aboutsummaryrefslogtreecommitdiff
path: root/nx-X11/lib
Commit message (Collapse)AuthorAgeFilesLines
* Fix memory leaks on _XimGetAttributeID error paths.Ander Conselvan de Oliveira2016-10-191-2/+6
| | | | | | Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* xcms: Fix memory leaks on LINEAR_RGB_InitSCCData error path.Ander Conselvan de Oliveira2016-10-191-3/+3
| | | | | | | | | | | pScreenData is replaced when building per visual intensity tables. If malloc failed the old value of pScreenData (stored also in pScreenDefaultData) was being leaked. Also, property_return wasn't free'd in that case. Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* xcms: Fix error on LINEAR_RGB_InitSCCData error path.Ander Conselvan de Oliveira2016-10-191-1/+1
| | | | | | | | | Due to what looks like a copy & paste error, pScreenData->pBlueTbl would be accessed after being free'd. Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* FSWrap: fix potential leak in copy_string_listAnder Conselvan de Oliveira2016-10-191-1/+1
| | | | | | | | If list_count is 0, dst would be allocated and leaked. Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Fix memory leak with broken bitmap files in XReadBitmapFileDataAnder Conselvan de Oliveira2016-10-191-0/+5
| | | | | | | | | | | | | | Bitmap file data is read looping through the lines in the input file. If there is extra data after the bitmap, these lines will be processed and if this data represents another bitmap it will replace the one read before causing the memory allocated for bits to leak. This changes the code to stop processing the file once a bitmap was read. Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Add #define XK_SINHALAHarshula Jayasuriya2016-10-191-0/+1
| | | | | | | | | Add #define XK_SINHALA so that the Sinhala keysyms can be used by the lk xkb keymap. Signed-off-by: Harshula Jayasuriya <harshula@gmail.com> Reviewed-by: Daniel Stone <daniel@fooishbar.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* xkb: XkbPropertyPtr determined allocation success from wrong variablesErkki Seppälä2016-10-191-2/+2
| | | | | | | | | | | | | Cannot reach dead statement "return NULL;" Check for the NULLness of prop->name and prop->value instead of name and value, which was checked earlier anyway. Decided against using strdup due to curious memory allocation functions and the rest of the xkb not using it either. Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* keyBind: Use Xcalloc to initialize allocated _XKeytransErkki Seppälä2016-10-191-1/+1
| | | | | | | | | | Using uninitialized value "p->modifiers" Small fix by using Xcalloc instead of Xmalloc Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Clean up memory when first XCreateRegion succeeds and second failsAlan Coopersmith2016-10-191-2/+11
| | | | | | | | | | | | | | | | | | | Error: Memory leak (CWE 401) Memory leak of pointer 's' allocated with XCreateRegion() at line 387 of /export/alanc/X.Org/sx86-gcc/lib/libX11/nx-X11/lib/X11/Region.c in function 'XShrinkRegion'. 's' allocated at line 387 with XCreateRegion(). s leaks when s != 0 at line 387. Error: Memory leak (CWE 401) Memory leak of pointer 'tra' allocated with XCreateRegion() at line 1452 of /export/alanc/X.Org/sx86-gcc/lib/libX11/nx-X11/lib/X11/Region.c in function 'XXorRegion'. 'tra' allocated at line 1451 with XCreateRegion(). tra leaks when tra != 0 at line 1451. [ This bug was found by the Parfait 0.3.6 bug checking tool. For more information see http://labs.oracle.com/projects/parfait/ ] Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* cmsProp: don't deal with uninitialized values, fail insteadErkki Seppälä2016-10-191-7/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Properly handle the return value of XGetWindowProperty by considering if after the loop as well. Using freed pointer "prop_ret" There were numerous things wrong in how this function interacted with XGetWindowProperty. None of the local variables were initialized and remained that way if the call to XGetWindowProperty returned 1 (not Succeed). That doesn't result in after_ret being initialized in which case if it happens to be 0, the loop was exited. In that case format_ret and nitems_ret were uninitialized and the function might return with success (but with uninitialized pointer in prop_ret) or XcmsFailure. As the buffer enlarging code was called only when XGetWindowProperty failed (returned not Success), after_ret would not have been initialized. It would have been initialized only if the XGetWindowProperty has returned Success earlier, but in that case the code fragment would not have been reached. This patch alters the function to return XcmsFailure if the call to XGetWindowProperty fails. Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Reviewed-by: Rami Ylimäki <rami.ylimaki@vincit.fi> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* xcms/LRGB: don't double-free property_returnAnder Conselvan de Oliveira2016-10-191-1/+0
