NXv3 (redistributed) https://cgit.arctica-project.org/nx-libs/atom?h=3.6.x 2015-04-22T04:22:37+00:00 2015-04-22T04:22:37+00:00 Mike Gabriel mike.gabriel@das-netzwerkteam.de 2015-04-14T07:24:55+00:00 urn:sha1:70b77a0fc329e2e205a596a738c7307d354e7b1c 2015-04-16T12:09:07+00:00 Mike Gabriel mike.gabriel@das-netzwerkteam.de 2015-04-15T07:58:01+00:00 urn:sha1:bad67799229b94ea2ba0174319949766ad1c2fc6 2015-02-16T09:29:36+00:00 Joerg Sonnenberger joerg@britannica.bec.de 2011-08-21T16:51:53+00:00 urn:sha1:65deb86f8dab0c88e051b5ac416b7907433aa849 It ensures that all valid input can be decompressed, checks that the overflow conditions doesn't happen and generally tightens the validation of the LZW stream and doesn't pessimize the inner loop for no good reason. It's derived from a change in libarchive from 2004. v2: backports to nx-libs 3.6.x (Mihai Moldovan) v3: fix comment lines starting with "+" + whitespace fixes (Mike Gabriel) Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> Reviewed-by: Tomas Hoger <thoger@redhat.com> 2015-02-16T09:29:14+00:00 Mike Gabriel mike.gabriel@das-netzwerkteam.de 2015-02-16T09:29:14+00:00 urn:sha1:18e337ddf410accec5bdf18c5d28bbd5f3ace7cb This reverts commit 6acafc9334828da22446380c81af81bde14b5d86. 2015-02-16T05:16:41+00:00 Joerg Sonnenberger joerg@britannica.bec.de 2011-08-21T16:51:53+00:00 urn:sha1:6acafc9334828da22446380c81af81bde14b5d86 It ensures that all valid input can be decompressed, checks that the overflow conditions doesn't happen and generally tightens the validation of the LZW stream and doesn't pessimize the inner loop for no good reason. It's derived from a change in libarchive from 2004. v2: backports to nx-libs 3.6.x (Mihai Moldovan) Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> Reviewed-by: Tomas Hoger <thoger@redhat.com> 2015-02-14T15:14:31+00:00 Mike DePaulo mikedep333@gmail.com 2015-02-09T01:53:14+00:00 urn:sha1:36f1dae749acb065eaefca56d42d19ef6822a001 lexAlias() reads from a file in a loop. It does this by starting with a 64 byte buffer. If that size limit is hit, it does a realloc of the buffer size << 1, basically doubling the needed length every time the length limit is hit. Eventually, this will shift out to 0 (for a length of ~4gig), and that length will be passed on to realloc(). A length of 0 (with a valid pointer) causes realloc to free the buffer on most POSIX platforms, but the caller will still have a pointer to it, leading to use after free issues. 2015-02-14T15:14:31+00:00 Mike DePaulo mikedep333@gmail.com 2015-02-09T01:28:30+00:00 urn:sha1:f53f2474d5d33cca04c4c7744ecc50cec41ba94f FontFileReadDirectory() opens a fonts.dir file, and reads over every line in an fscanf loop. For each successful entry read (font name, file name) a call is made to FontFileAddFontFile(). FontFileAddFontFile() will add a font file entry (for the font name and file) each time it’s called, by calling FontFileAddEntry(). FontFileAddEntry() will do the actual adding. If the table it has to add to is full, it will do a realloc, adding 100 more entries to the table size without checking to see if that will overflow the int used to store the size. 2015-02-14T15:14:31+00:00 Mike DePaulo mikedep333@gmail.com 2015-02-09T00:15:20+00:00 urn:sha1:af55da1e9c1a6a352b24823a8f7062c288ffbbc0 Specially crafted LZW stream can crash an application using libXfont that is used to open untrusted font files. With X server, this may allow privilege escalation when exploited 2015-02-02T14:04:01+00:00 Mike Gabriel mike.gabriel@das-netzwerkteam.de 2015-02-02T14:04:01+00:00 urn:sha1:e399356ed17baf7b50da393a3f13682b01bd14a9 2011-10-10T15:47:42+00:00 Reinhard Tartler siretart@tauware.de 2011-10-10T15:47:42+00:00 urn:sha1:5036ffbe6500adc6f55d6b814a21f5222114ca18 Summary: Imported nx-X11-3.3.0-7.tar.gz Keywords: Imported nx-X11-3.3.0-7.tar.gz into Git repository