| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ReadColornameDB() [CVE-2013-1981 6/13]
LoadColornameDB() calls stringSectionSize() to do a first pass over the
file (which may be provided by the user via XCMSDB environment variable)
to determine how much memory needs to be allocated to read in the file,
then allocates the returned sizes and calls ReadColornameDB() to load the
data from the file into that newly allocated memory.
If stringSectionSize() overflows the signed ints used to calculate the
file size (say if you have an xcmsdb with ~4 billion lines in or a
combined string length of ~4 gig - which while it may have been
inconceivable when Xlib was written, is quite possible today), then
LoadColornameDB() may allocate a memory buffer much smaller than the
amount of data ReadColornameDB() will write to it.
The total size is left limited to an int, because if your xcmsdb file
is larger than 2gb, you're doing it wrong.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the reported number of host entries is too large, the calculations
to allocate memory for them may overflow, leaving us writing beyond the
bounds of the allocation.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the reported number of motion events is too large, the calculations
to allocate memory for them may overflow, leaving us writing beyond the
bounds of the allocation.
v2: Ensure nEvents is set to 0 when returning NULL events pointer
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the reported number of remaining fonts is too large, the calculations
to allocate memory for them may overflow, leaving us writing beyond the
bounds of the allocation.
v2: Fix reply_left calculations, check calculated sizes fit in reply_left
v3: On error cases, also set values to be returned in pointer args to 0/NULL
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Similar to _XQueryFont, but with more ways to go wrong and overflow.
Only compiled if libX11 is built with XF86BigFont support.
v2: Fix reply_left calculations, check calculated sizes fit in reply_left
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the CARD32 reply.nCharInfos * sizeof(XCharStruct) overflows an
unsigned long, then too small of a buffer will be allocated for the
data copied in from the reply.
v2: Fix reply_left calculations, check calculated sizes fit in reply_left
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If exactly one of the two reallocs in XListFontsWithInfo() fails, the
subsequent code accesses memory freed by the other realloc.
Signed-off-by: Nickolai Zeldovich <nickolai@csail.mit.edu>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit deedeada53676ee529d700bf96fde0b29a3a1def)
Signed-off-by: Julien Cristau <jcristau@debian.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the highly unlikely event that TransFileName was passed a path
containing multiple %L entries, for each entry it would call
_XlcFileName, leaking the previous results, and then for each entry it
would copy from that pointer and free it, resulting in invalid pointers
& possible double frees for each use after the first one freed it.
Error: Use after free (CWE 416)
Use after free of pointer 'lcCompose'
at line 358 of nx-X11/lib/X11/imLcPrs.c in function 'TransFileName'.
Previously freed at line 360 with free.
Error: Use after free (CWE 416)
Use after free of pointer 'lcCompose'
at line 359 of nx-X11/lib/X11/imLcPrs.c in function 'TransFileName'.
Previously freed at line 360 with free.
Error: Double free (CWE 415)
Double free of pointer 'lcCompose'
at line 360 of nx-X11/lib/X11/imLcPrs.c in function 'TransFileName'.
Previously freed at line 360 with free.
[ This bug was found by the Parfait 0.3.6 bug checking tool.
For more information see http://labs.oracle.com/projects/parfait/ ]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 6ac417cea1136a3617f5e40f4b106aaa3f48d6c2)
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
|
|
|
| |
Tracked variable "size" was passed to a negative sink.
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com>
Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit be3e6c205d94dedc1cdebf5d17b987f0f828377a)
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
| |
Imake unsets __APPLE__ and sets __DARWIN__ instead while autoconf seems to use
__APPLE__ and not __DARWIN__ anymore.
This way we should stay safe for now. Can be changed to __APPLE__ when
we switch to modular.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CVE-2013-7439).
MakeBigReq inserts a length field after the first 4 bytes of the request
(after req->length), pushing everything else back by 4 bytes.
The current memmove moves everything but the first 4 bytes back. If a
request aligns to the end of the buffer pointer when MakeBigReq is
invoked for that request, this runs over the buffer. Instead, we need to
memmove minus the first 4 bytes (which aren't moved), minus the last 4
bytes (so we still align to the previous tail).
