aboutsummaryrefslogtreecommitdiff
path: root/debian/patches/1104-xkb-Check-strings-length-against-request-size.full.patch
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/1104-xkb-Check-strings-length-against-request-size.full.patch')
-rw-r--r--debian/patches/1104-xkb-Check-strings-length-against-request-size.full.patch143
1 files changed, 0 insertions, 143 deletions
diff --git a/debian/patches/1104-xkb-Check-strings-length-against-request-size.full.patch b/debian/patches/1104-xkb-Check-strings-length-against-request-size.full.patch
deleted file mode 100644
index 79f27ab8d..000000000
--- a/debian/patches/1104-xkb-Check-strings-length-against-request-size.full.patch
+++ /dev/null
@@ -1,143 +0,0 @@
-From d7258444a876a65986212c10ddcaa1783af558bf Mon Sep 17 00:00:00 2001
-From: Olivier Fourdan <ofourdan@redhat.com>
-Date: Fri, 16 Jan 2015 08:44:45 +0100
-Subject: [PATCH 4/4] xkb: Check strings length against request size
-
-Ensure that the given strings length in an XkbSetGeometry request remain
-within the limits of the size of the request.
-
-v3: backport to nx-libs 3.6.x because this is
-the CVE-2015-0255 fix (Mike DePaulo)
-
-Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-(cherry picked from commit 20079c36cf7d377938ca5478447d8b9045cb7d43)
-(cherry picked from commit f160e722672dbb2b5215870b47bcc51461d96ff1)
-Signed-off-by: Julien Cristau <jcristau@debian.org>
----
- nx-X11/programs/Xserver/xkb/xkb.c | 66 ++++++++++++++++++++++++---------------
- 1 file changed, 41 insertions(+), 25 deletions(-)
-
---- a/nx-X11/programs/Xserver/xkb/xkb.c
-+++ b/nx-X11/programs/Xserver/xkb/xkb.c
-@@ -4437,26 +4437,30 @@ ProcXkbGetGeometry(ClientPtr client)
-
- /***====================================================================***/
-
--static char *
--_GetCountedString(char **wire_inout,Bool swap)
-+static Status
-+_GetCountedString(char **wire_inout, ClientPtr client, char **str)
- {
--char * wire,*str;
-+char * wire, *next;
- CARD16 len;
-
- wire= *wire_inout;
- len= (CARD16 *)wire;
-- if (swap) {
-+ if (client->swapped) {
- register int n;
- swaps(&len, n);
- }
-- str= (char *)_XkbAlloc(len+1);
-- if (str) {
-- memcpy(str,&wire[2],len);
-- str[len]= '\0';
-- }
-- wire+= XkbPaddedSize(len+2);
-- *wire_inout= wire;
-- return str;
-+ next = wire + XkbPaddedSize(len + 2);
-+ /* Check we're still within the size of the request */
-+ if (client->req_len <
-+ bytes_to_int32(next - (char *) client->requestBuffer))
-+ return BadValue;
-+ *str = malloc(len + 1);
-+ if (!*str)
-+ return BadAlloc;
-+ memcpy(*str, &wire[2], len);
-+ *(*str + len) = '\0';
-+ *wire_inout = next;
-+ return Success;
- }
-
- static Status
-@@ -4470,6 +4474,7 @@ xkbDoodadWireDesc * dWire;
- xkbAnyDoodadWireDesc any;
- xkbTextDoodadWireDesc text;
- XkbDoodadPtr doodad;
-+Status status;
-
- dWire= (xkbDoodadWireDesc *)(*wire_inout);
- any = dWire->any;
-@@ -4521,8 +4526,14 @@ XkbDoodadPtr doodad;
- doodad->text.width= text.width;
- doodad->text.height= text.height;
- doodad->text.color_ndx= dWire->text.colorNdx;
-- doodad->text.text= _GetCountedString(&wire,client->swapped);
-- doodad->text.font= _GetCountedString(&wire,client->swapped);
-+ status = _GetCountedString(&wire, client, &doodad->text.text);
-+ if (status != Success)
-+ return status;
-+ status = _GetCountedString(&wire, client, &doodad->text.font);
-+ if (status != Success) {
-+ free (doodad->text.text);
-+ return status;
-+ }
- break;
- case XkbIndicatorDoodad:
- if (dWire->indicator.onColorNdx>=geom->num_colors) {
-@@ -4557,7 +4568,9 @@ XkbDoodadPtr doodad;
- }
- doodad->logo.color_ndx= dWire->logo.colorNdx;
- doodad->logo.shape_ndx= dWire->logo.shapeNdx;
-- doodad->logo.logo_name= _GetCountedString(&wire,client->swapped);
-+ status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
-+ if (status != Success)
-+ return status;
- break;
- default:
- client->errorValue= _XkbErrCode2(0x4F,dWire->any.type);
-@@ -4792,17 +4805,19 @@ Status status;
- char * wire;
-
- wire= (char *)&req[1];
-- geom->label_font= _GetCountedString(&wire,client->swapped);
-+ status = _GetCountedString(&wire, client, &geom->label_font);
-+ if (status != Success)
-+ return status;
-
- for (i=0;i<req->nProperties;i++) {
- char *name,*val;
-- name= _GetCountedString(&wire,client->swapped);
-- if (!name)
-- return BadAlloc;
-- val= _GetCountedString(&wire,client->swapped);
-- if (!val) {
-+ status = _GetCountedString(&wire, client, &name);
-+ if (status != Success)
-+ return status;
-+ status = _GetCountedString(&wire, client, &val);
-+ if (status != Success) {
- xfree(name);
-- return BadAlloc;
-+ return status;
- }
- if (XkbAddGeomProperty(geom,name,val)==NULL) {
- xfree(name);
-@@ -4833,9 +4848,10 @@ char * wire;
-
- for (i=0;i<req->nColors;i++) {
- char *name;
-- name= _GetCountedString(&wire,client->swapped);
-- if (!name)
-- return BadAlloc;
-+
-+ status = _GetCountedString(&wire, client, &name);
-+ if (status != Success)
-+ return status;
- if (!XkbAddGeomColor(geom,name,geom->num_colors)) {
- xfree(name);
- return BadAlloc;
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-28 22:43:46 +0000