authorJulien Cristau <jcristau@debian.org>2013-05-21 21:54:55 +0200
committerUlrich Sibiller <uli42@gmx.de>2016-10-12 09:34:39 +0200
commita9f623f0a63372ca0705e8394fadf514dec55b1c (patch)
tree478aa88a8c42cbcb8221dd6680a16131556b49be
parent838108c296cb739350456f49431b57821c78b15c (diff)
Add a couple fixups for the security patches
Add a couple fixups for the security patches

- off-by-one in xkb
- memory leak in an error path

Backport from debian to NX: Ulrich Sibiller <uli42@gmx.de>
-rw-r--r--nx-X11/lib/X11/Font.c1
-rw-r--r--nx-X11/lib/X11/XKBGetMap.c2
-rw-r--r--nx-X11/lib/X11/XKBNames.c2
3 files changed, 3 insertions, 2 deletions
diff --git a/nx-X11/lib/X11/Font.c b/nx-X11/lib/X11/Font.c
index 0501ae279..d311cd0f7 100644
--- a/nx-X11/lib/X11/Font.c
+++ b/nx-X11/lib/X11/Font.c
@@ -508,6 +508,7 @@ _XF86BigfontQueryFont (
any real font needs, so the combined total doesn't overflow either */
if (reply.nUniqCharInfos > ((ULONG_MAX / 2) / SIZEOF(xCharInfo)) ||
reply.nCharInfos > ((ULONG_MAX / 2) / sizeof(CARD16))) {
+ Xfree(fs->properties);
Xfree((char *) fs);
_XEatDataWords(dpy, reply_left);
return (XFontStruct *)NULL;
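Review bot: The added `Xfree(fs->properties);` is only correct if `fs->properties` is either NULL or a live allocation on every path that reaches this overflow check, and the assignment to it is outside the hunk, so that needs confirming against the rest of `_XF86BigfontQueryFont`. If it holds, a comment on the new line would record the invariant, for example `/* properties is NULL or owned by fs at this point */`. The same three-step cleanup (free members, free `fs`, eat the remaining reply words) is spelled out inline here; if the other early returns in this function repeat it, a single cleanup label would make a forgotten free like this one harder to reintroduce.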
diff --git a/nx-X11/lib/X11/XKBGetMap.c b/nx-X11/lib/X11/XKBGetMap.c
index 5eb1d41bf..391d7aa89 100644
--- a/nx-X11/lib/X11/XKBGetMap.c
+++ b/nx-X11/lib/X11/XKBGetMap.c
@@ -427,7 +427,7 @@ XkbServerMapPtr srv;
if ( rep->totalVModMapKeys>0 ) {
if (((int) rep->firstVModMapKey + rep->nVModMapKeys)
- > xkb->max_key_code)
+ > xkb->max_key_code + 1)
return BadLength;
if (((xkb->server==NULL)||(xkb->server->vmodmap==NULL))&&
(XkbAllocServerMap(xkb,XkbVirtualModMapMask,0)!=Success)) {
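Review bot: The corrected bound `> xkb->max_key_code + 1` carries no explanation, which is how the off-by-one got in originally; the same expression is open-coded again in the XKBNames.c hunk for `rep->firstKey + rep->nKeys`. A one-line comment above the check would help, such as `/* first + count is an exclusive end; keycodes up to max_key_code inclusive are valid */`. Since both files validate a server-supplied (first, count) pair against the same limit, a small shared macro or static helper would keep the two checks from drifting apart again. The enclosing function starts and ends outside the hunk, so whether the later per-entry writes are bounded the same way cannot be judged from here.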
diff --git a/nx-X11/lib/X11/XKBNames.c b/nx-X11/lib/X11/XKBNames.c
index 1f5207493..c82b59e30 100644
--- a/nx-X11/lib/X11/XKBNames.c
+++ b/nx-X11/lib/X11/XKBNames.c
@@ -180,7 +180,7 @@ _XkbReadGetNamesReply( Display * dpy,
nKeys= xkb->max_key_code+1;
names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec);
}
- else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code)
+ else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code + 1)
goto BAILOUT;
if (names->keys!=NULL) {
if (!_XkbCopyFromReadBuffer(&buf,
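Review bot: The range check sits on the `else if` arm, so it appears to be skipped entirely on the path that has just allocated `names->keys` with `max_key_code + 1` entries, and the `_XkbCopyFromReadBuffer` call that follows is then reached with `rep->firstKey` and `rep->nKeys` unvalidated. The opening `if` and the copy's destination argument are outside the hunk, so this is inferred from the visible `} else if` structure. If it holds, the check should run on both paths by making it a standalone statement after the allocation block: `if (((int)rep->firstKey + rep->nKeys) > xkb->max_key_code + 1) goto BAILOUT;`.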