diff options
author | Olivier Fourdan <ofourdan@redhat.com> | 2015-01-16 20:08:59 +0100 |
---|---|---|
committer | Mike DePaulo <mikedep333@gmail.com> | 2015-02-19 20:03:22 -0500 |
commit | 6f11c4ac377676d44324888c834ab6a17d9fe1dd (patch) | |
tree | db669b68988606370efac75d3b776deec84885dd /xorg-server/xkb | |
parent | 50ca778029d5847f8dec48594590d35015ed31d4 (diff) | |
download | vcxsrv-6f11c4ac377676d44324888c834ab6a17d9fe1dd.tar.gz vcxsrv-6f11c4ac377676d44324888c834ab6a17d9fe1dd.tar.bz2 vcxsrv-6f11c4ac377676d44324888c834ab6a17d9fe1dd.zip |
xkb: Don't swap XkbSetGeometry data in the input buffer
The XkbSetGeometry request embeds data which needs to be swapped when the
server and the client have different endianess.
_XkbSetGeometry() invokes functions that swap these data directly in the
input buffer.
However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
(if there is more than one keyboard), thus causing on swapped clients the
same data to be swapped twice in memory, further causing a server crash
because the strings lengths on the second time are way off bounds.
To allow _XkbSetGeometry() to run reliably more than once with swapped
clients, do not swap the data in the buffer, use variables instead.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd)
(cherry picked from commit 29be310c303914090298ddda93a5bd5d00a94945)
Signed-off-by: Julien Cristau <jcristau@debian.org>
Diffstat (limited to 'xorg-server/xkb')
-rw-r--r-- | xorg-server/xkb/xkb.c | 35 |
1 files changed, 19 insertions, 16 deletions
diff --git a/xorg-server/xkb/xkb.c b/xorg-server/xkb/xkb.c index ae2ca90a3..d1aaa02b2 100644 --- a/xorg-server/xkb/xkb.c +++ b/xorg-server/xkb/xkb.c @@ -4956,14 +4956,13 @@ static char * _GetCountedString(char **wire_inout, Bool swap) { char *wire, *str; - CARD16 len, *plen; + CARD16 len; wire = *wire_inout; - plen = (CARD16 *) wire; + len = *(CARD16 *) wire; if (swap) { - swaps(plen); + swaps(&len); } - len = *plen; str = malloc(len + 1); if (str) { memcpy(str, &wire[2], len); @@ -4980,25 +4979,28 @@ _CheckSetDoodad(char **wire_inout, { char *wire; xkbDoodadWireDesc *dWire; + xkbAnyDoodadWireDesc any; + xkbTextDoodadWireDesc text; XkbDoodadPtr doodad; dWire = (xkbDoodadWireDesc *) (*wire_inout); + any = dWire->any; wire = (char *) &dWire[1]; if (client->swapped) { - swapl(&dWire->any.name); - swaps(&dWire->any.top); - swaps(&dWire->any.left); - swaps(&dWire->any.angle); + swapl(&any.name); + swaps(&any.top); + swaps(&any.left); + swaps(&any.angle); } CHK_ATOM_ONLY(dWire->any.name); - doodad = XkbAddGeomDoodad(geom, section, dWire->any.name); + doodad = XkbAddGeomDoodad(geom, section, any.name); if (!doodad) return BadAlloc; doodad->any.type = dWire->any.type; doodad->any.priority = dWire->any.priority; - doodad->any.top = dWire->any.top; - doodad->any.left = dWire->any.left; - doodad->any.angle = dWire->any.angle; + doodad->any.top = any.top; + doodad->any.left = any.left; + doodad->any.angle = any.angle; switch (doodad->any.type) { case XkbOutlineDoodad: case XkbSolidDoodad: @@ -5021,12 +5023,13 @@ _CheckSetDoodad(char **wire_inout, dWire->text.colorNdx); return BadMatch; } + text = dWire->text; if (client->swapped) { - swaps(&dWire->text.width); - swaps(&dWire->text.height); + swaps(&text.width); + swaps(&text.height); } - doodad->text.width = dWire->text.width; - doodad->text.height = dWire->text.height; + doodad->text.width = text.width; + doodad->text.height = text.height; doodad->text.color_ndx = dWire->text.colorNdx; doodad->text.text = _GetCountedString(&wire, client->swapped); doodad->text.font = _GetCountedString(&wire, client->swapped); |