aboutsummaryrefslogtreecommitdiff
path: root/nx-X11/lib
Commit message (Collapse)AuthorAgeFilesLines
* Fix alpha premultiplication in XRenderParseColor.Emanuele Giaquinta2015-06-231-3/+3
| | | | | | | | | | | Due to C arithmetic conversion rules we must use an unsigned constant (or a cast) to perform the multiplication using unsigned arithmetic. Fixes ArcticaProject/nx-libs#55. Author: Emanuele Giaquinta <emanuele.giaquinta@gmail.com> Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com> Rebased against NX: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
* library clean-up: Drop libXx86{misc,vm,dga} libraries. Not needed by nx-libs.Mike Gabriel2015-06-2214-4852/+0
|
* library clean-up: Drop nx-X11/lib/Xxf86rush and references to libglide{2,3}. ↵Mike Gabriel2015-06-213-327/+0
| | | | Unused in nx-libs.
* remove libxkbui, looks like it is not used anywhereHenning Heinold2015-06-206-977/+0
|
* Drop nx-X11/lib/GL and move Imakefile.inc include files into Xserver code tree.Mike Gabriel2015-06-1640-4524/+1
| | | | | | | | | | | | The client-side library libNX_GL.{a,so} is not built when building nx-libs. However, nx-X11/lib/GL/** ships several imake include files (Imakefile.inc) that are also used in nx-X11/programs/Xserver/GL/**. These files have been moved from the nx-X11/lib/GL/ code subtree to the nx-X11/programs/Xserver/GL/. Furthermore, we don't provide module builds of the GL extension anymore, as that feature is neither used in nx-libs.
* library clean-up: Don't compile (i.e., remove) libNX_Xres.a anymore. It is ↵Mike Gabriel2015-06-025-421/+0
| | | | not used anywhere.
* library clean-up: Don't build libNX_Xrandr anymore. Use system's libXrandr ↵Mike Gabriel2015-05-208-1437/+0
| | | | shared library.
* library clean-up: Don't build libNX_Xdamage anymore. Use system's libXdamage ↵Mike Gabriel2015-05-0114-733/+0
| | | | shared library. (Fixes ArcticaProject/nx-libs#6, X2GoBTS#826).
* imake cleanup: Drop references to X11 build-logic that is not present in nx-X11.Mike Gabriel2015-04-282-125/+2
|
* imake cleanup: Break up multiple vars into invidual lines to ease further ↵Mike Gabriel2015-04-284-23/+89
| | | | work on patches / pull requests.
* library clean-up: Don't build libNX_Xdmcp anymore. Use system's libXdmcp ↵Mike Gabriel2015-04-2247-3261/+2
| | | | shared library.
* library clean-up: Don't build and link libXfont.a anymore. Use system's ↵pr/libxfont-cleanupMike Gabriel2015-04-22191-63701/+4
| | | | libXfont shared library and link dynamically.
* fix for Xcursor clean-up (422fe90)Mike Gabriel2015-04-213-3/+3
|
* Merge pull request #12 from sunweaver/pr/arch-cleanup.CRAYMike DePaulo2015-04-1642-913/+35
|\ | | | | arch cleanup (CRAY/WORD64) + X.Org CVE-2013-7439
| * MakeBigReq: don't move the last word, already handled by Data32 (X.Org ↵Karl Tomlinson2015-04-161-2/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | CVE-2013-7439). MakeBigReq inserts a length field after the first 4 bytes of the request (after req->length), pushing everything else back by 4 bytes. The current memmove moves everything but the first 4 bytes back. If a request aligns to the end of the buffer pointer when MakeBigReq is invoked for that request, this runs over the buffer. Instead, we need to memmove minus the first 4 bytes (which aren't moved), minus the last 4 bytes (so we still align to the previous tail). The 4 bytes that fell out are already handled with Data32, which will handle the buffermax correctly. The case where req->length = 1 was already not functional. Reported by Abhishek Arya <inferno@chromium.org> (against X.Org BTS). https://bugzilla.mozilla.org/show_bug.cgi?id=803762 Reviewed-by: Jeff Muizelaar <jmuizelaar@mozilla.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Rebased-for-NX: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
| * old-arch cleanup: Drop CRAY support (i.e., drop code related to CRAY, _CRAY, ↵Mike Gabriel2015-04-1642-911/+18
| | | | | | | | WORD64, WORD64ALIGN, MUSTCOPY, UNSIGNEDBITFIELDS definitions).
