xkb: Don't swap XkbSetGeometry data in the input buffer

The XkbSetGeometry request embeds data which needs to be swapped when the server and the client have different endianess. _XkbSetGeometry() invokes functions that swap these data directly in the input buffer. However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once (if there is more than one keyboard), thus causing on swapped clients the same data to be swapped twice in memory, further causing a server crash because the strings lengths on the second time are way off bounds. To allow _XkbSetGeometry() to run reliably more than once with swapped clients, do not swap the data in the buffer, use variables instead. v3: backport to nx-libs 3.6.x as a prereq for the CVE-2015-0255 fix (Mike DePaulo) Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd) (cherry picked from commit 29be310c303914090298ddda93a5bd5d00a94945) Signed-off-by: Julien Cristau <jcristau@debian.org> index 2405090..7db0959 100644

xkb: Don't swap XkbSetGeometry data in the input buffer
9308c79b · Olivier Fourdan · Mike DePaulo · 3937db18 · 9308c79b
Commit 9308c79b authored Jan 16, 2015 by Olivier Fourdan Committed by Mike DePaulo Feb 17, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 16 deletions

xkb.c nx-X11/programs/Xserver/xkb/xkb.c +19 -16

No files found.
--- a/nx-X11/programs/Xserver/xkb/xkb.c
+++ b/nx-X11/programs/Xserver/xkb/xkb.c
@@ -4441,15 +4441,14 @@ static char *
 _GetCountedString(char **wire_inout,Bool swap)
 {
 char *	wire,*str;
-CARD16	len,*plen;
+CARD16	len;
    wire= *wire_inout;
-    plen= (CARD16 *)wire;
+    len= (CARD16 *)wire;
    if (swap) {
 	register int n;
-	swaps(plen,n);
+	swaps(&len, n);
    }
-    len= *plen;
    str= (char *)_XkbAlloc(len+1);
    if (str) {
 	memcpy(str,&wire[2],len);
@@ -4468,26 +4467,29 @@ _CheckSetDoodad(	char **		wire_inout,
 {
 char *			wire;
 xkbDoodadWireDesc *	dWire;
+xkbAnyDoodadWireDesc	any;
+xkbTextDoodadWireDesc	text;
 XkbDoodadPtr		doodad;
    dWire= (xkbDoodadWireDesc *)(*wire_inout);
+    any = dWire->any;
    wire= (char *)&dWire[1];
    if (client->swapped) {
 	register int n;
-	swapl(&dWire->any.name,n);
+	swapl(&any.name, n);
-	swaps(&dWire->any.top,n);
+	swaps(&any.top, n);
-	swaps(&dWire->any.left,n);
+	swaps(&any.left, n);
-	swaps(&dWire->any.angle,n);
+	swaps(&any.angle, n);
    }
    CHK_ATOM_ONLY(dWire->any.name);
-    doodad= XkbAddGeomDoodad(geom,section,dWire->any.name);
+    doodad = XkbAddGeomDoodad(geom, section, any.name);
    if (!doodad)
 	return BadAlloc;
    doodad->any.type= dWire->any.type;
    doodad->any.priority= dWire->any.priority;
-    doodad->any.top= dWire->any.top;
+    doodad->any.top = any.top;
-    doodad->any.left= dWire->any.left;
+    doodad->any.left = any.left;
-    doodad->any.angle= dWire->any.angle;
+    doodad->any.angle = any.angle;
    switch (doodad->any.type) {
 	case XkbOutlineDoodad:
 	case XkbSolidDoodad:
@@ -4510,13 +4512,14 @@ XkbDoodadPtr		doodad;
 							dWire->text.colorNdx);
 		return BadMatch;
 	    }
+	    text = dWire->text;
 	    if (client->swapped) {
 		register int n;
-		swaps(&dWire->text.width,n);
+		swaps(&text.width, n);
-		swaps(&dWire->text.height,n);
+		swaps(&text.height, n);
 	    }
-	    doodad->text.width= dWire->text.width;
+	    doodad->text.width= text.width;
-	    doodad->text.height= dWire->text.height;
+	    doodad->text.height= text.height;
 	    doodad->text.color_ndx= dWire->text.colorNdx;
 	    doodad->text.text= _GetCountedString(&wire,client->swapped);
 	    doodad->text.font= _GetCountedString(&wire,client->swapped);