The 4 bytes that fell out are already handled with Data32, which will
handle the buffermax correctly.
The case where req->length = 1 was already not functional.
Reported by Abhishek Arya <inferno@chromium.org> (against X.Org BTS).
https://bugzilla.mozilla.org/show_bug.cgi?id=803762
Reviewed-by: Jeff Muizelaar <jmuizelaar@mozilla.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Rebased-for-NX: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Re-applied after upgrade to libX11 1.3.4: Ulrich Sibiller <uli42@gmx.de>
|
|
|
|
|
|
|
|
| |
Try to offset the cost of all the recent checks we've added by giving
the compiler a hint that the branches that involve us eating data
are less likely to be used than the ones that process it.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The global was only referenced in the main() function, which passes it
as an argument of the same name to the parse_line() function, leading
to gcc -Wshadow warnings:
makekeys.c: In function ‘parse_line’:
makekeys.c:58:24: warning: declaration of ‘buf’ shadows a global declaration
makekeys.c:54:13: warning: shadowed declaration is here
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since makekeys is built using build environment's gcc and
runs natively, we have to make sure that the size of the
Signature type is the same on both the native environment
and the target, otherwise we get mismatches upon running X,
and some LSB test failures (xts5).
Use an unsigned 32-bit integer on all platforms. Also,
eliminate the redundant multiple typedefs for the
Signature type.
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
|
|
|
|
| |
makekeys expects filenames as arguments instead of stdin
|
|
|
|
|
|
|
|
|
| |
Since we can't really live without vendor keysyms, scan them all in to
generate ks_tables.h, rather than only doing the core ones, and leaving
the vendor syms to be manually synchronised with XKeysymDB.
Signed-off-by: Daniel Stone <daniel@fooishbar.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
|
|
| |
Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Makekeys is used to create an optimal hash of the keysyms defined
in x11proto’s keysymdef.h.
The recent addition of new keysyms there has triggered a bug in
makekeys where it tries to use a zero on the rhs of the % (mod)
operator (resulting in a divide by zero error) whenever it fails
to find a solution within its constraints.
Increasing the size of the arrays allows it to find a solution for
the current set of keysyms.
Makekeys is only run durring the build process, so this has no impact
on users of libX11, only on the amount of VM needed to build it.
It still needs a more complete fix, but this allows compiles to
progress until that is completed.
|
|
|
|
| |
Needed by libX11 1.3.4 code
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
This basically repeats commit bad67799229b94ea2ba0174319949766ad1c2fc6
after the upgrade to libX11 1.3.4.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
Upstream has changed the header guards. We adapt them to prevent double inclusion.
|
| |
|
| |
|
|
|
|
|
| |
This should have been part of commit 2c31ce2 which also happens to
have a wrong description... Sigh.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This was reported on irc on Fedora when rawhide went to 1.17.1.
regression occured in: 2566835b4374edb3e5a8353d4f7c9e7ec4851c57
os: Eliminate uninitialized value warnings from access.c
siAddrMatch doesn't need addr to be a useful value, it checks
some things like localuser without having an address at all.
Signed-off-by: Dave Airlie <airlied@redhat.com>
Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
v2: backport to nx-libs 3.6.x (Ulrich Sibiller)
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ConvertAddr function doesn't reliably set the 'addr' return value,
and so callers are getting flagged for using potentially uninitialized
values. Initialize the value in the callers to NULL and then go ahead
and check for NULL values before using them.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
v2: backport to nx-libs 3.6.x (Ulrich Sibiller)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
GetHosts saves the pointer to allocated memory in *data, and then
wants to bounds-check writes to that region, but was mistakenly using
a bare 'data' instead of '*data'. Also, data is declared as void **,
so we need a cast to turn it into a byte pointer so we can actually do
pointer comparisons.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
v1: Keith Packard
v2: backport to nx-libs 3.6.x (Ulrich Sibiller)
|
|
|
|
|
| |
v1: Eamon Walsh
v2: backport to nx-libs 3.6.x (Ulrich Sibiller)
|
|
|
|
| |
Just like upstream does
|
|
|
|
| |
just as upstream did
|
|
|
|
| |
it is no longer needed because the code here is only used in the server.
|