| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Backported from X.org:
From 446ff2d3177087b8173fa779fa5b77a2a128988b Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Thu, 12 Nov 2020 19:15:07 +0100
Subject: [PATCH] Check SetMap request length carefully.
Avoid out of bounds memory accesses on too short request.
ZDI-CAN 11572 / CVE-2020-14360
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Fixes ArcticaProject/nx-libs#972.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
xkb.c: In function ‘ProcXkbSetCompatMap’:
xkb.c:2601:20: warning: declaration of ‘i’ shadows a previous local [-Wshadow=compatible-local]
register unsigned i,bit;
^
xkb.c:2529:23: note: shadowed declaration is here
register unsigned i,bit;
^
xkb.c:2601:22: warning: declaration of ‘bit’ shadows a previous local [-Wshadow=compatible-local]
register unsigned i,bit;
^~~
xkb.c:2529:25: note: shadowed declaration is here
register unsigned i,bit;
^~~
Backport of this xorg upstream commit:
commit 344eea237fc07dedfd733d14f95ed0ad26bb5f81
Author: Yaakov Selkowitz <yselkowitz@users.sourceforge.net>
Date: Tue Oct 16 02:04:34 2012 -0500
xkb: fix shadow warnings
Signed-off-by: Yaakov Selkowitz <yselkowitz@users.sourceforge.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
|
|
|
|
|
|
|
|
|
| |
commit 758393951233d1b2520cf4cefd33ec4288a3880a
Author: Dave Airlie <airlied@redhat.com>
Date: Wed Sep 12 11:09:40 2018 +1000
xkb: fix what looks to be a copy-paste error with first vs firstMM
Pointed out by coverity.
Signed-off-by: Dave Airlie <airlied@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
commit 534fc5140b039a8c98ab715d0a6740d513b41209
Author: Daniel Stone <daniel@fooishbar.org>
Date: Sun Feb 3 23:30:22 2008 +1100
XKB: Remove a bunch of mad ifdefs
We have SEEK_SET and size_t, seriously. Also use DebugF instead of
ifdef DEBUG, and ditch a couple of random bits that were never used.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Backport of
commit dc9ce695a69ca0787f58f8d160212a7a41acb703
Author: Rami Ylimäki <rami.ylimaki@vincit.fi>
Date: Wed Mar 9 15:45:40 2011 +0200
xkb: Initialize pad bytes sent in replies of geometry requests.
Valgrind complains about uninitialized data being written to clients.
Reviewed-by: Erkki Seppälä <erkki.seppala@vincit.fi>
Signed-off-by: Rami Ylimäki <rami.ylimaki@vincit.fi>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Backport of
commit 81b3b0cce088866dc3cda099d7c8d6655849fd43
Author: Tomas Janousek <tomi@nomi.cz>
Date: Wed May 20 15:03:01 2009 +0200
Bug #6428, #16458, #21464: Fix crash due to uninitialized VModMap fields.
In ProcXkbGetKbdByName, mrep.firstVModMapKey, .nVModMapKeys and
.totalVModMapKeys were not initialized, contained random values and caused
accesses to unallocated and later modified memory, causing
XkbSizeVirtualModMap and XkbWriteVirtualModMap to see different number of
nonzero values, resulting in writes past the end of an array in XkbSendMap.
This patch initializes those values sensibly and reverts commits 5c0a2088 and
6dd4fc46, which have been plain non-sense.
Signed-off-by: Tomas Janousek <tomi@nomi.cz>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have fixed that (independendly) before, but missed one line.
Backported-to-nx-by: Ulrich Sibiller <uli42@gmx.de>
commit 85f9017393c9bb19553e9afcf554673a44a09993
Author: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com>
Date: Tue Feb 8 11:10:10 2011 +0200
ProcXkbGetXkbByName: fix use of uninitialised bytes valgrind error.
