Julien Cristau pushed to branch debian-unstable at X Strike Force / xserver / xorg-server
Commits:
-
6321383c
by Povilas Kanapickas at 2021-12-14T14:34:27+01:00
-
83f8b3a6
by Povilas Kanapickas at 2021-12-14T14:34:27+01:00
-
92a6c39a
by Povilas Kanapickas at 2021-12-14T14:34:27+01:00
-
b0ca9791
by Povilas Kanapickas at 2021-12-14T14:34:27+01:00
-
40a2a9bd
by Julien Cristau at 2021-12-14T14:38:47+01:00
5 changed files:
Changes:
... | ... | @@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client) |
1351 | 1351 |
REQUEST(xScreenSaverSuspendReq);
|
1352 | 1352 |
|
1353 | 1353 |
swaps(&stuff->length);
|
1354 |
- swapl(&stuff->suspend);
|
|
1355 | 1354 |
REQUEST_SIZE_MATCH(xScreenSaverSuspendReq);
|
1355 |
+ swapl(&stuff->suspend);
|
|
1356 | 1356 |
return ProcScreenSaverSuspend(client);
|
1357 | 1357 |
}
|
1358 | 1358 |
|
1 |
+xorg-server (2:1.20.13-3) unstable; urgency=high
|
|
2 |
+ |
|
3 |
+ * Team upload.
|
|
4 |
+ * record: Fix out of bounds access in SwapCreateRegister() [CVE-2021-4011]
|
|
5 |
+ * xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier() [CVE-2021-4009]
|
|
6 |
+ * Xext: Fix out of bounds access in SProcScreenSaverSuspend() [CVE-2021-4010]
|
|
7 |
+ * render: Fix out of bounds access in SProcRenderCompositeGlyphs() [CVE-2021-4008]
|
|
8 |
+ |
|
9 |
+ -- Julien Cristau <jcristau@debian.org> Tue, 14 Dec 2021 14:38:21 +0100
|
|
10 |
+ |
|
1 | 11 |
xorg-server (2:1.20.13-2) unstable; urgency=medium
|
2 | 12 |
|
3 | 13 |
* Upload to unstable.
|
... | ... | @@ -2515,8 +2515,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff) |
2515 | 2515 |
swapl(pClientID);
|
2516 | 2516 |
}
|
2517 | 2517 |
if (stuff->nRanges >
|
2518 |
- client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
|
|
2519 |
- - stuff->nClients)
|
|
2518 |
+ (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
|
|
2519 |
+ - stuff->nClients) / bytes_to_int32(sz_xRecordRange))
|
|
2520 | 2520 |
return BadLength;
|
2521 | 2521 |
RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
|
2522 | 2522 |
return Success;
|
... | ... | @@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client) |
2309 | 2309 |
|
2310 | 2310 |
i = elt->len;
|
2311 | 2311 |
if (i == 0xff) {
|
2312 |
+ if (buffer + 4 > end) {
|
|
2313 |
+ return BadLength;
|
|
2314 |
+ }
|
|
2312 | 2315 |
swapl((int *) buffer);
|
2313 | 2316 |
buffer += 4;
|
2314 | 2317 |
}
|
... | ... | @@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client) |
2319 | 2322 |
buffer += i;
|
2320 | 2323 |
break;
|
2321 | 2324 |
case 2:
|
2325 |
+ if (buffer + i * 2 > end) {
|
|
2326 |
+ return BadLength;
|
|
2327 |
+ }
|
|
2322 | 2328 |
while (i--) {
|
2323 | 2329 |
swaps((short *) buffer);
|
2324 | 2330 |
buffer += 2;
|
2325 | 2331 |
}
|
2326 | 2332 |
break;
|
2327 | 2333 |
case 4:
|
2334 |
+ if (buffer + i * 4 > end) {
|
|
2335 |
+ return BadLength;
|
|
2336 |
+ }
|
|
2328 | 2337 |
while (i--) {
|
2329 | 2338 |
swapl((int *) buffer);
|
2330 | 2339 |
buffer += 4;
|
... | ... | @@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client) |
1010 | 1010 |
{
|
1011 | 1011 |
REQUEST(xXFixesCreatePointerBarrierReq);
|
1012 | 1012 |
|
1013 |
- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
|
|
1013 |
+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
|
|
1014 |
+ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
|
|
1014 | 1015 |
LEGAL_NEW_RESOURCE(stuff->barrier, client);
|
1015 | 1016 |
|
1016 | 1017 |
return XICreatePointerBarrier(client, stuff);
|
... | ... | @@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client) |
1027 | 1028 |
|
1028 | 1029 |
swaps(&stuff->length);
|
1029 | 1030 |
swaps(&stuff->num_devices);
|
1030 |
- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
|
|
1031 |
+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
|
|
1032 |
+ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
|
|
1031 | 1033 |
|
1032 | 1034 |
swapl(&stuff->barrier);
|
1033 | 1035 |
swapl(&stuff->window);
|