fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2025-12-26 20:30:05 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

xkb: proof GetCountedString against request length attacks

Browse source 
GetCountedString did a check for the whole string to be within the
request buffer but not for the initial 2 bytes that contain the length
field. A swapped client could send a malformed request to trigger a
swaps() on those bytes, writing into random memory.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 11beef0b7f)
This commit is contained in:
Peter Hutterer 2022-07-05 12:06:20 +10:00 committed by Olivier Fourdan
parent eed7f2b1c8
commit cb4fd4d06e
1 changed files with 5 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
xkb/xkb.c
View file

@ -5138,6 +5138,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
CARD16 len;
wire = *wire_inout;
if (client->req_len <
bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
return BadValue;
len = *(CARD16 *) wire;
if (client->swapped) {
swaps(&len);