diff options
author | Olivier Fourdan <ofourdan@redhat.com> | 2015-01-16 20:08:59 +0100 |
---|---|---|
committer | Keith Packard <keithp@keithp.com> | 2015-02-10 14:39:59 -0800 |
commit | 29be310c303914090298ddda93a5bd5d00a94945 (patch) | |
tree | db4729e1e7743b033733fa79112c524f78963a20 /xkb | |
parent | 28f6427aec1f5a1982e1c01eff45af0d401bf659 (diff) |
xkb: Don't swap XkbSetGeometry data in the input buffer
The XkbSetGeometry request embeds data which needs to be swapped when the
server and the client have different endianess.
_XkbSetGeometry() invokes functions that swap these data directly in the
input buffer.
However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
(if there is more than one keyboard), thus causing on swapped clients the
same data to be swapped twice in memory, further causing a server crash
because the strings lengths on the second time are way off bounds.
To allow _XkbSetGeometry() to run reliably more than once with swapped
clients, do not swap the data in the buffer, use variables instead.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd)
Diffstat (limited to 'xkb')
-rw-r--r-- | xkb/xkb.c | 35 |
1 files changed, 19 insertions, 16 deletions
@@ -4961,14 +4961,13 @@ static char * _GetCountedString(char **wire_inout, Bool swap) { char *wire, *str; - CARD16 len, *plen; + CARD16 len; wire = *wire_inout; - plen = (CARD16 *) wire; + len = *(CARD16 *) wire; if (swap) { - swaps(plen); + swaps(&len); } - len = *plen; str = malloc(len + 1); if (str) { memcpy(str, &wire[2], len); @@ -4985,25 +4984,28 @@ _CheckSetDoodad(char **wire_inout, { char *wire; xkbDoodadWireDesc *dWire; + xkbAnyDoodadWireDesc any; + xkbTextDoodadWireDesc text; XkbDoodadPtr doodad; dWire = (xkbDoodadWireDesc *) (*wire_inout); + any = dWire->any; wire = (char *) &dWire[1]; if (client->swapped) { - swapl(&dWire->any.name); - swaps(&dWire->any.top); - swaps(&dWire->any.left); - swaps(&dWire->any.angle); + swapl(&any.name); + swaps(&any.top); + swaps(&any.left); + swaps(&any.angle); } CHK_ATOM_ONLY(dWire->any.name); - doodad = XkbAddGeomDoodad(geom, section, dWire->any.name); + doodad = XkbAddGeomDoodad(geom, section, any.name); if (!doodad) return BadAlloc; doodad->any.type = dWire->any.type; doodad->any.priority = dWire->any.priority; - doodad->any.top = dWire->any.top; - doodad->any.left = dWire->any.left; - doodad->any.angle = dWire->any.angle; + doodad->any.top = any.top; + doodad->any.left = any.left; + doodad->any.angle = any.angle; switch (doodad->any.type) { case XkbOutlineDoodad: case XkbSolidDoodad: @@ -5026,12 +5028,13 @@ _CheckSetDoodad(char **wire_inout, dWire->text.colorNdx); return BadMatch; } + text = dWire->text; if (client->swapped) { - swaps(&dWire->text.width); - swaps(&dWire->text.height); + swaps(&text.width); + swaps(&text.height); } - doodad->text.width = dWire->text.width; - doodad->text.height = dWire->text.height; + doodad->text.width = text.width; + doodad->text.height = text.height; doodad->text.color_ndx = dWire->text.colorNdx; doodad->text.text = _GetCountedString(&wire, client->swapped); doodad->text.font = _GetCountedString(&wire, client->swapped); |