frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

xkb: proof GetCountedString against request length attacks 

GetCountedString did a check for the whole string to be within the
request buffer but not for the initial 2 bytes that contain the length
field. A swapped client could send a malformed request to trigger a
swaps() on those bytes, writing into random memory.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 11beef0b7f)
This commit is contained in:
Peter Hutterer 2022-07-05 12:06:20 +10:00 committed by Olivier Fourdan
parent becf9d51c3
commit 5dbb2b52cf
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
xkb/xkb.c
View File

@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
CARD16 len;
wire = *wire_inout;
if (client->req_len <
bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
return BadValue;
len = *(CARD16 *) wire;
if (client->swapped) {
swaps(&len);