diff --git a/Xext/saver.c b/Xext/saver.c
index c27a66c8099553b5e248c7faf7cc766af021fcc5..c23907dbb8143210f4744a36e1d1464eb5a868a8 100644
--- a/Xext/saver.c
+++ b/Xext/saver.c
@@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client)
     REQUEST(xScreenSaverSuspendReq);
     swaps(&stuff->length);
-    swapl(&stuff->suspend);
     REQUEST_SIZE_MATCH(xScreenSaverSuspendReq);
+    swapl(&stuff->suspend);
     return ProcScreenSaverSuspend(client);
 }
diff --git a/debian/changelog b/debian/changelog
index 5a592f04004a27134ac19dd49db81ce451deae9b..49639a3f81055ae59215a32dc263426088a294dd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+xorg-server (2:1.20.11-1+deb11u1) bullseye-security; urgency=high
+
+  * Team upload.
+  * record: Fix out of bounds access in SwapCreateRegister() [CVE-2021-4011]
+  * xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier() [CVE-2021-4009]
+  * Xext: Fix out of bounds access in SProcScreenSaverSuspend() [CVE-2021-4010]
+  * render: Fix out of bounds access in SProcRenderCompositeGlyphs() [CVE-2021-4008]
+
+ -- Julien Cristau <jcristau@debian.org> Thu, 16 Dec 2021 18:08:23 +0100
+
 xorg-server (2:1.20.11-1+apertis1) apertis; urgency=medium
   * Sync updates from Debian Bullseye. Remaining Apertis specific changes:
diff --git a/record/record.c b/record/record.c
index 05d751ac20fba271faa3be7709b19f170b05a0ae..a8aec23bd1697cda80b29ac44639018c92c87882 100644
--- a/record/record.c
+++ b/record/record.c
@@ -2515,8 +2515,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
         swapl(pClientID);
     }
     if (stuff->nRanges >
-        client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) -
-        stuff->nClients)
+        (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
+         - stuff->nClients) / bytes_to_int32(sz_xRecordRange))
         return BadLength;
     RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
     return Success;
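Review bot: Moving `swapl(&stuff->suspend)` below `REQUEST_SIZE_MATCH` is the right fix, but nothing in the function says why the order matters, and the next person who tidies the swaps into one group will reintroduce the read past the end of a short request. Suggest a comment above `REQUEST_SIZE_MATCH(xScreenSaverSuspendReq);`: `/* Only stuff->length is in the fixed request header; every other field may be swapped only after REQUEST_SIZE_MATCH has confirmed the request actually contains it. */`. The head of SProcScreenSaverSuspend is outside the hunk.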
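Review bot: The new bound `(client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq) - stuff->nClients) / bytes_to_int32(sz_xRecordRange)` is only free of wrap-around if `stuff->nClients` was already checked against the same remaining length before the `swapl(pClientID)` loop; that earlier check is not in the hunk, so the dependency should be stated where the expression sits. Suggest a comment above the `if`: `/* nClients was bounds-checked above, so the subtraction cannot wrap; the division floors, so nRanges records of sz_xRecordRange bytes are guaranteed to fit in the request. */`. Note the check is a loose upper bound (`>`) rather than an exact-size match, which is sufficient for swapping; presumably the non-swapped request handler enforces the exact length, and that is worth confirming. SwapCreateRegister begins outside the hunk.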
diff --git a/render/render.c b/render/render.c
index c376090cad2a8770eea5c8128e77c43c56151cd4..456f156d43ae12f4a712ce4fdc969ab2761490fd 100644
--- a/render/render.c
+++ b/render/render.c
@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
         i = elt->len;
         if (i == 0xff) {
+            if (buffer + 4 > end) {
+                return BadLength;
+            }
             swapl((int *) buffer);
             buffer += 4;
         }
@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client)
                 buffer += i;
                 break;
             case 2:
+                if (buffer + i * 2 > end) {
+                    return BadLength;
+                }
                 while (i--) {
                     swaps((short *) buffer);
                     buffer += 2;
                 }
                 break;
             case 4:
+                if (buffer + i * 4 > end) {
+                    return BadLength;
+                }
                 while (i--) {
                     swapl((int *) buffer);
                     buffer += 4;
diff --git a/xfixes/cursor.c b/xfixes/cursor.c
index d4b68f3af2c11d075ff8ee137f3be07e6aa9c1d7..5f531a89a4c745eb074b1310bebadc59d7ca3541 100644
--- a/xfixes/cursor.c
+++ b/xfixes/cursor.c
@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
 {
     REQUEST(xXFixesCreatePointerBarrierReq);
-    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
+    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
+                       pad_to_int32(stuff->num_devices * sizeof(CARD16)));
     LEGAL_NEW_RESOURCE(stuff->barrier, client);
     return XICreatePointerBarrier(client, stuff);
@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
     swaps(&stuff->length);
     swaps(&stuff->num_devices);
-    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
+    REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
+                       pad_to_int32(stuff->num_devices * sizeof(CARD16)));
     swapl(&stuff->barrier);
     swapl(&stuff->window);
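Review bot: The `0xff` sentinel that the new `if (buffer + 4 > end)` guard protects is undocumented, so a reader cannot tell why four extra bytes are expected here rather than `len` glyph ids. Suggest a comment on the `if (i == 0xff)` line: `/* len == 0xff: a 4-byte value follows in place of glyph data; make sure it is inside the request before swapping it */` (what that value denotes in the Render protocol should be named once it is confirmed against the proto headers). The element loop and the computation of `end` are outside the hunk, so the assumption that `end` marks the last byte of the request could not be checked here.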
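Review bot: The guards `if (buffer + i * 2 > end)` and `if (buffer + i * 4 > end)` form a pointer that may lie past the request before comparing it, which is undefined behaviour in C even though it works on flat address spaces; comparing distances avoids that, e.g. `if ((size_t) (end - buffer) < (size_t) i * 2)` and `if ((size_t) (end - buffer) < (size_t) i * 4)`. The overshoot is bounded in practice if `elt->len` is the protocol's 8-bit field (and it cannot be 0xff in this branch), so this is a robustness point rather than an exploitable one, but the distance form is the pattern worth copying elsewhere in the swapper. `case 1` still advances `buffer += i` unchecked; it swaps nothing, so there is no out-of-bounds access, but `buffer` can end up beyond `end` and the loop condition, which is outside the hunk, must tolerate that. The switch and the enclosing loop start and end outside the hunk.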
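Review bot: The corrected size `pad_to_int32(stuff->num_devices * sizeof(CARD16))` encodes a layout of the trailing data that nothing in ProcXFixesCreatePointerBarrier states, so the next reader has to rediscover why `sizeof(CARD16)` is the right multiplier. Suggest a comment above the `REQUEST_FIXED_SIZE` line: `/* The fixed request is followed by num_devices CARD16 device ids, padded to a 32-bit boundary; REQUEST_FIXED_SIZE checks the total length exactly. */`. The consumer of those ids is `XICreatePointerBarrier`, whose body is not in view, so the CARD16 element size should be confirmed against it.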
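Review bot: The expression `pad_to_int32(stuff->num_devices * sizeof(CARD16))` is now written out by hand in both SProcXFixesCreatePointerBarrier and ProcXFixesCreatePointerBarrier, which is exactly how the two paths drifted before; one definition keeps them in step, e.g. `#define XFixesBarrierDevicesLen(n) pad_to_int32((n) * sizeof(CARD16))` used from both places. The ordering in the swapped path also deserves a line of explanation, since it is the only reason the check is meaningful: `/* num_devices feeds the length check, so it is swapped first; every other field is swapped only once the request size is known to be valid. */` above `swaps(&stuff->num_devices);`. The rest of the function, including the swap of the device id array, is outside the hunk.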