diff options
author | Olivier Fourdan <ofourdan@redhat.com> | 2015-01-16 20:08:59 +0100 |
---|---|---|
committer | Mike DePaulo <mikedep333@gmail.com> | 2015-02-17 21:24:28 -0500 |
commit | 9308c79ba2757cb1a64e0040176b8290b435544f (patch) | |
tree | d409f4e736836ca755e8745b0c2b9e00171c34cd /nxcomp/ServerReadBuffer.cpp | |
parent | 3937db18a203f9936387286b95328f27013a5ffe (diff) | |
download | nx-libs-9308c79ba2757cb1a64e0040176b8290b435544f.tar.gz nx-libs-9308c79ba2757cb1a64e0040176b8290b435544f.tar.bz2 nx-libs-9308c79ba2757cb1a64e0040176b8290b435544f.zip |
xkb: Don't swap XkbSetGeometry data in the input buffer
The XkbSetGeometry request embeds data which needs to be swapped when the
server and the client have different endianess.
_XkbSetGeometry() invokes functions that swap these data directly in the
input buffer.
However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
(if there is more than one keyboard), thus causing on swapped clients the
same data to be swapped twice in memory, further causing a server crash
because the strings lengths on the second time are way off bounds.
To allow _XkbSetGeometry() to run reliably more than once with swapped
clients, do not swap the data in the buffer, use variables instead.
v3: backport to nx-libs 3.6.x as a prereq for
the CVE-2015-0255 fix (Mike DePaulo)
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd)
(cherry picked from commit 29be310c303914090298ddda93a5bd5d00a94945)
Signed-off-by: Julien Cristau <jcristau@debian.org>
index 2405090..7db0959 100644
Diffstat (limited to 'nxcomp/ServerReadBuffer.cpp')
0 files changed, 0 insertions, 0 deletions