[X2Go-Commits] [vcxsrv] 01/06: xkb: Don't swap XkbSetGeometry data in the input buffer

git-admin at x2go.org git-admin at x2go.org
Mon Mar 9 05:12:23 CET 2015


This is an automated email from the git hooks/post-receive script.

x2go pushed a commit to tag 1.15.2.3-xp+vc2013+x2go1
in repository vcxsrv.

commit 6f11c4ac377676d44324888c834ab6a17d9fe1dd
Author: Olivier Fourdan <ofourdan at redhat.com>
Date:   Fri Jan 16 20:08:59 2015 +0100

    xkb: Don't swap XkbSetGeometry data in the input buffer
    
    The XkbSetGeometry request embeds data which needs to be swapped when the
    server and the client have different endianess.
    
    _XkbSetGeometry() invokes functions that swap these data directly in the
    input buffer.
    
    However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
    (if there is more than one keyboard), thus causing on swapped clients the
    same data to be swapped twice in memory, further causing a server crash
    because the strings lengths on the second time are way off bounds.
    
    To allow _XkbSetGeometry() to run reliably more than once with swapped
    clients, do not swap the data in the buffer, use variables instead.
    
    Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
    Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
    (cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd)
    (cherry picked from commit 29be310c303914090298ddda93a5bd5d00a94945)
    Signed-off-by: Julien Cristau <jcristau at debian.org>
---
 xorg-server/xkb/xkb.c |   35 +++++++++++++++++++----------------
 1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/xorg-server/xkb/xkb.c b/xorg-server/xkb/xkb.c
index ae2ca90..d1aaa02 100644
--- a/xorg-server/xkb/xkb.c
+++ b/xorg-server/xkb/xkb.c
@@ -4956,14 +4956,13 @@ static char *
 _GetCountedString(char **wire_inout, Bool swap)
 {
     char *wire, *str;
-    CARD16 len, *plen;
+    CARD16 len;
 
     wire = *wire_inout;
-    plen = (CARD16 *) wire;
+    len = *(CARD16 *) wire;
     if (swap) {
-        swaps(plen);
+        swaps(&len);
     }
-    len = *plen;
     str = malloc(len + 1);
     if (str) {
         memcpy(str, &wire[2], len);
@@ -4980,25 +4979,28 @@ _CheckSetDoodad(char **wire_inout,
 {
     char *wire;
     xkbDoodadWireDesc *dWire;
+    xkbAnyDoodadWireDesc any;
+    xkbTextDoodadWireDesc text;
     XkbDoodadPtr doodad;
 
     dWire = (xkbDoodadWireDesc *) (*wire_inout);
+    any = dWire->any;
     wire = (char *) &dWire[1];
     if (client->swapped) {
-        swapl(&dWire->any.name);
-        swaps(&dWire->any.top);
-        swaps(&dWire->any.left);
-        swaps(&dWire->any.angle);
+        swapl(&any.name);
+        swaps(&any.top);
+        swaps(&any.left);
+        swaps(&any.angle);
     }
     CHK_ATOM_ONLY(dWire->any.name);
-    doodad = XkbAddGeomDoodad(geom, section, dWire->any.name);
+    doodad = XkbAddGeomDoodad(geom, section, any.name);
     if (!doodad)
         return BadAlloc;
     doodad->any.type = dWire->any.type;
     doodad->any.priority = dWire->any.priority;
-    doodad->any.top = dWire->any.top;
-    doodad->any.left = dWire->any.left;
-    doodad->any.angle = dWire->any.angle;
+    doodad->any.top = any.top;
+    doodad->any.left = any.left;
+    doodad->any.angle = any.angle;
     switch (doodad->any.type) {
     case XkbOutlineDoodad:
     case XkbSolidDoodad:
@@ -5021,12 +5023,13 @@ _CheckSetDoodad(char **wire_inout,
                                               dWire->text.colorNdx);
             return BadMatch;
         }
+        text = dWire->text;
         if (client->swapped) {
-            swaps(&dWire->text.width);
-            swaps(&dWire->text.height);
+            swaps(&text.width);
+            swaps(&text.height);
         }
-        doodad->text.width = dWire->text.width;
-        doodad->text.height = dWire->text.height;
+        doodad->text.width = text.width;
+        doodad->text.height = text.height;
         doodad->text.color_ndx = dWire->text.colorNdx;
         doodad->text.text = _GetCountedString(&wire, client->swapped);
         doodad->text.font = _GetCountedString(&wire, client->swapped);

--
Alioth's /srv/git/code.x2go.org/vcxsrv.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/vcxsrv.git


More information about the x2go-commits mailing list