diff options
author | Povilas Kanapickas <povilas@radix.lt> | 2021-12-14 15:00:03 +0200 |
---|---|---|
committer | Povilas Kanapickas <povilas@radix.lt> | 2021-12-14 15:00:03 +0200 |
commit | ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60 (patch) | |
tree | 54c6a8fa4fda2d63b571cafc27012df1e0f8abed /render | |
parent | 6c4c53010772e3cb4cb8acd54950c8eec9c00d21 (diff) |
render: Fix out of bounds access in SProcRenderCompositeGlyphs()
ZDI-CAN-14192, CVE-2021-4008
This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
Diffstat (limited to 'render')
-rw-r--r-- | render/render.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/render/render.c b/render/render.c index c376090ca..456f156d4 100644 --- a/render/render.c +++ b/render/render.c @@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client) i = elt->len; if (i == 0xff) { + if (buffer + 4 > end) { + return BadLength; + } swapl((int *) buffer); buffer += 4; } @@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client) buffer += i; break; case 2: + if (buffer + i * 2 > end) { + return BadLength; + } while (i--) { swaps((short *) buffer); buffer += 2; } break; case 4: + if (buffer + i * 4 > end) { + return BadLength; + } while (i--) { swapl((int *) buffer); buffer += 4; |