==9999== Syscall param writev(vector[...]) points to uninitialised byte(s)
==9999== at 0x4AB5154: writev (writev.c:51)
==9999== by 0x7C7C3: _XSERVTransWritev (Xtrans.c:912)
==9999== by 0x61C8B: FlushClient (io.c:924)
==9999== by 0x62423: WriteToClient (io.c:846)
==9999== by 0xCE39B: XkbSendMap (xkb.c:1408)
==9999== by 0xD247B: ProcXkbGetKbdByName (xkb.c:5814)
==9999== by 0x4AB53: Dispatch (dispatch.c:432)
==9999== by 0x205BF: main (main.c:291)
==9999== Address 0x557eb68 is 40 bytes inside a block of size 4,096 alloc'd
==9999== at 0x48334A4: calloc (vg_replace_malloc.c:467)
==9999== by 0x62567: WriteToClient (io.c:1065)
==9999== by 0x452EB: ProcEstablishConnection (dispatch.c:3685)
==9999== by 0x4AB53: Dispatch (dispatch.c:432)
==9999== by 0x205BF: main (main.c:291)
==9999== Uninitialised value was created by a stack allocation
==9999== at 0xD1910: ProcXkbGetKbdByName (xkb.c:5559)
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Oliver McFadden <oliver.mcfadden@nokia.com>
Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Backported-to-nx-by: Ulrich Sibiller <uli42@gmx.de>
commit 8a34d7a8532c7ca013e67307f3baf200167abb92
Author: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com>
Date: Tue Feb 8 11:10:11 2011 +0200
XkbSendNames: fix use of uninitialised bytes valgrind error.
==537== Syscall param writev(vector[...]) points to uninitialised byte(s)
==537== at 0x4AB7154: writev (writev.c:51)
==537== by 0x8935B: _XSERVTransWritev (Xtrans.c:912)
==537== by 0x6C55F: FlushClient (io.c:924)
==537== by 0x6CCF3: WriteToClient (io.c:846)
==537== by 0xD51D3: XkbSendNames (xkb.c:3765)
==537== by 0xD8183: ProcXkbGetKbdByName (xkb.c:5825)
==537== by 0x27B7B: Dispatch (dispatch.c:432)
==537== by 0x205B7: main (main.c:291)
==537== Address 0x55899f2 is 154 bytes inside a block of size 1,896 alloc'd
==537== at 0x4834C48: malloc (vg_replace_malloc.c:236)
==537== by 0xD47AF: XkbSendNames (xkb.c:3642)
==537== by 0xD8183: ProcXkbGetKbdByName (xkb.c:5825)
==537== by 0x27B7B: Dispatch (dispatch.c:432)
==537== by 0x205B7: main (main.c:291)
==537== Uninitialised value was created by a heap allocation
==537== at 0x4834C48: malloc (vg_replace_malloc.c:236)
==537== by 0xD47AF: XkbSendNames (xkb.c:3642)
==537== by 0xD8183: ProcXkbGetKbdByName (xkb.c:5825)
==537== by 0x27B7B: Dispatch (dispatch.c:432)
==537== by 0x205B7: main (main.c:291)
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Oliver McFadden <oliver.mcfadden@nokia.com>
Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Spotted in and backported from X.org:
commit 021fc5cb2cb4a7972b4a6fcb570c1da92787d68d
Author: Adam Jackson <ajax@benzedrine.nwnk.net>
Date: Sun Mar 18 16:31:19 2007 -0400
Static markup and dead code cull over xkb/.
The former <X11/extensions/XKBsrv.h> has been pulled into the server now as
include/xkbsrv.h, and the world updated to look for it in the new place,
since it made no sense to define server API in an extension header. Any
further work along this line will need to do similar things with XKBgeom.h
and friends.
Backported-to-NX-by: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
|
|
|
|
|
|
| |
and do it identically everywhere. As we are using C99 designated
initializers here we remove the memset and bzero calls that had been
used for this at some locations.
|
|
|
|
|
|
|
| |
In XORG-7_1 xkbconfig.c had been dropped. We must keep this file
because it is used by hw/nxagent/Keyboard.c to load the xkb
configuration file. Maybe we should move the relevant code to there or
drop xkb configuration file support from nxagent.
|
|
|
|
| |
as reported by valgrind
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is basically a backport of the following commits + replacing
xalloc/xfree by malloc/free. Fixes ArcticaProject/nx-libs#358.
commit 2761c103311a1160bc483fd0367d654733df8598
Author: Daniel Stone <daniel@fooishbar.org>
Date: Mon Nov 5 14:03:26 2007 +0000
OS: Remove usage of alloca
Replace with heap allocations.
commit 5e363500c86042c394595e1a6633581eb8fcd1bb
Author: Daniel Stone <daniel@fooishbar.org>
Date: Mon Nov 5 14:38:28 2007 +0000
OS: Remove ALLOCATE_LOCAL from os.h
Remove ALLOCATE_LOCAL_FALLBACK and DEALLOCATE_LOCAL_FALLBACK from os.h, and
remove the include of Xalloca.h as well.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The two functions have identical semantics, including safely returning
NULL when NULL is passed in (which POSIX strdup does not guarantee).
