path: root/nx-X11
Commit message | Author | Age | Files | Lines
* nxagent: make Fullscreen and AllScreens Booleans | Ulrich Sibiller | 2021-01-15 | 6 | -35/+29
    There's no need/sense in having a tri-state with the third state being UNDEFINED.
* Handlers.c: ensure regular yields if suspended | Ulrich Sibiller | 2021-01-15 | 1 | -1/+22
    Fixes ArcticaProject/nx-libs#903
* CVE-2020-14360: Check SetMap request length carefully. | Mike Gabriel | 2021-01-15 | 1 | -0/+91
    Backported from X.org:

    From 446ff2d3177087b8173fa779fa5b77a2a128988b Mon Sep 17 00:00:00 2001
    From: Matthieu Herrb <matthieu@herrb.eu>
    Date: Thu, 12 Nov 2020 19:15:07 +0100
    Subject: [PATCH] Check SetMap request length carefully.

    Avoid out of bounds memory accesses on too short request.

    ZDI-CAN 11572 / CVE-2020-14360

    This vulnerability was discovered by:
    Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

    Fixes ArcticaProject/nx-libs#972.
* Init.c: Initialize nxagentGrabServerInfo | Ulrich Sibiller | 2021-01-12 | 1 | -1/+8
    Fixes ArcticaProject/nx-libs#983
* Events.c: fix leftover DEBUG and TEST definitions | Ulrich Sibiller | 2020-12-03 | 1 | -4/+1
    causing DEBUG output in regular builds.
* NXdixfonts.c: Regression fix for db45683a. Fix typo in libXfont1 function ↵ | Mike Gabriel | 2020-11-04 | 1 | -1/+1
    call (FreeFontName -> FreeFontNames). Fixes FTBFS on Ubuntu 14.04 and 16.04.
* release 3.5.99.25 [3.5.99.25] | Mike Gabriel | 2020-11-04 | 2 | -1/+1
* NXdixfonts.c: Hard-code the enablement of NXAGENT_DANGEROUS_XFONT_LOOP_EXIT. | Mike Gabriel | 2020-11-04 | 1 | -0/+7
* NXdixfonts.c: Rename BREAK_XFONT_LOOP to NXAGENT_DANGEROUS_XFONT_LOOP_EXIT ↵ | Mike Gabriel | 2020-11-04 | 1 | -4/+4
    (better macro name).
* Clipboard.c: fix bug in special optimization for nested settings | Ulrich Sibiller | 2020-11-04 | 1 | -2/+3
    Fixes ArcticaProject/nx-libs#941
* compext/Png.c: fix shadowing | Ulrich Sibiller | 2020-11-03 | 1 | -3/+3
    Png.c: In function ‘PngWriteData’:
    Png.c:603:38: warning: declaration of ‘png_ptr’ shadows a global declaration [-Wshadow]
      603 | static void PngWriteData(png_structp png_ptr, png_bytep data, png_size_t length)
          |                          ~~~~~~~~~~~~^~~~~~~
    Png.c:77:13: note: shadowed declaration is here
       77 | png_structp png_ptr;
          |             ^~~~~~~
    Png.c: In function ‘PngFlushData’:
    Png.c:610:38: warning: declaration of ‘png_ptr’ shadows a global declaration [-Wshadow]
      610 | static void PngFlushData(png_structp png_ptr)
          |                          ~~~~~~~~~~~~^~~~~~~
    Png.c:77:13: note: shadowed declaration is here
       77 | png_structp png_ptr;
          |             ^~~~~~~
* Screen.c: fix indentation in nxagentMaximizeToFullScreen | Ulrich Sibiller | 2020-11-03 | 1 | -37/+37
* Atoms.c: fix FIXME comment | Ulrich Sibiller | 2020-11-03 | 1 | -1/+1
* Atoms.c: improve debug output | Ulrich Sibiller | 2020-11-03 | 1 | -1/+1
* Events.c: scope improvement | Ulrich Sibiller | 2020-11-03 | 1 | -2/+2
* Xext/panoramiX.c: rename shadowing variables | Ulrich Sibiller | 2020-11-03 | 1 | -7/+7
* Clipboard.c: add missing ifdefs | Ulrich Sibiller | 2020-11-03 | 1 | -0/+6
* Compext.c: scope improvements | Ulrich Sibiller | 2020-11-03 | 1 | -14/+6
* GCs.h: fix typo | Ulrich Sibiller | 2020-11-03 | 1 | -1/+1
* Atoms.c: drop double include | Ulrich Sibiller | 2020-11-03 | 1 | -1/+0
* Compext.c: use SAFE_free macro | Ulrich Sibiller | 2020-11-03 | 4 | -169/+106
* Clipboard.c: fix missing ) | Ulrich Sibiller | 2020-11-03 | 1 | -1/+1
* NXdixfonts.c: fix memory leak | Ulrich Sibiller | 2020-11-03 | 1 | -6/+56
    ==15332== 2,500 (96 direct, 2,404 indirect) bytes in 6 blocks are definitely lost in loss record 324 of 342
    ==15332==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==15332==    by 0x5748B9E: FontFileStartListFonts (in /usr/lib/x86_64-linux-gnu/libXfont.so.1.4.1)
    ==15332==    by 0x5748C4A: FontFileStartListFontsAndAliases (in /usr/lib/x86_64-linux-gnu/libXfont.so.1.4.1)
    ==15332==    by 0x42859A: nxdoListFontsAndAliases (NXdixfonts.c:1163)
    ==15332==    by 0x42C0E0: nxOpenFont (NXdixfonts.c:1541)
    ==15332==    by 0x43392E: ProcOpenFont (NXdispatch.c:902)
    ==15332==    by 0x434585: Dispatch (NXdispatch.c:482)
    ==15332==    by 0x40EF77: main (main.c:355)

