Xi: fix length checking with bigreq

The authorative source of the request frame size is client->req_len, especially with big requests larger than 2^18 bytes. Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1639>
2024-08-06 11:39:09 +02:00 · 2024-08-06 11:39:09 +02:00 · fc9f8f8d3c
parent e1e8ab3ddf
commit fc9f8f8d3c
15 changed files with 19 additions and 19 deletions
--- a/Xi/chgdctl.c
+++ b/Xi/chgdctl.c
@ -116,7 +116,7 @@ ProcXChangeDeviceControl(ClientPtr client)
    REQUEST(xChangeDeviceControlReq);
    REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));

-    len = stuff->length - bytes_to_int32(sizeof(xChangeDeviceControlReq));
+    len = client->req_len - bytes_to_int32(sizeof(xChangeDeviceControlReq));
    ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
    if (ret != Success)
        goto out;
--- a/Xi/chgfctl.c
+++ b/Xi/chgfctl.c
@ -436,7 +436,7 @@ ProcXChangeFeedbackControl(ClientPtr client)
    REQUEST(xChangeFeedbackControlReq);
    REQUEST_AT_LEAST_SIZE(xChangeFeedbackControlReq);

-    len = stuff->length - bytes_to_int32(sizeof(xChangeFeedbackControlReq));
+    len = client->req_len - bytes_to_int32(sizeof(xChangeFeedbackControlReq));
    rc = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
    if (rc != Success)
        return rc;
--- a/Xi/chgkmap.c
+++ b/Xi/chgkmap.c
@ -106,7 +106,7 @@ ProcXChangeDeviceKeyMapping(ClientPtr client)
    ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
    if (ret != Success)
        return ret;
-    len = stuff->length - bytes_to_int32(sizeof(xChangeDeviceKeyMappingReq));
+    len = client->req_len - bytes_to_int32(sizeof(xChangeDeviceKeyMappingReq));

    ret = ChangeKeyMapping(client, dev, len, DeviceMappingNotify,
                           stuff->firstKeyCode, stuff->keyCodes,
--- a/Xi/chgprop.c
+++ b/Xi/chgprop.c
@ -102,7 +102,7 @@ ProcXChangeDeviceDontPropagateList(ClientPtr client)
    REQUEST(xChangeDeviceDontPropagateListReq);
    REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);

-    if (stuff->length !=
+    if (client->req_len !=
        bytes_to_int32(sizeof(xChangeDeviceDontPropagateListReq)) +
        stuff->count)
        return BadLength;
--- a/Xi/getvers.c
+++ b/Xi/getvers.c
@ -92,7 +92,7 @@ ProcXGetExtensionVersion(ClientPtr client)
    REQUEST(xGetExtensionVersionReq);
    REQUEST_AT_LEAST_SIZE(xGetExtensionVersionReq);

-    if (stuff->length != bytes_to_int32(sizeof(xGetExtensionVersionReq) +
+    if (client->req_len != bytes_to_int32(sizeof(xGetExtensionVersionReq) +
                                        stuff->nbytes))
        return BadLength;

--- a/Xi/grabdev.c
+++ b/Xi/grabdev.c
@ -82,7 +82,7 @@ SProcXGrabDevice(ClientPtr client)
    swapl(&stuff->time);
    swaps(&stuff->event_count);

-    if (stuff->length !=
+    if (client->req_len !=
        bytes_to_int32(sizeof(xGrabDeviceReq)) + stuff->event_count)
        return BadLength;

@ -109,7 +109,7 @@ ProcXGrabDevice(ClientPtr client)
    REQUEST(xGrabDeviceReq);
    REQUEST_AT_LEAST_SIZE(xGrabDeviceReq);

-    if (stuff->length !=
+    if (client->req_len !=
        bytes_to_int32(sizeof(xGrabDeviceReq)) + stuff->event_count)
        return BadLength;

--- a/Xi/grabdevb.c
+++ b/Xi/grabdevb.c
@ -106,7 +106,7 @@ ProcXGrabDeviceButton(ClientPtr client)
    REQUEST(xGrabDeviceButtonReq);
    REQUEST_AT_LEAST_SIZE(xGrabDeviceButtonReq);

-    if (stuff->length !=
+    if (client->req_len !=
        bytes_to_int32(sizeof(xGrabDeviceButtonReq)) + stuff->event_count)
        return BadLength;

--- a/Xi/grabdevk.c
+++ b/Xi/grabdevk.c
@ -104,7 +104,7 @@ ProcXGrabDeviceKey(ClientPtr client)
    REQUEST(xGrabDeviceKeyReq);
    REQUEST_AT_LEAST_SIZE(xGrabDeviceKeyReq);

