shm: Also censor images returned by ShmGetImage
We currently censor images from dix's GetImage, but not from ShmGetImage. This is a method to bypass XACE, creating a potential leak. We should censor in both methods. Reviewed-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Andrew Eikum <aeikum@codeweavers.com>
This commit is contained in:
parent
9fcb554e9b
commit
4926845a57
17
Xext/shm.c
17
Xext/shm.c
|
@ -618,6 +618,7 @@ ProcShmGetImage(ClientPtr client)
|
|||
xShmGetImageReply xgi;
|
||||
ShmDescPtr shmdesc;
|
||||
VisualID visual = None;
|
||||
RegionPtr pVisibleRegion = NULL;
|
||||
int rc;
|
||||
|
||||
REQUEST(xShmGetImageReq);
|
||||
|
@ -649,6 +650,9 @@ ProcShmGetImage(ClientPtr client)
|
|||
wBorderWidth((WindowPtr) pDraw) + (int) pDraw->height)
|
||||
return BadMatch;
|
||||
visual = wVisual(((WindowPtr) pDraw));
|
||||
pVisibleRegion = NotClippedByChildren((WindowPtr) pDraw);
|
||||
if (pVisibleRegion)
|
||||
RegionTranslate(pVisibleRegion, -pDraw->x, -pDraw->y);
|
||||
}
|
||||
else {
|
||||
if (stuff->x < 0 ||
|
||||
|
@ -685,6 +689,11 @@ ProcShmGetImage(ClientPtr client)
|
|||
stuff->width, stuff->height,
|
||||
stuff->format, stuff->planeMask,
|
||||
shmdesc->addr + stuff->offset);
|
||||
if (pVisibleRegion)
|
||||
XaceCensorImage(client, pVisibleRegion,
|
||||
PixmapBytePad(stuff->width, pDraw->depth), pDraw,
|
||||
stuff->x, stuff->y, stuff->width, stuff->height,
|
||||
stuff->format, shmdesc->addr + stuff->offset);
|
||||
}
|
||||
else {
|
||||
|
||||
|
@ -696,11 +705,19 @@ ProcShmGetImage(ClientPtr client)
|
|||
stuff->width, stuff->height,
|
||||
stuff->format, plane,
|
||||
shmdesc->addr + length);
|
||||
if (pVisibleRegion)
|
||||
XaceCensorImage(client, pVisibleRegion,
|
||||
BitmapBytePad(stuff->width), pDraw,
|
||||
stuff->x, stuff->y, stuff->width, stuff->height,
|
||||
stuff->format, shmdesc->addr + length);
|
||||
length += lenPer;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (pVisibleRegion)
|
||||
RegionDestroy(pVisibleRegion);
|
||||
|
||||
if (client->swapped) {
|
||||
swaps(&xgi.sequenceNumber);
|
||||
swapl(&xgi.length);
|
||||
|
|
Loading…
Reference in New Issue
Block a user