nx-libs/nx-X11/programs, branch pr/dix-cve-fixes

dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418).

2015-05-31T02:03:55+00:00

The length checking code validates PutImage height and byte width by making sure that byte-width >= INT32_MAX / height. If height is zero, this generates a divide by zero exception. Allow zero height requests explicitly, bypassing the INT32_MAX check. Fix for regression introduced by fix for CVE-2014-8092. v2: backports to nx-libs 3.6.x (Mike Gabriel) v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) Signed-off-by: Keith Packard

dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]

2015-05-31T01:59:45+00:00

ProcPutImage() calculates a length field from a width, left pad and depth specified by the client (if the specified format is XYPixmap). The calculations for the total amount of memory the server needs for the pixmap can overflow a 32-bit number, causing out-of-bounds memory writes on 32-bit systems (since the length is stored in a long int variable). v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith Reviewed-by: Peter Hutterer Conflicts: dix/dispatch.c

Avoid use-after-free in dix/dixfonts.c: doImageText() [CVE-2013-4396] from xorg/Xserver http://lists.x.org/archives/xorg-announce/2013-October/002332.html

2015-05-31T01:58:57+00:00

Save a pointer to the passed in closure structure before copying it and overwriting the *c pointer to point to our copy instead of the original. If we hit an error, once we free(c), reset c to point to the original structure before jumping to the cleanup code that references *c. Since one of the errors being checked for is whether the server was able to malloc(c->nChars * itemSize), the client can potentially pass a number of characters chosen to cause the malloc to fail and the error path to be taken, resulting in the read from freed memory. Since the memory is accessed almost immediately afterwards, and the X server is mostly single threaded, the odds of the free memory having invalid contents are low with most malloc implementations when not using memory debugging features, but some allocators will definitely overwrite the memory there, leading to a likely crash. v2: Apply to NXdixfonts.c rather than dixfonts.c (Mike DePaulo)

Merge pull request #36 from ArcticaProject/pr/render-cve-fixes

2015-05-26T08:31:46+00:00

XRender CVE fixes for nxagent (X.Org CVE-2014-8100)

render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2]

2015-05-24T23:03:10+00:00

v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: port to NXrender.c rather than render.c (Mike DePaulo) Signed-off-by: Alan Coopersmith Reviewed-by: Peter Hutterer Conflicts: render/render.c

render: check request size before reading it [CVE-2014-8100 1/2]

2015-05-24T23:02:56+00:00

Otherwise we may be reading outside of the client request. v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: port to NXrender.c rather than render.c (Mike DePaulo) Signed-off-by: Julien Cristau Reviewed-by: Alan Coopersmith Signed-off-by: Alan Coopersmith Conflicts: render/render.c

hw/nxagent clean-up: Drop NXrandr.{c|h} client lib copy-of-code from nxagent hardware driver.

2015-05-20T10:16:15+00:00

library clean-up: Don't build libNX_Xrandr anymore. Use system's libXrandr shared library.

2015-05-20T10:16:15+00:00

library clean-up: Don't build libNX_Xdamage anymore. Use system's libXdamage shared library. (Fixes ArcticaProject/nx-libs#6, X2GoBTS#826).

2015-05-01T13:46:01+00:00

dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418).

2015-05-01T11:17:03+00:00