aboutsummaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Comparing array against NULL is not useful "&xkb->server->vmods != NULL"Erkki Seppälä2016-10-191-1/+1
| | | | | | | | Removed superfluous comparison. Reviewed-by: Dirk Wallenstein <halsmit@t-online.de> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Variable "entry" tracked as NULL was dereferenced.Erkki Seppälä2016-10-191-1/+1
| | | | | | | | | Check entry for non-nullness before dereferencing it Reviewed-by: Dirk Wallenstein <halsmit@t-online.de> Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Dereferencing possibly NULL "str" in call to function "memcpy" (Deref ↵Erkki Seppälä2016-10-191-0/+2
| | | | | | | | | | | assumed on the basis of 'nonnull' parameter attribute.) If _XkbGetReadBufferPtr returns NULL, goto BAILOUT Reviewed-by: Dirk Wallenstein <halsmit@t-online.de> Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Using freed pointer "e"Erkki Seppälä2016-10-191-2/+2
| | | | | | | | | Reordered code to first to do the comparison and then to release data Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Initialize event typePauli Nieminen2016-10-191-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | If we receive unsupported event closing connection triggers valgrind error. ==12017== Conditional jump or move depends on uninitialised value(s) ==12017== at 0x487D454: _XFreeDisplayStructure (OpenDis.c:607) ==12017== by 0x486857B: XCloseDisplay (ClDisplay.c:72) *snip* ==12017== Uninitialised value was created by a heap allocation ==12017== at 0x4834C48: malloc (vg_replace_malloc.c:236) ==12017== by 0x4894147: _XEnq (XlibInt.c:877) ==12017== by 0x4891BF3: handle_response (xcb_io.c:335) ==12017== by 0x4892263: _XReply (xcb_io.c:626) *snip* Problem is that XFreeDisplaySturture is checking for qelt->event.type == GenericEvent while _XUnknownWireEvent doesn't store the type. Reviewed-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Pauli Nieminen <ext-pauli.nieminen@nokia.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* LINEAR_RGB_InitSCCData: When malloc fails, don't try to free unallocated bitsAlan Coopersmith2016-10-191-1/+1
| | | | | | | | | | | | | | | | | | One of the malloc failure checks had a goto to the wrong spot in the list of cleanup free() calls to unwind at the end, and was freeing bits that hadn't been initialized/allocated yet, since they would be stored in the struct that just failed to be allocated. Error: Null pointer dereference (CWE 476) Read from pointer that could be constant 'NULL' at line 805 of /export/alanc/X.Org/sx86/lib/libX11/nx-X11/lib/X11/LRGB.c in function 'LINEAR_RGB_InitSCCData'. Pointer checked against constant 'NULL' at line 754 but does not protect the dereference. [ This bug was found by the Parfait bug checking tool. For more information see http://research.sun.com/projects/parfait ] Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* XStringToKeysym: Cope with 0x1234cafe-style inputDaniel Stone2016-10-191-0/+10
| | | | | | | | | If we get input in the style of 0xdeadbeef, just return that exact keysym. Introduces a dependency on strtoul, which I'm told is OK on all the systems we care about. Signed-off-by: Daniel Stone <daniel@fooishbar.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* XStringToKeysym: Check strdup() return valueDaniel Stone2016-10-191-0/+2
| | | | | | Signed-off-by: Daniel Stone <daniel@fooishbar.org> Reviewed-by: Keith Packard <keithp@keithp.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Delete now-redundant XKeysymDBDaniel Stone2016-10-192-385/+0
| | | | | | | | | | Since XStringToKeysym now supports all the vendor keysyms, just delete our XKeysymDB, which was incomplete at best, misleading at worst, and always an annoyance. Signed-off-by: Daniel Stone <daniel@fooishbar.org> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* XStringToKeysym: Special case for XF86 keysymsDaniel Stone2016-10-191-0/+13
| | | | | | | | | | Some XFree86 keysyms were in XKeysymDB as XF86_foo, despite really being XF86foo. So, if we get to the bottom of XStringToKeysym and haven't found our XF86_foo, try it again as XF86foo. Signed-off-by: Daniel Stone <daniel@fooishbar.org> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* debian/rules: Don't use -pie -fPIE at build time for 3.5.99.2 as it causes ↵Mike Gabriel2016-10-141-1/+1
| | | | nxagent to segfault. Investigating the reasons behind it is in process...
* nx-X11/programs/Xserver/GL/glx/Imakefile: typo fix, leading to ↵Mihai Moldovan2016-10-141-1/+1
| | | | | | glcontextmodes.c not being compiled. The typo didn't cause immediate problems.
* release 3.5.99.23.5.99.2Mike Gabriel2016-10-134-7/+561
|
* debian/*.triggers: Call ldconfig via a trigger for all shared libraries.Mike Gabriel2016-10-134-0/+4
|
* debian/rules: Don't modify/create post{inst,rm} scripts during ↵Mike Gabriel2016-10-131-0/+3
| | | | dh_makeshlibs. This avoids adding ldconfig calls to such scripts.
