
[Git][xorg-team/xserver/xorg-server][debian-unstable] 5 commits: record: Fix out of bounds access in SwapCreateRegister()




Julien Cristau pushed to branch debian-unstable at X Strike Force / xserver / xorg-server

Commits:

5 changed files:

Changes:

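--- a/Xext/saver.c
+++ b/Xext/saver.c
@@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client)
     REQUEST(xScreenSaverSuspendReq);
 
     swaps(&stuff->length);
-    swapl(&stuff->suspend);
     REQUEST_SIZE_MATCH(xScreenSaverSuspendReq);
+    swapl(&stuff->suspend);
     return ProcScreenSaverSuspend(client);
 }
 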
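Review bot: The ordering this fix depends on is not documented at the call site: `swapl(&stuff->suspend)` has to stay below `REQUEST_SIZE_MATCH(xScreenSaverSuspendReq)`, because that macro is what establishes that the request is long enough to contain the `suspend` field. A short comment above the check, such as `/* Validate the length before swapping any field beyond the header. */`, would keep a later cleanup from moving the swap back up. The function's opening lines are outside the hunk.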
    

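--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+xorg-server (2:1.20.13-3) unstable; urgency=high
+
+  * Team upload.
+  * record: Fix out of bounds access in SwapCreateRegister() [CVE-2021-4011]
+  * xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier() [CVE-2021-4009]
+  * Xext: Fix out of bounds access in SProcScreenSaverSuspend() [CVE-2021-4010]
+  * render: Fix out of bounds access in SProcRenderCompositeGlyphs() [CVE-2021-4008]
+
+ -- Julien Cristau <jcristau@debian.org>  Tue, 14 Dec 2021 14:38:21 +0100
+
 xorg-server (2:1.20.13-2) unstable; urgency=medium
 
   * Upload to unstable.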
    

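--- a/record/record.c
+++ b/record/record.c
@@ -2515,8 +2515,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
         swapl(pClientID);
     }
     if (stuff->nRanges >
-        client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
-        - stuff->nClients)
+        (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
+        - stuff->nClients) / bytes_to_int32(sz_xRecordRange))
         return BadLength;
     RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
     return Success;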
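Review bot: The new bound on `stuff->nRanges` mixes three units in one expression with no comment: `client->req_len` and `bytes_to_int32(...)` are in 4-byte words, `stuff->nClients` is a count of client IDs (one word each, judging by the `swapl(pClientID)` loop above), and the result is divided into `xRecordRange`-sized slots. A comment such as `/* words left after the header and client IDs, in xRecordRange units */` would make it clear why the division is needed. The subtraction also appears to be unsigned, so it only holds if `nClients` was already bounded against `req_len` earlier in the function, which is outside this hunk and worth confirming.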
    

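--- a/render/render.c
+++ b/render/render.c
@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
 
         i = elt->len;
         if (i == 0xff) {
+            if (buffer + 4 > end) {
+                return BadLength;
+            }
             swapl((int *) buffer);
             buffer += 4;
         }
@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client)
                 buffer += i;
                 break;
             case 2:
+                if (buffer + i * 2 > end) {
+                    return BadLength;
+                }
                 while (i--) {
                     swaps((short *) buffer);
                     buffer += 2;
                 }
                 break;
             case 4:
+                if (buffer + i * 4 > end) {
+                    return BadLength;
+                }
                 while (i--) {
                     swapl((int *) buffer);
                     buffer += 4;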
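Review bot: The three added guards (`buffer + 4 > end`, `buffer + i * 2 > end`, `buffer + i * 4 > end`) build a pointer that can lie beyond the request buffer before comparing it, which C only defines up to one element past the end. Comparing the remaining length avoids that: `if (end - buffer < 4)`, `if (end - buffer < i * 2)`, `if (end - buffer < i * 4)`. The declarations of `buffer`, `end` and `i` are outside the hunks, so the operand types should be checked for a signed/unsigned mismatch when making the change. `case 1` only advances `buffer` in the visible context, so whether it is bounded depends on the enclosing loop condition, which is also outside the hunk.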
    

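--- a/xfixes/cursor.c
+++ b/xfixes/cursor.c
@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
 {
     REQUEST(xXFixesCreatePointerBarrierReq);
 
-    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
+    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
+                       pad_to_int32(stuff->num_devices * sizeof(CARD16)));
     LEGAL_NEW_RESOURCE(stuff->barrier, client);
 
     return XICreatePointerBarrier(client, stuff);
@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
 
     swaps(&stuff->length);
     swaps(&stuff->num_devices);
-    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
+    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
+                       pad_to_int32(stuff->num_devices * sizeof(CARD16)));
 
     swapl(&stuff->barrier);
     swapl(&stuff->window);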
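Review bot: In `SProcXFixesCreatePointerBarrier`, `swaps(&stuff->num_devices)` still runs before `REQUEST_FIXED_SIZE`, so the swap is safe only if a minimum-length check on the fixed part of the request precedes it. The function's opening lines are outside the hunk, so that should be confirmed. The same size expression now appears in both handlers, and a one-line comment such as `/* num_devices CARD16 device IDs follow the fixed request */` would record why the element size is part of the length check.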
    

