kossLAN/wry
1
0
Fork 0
forked from wry/wry
Code Pull requests Activity

shm: limit data accessed by ClientMemOffset

Browse source
This commit is contained in:
Julian Orth 2026-02-27 20:06:22 +01:00
parent 3f70242d32
commit 518095c7c2
7 changed files with 24 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

7
src/cli/input.rs
View file

@ -427,10 +427,9 @@ impl Input {
async fn handle_keymap(&self, input: JayInputId) -> Vec<u8> { async fn handle_keymap(&self, input: JayInputId) -> Vec<u8> {
let data = Rc::new(RefCell::new(Vec::new())); let data = Rc::new(RefCell::new(Vec::new()));
jay_input::Keymap::handle(&self.tc, input, data.clone(), |d, map| { jay_input::Keymap::handle(&self.tc, input, data.clone(), |d, map| {
let mem = Rc::new( let len = map.keymap_len as _;
ClientMem::new_private(&map.keymap, map.keymap_len as _, true, None, None).unwrap(), let mem = Rc::new(ClientMem::new_private(&map.keymap, len, true, None, None).unwrap())
) .offset(0, len);
.offset(0);
mem.read(d.borrow_mut().deref_mut()).unwrap(); mem.read(d.borrow_mut().deref_mut()).unwrap();
}); });
self.tc.round_trip().await; self.tc.round_trip().await;

4
src/clientmem.rs
View file

@ -131,12 +131,12 @@ impl ClientMem {
self.data.len() self.data.len()
} }
pub fn offset(self: &Rc<Self>, offset: usize) -> ClientMemOffset { pub fn offset(self: &Rc<Self>, offset: usize, len: usize) -> ClientMemOffset {
let mem = unsafe { &*self.data }; let mem = unsafe { &*self.data };
ClientMemOffset { ClientMemOffset {
mem: self.clone(), mem: self.clone(),
offset, offset,
data: &mem[offset..], data: &mem[offset..][..len],
} }
} }

5
src/ifs/jay_input.rs
View file

@ -197,14 +197,15 @@ impl JayInput {
where where
F: FnOnce(&Rc<KbvmMap>) -> Result<(), JayInputError>, F: FnOnce(&Rc<KbvmMap>) -> Result<(), JayInputError>,
{ {
let len = len as _;
let cm = Rc::new(ClientMem::new_private( let cm = Rc::new(ClientMem::new_private(
keymap, keymap,
len as _, len,
true, true,
Some(&self.client), Some(&self.client),
None, None,
)?) )?)
.offset(0); .offset(0, len);
let mut map = vec![]; let mut map = vec![];
cm.read(&mut map)?; cm.read(&mut map)?;
self.or_error(|| { self.or_error(|| {

5
src/ifs/wl_buffer.rs
View file

@ -147,7 +147,8 @@ impl WlBuffer {
if required > mem.len() as u64 { if required > mem.len() as u64 {
return Err(WlBufferError::OutOfBounds); return Err(WlBufferError::OutOfBounds);
} }
let mem = Rc::new(mem.offset(offset)); let size = bytes as usize;
let mem = Rc::new(mem.offset(offset, size));
let min_row_size = width as u64 * format.bpp as u64; let min_row_size = width as u64 * format.bpp as u64;
if (stride as u64) < min_row_size { if (stride as u64) < min_row_size {
return Err(WlBufferError::StrideTooSmall); return Err(WlBufferError::StrideTooSmall);
@ -155,7 +156,7 @@ impl WlBuffer {
let udmabuf_impossible = !mem.pool().is_sealed_memfd(); let udmabuf_impossible = !mem.pool().is_sealed_memfd();
let dmabuf_buffer_params = match udmabuf { let dmabuf_buffer_params = match udmabuf {
None => DmabufBufferParams { None => DmabufBufferParams {
size: bytes as usize, size,
udmabuf: None, udmabuf: None,
udmabuf_offset: 0, udmabuf_offset: 0,
udmabuf_size: 0, udmabuf_size: 0,

15
src/ifs/wl_seat/zwp_virtual_keyboard_v1.rs
View file

@ -58,18 +58,13 @@ impl ZwpVirtualKeyboardV1RequestHandler for ZwpVirtualKeyboardV1 {
if req.size > MAX_SIZE { if req.size > MAX_SIZE {
return Err(ZwpVirtualKeyboardV1Error::OversizedKeymap); return Err(ZwpVirtualKeyboardV1Error::OversizedKeymap);
} }
let client_mem = ClientMem::new_private( let size = req.size as usize - 1;
&req.fd, let client_mem = ClientMem::new_private(&req.fd, size, true, Some(&self.client), None)
req.size as usize - 1, .map(Rc::new)
true, .map_err(ZwpVirtualKeyboardV1Error::MapKeymap)?;
Some(&self.client),
None,
)
.map(Rc::new)
.map_err(ZwpVirtualKeyboardV1Error::MapKeymap)?;
let mut map = vec![]; let mut map = vec![];
client_mem client_mem
.offset(0) .offset(0, size)
.read(&mut map) .read(&mut map)
.map_err(ZwpVirtualKeyboardV1Error::ReadKeymap)?; .map_err(ZwpVirtualKeyboardV1Error::ReadKeymap)?;
let map = self let map = self

11
src/ifs/zwlr_gamma_control_v1.rs
View file

@ -111,22 +111,21 @@ impl ZwlrGammaControlV1RequestHandler for ZwlrGammaControlV1 {
return Ok(()); return Ok(());
}; };
// 3 color channels // 3 color channels of u16
let data_size = gamma_lut_size * 3; let data_size = size_of::<u16>() * (3 * gamma_lut_size) as usize;
let mut gamma_lut = vec![]; let mut gamma_lut = vec![];
Rc::new(ClientMem::new_private( Rc::new(ClientMem::new_private(
&req.fd, &req.fd,
(2 * data_size) as _, data_size,
true, true,
Some(&self.client), Some(&self.client),
None, None,
)?) )?)
.offset(0) .offset(0, data_size)
.read(&mut gamma_lut)?; .read(&mut gamma_lut)?;
let gamma_lut = &gamma_lut[..data_size as _];
let gamma_lut = wayland_gamma_lut_to_drm_gamma_lut(gamma_lut); let gamma_lut = wayland_gamma_lut_to_drm_gamma_lut(&gamma_lut);
let gamma_lut = Rc::new(BackendGammaLut::new(gamma_lut)); let gamma_lut = Rc::new(BackendGammaLut::new(gamma_lut));
if node.set_gamma_lut(Some(gamma_lut)).is_err() { if node.set_gamma_lut(Some(gamma_lut)).is_err() {
fail(); fail();

5
src/it/tests/t0040_virtual_keyboard.rs
View file

@ -149,8 +149,9 @@ async fn test(run: Rc<TestRun>) -> TestResult {
} }
fn read_keymap(fd: &Rc<OwnedFd>, size: usize) -> String { fn read_keymap(fd: &Rc<OwnedFd>, size: usize) -> String {
let client_mem = ClientMem::new_private(fd, size - 1, true, None, None).unwrap(); let size = size - 1;
let client_mem = Rc::new(client_mem).offset(0); let client_mem = ClientMem::new_private(fd, size, true, None, None).unwrap();
let client_mem = Rc::new(client_mem).offset(0, size);
let mut v = vec![]; let mut v = vec![];
client_mem.read(&mut v).unwrap(); client_mem.read(&mut v).unwrap();
v.as_bstr().to_string() v.as_bstr().to_string()