* hw/nxagent/{Clipboard|Events}.c: Typo fix in error messages.Mike Gabriel2016-10-132-3/+3
|
* nxcomp/{Client|}Proxy.cpp: Typo fix in error messages.Mike Gabriel2016-10-132-6/+6
|
* debian/libnx-x11-6.symbols: Update symbols for new backports in libNX_X11 API.Mike Gabriel2016-10-131-0/+20
|
* Pending.c: conditionally include stdio.hUlrich Sibiller2016-10-131-0/+2
|
* nxcomp: Fix typo in usage message.Ulrich Sibiller2016-10-131-1/+1
|
* Merge branch 'uli42-pr/libX11_debian_backports' into 3.6.xMike Gabriel2016-10-1331-303/+528
|\ | | | | | | Attributes GH PR #215: https://github.com/ArcticaProject/nx-libs/pull/215
| * Add a couple fixups for the security patchesJulien Cristau2016-10-123-2/+3
| | | | | | | | | | | | | | | | | | Add a couple fixups for the security patches - off-by-one in xkb - memory leak in an error path Backport from debian to NX: Ulrich Sibiller <uli42@gmx.de>
| * XListFontsWithInfo: Re-decrement flist[0] before calling free() on it.Matthieu Herrb2016-10-121-2/+4
| | | | | | | | | | | | | | | | | | | | | | Freeing a pointer that wasn't returned by malloc() is undefined behavior and produces an error with OpenBSD's implementation. Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * _XkbReadGetMapReply: reject maxKeyCodes smaller than the minKeyCodeAlan Coopersmith2016-10-121-0/+2
| | | | | | | | | | | | | | | | | | Various other bounds checks in the code assume this is true, so enforce it when we first get the data from the X server. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * Use calloc in XOpenDisplay to initialize structs containing pointersAlan Coopersmith2016-10-121-9/+4
| | | | | | | | | | | | | | | | | | | | Prevents trying to free uninitialized pointers if we have to bail out partway through setup, such as if we receive a corrupted or incomplete connection setup block from the server. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * Unbounded recursion in _XimParseStringFile() when parsing include files ↵Alan Coopersmith2016-10-121-3/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [CVE-2013-2004 2/2] parseline() can call _XimParseStringFile() which can call parseline() which can call _XimParseStringFile() which can call parseline() .... eventually causing recursive stack overflow and crash. Limit is set to a include depth of 100 files, which should be enough for all known use cases, but could be adjusted later if necessary. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * Unbounded recursion in GetDatabase() when parsing include files ↵Alan Coopersmith2016-10-121-9/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [CVE-2013-2004 1/2] GetIncludeFile() can call GetDatabase() which can call GetIncludeFile() which can call GetDatabase() which can call GetIncludeFile() .... eventually causing recursive stack overflow and crash. Easily reproduced with a resource file that #includes itself. Limit is set to a include depth of 100 files, which should be enough for all known use cases, but could be adjusted later if necessary. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * Avoid overflows in XListExtensions() [CVE-2013-1997 15/15]Alan Coopersmith2016-10-121-14/+22
| | | | | | | | | | | | | | | | | | | | Ensure that when breaking the returned list into individual strings, we don't walk past the end of allocated memory to write the '\0' bytes Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * Avoid overflows in XGetFontPath() [CVE-2013-1997 14/15]Alan Coopersmith2016-10-121-14/+22
| | | | | | | | | | | | | | | | | | | | Ensure that when breaking the returned list into individual strings, we don't walk past the end of allocated memory to write the '\0' bytes Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * Avoid overflows in XListFonts() [CVE-2013-1997 13/15]Alan Coopersmith2016-10-121-13/+22
| | | | | | | | | | | | | | | | | | | | Ensure that when breaking the returned list into individual strings, we don't walk past the end of allocated memory to write the '\0' bytes Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated length in _XimXGetReadData() [CVE-2013-1997 12/15]Alan Coopersmith2016-10-121-1/+1
| | | | | | | | | | | | | | | | | | | | | | Check the provided buffer size against the amount of data we're going to write into it, not against the reported length from the ClientMessage. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated index/length in _XkbReadGetNamesReply() [CVE-2013-1997 11/15]Alan Coopersmith2016-10-121-0/+2
| | | | | | | | | | | | | | | | | | | | | | If the X server returns key name indexes outside the range of the number of keys it told us to allocate, out of bounds memory writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated index in _XkbReadVirtualModMap() [CVE-2013-1997 10/15]Alan Coopersmith2016-10-121-0/+3
| | | | | | | | | | | | | | | | | | | | | | If the X server returns modifier map indexes outside the range of the number of keys it told us to allocate, out of bounds memory writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated index in _XkbReadExplicitComponents() [CVE-2013-1997 9/15]Alan Coopersmith2016-10-121-1/+5
| | | | | | | | | | | | | | | | | | | | | | If the X server returns key indexes outside the range of the number of keys it told us to allocate, out of bounds memory writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated index in _XkbReadModifierMap() [CVE-2013-1997 8/15]Alan Coopersmith2016-10-121-0/+5
