a lot of xrender questions (buffer overrun, man-pages, accel)

Helge Bahmann hcb at chaoticmind.net
Mon May 21 06:45:36 PDT 2007 

Hi, I have a number of RENDER-related questions. 

1st I think I may have stumbled over a buffer overrun in 
SProcRenderCompositeGlyhps (/xserver/xserver/render/render.c), specifically 
the code that byteswaps the glyph codes, please correct me if I am wrong; in 
particular:

    while (buffer + sizeof (xGlyphElt) < end) <-- checks for end of req here
    {
	elt = (xGlyphElt *) buffer;
	buffer += sizeof (xGlyphElt);

	swaps (&elt->deltax, n);
	swaps (&elt->deltay, n);

	i = elt->len; <-- user supplied data
	if (i == 0xff)
	{
	    swapl (buffer, n);
	    buffer += 4;
	}
	else
	{
	    space = size * i; <-- not checked against end of request
	    switch (size) {
	    case 1:
		buffer += i;
		break;
	    case 2:
		while (i--)
		{
		    swaps (buffer, n);  <-- oops
		    buffer += 2;
		}

the "space" occupied by the glyph codes is never checked against the true 
length of the request; as a consequence the byteswap-operation may run out of 
bounds and touch data that is no longer part of the current request; if the 
request is near the end of client receive buffer, it will overwrite unrelated 
data

It is probably difficult to exploit this for code injection, but a DoS  
(server crash) looks easily possible to me (issue a "large" bigrequest in 
piecemeal to force allocation of a large buffer, then submit the 
compositeglyphs request with the last chunk; with knowledge of the allocation 
strategy you can make sure that it will hit an unmapped page)

The code above is present at least in version 7.1 and current git head (if
webcvs is up-to-date)

2nd are there any man-pages documenting the render xlib functions? 
Even /xlibs/Render/library does not look complete anymore. If there is 
nothing to that extent yet I would volunteer to write it (if there is any 
interest at all)

3rd is there any concise documentation that describes what render operations 
ARE accelerated (and not merely just theoretically acceleratable)? From 
experiments it seems that everything involving affine transforms of the 
source picture is completely unaccelerated, is this correct?

Best regards
Helge Bahmann
--
Mathematicians stand on each other's shoulders while computer scientists
 stand on each other's toes.
-- Richard Hamming

More information about the xorg mailing list