Fix for CVE-2007-6427 - Xinput extension memory corruption.

Matthieu Herrb 2008-01-17 15:27:34 +01:00
parent bbde5b62a1
commit dd5e0f5cd5
8 changed files with 33 additions and 54 deletions


@ -302,18 +302,13 @@ ChangeStringFeedback(ClientPtr client, DeviceIntPtr dev,
xStringFeedbackCtl * f) xStringFeedbackCtl * f)
{ {
char n; char n;
long *p;
int i, j; int i, j;
KeySym *syms, *sup_syms; KeySym *syms, *sup_syms;
syms = (KeySym *) (f + 1); syms = (KeySym *) (f + 1);
if (client->swapped) { if (client->swapped) {
swaps(&f->length, n); /* swapped num_keysyms in calling proc */ swaps(&f->length, n); /* swapped num_keysyms in calling proc */
p = (long *)(syms); SwapLongs((CARD32 *) syms, f->num_keysyms);
for (i = 0; i < f->num_keysyms; i++) {
swapl(p, n);
p++;
}
} }
if (f->num_keysyms > s->ctrl.max_symbols) if (f->num_keysyms > s->ctrl.max_symbols)
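Review bot: Nothing in this hunk bounds `f->num_keysyms` against the request length before `SwapLongs((CARD32 *) syms, f->num_keysyms)` rewrites that many words in place; the only check visible, `f->num_keysyms > s->ctrl.max_symbols`, comes after the swap. If the calling proc (outside this hunk) does not already verify that the request holds `num_keysyms` 32-bit entries, the swap for a byte-swapped client would run past the end of the request. Either confirm that the caller performs that check and record it here, e.g. `/* caller has verified the request holds num_keysyms KeySyms */`, or move a length test ahead of the swap. The body of ChangeStringFeedback continues past the last line shown.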


@ -75,18 +75,14 @@ int
SProcXChangeDeviceKeyMapping(ClientPtr client) SProcXChangeDeviceKeyMapping(ClientPtr client)
{ {
char n; char n;
long *p; unsigned int count;
int i, count;
REQUEST(xChangeDeviceKeyMappingReq); REQUEST(xChangeDeviceKeyMappingReq);
swaps(&stuff->length, n); swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq); REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
p = (long *)&stuff[1];
count = stuff->keyCodes * stuff->keySymsPerKeyCode; count = stuff->keyCodes * stuff->keySymsPerKeyCode;
for (i = 0; i < count; i++) { REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
swapl(p, n); SwapLongs((CARD32 *) (&stuff[1]), count);
p++;
}
return (ProcXChangeDeviceKeyMapping(client)); return (ProcXChangeDeviceKeyMapping(client));
} }
@ -102,10 +98,14 @@ ProcXChangeDeviceKeyMapping(ClientPtr client)
int ret; int ret;
unsigned len; unsigned len;
DeviceIntPtr dev; DeviceIntPtr dev;
unsigned int count;
REQUEST(xChangeDeviceKeyMappingReq); REQUEST(xChangeDeviceKeyMappingReq);
REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq); REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
count = stuff->keyCodes * stuff->keySymsPerKeyCode;
REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
ret = dixLookupDevice(&dev, stuff->deviceid, client, DixSetAttrAccess); ret = dixLookupDevice(&dev, stuff->deviceid, client, DixSetAttrAccess);
if (ret != Success) if (ret != Success)
return ret; return ret;
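Review bot: `count = stuff->keyCodes * stuff->keySymsPerKeyCode` is built from two client-supplied fields and then multiplied by `sizeof(CARD32)` inside REQUEST_FIXED_SIZE, and nothing in either hunk says why that arithmetic cannot wrap. If both fields are 8-bit in the request struct (the struct is not shown on this page), the product is at most 65025 and the check is sound; a one-line comment would record that, e.g. `/* keyCodes and keySymsPerKeyCode are 8-bit, so count * 4 cannot overflow */`. The same computation and check are repeated in ProcXChangeDeviceKeyMapping, whose body continues outside the hunk, and the comment applies there as well.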


@ -77,19 +77,15 @@ int
SProcXChangeDeviceDontPropagateList(ClientPtr client) SProcXChangeDeviceDontPropagateList(ClientPtr client)
{ {
char n; char n;
long *p;
int i;
REQUEST(xChangeDeviceDontPropagateListReq); REQUEST(xChangeDeviceDontPropagateListReq);
swaps(&stuff->length, n); swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq); REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
swapl(&stuff->window, n); swapl(&stuff->window, n);
swaps(&stuff->count, n); swaps(&stuff->count, n);
p = (long *)&stuff[1]; REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
for (i = 0; i < stuff->count; i++) { stuff->count * sizeof(CARD32));
swapl(p, n); SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
p++;
}
return (ProcXChangeDeviceDontPropagateList(client)); return (ProcXChangeDeviceDontPropagateList(client));
} }


@ -78,8 +78,6 @@ int
SProcXGrabDevice(ClientPtr client) SProcXGrabDevice(ClientPtr client)
{ {
char n; char n;
long *p;
int i;
REQUEST(xGrabDeviceReq); REQUEST(xGrabDeviceReq);
swaps(&stuff->length, n); swaps(&stuff->length, n);
@ -87,11 +85,11 @@ SProcXGrabDevice(ClientPtr client)
swapl(&stuff->grabWindow, n); swapl(&stuff->grabWindow, n);
swapl(&stuff->time, n); swapl(&stuff->time, n);
swaps(&stuff->event_count, n); swaps(&stuff->event_count, n);
p = (long *)&stuff[1];
for (i = 0; i < stuff->event_count; i++) { if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
swapl(p, n); return BadLength;
p++;
} SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
return (ProcXGrabDevice(client)); return (ProcXGrabDevice(client));
} }
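Review bot: The length test `if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)` is hand-written, while the sibling swapped handlers in this commit (SProcXGrabDeviceButton, SProcXGrabDeviceKey) use `REQUEST_FIXED_SIZE(..., stuff->event_count * sizeof(CARD32))`. It compares the header field `stuff->length`, whereas the macro checks `client->req_len`; it is worth confirming the two cannot diverge on this path. Unless the difference is deliberate, `REQUEST_FIXED_SIZE(xGrabDeviceReq, stuff->event_count * sizeof(CARD32));` would keep the handlers uniform. No REQUEST_AT_LEAST_SIZE is visible before the field swaps, though the lines between the two hunks are not shown.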


@ -77,8 +77,6 @@ int
SProcXGrabDeviceButton(ClientPtr client) SProcXGrabDeviceButton(ClientPtr client)
{ {
char n; char n;
long *p;
int i;
REQUEST(xGrabDeviceButtonReq); REQUEST(xGrabDeviceButtonReq);
swaps(&stuff->length, n); swaps(&stuff->length, n);
@ -86,11 +84,9 @@ SProcXGrabDeviceButton(ClientPtr client)
swapl(&stuff->grabWindow, n); swapl(&stuff->grabWindow, n);
swaps(&stuff->modifiers, n); swaps(&stuff->modifiers, n);
swaps(&stuff->event_count, n); swaps(&stuff->event_count, n);
p = (long *)&stuff[1]; REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
for (i = 0; i < stuff->event_count; i++) { stuff->event_count * sizeof(CARD32));
swapl(p, n); SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
p++;
}
return (ProcXGrabDeviceButton(client)); return (ProcXGrabDeviceButton(client));
} }


@ -77,8 +77,6 @@ int
SProcXGrabDeviceKey(ClientPtr client) SProcXGrabDeviceKey(ClientPtr client)
{ {
char n; char n;
long *p;
int i;
REQUEST(xGrabDeviceKeyReq); REQUEST(xGrabDeviceKeyReq);
swaps(&stuff->length, n); swaps(&stuff->length, n);
@ -86,11 +84,8 @@ SProcXGrabDeviceKey(ClientPtr client)
swapl(&stuff->grabWindow, n); swapl(&stuff->grabWindow, n);
swaps(&stuff->modifiers, n); swaps(&stuff->modifiers, n);
swaps(&stuff->event_count, n); swaps(&stuff->event_count, n);
p = (long *)&stuff[1]; REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
for (i = 0; i < stuff->event_count; i++) { SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
swapl(p, n);
p++;
}
return (ProcXGrabDeviceKey(client)); return (ProcXGrabDeviceKey(client));
} }


@ -127,19 +127,16 @@ int
SProcXSelectExtensionEvent(ClientPtr client) SProcXSelectExtensionEvent(ClientPtr client)
{ {
char n; char n;
long *p;
int i;
REQUEST(xSelectExtensionEventReq); REQUEST(xSelectExtensionEventReq);
swaps(&stuff->length, n); swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq); REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
swapl(&stuff->window, n); swapl(&stuff->window, n);
swaps(&stuff->count, n); swaps(&stuff->count, n);
p = (long *)&stuff[1]; REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
for (i = 0; i < stuff->count; i++) { stuff->count * sizeof(CARD32));
swapl(p, n); SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
p++;
}
return (ProcXSelectExtensionEvent(client)); return (ProcXSelectExtensionEvent(client));
} }


@ -80,7 +80,7 @@ int
SProcXSendExtensionEvent(ClientPtr client) SProcXSendExtensionEvent(ClientPtr client)
{ {
char n; char n;
long *p; CARD32 *p;
int i; int i;
xEvent eventT; xEvent eventT;
xEvent *eventP; xEvent *eventP;
@ -91,6 +91,11 @@ SProcXSendExtensionEvent(ClientPtr client)
REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq); REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
swapl(&stuff->destination, n); swapl(&stuff->destination, n);
swaps(&stuff->count, n); swaps(&stuff->count, n);
if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
(stuff->num_events * (sizeof(xEvent) >> 2)))
return BadLength;
eventP = (xEvent *) & stuff[1]; eventP = (xEvent *) & stuff[1];
for (i = 0; i < stuff->num_events; i++, eventP++) { for (i = 0; i < stuff->num_events; i++, eventP++) {
proc = EventSwapVector[eventP->u.u.type & 0177]; proc = EventSwapVector[eventP->u.u.type & 0177];
@ -100,11 +105,8 @@ SProcXSendExtensionEvent(ClientPtr client)
*eventP = eventT; *eventP = eventT;
} }
p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events); p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
for (i = 0; i < stuff->count; i++) { SwapLongs(p, stuff->count);
swapl(p, n);
p++;
}
return (ProcXSendExtensionEvent(client)); return (ProcXSendExtensionEvent(client));
} }
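Review bot: The new BadLength test in SProcXSendExtensionEvent encodes the payload layout (header, then `num_events` xEvents, then `count` 32-bit event classes) without stating it. That test is what keeps the in-place event swap loop and the trailing `SwapLongs(p, stuff->count)` inside the request. A comment above the check would make this explicit, e.g. `/* payload: num_events xEvents followed by count CARD32 classes; reject before swapping in place */`. `stuff->num_events` is used without a swap, which is only correct if it is a single-byte field; the struct is not shown on this page, so that is worth confirming. Parts of the function lie between the hunks and are not visible here.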