Skip to content

N
nx-libs
Commit d7258444 authored by Olivier Fourdan's avatar Olivier Fourdan Committed by Mike DePaulo
Browse files
Options

xkb: Check strings length against request size

Ensure that the given strings length in an XkbSetGeometry request remain within the limits of the size of the request. v3: backport to nx-libs 3.6.x because this is the CVE-2015-0255 fix (Mike DePaulo) Signed-off-by: 's avatarOlivier Fourdan <ofourdan@redhat.com> Reviewed-by: 's avatarPeter Hutterer <peter.hutterer@who-t.net> Signed-off-by: 's avatarPeter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 20079c36cf7d377938ca5478447d8b9045cb7d43) (cherry picked from commit f160e722672dbb2b5215870b47bcc51461d96ff1) Signed-off-by: 's avatarJulien Cristau <jcristau@debian.org>
parent 9308c79b
Hide whitespace changes
Inline Side-by-side
Showing with 41 additions and 25 deletions
nx-X11/programs/Xserver/xkb/xkb.c
View file @ d7258444
...@@ -4437,26 +4437,30 @@ ProcXkbGetGeometry(ClientPtr client) ...@@ -4437,26 +4437,30 @@ ProcXkbGetGeometry(ClientPtr client)
/***====================================================================***/ /***====================================================================***/
static char * static Status
_GetCountedString(char **wire_inout,Bool swap) _GetCountedString(char **wire_inout, ClientPtr client, char **str)
{ {
char * wire,*str; char * wire, *next;
CARD16 len; CARD16 len;
wire= *wire_inout; wire= *wire_inout;
len= (CARD16 *)wire; len= (CARD16 *)wire;
if (swap) { if (client->swapped) {
register int n; register int n;
swaps(&len, n); swaps(&len, n);
} }
str= (char *)_XkbAlloc(len+1); next = wire + XkbPaddedSize(len + 2);
if (str) { /* Check we're still within the size of the request */
memcpy(str,&wire[2],len); if (client->req_len <
str[len]= '\0'; bytes_to_int32(next - (char *) client->requestBuffer))
} return BadValue;
wire+= XkbPaddedSize(len+2); *str = malloc(len + 1);
*wire_inout= wire; if (!*str)
return str; return BadAlloc;
memcpy(*str, &wire[2], len);
*(*str + len) = '\0';
*wire_inout = next;
return Success;
} }
static Status static Status
...@@ -4470,6 +4474,7 @@ xkbDoodadWireDesc * dWire; ...@@ -4470,6 +4474,7 @@ xkbDoodadWireDesc * dWire;
xkbAnyDoodadWireDesc any; xkbAnyDoodadWireDesc any;
xkbTextDoodadWireDesc text; xkbTextDoodadWireDesc text;
XkbDoodadPtr doodad; XkbDoodadPtr doodad;
Status status;
dWire= (xkbDoodadWireDesc *)(*wire_inout); dWire= (xkbDoodadWireDesc *)(*wire_inout);
any = dWire->any; any = dWire->any;
...@@ -4521,8 +4526,14 @@ XkbDoodadPtr doodad; ...@@ -4521,8 +4526,14 @@ XkbDoodadPtr doodad;
doodad->text.width= text.width; doodad->text.width= text.width;
doodad->text.height= text.height; doodad->text.height= text.height;
doodad->text.color_ndx= dWire->text.colorNdx; doodad->text.color_ndx= dWire->text.colorNdx;
doodad->text.text= _GetCountedString(&wire,client->swapped); status = _GetCountedString(&wire, client, &doodad->text.text);
doodad->text.font= _GetCountedString(&wire,client->swapped); if (status != Success)
return status;
status = _GetCountedString(&wire, client, &doodad->text.font);
if (status != Success) {
free (doodad->text.text);
return status;
}
break; break;
case XkbIndicatorDoodad: case XkbIndicatorDoodad:
if (dWire->indicator.onColorNdx>=geom->num_colors) { if (dWire->indicator.onColorNdx>=geom->num_colors) {
...@@ -4557,7 +4568,9 @@ XkbDoodadPtr doodad; ...@@ -4557,7 +4568,9 @@ XkbDoodadPtr doodad;
} }
doodad->logo.color_ndx= dWire->logo.colorNdx; doodad->logo.color_ndx= dWire->logo.colorNdx;
doodad->logo.shape_ndx= dWire->logo.shapeNdx; doodad->logo.shape_ndx= dWire->logo.shapeNdx;
doodad->logo.logo_name= _GetCountedString(&wire,client->swapped); status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
if (status != Success)
return status;
break; break;
default: default:
client->errorValue= _XkbErrCode2(0x4F,dWire->any.type); client->errorValue= _XkbErrCode2(0x4F,dWire->any.type);
...@@ -4792,17 +4805,19 @@ Status status; ...@@ -4792,17 +4805,19 @@ Status status;
char * wire; char * wire;
wire= (char *)&req[1]; wire= (char *)&req[1];
geom->label_font= _GetCountedString(&wire,client->swapped); status = _GetCountedString(&wire, client, &geom->label_font);
if (status != Success)
return status;
for (i=0;i<req->nProperties;i++) { for (i=0;i<req->nProperties;i++) {
char *name,*val; char *name,*val;
name= _GetCountedString(&wire,client->swapped); status = _GetCountedString(&wire, client, &name);
if (!name) if (status != Success)
return BadAlloc; return status;
val= _GetCountedString(&wire,client->swapped); status = _GetCountedString(&wire, client, &val);
if (!val) { if (status != Success) {
xfree(name); xfree(name);
return BadAlloc; return status;
} }
if (XkbAddGeomProperty(geom,name,val)==NULL) { if (XkbAddGeomProperty(geom,name,val)==NULL) {
xfree(name); xfree(name);
...@@ -4833,9 +4848,10 @@ char * wire; ...@@ -4833,9 +4848,10 @@ char * wire;
for (i=0;i<req->nColors;i++) { for (i=0;i<req->nColors;i++) {
char *name; char *name;
name= _GetCountedString(&wire,client->swapped);
if (!name) status = _GetCountedString(&wire, client, &name);
return BadAlloc; if (status != Success)
return status;
if (!XkbAddGeomColor(geom,name,geom->num_colors)) { if (!XkbAddGeomColor(geom,name,geom->num_colors)) {
xfree(name); xfree(name);
return BadAlloc; return BadAlloc;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment