aboutsummaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* XlibInt: info_list->watch_data was reallocated, but result was discardedAnder Conselvan de Oliveira2016-10-191-0/+1
| | | | | | | | | | | | | | | info_list->watch_data was being reallocated, but the return value of the reallocation was stored only into a local variable. This might cause some funky behavior and crashes. Variable "wd_array" goes out of scope Value "wd_array" is overwritten in "wd_array = (XPointer*)realloc((char*)info_list->watch_data, (((dpy->watcher_count + 1) * 4U == 0U) ? 1U : ((dpy->watcher_count + 1) * 4U)))" Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Erkki Seppälä <erkki.seppala@vincit.fi> Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* xcms/LRGB: Add a label for freeing property_return.Ander Conselvan de Oliveira2016-10-191-14/+10
| | | | | | | | | | | | The rest of the code uses goto's to free memory allocated later and prevent memory leaks, but there were several paths were property_return was free'd just before a goto. Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* xcms/LRGB: Fix potential resource leak.Ander Conselvan de Oliveira2016-10-191-0/+2
| | | | | | | | | property_return was not free'd if the allocation of pRedTbl failed. Reviewed-by: Erkki Seppälä <erkki.seppala@vincit.fi> Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Xrm: NEWTABLE had a memory leak after a memory allocation errorErkki Seppälä2016-10-191-1/+3
| | | | | | | | | | | | | The NEWTABLE macro missed freeing its allocated memory on subsequent memory allocation errors. Added call to Xfree. Variable "table" goes out of scope Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* ImUtil: Handle a memory leak in one early return branchErkki Seppälä2016-10-191-0/+1
| | | | | | | | | | | | Fixed memory leak by adding Xfree for image Variable "image" goes out of scope Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* xlibi18n/lcGeneric: Initialize uninitialized local variableErkki Seppälä2016-10-191-1/+1
| | | | | | | | | | Using uninitialized value "new" Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* xcmx/cmxColNm: Removed unused assignments to pBuf (in two functions)Erkki Seppälä2016-10-191-2/+2
| | | | | | | | | | Pointer "pBuf" returned from "fgets(buf, 256, stream)" is never used Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* XDefaultOMIF.c: Fix memory leaks in get_font_nameAlan Coopersmith2016-10-191-8/+2
| | | | | | | | | | | | | Instead of copying the value returned by get_prop_name and then releasing it, directly use the return value of get_prop_name, which allocates memory for the name. If get_prop_name returns NULL, continue on to XFreeFont to release the font before returning the NULL via the normal function return. Reviewed-by: Erkki Seppälä <erkki.seppala@vincit.fi> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Comparing array against NULL is not useful "&xkb->server->vmods != NULL"Erkki Seppälä2016-10-191-1/+1
| | | | | | | | Removed superfluous comparison. Reviewed-by: Dirk Wallenstein <halsmit@t-online.de> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Variable "entry" tracked as NULL was dereferenced.Erkki Seppälä2016-10-191-1/+1
| | | | | | | | | Check entry for non-nullness before dereferencing it Reviewed-by: Dirk Wallenstein <halsmit@t-online.de> Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Dereferencing possibly NULL "str" in call to function "memcpy" (Deref ↵Erkki Seppälä2016-10-191-0/+2
| | | | | | | | | | | assumed on the basis of 'nonnull' parameter attribute.) If _XkbGetReadBufferPtr returns NULL, goto BAILOUT Reviewed-by: Dirk Wallenstein <halsmit@t-online.de> Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Using freed pointer "e"Erkki Seppälä2016-10-191-2/+2
| | | | | | | | | Reordered code to first to do the comparison and then to release data Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Initialize event typePauli Nieminen2016-10-191-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | If we receive unsupported event closing connection triggers valgrind error. ==12017== Conditional jump or move depends on uninitialised value(s) ==12017== at 0x487D454: _XFreeDisplayStructure (OpenDis.c:607) ==12017== by 0x486857B: XCloseDisplay (ClDisplay.c:72) *snip* ==12017== Uninitialised value was created by a heap allocation ==12017== at 0x4834C48: malloc (vg_replace_malloc.c:236) ==12017== by 0x4894147: _XEnq (XlibInt.c:877) ==12017== by 0x4891BF3: handle_response (xcb_io.c:335) ==12017== by 0x4892263: _XReply (xcb_io.c:626) *snip* Problem is that XFreeDisplaySturture is checking for qelt->event.type == GenericEvent while _XUnknownWireEvent doesn't store the type. Reviewed-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Pauli Nieminen <ext-pauli.nieminen@nokia.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* LINEAR_RGB_InitSCCData: When malloc fails, don't try to free unallocated bitsAlan Coopersmith2016-10-191-1/+1
