NXv3 (redistributed) https://cgit.arctica-project.org/nx-libs/atom?h=pr%2Frender-cleanup 2015-02-18T02:23:43+00:00 2015-02-18T02:23:43+00:00 Peter Hutterer peter.hutterer@who-t.net 2009-06-29T03:09:57+00:00 urn:sha1:3937db18a203f9936387286b95328f27013a5ffe This patch adds the following three functions: bits_to_bytes(bits) - the number of bytes needed to hold 'bits' bytes_to_int32(bytes) - the number of 4-byte units to hold 'bytes' pad_to_int32(bytes) - the closest multiple of 4 equal to or larger than 'bytes'. All three operations are common in protocol processing and currently the server has ((foo + 7)/8 + 3)/4 operations all over the place. A common set of functions reduce the error rate of these (albeit simple) calculations and improve readability of the code. The functions do not check for overflow. v2: backport to nx-libs 3.6.x as a prereq for the CVE-2015-0255 fix (Mike DePaulo) Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> 2015-02-14T15:14:32+00:00 Alan Coopersmith alan.coopersmith@oracle.com 2014-01-26T18:54:41+00:00 urn:sha1:fde1375e373137ac52d0530b819bf9df64ab14c1 Multiple functions in the Xinput extension handling of requests from clients failed to check that the length of the request sent by the client was large enough to perform all the required operations and thus could read or write to memory outside the bounds of the request buffer. This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE macro in include/dix.h for the common case of needing to ensure a request is large enough to include both the request itself and a minimum amount of extra data following the request header. v2: backport to nx-libs 3.6.x (Mike DePaulo) Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: Xi/chgdctl.c Xi/chgfctl.c Xi/xiallowev.c Xi/xichangecursor.c Xi/xichangehierarchy.c Xi/xigetclientpointer.c Xi/xigrabdev.c Xi/xipassivegrab.c Xi/xiproperty.c Xi/xiquerydevice.c Xi/xiquerypointer.c Xi/xiselectev.c Xi/xisetclientpointer.c Xi/xisetdevfocus.c Xi/xiwarppointer.c [RHEL5: Xi/xi* files are XI2 ] 2015-02-14T15:14:32+00:00 Alan Coopersmith alan.coopersmith@oracle.com 2014-01-23T07:44:46+00:00 urn:sha1:82d7279ebfa04f319e68145b3adbf65716e59584 Force use of 64-bit integers when evaluating data provided by clients in 32-bit fields which can overflow when added or multiplied during checks. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> RHEL5: add #include <stdint.h> for uint64_t v3: backport to nx-libs 3.6.x (Mike DePaulo) 2015-02-14T15:14:32+00:00 Alan Coopersmith alan.coopersmith@oracle.com 2014-01-23T06:37:15+00:00 urn:sha1:ed1e13a1f4e316bcf0dc0d4b2c16b1df3f075005 RegionSizeof contains several integer overflows if a large length value is passed in. Once we fix it to return 0 on overflow, we also have to fix the callers to handle this error condition v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau. v3: backport to nx-libs 3.6.x (Mike DePaulo) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Julien Cristau <jcristau@debian.org> Conflicts: dix/region.c include/regionstr.h 2015-02-13T12:37:33+00:00 Orion Poplawski orion@cora.nwra.com 2015-02-13T12:37:33+00:00 urn:sha1:31cdd874cf2ca5b5cfad699ff1d283f0747821e4 2015-02-02T14:04:01+00:00 Mike Gabriel mike.gabriel@das-netzwerkteam.de 2015-02-02T14:04:01+00:00 urn:sha1:e399356ed17baf7b50da393a3f13682b01bd14a9 2011-10-10T15:43:39+00:00 Reinhard Tartler siretart@tauware.de 2011-10-10T15:43:39+00:00 urn:sha1:f4092abdf94af6a99aff944d6264bc1284e8bdd4 Summary: Imported nx-X11-3.1.0-1.tar.gz Keywords: Imported nx-X11-3.1.0-1.tar.gz into Git repository