authorMatthieu Herrb <matthieu@herrb.eu>2020-08-18 14:49:04 +0200
committerMatthieu Herrb <matthieu@herrb.eu>2020-08-25 17:13:31 +0200
commiteff3f6cdd398bfac040351e99e64baf3bf64fa2e (patch)
treeb57220065d0c65668aaef59d1d0a772b8d5f2f8c
parent1d3a1092c30af660b1366fcd344af745590aa29f (diff)
Fix XIChangeHierarchy() integer underflow
CVE-2020-14346 / ZDI-CAN-11429 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> (cherry picked from commit 1e3392b07923987c6c9d09cf75b24f397b59bd5e)
-rw-r--r--Xi/xichangehierarchy.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
index cbdd91258..504defe56 100644
--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
if (!stuff->num_changes)
return rc;
- len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
+ len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);
any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
while (stuff->num_changes--) {
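Review bot: The new `len` computation on the changed line is still an unchecked `size_t` subtraction, so it is only safe if the request was already verified to be at least `sizeof(xXIChangeHierarchyReq)` bytes. That check is not visible in this hunk and presumably sits earlier in ProcXIChangeHierarchy, whose body starts above the hunk and continues below it. A short comment above the assignment would keep a later edit from going back to the header field: `/* Use client->req_len (server-side request length), not the wire-supplied stuff->length, so len cannot wrap. */`. If the earlier size check cannot be relied on here, a local guard before the subtraction would make the invariant explicit: `if (((size_t) client->req_len << 2) < sizeof(xXIChangeHierarchyReq)) return BadLength;`.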