NXv3 (redistributed) https://cgit.arctica-project.org/nx-libs/atom?h=update-workflows 2015-04-22T04:22:37+00:00 2015-04-22T04:22:37+00:00 Mike Gabriel mike.gabriel@das-netzwerkteam.de 2015-04-14T07:24:55+00:00 urn:sha1:70b77a0fc329e2e205a596a738c7307d354e7b1c 2015-04-16T12:09:07+00:00 Mike Gabriel mike.gabriel@das-netzwerkteam.de 2015-04-15T07:58:01+00:00 urn:sha1:bad67799229b94ea2ba0174319949766ad1c2fc6 2015-02-16T05:03:48+00:00 Mihai Moldovan ionic@ionic.de 2015-02-16T05:03:48+00:00 urn:sha1:b04f11915e29d9563d279e1326f61b50ea414dba 2015-02-16T04:54:00+00:00 Mike DePaulo mikedep333@gmail.com 2015-02-09T02:03:33+00:00 urn:sha1:31322c2bd9be76493a5a04a23ea68e063fe3b7e6 The connection setup reply from the font server can include a list of alternate servers to contact if this font server stops working. The reply specifies a total size of all the font server names, and then provides a list of names. _fs_recv_conn_setup() allocated the specified total size for copying the names to, but didn't check to make sure it wasn't copying more data to that buffer than the size it had allocated. v2: use xfree() instead of free() for nx-libs 3.6.x (Mihai Moldovan) 2015-02-16T04:52:09+00:00 Mihai Moldovan ionic@ionic.de 2015-02-16T04:52:09+00:00 urn:sha1:c0d0e373d4c42c7813b1955fc18f5c9f63c725e0 This reverts commit 94c6de0649cd295044b1e4ff7265949c9c787519. 2015-02-16T04:47:25+00:00 Mike DePaulo mikedep333@gmail.com 2015-02-09T03:08:09+00:00 urn:sha1:e29bbd5bf0565eaf7c02f85a57b87f66531fa6b3 fs_read_query_info() parses a reply from the font server. The reply contains embedded length fields, none of which are validated. This can cause out of bound reads in either fs_read_query_info() or in _fs_convert_props() which it calls to parse the fsPropInfo in the reply. v2: apply correctly on nx-libs 3.6.x (Mihai Moldovan) 2015-02-16T04:26:40+00:00 Mihai Moldovan ionic@ionic.de 2015-02-16T04:26:40+00:00 urn:sha1:5fc2f57fb5520bb61e2c1f8b6fd2522b203b3b9d This reverts commit c6aebf9284855a0e24ad9c5ffdd36aa65e16bec7. 2015-02-14T15:14:31+00:00 Mike DePaulo mikedep333@gmail.com 2015-02-09T03:38:32+00:00 urn:sha1:b65259bf3bcca15b5069cb7a6c06f95a40f79813 fs_read_list_info() parses a reply from the font server. The reply contains a number of additional data items with embedded length or count fields, none of which are validated. This can cause out of bound reads when looping over these items in the reply. 2015-02-14T15:14:31+00:00 Mike DePaulo mikedep333@gmail.com 2015-02-09T03:35:21+00:00 urn:sha1:ef439da38d3a4c00a4e03e7d8f83cb359cd9a230 fs_read_list() parses a reply from the font server. The reply contains a list of strings with embedded length fields, none of which are validated. This can cause out of bound reads when looping over the strings in the reply. 2015-02-14T15:14:31+00:00 Mike DePaulo mikedep333@gmail.com 2015-02-09T03:27:47+00:00 urn:sha1:ece51493f1d970f45e53588e33a700464a42fbab fs_read_glyphs() parses a reply from the font server. The reply contains embedded length fields, none of which are validated. This can cause out of bound reads when looping over the glyph bitmaps in the reply.