| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CVE-2013-7439).
MakeBigReq inserts a length field after the first 4 bytes of the request
(after req->length), pushing everything else back by 4 bytes.
The current memmove moves everything but the first 4 bytes back. If a
request aligns to the end of the buffer pointer when MakeBigReq is
invoked for that request, this runs over the buffer. Instead, we need to
memmove minus the first 4 bytes (which aren't moved), minus the last 4
bytes (so we still align to the previous tail).
The 4 bytes that fell out are already handled with Data32, which will
handle the buffermax correctly.
The case where req->length = 1 was already not functional.
Reported by Abhishek Arya <inferno@chromium.org> (against X.Org BTS).
https://bugzilla.mozilla.org/show_bug.cgi?id=803762
Reviewed-by: Jeff Muizelaar <jmuizelaar@mozilla.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Rebased-for-NX: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
|
|
|
|
| |
WORD64, WORD64ALIGN, MUSTCOPY, UNSIGNEDBITFIELDS definitions).
|
| |
|
|
|
|
| |
build-logic).
|
| |
|
| |
|
|\
| |
| |
| | |
Attributes GH PR #8: https://github.com/ArcticaProject/nx-libs/pull/8
|
| |
| |
| |
| | |
NXiPAQXServer.
|
| |
| |
| |
| | |
variants)
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
|/ |
|
|
|
|
| |
Cherry-picked from branch 3.5.0.x.
|
| |
|
|
|
|
| |
Cherry-picked from branch 3.5.0.x.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cherry-picked from branch 3.5.0.x.
This is basically a merge of the most current xorg-server (1.17.1) code
into nx-X11.
It makes sure that for source pictures, which do not have a drawable
surface, a filter is selected that is supported on the "main" and all
other screens. Alternatively, if the requested filter is not available
on all screens and the picture is a source picture, this function fails
gracefully.
Additionally, the ChangePictureFilter hook is now called for non-source
pictures.
This also needs an implementation in mipict.{c,h}. The default hook does
nothing and returns a success value.
|
| |
|
|
|
|
| |
current_version on OS X. ld(1) on 10.6 fails otherwise.
|
|
|
|
| |
Cherry-picked from branch 3.5.0.x.
|
|
|
|
|
|
|
|
|
| |
libNX_Xcomp*.
Cherry-picked from branch 3.5.0.x.
Conflicts:
debian/changelog
|
|
|
|
| |
if it is not available.
|
|
|
|
| |
from other UNIX-based systems.
|
|
|
|
| |
of -bundle.
|
|
|
|
| |
old cruft.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
rule).
|
| |
|
|
|
|
| |
is not defined).
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
library clean-up: Don't build libNX_Xpm anymore. Use system's libXpm shared library.
One release goal for version 3.6.x of nx-libs is dropping as many bundled libraries as possible that haven't
been adapted to nx-libs.
Starting with libNX_Xpm here.
The libNX_Xpm library is only referenced once (nx-X11/programs/Xserver/hw/nxagent/Holder.c).
When grepping through Xserver/hw/nxagent the suspicion comes up, that the libXpm linkage is not
needed at all, because none of the provided functions are used inside the nxagent Xserver.
|
|/
|
|
| |
library.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
Github summary page).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ensure that the given strings length in an XkbSetGeometry request remain
within the limits of the size of the request.
v3: backport to nx-libs 3.6.x because this is
the CVE-2015-0255 fix (Mike DePaulo)
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 20079c36cf7d377938ca5478447d8b9045cb7d43)
(cherry picked from commit f160e722672dbb2b5215870b47bcc51461d96ff1)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The XkbSetGeometry request embeds data which needs to be swapped when the
server and the client have different endianess.
_XkbSetGeometry() invokes functions that swap these data directly in the
input buffer.
However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
(if there is more than one keyboard), thus causing on swapped clients the
same data to be swapped twice in memory, further causing a server crash
because the strings lengths on the second time are way off bounds.
To allow _XkbSetGeometry() to run reliably more than once with swapped
clients, do not swap the data in the buffer, use variables instead.
v3: backport to nx-libs 3.6.x as a prereq for
the CVE-2015-0255 fix (Mike DePaulo)
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd)
(cherry picked from commit 29be310c303914090298ddda93a5bd5d00a94945)
Signed-off-by: Julien Cristau <jcristau@debian.org>
index 2405090..7db0959 100644
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the following three functions:
bits_to_bytes(bits) - the number of bytes needed to hold 'bits'
bytes_to_int32(bytes) - the number of 4-byte units to hold 'bytes'
pad_to_int32(bytes) - the closest multiple of 4 equal to or larger than
'bytes'.
All three operations are common in protocol processing and currently the
server has ((foo + 7)/8 + 3)/4 operations all over the place. A common set
of functions reduce the error rate of these (albeit simple) calculations and
improve readability of the code.
The functions do not check for overflow.
v2: backport to nx-libs 3.6.x as a prereq for
the CVE-2015-0255 fix (Mike DePaulo)
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
|
|
| |
v2: backport to nx-libs 3.6.x as a prereq for
the CVE-2015-0255 fix (Mike DePaulo)
|
|\
| |
| | |
Make nxagent aware of its NX'ish version string (and number).
|