From 9308c79ba2757cb1a64e0040176b8290b435544f Mon Sep 17 00:00:00 2001 From: Olivier Fourdan Date: Fri, 16 Jan 2015 20:08:59 +0100 Subject: xkb: Don't swap XkbSetGeometry data in the input buffer The XkbSetGeometry request embeds data which needs to be swapped when the server and the client have different endianess. _XkbSetGeometry() invokes functions that swap these data directly in the input buffer. However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once (if there is more than one keyboard), thus causing on swapped clients the same data to be swapped twice in memory, further causing a server crash because the strings lengths on the second time are way off bounds. To allow _XkbSetGeometry() to run reliably more than once with swapped clients, do not swap the data in the buffer, use variables instead. v3: backport to nx-libs 3.6.x as a prereq for the CVE-2015-0255 fix (Mike DePaulo) Signed-off-by: Olivier Fourdan Signed-off-by: Peter Hutterer (cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd) (cherry picked from commit 29be310c303914090298ddda93a5bd5d00a94945) Signed-off-by: Julien Cristau index 2405090..7db0959 100644 --- nx-X11/programs/Xserver/xkb/xkb.c | 35 +++++++++++++++++++---------------- 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/nx-X11/programs/Xserver/xkb/xkb.c b/nx-X11/programs/Xserver/xkb/xkb.c index 2561c8959..d8b5b2ce1 100644 --- a/nx-X11/programs/Xserver/xkb/xkb.c +++ b/nx-X11/programs/Xserver/xkb/xkb.c @@ -4441,15 +4441,14 @@ static char * _GetCountedString(char **wire_inout,Bool swap) { char * wire,*str; -CARD16 len,*plen; +CARD16 len; wire= *wire_inout; - plen= (CARD16 *)wire; + len= (CARD16 *)wire; if (swap) { register int n; - swaps(plen,n); + swaps(&len, n); } - len= *plen; str= (char *)_XkbAlloc(len+1); if (str) { memcpy(str,&wire[2],len); @@ -4468,26 +4467,29 @@ _CheckSetDoodad( char ** wire_inout, { char * wire; xkbDoodadWireDesc * dWire; +xkbAnyDoodadWireDesc any; +xkbTextDoodadWireDesc text; XkbDoodadPtr doodad; dWire= (xkbDoodadWireDesc *)(*wire_inout); + any = dWire->any; wire= (char *)&dWire[1]; if (client->swapped) { register int n; - swapl(&dWire->any.name,n); - swaps(&dWire->any.top,n); - swaps(&dWire->any.left,n); - swaps(&dWire->any.angle,n); + swapl(&any.name, n); + swaps(&any.top, n); + swaps(&any.left, n); + swaps(&any.angle, n); } CHK_ATOM_ONLY(dWire->any.name); - doodad= XkbAddGeomDoodad(geom,section,dWire->any.name); + doodad = XkbAddGeomDoodad(geom, section, any.name); if (!doodad) return BadAlloc; doodad->any.type= dWire->any.type; doodad->any.priority= dWire->any.priority; - doodad->any.top= dWire->any.top; - doodad->any.left= dWire->any.left; - doodad->any.angle= dWire->any.angle; + doodad->any.top = any.top; + doodad->any.left = any.left; + doodad->any.angle = any.angle; switch (doodad->any.type) { case XkbOutlineDoodad: case XkbSolidDoodad: @@ -4510,13 +4512,14 @@ XkbDoodadPtr doodad; dWire->text.colorNdx); return BadMatch; } + text = dWire->text; if (client->swapped) { register int n; - swaps(&dWire->text.width,n); - swaps(&dWire->text.height,n); + swaps(&text.width, n); + swaps(&text.height, n); } - doodad->text.width= dWire->text.width; - doodad->text.height= dWire->text.height; + doodad->text.width= text.width; + doodad->text.height= text.height; doodad->text.color_ndx= dWire->text.colorNdx; doodad->text.text= _GetCountedString(&wire,client->swapped); doodad->text.font= _GetCountedString(&wire,client->swapped); -- cgit v1.2.3