qbit/xenocara
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix from X.Org for CVE-2007-6427 - Xinput extension memory corruption.

Browse Source
This commit is contained in:
matthieu 2008-01-17 15:42:19 +00:00
parent 19e04f544a
commit 868ab3f2e3
8 changed files with 33 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
xserver/Xi/chgfctl.c
View File

@ -327,18 +327,13 @@ ChangeStringFeedback(ClientPtr client, DeviceIntPtr dev,
xStringFeedbackCtl * f)
{
char n;
long *p;
int i, j;
KeySym *syms, *sup_syms;
syms = (KeySym *) (f + 1);
if (client->swapped) {
swaps(&f->length, n); /* swapped num_keysyms in calling proc */
p = (long *)(syms);
for (i = 0; i < f->num_keysyms; i++) {
swapl(p, n);
p++;
}
SwapLongs((CARD32 *) syms, f->num_keysyms);
}
if (f->num_keysyms > s->ctrl.max_symbols) {

14
xserver/Xi/chgkmap.c
View File

@ -79,18 +79,14 @@ int
SProcXChangeDeviceKeyMapping(ClientPtr client)
{
char n;
long *p;
int i, count;
unsigned int count;
REQUEST(xChangeDeviceKeyMappingReq);
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
p = (long *)&stuff[1];
count = stuff->keyCodes * stuff->keySymsPerKeyCode;
for (i = 0; i < count; i++) {
swapl(p, n);
p++;
}
REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
SwapLongs((CARD32 *) (&stuff[1]), count);
return (ProcXChangeDeviceKeyMapping(client));
}
@ -106,10 +102,14 @@ ProcXChangeDeviceKeyMapping(ClientPtr client)
int ret;
unsigned len;
DeviceIntPtr dev;
unsigned int count;
REQUEST(xChangeDeviceKeyMappingReq);
REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
count = stuff->keyCodes * stuff->keySymsPerKeyCode;
REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
dev = LookupDeviceIntRec(stuff->deviceid);
if (dev == NULL) {
SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0,

10
xserver/Xi/chgprop.c
View File

@ -81,19 +81,15 @@ int
SProcXChangeDeviceDontPropagateList(ClientPtr client)
{
char n;
long *p;
int i;
REQUEST(xChangeDeviceDontPropagateListReq);
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
swapl(&stuff->window, n);
swaps(&stuff->count, n);
p = (long *)&stuff[1];
for (i = 0; i < stuff->count; i++) {
swapl(p, n);
p++;
}
REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
stuff->count * sizeof(CARD32));
SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
return (ProcXChangeDeviceDontPropagateList(client));
}

12
xserver/Xi/grabdev.c
View File

@ -82,8 +82,6 @@ int
SProcXGrabDevice(ClientPtr client)
{
char n;
long *p;
int i;
REQUEST(xGrabDeviceReq);
swaps(&stuff->length, n);
@ -91,11 +89,11 @@ SProcXGrabDevice(ClientPtr client)
swapl(&stuff->grabWindow, n);
swapl(&stuff->time, n);
swaps(&stuff->event_count, n);
p = (long *)&stuff[1];
for (i = 0; i < stuff->event_count; i++) {
swapl(p, n);
p++;
}
if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
return BadLength;
SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
return (ProcXGrabDevice(client));
}

10
xserver/Xi/grabdevb.c
View File

@ -80,8 +80,6 @@ int
SProcXGrabDeviceButton(ClientPtr client)
{
char n;
long *p;
int i;
REQUEST(xGrabDeviceButtonReq);
swaps(&stuff->length, n);
@ -89,11 +87,9 @@ SProcXGrabDeviceButton(ClientPtr client)
swapl(&stuff->grabWindow, n);
swaps(&stuff->modifiers, n);
swaps(&stuff->event_count, n);
p = (long *)&stuff[1];
for (i = 0; i < stuff->event_count; i++) {
swapl(p, n);
p++;
}
REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
stuff->event_count * sizeof(CARD32));
SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
return (ProcXGrabDeviceButton(client));
}

9
xserver/Xi/grabdevk.c
View File

@ -80,8 +80,6 @@ int
SProcXGrabDeviceKey(ClientPtr client)
{
char n;
long *p;
int i;
REQUEST(xGrabDeviceKeyReq);
swaps(&stuff->length, n);
@ -89,11 +87,8 @@ SProcXGrabDeviceKey(ClientPtr client)
swapl(&stuff->grabWindow, n);
swaps(&stuff->modifiers, n);
swaps(&stuff->event_count, n);
p = (long *)&stuff[1];
for (i = 0; i < stuff->event_count; i++) {
swapl(p, n);
p++;
}
REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
return (ProcXGrabDeviceKey(client));
}

11
xserver/Xi/selectev.c
View File

@ -131,19 +131,16 @@ int
SProcXSelectExtensionEvent(ClientPtr client)
{
char n;
long *p;
int i;
REQUEST(xSelectExtensionEventReq);
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
swapl(&stuff->window, n);
swaps(&stuff->count, n);
p = (long *)&stuff[1];
for (i = 0; i < stuff->count; i++) {
swapl(p, n);
p++;
}
REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
stuff->count * sizeof(CARD32));
SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
return (ProcXSelectExtensionEvent(client));
}

14
xserver/Xi/sendexev.c
View File

@ -83,7 +83,7 @@ int
SProcXSendExtensionEvent(ClientPtr client)
{
char n;
long *p;
CARD32 *p;
int i;
xEvent eventT;
xEvent *eventP;
@ -94,6 +94,11 @@ SProcXSendExtensionEvent(ClientPtr client)
REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
swapl(&stuff->destination, n);
swaps(&stuff->count, n);
if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
(stuff->num_events * (sizeof(xEvent) >> 2)))
return BadLength;
eventP = (xEvent *) & stuff[1];
for (i = 0; i < stuff->num_events; i++, eventP++) {
proc = EventSwapVector[eventP->u.u.type & 0177];
@ -103,11 +108,8 @@ SProcXSendExtensionEvent(ClientPtr client)
*eventP = eventT;
}
p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
for (i = 0; i < stuff->count; i++) {
swapl(p, n);
p++;
}
p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
SwapLongs(p, stuff->count);
return (ProcXSendExtensionEvent(client));
}