CVS commit: xsrc/external/mit/xorg-server.old/dist/randr

To: source-changes%NetBSD.org@localhost
Subject: CVS commit: xsrc/external/mit/xorg-server.old/dist/randr
From: "matthew green" <mrg%netbsd.org@localhost>
Date: Sat, 2 Nov 2024 08:17:49 +0000

Module Name:    xsrc
Committed By:   mrg
Date:           Sat Nov  2 08:17:49 UTC 2024

Modified Files:
        xsrc/external/mit/xorg-server.old/dist/randr: rrproperty.c

Log Message:
merge upstream change 14f480010a93ff962fef66a16412fafff81ad632:

Subject: [PATCH] randr: avoid integer truncation in length check of
 ProcRRChange*Property

Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
See also xserver@8f454b79 where this same bug was fixed for the core
protocol and XI.

This fixes an OOB read and the resulting information disclosure.

Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->nUnits value the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.

The server then proceeded with reading at least stuff->num_items bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->nUnits bytes, i.e. 4GB.

CVE-2023-6478, ZDI-CAN-22561

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 \
    xsrc/external/mit/xorg-server.old/dist/randr/rrproperty.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Prev by Date: CVS commit: xsrc/external/mit/xorg-server.old/dist
Next by Date: CVS commit: [netbsd-10] xsrc/external/mit/xorg-server
Previous by Thread: CVS commit: xsrc/external/mit/xorg-server.old/dist
Next by Thread: CVS commit: [netbsd-10] xsrc/external/mit/xorg-server
Indexes:

Home | Main Index | Thread Index | Old Index