From 1257561577cd8227f3534fc44b72a1239aba363c Mon Sep 17 00:00:00 2001 From: Mike Gabriel Date: Fri, 15 Jan 2021 17:00:42 +0100 Subject: Revert "CVE-2020-14360: Check SetMap request length carefully." This reverts commit 4eba4f53ad8c62c27c12835e58184d66121ff636. --- nx-X11/programs/Xserver/xkb/xkb.c | 91 --------------------------------------- 1 file changed, 91 deletions(-) diff --git a/nx-X11/programs/Xserver/xkb/xkb.c b/nx-X11/programs/Xserver/xkb/xkb.c index 654b33fe7..7b392fa09 100644 --- a/nx-X11/programs/Xserver/xkb/xkb.c +++ b/nx-X11/programs/Xserver/xkb/xkb.c @@ -2202,92 +2202,6 @@ XkbServerMapPtr srv = xkbi->desc->server; return (char *)wire; } -#define _add_check_len(new) \ - if (len > UINT32_MAX - (new) || len > req_len - (new)) goto bad; \ - else len += new - -/** - * Check the length of the SetMap request - */ -static int -_XkbSetMapCheckLength(xkbSetMapReq *req) -{ - size_t len = sz_xkbSetMapReq, req_len = req->length << 2; - xkbKeyTypeWireDesc *keytype; - xkbSymMapWireDesc *symmap; - BOOL preserve; - int i, map_count, nSyms; - - if (req_len < len) - goto bad; - /* types */ - if (req->present & XkbKeyTypesMask) { - keytype = (xkbKeyTypeWireDesc *)(req + 1); - for (i = 0; i < req->nTypes; i++) { - _add_check_len(XkbPaddedSize(sz_xkbKeyTypeWireDesc)); - if (req->flags & XkbSetMapResizeTypes) { - _add_check_len(keytype->nMapEntries - * sz_xkbKTSetMapEntryWireDesc); - preserve = keytype->preserve; - map_count = keytype->nMapEntries; - if (preserve) { - _add_check_len(map_count * sz_xkbModsWireDesc); - } - keytype += 1; - keytype = (xkbKeyTypeWireDesc *) - ((xkbKTSetMapEntryWireDesc *)keytype + map_count); - if (preserve) - keytype = (xkbKeyTypeWireDesc *) - ((xkbModsWireDesc *)keytype + map_count); - } - } - } - /* syms */ - if (req->present & XkbKeySymsMask) { - symmap = (xkbSymMapWireDesc *)((char *)req + len); - for (i = 0; i < req->nKeySyms; i++) { - _add_check_len(sz_xkbSymMapWireDesc); - nSyms = symmap->nSyms; - _add_check_len(nSyms*sizeof(CARD32)); - symmap += 1; - symmap = (xkbSymMapWireDesc *)((CARD32 *)symmap + nSyms); - } - } - /* actions */ - if (req->present & XkbKeyActionsMask) { - _add_check_len(req->totalActs * sz_xkbActionWireDesc - + XkbPaddedSize(req->nKeyActs)); - } - /* behaviours */ - if (req->present & XkbKeyBehaviorsMask) { - _add_check_len(req->totalKeyBehaviors * sz_xkbBehaviorWireDesc); - } - /* vmods */ - if (req->present & XkbVirtualModsMask) { - _add_check_len(XkbPaddedSize(Ones(req->virtualMods))); - } - /* explicit */ - if (req->present & XkbExplicitComponentsMask) { - /* two bytes per non-zero explicit componen */ - _add_check_len(XkbPaddedSize(req->totalKeyExplicit * sizeof(CARD16))); - } - /* modmap */ - if (req->present & XkbModifierMapMask) { - /* two bytes per non-zero modmap component */ - _add_check_len(XkbPaddedSize(req->totalModMapKeys * sizeof(CARD16))); - } - /* vmodmap */ - if (req->present & XkbVirtualModMapMask) { - _add_check_len(req->totalVModMapKeys * sz_xkbVModMapWireDesc); - } - if (len == req_len) - return Success; -bad: - ErrorF("[xkb] BOGUS LENGTH in SetMap: expected %ld got %ld\n", - len, req_len); - return BadLength; -} - int ProcXkbSetMap(ClientPtr client) { @@ -2311,11 +2225,6 @@ ProcXkbSetMap(ClientPtr client) CHK_KBD_DEVICE(dev,stuff->deviceSpec); CHK_MASK_LEGAL(0x01,stuff->present,XkbAllMapComponentsMask); - /* first verify the request length carefully */ - rc = _XkbSetMapCheckLength(stuff); - if (rc != Success) - return rc; - XkbSetCauseXkbReq(&cause,X_kbSetMap,client); xkbi= dev->key->xkbInfo; xkb = xkbi->desc; -- cgit v1.2.3