History log of /xsrc/external/mit/xorg-server.old/dist/Xi/xiproperty.c
Revision Date Author Comments
# c8c3bf63 02-Nov-2024 mrg <mrg@NetBSD.org>

merge upstream change 8f454b793e1f13c99872c15f0eed1d7f3b823fe8:

Subject: [PATCH] Xi: avoid integer truncation in length check of
ProcXIChangeProperty

This fixes an OOB read and the resulting information disclosure.

Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->num_items value the expected request size was
truncated, passing the REQUEST_FIXED_SIZE check.

The server then proceeded with reading at least stuff->num_items bytes
(depending on stuff->format) from the request and stuffing whatever it
finds into the property. In the process it would also allocate at least
stuff->num_items bytes, i.e. 4GB.

The same bug exists in ProcChangeProperty and ProcXChangeDeviceProperty,
so let's fix that too.

CVE-2022-46344, ZDI-CAN 19405
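
The truncated length check described in the commit message above, as a simplified model. This is an added example, not code from xorg-server or from the commit; the function names, HDR_BYTES and the sample requests are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define HDR_BYTES 20u /* assumed fixed request header size for this model */

/* Bytes per item for property formats 8, 16 and 32; 0 for anything else. */
static uint32_t item_bytes(int format)
{
    return (format == 8 || format == 16 || format == 32) ? (uint32_t)format / 8u : 0u;
}

/* Pre-fix model: payload size held in 32 bits, so the product wraps. */
int length_ok_truncated(uint32_t req_words, uint32_t num_items, int format)
{
    uint32_t sz = item_bytes(format);
    if (sz == 0)
        return 0;
    uint32_t payload = num_items * sz;                 /* modulo 2^32 */
    return ((HDR_BYTES + payload + 3u) >> 2) == req_words;
}

/* Post-fix model: same check with the size carried in 64 bits. */
int length_ok_wide(uint32_t req_words, uint32_t num_items, int format)
{
    uint32_t sz = item_bytes(format);
    if (sz == 0)
        return 0;
    uint64_t payload = (uint64_t)num_items * sz;       /* cannot wrap */
    return ((HDR_BYTES + payload + 3u) >> 2) == (uint64_t)req_words;
}

int main(void)
{
    /* Constructed inputs: request length in 4-byte words, item count, format. */
    struct { uint32_t words, items; int fmt; } t[] = {
        { 9u, 4u, 32 },           /* consistent: 20 + 16 bytes = 9 words */
        { 5u, 0x40000000u, 32 },  /* claims 2^32 bytes in a 5-word request */
    };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        printf("items=%#x truncated=%d wide=%d\n", (unsigned)t[i].items,
               length_ok_truncated(t[i].words, t[i].items, t[i].fmt),
               length_ok_wide(t[i].words, t[i].items, t[i].fmt));
    return 0;
}
```

The second sample passes the 32-bit check because the computed payload size wraps to zero, while the 64-bit check rejects it as a length mismatch.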

# bc1411c9 28-Oct-2023 mrg <mrg@NetBSD.org>

merge security fixes from xorg-server 21.1.9 into xorg-server 10.

Fixes CVE-2023-5367 and CVE-2023-5380.

# 706f2543 09-Jun-2016 mrg <mrg@NetBSD.org>

initial import of existing netbsd xorg-server 1.10 sources in the
xorg-server.old subdir.