followup for libX11 XKB security fixes
Alan Coopersmith
alan.coopersmith at oracle.com
Thu May 23 11:33:13 PDT 2013
I'd originally coded all the checks for xkb->max_key_code, then in testing
found that because Xlib accesses the xkb->max_key_code'th entry of the array,
it needed to be xkb->max_key_code + 1, and I updated the checks - I guess I
missed those two. Sorry about that.
Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
On 05/23/13 10:26 AM, Julien Cristau wrote:
> Hi,
>
> I noticed some inconsistencies in the XKB security changes in Xlib.
> Resending to the public list now that the embargo is lifted.
>
> Here's another change I think is necessary:
>
> diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
> index 0875dfd..c73e655 100644
> --- a/src/xkb/XKBGetMap.c
> +++ b/src/xkb/XKBGetMap.c
> @@ -426,7 +426,7 @@ XkbServerMapPtr srv;
>
> if ( rep->totalVModMapKeys>0 ) {
> if (((int) rep->firstVModMapKey + rep->nVModMapKeys)
> - > xkb->max_key_code)
> + > xkb->max_key_code + 1)
> return BadLength;
> if (((xkb->server==NULL)||(xkb->server->vmodmap==NULL))&&
> (XkbAllocServerMap(xkb,XkbVirtualModMapMask,0)!=Success)) {
> diff --git a/src/xkb/XKBNames.c b/src/xkb/XKBNames.c
> index 6faef02..6df7406 100644
> --- a/src/xkb/XKBNames.c
> +++ b/src/xkb/XKBNames.c
> @@ -180,7 +180,7 @@ _XkbReadGetNamesReply( Display * dpy,
> nKeys= xkb->max_key_code+1;
> names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec);
> }
> - else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code)
> + if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code + 1)
> goto BAILOUT;
> if (names->keys!=NULL) {
> if (!_XkbCopyFromReadBuffer(&buf,
>
> This makes the checks against max_key_code consistent, and means the
> GetNames reply gets checked even when names->keys was just allocated.
> Running 'xset q' here under xtrace shows GetNames returning firstKey=8
> nKeys=248, which would trip the original check with maxKeyCode=255.
> GetMap seems to return firstVModMapKey=0 nVModMapKeys=0
> totalVModMapKeys=0 though, so I don't know how to trigger the first
> check.
>
> Cheers,
> Julien
>
--
-Alan Coopersmith- alan.coopersmith at oracle.com
Oracle Solaris Engineering - http://blogs.oracle.com/alanc
More information about the xorg-devel
mailing list