aboutsummaryrefslogtreecommitdiff
path: root/nx-X11
Commit message (Collapse)AuthorAgeFilesLines
* dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]Alan Coopersmith2015-05-301-1/+3
| | | | | | | | | | | | | | | | | | | ProcPutImage() calculates a length field from a width, left pad and depth specified by the client (if the specified format is XYPixmap). The calculations for the total amount of memory the server needs for the pixmap can overflow a 32-bit number, causing out-of-bounds memory writes on 32-bit systems (since the length is stored in a long int variable). v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: dix/dispatch.c
* Avoid use-after-free in dix/dixfonts.c: doImageText() [CVE-2013-4396] from ↵Mike DePaulo2015-05-301-0/+5
| | | | | | | | | | | | | | | | | | | | | | | xorg/Xserver http://lists.x.org/archives/xorg-announce/2013-October/002332.html Save a pointer to the passed in closure structure before copying it and overwriting the *c pointer to point to our copy instead of the original. If we hit an error, once we free(c), reset c to point to the original structure before jumping to the cleanup code that references *c. Since one of the errors being checked for is whether the server was able to malloc(c->nChars * itemSize), the client can potentially pass a number of characters chosen to cause the malloc to fail and the error path to be taken, resulting in the read from freed memory. Since the memory is accessed almost immediately afterwards, and the X server is mostly single threaded, the odds of the free memory having invalid contents are low with most malloc implementations when not using memory debugging features, but some allocators will definitely overwrite the memory there, leading to a likely crash. v2: Apply to NXdixfonts.c rather than dixfonts.c (Mike DePaulo)
* Merge pull request #36 from ArcticaProject/pr/render-cve-fixesMike Gabriel2015-05-261-2/+18
|\ | | | | XRender CVE fixes for nxagent (X.Org CVE-2014-8100)
| * render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2]pr/render-cve-fixesAlan Coopersmith2015-05-241-1/+16
| | | | | | | | | | | | | | | | | | | | | | v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: port to NXrender.c rather than render.c (Mike DePaulo) Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: render/render.c
| * render: check request size before reading it [CVE-2014-8100 1/2]Julien Cristau2015-05-241-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Otherwise we may be reading outside of the client request. v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: port to NXrender.c rather than render.c (Mike DePaulo) Signed-off-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Conflicts: render/render.c
* | hw/nxagent clean-up: Drop NXrandr.{c|h} client lib copy-of-code from nxagent ↵Mike Gabriel2015-05-204-1033/+3
| | | | | | | | hardware driver.
* | library clean-up: Don't build libNX_Xrandr anymore. Use system's libXrandr ↵Mike Gabriel2015-05-2017-1768/+4
|/ | | | shared library.
* library clean-up: Don't build libNX_Xdamage anymore. Use system's libXdamage ↵Mike Gabriel2015-05-0120-986/+3
| | | | shared library. (Fixes ArcticaProject/nx-libs#6, X2GoBTS#826).
* dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418).Keith Packard2015-05-011-1/+1
| | | | | | | | | | | | The length checking code validates PutImage height and byte width by making sure that byte-width >= INT32_MAX / height. If height is zero, this generates a divide by zero exception. Allow zero height requests explicitly, bypassing the INT32_MAX check. Fix for regression introduced by fix for CVE-2014-8092. v2: backports to nx-libs 3.6.x (Mike Gabriel) Signed-off-by: Keith Packard <keithp@keithp.com>
* imake cleanup: Drop references to X11 build-logic that is not present in nx-X11.Mike Gabriel2015-04-2819-2678/+23
|
* imake cleanup: Break up multiple vars into invidual lines to ease further ↵Mike Gabriel2015-04-287-36/+128
| | | | work on patches / pull requests.
* Fix underlinking issues for libNX_X{composite,damage,fixes}.Mike Gabriel2015-04-261-0/+3
|
* libX11 underlinking problem: Fix undefined reference to 'XdmcpWrap' (by ↵Mike Gabriel2015-04-261-1/+1
| | | | linking against X.Org'x libXdmcp).
* libX11 underlinking problem: Fix undefined reference to 'dlopen' and ↵Mike Gabriel2015-04-261-1/+1
| | | | 'dlsym'. (Fixes: X2GoBTS#853).
* xbitmaps cleanup: The <X11/bitmaps/*> headers are not required at build time ↵Mike Gabriel2015-04-2371-2680/+1
| | | | for NX.
* library clean-up: Don't build libNX_Xdmcp anymore. Use system's libXdmcp ↵Mike Gabriel2015-04-2250-3301/+6
| | | | shared library.
