Ray Strode
parent
fcb1551174
commit
3ef73b1463
|
|
@ -0,0 +1,118 @@
|
|||
From 36bcef5e5fd175e95ed4e0a014f6b1d8598b719d Mon Sep 17 00:00:00 2001
|
||||
From: Ray Strode <rstrode@redhat.com>
|
||||
Date: Mon, 4 Oct 2021 14:27:54 -0400
|
||||
Subject: [PATCH] xkb: Drop check for XkbSetMapResizeTypes
|
||||
|
||||
Commit 446ff2d3177087b8173fa779fa5b77a2a128988b added checks to
|
||||
prevalidate the size of incoming SetMap requests.
|
||||
|
||||
That commit checks for the XkbSetMapResizeTypes flag to be set before
|
||||
allowing key types data to be processed.
|
||||
|
||||
key types data can be changed or even just sent wholesale unchanged
|
||||
without the number of key types changing, however. The check for
|
||||
XkbSetMapResizeTypes rejects those legitimate requests. In particular,
|
||||
XkbChangeMap never sets XkbSetMapResizeTypes and so always fails now
|
||||
any time XkbKeyTypesMask is in the changed mask.
|
||||
|
||||
This commit drops the check for XkbSetMapResizeTypes in flags when
|
||||
prevalidating the request length.
|
||||
---
|
||||
xkb/xkb.c | 26 ++++++++++++--------------
|
||||
1 file changed, 12 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/xkb/xkb.c b/xkb/xkb.c
|
||||
index 183d6ffa1..62dee9cb6 100644
|
||||
--- a/xkb/xkb.c
|
||||
+++ b/xkb/xkb.c
|
||||
@@ -2378,75 +2378,73 @@ SetVirtualModMap(XkbSrvInfoPtr xkbi,
|
||||
}
|
||||
changes->map.first_vmodmap_key = first;
|
||||
changes->map.num_vmodmap_keys = (last - first) + 1;
|
||||
}
|
||||
return (char *) wire;
|
||||
}
|
||||
|
||||
#define _add_check_len(new) \
|
||||
if (len > UINT32_MAX - (new) || len > req_len - (new)) goto bad; \
|
||||
else len += new
|
||||
|
||||
/**
|
||||
* Check the length of the SetMap request
|
||||
*/
|
||||
static int
|
||||
_XkbSetMapCheckLength(xkbSetMapReq *req)
|
||||
{
|
||||
size_t len = sz_xkbSetMapReq, req_len = req->length << 2;
|
||||
xkbKeyTypeWireDesc *keytype;
|
||||
xkbSymMapWireDesc *symmap;
|
||||
BOOL preserve;
|
||||
int i, map_count, nSyms;
|
||||
|
||||
if (req_len < len)
|
||||
goto bad;
|
||||
/* types */
|
||||
if (req->present & XkbKeyTypesMask) {
|
||||
keytype = (xkbKeyTypeWireDesc *)(req + 1);
|
||||
for (i = 0; i < req->nTypes; i++) {
|
||||
_add_check_len(XkbPaddedSize(sz_xkbKeyTypeWireDesc));
|
||||
- if (req->flags & XkbSetMapResizeTypes) {
|
||||
- _add_check_len(keytype->nMapEntries
|
||||
- * sz_xkbKTSetMapEntryWireDesc);
|
||||
- preserve = keytype->preserve;
|
||||
- map_count = keytype->nMapEntries;
|
||||
- if (preserve) {
|
||||
- _add_check_len(map_count * sz_xkbModsWireDesc);
|
||||
- }
|
||||
- keytype += 1;
|
||||
- keytype = (xkbKeyTypeWireDesc *)
|
||||
- ((xkbKTSetMapEntryWireDesc *)keytype + map_count);
|
||||
- if (preserve)
|
||||
- keytype = (xkbKeyTypeWireDesc *)
|
||||
- ((xkbModsWireDesc *)keytype + map_count);
|
||||
+ _add_check_len(keytype->nMapEntries
|
||||
+ * sz_xkbKTSetMapEntryWireDesc);
|
||||
+ preserve = keytype->preserve;
|
||||
+ map_count = keytype->nMapEntries;
|
||||
+ if (preserve) {
|
||||
+ _add_check_len(map_count * sz_xkbModsWireDesc);
|
||||
}
|
||||
+ keytype += 1;
|
||||
+ keytype = (xkbKeyTypeWireDesc *)
|
||||
+ ((xkbKTSetMapEntryWireDesc *)keytype + map_count);
|
||||
+ if (preserve)
|
||||
+ keytype = (xkbKeyTypeWireDesc *)
|
||||
+ ((xkbModsWireDesc *)keytype + map_count);
|
||||
}
|
||||
}
|
||||
/* syms */
|
||||
if (req->present & XkbKeySymsMask) {
|
||||
symmap = (xkbSymMapWireDesc *)((char *)req + len);
|
||||
for (i = 0; i < req->nKeySyms; i++) {
|
||||
_add_check_len(sz_xkbSymMapWireDesc);
|
||||
nSyms = symmap->nSyms;
|
||||
_add_check_len(nSyms*sizeof(CARD32));
|
||||
symmap += 1;
|
||||
symmap = (xkbSymMapWireDesc *)((CARD32 *)symmap + nSyms);
|
||||
}
|
||||
}
|
||||
/* actions */
|
||||
if (req->present & XkbKeyActionsMask) {
|
||||
_add_check_len(req->totalActs * sz_xkbActionWireDesc
|
||||
+ XkbPaddedSize(req->nKeyActs));
|
||||
}
|
||||
/* behaviours */
|
||||
if (req->present & XkbKeyBehaviorsMask) {
|
||||
_add_check_len(req->totalKeyBehaviors * sz_xkbBehaviorWireDesc);
|
||||
}
|
||||
/* vmods */
|
||||
if (req->present & XkbVirtualModsMask) {
|
||||
_add_check_len(XkbPaddedSize(Ones(req->virtualMods)));
|
||||
}
|
||||
/* explicit */
|
||||
if (req->present & XkbExplicitComponentsMask) {
|
||||
/* two bytes per non-zero explicit componen */
|
||||
_add_check_len(XkbPaddedSize(req->totalKeyExplicit * sizeof(CARD16)));
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -46,7 +46,7 @@
|
|||
Summary: X.Org X11 X server
|
||||
Name: xorg-x11-server
|
||||
Version: 1.20.11
|
||||
Release: 3%{?gitdate:.%{gitdate}}%{?dist}
|
||||
Release: 4%{?gitdate:.%{gitdate}}%{?dist}
|
||||
URL: http://www.x.org
|
||||
License: MIT
|
||||
|
||||
|
|
@ -92,6 +92,9 @@ Patch5: 0001-autobind-GPUs-to-the-screen.patch
|
|||
# because the display-managers are not ready yet, do not upstream
|
||||
Patch6: 0001-Fedora-hack-Make-the-suid-root-wrapper-always-start-.patch
|
||||
|
||||
# https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/761
|
||||
Patch7: 0001-xkb-Drop-check-for-XkbSetMapResizeTypes.patch
|
||||
|
||||
# Backports from current stable "server-1.20-branch":
|
||||
# <empty>
|
||||
|
||||
|
|
@ -512,6 +515,10 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
|
|||
|
||||
|
||||
%changelog
|
||||
* Tue Oct 26 2021 Ray Strode <rstrode@redhat.com> - 1.20.11-4
|
||||
- Fix XkbChangeMap
|
||||
Resolves: #2009928
|
||||
|
||||
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.20.11-3
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
|
|
|||
Loading…
Reference in New Issue