Module Name: xsrc
Committed By: martin
Date: Wed Feb 11 15:24:52 UTC 2015
Modified Files:
xsrc/external/mit/xorg-server/dist/xkb [netbsd-5]: xkb.c
xsrc/xfree/xc/programs/Xserver/xkb [netbsd-5]: xkb.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1949):
external/mit/xorg-server/dist/xkb/xkb.c: revision 1.2
xfree/xc/programs/Xserver/xkb/xkb.c: revision 1.2
apply fixes for CVE-2015-0255:
Information leak in the XkbSetGeometry request of X servers
http://www.x.org/wiki/Development/Security/Advisory-2015-02-10/
ported to xorg-server 1.10 and xfree myself.
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.2 \
xsrc/external/mit/xorg-server/dist/xkb/xkb.c
cvs rdiff -u -r1.1.1.6 -r1.1.1.6.20.1 \
xsrc/xfree/xc/programs/Xserver/xkb/xkb.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/xorg-server/dist/xkb/xkb.c
diff -u xsrc/external/mit/xorg-server/dist/xkb/xkb.c:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/xkb/xkb.c:1.1.1.1.2.2
--- xsrc/external/mit/xorg-server/dist/xkb/xkb.c:1.1.1.1.2.1 Thu Sep 17 03:35:48 2009
+++ xsrc/external/mit/xorg-server/dist/xkb/xkb.c Wed Feb 11 15:24:52 2015
@@ -4820,27 +4820,30 @@ ProcXkbGetGeometry(ClientPtr client)
/***====================================================================***/
-static char *
-_GetCountedString(char **wire_inout,Bool swap)
+static Status
+_GetCountedString(char **wire_inout, ClientPtr client, char **str)
{
-char * wire,*str;
-CARD16 len,*plen;
+ char *wire, *next;
+ CARD16 len;
- wire= *wire_inout;
- plen= (CARD16 *)wire;
- if (swap) {
- register int n;
- swaps(plen,n);
- }
- len= *plen;
- str= (char *)_XkbAlloc(len+1);
- if (str) {
- memcpy(str,&wire[2],len);
- str[len]= '\0';
+ wire = *wire_inout;
+ len = *(CARD16 *) wire;
+ if (client->swapped) {
+ int n;
+ swaps(&len, n);
}
- wire+= XkbPaddedSize(len+2);
- *wire_inout= wire;
- return str;
+ next = wire + XkbPaddedSize(len + 2);
+ /* Check we're still within the size of the request */
+ if (client->req_len <
+ bytes_to_int32(next - (char *) client->requestBuffer))
+ return BadValue;
+ *str = malloc(len + 1);
+ if (!*str)
+ return BadAlloc;
+ memcpy(*str, &wire[2], len);
+ *(*str + len) = '\0';
+ *wire_inout = next;
+ return Success;
}
static Status
@@ -4852,6 +4855,7 @@ _CheckSetDoodad( char ** wire_inout,
char * wire;
xkbDoodadWireDesc * dWire;
XkbDoodadPtr doodad;
+ Status status;
dWire= (xkbDoodadWireDesc *)(*wire_inout);
wire= (char *)&dWire[1];
@@ -4901,8 +4905,14 @@ XkbDoodadPtr doodad;
doodad->text.width= dWire->text.width;
doodad->text.height= dWire->text.height;
doodad->text.color_ndx= dWire->text.colorNdx;
- doodad->text.text= _GetCountedString(&wire,client->swapped);
- doodad->text.font= _GetCountedString(&wire,client->swapped);
+ status = _GetCountedString(&wire, client, &doodad->text.text);
+ if (status != Success)
+ return status;
+ status = _GetCountedString(&wire, client, &doodad->text.font);
+ if (status != Success) {
+ free (doodad->text.text);
+ return status;
+ }
break;
case XkbIndicatorDoodad:
if (dWire->indicator.onColorNdx>=geom->num_colors) {
@@ -4937,7 +4947,9 @@ XkbDoodadPtr doodad;
}
doodad->logo.color_ndx= dWire->logo.colorNdx;
doodad->logo.shape_ndx= dWire->logo.shapeNdx;
- doodad->logo.logo_name= _GetCountedString(&wire,client->swapped);
+ status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
+ if (status != Success)
+ return status;
break;
default:
client->errorValue= _XkbErrCode2(0x4F,dWire->any.type);
@@ -5172,17 +5184,19 @@ Status status;
char * wire;
wire= (char *)&req[1];
- geom->label_font= _GetCountedString(&wire,client->swapped);
+ status = _GetCountedString(&wire, client, &geom->label_font);
+ if (status != Success)
+ return status;
- for (i=0;i<req->nProperties;i++) {
- char *name,*val;
- name= _GetCountedString(&wire,client->swapped);
- if (!name)
- return BadAlloc;
- val= _GetCountedString(&wire,client->swapped);
- if (!val) {
+ for (i = 0; i < req->nProperties; i++) {
+ char *name, *val;
+ status = _GetCountedString(&wire, client, &name);
+ if (status != Success)
+ return status;
+ status = _GetCountedString(&wire, client, &val);
+ if (status != Success) {
xfree(name);
- return BadAlloc;
+ return status;
}
if (XkbAddGeomProperty(geom,name,val)==NULL) {
xfree(name);
@@ -5211,11 +5225,11 @@ char * wire;
return BadMatch;
}
- for (i=0;i<req->nColors;i++) {
