Fix XkbSelectEvents() integer underflow

CVE-2020-14361 ZDI-CAN 11573 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> (cherry picked from commit 90304b3c2018a6b8f4a79de86364d2af15cb9ad8)
author: Matthieu Herrb <matthieu@herrb.eu> 2020-08-18 14:52:29 +0200
committer: Matthieu Herrb <matthieu@herrb.eu> 2020-08-25 17:13:31 +0200
commit: 5b384e7678c5a155dd8752f018c8292153c1295e (patch)
tree: 47e73c86b90ee21878e7e15492471b6eabcc6532
parent: eff3f6cdd398bfac040351e99e64baf3bf64fa2e (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c
index 1c1ed5ff4..50cabb90e 100644
--- a/xkb/xkbSwap.c
+++ b/xkb/xkbSwap.c
@@ -76,7 +76,7 @@ SProcXkbSelectEvents(ClientPtr client)
         register unsigned bit, ndx, maskLeft, dataLeft, size;
 
         from.c8 = (CARD8 *) &stuff[1];
-        dataLeft = (stuff->length * 4) - SIZEOF(xkbSelectEventsReq);
+        dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq);
         maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask));
         for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) {
             if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify))
author	Matthieu Herrb <matthieu@herrb.eu>	2020-08-18 14:52:29 +0200
committer	Matthieu Herrb <matthieu@herrb.eu>	2020-08-25 17:13:31 +0200
commit	5b384e7678c5a155dd8752f018c8292153c1295e (patch)
tree	47e73c86b90ee21878e7e15492471b6eabcc6532
parent	eff3f6cdd398bfac040351e99e64baf3bf64fa2e (diff)