summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNathan Kidd <nkidd@opentext.com>2014-12-24 16:22:18 -0500
committerJulien Cristau <jcristau@debian.org>2017-10-10 23:33:44 +0200
commit859b08d523307eebde7724fd1a0789c44813e821 (patch)
tree87fab210322f596cef1635760c18cfbb8de44ebb
parentd088e3c1286b548a58e62afdc70bb40981cdb9e8 (diff)
Xi: fix wrong extra length check in ProcXIChangeHierarchy (CVE-2017-12178)
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Nathan Kidd <nkidd@opentext.com> Signed-off-by: Julien Cristau <jcristau@debian.org>
-rw-r--r--Xi/xichangehierarchy.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
index 87f191ffa..cbdd91258 100644
--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
if (!stuff->num_changes)
return rc;
- len = ((size_t)stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
+ len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
while (stuff->num_changes--) {