Some callers could probably be adjusted to call libc strdup directly,
when we know the input is non-NULL.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Inspired by X.org commits:
commit 08093c25a91c07ab8af7cece9bba738b827cfd1b
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Mon Oct 24 23:16:30 2011 -0700
Convert some malloc + strncpy pairs into strndup calls
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
commit 816b79dd061e9839cec94a4986a7820b70ca8a7f
Author: Mikhail Gusarov <dottedmag@dottedmag.net>
Date: Thu May 13 03:45:21 2010 +0700
Remove useless casts
Signed-off-by: Mikhail Gusarov <dottedmag@dottedmag.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
This PR ships a tiny change in MakeAtom, that we adopted.
We did not adopt the full commit.
commit 5623c27700b7b23a8dbbd8c8f45e5d4fa0c667e3
Author: Alan Coopersmith <alan.coopersmith@sun.com>
Date: Mon Feb 2 19:25:14 2009 -0800
Constify atom name strings
Changes MakeAtom to take a const char * and NameForAtom to return them,
since many callers pass pointers to constant strings stored in read-only
ELF sections. Updates in-tree callers as necessary to clear const
mismatch warnings introduced by this change.
Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
Backported-to-NX-by: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
|
|
|
|
|
|
| |
xkb.c: In function ‘_GetCountedString’:
xkb.c:4405:8: warning: assignment makes integer from pointer without a cast [enabled by default]
len= (CARD16 *)wire;
|
|
|
|
| |
just as upstream did
|
|
|
|
| |
just like upstream does
|
|
|
|
| |
just like upstream does
|
|
|
|
|
| |
This has already been started while replacing copyright info in file
headers and has now been completed with this commit.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove defines of NEED_EVENTS and NEED_REPLIES because they are never
used anywhere.
Basically these three commits, but as they are newer and to not match
the code structure the patches have not been applied but replaced by
sed + manual intervention:
From cb95642dc8edebb2935dd471f8b339cb98aa8481 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@redhat.com>
Date: Fri, 28 Nov 2008 22:28:32 +1000
Subject: Remove #define NEED_EVENTS and NEED_REPLIES
A grep on xorg/* revealed there's no consumer of this define.
Quote Alan Coopersmith:
"The consumer was in past versions of the headers now located
in proto/x11proto - for instance, in X11R6.0's xc/include/Xproto.h,
all the event definitions were only available if NEED_EVENTS were
defined, and all the reply definitions required NEED_REPLIES.
Looks like Xproto.h dropped them by X11R6.3, which didn't have
the #ifdef's anymore, so these are truly ancient now."
Signed-off-by: Peter Hutterer <peter.hutterer@redhat.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
--
From 6de368c9aa7ccd2fcd62fca5a2b278913db4d03d Mon Sep 17 00:00:00 2001
From: Fernando Carrijo <fcarrijo@yahoo.com.br>
Date: Thu, 1 Jul 2010 06:50:47 -0300
Subject: Purge macros NEED_EVENTS and NEED_REPLIES
Signed-off-by: Fernando Carrijo <fcarrijo@yahoo.com.br>
Acked-by: Tiago Vignatti <tiago.vignatti@nokia.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
--
From 57c03e52e6b4e3ed54df5fdd778865467d08e119 Mon Sep 17 00:00:00 2001
From: Fernando Carrijo <fcarrijo@yahoo.com.br>
Date: Thu, 1 Jul 2010 06:59:48 -0300
Subject: Purge macro NEED_EVENTS
Signed-off-by: Fernando Carrijo <fcarrijo@yahoo.com.br>
Acked-by: Tiago Vignatti <tiago.vignatti@nokia.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Casting return to (void) was used to tell lint that you intended
to ignore the return value, so it didn't warn you about it.
Casting the third argument to (char *) was used as the most generic
pointer type in the days before compilers supported C89 (void *)
(except for a couple places it's used for byte-sized pointer math).
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Tested-by: Daniel Stone <daniel@fooishbar.org>
Backport to nx-libs: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
|
|
|
|
| |
to xkb.h. Explicitly initialise nTypes in xkb.c.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(introducing wrong_size check at build time).
While working on this changeset, various spots got discovered where
swapl or swaps was used on a wrong type, where byte swapping calls had
been forgotten or done on the wrong variable.
This backport at least includes changes from the following X.org
commits, listed in non-chronological order:
commit 2c7c520cfe0df30f4bc3adba59d9c62582823bf8
Author: Matt Turner <mattst88@gmail.com>
Date: Thu Aug 4 15:35:41 2011 -0400
Use internal temp variable for swap macros
Also, fix whitespace, mainly around
swaps(&rep.sequenceNumber)
Reviewed-by: Peter Harris <pharris@opentext.com>
Signed-off-by: Matt Turner <mattst88@gmail.com>
commit 9edcae78c46286baff42e74bfe26f6ae4d00fe01
Author: Matt Turner <mattst88@gmail.com>
Date: Wed Sep 21 17:14:16 2011 -0400
Use correct swap{l,s} (or none at all for CARD8)
Swapping the wrong size was never caught because swap{l,s} are macros.