* library clean-up: Don't build and link libXfont.a anymore. Use system's ↵pr/libxfont-cleanupMike Gabriel2015-04-22230-66988/+46
| | | | libXfont shared library and link dynamically.
* fix for Xcursor clean-up (422fe90)Mike Gabriel2015-04-213-3/+3
|
* imake cleanup (nx-X11/programs/Xserver/Imakefile): Drop build rules for ↵Mike Gabriel2015-04-171-286/+2
| | | | XF86Server and XorgServer.
* Merge pull request #12 from sunweaver/pr/arch-cleanup.CRAYMike DePaulo2015-04-1653-1033/+43
|\ | | | | arch cleanup (CRAY/WORD64) + X.Org CVE-2013-7439
| * MakeBigReq: don't move the last word, already handled by Data32 (X.Org ↵Karl Tomlinson2015-04-161-2/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | CVE-2013-7439). MakeBigReq inserts a length field after the first 4 bytes of the request (after req->length), pushing everything else back by 4 bytes. The current memmove moves everything but the first 4 bytes back. If a request aligns to the end of the buffer pointer when MakeBigReq is invoked for that request, this runs over the buffer. Instead, we need to memmove minus the first 4 bytes (which aren't moved), minus the last 4 bytes (so we still align to the previous tail). The 4 bytes that fell out are already handled with Data32, which will handle the buffermax correctly. The case where req->length = 1 was already not functional. Reported by Abhishek Arya <inferno@chromium.org> (against X.Org BTS). https://bugzilla.mozilla.org/show_bug.cgi?id=803762 Reviewed-by: Jeff Muizelaar <jmuizelaar@mozilla.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Rebased-for-NX: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
| * old-arch cleanup: Drop CRAY support (i.e., drop code related to CRAY, _CRAY, ↵Mike Gabriel2015-04-1653-1031/+26
| | | | | | | | WORD64, WORD64ALIGN, MUSTCOPY, UNSIGNEDBITFIELDS definitions).
* | library clean-up: Drop nx-X11/lib/Xcursor. Not used at build time.Mike Gabriel2015-04-1623-4847/+1
| |
* | NXAGENT_UPGRADE code cleanup:Mike Gabriel2015-04-1652-38864/+6098
|/ | | | | | | | | | | NX agent contains/ed two build trees. An old one (probably pre-3.x.y) and a "newer" one. The "newer" code tree used to become enabled by setting NXUpgradeAgentServer in nx-X11/config/cf/host.def to YES. As building the NXUpgradeAgentServer has been the default for years now, we drop all code that does not get used at build time for NXUpgradeAgentServer == YES (i.e., the code that belongs to the pre-3.x.y phase of NX agent).
* drop: nx-X11/config/util/ (not needed at build time).Mike Gabriel2015-04-1449-6480/+1
|
* imake clean-up: nx-X11/config/Imakefile (drop BuildDPSLibrary related ↵Mike Gabriel2015-04-141-4/+1
| | | | build-logic).
* fix for ebe00df38f264ef71dac3c73d416a74685c8cbd2 (removal of DmxLibrary)Mike Gabriel2015-04-081-4/+0
|
* imake clean: Remove (probably incomplete) support for NXZaurusXServer, ↵Mike Gabriel2015-04-051-54/+0
| | | | NXiPAQXServer.
* imake cleanup: nx-X11/programs/Xserver/Imakefile (drop non-provided Xserver ↵Mike Gabriel2015-04-051-286/+1
| | | | variants)
* imake cleanup: nx-X11/programs/Imakefile (reduce to minimal).Mike Gabriel2015-04-041-136/+0
|
* imake cleanup: Drop all references to BuildFontServer.Mike Gabriel2015-04-048-44/+2
|
* imake cleanup: Drop all references to XprtServer and BuildXprint*.Mike Gabriel2015-04-0421-4365/+12
|
* imake cleanup: Drop all references to XdmxServer and BuildXdmx*.Mike Gabriel2015-04-0413-1930/+8
|
* imake cleanup: Drop all references to XVirtualFramebufferServer.Mike Gabriel2015-04-049-74/+3
|
* imake cleanup: Drop all references to XNestServer.Mike Gabriel2015-04-0410-76/+7
|
* imake cleanup: Drop all references to XWinServer.Mike Gabriel2015-04-043-99/+3
|
* nx-X11: add more NULL guards to TEST and DEBUG sections of Render.c.Mihai Moldovan2015-03-291-65/+90
| | | | Cherry-picked from branch 3.5.0.x.
* nx-X11: fix typo in previous commit.Mihai Moldovan2015-03-291-1/+1
| | | | Cherry-picked from branch 3.5.0.x.
