summaryrefslogtreecommitdiffstats
path: root/source/x/x11/patch/xorg-server/CVE-2022-3550.patch
diff options
context:
space:
mode:
Diffstat (limited to 'source/x/x11/patch/xorg-server/CVE-2022-3550.patch')
-rw-r--r--source/x/x11/patch/xorg-server/CVE-2022-3550.patch34
1 files changed, 0 insertions, 34 deletions
diff --git a/source/x/x11/patch/xorg-server/CVE-2022-3550.patch b/source/x/x11/patch/xorg-server/CVE-2022-3550.patch
deleted file mode 100644
index 3461b0749..000000000
--- a/source/x/x11/patch/xorg-server/CVE-2022-3550.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Tue, 5 Jul 2022 12:06:20 +1000
-Subject: xkb: proof GetCountedString against request length attacks
-
-GetCountedString did a check for the whole string to be within the
-request buffer but not for the initial 2 bytes that contain the length
-field. A swapped client could send a malformed request to trigger a
-swaps() on those bytes, writing into random memory.
-
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
----
- xkb/xkb.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/xkb/xkb.c b/xkb/xkb.c
-index f42f59ef3..1841cff26 100644
---- a/xkb/xkb.c
-+++ b/xkb/xkb.c
-@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
- CARD16 len;
-
- wire = *wire_inout;
-+
-+ if (client->req_len <
-+ bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
-+ return BadValue;
-+
- len = *(CARD16 *) wire;
- if (client->swapped) {
- swaps(&len);
---
-cgit v1.2.1
-
generated by cgit v1.2.3-65-gdbad (git 2.45.1) at 2024-05-27 19:15:11 +0000