xserver: Branch 'server-21.1-branch' - 2 commits

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Wed Dec 14 13:07:44 UTC 2022 

 xkb/xkb.c |   31 +++++++++++++++++++++++++------
 1 file changed, 25 insertions(+), 6 deletions(-)

New commits:
commit 69ab3bcaa0f6a5adef6ec19161eb856a4744b32c
Author: Peter Hutterer <peter.hutterer at who-t.net>
Date:   Wed Jul 13 11:23:09 2022 +1000

    xkb: fix some possible memleaks in XkbGetKbdByName
    
    GetComponentByName returns an allocated string, so let's free that if we
    fail somewhere.
    
    Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
    (cherry picked from commit 18f91b950e22c2a342a4fbc55e9ddf7534a707d2)

diff --git a/xkb/xkb.c b/xkb/xkb.c
index 6b5d50137..276dc1938 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -5940,18 +5940,32 @@ ProcXkbGetKbdByName(ClientPtr client)
     xkb = dev->key->xkbInfo->desc;
     status = Success;
     str = (unsigned char *) &stuff[1];
-    if (GetComponentSpec(&str, TRUE, &status))  /* keymap, unsupported */
-        return BadMatch;
+    {
+        char *keymap = GetComponentSpec(&str, TRUE, &status);  /* keymap, unsupported */
+        if (keymap) {
+            free(keymap);
+            return BadMatch;
+        }
+    }
     names.keycodes = GetComponentSpec(&str, TRUE, &status);
     names.types = GetComponentSpec(&str, TRUE, &status);
     names.compat = GetComponentSpec(&str, TRUE, &status);
     names.symbols = GetComponentSpec(&str, TRUE, &status);
     names.geometry = GetComponentSpec(&str, TRUE, &status);
-    if (status != Success)
+    if (status == Success) {
+        len = str - ((unsigned char *) stuff);
+        if ((XkbPaddedSize(len) / 4) != stuff->length)
+            status = BadLength;
+    }
+
+    if (status != Success) {
+        free(names.keycodes);
+        free(names.types);
+        free(names.compat);
+        free(names.symbols);
+        free(names.geometry);
         return status;
-    len = str - ((unsigned char *) stuff);
-    if ((XkbPaddedSize(len) / 4) != stuff->length)
-        return BadLength;
+    }
 
     CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
     CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
commit 5dbb2b52cfeab212b5c9b7e344692a6384efdc4c
Author: Peter Hutterer <peter.hutterer at who-t.net>
Date:   Tue Jul 5 12:06:20 2022 +1000

    xkb: proof GetCountedString against request length attacks
    
    GetCountedString did a check for the whole string to be within the
    request buffer but not for the initial 2 bytes that contain the length
    field. A swapped client could send a malformed request to trigger a
    swaps() on those bytes, writing into random memory.
    
    Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
    (cherry picked from commit 11beef0b7f1ed290348e45618e5fa0d2bffcb72e)

diff --git a/xkb/xkb.c b/xkb/xkb.c
index f0398d2fb..6b5d50137 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
     CARD16 len;
 
     wire = *wire_inout;
+
+    if (client->req_len <
+        bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
+        return BadValue;
+
     len = *(CARD16 *) wire;
     if (client->swapped) {
         swaps(&len);

More information about the xorg-commit mailing list