-    if (stuff->length !=
+    if (client->req_len !=
        bytes_to_int32(sizeof(xGrabDeviceKeyReq)) + stuff->event_count)
        return BadLength;

--- a/Xi/selectev.c
+++ b/Xi/selectev.c
@ -148,7 +148,7 @@ ProcXSelectExtensionEvent(ClientPtr client)
    REQUEST(xSelectExtensionEventReq);
    REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);

-    if (stuff->length !=
+    if (client->req_len !=
        bytes_to_int32(sizeof(xSelectExtensionEventReq)) + stuff->count)
        return BadLength;

--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
@ -87,7 +87,7 @@ SProcXSendExtensionEvent(ClientPtr client)
    swapl(&stuff->destination);
    swaps(&stuff->count);

-    if (stuff->length !=
+    if (client->req_len !=
        bytes_to_int32(sizeof(xSendExtensionEventReq)) + stuff->count +
        bytes_to_int32(stuff->num_events * sizeof(xEvent)))
        return BadLength;
@ -133,7 +133,7 @@ ProcXSendExtensionEvent(ClientPtr client)
    REQUEST(xSendExtensionEventReq);
    REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);

-    if (stuff->length !=
+    if (client->req_len !=
        bytes_to_int32(sizeof(xSendExtensionEventReq)) + stuff->count +
        (stuff->num_events * bytes_to_int32(sizeof(xEvent))))
        return BadLength;
--- a/Xi/setbmap.c
+++ b/Xi/setbmap.c
@ -92,7 +92,7 @@ ProcXSetDeviceButtonMapping(ClientPtr client)
    REQUEST(xSetDeviceButtonMappingReq);
    REQUEST_AT_LEAST_SIZE(xSetDeviceButtonMappingReq);

-    if (stuff->length !=
+    if (client->req_len !=
        bytes_to_int32(sizeof(xSetDeviceButtonMappingReq) + stuff->map_length))
        return BadLength;

--- a/Xi/setdval.c
+++ b/Xi/setdval.c
@ -100,7 +100,7 @@ ProcXSetDeviceValuators(ClientPtr client)
        .status = Success
    };

-    if (stuff->length != bytes_to_int32(sizeof(xSetDeviceValuatorsReq)) +
+    if (client->req_len != bytes_to_int32(sizeof(xSetDeviceValuatorsReq)) +
        stuff->num_valuators)
        return BadLength;

--- a/Xi/setmmap.c
+++ b/Xi/setmmap.c
@ -94,7 +94,7 @@ ProcXSetDeviceModifierMapping(ClientPtr client)
    REQUEST(xSetDeviceModifierMappingReq);
    REQUEST_AT_LEAST_SIZE(xSetDeviceModifierMappingReq);

-    if (stuff->length != bytes_to_int32(sizeof(xSetDeviceModifierMappingReq)) +
+    if (client->req_len != bytes_to_int32(sizeof(xSetDeviceModifierMappingReq)) +
        (stuff->numKeyPerModifier << 1))
        return BadLength;

--- a/Xi/xiallowev.c
+++ b/Xi/xiallowev.c
@ -54,7 +54,7 @@ SProcXIAllowEvents(ClientPtr client)
    swaps(&stuff->length);
    swaps(&stuff->deviceid);
    swapl(&stuff->time);
-    if (stuff->length > 3) {
+    if (client->req_len > 3) {
        xXI2_2AllowEventsReq *req_xi22 = (xXI2_2AllowEventsReq *) stuff;

        REQUEST_AT_LEAST_SIZE(xXI2_2AllowEventsReq);
--- a/Xi/xiselectev.c
+++ b/Xi/xiselectev.c
@ -125,7 +125,7 @@ SProcXISelectEvents(ClientPtr client)
    swapl(&stuff->win);
    swaps(&stuff->num_masks);

-    len = stuff->length - bytes_to_int32(sizeof(xXISelectEventsReq));
+    len = client->req_len - bytes_to_int32(sizeof(xXISelectEventsReq));
    evmask = (xXIEventMask *) &stuff[1];
    for (i = 0; i < stuff->num_masks; i++) {
        if (len < bytes_to_int32(sizeof(xXIEventMask)))
@ -172,7 +172,7 @@ ProcXISelectEvents(ClientPtr client)
    while (num_masks--) {
        len += sizeof(xXIEventMask) + evmask->mask_len * 4;

-        if (bytes_to_int32(len) > stuff->length)
+        if (bytes_to_int32(len) > client->req_len)
            return BadLength;

        if (evmask->deviceid != XIAllDevices &&
@ -298,7 +298,7 @@ ProcXISelectEvents(ClientPtr client)
        evmask++;
    }

-    if (bytes_to_int32(len) != stuff->length)
+    if (bytes_to_int32(len) != client->req_len)
        return BadLength;

    /* Set masks on window */