* | library clean-up: Drop nx-X11/lib/Xcursor. Not used at build time.Mike Gabriel2015-04-1623-4847/+1
|/
* fix for ebe00df38f264ef71dac3c73d416a74685c8cbd2 (removal of DmxLibrary)Mike Gabriel2015-04-081-4/+0
|
* imake cleanup: Drop all references to XprtServer and BuildXprint*.Mike Gabriel2015-04-041-5/+1
|
* imake cleanup: Drop all references to XdmxServer and BuildXdmx*.Mike Gabriel2015-04-041-1/+1
|
* imake cleanup: Drop all references to XNestServer.Mike Gabriel2015-04-041-1/+1
|
* imake cleanup: Drop all references to XWinServer.Mike Gabriel2015-04-041-1/+1
|
* nx-X11/**: Drop non-imake Makefile* files.Mike Gabriel2015-03-044-205/+0
|
* library clean-up: Don't build libNX_Xpm anymore. Use system's libXpm shared ↵Mike Gabriel2015-03-033-166/+0
| | | | library.
* Drop unused .cvsignore filesMike DePaulo2015-02-183-73/+0
|
* Do proper input validation to fix for CVE-2011-2895.Joerg Sonnenberger2015-02-161-14/+17
| | | | | | | | | | | | It ensures that all valid input can be decompressed, checks that the overflow conditions doesn't happen and generally tightens the validation of the LZW stream and doesn't pessimize the inner loop for no good reason. It's derived from a change in libarchive from 2004. v2: backports to nx-libs 3.6.x (Mihai Moldovan) v3: fix comment lines starting with "+" + whitespace fixes (Mike Gabriel) Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> Reviewed-by: Tomas Hoger <thoger@redhat.com>
* Revert "Do proper input validation to fix for CVE-2011-2895."Mike Gabriel2015-02-161-17/+14
| | | | This reverts commit 6acafc9334828da22446380c81af81bde14b5d86.
* Do proper input validation to fix for CVE-2011-2895.Joerg Sonnenberger2015-02-161-14/+17
| | | | | | | | | | | It ensures that all valid input can be decompressed, checks that the overflow conditions doesn't happen and generally tightens the validation of the LZW stream and doesn't pessimize the inner loop for no good reason. It's derived from a change in libarchive from 2004. v2: backports to nx-libs 3.6.x (Mihai Moldovan) Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> Reviewed-by: Tomas Hoger <thoger@redhat.com>
* nx-X11/lib/font/fc/fserve.c: initialize remaining bufleft variables.Mihai Moldovan2015-02-161-2/+2
|
* CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from ↵Mike DePaulo2015-02-161-3/+18
| | | | | | | | | | | | | | | xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d The connection setup reply from the font server can include a list of alternate servers to contact if this font server stops working. The reply specifies a total size of all the font server names, and then provides a list of names. _fs_recv_conn_setup() allocated the specified total size for copying the names to, but didn't check to make sure it wasn't copying more data to that buffer than the size it had allocated. v2: use xfree() instead of free() for nx-libs 3.6.x (Mihai Moldovan)
* Revert "CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from ↵Mihai Moldovan2015-02-161-18/+3
| | | | | | xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d" This reverts commit 94c6de0649cd295044b1e4ff7265949c9c787519.
* CVE-2014-0210: unvalidated length fields in fs_read_query_info() from ↵Mike DePaulo2015-02-162-8/+54
| | | | | | | | | | | xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f fs_read_query_info() parses a reply from the font server. The reply contains embedded length fields, none of which are validated. This can cause out of bound reads in either fs_read_query_info() or in _fs_convert_props() which it calls to parse the fsPropInfo in the reply. v2: apply correctly on nx-libs 3.6.x (Mihai Moldovan)
* Revert "CVE-2014-0210: unvalidated length fields in fs_read_query_info() ↵Mihai Moldovan2015-02-162-52/+7
| | | | | | from xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f" This reverts commit c6aebf9284855a0e24ad9c5ffdd36aa65e16bec7.
