blob: 8341a3372a106fe3f4c8f70022967718bb14e89c (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
From b95f25af141d33a65f6f821ea9c003f66a01e1f1 Mon Sep 17 00:00:00 2001
From: Michal Srb <msrb@suse.com>
Date: Fri, 28 Jul 2017 16:27:10 +0200
Subject: Xext/shm: Validate shmseg resource id (CVE-2017-13721)
Otherwise it can belong to a non-existing client and abort X server with
FatalError "client not in use", or overwrite existing segment of another
existing client.
Signed-off-by: Julien Cristau <jcristau@debian.org>
diff --git a/Xext/shm.c b/Xext/shm.c
index 91ea90b..2f9a788 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -1238,6 +1238,7 @@ ProcShmCreateSegment(ClientPtr client)
};
REQUEST_SIZE_MATCH(xShmCreateSegmentReq);
+ LEGAL_NEW_RESOURCE(stuff->shmseg, client);
if ((stuff->readOnly != xTrue) && (stuff->readOnly != xFalse)) {
client->errorValue = stuff->readOnly;
return BadValue;
--
cgit v0.10.2
|