Skip to content

Commit

Permalink
xkbcomp: fix crashes in the parser when geometry tokens appear
Browse files Browse the repository at this point in the history 
In the XKB format, floats and various keywords can only be used in the
xkb_geometry section. xkbcommon removed support xkb_geometry, but still
parses it for backward compatibility. As part of ignoring it, the float
AST node and various keywords were removed, and instead NULL was
returned by their parsing actions. However, the rest of the code does
not handle NULLs, and so when they appear crashes usually ensue.

To fix this, restore the float AST node and the ignored keywords. None
of the evaluating code expects them, so nice error are displayed.

Caught with the afl fuzzer.

Signed-off-by: Ran Benita <ran234@gmail.com>
  • Loading branch information
@bluetech
bluetech committed Jul 30, 2018
1 parent 1f9d124 commit e3cacae
Show file tree
Hide file tree
Showing 4 changed files with 23 additions and 5 deletions.
8 changes: 8 additions & 0 deletions src/xkbcomp/ast-build.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -105,6 +105,13 @@ ExprCreateInteger(int ival)
return expr;
}

ExprDef *
ExprCreateFloat(void)
{
EXPR_CREATE(ExprFloat, expr, EXPR_VALUE, EXPR_TYPE_FLOAT);
return expr;
}

ExprDef *
ExprCreateBoolean(bool set)
{
Expand Down Expand Up @@ -783,6 +790,7 @@ static const char *expr_value_type_strings[_EXPR_TYPE_NUM_VALUES] = {
[EXPR_TYPE_UNKNOWN] = "unknown",
[EXPR_TYPE_BOOLEAN] = "boolean",
[EXPR_TYPE_INT] = "int",
[EXPR_TYPE_FLOAT] = "float",
[EXPR_TYPE_STRING] = "string",
[EXPR_TYPE_ACTION] = "action",
[EXPR_TYPE_KEYNAME] = "keyname",
Expand Down
3 changes: 3 additions & 0 deletions src/xkbcomp/ast-build.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,9 @@ ExprCreateString(xkb_atom_t str);
ExprDef *
ExprCreateInteger(int ival);

ExprDef *
ExprCreateFloat(void);

ExprDef *
ExprCreateBoolean(bool set);

Expand Down
7 changes: 7 additions & 0 deletions src/xkbcomp/ast.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,7 @@ enum expr_value_type {
EXPR_TYPE_UNKNOWN = 0,
EXPR_TYPE_BOOLEAN,
EXPR_TYPE_INT,
EXPR_TYPE_FLOAT,
EXPR_TYPE_STRING,
EXPR_TYPE_ACTION,
EXPR_TYPE_KEYNAME,
Expand Down Expand Up @@ -186,6 +187,12 @@ typedef struct {
int ival;
} ExprInteger;

typedef struct {
ExprCommon expr;
/* We don't support floats, but we still represnt them in the AST, in
* order to provide proper error messages. */
} ExprFloat;

typedef struct {
ExprCommon expr;
xkb_atom_t key_name;
Expand Down
10 changes: 5 additions & 5 deletions src/xkbcomp/parser.y
View file
Original file line number Diff line number Diff line change
Expand Up @@ -591,13 +591,13 @@ Element : ACTION_TOK
| INDICATOR
{ $$ = xkb_atom_intern_literal(param->ctx, "indicator"); }
| SHAPE
{ $$ = XKB_ATOM_NONE; }
{ $$ = xkb_atom_intern_literal(param->ctx, "shape"); }
| ROW
{ $$ = XKB_ATOM_NONE; }
{ $$ = xkb_atom_intern_literal(param->ctx, "row"); }
| SECTION
{ $$ = XKB_ATOM_NONE; }
{ $$ = xkb_atom_intern_literal(param->ctx, "section"); }
| TEXT
{ $$ = XKB_ATOM_NONE; }
{ $$ = xkb_atom_intern_literal(param->ctx, "text"); }
;

OptMergeMode : MergeMode { $$ = $1; }
Expand Down Expand Up @@ -687,7 +687,7 @@ Terminal : String
| Integer
{ $$ = ExprCreateInteger($1); }
| Float
{ $$ = NULL; }
{ $$ = ExprCreateFloat(/* Discard $1 */); }
| KEYNAME
{ $$ = ExprCreateKeyName($1); }
;
Expand Down

1 comment on commit e3cacae

@msmeissn
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CVE-2018-15854.

Please sign in to comment.