shm: limit data accessed by ClientMemOffset

src/ifs/jay_input.rs

@@ -197,14 +197,15 @@ impl JayInput {
     where
         F: FnOnce(&Rc<KbvmMap>) -> Result<(), JayInputError>,
     {
+        let len = len as _;
         let cm = Rc::new(ClientMem::new_private(
             keymap,
-            len as _,
+            len,
             true,
             Some(&self.client),
             None,
         )?)
-        .offset(0);
+        .offset(0, len);
         let mut map = vec![];
         cm.read(&mut map)?;
         self.or_error(|| {

src/ifs/wl_buffer.rs

@@ -147,7 +147,8 @@ impl WlBuffer {
         if required > mem.len() as u64 {
             return Err(WlBufferError::OutOfBounds);
         }
-        let mem = Rc::new(mem.offset(offset));
+        let size = bytes as usize;
+        let mem = Rc::new(mem.offset(offset, size));
         let min_row_size = width as u64 * format.bpp as u64;
         if (stride as u64) < min_row_size {
             return Err(WlBufferError::StrideTooSmall);
@@ -155,7 +156,7 @@ impl WlBuffer {
         let udmabuf_impossible = !mem.pool().is_sealed_memfd();
         let dmabuf_buffer_params = match udmabuf {
             None => DmabufBufferParams {
-                size: bytes as usize,
+                size,
                 udmabuf: None,
                 udmabuf_offset: 0,
                 udmabuf_size: 0,

src/ifs/wl_seat/zwp_virtual_keyboard_v1.rs

@@ -58,18 +58,13 @@ impl ZwpVirtualKeyboardV1RequestHandler for ZwpVirtualKeyboardV1 {
         if req.size > MAX_SIZE {
             return Err(ZwpVirtualKeyboardV1Error::OversizedKeymap);
         }
-        let client_mem = ClientMem::new_private(
-            &req.fd,
-            req.size as usize - 1,
-            true,
-            Some(&self.client),
-            None,
-        )
-        .map(Rc::new)
-        .map_err(ZwpVirtualKeyboardV1Error::MapKeymap)?;
+        let size = req.size as usize - 1;
+        let client_mem = ClientMem::new_private(&req.fd, size, true, Some(&self.client), None)
+            .map(Rc::new)
+            .map_err(ZwpVirtualKeyboardV1Error::MapKeymap)?;
         let mut map = vec![];
         client_mem
-            .offset(0)
+            .offset(0, size)
             .read(&mut map)
             .map_err(ZwpVirtualKeyboardV1Error::ReadKeymap)?;
         let map = self

src/ifs/zwlr_gamma_control_v1.rs

@@ -111,22 +111,21 @@ impl ZwlrGammaControlV1RequestHandler for ZwlrGammaControlV1 {
             return Ok(());
         };
 
-        // 3 color channels
-        let data_size = gamma_lut_size * 3;
+        // 3 color channels of u16
+        let data_size = size_of::<u16>() * (3 * gamma_lut_size) as usize;
 
         let mut gamma_lut = vec![];
         Rc::new(ClientMem::new_private(
             &req.fd,
-            (2 * data_size) as _,
+            data_size,
             true,
             Some(&self.client),
             None,
         )?)
-        .offset(0)
+        .offset(0, data_size)
         .read(&mut gamma_lut)?;
-        let gamma_lut = &gamma_lut[..data_size as _];
 
-        let gamma_lut = wayland_gamma_lut_to_drm_gamma_lut(gamma_lut);
+        let gamma_lut = wayland_gamma_lut_to_drm_gamma_lut(&gamma_lut);
         let gamma_lut = Rc::new(BackendGammaLut::new(gamma_lut));
         if node.set_gamma_lut(Some(gamma_lut)).is_err() {
             fail();