diff options
author | Matthieu Herrb <matthieu@herrb.eu> | 2021-04-13 15:55:41 +0200 |
---|---|---|
committer | Michel Dänzer <mdaenzer@redhat.com> | 2021-04-13 15:55:41 +0200 |
commit | 1e4bf85df1be285e70a9c9fd52e6cf887600d4e4 (patch) | |
tree | a0cfab9ddddf307bb602295a8db80e92c0c0167e | |
parent | 2a327e58609e2bf53a9043eab4b36bc64168197a (diff) |
Fix XChangeFeedbackControl() request underflow
CVE-2021-3472 / ZDI-CAN-1259
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
(cherry picked from commit 7aaf54a1884f71dc363f0b884e57bcb67407a6cd)
-rw-r--r-- | Xi/chgfctl.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c index 1de4da9ef..7a597e43d 100644 --- a/Xi/chgfctl.c +++ b/Xi/chgfctl.c @@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr client) break; case StringFeedbackClass: { - xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]); + xStringFeedbackCtl *f; + REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq, + sizeof(xStringFeedbackCtl)); + f = ((xStringFeedbackCtl *) &stuff[1]); if (client->swapped) { if (len < bytes_to_int32(sizeof(xStringFeedbackCtl))) return BadLength; |