author | Peter Hutterer <peter.hutterer@who-t.net> | 2022-07-05 12:06:20 +1000 |
---|---|---|
committer | Peter Hutterer <peter.hutterer@who-t.net> | 2022-07-13 14:37:51 +1000 |
commit | 11beef0b7f1ed290348e45618e5fa0d2bffcb72e (patch) | |
tree | cb5d9657548e36a9e283d180e22159ed3ffb8e36 | |
parent | 1bb7767f19969ee6b109f7424ff97738752d18c9 (diff) |
xkb: proof GetCountedString against request length attacks
GetCountedString did a check for the whole string to be within the
request buffer but not for the initial 2 bytes that contain the length
field. A swapped client could send a malformed request to trigger a
swaps() on those bytes, writing into random memory.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-rw-r--r-- | xkb/xkb.c | 5 |
1 files changed, 5 insertions, 0 deletions
@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) CARD16 len; wire = *wire_inout; + + if (client->req_len < + bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) + return BadValue; + len = *(CARD16 *) wire; if (client->swapped) { swaps(&len); |
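Review bot: the added check hard-codes the length-prefix size as `wire + 2`, while the read it guards on the next line is `len = *(CARD16 *) wire;`. Writing the bound as `wire + sizeof(CARD16)` would tie the two together, and a one-line comment saying that the check covers only the length prefix would make the intent clear to later readers. Separately, the new branch returns `BadValue` for a request that is too short; since the condition is a comparison against `client->req_len`, `BadLength` describes the failure more precisely, unless the rest of the function (not visible in this hunk) already uses `BadValue` for the same condition and consistency is preferred.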