XLibre/xserver
1
1
Fork 0
mirror of https://github.com/X11Libre/xserver.git synced 2026-03-24 08:04:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier()

Browse Source 
ZDI-CAN-14950, CVE-2021-4009

This vulnerability was discovered and the fix was suggested by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
This commit is contained in:
Povilas Kanapickas
2021-12-14 15:00:01 +02:00
parent e56f61c79f
commit b519675009
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
xfixes/cursor.c
View File

@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
{
REQUEST(xXFixesCreatePointerBarrierReq);
REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
pad_to_int32(stuff->num_devices * sizeof(CARD16)));
LEGAL_NEW_RESOURCE(stuff->barrier, client);
return XICreatePointerBarrier(client, stuff);
@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
swaps(&stuff->length);
swaps(&stuff->num_devices);
REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
pad_to_int32(stuff->num_devices * sizeof(CARD16)));
swapl(&stuff->barrier);
swapl(&stuff->window);