Changeset View
Changeset View
Standalone View
Standalone View
files/Fix-size-calculation-in-_XimAttributeToValue.patch
- This file was added.
| From 93fce3f4e79cbc737d6468a4f68ba3de1b83953b Mon Sep 17 00:00:00 2001 | |||||
| From: Yichao Yu <yyc1992@gmail.com> | |||||
| Date: Sun, 2 Aug 2020 13:43:58 -0400 | |||||
| Subject: [PATCH] Fix size calculation in `_XimAttributeToValue`. | |||||
| The check here guards the read below. | |||||
| For `XimType_XIMStyles`, these are `num` of `CARD32` and for `XimType_XIMHotKeyTriggers` | |||||
| these are `num` of `XIMTRIGGERKEY` ref[1] which is defined as 3 x `CARD32`. | |||||
| (There are data after the `XIMTRIGGERKEY` according to the spec but they are not read by this | |||||
| function and doesn't need to be checked.) | |||||
| The old code here used the native datatype size instead of the wire protocol size causing | |||||
| the check to always fail. | |||||
| Also fix the size calculation for the header (size). It is 2 x CARD16 for both types | |||||
| despite the unused `CARD16` for `XimType_XIMStyles`. | |||||
| [1] https://www.x.org/releases/X11R7.6/doc/libX11/specs/XIM/xim.html#Input_Method_Styles | |||||
| This fixes a regression caused by 388b303c62aa35a245f1704211a023440ad2c488 in 1.6.10. | |||||
| Fix #116 | |||||
| --- | |||||
| modules/im/ximcp/imRmAttr.c | 4 ++-- | |||||
| 1 file changed, 2 insertions(+), 2 deletions(-) | |||||
| diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c | |||||
| index 2491908e..919c5564 100644 | |||||
| --- a/modules/im/ximcp/imRmAttr.c | |||||
| +++ b/modules/im/ximcp/imRmAttr.c | |||||
| @@ -265,7 +265,7 @@ _XimAttributeToValue( | |||||
| if (num > (USHRT_MAX / sizeof(XIMStyle))) | |||||
| return False; | |||||
| - if ((sizeof(num) + (num * sizeof(XIMStyle))) > data_len) | |||||
| + if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len) | |||||
| return False; | |||||
| alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num; | |||||
| if (alloc_len < sizeof(XIMStyles)) | |||||
| @@ -379,7 +379,7 @@ _XimAttributeToValue( | |||||
| if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger))) | |||||
| return False; | |||||
| - if ((sizeof(num) + (num * sizeof(XIMHotKeyTrigger))) > data_len) | |||||
| + if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len) | |||||
| return False; | |||||
| alloc_len = sizeof(XIMHotKeyTriggers) | |||||
| + sizeof(XIMHotKeyTrigger) * num; | |||||
| -- | |||||
| GitLab | |||||
Copyright © 2015-2021 Solus Project. The Solus logo is Copyright © 2016-2021 Solus Project. All Rights Reserved.