nx-libs/nx-X11/lib, branch 3.5.99.2 NXv3 (redistributed) https://cgit.arctica-project.org/nx-libs/atom?h=3.5.99.2 2016-10-13T12:05:20+00:00 Pending.c: conditionally include stdio.h 2016-10-13T12:05:20+00:00 Ulrich Sibiller uli42@gmx.de 2016-10-07T19:19:07+00:00 urn:sha1:97c26978b23d85439e5dbeea26520b982ebf8473 Add a couple fixups for the security patches 2016-10-12T07:34:39+00:00 Julien Cristau jcristau@debian.org 2013-05-21T19:54:55+00:00 urn:sha1:a9f623f0a63372ca0705e8394fadf514dec55b1c Add a couple fixups for the security patches - off-by-one in xkb - memory leak in an error path Backport from debian to NX: Ulrich Sibiller <uli42@gmx.de> XListFontsWithInfo: Re-decrement flist[0] before calling free() on it. 2016-10-12T07:34:39+00:00 Matthieu Herrb matthieu.herrb@laas.fr 2013-05-08T17:33:09+00:00 urn:sha1:838108c296cb739350456f49431b57821c78b15c Freeing a pointer that wasn't returned by malloc() is undefined behavior and produces an error with OpenBSD's implementation. Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de> _XkbReadGetMapReply: reject maxKeyCodes smaller than the minKeyCode 2016-10-12T07:34:39+00:00 Alan Coopersmith alan.coopersmith@oracle.com 2013-03-31T19:22:35+00:00 urn:sha1:dc749a457d62b330051e9fb709960951e05de41b Various other bounds checks in the code assume this is true, so enforce it when we first get the data from the X server. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de> Use calloc in XOpenDisplay to initialize structs containing pointers 2016-10-12T07:34:39+00:00 Alan Coopersmith alan.coopersmith@oracle.com 2013-03-16T17:03:13+00:00 urn:sha1:37f8d3eb8ec4a44bebaac7893e5881bd59b5440c Prevents trying to free uninitialized pointers if we have to bail out partway through setup, such as if we receive a corrupted or incomplete connection setup block from the server. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de> Unbounded recursion in _XimParseStringFile() when parsing include files [CVE-2013-2004 2/2] 2016-10-12T07:34:39+00:00 Alan Coopersmith alan.coopersmith@oracle.com 2013-03-02T20:39:58+00:00 urn:sha1:e386187e91569eae3064927d5b5753a7a68ace47 parseline() can call _XimParseStringFile() which can call parseline() which can call _XimParseStringFile() which can call parseline() .... eventually causing recursive stack overflow and crash. Limit is set to a include depth of 100 files, which should be enough for all known use cases, but could be adjusted later if necessary. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de> Unbounded recursion in GetDatabase() when parsing include files [CVE-2013-2004 1/2] 2016-10-12T07:34:39+00:00 Alan Coopersmith alan.coopersmith@oracle.com 2013-03-02T20:01:39+00:00 urn:sha1:bddfee4a987c0ef5eb26e1b14b8385e7630a1e21 GetIncludeFile() can call GetDatabase() which can call GetIncludeFile() which can call GetDatabase() which can call GetIncludeFile() .... eventually causing recursive stack overflow and crash. Easily reproduced with a resource file that #includes itself. Limit is set to a include depth of 100 files, which should be enough for all known use cases, but could be adjusted later if necessary. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de> Avoid overflows in XListExtensions() [CVE-2013-1997 15/15] 2016-10-12T07:34:39+00:00 Alan Coopersmith alan.coopersmith@oracle.com 2013-03-02T23:08:21+00:00 urn:sha1:dbc11719399ce7e191c806ad6b5c9104666e2a77 Ensure that when breaking the returned list into individual strings, we don't walk past the end of allocated memory to write the '\0' bytes Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de> Avoid overflows in XGetFontPath() [CVE-2013-1997 14/15] 2016-10-12T07:34:39+00:00 Alan Coopersmith alan.coopersmith@oracle.com 2013-03-02T23:08:21+00:00 urn:sha1:77edd88e104cbd3fb5dc95473adac1db2c2302a3 Ensure that when breaking the returned list into individual strings, we don't walk past the end of allocated memory to write the '\0' bytes Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de> Avoid overflows in XListFonts() [CVE-2013-1997 13/15] 2016-10-12T07:34:39+00:00 Alan Coopersmith alan.coopersmith@oracle.com 2013-03-02T23:08:21+00:00 urn:sha1:f6c5069ac78d2fe9883cc7ddaf1f32cc17d27107 Ensure that when breaking the returned list into individual strings, we don't walk past the end of allocated memory to write the '\0' bytes Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>