* CVE-2014-0210: unvalidated length fields in fs_read_list_info() from ↵Mike DePaulo2015-02-141-1/+55
| | | | | | | | | xorg/lib/libXfont commit d338f81df1e188eb16e1d6aeea7f4800f89c1218 fs_read_list_info() parses a reply from the font server. The reply contains a number of additional data items with embedded length or count fields, none of which are validated. This can cause out of bound reads when looping over these items in the reply.
* CVE-2014-0210: unvalidated length fields in fs_read_list() from ↵Mike DePaulo2015-02-141-0/+15
| | | | | | | | | xorg/lib/libXfont commit 5fa73ac18474be3032ee7af9c6e29deab163ea39 fs_read_list() parses a reply from the font server. The reply contains a list of strings with embedded length fields, none of which are validated. This can cause out of bound reads when looping over the strings in the reply.
* CVE-2014-0210: unvalidated length fields in fs_read_glyphs() from ↵Mike DePaulo2015-02-141-1/+28
| | | | | | | | | xorg/lib/libXfont commit 520683652564c2a4e42328ae23eef9bb63271565 fs_read_glyphs() parses a reply from the font server. The reply contains embedded length fields, none of which are validated. This can cause out of bound reads when looping over the glyph bitmaps in the reply.
* CVE-2014-0210: unvalidated length fields in fs_read_extent_info() from ↵Mike DePaulo2015-02-141-0/+10
| | | | | | | | xorg/lib/libXfont commit a3f21421537620fc4e1f844a594a4bcd9f7e2bd8 Looping over the extents in the reply could go past the end of the reply buffer if the reply indicated more extents than could fit in the specified reply length.
* CVE-2014-0211: integer overflow in fs_alloc_glyphs() from xorg/lib/libXfont ↵Mike DePaulo2015-02-141-1/+6
| | | | | | | | commit a42f707f8a62973f5e8bbcd08afb10a79e9cee33 fs_alloc_glyphs() is a malloc wrapper used by the font code. It contains a classic integer overflow in the malloc() call, which can cause memory corruption.
* CVE-2014-0211: integer overflow in fs_read_extent_info() from ↵Mike DePaulo2015-02-141-1/+11
| | | | | | | | | xorg/lib/libXfont commit c578408c1fd4db09e4e3173f8a9e65c81cc187c1 fs_read_extent_info() parses a reply from the font server. The reply contains a 32bit number of elements field which is used to calculate a buffer length. There is an integer overflow in this calculation which can lead to memory corruption.
* CVE-2014-0210: unvalidated length fields in fs_read_query_info() from ↵Mike DePaulo2015-02-142-7/+52
| | | | | | | | | xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f fs_read_query_info() parses a reply from the font server. The reply contains embedded length fields, none of which are validated. This can cause out of bound reads in either fs_read_query_info() or in _fs_convert_props() which it calls to parse the fsPropInfo in the reply.
* CVE-2014-0211: Integer overflow in fs_get_reply/_fs_start_read from ↵Mike DePaulo2015-02-141-0/+18
| | | | | | | | | | | | | | | | | | | | xorg/lib/libXfont commit 0f1a5d372c143f91a602bdf10c917d7eabaee09b fs_get_reply() would take any reply size, multiply it by 4 and pass to _fs_start_read. If that size was bigger than the current reply buffer size, _fs_start_read would add it to the existing buffer size plus the buffer size increment constant and realloc the buffer to that result. This math could overflow, causing the code to allocate a smaller buffer than the amount it was about to read into that buffer from the network. It could also succeed, allowing the remote font server to cause massive allocations in the X server, possibly using up all the address space in a 32-bit X server, allowing the triggering of other bugs in code that fails to handle malloc failure properly. This patch protects against both problems, by disconnecting any font server trying to feed us more than (the somewhat arbitrary) 64 mb in a single reply.
