1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
|
From 81c90dc8f0aae3b65730409b1b615b5fa7280ebd Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Fri, 16 Jan 2015 20:08:59 +0100
Subject: xkb: Don't swap XkbSetGeometry data in the input buffer
The XkbSetGeometry request embeds data which needs to be swapped when the
server and the client have different endianess.
_XkbSetGeometry() invokes functions that swap these data directly in the
input buffer.
However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
(if there is more than one keyboard), thus causing on swapped clients the
same data to be swapped twice in memory, further causing a server crash
because the strings lengths on the second time are way off bounds.
To allow _XkbSetGeometry() to run reliably more than once with swapped
clients, do not swap the data in the buffer, use variables instead.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 15c7f34..b9a3ac4 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -4961,14 +4961,13 @@ static char *
_GetCountedString(char **wire_inout, Bool swap)
{
char *wire, *str;
- CARD16 len, *plen;
+ CARD16 len;
wire = *wire_inout;
- plen = (CARD16 *) wire;
+ len = *(CARD16 *) wire;
if (swap) {
- swaps(plen);
+ swaps(&len);
}
- len = *plen;
str = malloc(len + 1);
if (str) {
memcpy(str, &wire[2], len);
@@ -4985,25 +4984,28 @@ _CheckSetDoodad(char **wire_inout,
{
char *wire;
xkbDoodadWireDesc *dWire;
+ xkbAnyDoodadWireDesc any;
+ xkbTextDoodadWireDesc text;
XkbDoodadPtr doodad;
dWire = (xkbDoodadWireDesc *) (*wire_inout);
+ any = dWire->any;
wire = (char *) &dWire[1];
if (client->swapped) {
- swapl(&dWire->any.name);
- swaps(&dWire->any.top);
- swaps(&dWire->any.left);
- swaps(&dWire->any.angle);
+ swapl(&any.name);
+ swaps(&any.top);
+ swaps(&any.left);
+ swaps(&any.angle);
}
CHK_ATOM_ONLY(dWire->any.name);
- doodad = XkbAddGeomDoodad(geom, section, dWire->any.name);
+ doodad = XkbAddGeomDoodad(geom, section, any.name);
if (!doodad)
return BadAlloc;
doodad->any.type = dWire->any.type;
doodad->any.priority = dWire->any.priority;
- doodad->any.top = dWire->any.top;
- doodad->any.left = dWire->any.left;
- doodad->any.angle = dWire->any.angle;
+ doodad->any.top = any.top;
+ doodad->any.left = any.left;
+ doodad->any.angle = any.angle;
switch (doodad->any.type) {
case XkbOutlineDoodad:
case XkbSolidDoodad:
@@ -5026,12 +5028,13 @@ _CheckSetDoodad(char **wire_inout,
dWire->text.colorNdx);
return BadMatch;
}
+ text = dWire->text;
if (client->swapped) {
- swaps(&dWire->text.width);
- swaps(&dWire->text.height);
+ swaps(&text.width);
+ swaps(&text.height);
}
- doodad->text.width = dWire->text.width;
- doodad->text.height = dWire->text.height;
+ doodad->text.width = text.width;
+ doodad->text.height = text.height;
doodad->text.color_ndx = dWire->text.colorNdx;
doodad->text.text = _GetCountedString(&wire, client->swapped);
doodad->text.font = _GetCountedString(&wire, client->swapped);
--
cgit v0.10.2
|
GitWeb