From 7aaf54a1884f71dc363f0b884e57bcb67407a6cd Mon Sep 17 00:00:00 2001 From: Matthieu Herrb Date: Sun, 21 Mar 2021 18:38:57 +0100 Subject: [PATCH] Fix XChangeFeedbackControl() request underflow CVE-2021-3472 / ZDI-CAN-1259 This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb --- Xi/chgfctl.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c index 1de4da9ef..7a597e43d 100644 --- a/Xi/chgfctl.c +++ b/Xi/chgfctl.c @@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr client) break; case StringFeedbackClass: { - xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]); + xStringFeedbackCtl *f; + REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq, + sizeof(xStringFeedbackCtl)); + f = ((xStringFeedbackCtl *) &stuff[1]); if (client->swapped) { if (len < bytes_to_int32(sizeof(xStringFeedbackCtl))) return BadLength; -- GitLab