os: restrict display names to digits

We call atoi() on the server's display to get the socket but otherwise use the
unmodified display for log file name, xkb paths, etc. This results in
Xorg :banana being the equivalent of Xorg :0, except for the log files being
in /var/log/Xorg.banana.log. I'm not sure there's a good use-case for this
behaviour.

Check the display for something that looks reasonable, i.e. digits only, but
do allow for :0.0 (i.e. digits, followed by a period, followed by one or two
digits).

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 71baa466b1f6b02fe503f9a3089b7b9d61aa0f80)

1 files changed, 27 insertions, 0 deletions

diff --git a/os/utils.c b/os/utils.c
index 608ee6ab0..3b20a5ccb 100644
--- a/os/utils.c
+++ b/os/utils.c
@@ -600,6 +600,10 @@ UseMsg(void)
 static int
 VerifyDisplayName(const char *d)
 {
+    int i;
+    int period_found = FALSE;
+    int after_period = 0;
+
     if (d == (char *) 0)
         return 0;               /*  null  */
     if (*d == '\0')
@@ -610,6 +614,29 @@ VerifyDisplayName(const char *d)
         return 0;               /*  must not equal "." or ".."  */
     if (strchr(d, '/') != (char *) 0)
         return 0;               /*  very important!!!  */
+
+    /* Since we run atoi() on the display later, only allow
+       for digits, or exception of :0.0 and similar (two decimal points max)
+       */
+    for (i = 0; i < strlen(d); i++) {
+        if (!isdigit(d[i])) {
+            if (d[i] != '.' || period_found)
+                return 0;
+            period_found = TRUE;
+        } else if (period_found)
+            after_period++;
+
+        if (after_period > 2)
+            return 0;
+    }
+
+    /* don't allow for :0. */
+    if (period_found && after_period == 0)
+        return 0;
+
+    if (atol(d) > INT_MAX)
+        return 0;
+
     return 1;
 }