From a9f623f0a63372ca0705e8394fadf514dec55b1c Mon Sep 17 00:00:00 2001 From: Julien Cristau Date: Tue, 21 May 2013 21:54:55 +0200 Subject: Add a couple fixups for the security patches Add a couple fixups for the security patches - off-by-one in xkb - memory leak in an error path Backport from debian to NX: Ulrich Sibiller --- nx-X11/lib/X11/Font.c | 1 + nx-X11/lib/X11/XKBGetMap.c | 2 +- nx-X11/lib/X11/XKBNames.c | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/nx-X11/lib/X11/Font.c b/nx-X11/lib/X11/Font.c index 0501ae279..d311cd0f7 100644 --- a/nx-X11/lib/X11/Font.c +++ b/nx-X11/lib/X11/Font.c @@ -508,6 +508,7 @@ _XF86BigfontQueryFont ( any real font needs, so the combined total doesn't overflow either */ if (reply.nUniqCharInfos > ((ULONG_MAX / 2) / SIZEOF(xCharInfo)) || reply.nCharInfos > ((ULONG_MAX / 2) / sizeof(CARD16))) { + Xfree(fs->properties); Xfree((char *) fs); _XEatDataWords(dpy, reply_left); return (XFontStruct *)NULL; diff --git a/nx-X11/lib/X11/XKBGetMap.c b/nx-X11/lib/X11/XKBGetMap.c index 5eb1d41bf..391d7aa89 100644 --- a/nx-X11/lib/X11/XKBGetMap.c +++ b/nx-X11/lib/X11/XKBGetMap.c @@ -427,7 +427,7 @@ XkbServerMapPtr srv; if ( rep->totalVModMapKeys>0 ) { if (((int) rep->firstVModMapKey + rep->nVModMapKeys) - > xkb->max_key_code) + > xkb->max_key_code + 1) return BadLength; if (((xkb->server==NULL)||(xkb->server->vmodmap==NULL))&& (XkbAllocServerMap(xkb,XkbVirtualModMapMask,0)!=Success)) { diff --git a/nx-X11/lib/X11/XKBNames.c b/nx-X11/lib/X11/XKBNames.c index 1f5207493..c82b59e30 100644 --- a/nx-X11/lib/X11/XKBNames.c +++ b/nx-X11/lib/X11/XKBNames.c @@ -180,7 +180,7 @@ _XkbReadGetNamesReply( Display * dpy, nKeys= xkb->max_key_code+1; names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec); } - else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code) + else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code + 1) goto BAILOUT; if (names->keys!=NULL) { if (!_XkbCopyFromReadBuffer(&buf, -- cgit v1.2.3