xkb: proof GetCountedString against request length attacks

GetCountedString did a check for the whole string to be within the request buffer but not for the initial 2 bytes that contain the length field. A swapped client could send a malformed request to trigger a swaps() on those bytes, writing into random memory. Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2026-04-14 17:18:09 +00:00 · 2022-07-05 12:06:20 +10:00
parent 1bb7767f19
commit 11beef0b7f
1 changed files with 5 additions and 0 deletions
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
    CARD16 len;

    wire = *wire_inout;
+
+    if (client->req_len <
+        bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
+        return BadValue;
+
    len = *(CARD16 *) wire;
    if (client->swapped) {
        swaps(&len);