| | | | | | | | | | | | | property_return was free'd before and in the case the conditional is true, the call to XcmsGetProperty failed which means that property_return wasn't set so there is no need to free it again. Double free of pointer "property_return" in call to "free" Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Erkki Seppälä <erkki.seppala@vincit.fi> Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Xrm.c: ReadInFile: refactor fstat error handlingAlan Coopersmith2016-10-191-9/+4
| | | | | | | | | We can simplify the fstat failure case now that the GetFileSize macro has been expanded inline. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Expand GetSizeOfFile() macro at the one place it's calledAlan Coopersmith2016-10-192-50/+8
| | | | | | | | Removes XrmI.h header that only contained this single macro Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* XlibInt: Use strncpy+zero termination instead of strcpy to enforce buffer sizeErkki Seppälä2016-10-191-3/+4
| | | | | | | | | | | Possible overrun of 8192 byte fixed size buffer "buffer" by copying "ext->name" without length checking Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* xlibi18n/lcFile: Removed superfluous check for NULL target_dirErkki Seppälä2016-10-191-4/+2
| | | | | | | | | | | | The situation is already handled before this code. Cannot reach dead expression "0U" inside statement "if (1U + (target_dir ? strl..." Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* XlibInt: info_list->watch_data was reallocated, but result was discardedAnder Conselvan de Oliveira2016-10-191-0/+1
| | | | | | | | | | | | | | | info_list->watch_data was being reallocated, but the return value of the reallocation was stored only into a local variable. This might cause some funky behavior and crashes. Variable "wd_array" goes out of scope Value "wd_array" is overwritten in "wd_array = (XPointer*)realloc((char*)info_list->watch_data, (((dpy->watcher_count + 1) * 4U == 0U) ? 1U : ((dpy->watcher_count + 1) * 4U)))" Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Erkki Seppälä <erkki.seppala@vincit.fi> Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* xcms/LRGB: Add a label for freeing property_return.Ander Conselvan de Oliveira2016-10-191-14/+10
| | | | | | | | | | | | The rest of the code uses goto's to free memory allocated later and prevent memory leaks, but there were several paths were property_return was free'd just before a goto. Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* xcms/LRGB: Fix potential resource leak.Ander Conselvan de Oliveira2016-10-191-0/+2
| | | | | | | | | property_return was not free'd if the allocation of pRedTbl failed. Reviewed-by: Erkki Seppälä <erkki.seppala@vincit.fi> Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Xrm: NEWTABLE had a memory leak after a memory allocation errorErkki Seppälä2016-10-191-1/+3
| | | | | | | | | | | | | The NEWTABLE macro missed freeing its allocated memory on subsequent memory allocation errors. Added call to Xfree. Variable "table" goes out of scope Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* ImUtil: Handle a memory leak in one early return branchErkki Seppälä2016-10-191-0/+1
| | | | | | | | | | | | Fixed memory leak by adding Xfree for image Variable "image" goes out of scope Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* xlibi18n/lcGeneric: Initialize uninitialized local variableErkki Seppälä2016-10-191-1/+1
| | | | | | | | | | Using uninitialized value "new" Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* xcmx/cmxColNm: Removed unused assignments to pBuf (in two functions)Erkki Seppälä2016-10-191-2/+2
| | | | | | | | | | Pointer "pBuf" returned from "fgets(buf, 256, stream)" is never used Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* XDefaultOMIF.c: Fix memory leaks in get_font_nameAlan Coopersmith2016-10-191-8/+2
| | | | | | | | | | | | | Instead of copying the value returned by get_prop_name and then releasing it, directly use the return value of get_prop_name, which allocates memory for the name. If get_prop_name returns NULL, continue on to XFreeFont to release the font before returning the NULL via the normal function return. Reviewed-by: Erkki Seppälä <erkki.seppala@vincit.fi> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Comparing array against NULL is not useful "&xkb->server->vmods != NULL"Erkki Seppälä2016-10-191-1/+1
