From a4fad8f58e8c7f601f70801016861f970ab05827 Mon Sep 17 00:00:00 2001
From: Ulrich Sibiller
Date: Mon, 17 Dec 2018 23:58:16 +0100
Subject: Fix crash due to uninitialized VModMap fields.
Backport of commit 81b3b0cce088866dc3cda099d7c8d6655849fd43
Author: Tomas Janousek
Date: Wed May 20 15:03:01 2009 +0200
Bug #6428, #16458, #21464: Fix crash due to uninitialized VModMap fields.
In ProcXkbGetKbdByName, mrep.firstVModMapKey, .nVModMapKeys and .totalVModMapKeys were not initialized, contained random values and caused accesses to unallocated and later modified memory, causing XkbSizeVirtualModMap and XkbWriteVirtualModMap to see different number of nonzero values, resulting in writes past the end of an array in XkbSendMap.
This patch initializes those values sensibly and reverts commits 5c0a2088 and 6dd4fc46, which have been plain non-sense.
Signed-off-by: Tomas Janousek
Signed-off-by: Peter Hutterer
---
 nx-X11/programs/Xserver/xkb/xkb.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/nx-X11/programs/Xserver/xkb/xkb.c b/nx-X11/programs/Xserver/xkb/xkb.c
index e11d7e26b..67d7f2b95 100644
--- a/nx-X11/programs/Xserver/xkb/xkb.c
+++ b/nx-X11/programs/Xserver/xkb/xkb.c
@@ -1185,7 +1185,7 @@ XkbSizeVirtualModMap(XkbDescPtr xkb,xkbGetMapReply *rep)
 rep->totalVModMapKeys= 0;
 return 0;
 }
- for (nRtrn=i=0;inVModMapKeys-1;i++) {
+ for (nRtrn=i=0;inVModMapKeys;i++) {
 if (xkb->server->vmodmap[i+rep->firstVModMapKey]!=0)
 nRtrn++;
 }
@@ -5128,7 +5128,7 @@ ProcXkbGetKbdByName(ClientPtr client)
 mrep.present = 0;
 mrep.totalSyms = mrep.totalActs =
 mrep.totalKeyBehaviors= mrep.totalKeyExplicit=
- mrep.totalModMapKeys= 0;
+ mrep.totalModMapKeys= mrep.totalVModMapKeys= 0;
 if (rep.reported&(XkbGBN_TypesMask|XkbGBN_ClientSymbolsMask)) {
 mrep.present|= XkbKeyTypesMask;
 mrep.firstType = 0;
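Review bot: The corrected loop bound still leaves `xkb->server->vmodmap[i+rep->firstVModMapKey]` unguarded against `rep->firstVModMapKey + rep->nVModMapKeys` running past the key-code range; it is safe only because the caller (the @@ -5154 hunk of this patch) fills those two fields from `min_key_code` and `XkbNumKeys`, which is worth stating above the loop: `/* caller guarantees firstVModMapKey..firstVModMapKey+nVModMapKeys-1 lie within min_key_code..max_key_code */`. The condition shown as `inVModMapKeys` looks like a rendering loss of `i<rep->nVModMapKeys` rather than what was committed. XkbSizeVirtualModMap's body starts outside the hunk.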
@@ -5154,6 +5154,8 @@ ProcXkbGetKbdByName(ClientPtr client)
 mrep.firstKeyExplicit = finfo.xkb->min_key_code;
 mrep.nKeyActs = mrep.nKeyBehaviors = mrep.nKeyExplicit = XkbNumKeys(finfo.xkb);
+ mrep.firstVModMapKey= finfo.xkb->min_key_code;
+ mrep.nVModMapKeys= XkbNumKeys(finfo.xkb);
 }
 else {
 mrep.virtualMods= 0;
-- cgit v1.2.3
From 5b0bf752a0c5a224ddf42cccdcb37534357c08ab Mon Sep 17 00:00:00 2001
From: Ulrich Sibiller
Date: Tue, 18 Dec 2018 00:05:50 +0100
Subject: xkb: Initialize pad bytes sent in replies of geometry requests.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Backport of commit dc9ce695a69ca0787f58f8d160212a7a41acb703
Author: Rami Ylimäki
Date: Wed Mar 9 15:45:40 2011 +0200
xkb: Initialize pad bytes sent in replies of geometry requests.
Valgrind complains about uninitialized data being written to clients.
Reviewed-by: Erkki Seppälä
Signed-off-by: Rami Ylimäki
Reviewed-by: Daniel Stone
Reviewed-by: Peter Hutterer
Signed-off-by: Peter Hutterer
---
 nx-X11/programs/Xserver/xkb/xkb.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/nx-X11/programs/Xserver/xkb/xkb.c b/nx-X11/programs/Xserver/xkb/xkb.c
index 67d7f2b95..8d3fc6108 100644
--- a/nx-X11/programs/Xserver/xkb/xkb.c
+++ b/nx-X11/programs/Xserver/xkb/xkb.c
@@ -3783,7 +3783,7 @@ ProcXkbSetNames(ClientPtr client)
 static char *
 XkbWriteCountedString(char *wire,char *str,Bool swap)
 {
-CARD16 len,*pLen;
+CARD16 len,*pLen, paddedLen;
 len= (str?strlen(str):0);
 pLen= (CARD16 *)wire;
@@ -3791,8 +3791,9 @@ CARD16 len,*pLen;
 if (swap) {
 swaps(pLen);
 }
- memcpy(&wire[2],str,len);
- wire+= ((2+len+3)/4)*4;
+ paddedLen= pad_to_int32(sizeof(len)+len)-sizeof(len);
+ strncpy(&wire[sizeof(len)],str,paddedLen);
+ wire+= sizeof(len)+paddedLen;
 return wire;
 }
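Review bot: The two new assignments sit inside the branch that closes at the `}` on the hunk's last lines; the `else` branch that follows zeroes `mrep.virtualMods` but, within what the hunk shows, not `mrep.firstVModMapKey` or `mrep.nVModMapKeys`, so on that path they keep whatever the stack held unless code outside the hunk clears them. If the reliance is on XkbSizeVirtualModMap's early return (first hunk of this patch) zeroing them when XkbVirtualModMapMask is absent from `present`, a comment in the else branch should say so; otherwise add `mrep.firstVModMapKey= mrep.nVModMapKeys= 0;` next to `mrep.virtualMods= 0;`. ProcXkbGetKbdByName starts and ends outside the hunk.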
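Review bot: `strncpy(&wire[sizeof(len)],str,paddedLen)` reads through `str` even when it is NULL: the line kept above, `len= (str?strlen(str):0);`, explicitly admits a NULL `str`, and for it `paddedLen` is presumably 2 (pad_to_int32 rounding 2 up to 4), so strncpy dereferences a null source where the removed `memcpy(...,str,0)` never touched it. Guard the copy, `if (str) strncpy(&wire[sizeof(len)],str,paddedLen); else memset(&wire[sizeof(len)],0,paddedLen);`, which keeps the pad bytes zeroed in both cases. strncpy is the right call here precisely because it zero-fills the bytes between `len` and `paddedLen` that would otherwise leak uninitialised memory to the client; a comment `/* strncpy on purpose: it zero-fills the pad bytes sent on the wire */` would stop a later reader swapping it back to memcpy. The declaration hunk at @@ -3783 belongs to the same change.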
@@ -3903,6 +3904,7 @@ xkbShapeWireDesc * shapeWire;
 if (shape->approx!=NULL)
 shapeWire->approxNdx= XkbOutlineIndex(shape,shape->approx);
 else shapeWire->approxNdx= XkbNoShape;
+ shapeWire->pad= 0;
 if (swap) {
 swapl(&shapeWire->name);
 }
@@ -3914,6 +3916,7 @@ xkbShapeWireDesc * shapeWire;
 olWire= (xkbOutlineWireDesc *)wire;
 olWire->nPoints= ol->num_points;
 olWire->cornerRadius= ol->corner_radius;
+ olWire->pad= 0;
 wire= (char *)&olWire[1];
 ptWire= (xkbPointWireDesc *)wire;
 for (p=0,pt=ol->points;pnum_points;p++,pt++) {
@@ -4023,6 +4026,8 @@ xkbOverlayWireDesc * olWire;
 olWire= (xkbOverlayWireDesc *)wire;
 olWire->name= ol->name;
 olWire->nRows= ol->num_rows;
+ olWire->pad1= 0;
+ olWire->pad2= 0;
 if (swap) {
 swapl(&olWire->name);
 }
@@ -4034,6 +4039,7 @@ xkbOverlayWireDesc * olWire;
 rowWire= (xkbOverlayRowWireDesc *)wire;
 rowWire->rowUnder= row->row_under;
 rowWire->nKeys= row->num_keys;
+ rowWire->pad1= 0;
 wire= (char *)&rowWire[1];
 for (k=0,key=row->keys;knum_keys;k++,key++) {
 xkbOverlayKeyWireDesc * keyWire;
-- cgit v1.2.3
From 44c59e12dc3fb509d3d237cbc782cc44dfa30f4e Mon Sep 17 00:00:00 2001
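Review bot: Zeroing the pad members one at a time — `shapeWire->pad` here, and in the three following hunks `olWire->pad`, `olWire->pad1`/`pad2` and `rowWire->pad1` — keeps uninitialised bytes away from the client only as long as every pad field of every wire struct is remembered; clearing the whole struct right after the cast, e.g. `memset(olWire, 0, sizeof *olWire);` before `olWire->nPoints= ol->num_points;`, states the intent and covers any field the struct gains later. The four enclosing functions start and end outside their hunks. The loop conditions shown as `pnum_points` and `knum_keys` look like rendering losses of `p<ol->num_points` and `k<row->num_keys`, not text of the patch.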
From: Ulrich Sibiller
Date: Tue, 18 Dec 2018 00:17:51 +0100
Subject: Fix uninitialized bytes
Fixes this valgrind finding
==16977== Warning: invalid file descriptor -1 in syscall close()
==16977== Conditional jump or move depends on uninitialised value(s)
==16977== at 0x544B6B: XkbSendNewKeyboardNotify (xkbEvents.c:62)
==16977== by 0x540481: ProcXkbGetKbdByName (xkb.c:5330)
==16977== by 0x4341C5: Dispatch (NXdispatch.c:482)
==16977== by 0x40EB02: main (main.c:353)
==16977== Uninitialised value was created by a heap allocation
==16977== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16977== by 0x431BD7: NextAvailableClient (dispatch.c:3719)
==16977== by 0x47B297: AllocNewConnection (connection.c:821)
==16977== by 0x47B297: EstablishNewConnections (connection.c:910)
==16977== by 0x463DFE: ProcessWorkQueue (dixutils.c:541)
==16977== by 0x47635E: WaitForSomething (WaitFor.c:213)
==16977== by 0x434089: Dispatch (NXdispatch.c:360)
==16977== by 0x40EB02: main (main.c:353)
---
 nx-X11/programs/Xserver/dix/dispatch.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nx-X11/programs/Xserver/dix/dispatch.c b/nx-X11/programs/Xserver/dix/dispatch.c
index 3c791465e..5c4e54c73 100644
--- a/nx-X11/programs/Xserver/dix/dispatch.c
+++ b/nx-X11/programs/Xserver/dix/dispatch.c
@@ -3716,7 +3716,7 @@ ClientPtr NextAvailableClient(void * ospriv)
 i = nextFreeClientID;
 if (i == MAXCLIENTS)
 return (ClientPtr)NULL;
- clients[i] = client = (ClientPtr)malloc(totalClientSize);
+ clients[i] = client = (ClientPtr)calloc(1,totalClientSize);
 if (!client)
 return (ClientPtr)NULL;
 InitClient(client, i, ospriv);
-- cgit v1.2.3
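Review bot: Switching to `calloc` zeroes every byte of the new ClientRec and so silences the report quoted in the commit message, but it also hides which field InitClient leaves unset — the trace points at XkbSendNewKeyboardNotify reading one — so the reason belongs next to the call, e.g. `/* calloc, not malloc: InitClient does not set every field and the rest must not reach XkbSendNewKeyboardNotify uninitialised */`. The `(ClientPtr)` cast on calloc is unnecessary in C and can go while here. NextAvailableClient continues outside the hunk.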