* CVE-2014-0210: unvalidated lengths when reading replies from font server ↵Mike DePaulo2015-02-141-6/+38
| | | | | | | | from xorg/lib/libXfont commit cbb64aef35960b2882be721f4b8fbaa0fb649d12 Functions to handle replies to font server requests were casting replies from the generic form to reply specific structs without first checking that the reply was at least as long as the struct being cast to.
* Don't crash when we receive an FS_Error from the font server (Guillem ↵Mike DePaulo2015-02-141-1/+1
| | | | Jover). from xorg/lib/libXfont commit bfb8a71f4f7e5c5ed4278cb3ee271bf9990d276d
* CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from ↵Mike DePaulo2015-02-141-3/+18
| | | | | | | | | | | | | xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d The connection setup reply from the font server can include a list of alternate servers to contact if this font server stops working. The reply specifies a total size of all the font server names, and then provides a list of names. _fs_recv_conn_setup() allocated the specified total size for copying the names to, but didn't check to make sure it wasn't copying more data to that buffer than the size it had allocated.
* CVE-2014-0209: integer overflow of realloc() size in lexAlias() from ↵Mike DePaulo2015-02-141-0/+4
| | | | | | | | | | | | | | | xorg/lib/libXfont commit 05c8020a49416dd8b7510cbba45ce4f3fc81a7dc lexAlias() reads from a file in a loop. It does this by starting with a 64 byte buffer. If that size limit is hit, it does a realloc of the buffer size << 1, basically doubling the needed length every time the length limit is hit. Eventually, this will shift out to 0 (for a length of ~4gig), and that length will be passed on to realloc(). A length of 0 (with a valid pointer) causes realloc to free the buffer on most POSIX platforms, but the caller will still have a pointer to it, leading to use after free issues.
* CVE-2014-0209: integer overflow of realloc() size in FontFileAddEntry() from ↵Mike DePaulo2015-02-141-0/+5
| | | | | | | | | | | | | | | xorg/lib/libXfont commit 2f5e57317339c526e6eaee1010b0e2ab8089c42e FontFileReadDirectory() opens a fonts.dir file, and reads over every line in an fscanf loop. For each successful entry read (font name, file name) a call is made to FontFileAddFontFile(). FontFileAddFontFile() will add a font file entry (for the font name and file) each time it’s called, by calling FontFileAddEntry(). FontFileAddEntry() will do the actual adding. If the table it has to add to is full, it will do a realloc, adding 100 more entries to the table size without checking to see if that will overflow the int used to store the size.
* CVE-2013-6462: unlimited sscanf overflows stack buffer in ↵Mike DePaulo2015-02-141-1/+1
| | | | | | | | bdfReadCharacters() from xorg/lib/libXfont http://lists.x.org/archives/xorg-announce/2014-January/002389.html Fixes cppcheck warning: [lib/libXfont/src/bitmap/bdfread.c:341]: (warning) scanf without field width limits can crash with huge input data.
* LZW decompress: fix for CVE-2011-2895 From xorg/lib/Xfont commit ↵Mike DePaulo2015-02-141-0/+2
| | | | | | | | d11ee5886e9d9ec610051a206b135a4cdc1e09a0 Specially crafted LZW stream can crash an application using libXfont that is used to open untrusted font files. With X server, this may allow privilege escalation when exploited
* Handle some serious compilation warnings ↵Mirraz Mirraz2015-02-131-1/+1
| | | | (603_nx-X11_compilation_warnings.full.patch).
* Do not build bundled libraries ↵Orion Poplawski2015-02-132-7/+1
| | | | | | | | | | | | (601_nx-X11_build-option-changes-to-not-use-bundled-libraries.full.patch). This commit has been submitted by Orion in two portions. One was submitted to X2Go BTS and created on Wed, 10 Jul 2013. The other portion has been taken from the Fedora package by Mike Gabriel and worked into this patch on Fri, 06 Dec 2013.