| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The array is defined as having NUM_LOCALEDIR entries, so use that
instead of hardcoded 256 value (the other two calls already did this).
Reported by parfait:
Buffer overflow (CWE 120): In pointer dereference of argv[argc] with index argc
Pointer size is 64 elements (of 8 bytes each), index is 255
at line 82 of nx-X11/lib/X11/lcFile.c in function 'parse_line'.
called at line 178 in function '_XlcParsePath' with argv = argv.
called at line 722 in function '_XlcLocaleLibDirName' with argv = args, argsize = 256.
at line 82 of nx-X11/lib/X11/lcFile.c in function 'parse_line'.
called at line 178 in function '_XlcParsePath' with argv = argv.
called at line 638 in function '_XlcLocaleDirName' with argv = args, argsize = 256.
[ This bug was found by the Parfait 1.2.0 bug checking tool.
http://labs.oracle.com/pls/apex/f?p=labs:49:::::P49_PROJECT_ID:13 ]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
imRm.c: In function '_XimSetICMode':
imRm.c:2419:37: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual]
imRm.c:2420:30: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual]
lcGenConv.c: In function 'byteM_parse_codeset':
lcGenConv.c:345:13: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
| |
Add const qualifiers to casts where needed, remove other casts that
are no longer needed.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of reusing the input parameter to store the output, make a
result variable instead, so that there's less const confusion.
Fixes gcc warnings:
lcWrap.c: In function 'XSetLocaleModifiers':
lcWrap.c:87:18: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual]
lcWrap.c:91:25: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual]
lcWrap.c:93:12: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Makes code considerably less crufty and clears gcc warnings:
XlcDL.c: In function '_XlcDynamicLoad':
XlcDL.c:384:44: warning: cast discards '__attribute__((const))' qualifier
from pointer target type [-Wcast-qual]
XlcDL.c:386:51: warning: cast discards '__attribute__((const))' qualifier
from pointer target type [-Wcast-qual]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Strings from the supported_charset_list[] were being copied one by
one to a stack buffer, and then strdup called on that buffer.
Instead, just strdup the original string, without the local copy,
and use a more traditional for loop, so it's easier to figure out
what the code is doing (cleaning up a gcc const-cast warning in
the process).
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
| |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This function performs operations on a region, and when finished,
checks to see if it should compact the rectangle list. If the
number of rectangles for which memory is allocated in the list is
more than twice the number used, it tries to shrink. realloc()
should not fail in this case, but if it does, might as well keep
the correct value for the number of allocated rectangles, so we
don't try to grow it unnecessarily later if adding to the region.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
| |
Zero out the region size when freeing the region so callers don't think
there's anything there. (Pointer is already set to NULL from the realloc
result itself.) Return 0 to the callers, and have them cascade that back
to their callers to indicate failure, instead of their usual return value
of 1 on success.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
| |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
| |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
| |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, if realloc failed to increase the size, we'd still
record that we had allocated the larger size, but the pointer
to it would be NULL, causing future calls to be broken, and the
previous allocation to be lost/leaked.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
| |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
| |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
| |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previous code seemed to assume that printf("%s", NULL) would result
in a 0-length string, not "(null)" or similar, but since there's no
point looking for files in "(null)/filepath...", instead we just
skip over NULL entries in search paths when generating file names.
In the *DirName() functions, this effectively just moves the "bail on
NULL in arg[i]" check up from the later code that assigned it to targetdir
and then bailed if that was NULL.
Not sure how there ever could be a NULL in arg[i], given the current
implementation of XlcParsePath, but it's easy enough to check once and
reject up front instead of on every reference.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
File Leak: Leaked File fp
at line 219 of lib/libX11/nx-X11/lib/X11/XlcDL.c in function 'resolve_object'.
fp initialized at line 198 with fopen
[ This bug was found by the Parfait 1.2.0 bug checking tool.
http://labs.oracle.com/pls/apex/f?p=labs:49:::::P49_PROJECT_ID:13 ]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
| |
Fix bogus timestamp generted by XIM due to uninitialized
data field. Also set appropriate serial, too.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=39367
Signed-off-by: Chiaki ISHIKAWA <ishikawa@yk.rim.or.jp>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
place.
When synthesized key events are sent on commit XIM sets the 'fabricated'
flag so that the keypress handler knows that these were not real events.
This also happens when committing due to the loss of focus. However in this
case the keypress/release filters which consume and unset this flag are no
longer in the filter chain.
So the flag is erronously set when a real keyboard event is received after
focus has been regained. So the first event is wrongly treated as a
fabricated key in the keypress handler which will at the same time reset
the flag so the second key event is treated correctly.
This fix only sets the flag when at least one of the keyboard filters is in
place.
How to reproduce this bug: run scim, choose a Japanese input method start
two instances of xterm: start typing in one xterm (this should pop up an
IM window). Without comitting (hitting 'enter') move focus to the other
xterm, then move focus back. Start typing again. The first character will
be committed immediately without popping up an input window.
With this fix this behavior is gone.
