| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
All of the crts and outputs were freed, but not the arrays full of
pointers to them.
Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
|
|
| |
User mode has no customer when create until assigned
to some output.
|
|
|
|
|
|
|
|
|
| |
https://bugs.freedesktop.org/show_bug.cgi?id=51375
https://bugs.freedesktop.org/attachment.cgi?id=63397
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Tested-by: Daniel Stone <daniel@fooishbar.org>
|
|\
| |
| |
| | |
Attributes GH PR #39: https://github.com/ArcticaProject/nx-libs/pull/39
|
| |
| |
| |
| | |
not used anywhere.
|
|\ \
| | |
| | | |
Xext CVE fixes in XVideo extension.
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
v2: backport to nx-libs 3.6.x (Mike DePaulo)
v3: port to NXxvdisp.c rather than xvdisp.c (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
Xext/xvdisp.c
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The length checking code validates PutImage height and byte width by
making sure that byte-width >= INT32_MAX / height. If height is zero,
this generates a divide by zero exception. Allow zero height requests
explicitly, bypassing the INT32_MAX check.
Fix for regression introduced by fix for CVE-2014-8092.
v2: backports to nx-libs 3.6.x (Mike Gabriel)
v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo)
Signed-off-by: Keith Packard <keithp@keithp.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
ProcPutImage() calculates a length field from a width, left pad and depth
specified by the client (if the specified format is XYPixmap).
The calculations for the total amount of memory the server needs for the
pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
on 32-bit systems (since the length is stored in a long int variable).
v2: backport to nx-libs 3.6.x (Mike DePaulo)
v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
dix/dispatch.c
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
xorg/Xserver http://lists.x.org/archives/xorg-announce/2013-October/002332.html
Save a pointer to the passed in closure structure before copying it
and overwriting the *c pointer to point to our copy instead of the
original. If we hit an error, once we free(c), reset c to point to
the original structure before jumping to the cleanup code that
references *c.
Since one of the errors being checked for is whether the server was
able to malloc(c->nChars * itemSize), the client can potentially pass
a number of characters chosen to cause the malloc to fail and the
error path to be taken, resulting in the read from freed memory.
Since the memory is accessed almost immediately afterwards, and the
X server is mostly single threaded, the odds of the free memory having
invalid contents are low with most malloc implementations when not using
memory debugging features, but some allocators will definitely overwrite
the memory there, leading to a likely crash.
v2: Apply to NXdixfonts.c rather than dixfonts.c (Mike DePaulo)
|
|\
| |
| | |
XRender CVE fixes for nxagent (X.Org CVE-2014-8100)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
v2: backport to nx-libs 3.6.x (Mike DePaulo)
v3: port to NXrender.c rather than render.c (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
render/render.c
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Otherwise we may be reading outside of the client request.
v2: backport to nx-libs 3.6.x (Mike DePaulo)
v3: port to NXrender.c rather than render.c (Mike DePaulo)
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Conflicts:
render/render.c
|
| |
| |
| |
| | |
hardware driver.
|
|/
|
|
| |
shared library.
|
|
|
|
| |
shared library. (Fixes ArcticaProject/nx-libs#6, X2GoBTS#826).
|
|
|
|
|
|
|
|
|
|
|
|
| |
The length checking code validates PutImage height and byte width by
making sure that byte-width >= INT32_MAX / height. If height is zero,
this generates a divide by zero exception. Allow zero height requests
explicitly, bypassing the INT32_MAX check.
Fix for regression introduced by fix for CVE-2014-8092.
v2: backports to nx-libs 3.6.x (Mike Gabriel)
Signed-off-by: Keith Packard <keithp@keithp.com>
|
| |
|
|
|
|
| |
work on patches / pull requests.
|
| |
|
|
|
|
| |
linking against X.Org'x libXdmcp).
|
|
|
|
| |
'dlsym'. (Fixes: X2GoBTS#853).
|
|
|
|
| |
for NX.
|
|
|
|
| |
shared library.
|
|
|
|
| |
libXfont shared library and link dynamically.
|
| |
|
|
|
|
| |
XF86Server and XorgServer.
|
|\
| |
| | |
arch cleanup (CRAY/WORD64) + X.Org CVE-2013-7439
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
CVE-2013-7439).
MakeBigReq inserts a length field after the first 4 bytes of the request
(after req->length), pushing everything else back by 4 bytes.
The current memmove moves everything but the first 4 bytes back. If a
request aligns to the end of the buffer pointer when MakeBigReq is
invoked for that request, this runs over the buffer. Instead, we need to
memmove minus the first 4 bytes (which aren't moved), minus the last 4
bytes (so we still align to the previous tail).
The 4 bytes that fell out are already handled with Data32, which will
handle the buffermax correctly.
The case where req->length = 1 was already not functional.
Reported by Abhishek Arya <inferno@chromium.org> (against X.Org BTS).
https://bugzilla.mozilla.org/show_bug.cgi?id=803762
Reviewed-by: Jeff Muizelaar <jmuizelaar@mozilla.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Rebased-for-NX: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
|
| |
| |
| |
| | |
WORD64, WORD64ALIGN, MUSTCOPY, UNSIGNEDBITFIELDS definitions).
|
| | |
|
|/
|
|
|
|
|
|
|
|
|
| |
NX agent contains/ed two build trees. An old one (probably pre-3.x.y)
and a "newer" one. The "newer" code tree used to become enabled by
setting NXUpgradeAgentServer in nx-X11/config/cf/host.def to YES.
As building the NXUpgradeAgentServer has been the default for
years now, we drop all code that does not get used at build time
for NXUpgradeAgentServer == YES (i.e., the code that belongs to the
pre-3.x.y phase of NX agent).
|
| |
|
|
|
|
| |
build-logic).
|
| |
|
|
|
|
| |
NXiPAQXServer.
|
|
|
|
| |
variants)
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
Cherry-picked from branch 3.5.0.x.
|
|
|
|
| |
Cherry-picked from branch 3.5.0.x.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cherry-picked from branch 3.5.0.x.
This is basically a merge of the most current xorg-server (1.17.1) code
into nx-X11.
It makes sure that for source pictures, which do not have a drawable
surface, a filter is selected that is supported on the "main" and all
other screens. Alternatively, if the requested filter is not available
on all screens and the picture is a source picture, this function fails
gracefully.
Additionally, the ChangePictureFilter hook is now called for non-source
pictures.
This also needs an implementation in mipict.{c,h}. The default hook does
nothing and returns a success value.
|
| |
|
|
|
|
| |
is not defined).
|
|
|
|
| |
library.
|