andreacavalli/xserver-multidpi
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

xkb: Don't swap XkbSetGeometry data in the input buffer

Browse Source 
The XkbSetGeometry request embeds data which needs to be swapped when the
server and the client have different endianess.

_XkbSetGeometry() invokes functions that swap these data directly in the
input buffer.

However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
(if there is more than one keyboard), thus causing on swapped clients the
same data to be swapped twice in memory, further causing a server crash
because the strings lengths on the second time are way off bounds.

To allow _XkbSetGeometry() to run reliably more than once with swapped
clients, do not swap the data in the buffer, use variables instead.

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
This commit is contained in:
Olivier Fourdan 2015-01-16 20:08:59 +01:00 committed by Keith Packard
parent 28f6427aec
commit 81c90dc8f0
1 changed files with 19 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
xkb/xkb.c
View File

@ -4961,14 +4961,13 @@ static char *
_GetCountedString(char **wire_inout, Bool swap) _GetCountedString(char **wire_inout, Bool swap)
{ {
char *wire, *str; char *wire, *str;
CARD16 len, *plen; CARD16 len;
wire = *wire_inout; wire = *wire_inout;
plen = (CARD16 *) wire; len = *(CARD16 *) wire;
if (swap) { if (swap) {
swaps(plen); swaps(&len);
} }
len = *plen;
str = malloc(len + 1); str = malloc(len + 1);
if (str) { if (str) {
memcpy(str, &wire[2], len); memcpy(str, &wire[2], len);
@ -4985,25 +4984,28 @@ _CheckSetDoodad(char **wire_inout,
{ {
char *wire; char *wire;
xkbDoodadWireDesc *dWire; xkbDoodadWireDesc *dWire;
xkbAnyDoodadWireDesc any;
xkbTextDoodadWireDesc text;
XkbDoodadPtr doodad; XkbDoodadPtr doodad;
dWire = (xkbDoodadWireDesc *) (*wire_inout); dWire = (xkbDoodadWireDesc *) (*wire_inout);
any = dWire->any;
wire = (char *) &dWire[1]; wire = (char *) &dWire[1];
if (client->swapped) { if (client->swapped) {
swapl(&dWire->any.name); swapl(&any.name);
swaps(&dWire->any.top); swaps(&any.top);
swaps(&dWire->any.left); swaps(&any.left);
swaps(&dWire->any.angle); swaps(&any.angle);
} }
CHK_ATOM_ONLY(dWire->any.name); CHK_ATOM_ONLY(dWire->any.name);
doodad = XkbAddGeomDoodad(geom, section, dWire->any.name); doodad = XkbAddGeomDoodad(geom, section, any.name);
if (!doodad) if (!doodad)
return BadAlloc; return BadAlloc;
doodad->any.type = dWire->any.type; doodad->any.type = dWire->any.type;
doodad->any.priority = dWire->any.priority; doodad->any.priority = dWire->any.priority;
doodad->any.top = dWire->any.top; doodad->any.top = any.top;
doodad->any.left = dWire->any.left; doodad->any.left = any.left;
doodad->any.angle = dWire->any.angle; doodad->any.angle = any.angle;
switch (doodad->any.type) { switch (doodad->any.type) {
case XkbOutlineDoodad: case XkbOutlineDoodad:
case XkbSolidDoodad: case XkbSolidDoodad:
@ -5026,12 +5028,13 @@ _CheckSetDoodad(char **wire_inout,
dWire->text.colorNdx); dWire->text.colorNdx);
return BadMatch; return BadMatch;
} }
text = dWire->text;
if (client->swapped) { if (client->swapped) {
swaps(&dWire->text.width); swaps(&text.width);
swaps(&dWire->text.height); swaps(&text.height);
} }
doodad->text.width = dWire->text.width; doodad->text.width = text.width;
doodad->text.height = dWire->text.height; doodad->text.height = text.height;
doodad->text.color_ndx = dWire->text.colorNdx; doodad->text.color_ndx = dWire->text.colorNdx;
doodad->text.text = _GetCountedString(&wire, client->swapped); doodad->text.text = _GetCountedString(&wire, client->swapped);
doodad->text.font = _GetCountedString(&wire, client->swapped); doodad->text.font = _GetCountedString(&wire, client->swapped);