[X2Go-Commits] [nx-libs] 02/02: xkb: Don't swap XkbSetGeometry data in the input buffer
git-admin at x2go.org
git-admin at x2go.org
Tue Feb 17 14:37:24 CET 2015
This is an automated email from the git hooks/post-receive script.
x2go pushed a commit to branch CVE-2015-0255
in repository nx-libs.
commit a1cd16d6d05b197fff110d26b458d8bd6cf3c560
Author: Olivier Fourdan <ofourdan at redhat.com>
Date: Fri Jan 16 20:08:59 2015 +0100
xkb: Don't swap XkbSetGeometry data in the input buffer
The XkbSetGeometry request embeds data which needs to be swapped when the
server and the client have different endianess.
_XkbSetGeometry() invokes functions that swap these data directly in the
input buffer.
However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
(if there is more than one keyboard), thus causing on swapped clients the
same data to be swapped twice in memory, further causing a server crash
because the strings lengths on the second time are way off bounds.
To allow _XkbSetGeometry() to run reliably more than once with swapped
clients, do not swap the data in the buffer, use variables instead.
v3: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd)
(cherry picked from commit 29be310c303914090298ddda93a5bd5d00a94945)
Signed-off-by: Julien Cristau <jcristau at debian.org>
index 2405090..7db0959 100644
---
nx-X11/programs/Xserver/xkb/xkb.c | 35 +++++++++++++++++++----------------
1 file changed, 19 insertions(+), 16 deletions(-)
diff --git a/nx-X11/programs/Xserver/xkb/xkb.c b/nx-X11/programs/Xserver/xkb/xkb.c
index 2405090..7db0959 100644
--- a/nx-X11/programs/Xserver/xkb/xkb.c
+++ b/nx-X11/programs/Xserver/xkb/xkb.c
@@ -4441,15 +4441,14 @@ static char *
_GetCountedString(char **wire_inout,Bool swap)
{
char * wire,*str;
-CARD16 len,*plen;
+CARD16 len;
wire= *wire_inout;
- plen= (CARD16 *)wire;
+ len= (CARD16 *)wire;
if (swap) {
register int n;
- swaps(plen,n);
+ swaps(&len, n);
}
- len= *plen;
str= (char *)_XkbAlloc(len+1);
if (str) {
memcpy(str,&wire[2],len);
@@ -4468,26 +4467,29 @@ _CheckSetDoodad( char ** wire_inout,
{
char * wire;
xkbDoodadWireDesc * dWire;
+xkbAnyDoodadWireDesc any;
+xkbTextDoodadWireDesc text;
XkbDoodadPtr doodad;
dWire= (xkbDoodadWireDesc *)(*wire_inout);
+ any = dWire->any;
wire= (char *)&dWire[1];
if (client->swapped) {
register int n;
- swapl(&dWire->any.name,n);
- swaps(&dWire->any.top,n);
- swaps(&dWire->any.left,n);
- swaps(&dWire->any.angle,n);
+ swapl(&any.name, n);
+ swaps(&any.top, n);
+ swaps(&any.left, n);
+ swaps(&any.angle, n);
}
CHK_ATOM_ONLY(dWire->any.name);
- doodad= XkbAddGeomDoodad(geom,section,dWire->any.name);
+ doodad = XkbAddGeomDoodad(geom, section, any.name);
if (!doodad)
return BadAlloc;
doodad->any.type= dWire->any.type;
doodad->any.priority= dWire->any.priority;
- doodad->any.top= dWire->any.top;
- doodad->any.left= dWire->any.left;
- doodad->any.angle= dWire->any.angle;
+ doodad->any.top = any.top;
+ doodad->any.left = any.left;
+ doodad->any.angle = any.angle;
switch (doodad->any.type) {
case XkbOutlineDoodad:
case XkbSolidDoodad:
@@ -4510,13 +4512,14 @@ XkbDoodadPtr doodad;
dWire->text.colorNdx);
return BadMatch;
}
+ text = dWire->text;
if (client->swapped) {
register int n;
- swaps(&dWire->text.width,n);
- swaps(&dWire->text.height,n);
+ swaps(&text.width, n);
+ swaps(&text.height, n);
}
- doodad->text.width= dWire->text.width;
- doodad->text.height= dWire->text.height;
+ doodad->text.width= text.width;
+ doodad->text.height= text.height;
doodad->text.color_ndx= dWire->text.colorNdx;
doodad->text.text= _GetCountedString(&wire,client->swapped);
doodad->text.font= _GetCountedString(&wire,client->swapped);
--
Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
More information about the x2go-commits
mailing list