| | | | | | | | | | | | | | | | | | One of the malloc failure checks had a goto to the wrong spot in the list of cleanup free() calls to unwind at the end, and was freeing bits that hadn't been initialized/allocated yet, since they would be stored in the struct that just failed to be allocated. Error: Null pointer dereference (CWE 476) Read from pointer that could be constant 'NULL' at line 805 of /export/alanc/X.Org/sx86/lib/libX11/nx-X11/lib/X11/LRGB.c in function 'LINEAR_RGB_InitSCCData'. Pointer checked against constant 'NULL' at line 754 but does not protect the dereference. [ This bug was found by the Parfait bug checking tool. For more information see http://research.sun.com/projects/parfait ] Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* XStringToKeysym: Cope with 0x1234cafe-style inputDaniel Stone2016-10-191-0/+10
| | | | | | | | | If we get input in the style of 0xdeadbeef, just return that exact keysym. Introduces a dependency on strtoul, which I'm told is OK on all the systems we care about. Signed-off-by: Daniel Stone <daniel@fooishbar.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* XStringToKeysym: Check strdup() return valueDaniel Stone2016-10-191-0/+2
| | | | | | Signed-off-by: Daniel Stone <daniel@fooishbar.org> Reviewed-by: Keith Packard <keithp@keithp.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Delete now-redundant XKeysymDBDaniel Stone2016-10-192-385/+0
| | | | | | | | | | Since XStringToKeysym now supports all the vendor keysyms, just delete our XKeysymDB, which was incomplete at best, misleading at worst, and always an annoyance. Signed-off-by: Daniel Stone <daniel@fooishbar.org> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* XStringToKeysym: Special case for XF86 keysymsDaniel Stone2016-10-191-0/+13
| | | | | | | | | | Some XFree86 keysyms were in XKeysymDB as XF86_foo, despite really being XF86foo. So, if we get to the bottom of XStringToKeysym and haven't found our XF86_foo, try it again as XF86foo. Signed-off-by: Daniel Stone <daniel@fooishbar.org> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* debian/rules: Don't use -pie -fPIE at build time for 3.5.99.2 as it causes ↵Mike Gabriel2016-10-141-1/+1
| | | | nxagent to segfault. Investigating the reasons behind it is in process...
* nx-X11/programs/Xserver/GL/glx/Imakefile: typo fix, leading to ↵Mihai Moldovan2016-10-141-1/+1
| | | | | | glcontextmodes.c not being compiled. The typo didn't cause immediate problems.
* release 3.5.99.23.5.99.2Mike Gabriel2016-10-134-7/+561
|
* debian/*.triggers: Call ldconfig via a trigger for all shared libraries.Mike Gabriel2016-10-134-0/+4
|
* debian/rules: Don't modify/create post{inst,rm} scripts during ↵Mike Gabriel2016-10-131-0/+3
| | | | dh_makeshlibs. This avoids adding ldconfig calls to such scripts.
* hw/nxagent/{Clipboard|Events}.c: Typo fix in error messages.Mike Gabriel2016-10-132-3/+3
|
* nxcomp/{Client|}Proxy.cpp: Typo fix in error messages.Mike Gabriel2016-10-132-6/+6
|
* debian/libnx-x11-6.symbols: Update symbols for new backports in libNX_X11 API.Mike Gabriel2016-10-131-0/+20
|
* Pending.c: conditionally include stdio.hUlrich Sibiller2016-10-131-0/+2
|
* nxcomp: Fix typo in usage message.Ulrich Sibiller2016-10-131-1/+1
|
* Merge branch 'uli42-pr/libX11_debian_backports' into 3.6.xMike Gabriel2016-10-1331-303/+528
|\ | | | | | | Attributes GH PR #215: https://github.com/ArcticaProject/nx-libs/pull/215
| * Add a couple fixups for the security patchesJulien Cristau2016-10-123-2/+3
| | | | | | | | | | | | | | | | | | Add a couple fixups for the security patches - off-by-one in xkb - memory leak in an error path Backport from debian to NX: Ulrich Sibiller <uli42@gmx.de>
| * XListFontsWithInfo: Re-decrement flist[0] before calling free() on it.Matthieu Herrb2016-10-121-2/+4
| | | | | | | | | | | | | | | | | | | | | | Freeing a pointer that wasn't returned by malloc() is undefined behavior and produces an error with OpenBSD's implementation. Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * _XkbReadGetMapReply: reject maxKeyCodes smaller than the minKeyCodeAlan Coopersmith2016-10-121-0/+2
| | | | | | | | | | | | | | | | | | Various other bounds checks in the code assume this is true, so enforce it when we first get the data from the X server. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * Use calloc in XOpenDisplay to initialize structs containing pointersAlan Coopersmith2016-10-121-9/+4
| | | | | | | | | | | | | | | | | | | | Prevents trying to free uninitialized pointers if we have to bail out partway through setup, such as if we receive a corrupted or incomplete connection setup block from the server. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * Unbounded recursion in _XimParseStringFile() when parsing include files ↵Alan Coopersmith2016-10-121-3/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [CVE-2013-2004 2/2] parseline() can call _XimParseStringFile() which can call parseline() which can call _XimParseStringFile() which can call parseline() .... eventually causing recursive stack overflow and crash. Limit is set to a include depth of 100 files, which should be enough for all known use cases, but could be adjusted later if necessary. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * Unbounded recursion in GetDatabase() when parsing include files ↵Alan Coopersmith2016-10-121-9/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [CVE-2013-2004 1/2] GetIncludeFile() can call GetDatabase() which can call GetIncludeFile() which can call GetDatabase() which can call GetIncludeFile() .... eventually causing recursive stack overflow and crash. Easily reproduced with a resource file that #includes itself. Limit is set to a include depth of 100 files, which should be enough for all known use cases, but could be adjusted later if necessary. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * Avoid overflows in XListExtensions() [CVE-2013-1997 15/15]Alan Coopersmith2016-10-121-14/+22
