fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2025-12-26 17:00:06 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

xkb: length-check XkbGetKbdByName before accessing the fields

Browse source 
This request accessed &stuff[1] before length-checking everything. The
check was performed afterwards so invalid requests would return
BadLength anyway, but let's do this before we actually access the
memory.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 44ae6f4419)
This commit is contained in:
Peter Hutterer 2022-07-13 11:33:00 +10:00 committed by Olivier Fourdan
parent baad076c4d
commit bd7b4cf64d
1 changed files with 16 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
xkb/xkb.c
View file

@ -5795,7 +5795,8 @@ static unsigned char componentExprLegal[] = {
};
static char *
GetComponentSpec(unsigned char **pWire, Bool allowExpr, int *errRtrn)
GetComponentSpec(ClientPtr client, xkbGetKbdByNameReq *stuff,
unsigned char **pWire, Bool allowExpr, int *errRtrn)
{
int len;
register int i;
@ -5807,7 +5808,15 @@ GetComponentSpec(unsigned char **pWire, Bool allowExpr, int *errRtrn)
legal = &componentSpecLegal[0];
wire = *pWire;
if (!_XkbCheckRequestBounds(client, stuff, wire, wire + 1)) {
*errRtrn = BadLength;
return NULL;
}
len = (*(unsigned char *) wire++);
if (!_XkbCheckRequestBounds(client, stuff, wire, wire + len)) {
*errRtrn = BadLength;
return NULL;
}
if (len > 0) {
str = calloc(1, len + 1);
if (str) {
@ -5937,17 +5946,17 @@ ProcXkbGetKbdByName(ClientPtr client)
status = Success;
str = (unsigned char *) &stuff[1];
{
char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */
char *keymap = GetComponentSpec(client, stuff, &str, TRUE, &status); /* keymap, unsupported */
if (keymap) {
free(keymap);
return BadMatch;
}
}
names.keycodes = GetComponentSpec(&str, TRUE, &status);
names.types = GetComponentSpec(&str, TRUE, &status);
names.compat = GetComponentSpec(&str, TRUE, &status);
names.symbols = GetComponentSpec(&str, TRUE, &status);
names.geometry = GetComponentSpec(&str, TRUE, &status);
names.keycodes = GetComponentSpec(client, stuff, &str, TRUE, &status);
names.types = GetComponentSpec(client, stuff, &str, TRUE, &status);
names.compat = GetComponentSpec(client, stuff, &str, TRUE, &status);
names.symbols = GetComponentSpec(client, stuff, &str, TRUE, &status);
names.geometry = GetComponentSpec(client, stuff, &str, TRUE, &status);
if (status == Success) {
len = str - ((unsigned char *) stuff);
if ((XkbPaddedSize(len) / 4) != stuff->length)