|
 |
d067e9 |
From 36bcef5e5fd175e95ed4e0a014f6b1d8598b719d Mon Sep 17 00:00:00 2001
|
|
|
d067e9 |
From: Ray Strode <rstrode@redhat.com>
|
|
|
d067e9 |
Date: Mon, 4 Oct 2021 14:27:54 -0400
|
|
|
d067e9 |
Subject: [PATCH] xkb: Drop check for XkbSetMapResizeTypes
|
|
|
d067e9 |
|
|
|
d067e9 |
Commit 446ff2d3177087b8173fa779fa5b77a2a128988b added checks to
|
|
|
d067e9 |
prevalidate the size of incoming SetMap requests.
|
|
|
d067e9 |
|
|
|
d067e9 |
That commit checks for the XkbSetMapResizeTypes flag to be set before
|
|
|
d067e9 |
allowing key types data to be processed.
|
|
|
d067e9 |
|
|
|
d067e9 |
key types data can be changed or even just sent wholesale unchanged
|
|
|
d067e9 |
without the number of key types changing, however. The check for
|
|
|
d067e9 |
XkbSetMapResizeTypes rejects those legitimate requests. In particular,
|
|
|
d067e9 |
XkbChangeMap never sets XkbSetMapResizeTypes and so always fails now
|
|
|
d067e9 |
any time XkbKeyTypesMask is in the changed mask.
|
|
|
d067e9 |
|
|
|
d067e9 |
This commit drops the check for XkbSetMapResizeTypes in flags when
|
|
|
d067e9 |
prevalidating the request length.
|
|
|
d067e9 |
---
|
|
|
d067e9 |
xkb/xkb.c | 26 ++++++++++++--------------
|
|
|
d067e9 |
1 file changed, 12 insertions(+), 14 deletions(-)
|
|
|
d067e9 |
|
|
|
d067e9 |
diff --git a/xkb/xkb.c b/xkb/xkb.c
|
|
|
d067e9 |
index 183d6ffa1..62dee9cb6 100644
|
|
|
d067e9 |
--- a/xkb/xkb.c
|
|
|
d067e9 |
+++ b/xkb/xkb.c
|
|
|
d067e9 |
@@ -2378,75 +2378,73 @@ SetVirtualModMap(XkbSrvInfoPtr xkbi,
|
|
|
d067e9 |
}
|
|
|
d067e9 |
changes->map.first_vmodmap_key = first;
|
|
|
d067e9 |
changes->map.num_vmodmap_keys = (last - first) + 1;
|
|
|
d067e9 |
}
|
|
|
d067e9 |
return (char *) wire;
|
|
|
d067e9 |
}
|
|
|
d067e9 |
|
|
|
d067e9 |
#define _add_check_len(new) \
|
|
|
d067e9 |
if (len > UINT32_MAX - (new) || len > req_len - (new)) goto bad; \
|
|
|
d067e9 |
else len += new
|
|
|
d067e9 |
|
|
|
d067e9 |
/**
|
|
|
d067e9 |
* Check the length of the SetMap request
|
|
|
d067e9 |
*/
|
|
|
d067e9 |
static int
|
|
|
d067e9 |
_XkbSetMapCheckLength(xkbSetMapReq *req)
|
|
|
d067e9 |
{
|
|
|
d067e9 |
size_t len = sz_xkbSetMapReq, req_len = req->length << 2;
|
|
|
d067e9 |
xkbKeyTypeWireDesc *keytype;
|
|
|
d067e9 |
xkbSymMapWireDesc *symmap;
|
|
|
d067e9 |
BOOL preserve;
|
|
|
d067e9 |
int i, map_count, nSyms;
|
|
|
d067e9 |
|
|
|
d067e9 |
if (req_len < len)
|
|
|
d067e9 |
goto bad;
|
|
|
d067e9 |
/* types */
|
|
|
d067e9 |
if (req->present & XkbKeyTypesMask) {
|
|
|
d067e9 |
keytype = (xkbKeyTypeWireDesc *)(req + 1);
|
|
|
d067e9 |
for (i = 0; i < req->nTypes; i++) {
|
|
|
d067e9 |
_add_check_len(XkbPaddedSize(sz_xkbKeyTypeWireDesc));
