[X2Go-Commits] [nx-libs] 160/429: Revert "CVE-2020-14360: Check SetMap request length carefully."
git-admin at x2go.org
git-admin at x2go.org
Mon Oct 18 09:36:22 CEST 2021
This is an automated email from the git hooks/post-receive script.
x2go pushed a commit to branch 3.6.x
in repository nx-libs.
commit 1257561577cd8227f3534fc44b72a1239aba363c
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date: Fri Jan 15 17:00:42 2021 +0100
Revert "CVE-2020-14360: Check SetMap request length carefully."
This reverts commit 4eba4f53ad8c62c27c12835e58184d66121ff636.
---
nx-X11/programs/Xserver/xkb/xkb.c | 91 ---------------------------------------
1 file changed, 91 deletions(-)
diff --git a/nx-X11/programs/Xserver/xkb/xkb.c b/nx-X11/programs/Xserver/xkb/xkb.c
index 654b33fe7..7b392fa09 100644
--- a/nx-X11/programs/Xserver/xkb/xkb.c
+++ b/nx-X11/programs/Xserver/xkb/xkb.c
@@ -2202,92 +2202,6 @@ XkbServerMapPtr srv = xkbi->desc->server;
return (char *)wire;
}
-#define _add_check_len(new) \
- if (len > UINT32_MAX - (new) || len > req_len - (new)) goto bad; \
- else len += new
-
-/**
- * Check the length of the SetMap request
- */
-static int
-_XkbSetMapCheckLength(xkbSetMapReq *req)
-{
- size_t len = sz_xkbSetMapReq, req_len = req->length << 2;
- xkbKeyTypeWireDesc *keytype;
- xkbSymMapWireDesc *symmap;
- BOOL preserve;
- int i, map_count, nSyms;
-
- if (req_len < len)
- goto bad;
- /* types */
- if (req->present & XkbKeyTypesMask) {
- keytype = (xkbKeyTypeWireDesc *)(req + 1);
- for (i = 0; i < req->nTypes; i++) {
- _add_check_len(XkbPaddedSize(sz_xkbKeyTypeWireDesc));
- if (req->flags & XkbSetMapResizeTypes) {
- _add_check_len(keytype->nMapEntries
- * sz_xkbKTSetMapEntryWireDesc);
- preserve = keytype->preserve;
- map_count = keytype->nMapEntries;
- if (preserve) {
- _add_check_len(map_count * sz_xkbModsWireDesc);
- }
- keytype += 1;
- keytype = (xkbKeyTypeWireDesc *)
- ((xkbKTSetMapEntryWireDesc *)keytype + map_count);
- if (preserve)
- keytype = (xkbKeyTypeWireDesc *)
- ((xkbModsWireDesc *)keytype + map_count);
- }
- }
- }
- /* syms */
- if (req->present & XkbKeySymsMask) {
- symmap = (xkbSymMapWireDesc *)((char *)req + len);
- for (i = 0; i < req->nKeySyms; i++) {
- _add_check_len(sz_xkbSymMapWireDesc);
- nSyms = symmap->nSyms;
- _add_check_len(nSyms*sizeof(CARD32));
- symmap += 1;
- symmap = (xkbSymMapWireDesc *)((CARD32 *)symmap + nSyms);
- }
- }
- /* actions */
- if (req->present & XkbKeyActionsMask) {
- _add_check_len(req->totalActs * sz_xkbActionWireDesc
- + XkbPaddedSize(req->nKeyActs));
- }
- /* behaviours */
- if (req->present & XkbKeyBehaviorsMask) {
- _add_check_len(req->totalKeyBehaviors * sz_xkbBehaviorWireDesc);
- }
- /* vmods */
- if (req->present & XkbVirtualModsMask) {
- _add_check_len(XkbPaddedSize(Ones(req->virtualMods)));
- }
- /* explicit */
- if (req->present & XkbExplicitComponentsMask) {
- /* two bytes per non-zero explicit componen */
- _add_check_len(XkbPaddedSize(req->totalKeyExplicit * sizeof(CARD16)));
- }
- /* modmap */
- if (req->present & XkbModifierMapMask) {
- /* two bytes per non-zero modmap component */
- _add_check_len(XkbPaddedSize(req->totalModMapKeys * sizeof(CARD16)));
- }
- /* vmodmap */
- if (req->present & XkbVirtualModMapMask) {
- _add_check_len(req->totalVModMapKeys * sz_xkbVModMapWireDesc);
- }
- if (len == req_len)
- return Success;
-bad:
- ErrorF("[xkb] BOGUS LENGTH in SetMap: expected %ld got %ld\n",
- len, req_len);
- return BadLength;
-}
-
int
ProcXkbSetMap(ClientPtr client)
{
@@ -2311,11 +2225,6 @@ ProcXkbSetMap(ClientPtr client)
CHK_KBD_DEVICE(dev,stuff->deviceSpec);
CHK_MASK_LEGAL(0x01,stuff->present,XkbAllMapComponentsMask);
- /* first verify the request length carefully */
- rc = _XkbSetMapCheckLength(stuff);
- if (rc != Success)
- return rc;
-
XkbSetCauseXkbReq(&cause,X_kbSetMap,client);
xkbi= dev->key->xkbInfo;
xkb = xkbi->desc;
--
Alioth's /home/x2go-admin/maintenancescripts/git/hooks/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
More information about the x2go-commits
mailing list