| | | | | | | | Removed superfluous comparison. Reviewed-by: Dirk Wallenstein <halsmit@t-online.de> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Variable "entry" tracked as NULL was dereferenced.Erkki Seppälä2016-10-191-1/+1
| | | | | | | | | Check entry for non-nullness before dereferencing it Reviewed-by: Dirk Wallenstein <halsmit@t-online.de> Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Dereferencing possibly NULL "str" in call to function "memcpy" (Deref ↵Erkki Seppälä2016-10-191-0/+2
| | | | | | | | | | | assumed on the basis of 'nonnull' parameter attribute.) If _XkbGetReadBufferPtr returns NULL, goto BAILOUT Reviewed-by: Dirk Wallenstein <halsmit@t-online.de> Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Using freed pointer "e"Erkki Seppälä2016-10-191-2/+2
| | | | | | | | | Reordered code to first to do the comparison and then to release data Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Initialize event typePauli Nieminen2016-10-191-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | If we receive unsupported event closing connection triggers valgrind error. ==12017== Conditional jump or move depends on uninitialised value(s) ==12017== at 0x487D454: _XFreeDisplayStructure (OpenDis.c:607) ==12017== by 0x486857B: XCloseDisplay (ClDisplay.c:72) *snip* ==12017== Uninitialised value was created by a heap allocation ==12017== at 0x4834C48: malloc (vg_replace_malloc.c:236) ==12017== by 0x4894147: _XEnq (XlibInt.c:877) ==12017== by 0x4891BF3: handle_response (xcb_io.c:335) ==12017== by 0x4892263: _XReply (xcb_io.c:626) *snip* Problem is that XFreeDisplaySturture is checking for qelt->event.type == GenericEvent while _XUnknownWireEvent doesn't store the type. Reviewed-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Pauli Nieminen <ext-pauli.nieminen@nokia.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* LINEAR_RGB_InitSCCData: When malloc fails, don't try to free unallocated bitsAlan Coopersmith2016-10-191-1/+1
| | | | | | | | | | | | | | | | | | One of the malloc failure checks had a goto to the wrong spot in the list of cleanup free() calls to unwind at the end, and was freeing bits that hadn't been initialized/allocated yet, since they would be stored in the struct that just failed to be allocated. Error: Null pointer dereference (CWE 476) Read from pointer that could be constant 'NULL' at line 805 of /export/alanc/X.Org/sx86/lib/libX11/nx-X11/lib/X11/LRGB.c in function 'LINEAR_RGB_InitSCCData'. Pointer checked against constant 'NULL' at line 754 but does not protect the dereference. [ This bug was found by the Parfait bug checking tool. For more information see http://research.sun.com/projects/parfait ] Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* XStringToKeysym: Cope with 0x1234cafe-style inputDaniel Stone2016-10-191-0/+10
| | | | | | | | | If we get input in the style of 0xdeadbeef, just return that exact keysym. Introduces a dependency on strtoul, which I'm told is OK on all the systems we care about. Signed-off-by: Daniel Stone <daniel@fooishbar.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* XStringToKeysym: Check strdup() return valueDaniel Stone2016-10-191-0/+2
| | | | | | Signed-off-by: Daniel Stone <daniel@fooishbar.org> Reviewed-by: Keith Packard <keithp@keithp.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Delete now-redundant XKeysymDBDaniel Stone2016-10-192-385/+0
| | | | | | | | | | Since XStringToKeysym now supports all the vendor keysyms, just delete our XKeysymDB, which was incomplete at best, misleading at worst, and always an annoyance. Signed-off-by: Daniel Stone <daniel@fooishbar.org> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* XStringToKeysym: Special case for XF86 keysymsDaniel Stone2016-10-191-0/+13
| | | | | | | | | | Some XFree86 keysyms were in XKeysymDB as XF86_foo, despite really being XF86foo. So, if we get to the bottom of XStringToKeysym and haven't found our XF86_foo, try it again as XF86foo. Signed-off-by: Daniel Stone <daniel@fooishbar.org> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Pending.c: conditionally include stdio.hUlrich Sibiller2016-10-131-0/+2
|
* Add a couple fixups for the security patchesJulien Cristau2016-10-123-2/+3
| | | | | | | | | Add a couple fixups for the security patches - off-by-one in xkb - memory leak in an error path Backport from debian to NX: Ulrich Sibiller <uli42@gmx.de>
* XListFontsWithInfo: Re-decrement flist[0] before calling free() on it.Matthieu Herrb2016-10-121-2/+4
| | | | | | | | | | | Freeing a pointer that wasn't returned by malloc() is undefined behavior and produces an error with OpenBSD's implementation. Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* _XkbReadGetMapReply: reject maxKeyCodes smaller than the minKeyCodeAlan Coopersmith2016-10-121-0/+2