See also: https://bugzilla.novell.com/show_bug.cgi?id=239698
Signed-off-by: Egbert Eich <eich@freedesktop.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
| |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
| |
Handle arbitrary length data in the same fashion as other calls,
avoiding need to ensure it fits all in the request buffer.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Two users of GetReqExtra pass arbitrarily sized allocations from the
caller (ModMap and Host). Adjust _XGetRequest() (called by the GetReqExtra
macro) to double-check the requested length and invalidate "req" when
this happens. Users of GetReqExtra passing lengths greater than the Xlib
buffer size (normally 16K) must check "req" and fail gracefully instead
of crashing.
Any callers of GetReqExtra that do not check "req" for NULL
will experience this change, in the pathological case, as a NULL
dereference instead of a buffer overflow. This is an improvement, but
the documentation for GetReqExtra has been updated to reflect the need
to check the value of "req" after the call.
Bug that manifested the problem:
https://bugs.launchpad.net/ubuntu/+source/x11-xserver-utils/+bug/792628
Signed-off-by: Kees Cook <kees@outflux.net>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[For all of these, LONG_MAX was the correct value to prevent overflows
for the recent CVEs. Lowering to INT_MAX catches buggy replies from
the server that 32-bit clients would reject but 64-bit would accept,
so we catch bugs sooner, and really, no sane & working server should
ever report more than 2gb of extension names, font path entries,
key modifier maps, etc. -alan- ]
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
clang complained (correctly):
warning: comparison of constant 768614336404564650 with expression
of type 'CARD32' (aka 'unsigned int') is always true
[-Wtautological-constant-out-of-range-compare]
[While LONG_MAX is correct, since it's used in size_t math, the
numbers have to be limited to 32-bit range to be usable by 32-bit
clients, and values beyond that range are far more likely to be
bugs in the data from the server than valid numbers of characters
in a font. -alan- ]
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
| |
Reviewed-by: Jamey Sharp <jamey@minilop.net>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
| |
It seems useless to do that since the code tests for both source
length and destination to be non-zero. This fixes a cut'n'paste
problem in xterm where the paste length was limited to 1024 (BUFSIZ)
in button.c.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
| |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit looks a bit crazy at first glance. It (re-)introduces lots
of whitespaces and bad formatting.
Explanation: Backporting upstream changes lead to commits being
applied out of order. This meant a lot of manual intervention which in
turn lead to slight differences between upstream and NX.
With this commit these slight differences are minimized which will be
of great help when adding further upstream patches.
|
|
|
|
|
|
|
| |
Better to silence the compiler warning than break ABI.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
| |
Inspired by a pattern in NoMachine's NX. Consistently zeroed buffers
compress better with ssh and friends. Note that you'll need to rebuild
all your protocol libraries to take advantage of this.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
| |
Using uninitialized value "error.resourceID" in call to function "_XError"
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Erkki Seppälä <erkki.seppala@vincit.fi>
Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Called from XrmGetFileDatabase() which gets called from InitDefaults()
which gets the filename from getenv ("XENVIRONMENT")
If file is exactly 0xffffffff bytes long (or longer and truncates to
0xffffffff, on implementations where off_t is larger than an int),
then size may be set to a value which overflows causing less memory
to be allocated than is written to by the following read() call.
size is left limited to an int, because if your Xresources file is
larger than 2gb, you're very definitely doing it wrong.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
| |
XFree colormap_ret and initialize it when appropriate.
Variable "colormap_ret" goes out of scope
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
| |
_XimLocalMbLookupString can return a braille keysym even if _Xlcwctomb can't
convert to the current MB charset.
_XimLocalUtf8LookupString needs to set the braille keysym and status too.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
| |
This reverts commit 8866f80d9f42e02093058cab027edbf127118105.
That commit had been edited and was incomplete, by reverting
and re-applying we get it right.
|
|
|
|
|
| |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
| |
We have the same commit for XKBGAlloc.c but it was missing here since
upstream has dropped OpenDis.c when they switched to XCB.
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
| |
|
|
|
|
|
| |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
| |
Fixes builds with Solaris Studio 12.3 when lint is enabled, since it no
longer ignores *.h files, but complains when they reference undefined
typedefs or macros.
Signed-off-by: Niveditha Rau <Niveditha.Rau@Oracle.COM>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes small memory leak introduced in commit 5669a22081
Reported-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Hint: Upstream commit 5669a22081 is "integer overflow in _XF86BigfontQueryFont() [CVE-2013-1981 2/13]"
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The size of the arrays is max_key_code + 1. This makes these functions
consistent with the other checks added for CVE-2013-1997.
Also check the XkbGetNames reply when names->keys was just allocated.
Signed-off-by: Julien Cristau <jcristau@debian.org>
Tested-by: Colin Walters <walters@verbum.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
| |
This reverts commit b092864a39bbcd4f34c5c26a7cd0df90e235815d.
We will use the proper libX11 upstream patches now.
|
|
|
|
|
| |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
| |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
| |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
| |
While the C standard technically allows for the compiler to translate
pointer = 0 or pointer = NULL into something other than filling the
pointer address with 0 bytes, the rest of the Xlib code already assumes
that calloc initializes any pointers in the struct to NULL, and there
are no known systems supported by X.Org where this is not true.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
| |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
| |
Don't provide a fallback definition #ifdef X_NOT_POSIX anymore.
We already use size_t throughout the rest of Xlib, just had this
one instance left in XKBGAlloc.c of a fallback definition.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|