    FontFileStartListFonts[AndAliases]() allocates some private data. This
    data is used by subsequent calls of FontFileListNextFontOrAlias() in a
    loop. (Only) the last call to that function will free() the private
    data and return with BadFontName. FontFileListNextFontOrAlias() is the
    only libXfont function that free()s the private data.

    In nxagent the loop is exited as soon as a font exists both locally and
    remote. Therefore the private data would never be free()d.

    Solution: do not break the loop but store the first matching result and
    let the loop run to the end, ignoring all following results.

    Disadvantage: this can mean hundreds of extra iterations for nothing. I
    have done no investigation of the time penalty this might cause.
    Unfortunately this is the only clean way I have found so far.

    An unclean solution has also been implemented. It can be activated by
    defining BREAK_XFONT_LOOP. In that case the private data is handled in
    nxagent by taking assumptions about its structure (taken from the
    libXfont source). That will break if libXfont changes its internal
    handling of the private. Therefore it is discouraged.

    A third alternative would be to drop using libXfont from the system.
    Instead fork libXfont to the nx-libs tree, add some patches and link to
    that library statically.

    Fixes ArcticaProject/nx-libs#586
* yConnDis.c: fix memory leak | Ulrich Sibiller | 2020-11-03 | 1 | -12/+28
    Direct leak of 3 byte(s) in 1 object(s) allocated from:
        #0 0xb79e85d4 in __interceptor_malloc (/lib/i386-linux-gnu/libasan.so.5+0xeb5d4)
        #1 0xb770b635 in copystring /home/uli/work/nx/nx-libs/nx-X11/lib/src/ConnDis.c:96
        #2 0xb770ba56 in _X11TransConnectDisplay /home/uli/work/nx/nx-libs/nx-X11/lib/src/ConnDis.c:229
        #3 0xb776b4fd in XOpenDisplay /home/uli/work/nx/nx-libs/nx-X11/lib/src/OpenDis.c:215
        #4 0x63e2fd in nxagentInternalOpenDisplay /home/uli/work/nx/nx-libs/nx-X11/programs/Xserver/hw/nxagent/Display.c:608
        #5 0x63fa03 in nxagentOpenDisplay /home/uli/work/nx/nx-libs/nx-X11/programs/Xserver/hw/nxagent/Display.c:1140
        #6 0x694b5a in InitOutput /home/uli/work/nx/nx-libs/nx-X11/programs/Xserver/hw/nxagent/Init.c:305
        #7 0x5f7b11 in main /home/uli/work/nx/nx-libs/nx-X11/programs/Xserver/dix/main.c:278
        #8 0xb6f04b40 in __libc_start_main ../csu/libc-start.c:308

    I have not investigated the exact location where an XFree() was missing
    but added multiple Xfree() calls wherever appropriate.

