mattkwan-zz / android-xserver

Automatically exported from code.google.com/p/android-xserver

Request length signed/unsigned type conflict could cause problems #11

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Java uses signed values for all types, the X protocol uses unsigned types.
2. If a request with length greater than 0x7fff is received, it will be 
interpreted as negative.
3. Lots of places in the code check that the request length is not smaller than 
a value.
4. If the value is negative it will send an error to the client when it should 
not.
5. Could cause any number of problems.

http://code.google.com/p/android-xserver/source/browse/XServer/src/au/com/darkside/XServer/Client.java#220

Change this line from:

_inputOutput.writeShort ((short) 0xffff); // Max request length.

to:

_inputOutput.writeShort ((short) 0x7fff); // Max request length.

This will prevent clients from sending too large requests. If this reduces 
performance, implement BIG-REQUEST extension:

After enabling BIG-REQUEST (need to assign it a major opcode, which will be 
negative in Java, >127 in the X protocol; reply to all requests with this opcode as 
in http://www.x.org/releases/X11R7.6/doc/bigreqsproto/bigreq.html),

http://code.google.com/p/android-xserver/source/browse/XServer/src/au/com/darkside/XServer/Client.java#244

check if this value is zero; if it is, read an integer from the next 4 bytes 
(this is all the extension does).

Original issue reported on code.google.com by comms.me...@gmail.com on 22 May 2012 at 3:39
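
An added example, not part of the original issue or the project's code: one way to parse the request header so that a length above 0x7fff is never seen as negative, including the zero-length case that BIG-REQUESTS extends with a 32-bit length. The class name, the MSB-first byte order, the `MAX_BIG_REQUEST_UNITS` cap and the choice to reject a zero length when the extension is off are assumptions made for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;

public class RequestLengthDemo {
    // Hypothetical cap, in 4-byte units, that the server would advertise.
    static final long MAX_BIG_REQUEST_UNITS = 1L << 22;

    /** Returns the number of bytes still to read after the request header. */
    static long remainingBytes(DataInputStream in, boolean bigRequests) throws IOException {
        in.readUnsignedByte();                  // major opcode as 0..255 (readByte() gives -128..127)
        in.readUnsignedByte();                  // opcode-specific data byte
        long units = in.readUnsignedShort();    // 0..65535, never negative
        int headerBytes = 4;
        if (units == 0) {
            if (!bigRequests)
                throw new IOException("zero request length without BIG-REQUESTS");
            units = in.readInt() & 0xFFFFFFFFL; // the 32-bit length is unsigned too
            headerBytes = 8;
            if (units > MAX_BIG_REQUEST_UNITS)
                throw new IOException("request exceeds advertised maximum");
        }
        long remaining = units * 4 - headerBytes; // lengths are counted in 4-byte units
        if (remaining < 0)
            throw new IOException("length shorter than header");
        return remaining;
    }

    public static void main(String[] args) throws IOException {
        // Constructed header: opcode 1, data 0, length field 0x8000.
        byte[] large = {1, 0, (byte) 0x80, 0x00};
        DataInputStream signed = new DataInputStream(new ByteArrayInputStream(large));
        signed.skipBytes(2);
        System.out.println("readShort():           " + signed.readShort());
        System.out.println("unsigned remaining:    "
            + remainingBytes(new DataInputStream(new ByteArrayInputStream(large)), false));

        // Constructed BIG-REQUESTS header: length field 0, then 32-bit length 0x00010000.
        byte[] big = {1, 0, 0, 0, 0x00, 0x01, 0x00, 0x00};
        System.out.println("big-request remaining: "
            + remainingBytes(new DataInputStream(new ByteArrayInputStream(big)), true));
    }
}
```

The first line printed shows the signed misreading of the same two bytes; the other two show the byte counts a bounds check should be compared against.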

GoogleCodeExporter commented 9 years ago
Fixed in release 1.11

Original comment by matti.k...@gmail.com on 25 Aug 2013 at 10:36