From dd5e0f5cd5f3a87fee86d99c073ffa7cf89b0a27 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb
Date: Thu, 17 Jan 2008 15:27:34 +0100
Subject: [PATCH] Fix for CVE-2007-6427 - Xinput extension memory corruption.
---
 Xi/chgfctl.c | 7 +------
 Xi/chgkmap.c | 14 +++++++-------
 Xi/chgprop.c | 10 +++-------
 Xi/grabdev.c | 12 +++++-------
 Xi/grabdevb.c | 10 +++-------
 Xi/grabdevk.c | 9 ++-------
 Xi/selectev.c | 11 ++++-------
 Xi/sendexev.c | 14 ++++++++------
 8 files changed, 33 insertions(+), 54 deletions(-)
diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
index 8fc24d5..696b74a 100644
--- a/Xi/chgfctl.c
+++ b/Xi/chgfctl.c
@@ -302,18 +302,13 @@ ChangeStringFeedback(ClientPtr client, DeviceIntPtr dev,
 xStringFeedbackCtl * f)
 {
 char n;
- long *p;
 int i, j;
 KeySym *syms, *sup_syms;
 syms = (KeySym *) (f + 1);
 if (client->swapped) {
 swaps(&f->length, n); /* swapped num_keysyms in calling proc */
- p = (long *)(syms);
- for (i = 0; i < f->num_keysyms; i++) {
- swapl(p, n);
- p++;
- }
+ SwapLongs((CARD32 *) syms, f->num_keysyms);
 }
 if (f->num_keysyms > s->ctrl.max_symbols)
diff --git a/Xi/chgkmap.c b/Xi/chgkmap.c
index 3361e98..df334c1 100644
--- a/Xi/chgkmap.c
+++ b/Xi/chgkmap.c
@@ -75,18 +75,14 @@ int
 SProcXChangeDeviceKeyMapping(ClientPtr client)
 {
 char n;
- long *p;
- int i, count;
+ unsigned int count;
 REQUEST(xChangeDeviceKeyMappingReq);
 swaps(&stuff->length, n);
 REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
- p = (long *)&stuff[1];
 count = stuff->keyCodes * stuff->keySymsPerKeyCode;
- for (i = 0; i < count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), count);
 return (ProcXChangeDeviceKeyMapping(client));
 }
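Review bot: `SwapLongs((CARD32 *) syms, f->num_keysyms)` in ChangeStringFeedback still runs with no length check in this function, and the only bound visible here, `f->num_keysyms > s->ctrl.max_symbols`, is tested after the swap. The existing comment says num_keysyms was swapped in the calling proc, so the caller presumably also compares it with the request length, but that is not visible in this hunk. Once confirmed against the caller, I would record the dependency next to the call, e.g. `/* caller has already checked num_keysyms against the request length */`. The function body continues outside the hunk.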
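Review bot: Nothing in SProcXChangeDeviceKeyMapping says why `count = stuff->keyCodes * stuff->keySymsPerKeyCode` cannot wrap before it is used in `REQUEST_FIXED_SIZE` and `SwapLongs`. If both fields are 8-bit, as I believe they are in the XInput protocol headers, the product is bounded and `count * sizeof(CARD32)` is safe, but the field types are not visible in the patch. A comment such as `/* keyCodes and keySymsPerKeyCode are CARD8, so count <= 255 * 255 */` would make that explicit. The same two lines are repeated in ProcXChangeDeviceKeyMapping in the next hunk, so the comment applies there as well.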
@@ -102,10 +98,14 @@ ProcXChangeDeviceKeyMapping(ClientPtr client)
 int ret;
 unsigned len;
 DeviceIntPtr dev;
+ unsigned int count;
 REQUEST(xChangeDeviceKeyMappingReq);
 REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
+ count = stuff->keyCodes * stuff->keySymsPerKeyCode;
+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
+
 ret = dixLookupDevice(&dev, stuff->deviceid, client, DixSetAttrAccess);
 if (ret != Success)
 return ret;
diff --git a/Xi/chgprop.c b/Xi/chgprop.c
index 58db886..3fb33e1 100644
--- a/Xi/chgprop.c
+++ b/Xi/chgprop.c
@@ -77,19 +77,15 @@ int
 SProcXChangeDeviceDontPropagateList(ClientPtr client)
 {
 char n;
- long *p;
- int i;
 REQUEST(xChangeDeviceDontPropagateListReq);
 swaps(&stuff->length, n);
 REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
 swapl(&stuff->window, n);
 swaps(&stuff->count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
+ stuff->count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
 return (ProcXChangeDeviceDontPropagateList(client));
 }
diff --git a/Xi/grabdev.c b/Xi/grabdev.c
index 110fc6b..0671e0e 100644
--- a/Xi/grabdev.c
+++ b/Xi/grabdev.c
@@ -78,8 +78,6 @@ int
 SProcXGrabDevice(ClientPtr client)
 {
 char n;
- long *p;
- int i;
 REQUEST(xGrabDeviceReq);
 swaps(&stuff->length, n);
@@ -87,11 +85,11 @@ SProcXGrabDevice(ClientPtr client)
 swapl(&stuff->grabWindow, n);
 swapl(&stuff->time, n);
 swaps(&stuff->event_count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->event_count; i++) {
- swapl(p, n);
- p++;
- }
+
+ if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
+ return BadLength;
+
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
 return (ProcXGrabDevice(client));
 }
diff --git a/Xi/grabdevb.c b/Xi/grabdevb.c
index c2661e8..ce0dcc5 100644
--- a/Xi/grabdevb.c
+++ b/Xi/grabdevb.c
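Review bot: Only the byte-swapped entry point gets a length check in chgprop.c: `REQUEST_FIXED_SIZE` is added to SProcXChangeDeviceDontPropagateList, while ProcXChangeDeviceDontPropagateList, which clients in native byte order reach directly, is not touched by this patch. chgkmap.c adds the check to both handlers, but grabdev.c, grabdevb.c, grabdevk.c, selectev.c and sendexev.c follow the chgprop.c pattern. If each Proc handler already compares `stuff->count` (or `event_count`) with the request length before reading the trailing list, a short comment in the SProc function would document that, e.g. `/* the Proc handler repeats this length check for unswapped clients */`. If any of them does not, the same check belongs there too.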
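Review bot: The new guard in SProcXGrabDevice compares against `stuff->length`, the header field supplied by the client, whereas the other handlers in this commit use `REQUEST_FIXED_SIZE`, which to my knowledge checks the dispatcher's `client->req_len`. For consistency I would write it as `REQUEST_FIXED_SIZE(xGrabDeviceReq, stuff->event_count * sizeof(CARD32));`. sendexev.c uses the same hand-written comparison and could become `REQUEST_FIXED_SIZE(xSendExtensionEventReq, stuff->count * sizeof(CARD32) + stuff->num_events * sizeof(xEvent));`.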
@@ -77,8 +77,6 @@ int
 SProcXGrabDeviceButton(ClientPtr client)
 {
 char n;
- long *p;
- int i;
 REQUEST(xGrabDeviceButtonReq);
 swaps(&stuff->length, n);
@@ -86,11 +84,9 @@ SProcXGrabDeviceButton(ClientPtr client)
 swapl(&stuff->grabWindow, n);
 swaps(&stuff->modifiers, n);
 swaps(&stuff->event_count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->event_count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
+ stuff->event_count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
 return (ProcXGrabDeviceButton(client));
 }
diff --git a/Xi/grabdevk.c b/Xi/grabdevk.c
index 43b1928..d4b7fe8 100644
--- a/Xi/grabdevk.c
+++ b/Xi/grabdevk.c
@@ -77,8 +77,6 @@ int
 SProcXGrabDeviceKey(ClientPtr client)
 {
 char n;
- long *p;
- int i;
 REQUEST(xGrabDeviceKeyReq);
 swaps(&stuff->length, n);
@@ -86,11 +84,8 @@ SProcXGrabDeviceKey(ClientPtr client)
 swapl(&stuff->grabWindow, n);
 swaps(&stuff->modifiers, n);
 swaps(&stuff->event_count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->event_count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
 return (ProcXGrabDeviceKey(client));
 }
diff --git a/Xi/selectev.c b/Xi/selectev.c
index b93618a..d3670ab 100644
--- a/Xi/selectev.c
+++ b/Xi/selectev.c
@@ -127,19 +127,16 @@ int
 SProcXSelectExtensionEvent(ClientPtr client)
 {
 char n;
- long *p;
- int i;
 REQUEST(xSelectExtensionEventReq);
 swaps(&stuff->length, n);
 REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
 swapl(&stuff->window, n);
 swaps(&stuff->count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
+ stuff->count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
+
 return (ProcXSelectExtensionEvent(client));
 }
diff --git a/Xi/sendexev.c b/Xi/sendexev.c
index e4e38d7..588c910 100644
--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
@@ -80,7 +80,7 @@ int
 SProcXSendExtensionEvent(ClientPtr client)
 {
 char n;
- long *p;
+ CARD32 *p;
 int i;
 xEvent eventT;
 xEvent *eventP;
@@ -91,6 +91,11 @@ SProcXSendExtensionEvent(ClientPtr client)
 REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
 swapl(&stuff->destination, n);
 swaps(&stuff->count, n);
+
+ if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
+ (stuff->num_events * (sizeof(xEvent) >> 2)))
+ return BadLength;
+
 eventP = (xEvent *) & stuff[1];
 for (i = 0; i < stuff->num_events; i++, eventP++) {
 proc = EventSwapVector[eventP->u.u.type & 0177];
@@ -100,11 +105,8 @@ SProcXSendExtensionEvent(ClientPtr client)
 *eventP = eventT;
 }
- p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
- for (i = 0; i < stuff->count; i++) {
- swapl(p, n);
- p++;
- }
+ p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
+ SwapLongs(p, stuff->count);
 return (ProcXSendExtensionEvent(client));
 }
--
1.5.3.6