path: root/debian/patches/1104-xkb-Check-strings-length-against-request-size.patch
From d7258444a876a65986212c10ddcaa1783af558bf Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Fri, 16 Jan 2015 08:44:45 +0100
Subject: [PATCH 4/4] xkb: Check strings length against request size

Ensure that the string lengths given in an XkbSetGeometry request remain
within the limits of the size of the request.

v3: backport to nx-libs 3.6.x because this is
the CVE-2015-0255 fix (Mike DePaulo)

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 20079c36cf7d377938ca5478447d8b9045cb7d43)
(cherry picked from commit f160e722672dbb2b5215870b47bcc51461d96ff1)
Signed-off-by: Julien Cristau <jcristau@debian.org>
---
 nx-X11/programs/Xserver/xkb/xkb.c | 66 ++++++++++++++++++++++++---------------
 1 file changed, 41 insertions(+), 25 deletions(-)

diff --git a/nx-X11/programs/Xserver/xkb/xkb.c b/nx-X11/programs/Xserver/xkb/xkb.c
index d8b5b2c..778269f 100644
--- a/nx-X11/programs/Xserver/xkb/xkb.c
+++ b/nx-X11/programs/Xserver/xkb/xkb.c
@@ -4437,26 +4437,30 @@ ProcXkbGetGeometry(ClientPtr client)
 
 /***====================================================================***/
 
-static char *
-_GetCountedString(char **wire_inout,Bool swap)
+static Status
+_GetCountedString(char **wire_inout, ClientPtr client, char **str)
 {
-char *	wire,*str;
+char *	wire, *next;
 CARD16	len;
 
     wire= *wire_inout;
     len= (CARD16 *)wire;
-    if (swap) {
+    if (client->swapped) {
 	register int n;
 	swaps(&len, n);
     }
-    str= (char *)_XkbAlloc(len+1);
-    if (str) {
-	memcpy(str,&wire[2],len);
-	str[len]= '\0';
-    }
-    wire+= XkbPaddedSize(len+2);
-    *wire_inout= wire;
-    return str;
+    next = wire + XkbPaddedSize(len + 2);
+    /* Check we're still within the size of the request */
+    if (client->req_len <
+	bytes_to_int32(next - (char *) client->requestBuffer))
+	return BadValue;
+    *str = malloc(len + 1);
+    if (!*str)
+	return BadAlloc;
+    memcpy(*str, &wire[2], len);
+    *(*str + len) = '\0';
+    *wire_inout = next;
+    return Success;
 }
 
 static Status
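Review bot: The context line `len= (CARD16 *)wire;` stores the pointer cast itself into the 16-bit `len` rather than the value it points at, so the new bounds check, the `malloc(len + 1)` and the `memcpy` all work from a truncated address instead of the length the client sent; it should read `len = *(CARD16 *) wire;`. The patch does not touch that line, but the added check is only as good as `len`. The two length bytes are also read before anything confirms that `wire + 2` is still inside the request, so a string header that starts at the very end of the buffer is read before it can be rejected; comparing `wire + 2` against the request end first would close that. A short comment on `_GetCountedString` stating that `*str` is written only on `Success` and is then owned by the caller would help the call sites.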
@@ -4470,6 +4474,7 @@ xkbDoodadWireDesc *	dWire;
 xkbAnyDoodadWireDesc	any;
 xkbTextDoodadWireDesc	text;
 XkbDoodadPtr		doodad;
+Status			status;
 
     dWire= (xkbDoodadWireDesc *)(*wire_inout);
     any = dWire->any;
@@ -4521,8 +4526,14 @@ XkbDoodadPtr		doodad;
 	    doodad->text.width= text.width;
 	    doodad->text.height= text.height;
 	    doodad->text.color_ndx= dWire->text.colorNdx;
-	    doodad->text.text= _GetCountedString(&wire,client->swapped);
-	    doodad->text.font= _GetCountedString(&wire,client->swapped);
+	    status = _GetCountedString(&wire, client, &doodad->text.text);
+	    if (status != Success)
+		return status;
+	    status = _GetCountedString(&wire, client, &doodad->text.font);
+	    if (status != Success) {
+		free (doodad->text.text);
+		return status;
+	    }
 	    break;
 	case XkbIndicatorDoodad:
 	    if (dWire->indicator.onColorNdx>=geom->num_colors) {
@@ -4557,7 +4568,9 @@ XkbDoodadPtr		doodad;
 	    }
 	    doodad->logo.color_ndx= dWire->logo.colorNdx;
 	    doodad->logo.shape_ndx= dWire->logo.shapeNdx;
-	    doodad->logo.logo_name= _GetCountedString(&wire,client->swapped);
+	    status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
+	    if (status != Success)
+		return status;
 	    break;
 	default:
 	    client->errorValue= _XkbErrCode2(0x4F,dWire->any.type);
@@ -4792,17 +4805,19 @@ Status		status;
 char *		wire;
 
     wire= (char *)&req[1];
-    geom->label_font= _GetCountedString(&wire,client->swapped);
+    status = _GetCountedString(&wire, client, &geom->label_font);
+    if (status != Success)
+	return status;
 
     for (i=0;i<req->nProperties;i++) {
 	char *name,*val;
-	name= _GetCountedString(&wire,client->swapped);
-        if (!name)
-            return BadAlloc;
-	val= _GetCountedString(&wire,client->swapped);
-        if (!val) {
+	status = _GetCountedString(&wire, client, &name);
+	if (status != Success)
+	    return status;
+	status = _GetCountedString(&wire, client, &val);
+	if (status != Success) {
             xfree(name);
-            return BadAlloc;
+            return status;
         }
 	if (XkbAddGeomProperty(geom,name,val)==NULL) {
             xfree(name);
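Review bot: Strings returned by `_GetCountedString` now come from `malloc`, but the error paths here release `name` with `xfree`, while the text-doodad hunk uses plain `free`; the same mix appears in the colour loop of the next hunk. If `xfree` is not a thin wrapper over `free` in this tree, that is an allocator mismatch. Either way, one allocate/release pair should be used for these strings throughout, with a one-line comment at the helper naming it. The function body continues outside the hunk.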
@@ -4833,9 +4848,10 @@ char *		wire;
 
     for (i=0;i<req->nColors;i++) {
 	char *name;
-	name= _GetCountedString(&wire,client->swapped);
-	if (!name)
-            return BadAlloc;
+
+	status = _GetCountedString(&wire, client, &name);
+	if (status != Success)
+	    return status;
         if (!XkbAddGeomColor(geom,name,geom->num_colors)) {
             xfree(name);
 	    return BadAlloc;
-- 
1.9.1