|
|
|
d067e9 |
- if (req->flags & XkbSetMapResizeTypes) {
|
|
|
d067e9 |
- _add_check_len(keytype->nMapEntries
|
|
|
d067e9 |
- * sz_xkbKTSetMapEntryWireDesc);
|
|
|
d067e9 |
- preserve = keytype->preserve;
|
|
|
d067e9 |
- map_count = keytype->nMapEntries;
|
|
|
d067e9 |
- if (preserve) {
|
|
|
d067e9 |
- _add_check_len(map_count * sz_xkbModsWireDesc);
|
|
|
d067e9 |
- }
|
|
|
d067e9 |
- keytype += 1;
|
|
|
d067e9 |
- keytype = (xkbKeyTypeWireDesc *)
|
|
|
d067e9 |
- ((xkbKTSetMapEntryWireDesc *)keytype + map_count);
|
|
|
d067e9 |
- if (preserve)
|
|
|
d067e9 |
- keytype = (xkbKeyTypeWireDesc *)
|
|
|
d067e9 |
- ((xkbModsWireDesc *)keytype + map_count);
|
|
|
d067e9 |
+ _add_check_len(keytype->nMapEntries
|
|
|
d067e9 |
+ * sz_xkbKTSetMapEntryWireDesc);
|
|
|
d067e9 |
+ preserve = keytype->preserve;
|
|
|
d067e9 |
+ map_count = keytype->nMapEntries;
|
|
|
d067e9 |
+ if (preserve) {
|
|
|
d067e9 |
+ _add_check_len(map_count * sz_xkbModsWireDesc);
|
|
|
d067e9 |
}
|
|
|
d067e9 |
+ keytype += 1;
|
|
|
d067e9 |
+ keytype = (xkbKeyTypeWireDesc *)
|
|
|
d067e9 |
+ ((xkbKTSetMapEntryWireDesc *)keytype + map_count);
|
|
|
d067e9 |
+ if (preserve)
|
|
|
d067e9 |
+ keytype = (xkbKeyTypeWireDesc *)
|
|
|
d067e9 |
+ ((xkbModsWireDesc *)keytype + map_count);
|
|
|
d067e9 |
}
|
|
|
d067e9 |
}
|
|
|
d067e9 |
/* syms */
|
|
|
d067e9 |
if (req->present & XkbKeySymsMask) {
|
|
|
d067e9 |
symmap = (xkbSymMapWireDesc *)((char *)req + len);
|
|
|
d067e9 |
for (i = 0; i < req->nKeySyms; i++) {
|
|
|
d067e9 |
_add_check_len(sz_xkbSymMapWireDesc);
|
|
|
d067e9 |
nSyms = symmap->nSyms;
|
|
|
d067e9 |
_add_check_len(nSyms*sizeof(CARD32));
|
|
|
d067e9 |
symmap += 1;
|
|
|
d067e9 |
symmap = (xkbSymMapWireDesc *)((CARD32 *)symmap + nSyms);
|
|
|
d067e9 |
}
|
|
|
d067e9 |
}
|
|
|
d067e9 |
/* actions */
|
|
|
d067e9 |
if (req->present & XkbKeyActionsMask) {
|
|
|
d067e9 |
_add_check_len(req->totalActs * sz_xkbActionWireDesc
|
|
|
d067e9 |
+ XkbPaddedSize(req->nKeyActs));
|
|
|
d067e9 |
}
|
|
|
d067e9 |
/* behaviours */
|
|
|
d067e9 |
if (req->present & XkbKeyBehaviorsMask) {
|
|
|
d067e9 |
_add_check_len(req->totalKeyBehaviors * sz_xkbBehaviorWireDesc);
|
|
|
d067e9 |
}
|
|
|
d067e9 |
/* vmods */
|
|
|
d067e9 |
if (req->present & XkbVirtualModsMask) {
|
|
|
d067e9 |
_add_check_len(XkbPaddedSize(Ones(req->virtualMods)));
|
|
|
d067e9 |
}
|
|
|
d067e9 |
/* explicit */
|
|
|
d067e9 |
if (req->present & XkbExplicitComponentsMask) {
|
|
|
d067e9 |
/* two bytes per non-zero explicit componen */
|
|
|
d067e9 |
_add_check_len(XkbPaddedSize(req->totalKeyExplicit * sizeof(CARD16)));
|
|
|
d067e9 |
--
|
|
|
d067e9 |
2.32.0
|
|
|
d067e9 |
|