From d088698324d5e71cb93ccd429f084729ba07872c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Peter=20=C3=85strand?= Date: Fri, 13 Feb 2009 10:23:28 +0100 Subject: Backport: xserver: Avoid sending uninitialized padding data over the network Signed-off-by: Peter Hutterer --- nx-X11/programs/Xserver/dix/devices.c | 2 ++ nx-X11/programs/Xserver/dix/dispatch.c | 20 +++++++++++++++++++- nx-X11/programs/Xserver/dix/dixfonts.c | 2 ++ nx-X11/programs/Xserver/dix/events.c | 4 ++++ nx-X11/programs/Xserver/dix/extension.c | 2 ++ nx-X11/programs/Xserver/dix/main.c | 4 ++++ nx-X11/programs/Xserver/dix/property.c | 1 + nx-X11/programs/Xserver/dix/window.c | 13 +++++++++++++ 8 files changed, 47 insertions(+), 1 deletion(-) (limited to 'nx-X11/programs/Xserver/dix') diff --git a/nx-X11/programs/Xserver/dix/devices.c b/nx-X11/programs/Xserver/dix/devices.c index e26879f28..e29154cfc 100644 --- a/nx-X11/programs/Xserver/dix/devices.c +++ b/nx-X11/programs/Xserver/dix/devices.c @@ -1037,6 +1037,7 @@ ProcGetModifierMapping(ClientPtr client) register KeyClassPtr keyc = inputInfo.keyboard->key; REQUEST_SIZE_MATCH(xReq); + memset(&rep, 0, sizeof(xGetModifierMappingReply)); rep.type = X_Reply; rep.numKeyPerModifier = keyc->maxKeysPerModifier; rep.sequenceNumber = client->sequence; @@ -1157,6 +1158,7 @@ ProcGetKeyboardMapping(ClientPtr client) return BadValue; } + memset(&rep, 0, sizeof(xGetKeyboardMappingReply)); rep.type = X_Reply; rep.sequenceNumber = client->sequence; rep.keySymsPerKeyCode = curKeySyms->mapWidth; diff --git a/nx-X11/programs/Xserver/dix/dispatch.c b/nx-X11/programs/Xserver/dix/dispatch.c index ab1064051..3fd971101 100644 --- a/nx-X11/programs/Xserver/dix/dispatch.c +++ b/nx-X11/programs/Xserver/dix/dispatch.c 
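Review bot: The added memset calls take their length from a type name, e.g. `memset(&rep, 0, sizeof(xGetModifierMappingReply));` in ProcGetModifierMapping, so the length is not tied to the object being cleared. If a variable's declared type ever differs from the named type, the call will under-clear or over-write without any compiler warning. Writing `memset(&rep, 0, sizeof(rep));` avoids that. The same applies to the other `memset(&x, 0, sizeof(Type))` additions in dispatch.c, events.c, extension.c, main.c, property.c and window.c. The declarations of `rep` lie outside these hunks, so the current sizes are presumably correct and this is a robustness point only.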
@@ -579,6 +579,7 @@ ProcGetWindowAttributes(register ClientPtr client) SecurityReadAccess); if (!pWin) return(BadWindow); + memset(&wa, 0, sizeof(xGetWindowAttributesReply)); GetWindowAttributes(pWin, client, &wa); WriteReplyToClient(client, sizeof(xGetWindowAttributesReply), &wa); return(client->noClientException); @@ -834,6 +835,7 @@ ProcGetGeometry(register ClientPtr client) xGetGeometryReply rep; int status; + memset(&rep, 0, sizeof(xGetGeometryReply)); if ((status = GetGeometry(client, &rep)) != Success) return status; @@ -856,6 +858,7 @@ ProcQueryTree(register ClientPtr client) SecurityReadAccess); if (!pWin) return(BadWindow); + memset(&reply, 0, sizeof(xQueryTreeReply)); reply.type = X_Reply; reply.root = WindowTable[pWin->drawable.pScreen->myNum]->drawable.id; reply.sequenceNumber = client->sequence; @@ -909,6 +912,7 @@ ProcInternAtom(register ClientPtr client) if (atom != BAD_RESOURCE) { xInternAtomReply reply; + memset(&reply, 0, sizeof(xInternAtomReply)); reply.type = X_Reply; reply.length = 0; reply.sequenceNumber = client->sequence; @@ -932,6 +936,7 @@ ProcGetAtomName(register ClientPtr client) if ( (str = NameForAtom(stuff->id)) ) { len = strlen(str); + memset(&reply, 0, sizeof(xGetAtomNameReply)); reply.type = X_Reply; reply.length = (len + 3) >> 2; reply.sequenceNumber = client->sequence; @@ -1061,6 +1066,7 @@ ProcGetSelectionOwner(register ClientPtr client) i = 0; while ((i < NumCurrentSelections) && CurrentSelections[i].selection != stuff->id) i++; + memset(&reply, 0, sizeof(xGetSelectionOwnerReply)); reply.type = X_Reply; reply.length = 0; reply.sequenceNumber = client->sequence; @@ -1112,6 +1118,7 @@ ProcConvertSelection(register ClientPtr client) #endif ) { + memset(&event, 0, sizeof(xEvent)); event.u.u.type = SelectionRequest; event.u.selectionRequest.time = stuff->time; event.u.selectionRequest.owner = 
@@ -1125,6 +1132,7 @@ ProcConvertSelection(register ClientPtr client) NoEventMask /* CantBeFiltered */, NullGrab)) return (client->noClientException); } + memset(&event, 0, sizeof(xEvent)); event.u.u.type = SelectionNotify; event.u.selectionNotify.time = stuff->time; event.u.selectionNotify.requestor = stuff->requestor; @@ -1221,6 +1229,7 @@ ProcTranslateCoords(register ClientPtr client) SecurityReadAccess); if (!pDst) return(BadWindow); + memset(&rep, 0, sizeof(xTranslateCoordsReply)); rep.type = X_Reply; rep.length = 0; rep.sequenceNumber = client->sequence; @@ -1370,6 +1379,7 @@ ProcQueryFont(register ClientPtr client) return(BadAlloc); } + memset(reply, 0, rlength); reply->type = X_Reply; reply->length = (rlength - sizeof(xGenericReply)) >> 2; reply->sequenceNumber = client->sequence; @@ -2112,6 +2122,8 @@ DoGetImage(register ClientPtr client, int format, Drawable drawable, return(BadValue); } SECURITY_VERIFY_DRAWABLE(pDraw, drawable, client, SecurityReadAccess); + + memset(&xgi, 0, sizeof(xGetImageReply)); if(pDraw->type == DRAWABLE_WINDOW) { if( /* check for being viewable */ @@ -2165,7 +2177,7 @@ DoGetImage(register ClientPtr client, int format, Drawable drawable, xgi.length = length; if (im_return) { - pBuf = (char *)xalloc(sz_xGetImageReply + length); + pBuf = (char *)xcalloc(1, sz_xGetImageReply + length); if (!pBuf) return (BadAlloc); if (widthBytesLine == 0) @@ -2205,6 +2217,7 @@ DoGetImage(register ClientPtr client, int format, Drawable drawable, } if(!(pBuf = (char *) ALLOCATE_LOCAL(length))) return (BadAlloc); + memset(pBuf, 0, length); WriteReplyToClient(client, sizeof (xGetImageReply), &xgi); } @@ -2973,6 +2986,7 @@ ProcQueryColors(register ClientPtr client) prgbs = (xrgb *)ALLOCATE_LOCAL(count * sizeof(xrgb)); if(!prgbs && count) return(BadAlloc); + memset(prgbs, 0, count * sizeof(xrgb)); if( (retval = QueryColors(pcmp, count, (Pixel *)&stuff[1], prgbs)) ) { if (prgbs) DEALLOCATE_LOCAL(prgbs); 
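Review bot: In the ProcQueryColors hunk the new `memset(prgbs, 0, count * sizeof(xrgb));` runs even when `prgbs` is NULL. The guard just above it, `if(!prgbs && count)`, deliberately lets a NULL `prgbs` through when `count` is zero, and the `if (prgbs) DEALLOCATE_LOCAL(prgbs);` further down shows the code expects that case. Passing a null pointer to memset is undefined behaviour even with a zero length, so the call should be guarded: `if (prgbs) memset(prgbs, 0, count * sizeof(xrgb));`. The function body continues outside the hunk.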
@@ -2984,6 +2998,8 @@ ProcQueryColors(register ClientPtr client) return (retval); } } + + memset(&qcr, 0, sizeof(xQueryColorsReply)); qcr.type = X_Reply; qcr.length = (count * sizeof(xrgb)) >> 2; qcr.sequenceNumber = client->sequence; @@ -3201,6 +3217,7 @@ ProcQueryBestSize (register ClientPtr client) pScreen = pDraw->pScreen; (* pScreen->QueryBestSize)(stuff->class, &stuff->width, &stuff->height, pScreen); + memset(&reply, 0, sizeof(xQueryBestSizeReply)); reply.type = X_Reply; reply.length = 0; reply.sequenceNumber = client->sequence; @@ -3976,6 +3993,7 @@ SendErrorToClient(ClientPtr client, unsigned majorCode, unsigned minorCode, { xError rep; + memset(&rep, 0, sizeof(xError)); rep.type = X_Error; rep.sequenceNumber = client->sequence; rep.errorCode = errorCode; diff --git a/nx-X11/programs/Xserver/dix/dixfonts.c b/nx-X11/programs/Xserver/dix/dixfonts.c index 9a8b09993..c7f00ce47 100644 --- a/nx-X11/programs/Xserver/dix/dixfonts.c +++ b/nx-X11/programs/Xserver/dix/dixfonts.c @@ -850,6 +850,7 @@ finish: for (i = 0; i < nnames; i++) stringLens += (names->length[i] <= 255) ? names->length[i] : 0; + memset(&reply, 0, sizeof(xListFontsReply)); reply.type = X_Reply; reply.length = (stringLens + nnames + 3) >> 2; reply.nFonts = nnames; @@ -1102,6 +1103,7 @@ doListFontsWithInfo(ClientPtr client, LFWIclosurePtr c) err = AllocError; break; } + memset(reply + c->length, 0, length - c->length); c->reply = reply; c->length = length; } diff --git a/nx-X11/programs/Xserver/dix/events.c b/nx-X11/programs/Xserver/dix/events.c index 4373673f9..9d1ebe7d0 100644 --- a/nx-X11/programs/Xserver/dix/events.c +++ b/nx-X11/programs/Xserver/dix/events.c @@ -3733,6 +3733,7 @@ ProcGetInputFocus(ClientPtr client) FocusClassPtr focus = inputInfo.keyboard->focus; REQUEST_SIZE_MATCH(xReq); + memset(&rep, 0, sizeof(xGetInputFocusReply)); rep.type = X_Reply; rep.length = 0; rep.sequenceNumber = client->sequence; 
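Review bot: In the doListFontsWithInfo hunk, `memset(reply + c->length, 0, length - c->length);` appears to mix element and byte units. The third argument treats `c->length` and `length` as byte counts, but the declaration of `reply` is outside the hunk. If it is a pointer to the reply structure rather than a `char *`, then `reply + c->length` advances by `c->length` structures, and the memset would write far past the buffer instead of clearing the newly grown tail. Doing the offset on a byte pointer keeps the units consistent: `memset((char *)reply + c->length, 0, length - c->length);`.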
@@ -3807,6 +3808,7 @@ ProcGrabPointer(ClientPtr client) } /* at this point, some sort of reply is guaranteed. */ time = ClientTimeToServerTime(stuff->time); + memset(&rep, 0, sizeof(xGrabPointerReply)); rep.type = X_Reply; rep.sequenceNumber = client->sequence; rep.length = 0; @@ -3982,6 +3984,7 @@ ProcGrabKeyboard(ClientPtr client) int result; REQUEST_SIZE_MATCH(xGrabKeyboardReq); + memset(&rep, 0, sizeof(xGrabKeyboardReply)); #ifdef XCSECURITY if (!SecurityCheckDeviceAccess(client, inputInfo.keyboard, TRUE)) { @@ -4036,6 +4039,7 @@ ProcQueryPointer(ClientPtr client) return BadWindow; if (mouse->valuator->motionHintWindow) MaybeStopHint(mouse, client); + memset(&rep, 0, sizeof(xQueryPointerReply)); rep.type = X_Reply; rep.sequenceNumber = client->sequence; rep.mask = mouse->button->state | inputInfo.keyboard->key->state; diff --git a/nx-X11/programs/Xserver/dix/extension.c b/nx-X11/programs/Xserver/dix/extension.c index 270d54f9b..19333c151 100644 --- a/nx-X11/programs/Xserver/dix/extension.c +++ b/nx-X11/programs/Xserver/dix/extension.c @@ -313,6 +313,7 @@ ProcQueryExtension(ClientPtr client) REQUEST_FIXED_SIZE(xQueryExtensionReq, stuff->nbytes); + memset(&reply, 0, sizeof(xQueryExtensionReply)); reply.type = X_Reply; reply.length = 0; reply.major_opcode = 0; @@ -352,6 +353,7 @@ ProcListExtensions(ClientPtr client) REQUEST_SIZE_MATCH(xReq); + memset(&reply, 0, sizeof(xListExtensionsReply)); reply.type = X_Reply; reply.nExtensions = 0; reply.length = 0; diff --git a/nx-X11/programs/Xserver/dix/main.c b/nx-X11/programs/Xserver/dix/main.c index 270de6ced..b7452c5c2 100644 --- a/nx-X11/programs/Xserver/dix/main.c +++ b/nx-X11/programs/Xserver/dix/main.c @@ -534,6 +534,7 @@ CreateConnectionBlock() char *pBuf; + memset(&setup, 0, sizeof(xConnSetup)); /* Leave off the ridBase and ridMask, these must be sent with connection */ 
@@ -574,6 +575,7 @@ CreateConnectionBlock() while (--i >= 0) *pBuf++ = 0; + memset(&format, 0, sizeof(xPixmapFormat)); for (i=0; inext; } + memset(&reply, 0, sizeof(xGetPropertyReply)); reply.type = X_Reply; reply.sequenceNumber = client->sequence; if (!pProp) diff --git a/nx-X11/programs/Xserver/dix/window.c b/nx-X11/programs/Xserver/dix/window.c index c060f4a23..b65bda0e3 100644 --- a/nx-X11/programs/Xserver/dix/window.c +++ b/nx-X11/programs/Xserver/dix/window.c @@ -774,6 +774,7 @@ CreateWindow(Window wid, register WindowPtr pParent, int x, int y, unsigned w, if (SubSend(pParent)) { + memset(&event, 0, sizeof(xEvent)); event.u.u.type = CreateNotify; event.u.createNotify.window = wid; event.u.createNotify.parent = pParent->drawable.id; @@ -841,6 +842,7 @@ CrushTree(WindowPtr pWin) pParent = pChild->parent; if (SubStrSend(pChild, pParent)) { + memset(&event, 0, sizeof(xEvent)); event.u.u.type = DestroyNotify; event.u.destroyNotify.window = pChild->drawable.id; DeliverEvents(pChild, &event, 1, NullWindow); @@ -890,6 +892,7 @@ DeleteWindow(pointer value, XID wid) pParent = pWin->parent; if (wid && pParent && SubStrSend(pWin, pParent)) { + memset(&event, 0, sizeof(xEvent)); event.u.u.type = DestroyNotify; event.u.destroyNotify.window = pWin->drawable.id; DeliverEvents(pWin, &event, 1, NullWindow); @@ -2306,6 +2309,7 @@ ConfigureWindow(register WindowPtr pWin, register Mask mask, XID *vlist, ClientP #endif )) { + memset(&event, 0, sizeof(xEvent)); event.u.u.type = ConfigureRequest; event.u.configureRequest.window = pWin->drawable.id; if (mask & CWSibling) @@ -2350,6 +2354,7 @@ ConfigureWindow(register WindowPtr pWin, register Mask mask, XID *vlist, ClientP if (size_change && ((pWin->eventMask|wOtherEventMasks(pWin)) & ResizeRedirectMask)) { xEvent eventT; + memset(&eventT, 0, sizeof(xEvent)); eventT.u.u.type = ResizeRequest; eventT.u.resizeRequest.window = pWin->drawable.id; eventT.u.resizeRequest.width = w; 
@@ -2396,6 +2401,7 @@ ConfigureWindow(register WindowPtr pWin, register Mask mask, XID *vlist, ClientP ActuallyDoSomething: if (SubStrSend(pWin, pParent)) { + memset(&event, 0, sizeof(xEvent)); event.u.u.type = ConfigureNotify; event.u.configureNotify.window = pWin->drawable.id; if (pSib) @@ -2552,6 +2558,7 @@ ReparentWindow(register WindowPtr pWin, register WindowPtr pParent, if (WasMapped) UnmapWindow(pWin, FALSE); + memset(&event, 0, sizeof(xEvent)); event.u.u.type = ReparentNotify; event.u.reparent.window = pWin->drawable.id; event.u.reparent.parent = pParent->drawable.id; @@ -2708,6 +2715,7 @@ MapWindow(register WindowPtr pWin, ClientPtr client) #endif )) { + memset(&event, 0, sizeof(xEvent)); event.u.u.type = MapRequest; event.u.mapRequest.window = pWin->drawable.id; #ifdef XAPPGROUP @@ -2730,6 +2738,7 @@ MapWindow(register WindowPtr pWin, ClientPtr client) pWin->mapped = TRUE; if (SubStrSend(pWin, pParent)) { + memset(&event, 0, sizeof(xEvent)); event.u.u.type = MapNotify; event.u.mapNotify.window = pWin->drawable.id; event.u.mapNotify.override = pWin->overrideRedirect; @@ -2820,6 +2829,7 @@ MapSubwindows(register WindowPtr pParent, ClientPtr client) { if (parentRedirect && !pWin->overrideRedirect) { + memset(&event, 0, sizeof(xEvent)); event.u.u.type = MapRequest; event.u.mapRequest.window = pWin->drawable.id; event.u.mapRequest.parent = pParent->drawable.id; @@ -2832,6 +2842,7 @@ MapSubwindows(register WindowPtr pParent, ClientPtr client) pWin->mapped = TRUE; if (parentNotify || StrSend(pWin)) { + memset(&event, 0, sizeof(xEvent)); event.u.u.type = MapNotify; event.u.mapNotify.window = pWin->drawable.id; event.u.mapNotify.override = pWin->overrideRedirect; @@ -2985,6 +2996,7 @@ UnmapWindow(register WindowPtr pWin, Bool fromConfigure) return(Success); if (SubStrSend(pWin, pParent)) { + memset(&event, 0, sizeof(xEvent)); event.u.u.type = UnmapNotify; event.u.unmapNotify.window = pWin->drawable.id; event.u.unmapNotify.fromConfigure = fromConfigure; 
@@ -3279,6 +3291,7 @@ SendVisibilityNotify(WindowPtr pWin) } #endif + memset(&event, 0, sizeof(xEvent)); event.u.u.type = VisibilityNotify; event.u.visibility.window = pWin->drawable.id; event.u.visibility.state = visibility; -- cgit v1.2.3