From d244c8272e0ac47c41a9416e37293903b842a78b Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@bluenote.herrb.com>
Date: Thu, 17 Jan 2008 15:27:34 +0100
Subject: [PATCH] Fix for CVE-2007-6427 - Xinput extension memory corruption.
---
Xi/chgfctl.c | 7 +------
Xi/chgkmap.c | 13 ++++++-------
Xi/chgprop.c | 10 +++-------
Xi/grabdev.c | 12 +++++-------
Xi/grabdevb.c | 10 +++-------
Xi/grabdevk.c | 9 ++-------
Xi/selectev.c | 11 ++++-------
Xi/sendexev.c | 14 ++++++++------
8 files changed, 32 insertions(+), 54 deletions(-)
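diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
index 2e0e13c..235d659 100644
--- a/Xi/chgfctl.c
+++ b/Xi/chgfctl.c
@@ -327,18 +327,13 @@ ChangeStringFeedback(ClientPtr client, DeviceIntPtr dev,
 xStringFeedbackCtl * f)
 {
 char n;
- long *p;
 int i, j;
 KeySym *syms, *sup_syms;
 
 syms = (KeySym *) (f + 1);
 if (client->swapped) {
 swaps(&f->length, n); /* swapped num_keysyms in calling proc */
- p = (long *)(syms);
- for (i = 0; i < f->num_keysyms; i++) {
- swapl(p, n);
- p++;
- }
+ SwapLongs((CARD32 *) syms, f->num_keysyms);
 }
 
 if (f->num_keysyms > s->ctrl.max_symbols) {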
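Review bot: In ChangeStringFeedback the new `SwapLongs((CARD32 *) syms, f->num_keysyms)` still runs before `f->num_keysyms` has been compared with anything; the `f->num_keysyms > s->ctrl.max_symbols` test comes after the swap and bounds the count against the device, not against the request. Nothing in this hunk ties the count to the request length, so the swap depends on the caller having checked it (the existing comment only says num_keysyms was swapped there). I would record that precondition beside the call, e.g. `/* caller has verified that num_keysyms keysyms fit in the request */`, or move the swap below a length check if the caller does not guarantee it. The function body continues past the end of the hunk.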
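diff --git a/Xi/chgkmap.c b/Xi/chgkmap.c
index eac520f..f8f85bc 100644
--- a/Xi/chgkmap.c
+++ b/Xi/chgkmap.c
@@ -79,18 +79,14 @@ int
 SProcXChangeDeviceKeyMapping(ClientPtr client)
 {
 char n;
- long *p;
- int i, count;
+ unsigned int count;
 
 REQUEST(xChangeDeviceKeyMappingReq);
 swaps(&stuff->length, n);
 REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
- p = (long *)&stuff[1];
 count = stuff->keyCodes * stuff->keySymsPerKeyCode;
- for (i = 0; i < count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), count);
 return (ProcXChangeDeviceKeyMapping(client));
 }
 
@@ -106,10 +102,13 @@ ProcXChangeDeviceKeyMapping(ClientPtr client)
 int ret;
 unsigned len;
 DeviceIntPtr dev;
+ unsigned int count;
 
 REQUEST(xChangeDeviceKeyMappingReq);
 REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
 
+ count = stuff->keyCodes * stuff->keySymsPerKeyCode;
+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
 dev = LookupDeviceIntRec(stuff->deviceid);
 if (dev == NULL) {
 SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0,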
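Review bot: `count = stuff->keyCodes * stuff->keySymsPerKeyCode` now sizes both the length check and the SwapLongs call, and its safety rests on the product not wrapping, which the diff does not show. If both fields are 8-bit, as the request layout suggests (the struct is not part of this patch), the product is bounded and `count * sizeof(CARD32)` cannot overflow. A one-line comment above the multiplication would make that explicit, e.g. `/* keyCodes and keySymsPerKeyCode are CARD8, so count <= 255 * 255 */`. The same two lines are repeated in ProcXChangeDeviceKeyMapping, whose body continues outside the hunk. Any later length test there that uses `len` may now be redundant and is worth checking.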
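diff --git a/Xi/chgprop.c b/Xi/chgprop.c
index 59a93c6..21bda5b 100644
--- a/Xi/chgprop.c
+++ b/Xi/chgprop.c
@@ -81,19 +81,15 @@ int
 SProcXChangeDeviceDontPropagateList(ClientPtr client)
 {
 char n;
- long *p;
- int i;
 
 REQUEST(xChangeDeviceDontPropagateListReq);
 swaps(&stuff->length, n);
 REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
 swapl(&stuff->window, n);
 swaps(&stuff->count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
+ stuff->count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
 return (ProcXChangeDeviceDontPropagateList(client));
 }
 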
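diff --git a/Xi/grabdev.c b/Xi/grabdev.c
index e2809ef..d0b4ae7 100644
--- a/Xi/grabdev.c
+++ b/Xi/grabdev.c
@@ -82,8 +82,6 @@ int
 SProcXGrabDevice(ClientPtr client)
 {
 char n;
- long *p;
- int i;
 
 REQUEST(xGrabDeviceReq);
 swaps(&stuff->length, n);
@@ -91,11 +89,11 @@ SProcXGrabDevice(ClientPtr client)
 swapl(&stuff->grabWindow, n);
 swapl(&stuff->time, n);
 swaps(&stuff->event_count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->event_count; i++) {
- swapl(p, n);
- p++;
- }
+
+ if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
+ return BadLength;
+
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
 
 return (ProcXGrabDevice(client));
 }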
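Review bot: The length test added to SProcXGrabDevice is written by hand against `stuff->length`, while the other swapped handlers touched by this commit use `REQUEST_FIXED_SIZE`; the same hand-written form appears in SProcXSendExtensionEvent in Xi/sendexev.c. Using the macro here, `REQUEST_FIXED_SIZE(xGrabDeviceReq, stuff->event_count * sizeof(CARD32));`, would keep every file on one checked idiom. As far as I know the macro validates against the length the server recorded for the request (`client->req_len`) rather than the client-supplied header field. The lines between the two hunks are not shown, so whether `REQUEST_AT_LEAST_SIZE` already precedes the field swaps cannot be confirmed from here.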
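diff --git a/Xi/grabdevb.c b/Xi/grabdevb.c
index df62d0c..18db1f7 100644
--- a/Xi/grabdevb.c
+++ b/Xi/grabdevb.c
@@ -80,8 +80,6 @@ int
 SProcXGrabDeviceButton(ClientPtr client)
 {
 char n;
- long *p;
- int i;
 
 REQUEST(xGrabDeviceButtonReq);
 swaps(&stuff->length, n);
@@ -89,11 +87,9 @@ SProcXGrabDeviceButton(ClientPtr client)
 swapl(&stuff->grabWindow, n);
 swaps(&stuff->modifiers, n);
 swaps(&stuff->event_count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->event_count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
+ stuff->event_count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
 
 return (ProcXGrabDeviceButton(client));
 }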
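diff --git a/Xi/grabdevk.c b/Xi/grabdevk.c
index b74592f..429b2f7 100644
--- a/Xi/grabdevk.c
+++ b/Xi/grabdevk.c
@@ -80,8 +80,6 @@ int
 SProcXGrabDeviceKey(ClientPtr client)
 {
 char n;
- long *p;
- int i;
 
 REQUEST(xGrabDeviceKeyReq);
 swaps(&stuff->length, n);
@@ -89,11 +87,8 @@ SProcXGrabDeviceKey(ClientPtr client)
 swapl(&stuff->grabWindow, n);
 swaps(&stuff->modifiers, n);
 swaps(&stuff->event_count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->event_count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
 return (ProcXGrabDeviceKey(client));
 }
 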
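diff --git a/Xi/selectev.c b/Xi/selectev.c
index d52db1b..19415c5 100644
--- a/Xi/selectev.c
+++ b/Xi/selectev.c
@@ -131,19 +131,16 @@ int
 SProcXSelectExtensionEvent(ClientPtr client)
 {
 char n;
- long *p;
- int i;
 
 REQUEST(xSelectExtensionEventReq);
 swaps(&stuff->length, n);
 REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
 swapl(&stuff->window, n);
 swaps(&stuff->count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
+ stuff->count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
+
 return (ProcXSelectExtensionEvent(client));
 }
 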
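diff --git a/Xi/sendexev.c b/Xi/sendexev.c
index eac9abe..9803cf3 100644
--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
@@ -83,7 +83,7 @@ int
 SProcXSendExtensionEvent(ClientPtr client)
 {
 char n;
- long *p;
+ CARD32 *p;
 int i;
 xEvent eventT;
 xEvent *eventP;
@@ -94,6 +94,11 @@ SProcXSendExtensionEvent(ClientPtr client)
 REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
 swapl(&stuff->destination, n);
 swaps(&stuff->count, n);
+
+ if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
+ (stuff->num_events * (sizeof(xEvent) >> 2)))
+ return BadLength;
+
 eventP = (xEvent *) & stuff[1];
 for (i = 0; i < stuff->num_events; i++, eventP++) {
 proc = EventSwapVector[eventP->u.u.type & 0177];
@@ -103,11 +108,8 @@ SProcXSendExtensionEvent(ClientPtr client)
 *eventP = eventT;
 }
 
- p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
- for (i = 0; i < stuff->count; i++) {
- swapl(p, n);
- p++;
- }
+ p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
+ SwapLongs(p, stuff->count);
 return (ProcXSendExtensionEvent(client));
 }
 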
--
1.5.3.5