| | | | | | | | | | | | | | | | | | | | Ensure that when breaking the returned list into individual strings, we don't walk past the end of allocated memory to write the '\0' bytes Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * Avoid overflows in XGetFontPath() [CVE-2013-1997 14/15]Alan Coopersmith2016-10-121-14/+22
| | | | | | | | | | | | | | | | | | | | Ensure that when breaking the returned list into individual strings, we don't walk past the end of allocated memory to write the '\0' bytes Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * Avoid overflows in XListFonts() [CVE-2013-1997 13/15]Alan Coopersmith2016-10-121-13/+22
| | | | | | | | | | | | | | | | | | | | Ensure that when breaking the returned list into individual strings, we don't walk past the end of allocated memory to write the '\0' bytes Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated length in _XimXGetReadData() [CVE-2013-1997 12/15]Alan Coopersmith2016-10-121-1/+1
| | | | | | | | | | | | | | | | | | | | | | Check the provided buffer size against the amount of data we're going to write into it, not against the reported length from the ClientMessage. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated index/length in _XkbReadGetNamesReply() [CVE-2013-1997 11/15]Alan Coopersmith2016-10-121-0/+2
| | | | | | | | | | | | | | | | | | | | | | If the X server returns key name indexes outside the range of the number of keys it told us to allocate, out of bounds memory writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated index in _XkbReadVirtualModMap() [CVE-2013-1997 10/15]Alan Coopersmith2016-10-121-0/+3
| | | | | | | | | | | | | | | | | | | | | | If the X server returns modifier map indexes outside the range of the number of keys it told us to allocate, out of bounds memory writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated index in _XkbReadExplicitComponents() [CVE-2013-1997 9/15]Alan Coopersmith2016-10-121-1/+5
| | | | | | | | | | | | | | | | | | | | | | If the X server returns key indexes outside the range of the number of keys it told us to allocate, out of bounds memory writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated index in _XkbReadModifierMap() [CVE-2013-1997 8/15]Alan Coopersmith2016-10-121-0/+5
| | | | | | | | | | | | | | | | | | | | | | If the X server returns modifier map indexes outside the range of the number of keys it told us to allocate, out of bounds memory writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated index in _XkbReadKeyBehaviors() [CVE-2013-1997 7/15]Alan Coopersmith2016-10-121-2/+4
| | | | | | | | | | | | | | | | | | | | | | If the X server returns key behavior indexes outside the range of the number of keys it told us to allocate, out of bounds memory writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated index in _XkbReadKeyActions() [CVE-2013-1997 6/15]Alan Coopersmith2016-10-121-0/+4
| | | | | | | | | | | | | | | | | | | | | | If the X server returns key action indexes outside the range of the number of keys it told us to allocate, out of bounds memory access could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated index in _XkbReadKeySyms() [CVE-2013-1997 5/15]Alan Coopersmith2016-10-121-1/+6
| | | | | | | | | | | | | | | | | | | | | | If the X server returns keymap indexes outside the range of the number of keys it told us to allocate, out of bounds memory access could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated indexes in _XkbReadGetGeometryReply() [CVE-2013-1997 4/15]Alan Coopersmith2016-10-121-0/+3
| | | | | | | | | | | | | | | | | | | | | | If the X server returns color indexes outside the range of the number of colors it told us to allocate, out of bounds memory access could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated indexes in _XkbReadGeomShapes() [CVE-2013-1997 3/15]Alan Coopersmith2016-10-121-4/+8
| | | | | | | | | | | | | | | | | | | | | | If the X server returns shape indexes outside the range of the number of shapes it told us to allocate, out of bounds memory access could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated index in _XkbReadGetDeviceInfoReply() [CVE-2013-1997 2/15]Alan Coopersmith2016-10-121-0/+6
| | | | | | | | | | | | | | | | | | | | | | If the X server returns more buttons than are allocated in the XKB device info structures, out of bounds writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| * unvalidated lengths in XAllocColorCells() [CVE-2013-1997 1/15]Alan Coopersmith2016-10-121-2/+7
| | | | | | | | | | | | | | | | | | | | | | | | If a broken server returned larger than requested values for nPixels or nMasks, XAllocColorCells would happily overflow the buffers provided by the caller to write the results into. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-05 09:25:29 +0000