CVS commit: xsrc/external/mit/xorg-server.old/dist

To: source-changes%NetBSD.org@localhost
Subject: CVS commit: xsrc/external/mit/xorg-server.old/dist
From: "matthew green" <mrg%netbsd.org@localhost>
Date: Sat, 2 Nov 2024 08:12:57 +0000

Module Name:    xsrc
Committed By:   mrg
Date:           Sat Nov  2 08:12:57 UTC 2024

Modified Files:
        xsrc/external/mit/xorg-server.old/dist/Xi: xiproperty.c
        xsrc/external/mit/xorg-server.old/dist/dix: property.c

Log Message:
merge upstream change 8f454b793e1f13c99872c15f0eed1d7f3b823fe8:

Subject: [PATCH] Xi: avoid integer truncation in length check of
 ProcXIChangeProperty

This fixes an OOB read and the resulting information disclosure.

Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->num_items value the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.

The server then proceeded with reading at least stuff->num_items bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->num_items bytes, i.e. 4GB.

The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
so let's fix that too.

CVE-2022-46344, ZDI-CAN 19405


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 \
    xsrc/external/mit/xorg-server.old/dist/Xi/xiproperty.c
cvs rdiff -u -r1.1.1.1 -r1.2 \
    xsrc/external/mit/xorg-server.old/dist/dix/property.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Prev by Date: CVS commit: src/include
Next by Date: CVS commit: xsrc/external/mit/xorg-server.old/dist/randr
Previous by Thread: CVS commit: src/include
Next by Thread: CVS commit: xsrc/external/mit/xorg-server.old/dist/randr
Indexes:

Home | Main Index | Thread Index | Old Index