render: Fix out of bounds access in SProcRenderCompositeGlyphs()

ZDI-CAN-14192, CVE-2021-4008
2025-12-09 10:48:48 +00:00 · 2021-12-14 13:42:47 +00:00
parent d016d47aa9
commit c9b690e680
1 changed files with 6 additions and 0 deletions
--- a/xserver/render/render.c
+++ b/xserver/render/render.c
@@ -2309,6 +2309,8 @@ SProcRenderCompositeGlyphs(ClientPtr client)

        i = elt->len;
        if (i == 0xff) {
+            if (buffer + 4 >= end)
+                return BadLength;
            swapl((int *) buffer);
            buffer += 4;
        }
@@ -2320,12 +2322,16 @@ SProcRenderCompositeGlyphs(ClientPtr client)
                break;
            case 2:
                while (i--) {
+                    if (buffer + 2 >= end)
+                        return BadLength;
                    swaps((short *) buffer);
                    buffer += 2;
                }
                break;
            case 4:
                while (i--) {
+                    if (buffer + 4 >= end)
+                        return BadLength;
                    swapl((int *) buffer);
                    buffer += 4;
                }