It's clear in the case of Xext/xres.c, that the author believed
client_major/minor to be CARD16 from looking at the code in the first
hunk.
v2: dmx.c fixes from Keith.
Reviewed-by: Peter Harris <pharris@opentext.com>
Signed-off-by: Matt Turner <mattst88@gmail.com>
commit dab064fa5e0b1f5c67222562ad5367005832cba1
Author: Andrea Canciani <ranma42@gmail.com>
Date: Tue Nov 2 20:10:32 2010 +0100
render: Fix byteswapping of gradient stops
The function swapStops repeatedly swaps the color components as
CARD16, but incorrectly steps over them as if they were CARD32.
This causes half of the stops not to be swapped at all and some
unrelated data be swapped instead.
Signed-off-by: Andrea Canciani <ranma42@gmail.com>
Reviewed-by: Soren Sandmann <sandmann@daimi.au.dk>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Keith Packard <keithp@keithp.com>
commit 54770c980cd2b91a8377f975a58ed69def5cfa42
Author: Matt Turner <mattst88@gmail.com>
Date: Tue Aug 16 16:59:07 2011 -0400
Cast char* buffers to swap functions
Reviewed-by: Peter Harris <pharris@opentext.com>
Signed-off-by: Matt Turner <mattst88@gmail.com>
commit 6844bd2e63490870bab3c469eec6030354ef2865
Author: Alan Coopersmith <alan.coopersmith@sun.com>
Date: Wed Jan 9 19:52:00 2008 -0800
More Xv extension byte swapping fixes
commit e46f6ddeccd082b2d507a1e8b57ea30e6b0a2c83
Author: Michel Dänzer <michel@tungstengraphics.com>
Date: Wed Jan 16 14:24:22 2008 +0100
Yet another Xv extension byte swapping fix.
|
|
|
|
| |
Fixes ArcticaProject/nx-libs#105
|
|
|
|
| |
header file containing all use protocol versions.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the process of building nxagent against more and more system-wide installed
X.org libraries, we come to the limit of including structs from this (bundled
nx-X11) and that (system-wide X.Org) library.
This commit introduces a clear namespace separation of headers provided by
nx-X11 and headers provided by X.Org. This approach is only temporary as we
want to drop all nx-X11 bundled libraries from nx-libs.
However, for a while we need to make this separation clear and also ship
some reduced fake X.Org headers that avoid pulling in libX* and libNX_X*
symbols at the same time.
This patch has been tested on Debian jessie and unstable and requires no
overall testing on various distros and distro versions, as we finally will
drop all libNX_X* libraries and build against X.org's client libs.
For now, this hack eases our development / cleanup process.
|
|
|
|
|
|
|
|
|
|
| |
This lets us stop using the 'pointer' typedef in Xdefs.h as 'pointer'
is used throughout the X server for other things, and having duplicate
names generates compiler warnings.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Rebased against NX: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
|
|
|
|
| |
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ensure that the given strings length in an XkbSetGeometry request remain
within the limits of the size of the request.
v3: backport to nx-libs 3.6.x because this is
the CVE-2015-0255 fix (Mike DePaulo)
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 20079c36cf7d377938ca5478447d8b9045cb7d43)
(cherry picked from commit f160e722672dbb2b5215870b47bcc51461d96ff1)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The XkbSetGeometry request embeds data which needs to be swapped when the
server and the client have different endianess.
_XkbSetGeometry() invokes functions that swap these data directly in the
input buffer.
However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
(if there is more than one keyboard), thus causing on swapped clients the
same data to be swapped twice in memory, further causing a server crash
because the strings lengths on the second time are way off bounds.
To allow _XkbSetGeometry() to run reliably more than once with swapped
clients, do not swap the data in the buffer, use variables instead.
v3: backport to nx-libs 3.6.x as a prereq for
the CVE-2015-0255 fix (Mike DePaulo)
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd)
(cherry picked from commit 29be310c303914090298ddda93a5bd5d00a94945)
Signed-off-by: Julien Cristau <jcristau@debian.org>
index 2405090..7db0959 100644
|
|
|
|
|
| |
v2: backport to nx-libs 3.6.x as a prereq for
the CVE-2015-0255 fix (Mike DePaulo)
|
|
Summary: Imported nx-X11-3.1.0-1.tar.gz
Keywords:
Imported nx-X11-3.1.0-1.tar.gz
into Git repository
|