| | | | | | | | | | | | | | | | | | | | | | If the X server returns modifier map indexes outside the range of the number of keys it told us to allocate, out of bounds memory writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated index in _XkbReadKeyBehaviors() [CVE-2013-1997 7/15]Alan Coopersmith2016-10-121-2/+4
| | | | | | | | | | | | | | | | | | | | | | If the X server returns key behavior indexes outside the range of the number of keys it told us to allocate, out of bounds memory writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated index in _XkbReadKeyActions() [CVE-2013-1997 6/15]Alan Coopersmith2016-10-121-0/+4
| | | | | | | | | | | | | | | | | | | | | | If the X server returns key action indexes outside the range of the number of keys it told us to allocate, out of bounds memory access could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated index in _XkbReadKeySyms() [CVE-2013-1997 5/15]Alan Coopersmith2016-10-121-1/+6
| | | | | | | | | | | | | | | | | | | | | | If the X server returns keymap indexes outside the range of the number of keys it told us to allocate, out of bounds memory access could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated indexes in _XkbReadGetGeometryReply() [CVE-2013-1997 4/15]Alan Coopersmith2016-10-121-0/+3
| | | | | | | | | | | | | | | | | | | | | | If the X server returns color indexes outside the range of the number of colors it told us to allocate, out of bounds memory access could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated indexes in _XkbReadGeomShapes() [CVE-2013-1997 3/15]Alan Coopersmith2016-10-121-4/+8
| | | | | | | | | | | | | | | | | | | | | | If the X server returns shape indexes outside the range of the number of shapes it told us to allocate, out of bounds memory access could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated index in _XkbReadGetDeviceInfoReply() [CVE-2013-1997 2/15]Alan Coopersmith2016-10-121-0/+6
| | | | | | | | | | | | | | | | | | | | | | If the X server returns more buttons than are allocated in the XKB device info structures, out of bounds writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated lengths in XAllocColorCells() [CVE-2013-1997 1/15]Alan Coopersmith2016-10-121-2/+7
| | | | | | | | | | | | | | | | | | | | | | | | If a broken server returned larger than requested values for nPixels or nMasks, XAllocColorCells would happily overflow the buffers provided by the caller to write the results into. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * Make XGetWindowProperty() always initialize returned valuesAlan Coopersmith2016-10-121-1/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Avoids memory corruption and other errors when callers access them without checking to see if XGetWindowProperty() returned an error value. Callers are still required to check for errors, this just reduces the damage when they don't. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * Move repeated #ifdef magic to find PATH_MAX into a common headerAlan Coopersmith2016-10-124-48/+85
| | | | | | | | | | | | | | | | | | Lets stop duplicating the mess all over Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * Convert more _XEatData callers to _XEatDataWordsAlan Coopersmith2016-10-126-20/+20
| | | | | | | | | | | | | | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * integer overflow in XGetModifierMapping() [CVE-2013-1981 13/13]Alan Coopersmith2016-10-121-4/+9
| | | | | | | | | | | | | | | | | | Ensure that we don't underallocate when the server claims a very large reply Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * integer overflow in XGetPointerMapping() & XGetKeyboardMapping() ↵Alan Coopersmith2016-10-121-11/+20
| | | | | | | | | | | | | | | | | | | | | | [CVE-2013-1981 12/13] Ensure that we don't underallocate when the server claims a very large reply Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * integer overflow in XGetImage() [CVE-2013-1981 11/13]Alan Coopersmith2016-10-121-4/+8
| | | | | | | | | | | | | | | | | | | | Ensure that we don't underallocate when the server claims to have sent a very large reply. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * integer overflow in XGetWindowProperty() [CVE-2013-1981 10/13]Alan Coopersmith2016-10-121-9/+16
| | | | | | | | | | | | | | | | | | | | | | | | If the reported number of properties is too large, the calculations to allocate memory for them may overflow, leaving us returning less memory to the caller than implied by the value written to *nitems. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * integer overflows in TransFileName() [CVE-2013-1981 9/13]Alan Coopersmith2016-10-121-11/+34
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When trying to process file paths the tokens %H, %L, & %S are expanded to $HOME, the standard compose file path & the xlocaledir path. If enough of these tokens are repeated and values like $HOME are set to very large values, the calculation of the total string size required to hold the expanded path can overflow, resulting in allocating a smaller string than the amount of data we'll write to it. Simply restrict all of these values, and the total path size to PATH_MAX, because really, that's all you should need for a filename path. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>