAN-1259
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
-rw-r--r-- | Xi/chgfctl.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c index 1de4da9ef..7a597e43d 100644 --- a/Xi/chgfctl.c +++ b/Xi/chgfctl.c @@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr client) break; case StringFeedbackClass: { - xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]); + xStringFeedbackCtl *f; + REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq, + sizeof(xStringFeedbackCtl)); + f = ((xStringFeedbackCtl *) &stuff[1]); if (client->swapped) { if (len < bytes_to_int32(sizeof(xStringFeedbackCtl))) return BadLength; |