summaryrefslogtreecommitdiff
path: root/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch
diff options
context:
space:
mode:
Diffstat (limited to 'poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch')
-rw-r--r--poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch70
1 files changed, 70 insertions, 0 deletions
diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch
new file mode 100644
index 0000000000..2103e9c198
--- /dev/null
+++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch
@@ -0,0 +1,70 @@
+From 2902b78535ecc6821cc027351818b28a5c7fdbdc Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue, 18 Aug 2020 14:55:01 +0200
+Subject: [PATCH] Fix XRecordRegisterClients() Integer underflow
+
+CVE-2020-14362 ZDI-CAN-11574
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/xorg/xserver/-/commit/2902b78535ecc6821cc027351818b28a5c7fdbdc]
+CVE: CVE-2020-14362
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ record/record.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/record/record.c b/record/record.c
+index f2d38c877..be154525d 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -2500,7 +2500,7 @@ SProcRecordQueryVersion(ClientPtr client)
+ } /* SProcRecordQueryVersion */
+
+ static int _X_COLD
+-SwapCreateRegister(xRecordRegisterClientsReq * stuff)
++SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
+ {
+ int i;
+ XID *pClientID;
+@@ -2510,13 +2510,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
+ swapl(&stuff->nRanges);
+ pClientID = (XID *) &stuff[1];
+ if (stuff->nClients >
+- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
++ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
+ return BadLength;
+ for (i = 0; i < stuff->nClients; i++, pClientID++) {
+ swapl(pClientID);
+ }
+ if (stuff->nRanges >
+- stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
++ client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
+ - stuff->nClients)
+ return BadLength;
+ RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
+@@ -2531,7 +2531,7 @@ SProcRecordCreateContext(ClientPtr client)
+
+ swaps(&stuff->length);
+ REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
+- if ((status = SwapCreateRegister((void *) stuff)) != Success)
++ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
+ return status;
+ return ProcRecordCreateContext(client);
+ } /* SProcRecordCreateContext */
+@@ -2544,7 +2544,7 @@ SProcRecordRegisterClients(ClientPtr client)
+
+ swaps(&stuff->length);
+ REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
+- if ((status = SwapCreateRegister((void *) stuff)) != Success)
++ if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
+ return status;
+ return ProcRecordRegisterClients(client);
+ } /* SProcRecordRegisterClients */
+--
+2.17.1
+
generated by cgit v1.2.3 (git 2.39.0) at 2024-06-03 02:24:04 +0300