Fix integer underflow in XRecordRegisterClients()

Reported by Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.
author: Matthieu Herrb <matthieu@cvs.openbsd.org> 2020-08-25 15:43:27 +0000
committer: Matthieu Herrb <matthieu@cvs.openbsd.org> 2020-08-25 15:43:27 +0000
commit: 9070f2d35306eaea647327346b38146488c73dc3 (patch)
tree: 84c8701c166ac0faa69ef6e7531403bd734eee0f /xserver/record/record.c
parent: 85b1eaa9ebd264a31dc9c82e0eba24511b0fa93a (diff)
1 files changed, 5 insertions, 5 deletions
diff --git a/xserver/record/record.c b/xserver/record/record.c
index f0b739b0c..05d751ac2 100644
--- a/xserver/record/record.c
+++ b/xserver/record/record.c
@@ -2499,7 +2499,7 @@ SProcRecordQueryVersion(ClientPtr client)
 }                               /* SProcRecordQueryVersion */
 
 static int _X_COLD
-SwapCreateRegister(xRecordRegisterClientsReq * stuff)
+SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
 {
     int i;
     XID *pClientID;
@@ -2509,13 +2509,13 @@ SwapCreateRegister(xRecordRegisterClientsReq * stuff)
     swapl(&stuff->nRanges);
     pClientID = (XID *) &stuff[1];
     if (stuff->nClients >
-        stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq))
+        client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq))
         return BadLength;
     for (i = 0; i < stuff->nClients; i++, pClientID++) {
         swapl(pClientID);
     }
     if (stuff->nRanges >
-        stuff->length - bytes_to_int32(sz_xRecordRegisterClientsReq)
+        client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
         - stuff->nClients)
         return BadLength;
     RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
@@ -2530,7 +2530,7 @@ SProcRecordCreateContext(ClientPtr client)
 
     swaps(&stuff->length);
     REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
-    if ((status = SwapCreateRegister((void *) stuff)) != Success)
+    if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
         return status;
     return ProcRecordCreateContext(client);
 }                               /* SProcRecordCreateContext */
@@ -2543,7 +2543,7 @@ SProcRecordRegisterClients(ClientPtr client)
 
     swaps(&stuff->length);
     REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
-    if ((status = SwapCreateRegister((void *) stuff)) != Success)
+    if ((status = SwapCreateRegister(client, (void *) stuff)) != Success)
         return status;
     return ProcRecordRegisterClients(client);
 }                               /* SProcRecordRegisterClients */
author	Matthieu Herrb <matthieu@cvs.openbsd.org>	2020-08-25 15:43:27 +0000
committer	Matthieu Herrb <matthieu@cvs.openbsd.org>	2020-08-25 15:43:27 +0000
commit	9070f2d35306eaea647327346b38146488c73dc3 (patch)
tree	84c8701c166ac0faa69ef6e7531403bd734eee0f /xserver/record/record.c
parent	85b1eaa9ebd264a31dc9c82e0eba24511b0fa93a (diff)