+ for (i = 0; i < req->nColors; i++) {
char *name;
- name= _GetCountedString(&wire,client->swapped);
- if (!name)
- return BadAlloc;
+ status = _GetCountedString(&wire, client, &name);
+ if (status != Success)
+ return status;
if (!XkbAddGeomColor(geom,name,geom->num_colors)) {
xfree(name);
return BadAlloc;
Index: xsrc/xfree/xc/programs/Xserver/xkb/xkb.c
diff -u xsrc/xfree/xc/programs/Xserver/xkb/xkb.c:1.1.1.6 xsrc/xfree/xc/programs/Xserver/xkb/xkb.c:1.1.1.6.20.1
--- xsrc/xfree/xc/programs/Xserver/xkb/xkb.c:1.1.1.6 Fri Mar 5 14:29:44 2004
+++ xsrc/xfree/xc/programs/Xserver/xkb/xkb.c Wed Feb 11 15:24:52 2015
@@ -4434,27 +4434,30 @@ ProcXkbGetGeometry(ClientPtr client)
/***====================================================================***/
-static char *
-_GetCountedString(char **wire_inout,Bool swap)
+static Status
+_GetCountedString(char **wire_inout, ClientPtr client, char **str)
{
-char * wire,*str;
-CARD16 len,*plen;
+ char *wire, *next;
+ CARD16 len;
- wire= *wire_inout;
- plen= (CARD16 *)wire;
- if (swap) {
- register int n;
- swaps(plen,n);
- }
- len= *plen;
- str= (char *)_XkbAlloc(len+1);
- if (str) {
- memcpy(str,&wire[2],len);
- str[len]= '\0';
+ wire = *wire_inout;
+ len = *(CARD16 *) wire;
+ if (client->swapped) {
+ int n;
+ swaps(&len, n);
}
- wire+= XkbPaddedSize(len+2);
- *wire_inout= wire;
- return str;
+ next = wire + XkbPaddedSize(len + 2);
+ /* Check we're still within the size of the request */
+ if (client->req_len <
+ bytes_to_int32(next - (char *) client->requestBuffer))
+ return BadValue;
+ *str = malloc(len + 1);
+ if (!*str)
+ return BadAlloc;
+ memcpy(*str, &wire[2], len);
+ *(*str + len) = '\0';
+ *wire_inout = next;
+ return Success;
}
static Status
@@ -4466,6 +4469,7 @@ _CheckSetDoodad( char ** wire_inout,
char * wire;
xkbDoodadWireDesc * dWire;
XkbDoodadPtr doodad;
+ Status status;
dWire= (xkbDoodadWireDesc *)(*wire_inout);
wire= (char *)&dWire[1];
@@ -4515,8 +4519,14 @@ XkbDoodadPtr doodad;
doodad->text.width= dWire->text.width;
doodad->text.height= dWire->text.height;
doodad->text.color_ndx= dWire->text.colorNdx;
- doodad->text.text= _GetCountedString(&wire,client->swapped);
- doodad->text.font= _GetCountedString(&wire,client->swapped);
+ status = _GetCountedString(&wire, client, &doodad->text.text);
+ if (status != Success)
+ return status;
+ status = _GetCountedString(&wire, client, &doodad->text.font);
+ if (status != Success) {
+ free (doodad->text.text);
+ return status;
+ }
break;
case XkbIndicatorDoodad:
if (dWire->indicator.onColorNdx>=geom->num_colors) {
@@ -4551,7 +4561,9 @@ XkbDoodadPtr doodad;
}
doodad->logo.color_ndx= dWire->logo.colorNdx;
doodad->logo.shape_ndx= dWire->logo.shapeNdx;
- doodad->logo.logo_name= _GetCountedString(&wire,client->swapped);
+ status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
+ if (status != Success)
+ return status;
break;
default:
client->errorValue= _XkbErrCode2(0x4F,dWire->any.type);
@@ -4786,14 +4798,26 @@ Status status;
char * wire;
wire= (char *)&req[1];
- geom->label_font= _GetCountedString(&wire,client->swapped);
+ status = _GetCountedString(&wire, client, &geom->label_font);
+ if (status != Success)
+ return status;
- for (i=0;i<req->nProperties;i++) {
+ for (i = 0; i < req->nProperties; i++) {
char *name,*val;
- name= _GetCountedString(&wire,client->swapped);
- val= _GetCountedString(&wire,client->swapped);
- if ((!name)||(!val)||(XkbAddGeomProperty(geom,name,val)==NULL))
+
+ status = _GetCountedString(&wire, client, &name);
+ if (status != Success)
+ return status;
+ status = _GetCountedString(&wire, client, &val);
+ if (status != Success) {
+ free(name);
+ return status;
+ }
+ if (XkbAddGeomProperty(geom,name,val)==NULL) {
+ free(val);
+ free(name);
return BadAlloc;
+ }
}
if (req->nColors<2) {
@@ -4814,11 +4838,15 @@ char * wire;
return BadMatch;
}
- for (i=0;i<req->nColors;i++) {
+ for (i = 0; i < req->nColors; i++) {
char *name;
- name= _GetCountedString(&wire,client->swapped);
- if ((!name)||(!XkbAddGeomColor(geom,name,geom->num_colors)))
+ status = _GetCountedString(&wire, client, &name);
+ if (status != Success)
+ return status;
+ if (!XkbAddGeomColor(geom,name,geom->num_colors)) {
+ free(name);
return BadAlloc;
+ }
}
if (req->nColors!=geom->num_colors) {
client->errorValue= _XkbErrCode3(0x05,req->nColors,geom->num_colors);
