From b95f25af141d33a65f6f821ea9c003f66a01e1f1 Mon Sep 17 00:00:00 2001
From: Michal Srb <msrb@suse.com>
Date: Fri, 28 Jul 2017 16:27:10 +0200
Subject: Xext/shm: Validate shmseg resource id (CVE-2017-13721)

Otherwise it can belong to a non-existing client and abort X server with
FatalError "client not in use", or overwrite existing segment of another
existing client.

Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/Xext/shm.c b/Xext/shm.c
index 91ea90b..2f9a788 100644
--- Xext/shm.c
+++ Xext/shm.c
@@ -1238,6 +1238,7 @@ ProcShmCreateSegment(ClientPtr client)
     };
 
     REQUEST_SIZE_MATCH(xShmCreateSegmentReq);
+    LEGAL_NEW_RESOURCE(stuff->shmseg, client);
     if ((stuff->readOnly != xTrue) && (stuff->readOnly != xFalse)) {
         client->errorValue = stuff->readOnly;
         return BadValue;
-- 
cgit v0.10.2

