From 29be310c303914090298ddda93a5bd5d00a94945 Mon Sep 17 00:00:00 2001 From: Olivier Fourdan Date: Fri, 16 Jan 2015 20:08:59 +0100 Subject: xkb: Don't swap XkbSetGeometry data in the input buffer The XkbSetGeometry request embeds data which needs to be swapped when the server and the client have different endianess. _XkbSetGeometry() invokes functions that swap these data directly in the input buffer. However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once (if there is more than one keyboard), thus causing on swapped clients the same data to be swapped twice in memory, further causing a server crash because the strings lengths on the second time are way off bounds. To allow _XkbSetGeometry() to run reliably more than once with swapped clients, do not swap the data in the buffer, use variables instead. Signed-off-by: Olivier Fourdan Signed-off-by: Peter Hutterer (cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd) --- xkb/xkb.c | 35 +++++++++++++++++++---------------- 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/xkb/xkb.c b/xkb/xkb.c index 15c7f34cf..b9a3ac40a 100644 --- a/xkb/xkb.c +++ b/xkb/xkb.c @@ -4961,14 +4961,13 @@ static char * _GetCountedString(char **wire_inout, Bool swap) { char *wire, *str; - CARD16 len, *plen; + CARD16 len; wire = *wire_inout; - plen = (CARD16 *) wire; + len = *(CARD16 *) wire; if (swap) { - swaps(plen); + swaps(&len); } - len = *plen; str = malloc(len + 1); if (str) { memcpy(str, &wire[2], len); @@ -4985,25 +4984,28 @@ _CheckSetDoodad(char **wire_inout, { char *wire; xkbDoodadWireDesc *dWire; + xkbAnyDoodadWireDesc any; + xkbTextDoodadWireDesc text; XkbDoodadPtr doodad; dWire = (xkbDoodadWireDesc *) (*wire_inout); + any = dWire->any; wire = (char *) &dWire[1]; if (client->swapped) { - swapl(&dWire->any.name); - swaps(&dWire->any.top); - swaps(&dWire->any.left); - swaps(&dWire->any.angle); + swapl(&any.name); + swaps(&any.top); + swaps(&any.left); + swaps(&any.angle); } CHK_ATOM_ONLY(dWire->any.name); - doodad = XkbAddGeomDoodad(geom, section, dWire->any.name); + doodad = XkbAddGeomDoodad(geom, section, any.name); if (!doodad) return BadAlloc; doodad->any.type = dWire->any.type; doodad->any.priority = dWire->any.priority; - doodad->any.top = dWire->any.top; - doodad->any.left = dWire->any.left; - doodad->any.angle = dWire->any.angle; + doodad->any.top = any.top; + doodad->any.left = any.left; + doodad->any.angle = any.angle; switch (doodad->any.type) { case XkbOutlineDoodad: case XkbSolidDoodad: @@ -5026,12 +5028,13 @@ _CheckSetDoodad(char **wire_inout, dWire->text.colorNdx); return BadMatch; } + text = dWire->text; if (client->swapped) { - swaps(&dWire->text.width); - swaps(&dWire->text.height); + swaps(&text.width); + swaps(&text.height); } - doodad->text.width = dWire->text.width; - doodad->text.height = dWire->text.height; + doodad->text.width = text.width; + doodad->text.height = text.height; doodad->text.color_ndx = dWire->text.colorNdx; doodad->text.text = _GetCountedString(&wire, client->swapped); doodad->text.font = _GetCountedString(&wire, client->swapped); -- cgit v1.2.3 From f160e722672dbb2b5215870b47bcc51461d96ff1 Mon Sep 17 00:00:00 2001 From: Olivier Fourdan Date: Fri, 16 Jan 2015 08:44:45 +0100 Subject: xkb: Check strings length against request size Ensure that the given strings length in an XkbSetGeometry request remain within the limits of the size of the request. Signed-off-by: Olivier Fourdan Reviewed-by: Peter Hutterer Signed-off-by: Peter Hutterer (cherry picked from commit 20079c36cf7d377938ca5478447d8b9045cb7d43) --- xkb/xkb.c | 65 +++++++++++++++++++++++++++++++++++++++------------------------ 1 file changed, 40 insertions(+), 25 deletions(-) diff --git a/xkb/xkb.c b/xkb/xkb.c index b9a3ac40a..f3988f9a7 100644 --- a/xkb/xkb.c +++ b/xkb/xkb.c @@ -4957,25 +4957,29 @@ ProcXkbGetGeometry(ClientPtr client) /***====================================================================***/ -static char * -_GetCountedString(char **wire_inout, Bool swap) +static Status +_GetCountedString(char **wire_inout, ClientPtr client, char **str) { - char *wire, *str; + char *wire, *next; CARD16 len; wire = *wire_inout; len = *(CARD16 *) wire; - if (swap) { + if (client->swapped) { swaps(&len); } - str = malloc(len + 1); - if (str) { - memcpy(str, &wire[2], len); - str[len] = '\0'; - } - wire += XkbPaddedSize(len + 2); - *wire_inout = wire; - return str; + next = wire + XkbPaddedSize(len + 2); + /* Check we're still within the size of the request */ + if (client->req_len < + bytes_to_int32(next - (char *) client->requestBuffer)) + return BadValue; + *str = malloc(len + 1); + if (!*str) + return BadAlloc; + memcpy(*str, &wire[2], len); + *(*str + len) = '\0'; + *wire_inout = next; + return Success; } static Status @@ -4987,6 +4991,7 @@ _CheckSetDoodad(char **wire_inout, xkbAnyDoodadWireDesc any; xkbTextDoodadWireDesc text; XkbDoodadPtr doodad; + Status status; dWire = (xkbDoodadWireDesc *) (*wire_inout); any = dWire->any; @@ -5036,8 +5041,14 @@ _CheckSetDoodad(char **wire_inout, doodad->text.width = text.width; doodad->text.height = text.height; doodad->text.color_ndx = dWire->text.colorNdx; - doodad->text.text = _GetCountedString(&wire, client->swapped); - doodad->text.font = _GetCountedString(&wire, client->swapped); + status = _GetCountedString(&wire, client, &doodad->text.text); + if (status != Success) + return status; + status = _GetCountedString(&wire, client, &doodad->text.font); + if (status != Success) { + free (doodad->text.text); + return status; + } break; case XkbIndicatorDoodad: if (dWire->indicator.onColorNdx >= geom->num_colors) { @@ -5072,7 +5083,9 @@ _CheckSetDoodad(char **wire_inout, } doodad->logo.color_ndx = dWire->logo.colorNdx; doodad->logo.shape_ndx = dWire->logo.shapeNdx; - doodad->logo.logo_name = _GetCountedString(&wire, client->swapped); + status = _GetCountedString(&wire, client, &doodad->logo.logo_name); + if (status != Success) + return status; break; default: client->errorValue = _XkbErrCode2(0x4F, dWire->any.type); @@ -5304,18 +5317,20 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client) char *wire; wire = (char *) &req[1]; - geom->label_font = _GetCountedString(&wire, client->swapped); + status = _GetCountedString(&wire, client, &geom->label_font); + if (status != Success) + return status; for (i = 0; i < req->nProperties; i++) { char *name, *val; - name = _GetCountedString(&wire, client->swapped); - if (!name) - return BadAlloc; - val = _GetCountedString(&wire, client->swapped); - if (!val) { + status = _GetCountedString(&wire, client, &name); + if (status != Success) + return status; + status = _GetCountedString(&wire, client, &val); + if (status != Success) { free(name); - return BadAlloc; + return status; } if (XkbAddGeomProperty(geom, name, val) == NULL) { free(name); @@ -5349,9 +5364,9 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client) for (i = 0; i < req->nColors; i++) { char *name; - name = _GetCountedString(&wire, client->swapped); - if (!name) - return BadAlloc; + status = _GetCountedString(&wire, client, &name); + if (status != Success) + return status; if (!XkbAddGeomColor(geom, name, geom->num_colors)) { free(name); return BadAlloc; -- cgit v1.2.3 From 3b0d1ba2266d2780bfc111bab74885b90458eca4 Mon Sep 17 00:00:00 2001 From: Keith Packard Date: Tue, 10 Feb 2015 14:43:34 -0800 Subject: Release 1.17.1 Signed-off-by: Keith Packard --- configure.ac | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 2b4655273..4e47bbcec 100644 --- a/configure.ac +++ b/configure.ac @@ -26,9 +26,9 @@ dnl dnl Process this file with autoconf to create configure. AC_PREREQ(2.60) -AC_INIT([xorg-server], 1.17.0, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server) -RELEASE_DATE="2015-02-02" -RELEASE_NAME="Côte de veau" +AC_INIT([xorg-server], 1.17.1, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server) +RELEASE_DATE="2015-02-10" +RELEASE_NAME="lambic" AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_MACRO_DIR([m4]) AM_INIT_AUTOMAKE([foreign dist-bzip2]) -- cgit v1.2.3