rpms / xorg-x11-server

Clone
Source Code
GIT

Blame 0001-xkb-proof-GetCountedString-against-request-length-at.patch

ajax/upstream f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 main olpc2 olpc3 private-1_2-branch private-unbreak-domain-branch rawhide
  1.   f38
  2.   0001-xkb-proof-GetCountedString-against-request-length-at.patch
Blob History Raw
9fc1d98 
From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001
9fc1d98 
From: Peter Hutterer <peter.hutterer@who-t.net>
9fc1d98 
Date: Tue, 5 Jul 2022 12:06:20 +1000
9fc1d98 
Subject: [PATCH xserver] xkb: proof GetCountedString against request length
9fc1d98 
 attacks
9fc1d98
9fc1d98 
GetCountedString did a check for the whole string to be within the
9fc1d98 
request buffer but not for the initial 2 bytes that contain the length
9fc1d98 
field. A swapped client could send a malformed request to trigger a
9fc1d98 
swaps() on those bytes, writing into random memory.
9fc1d98
9fc1d98 
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
9fc1d98 
---
9fc1d98 
 xkb/xkb.c | 5 +++++
9fc1d98 
 1 file changed, 5 insertions(+)
9fc1d98
9fc1d98 
diff --git a/xkb/xkb.c b/xkb/xkb.c
9fc1d98 
index f42f59ef3..1841cff26 100644
9fc1d98 
--- a/xkb/xkb.c
9fc1d98 
+++ b/xkb/xkb.c
9fc1d98 
@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
9fc1d98 
     CARD16 len;
9fc1d98
9fc1d98 
     wire = *wire_inout;
9fc1d98 
+
9fc1d98 
+    if (client->req_len <
9fc1d98 
+        bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
9fc1d98 
+        return BadValue;
9fc1d98 
+
9fc1d98 
     len = *(CARD16 *) wire;
9fc1d98 
     if (client->swapped) {
9fc1d98 
         swaps(&len;;
9fc1d98 
--
9fc1d98 
2.38.1
9fc1d98
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.