diff options
Diffstat (limited to 'source/x/x11/patch/xorg-server/xorg-server.CVE-2021-4009.b5196750099ae6ae582e1f46bd0a6dad29550e02.patch')
-rw-r--r-- | source/x/x11/patch/xorg-server/xorg-server.CVE-2021-4009.b5196750099ae6ae582e1f46bd0a6dad29550e02.patch | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/source/x/x11/patch/xorg-server/xorg-server.CVE-2021-4009.b5196750099ae6ae582e1f46bd0a6dad29550e02.patch b/source/x/x11/patch/xorg-server/xorg-server.CVE-2021-4009.b5196750099ae6ae582e1f46bd0a6dad29550e02.patch new file mode 100644 index 00000000..9a5c3feb --- /dev/null +++ b/source/x/x11/patch/xorg-server/xorg-server.CVE-2021-4009.b5196750099ae6ae582e1f46bd0a6dad29550e02.patch @@ -0,0 +1,43 @@ +From b5196750099ae6ae582e1f46bd0a6dad29550e02 Mon Sep 17 00:00:00 2001 +From: Povilas Kanapickas <povilas@radix.lt> +Date: Tue, 14 Dec 2021 15:00:01 +0200 +Subject: [PATCH] xfixes: Fix out of bounds access in + *ProcXFixesCreatePointerBarrier() + +ZDI-CAN-14950, CVE-2021-4009 + +This vulnerability was discovered and the fix was suggested by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Povilas Kanapickas <povilas@radix.lt> +--- + xfixes/cursor.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/xfixes/cursor.c b/xfixes/cursor.c +index 60580b88f..c5d4554b2 100644 +--- a/xfixes/cursor.c ++++ b/xfixes/cursor.c +@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client) + { + REQUEST(xXFixesCreatePointerBarrierReq); + +- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices)); ++ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, ++ pad_to_int32(stuff->num_devices * sizeof(CARD16))); + LEGAL_NEW_RESOURCE(stuff->barrier, client); + + return XICreatePointerBarrier(client, stuff); +@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client) + + swaps(&stuff->length); + swaps(&stuff->num_devices); +- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices)); ++ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, ++ pad_to_int32(stuff->num_devices * sizeof(CARD16))); + + swapl(&stuff->barrier); + swapl(&stuff->window); +-- +GitLab + |