* nx-X11: handle source pictures (those without a Drawable surface) gracefully.Mihai Moldovan2015-03-294-20/+89
| | | | | | | | | | | | | | | | | | | Cherry-picked from branch 3.5.0.x. This is basically a merge of the most current xorg-server (1.17.1) code into nx-X11. It makes sure that for source pictures, which do not have a drawable surface, a filter is selected that is supported on the "main" and all other screens. Alternatively, if the requested filter is not available on all screens and the picture is a source picture, this function fails gracefully. Additionally, the ChangePictureFilter hook is now called for non-source pictures. This also needs an implementation in mipict.{c,h}. The default hook does nothing and returns a success value.
* nx-X11/**: Drop non-imake Makefile* files.Mike Gabriel2015-03-047-951/+0
|
* nx-X11/config/cf/X11.tmpl: Fix imake warning ("UseInstalledOnCrossCompile" ↵Mike Gabriel2015-03-041-0/+2
| | | | is not defined).
* library clean-up: Don't build libNX_Xpm anymore. Use system's libXpm shared ↵Mike Gabriel2015-03-0336-9608/+4
| | | | library.
* Drop unused .cvsignore filesMike DePaulo2015-02-183-73/+0
|
* xkb: Check strings length against request sizeOlivier Fourdan2015-02-171-25/+41
| | | | | | | | | | | | | | | Ensure that the given strings length in an XkbSetGeometry request remain within the limits of the size of the request. v3: backport to nx-libs 3.6.x because this is the CVE-2015-0255 fix (Mike DePaulo) Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 20079c36cf7d377938ca5478447d8b9045cb7d43) (cherry picked from commit f160e722672dbb2b5215870b47bcc51461d96ff1) Signed-off-by: Julien Cristau <jcristau@debian.org>
* xkb: Don't swap XkbSetGeometry data in the input bufferOlivier Fourdan2015-02-171-16/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | The XkbSetGeometry request embeds data which needs to be swapped when the server and the client have different endianess. _XkbSetGeometry() invokes functions that swap these data directly in the input buffer. However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once (if there is more than one keyboard), thus causing on swapped clients the same data to be swapped twice in memory, further causing a server crash because the strings lengths on the second time are way off bounds. To allow _XkbSetGeometry() to run reliably more than once with swapped clients, do not swap the data in the buffer, use variables instead. v3: backport to nx-libs 3.6.x as a prereq for the CVE-2015-0255 fix (Mike DePaulo) Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd) (cherry picked from commit 29be310c303914090298ddda93a5bd5d00a94945) Signed-off-by: Julien Cristau <jcristau@debian.org> index 2405090..7db0959 100644
* include: introduce byte counting functions.Peter Hutterer2015-02-171-0/+30
| | | | | | | | | | | | | | | | | | | | This patch adds the following three functions: bits_to_bytes(bits) - the number of bytes needed to hold 'bits' bytes_to_int32(bytes) - the number of 4-byte units to hold 'bytes' pad_to_int32(bytes) - the closest multiple of 4 equal to or larger than 'bytes'. All three operations are common in protocol processing and currently the server has ((foo + 7)/8 + 3)/4 operations all over the place. A common set of functions reduce the error rate of these (albeit simple) calculations and improve readability of the code. The functions do not check for overflow. v2: backport to nx-libs 3.6.x as a prereq for the CVE-2015-0255 fix (Mike DePaulo) Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
* Coverity #844, #845, #846: Fix memory leaks.Daniel Stone2015-02-171-3/+19
| | | | | v2: backport to nx-libs 3.6.x as a prereq for the CVE-2015-0255 fix (Mike DePaulo)
* Make nxagent process aware of its current NX'ish version.Mike Gabriel2015-02-175-5/+40
| | | | | | | | | | | This feature copies the way how X.Org version string and number are propagated at build time. First use case: if people start nxagent, it reports its version number on stderr. This is about being human-friendly. Second use case: None, so far. But it will now be easy to use the NXAGENT_VERSION_STRING in later feature add-ons.
* nx-X11/programs/Xserver/hw/nxagent/: Drop unused VERSION file.Mike Gabriel2015-02-161-1/+0
|
* Do proper input validation to fix for CVE-2011-2895.Joerg Sonnenberger2015-02-161-14/+17
| | | | | | | | | | | | It ensures that all valid input can be decompressed, checks that the overflow conditions doesn't happen and generally tightens the validation of the LZW stream and doesn't pessimize the inner loop for no good reason. It's derived from a change in libarchive from 2004. v2: backports to nx-libs 3.6.x (Mihai Moldovan) v3: fix comment lines starting with "+" + whitespace fixes (Mike Gabriel) Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> Reviewed-by: Tomas Hoger <thoger@redhat.com>