| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f
fs_read_query_info() parses a reply from the font server. The reply
contains embedded length fields, none of which are validated. This
can cause out of bound reads in either fs_read_query_info() or in
_fs_convert_props() which it calls to parse the fsPropInfo in the reply.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
xorg/lib/libXfont commit 0f1a5d372c143f91a602bdf10c917d7eabaee09b
fs_get_reply() would take any reply size, multiply it by 4 and pass to
_fs_start_read. If that size was bigger than the current reply buffer
size, _fs_start_read would add it to the existing buffer size plus the
buffer size increment constant and realloc the buffer to that result.
This math could overflow, causing the code to allocate a smaller
buffer than the amount it was about to read into that buffer from
the network. It could also succeed, allowing the remote font server
to cause massive allocations in the X server, possibly using up all
the address space in a 32-bit X server, allowing the triggering of
other bugs in code that fails to handle malloc failure properly.
This patch protects against both problems, by disconnecting any
font server trying to feed us more than (the somewhat arbitrary)
64 mb in a single reply.
|
|
|
|
|
|
|
|
| |
from xorg/lib/libXfont commit cbb64aef35960b2882be721f4b8fbaa0fb649d12
Functions to handle replies to font server requests were casting replies
from the generic form to reply specific structs without first checking
that the reply was at least as long as the struct being cast to.
|
|
|
|
| |
Jover). from xorg/lib/libXfont commit bfb8a71f4f7e5c5ed4278cb3ee271bf9990d276d
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d
The connection setup reply from the font server can include a list
of alternate servers to contact if this font server stops working.
The reply specifies a total size of all the font server names, and
then provides a list of names. _fs_recv_conn_setup() allocated the
specified total size for copying the names to, but didn't check to
make sure it wasn't copying more data to that buffer than the size
it had allocated.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
xorg/lib/libXfont commit 05c8020a49416dd8b7510cbba45ce4f3fc81a7dc
lexAlias() reads from a file in a loop. It does this by starting with a
64 byte buffer. If that size limit is hit, it does a realloc of the
buffer size << 1, basically doubling the needed length every time the
length limit is hit.
Eventually, this will shift out to 0 (for a length of ~4gig), and that
length will be passed on to realloc(). A length of 0 (with a valid
pointer) causes realloc to free the buffer on most POSIX platforms,
but the caller will still have a pointer to it, leading to use after
free issues.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
xorg/lib/libXfont commit 2f5e57317339c526e6eaee1010b0e2ab8089c42e
FontFileReadDirectory() opens a fonts.dir file, and reads over every
line in an fscanf loop. For each successful entry read (font name,
file name) a call is made to FontFileAddFontFile().
FontFileAddFontFile() will add a font file entry (for the font name
and file) each time it’s called, by calling FontFileAddEntry().
FontFileAddEntry() will do the actual adding. If the table it has
to add to is full, it will do a realloc, adding 100 more entries
to the table size without checking to see if that will overflow the
int used to store the size.
|
|
|
|
|
|
|
|
| |
bdfReadCharacters() from xorg/lib/libXfont http://lists.x.org/archives/xorg-announce/2014-January/002389.html
Fixes cppcheck warning:
[lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
scanf without field width limits can crash with huge input data.
|
|
|
|
|
|
|
|
| |
d11ee5886e9d9ec610051a206b135a4cdc1e09a0
Specially crafted LZW stream can crash an application using libXfont
that is used to open untrusted font files. With X server, this may
allow privilege escalation when exploited
|
|
|
|
|
|
|
|
|
|
|
|
| |
(601_nx-X11_build-option-changes-to-not-use-bundled-libraries.full.patch).
This commit has been submitted by Orion in two
portions. One was submitted to X2Go BTS and created
on Wed, 10 Jul 2013.
The other portion has been taken from the Fedora
package by Mike Gabriel and worked into this
patch on Fri, 06 Dec 2013.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(600_nx-X11+nxcompext+nxcompshad_unique-libnames.full.patch).
We really want to make use of rpm's automatic dependency finding.
Binaries are scanned for DT_NEEDED entries, the latter of which are
then used for populating the "Requires"-type deps. The "nxagent"
binary for example would require libX11.so.6. That incurs problems:
1. A package manager told to install nxagent could select xorg-x11
rather than nx-libs, even though nxagent depends on the NX version.
2. A package manager told to install $some_program could select nx-libs
rather than xorg-x11 (since both provide libX11.so.6), but, since
the NX library is in an obscure directory, running $some_program
would fail as libX11.so.6 is not found.
To solve this, give the NX libraries unique names different from the
Xorg ones.
|
| |
|
| |
|
|
|
|
| |
This reverts commit e77bf36d9afbc7e56522574b06217d57c11dd095.
|
| |
|
|
|
|
|
|
|
|
| |
Summary: Imported nx-X11-3.3.0-7.tar.gz
Keywords:
Imported nx-X11-3.3.0-7.tar.gz
into Git repository
|
|
|
|
|
|
|
|
| |
Summary: Imported nx-X11-3.1.0-4.tar.gz
Keywords:
Imported nx-X11-3.1.0-4.tar.gz
into Git repository
|
|
Summary: Imported nx-X11-3.1.0-1.tar.gz
Keywords:
Imported nx-X11-3.1.0-1.tar.gz
into Git repository
|