| | | | | | | | | Various other bounds checks in the code assume this is true, so enforce it when we first get the data from the X server. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Use calloc in XOpenDisplay to initialize structs containing pointersAlan Coopersmith2016-10-121-9/+4
| | | | | | | | | | Prevents trying to free uninitialized pointers if we have to bail out partway through setup, such as if we receive a corrupted or incomplete connection setup block from the server. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Unbounded recursion in _XimParseStringFile() when parsing include files ↵Alan Coopersmith2016-10-121-3/+17
| | | | | | | | | | | | | | | | | [CVE-2013-2004 2/2] parseline() can call _XimParseStringFile() which can call parseline() which can call _XimParseStringFile() which can call parseline() .... eventually causing recursive stack overflow and crash. Limit is set to a include depth of 100 files, which should be enough for all known use cases, but could be adjusted later if necessary. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Unbounded recursion in GetDatabase() when parsing include files ↵Alan Coopersmith2016-10-121-9/+15
| | | | | | | | | | | | | | | | | | | [CVE-2013-2004 1/2] GetIncludeFile() can call GetDatabase() which can call GetIncludeFile() which can call GetDatabase() which can call GetIncludeFile() .... eventually causing recursive stack overflow and crash. Easily reproduced with a resource file that #includes itself. Limit is set to a include depth of 100 files, which should be enough for all known use cases, but could be adjusted later if necessary. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Avoid overflows in XListExtensions() [CVE-2013-1997 15/15]Alan Coopersmith2016-10-121-14/+22
| | | | | | | | | | Ensure that when breaking the returned list into individual strings, we don't walk past the end of allocated memory to write the '\0' bytes Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Avoid overflows in XGetFontPath() [CVE-2013-1997 14/15]Alan Coopersmith2016-10-121-14/+22
| | | | | | | | | | Ensure that when breaking the returned list into individual strings, we don't walk past the end of allocated memory to write the '\0' bytes Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* Avoid overflows in XListFonts() [CVE-2013-1997 13/15]Alan Coopersmith2016-10-121-13/+22
| | | | | | | | | | Ensure that when breaking the returned list into individual strings, we don't walk past the end of allocated memory to write the '\0' bytes Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* unvalidated length in _XimXGetReadData() [CVE-2013-1997 12/15]Alan Coopersmith2016-10-121-1/+1
| | | | | | | | | | | Check the provided buffer size against the amount of data we're going to write into it, not against the reported length from the ClientMessage. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* unvalidated index/length in _XkbReadGetNamesReply() [CVE-2013-1997 11/15]Alan Coopersmith2016-10-121-0/+2
| | | | | | | | | | | If the X server returns key name indexes outside the range of the number of keys it told us to allocate, out of bounds memory writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* unvalidated index in _XkbReadVirtualModMap() [CVE-2013-1997 10/15]Alan Coopersmith2016-10-121-0/+3
| | | | | | | | | | | If the X server returns modifier map indexes outside the range of the number of keys it told us to allocate, out of bounds memory writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* unvalidated index in _XkbReadExplicitComponents() [CVE-2013-1997 9/15]Alan Coopersmith2016-10-121-1/+5
| | | | | | | | | | | If the X server returns key indexes outside the range of the number of keys it told us to allocate, out of bounds memory writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* unvalidated index in _XkbReadModifierMap() [CVE-2013-1997 8/15]Alan Coopersmith2016-10-121-0/+5
| | | | | | | | | | | If the X server returns modifier map indexes outside the range of the number of keys it told us to allocate, out of bounds memory writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* unvalidated index in _XkbReadKeyBehaviors() [CVE-2013-1997 7/15]Alan Coopersmith2016-10-121-2/+4
| | | | | | | | | | | If the X server returns key behavior indexes outside the range of the number of keys it told us to allocate, out of bounds memory writes could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
* unvalidated index in _XkbReadKeyActions() [CVE-2013-1997 6/15]Alan Coopersmith2016-10-121-0/+4
| | | | | | | | | | | If the X server returns key action indexes outside the range of the number of keys it told us to allocate, out of bounds memory access could occur. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>