aboutsummaryrefslogtreecommitdiff
path: root/debian/patches/1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input.full.patch
blob: e16e7a7bee05840bf0f6e9fb087cf3ba0633ced8 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
From 9308c79ba2757cb1a64e0040176b8290b435544f Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Fri, 16 Jan 2015 20:08:59 +0100
Subject: [PATCH 3/4] xkb: Don't swap XkbSetGeometry data in the input buffer

The XkbSetGeometry request embeds data which needs to be swapped when the
server and the client have different endianess.

_XkbSetGeometry() invokes functions that swap these data directly in the
input buffer.

However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
(if there is more than one keyboard), thus causing on swapped clients the
same data to be swapped twice in memory, further causing a server crash
because the strings lengths on the second time are way off bounds.

To allow _XkbSetGeometry() to run reliably more than once with swapped
clients, do not swap the data in the buffer, use variables instead.

v3: backport to nx-libs 3.6.x as a prereq for
the CVE-2015-0255 fix (Mike DePaulo)

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd)
(cherry picked from commit 29be310c303914090298ddda93a5bd5d00a94945)
Signed-off-by: Julien Cristau <jcristau@debian.org>
index 2405090..7db0959 100644
---
 nx-X11/programs/Xserver/xkb/xkb.c | 35 +++++++++++++++++++----------------
 1 file changed, 19 insertions(+), 16 deletions(-)

--- a/nx-X11/programs/Xserver/xkb/xkb.c
+++ b/nx-X11/programs/Xserver/xkb/xkb.c
@@ -4441,15 +4441,14 @@ static char *
 _GetCountedString(char **wire_inout,Bool swap)
 {
 char *	wire,*str;
-CARD16	len,*plen;
+CARD16	len;
 
     wire= *wire_inout;
-    plen= (CARD16 *)wire;
+    len= (CARD16 *)wire;
     if (swap) {
 	register int n;
-	swaps(plen,n);
+	swaps(&len, n);
     }
-    len= *plen;
     str= (char *)_XkbAlloc(len+1);
     if (str) {
 	memcpy(str,&wire[2],len);
@@ -4468,26 +4467,29 @@ _CheckSetDoodad(	char **		wire_inout,
 {
 char *			wire;
 xkbDoodadWireDesc *	dWire;
+xkbAnyDoodadWireDesc	any;
+xkbTextDoodadWireDesc	text;
 XkbDoodadPtr		doodad;
 
     dWire= (xkbDoodadWireDesc *)(*wire_inout);
+    any = dWire->any;
     wire= (char *)&dWire[1];
     if (client->swapped) {
 	register int n;
-	swapl(&dWire->any.name,n);
-	swaps(&dWire->any.top,n);
-	swaps(&dWire->any.left,n);
-	swaps(&dWire->any.angle,n);
+	swapl(&any.name, n);
+	swaps(&any.top, n);
+	swaps(&any.left, n);
+	swaps(&any.angle, n);
     }
     CHK_ATOM_ONLY(dWire->any.name);
-    doodad= XkbAddGeomDoodad(geom,section,dWire->any.name);
+    doodad = XkbAddGeomDoodad(geom, section, any.name);
     if (!doodad)
 	return BadAlloc;
     doodad->any.type= dWire->any.type;
     doodad->any.priority= dWire->any.priority;
-    doodad->any.top= dWire->any.top;
-    doodad->any.left= dWire->any.left;
-    doodad->any.angle= dWire->any.angle;
+    doodad->any.top = any.top;
+    doodad->any.left = any.left;
+    doodad->any.angle = any.angle;
     switch (doodad->any.type) {
 	case XkbOutlineDoodad:
 	case XkbSolidDoodad:
@@ -4510,13 +4512,14 @@ XkbDoodadPtr		doodad;
 							dWire->text.colorNdx);
 		return BadMatch;
 	    }
+	    text = dWire->text;
 	    if (client->swapped) {
 		register int n;
-		swaps(&dWire->text.width,n);
-		swaps(&dWire->text.height,n);
+		swaps(&text.width, n);
+		swaps(&text.height, n);
 	    }
-	    doodad->text.width= dWire->text.width;
-	    doodad->text.height= dWire->text.height;
+	    doodad->text.width= text.width;
+	    doodad->text.height= text.height;
 	    doodad->text.color_ndx= dWire->text.colorNdx;
 	    doodad->text.text= _GetCountedString(&wire,client->swapped);
 	    doodad->text.font= _GetCountedString(&wire,client->swapped);