Merge upstream fixes to the X event swapping code.

(CVE-2017-10971 and CVE-2017-10972).
matthieu 2017-07-07 06:22:19 +00:00
parent 6849988066
commit 1862f5487a
3 changed files with 31 additions and 8 deletions


@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
{ {
CARD32 *p; CARD32 *p;
int i; int i;
xEvent eventT; xEvent eventT = { .u.u.type = 0 };
xEvent *eventP; xEvent *eventP;
EventSwapPtr proc; EventSwapPtr proc;
@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client)
eventP = (xEvent *) &stuff[1]; eventP = (xEvent *) &stuff[1];
for (i = 0; i < stuff->num_events; i++, eventP++) { for (i = 0; i < stuff->num_events; i++, eventP++) {
proc = EventSwapVector[eventP->u.u.type & 0177]; if (eventP->u.u.type == GenericEvent) {
if (proc == NotImplemented) /* no swapping proc; invalid event type? */ client->errorValue = eventP->u.u.type;
return BadValue; return BadValue;
}
proc = EventSwapVector[eventP->u.u.type & 0177];
/* no swapping proc; invalid event type? */
if (proc == NotImplemented) {
client->errorValue = eventP->u.u.type;
return BadValue;
}
(*proc) (eventP, &eventT); (*proc) (eventP, &eventT);
*eventP = eventT; *eventP = eventT;
} }
@ -117,7 +125,7 @@ SProcXSendExtensionEvent(ClientPtr client)
int int
ProcXSendExtensionEvent(ClientPtr client) ProcXSendExtensionEvent(ClientPtr client)
{ {
int ret; int ret, i;
DeviceIntPtr dev; DeviceIntPtr dev;
xEvent *first; xEvent *first;
XEventClass *list; XEventClass *list;
@ -141,10 +149,12 @@ ProcXSendExtensionEvent(ClientPtr client)
/* The client's event type must be one defined by an extension. */ /* The client's event type must be one defined by an extension. */
first = ((xEvent *) &stuff[1]); first = ((xEvent *) &stuff[1]);
if (!((EXTENSION_EVENT_BASE <= first->u.u.type) && for (i = 0; i < stuff->num_events; i++) {
(first->u.u.type < lastEvent))) { if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
client->errorValue = first->u.u.type; (first[i].u.u.type < lastEvent))) {
return BadValue; client->errorValue = first[i].u.u.type;
return BadValue;
}
} }
list = (XEventClass *) (first + stuff->num_events); list = (XEventClass *) (first + stuff->num_events);
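Review bot: The new GenericEvent test in SProcXSendExtensionEvent compares the raw `eventP->u.u.type`, while the lookup right after it indexes `EventSwapVector` with `eventP->u.u.type & 0177`, so a type byte with the high bit set is not caught by the test but still selects the same table slot. Comparing the masked value, `if ((eventP->u.u.type & 0177) == GenericEvent) {`, would keep the check and the lookup in agreement. The check added to SProcSendEvent has the same shape (`stuff->event.u.u.type == GenericEvent` followed by `EventSwapVector[stuff->event.u.u.type & 0177]`) and would take the same change. Whether the swap routine in that slot can write past the single `xEvent` destination is not visible on this page, so treat this as a hardening point to confirm against the swap table. Both function bodies extend beyond the hunks shown.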


@ -5355,6 +5355,12 @@ ProcSendEvent(ClientPtr client)
client->errorValue = stuff->event.u.u.type; client->errorValue = stuff->event.u.u.type;
return BadValue; return BadValue;
} }
/* Generic events can have variable size, but SendEvent request holds
exactly 32B of event data. */
if (stuff->event.u.u.type == GenericEvent) {
client->errorValue = stuff->event.u.u.type;
return BadValue;
}
if (stuff->event.u.u.type == ClientMessage && if (stuff->event.u.u.type == ClientMessage &&
stuff->event.u.u.detail != 8 && stuff->event.u.u.detail != 8 &&
stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) { stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {


@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
swapl(&stuff->destination); swapl(&stuff->destination);
swapl(&stuff->eventMask); swapl(&stuff->eventMask);
/* Generic events can have variable size, but SendEvent request holds
exactly 32B of event data. */
if (stuff->event.u.u.type == GenericEvent) {
client->errorValue = stuff->event.u.u.type;
return BadValue;
}
/* Swap event */ /* Swap event */
proc = EventSwapVector[stuff->event.u.u.type & 0177]; proc = EventSwapVector[stuff->event.u.u.type & 0177];
if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */ if (!proc || proc == NotImplemented) /* no swapping proc; invalid event type? */