shm: Also censor images returned by ShmGetImage

We currently censor images from dix's GetImage, but not from ShmGetImage. This is a method to bypass XACE, creating a potential leak. We should censor in both methods. Reviewed-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Andrew Eikum <aeikum@codeweavers.com>
2016-07-06 14:13:09 -05:00 · 2016-07-06 14:13:09 -05:00 · 4926845a57
commit 4926845a57
parent 9fcb554e9b
1 changed files with 17 additions and 0 deletions
--- a/Xext/shm.c
+++ b/Xext/shm.c
@ -618,6 +618,7 @@ ProcShmGetImage(ClientPtr client)
    xShmGetImageReply xgi;
    ShmDescPtr shmdesc;
    VisualID visual = None;
+    RegionPtr pVisibleRegion = NULL;
    int rc;

    REQUEST(xShmGetImageReq);
@ -649,6 +650,9 @@ ProcShmGetImage(ClientPtr client)
               wBorderWidth((WindowPtr) pDraw) + (int) pDraw->height)
            return BadMatch;
        visual = wVisual(((WindowPtr) pDraw));
+        pVisibleRegion = NotClippedByChildren((WindowPtr) pDraw);
+        if (pVisibleRegion)
+            RegionTranslate(pVisibleRegion, -pDraw->x, -pDraw->y);
    }
    else {
        if (stuff->x < 0 ||
@ -685,6 +689,11 @@ ProcShmGetImage(ClientPtr client)
                                     stuff->width, stuff->height,
                                     stuff->format, stuff->planeMask,
                                     shmdesc->addr + stuff->offset);
+        if (pVisibleRegion)
+            XaceCensorImage(client, pVisibleRegion,
+                    PixmapBytePad(stuff->width, pDraw->depth), pDraw,
+                    stuff->x, stuff->y, stuff->width, stuff->height,
+                    stuff->format, shmdesc->addr + stuff->offset);
    }
    else {

@ -696,11 +705,19 @@ ProcShmGetImage(ClientPtr client)
                                             stuff->width, stuff->height,
                                             stuff->format, plane,
                                             shmdesc->addr + length);
+                if (pVisibleRegion)
+                    XaceCensorImage(client, pVisibleRegion,
+                            BitmapBytePad(stuff->width), pDraw,
+                            stuff->x, stuff->y, stuff->width, stuff->height,
+                            stuff->format, shmdesc->addr + length);
                length += lenPer;
            }
        }
    }

+    if (pVisibleRegion)
+        RegionDestroy(pVisibleRegion);
+
    if (client->swapped) {
        swaps(&xgi.sequenceNumber);
        swapl(&xgi.length);