    Fixes ArcticaProject/nx-libs#951
* Events.c: More cosmetics | Ulrich Sibiller | 2020-10-17 | 1 | -7/+9
* Window.c: some more TEST and DEBUG output | Ulrich Sibiller | 2020-10-17 | 1 | -0/+9
* Screen.c: some more (cosmetic) changes | Ulrich Sibiller | 2020-10-17 | 1 | -61/+49
* Screen.c: scope improvements | Ulrich Sibiller | 2020-10-17 | 1 | -25/+13
* Screen.c: move attributes/valuemask to inner scopes | Ulrich Sibiller | 2020-10-17 | 1 | -11/+9
* Screen.c: drop unnecessary mask variable | Ulrich Sibiller | 2020-10-17 | 1 | -9/+3
* Screen.c: remove another pointless code block | Ulrich Sibiller | 2020-10-17 | 1 | -10/+0
    Setting nxagentDefaultWindow[pScreen->myNum] is pointless because it is overwritten in the next code block...
* Screen.c: remove code that will have no effect | Ulrich Sibiller | 2020-10-17 | 1 | -5/+0
    setting a value for an attribute in the structure is pointless if you
    do not set the valuemask accordingly. Adding the missing valuemask code
    here would also be pointless because the valuemask is set to a fixed
    value later on. Therefore we can drop this code here.
* Screen.c: scope improvement | Ulrich Sibiller | 2020-10-17 | 1 | -1/+2
* Screen.c: cleanup auto dpi handling | Ulrich Sibiller | 2020-10-17 | 1 | -6/+9
    new code is easier to read
* Init.c: small simplification | Ulrich Sibiller | 2020-10-17 | 1 | -4/+2
* NXwindow.c: fix some format specifiers | Ulrich Sibiller | 2020-10-17 | 1 | -6/+5
* Window.c: simplify setting of isMapped private var | Ulrich Sibiller | 2020-10-17 | 1 | -8/+2
* Window.c: -reportprivatewids reports root window as such | Ulrich Sibiller | 2020-10-17 | 1 | -4/+14
    and not as a "private" window like all others.
* Screen.c: simplify nxagentResizeScreen | Ulrich Sibiller | 2020-10-17 | 1 | -12/+13
* Screen.c: improve output of nxagentPrintAgentGeometry | Ulrich Sibiller | 2020-10-17 | 2 | -11/+15
* Screen.c: improve debug output | Ulrich Sibiller | 2020-10-17 | 1 | -13/+29
* nxagent: add names to some windows in DEBUG mode | Ulrich Sibiller | 2020-10-17 | 3 | -6/+83
* Display.c: disable confine window | Ulrich Sibiller | 2020-10-17 | 2 | -0/+6
    We are not using it anywhere so let's disable it via a macro for now.
* Events.c: store parent window from event to meaningful variable | Ulrich Sibiller | 2020-10-17 | 1 | -9/+7
* Events.c: add some comments/FIXMEs | Ulrich Sibiller | 2020-10-17 | 1 | -2/+3
* Events.c: add more DEBUG output | Ulrich Sibiller | 2020-10-17 | 1 | -11/+78
* nxagent: Prevent resize loop | Ulrich Sibiller | 2020-10-17 | 6 | -19/+35
    This only happened with certain window managers like mutter.

    Fixes ArcticaProject/nx-libs#925
* Display.c: factor out confinement window creation | Ulrich Sibiller | 2020-10-17 | 1 | -30/+24
* Screen.c: fix resizing bug with mutter window manager | Ulrich Sibiller | 2020-10-17 | 1 | -1/+1
    Not really sure why I introduced the client check years ago. Grabbed is
    grabbed, so I don't see a reason implementing it this way.

    Fixes ArcticaProject/nx-libs#925.
* nxagent: fix stack smashing | Ulrich Sibiller | 2020-10-17 | 4 | -4/+22
    In compext Atom has the size of XlibAtom. Therefore calling functions of
    Compext.c requires to use/pass XlibAtom. Same for Window/XlibWindow.

    ==15438==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffcdc0 at pc 0x5555556a81b5 bp 0x7fffffffcd10 sp 0x7fffffffcd08
    WRITE of size 8 at 0x7fffffffcdc0 thread T0
        #0 0x5555556a81b4 in NXGetCollectedProperty nx-X11/programs/Xserver/hw/nxagent/compext/Compext.c:4124
        #1 0x5555557d0488 in nxagentCollectPropertyEvent nx-X11/programs/Xserver/hw/nxagent/Clipboard.c:1202
        #2 0x555555723340 in nxagentHandleCollectPropertyEvent nx-X11/programs/Xserver/hw/nxagent/Events.c:3923
        #3 0x55555571d4db in nxagentHandleProxyEvent nx-X11/programs/Xserver/hw/nxagent/Events.c:3007
        #4 0x55555571bb92 in nxagentHandleClientMessageEvent nx-X11/programs/Xserver/hw/nxagent/Events.c:2595
        #5 0x555555717dfc in nxagentDispatchEvents nx-X11/programs/Xserver/hw/nxagent/Events.c:1827
        #6 0x555555750813 in nxagentBlockHandler nx-X11/programs/Xserver/hw/nxagent/Handlers.c:437
        #7 0x5555556c1b5d in BlockHandler nx-X11/programs/Xserver/dix/dixutils.c:403
        #8 0x5555556d47ff in WaitForSomething nx-X11/programs/Xserver/os/WaitFor.c:232
        #9 0x555555665b22 in Dispatch nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c:365
        #10 0x5555555ed760 in main nx-X11/programs/Xserver/dix/main.c:350
        #11 0x7ffff604909a in __libc_start_main ../csu/libc-start.c:308
        #12 0x5555555edc09 in _start (nx-X11/programs/Xserver/nxagent+0x99c09)

    Address 0x7fffffffcdc0 is located in stack of thread T0 at offset 32 in frame
        #0 0x5555557d0324 in nxagentCollectPropertyEvent nx-X11/programs/Xserver/hw/nxagent/Clipboard.c:1190

      This frame has 5 object(s):
        [32, 36) 'atomReturnType' <== Memory access at offset 32 partially overflows this variable
        [96, 100) 'resultFormat'
        [160, 168) 'ulReturnItems'
        [224, 232) 'ulReturnBytesLeft'
        [288, 296) 'pszReturnData'
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow nx-X11/programs/Xserver/hw/nxagent/compext/Compext.c:4124 in NXGetCollectedProperty
    ...