diff options
Diffstat (limited to 'meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Check-strings-length-against-request-size.patch')
-rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Check-strings-length-against-request-size.patch | 145 |
1 files changed, 0 insertions, 145 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Check-strings-length-against-request-size.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Check-strings-length-against-request-size.patch deleted file mode 100644 index b0e2bcad43..0000000000 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-Check-strings-length-against-request-size.patch +++ /dev/null | |||
@@ -1,145 +0,0 @@ | |||
1 | From 20079c36cf7d377938ca5478447d8b9045cb7d43 Mon Sep 17 00:00:00 2001 | ||
2 | From: Olivier Fourdan <ofourdan@redhat.com> | ||
3 | Date: Fri, 16 Jan 2015 08:44:45 +0100 | ||
4 | Subject: [PATCH] xkb: Check strings length against request size | ||
5 | |||
6 | Ensure that the given strings length in an XkbSetGeometry request remain | ||
7 | within the limits of the size of the request. | ||
8 | |||
9 | Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> | ||
10 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
11 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
12 | |||
13 | Upstream-Status: backport | ||
14 | |||
15 | Signed-off-by: Li Zhou <li.zhou@windriver.com> | ||
16 | --- | ||
17 | xkb/xkb.c | 65 +++++++++++++++++++++++++++++++++++++------------------------ | ||
18 | 1 file changed, 40 insertions(+), 25 deletions(-) | ||
19 | |||
20 | diff --git a/xkb/xkb.c b/xkb/xkb.c | ||
21 | index b9a3ac4..f3988f9 100644 | ||
22 | --- a/xkb/xkb.c | ||
23 | +++ b/xkb/xkb.c | ||
24 | @@ -4957,25 +4957,29 @@ ProcXkbGetGeometry(ClientPtr client) | ||
25 | |||
26 | /***====================================================================***/ | ||
27 | |||
28 | -static char * | ||
29 | -_GetCountedString(char **wire_inout, Bool swap) | ||
30 | +static Status | ||
31 | +_GetCountedString(char **wire_inout, ClientPtr client, char **str) | ||
32 | { | ||
33 | - char *wire, *str; | ||
34 | + char *wire, *next; | ||
35 | CARD16 len; | ||
36 | |||
37 | wire = *wire_inout; | ||
38 | len = *(CARD16 *) wire; | ||
39 | - if (swap) { | ||
40 | + if (client->swapped) { | ||
41 | swaps(&len); | ||
42 | } | ||
43 | - str = malloc(len + 1); | ||
44 | - if (str) { | ||
45 | - memcpy(str, &wire[2], len); | ||
46 | - str[len] = '\0'; | ||
47 | - } | ||
48 | - wire += XkbPaddedSize(len + 2); | ||
49 | - *wire_inout = wire; | ||
50 | - return str; | ||
51 | + next = wire + XkbPaddedSize(len + 2); | ||
52 | + /* Check we're still within the size of the request */ | ||
53 | + if (client->req_len < | ||
54 | + bytes_to_int32(next - (char *) client->requestBuffer)) | ||
55 | + return BadValue; | ||
56 | + *str = malloc(len + 1); | ||
57 | + if (!*str) | ||
58 | + return BadAlloc; | ||
59 | + memcpy(*str, &wire[2], len); | ||
60 | + *(*str + len) = '\0'; | ||
61 | + *wire_inout = next; | ||
62 | + return Success; | ||
63 | } | ||
64 | |||
65 | static Status | ||
66 | @@ -4987,6 +4991,7 @@ _CheckSetDoodad(char **wire_inout, | ||
67 | xkbAnyDoodadWireDesc any; | ||
68 | xkbTextDoodadWireDesc text; | ||
69 | XkbDoodadPtr doodad; | ||
70 | + Status status; | ||
71 | |||
72 | dWire = (xkbDoodadWireDesc *) (*wire_inout); | ||
73 | any = dWire->any; | ||
74 | @@ -5036,8 +5041,14 @@ _CheckSetDoodad(char **wire_inout, | ||
75 | doodad->text.width = text.width; | ||
76 | doodad->text.height = text.height; | ||
77 | doodad->text.color_ndx = dWire->text.colorNdx; | ||
78 | - doodad->text.text = _GetCountedString(&wire, client->swapped); | ||
79 | - doodad->text.font = _GetCountedString(&wire, client->swapped); | ||
80 | + status = _GetCountedString(&wire, client, &doodad->text.text); | ||
81 | + if (status != Success) | ||
82 | + return status; | ||
83 | + status = _GetCountedString(&wire, client, &doodad->text.font); | ||
84 | + if (status != Success) { | ||
85 | + free (doodad->text.text); | ||
86 | + return status; | ||
87 | + } | ||
88 | break; | ||
89 | case XkbIndicatorDoodad: | ||
90 | if (dWire->indicator.onColorNdx >= geom->num_colors) { | ||
91 | @@ -5072,7 +5083,9 @@ _CheckSetDoodad(char **wire_inout, | ||
92 | } | ||
93 | doodad->logo.color_ndx = dWire->logo.colorNdx; | ||
94 | doodad->logo.shape_ndx = dWire->logo.shapeNdx; | ||
95 | - doodad->logo.logo_name = _GetCountedString(&wire, client->swapped); | ||
96 | + status = _GetCountedString(&wire, client, &doodad->logo.logo_name); | ||
97 | + if (status != Success) | ||
98 | + return status; | ||
99 | break; | ||
100 | default: | ||
101 | client->errorValue = _XkbErrCode2(0x4F, dWire->any.type); | ||
102 | @@ -5304,18 +5317,20 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client) | ||
103 | char *wire; | ||
104 | |||
105 | wire = (char *) &req[1]; | ||
106 | - geom->label_font = _GetCountedString(&wire, client->swapped); | ||
107 | + status = _GetCountedString(&wire, client, &geom->label_font); | ||
108 | + if (status != Success) | ||
109 | + return status; | ||
110 | |||
111 | for (i = 0; i < req->nProperties; i++) { | ||
112 | char *name, *val; | ||
113 | |||
114 | - name = _GetCountedString(&wire, client->swapped); | ||
115 | - if (!name) | ||
116 | - return BadAlloc; | ||
117 | - val = _GetCountedString(&wire, client->swapped); | ||
118 | - if (!val) { | ||
119 | + status = _GetCountedString(&wire, client, &name); | ||
120 | + if (status != Success) | ||
121 | + return status; | ||
122 | + status = _GetCountedString(&wire, client, &val); | ||
123 | + if (status != Success) { | ||
124 | free(name); | ||
125 | - return BadAlloc; | ||
126 | + return status; | ||
127 | } | ||
128 | if (XkbAddGeomProperty(geom, name, val) == NULL) { | ||
129 | free(name); | ||
130 | @@ -5349,9 +5364,9 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client) | ||
131 | for (i = 0; i < req->nColors; i++) { | ||
132 | char *name; | ||
133 | |||
134 | - name = _GetCountedString(&wire, client->swapped); | ||
135 | - if (!name) | ||
136 | - return BadAlloc; | ||
137 | + status = _GetCountedString(&wire, client, &name); | ||
138 | + if (status != Success) | ||
139 | + return status; | ||
140 | if (!XkbAddGeomColor(geom, name, geom->num_colors)) { | ||
141 | free(name); | ||
142 | return BadAlloc; | ||
143 | -- | ||
144 | 1.7.9.5 | ||
145 | |||