From d088698324d5e71cb93ccd429f084729ba07872c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Peter=20=C3=85strand?= Date: Fri, 13 Feb 2009 10:23:28 +0100 Subject: Backport: xserver: Avoid sending uninitialized padding data over the network Signed-off-by: Peter Hutterer --- nx-X11/programs/Xserver/hw/nxagent/Keyboard.c | 2 ++ nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c | 20 +++++++++++++++++++- nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c | 2 ++ nx-X11/programs/Xserver/hw/nxagent/NXevents.c | 6 ++++++ nx-X11/programs/Xserver/hw/nxagent/NXextension.c | 2 ++ nx-X11/programs/Xserver/hw/nxagent/NXmiexpose.c | 3 ++- nx-X11/programs/Xserver/hw/nxagent/NXproperty.c | 1 + nx-X11/programs/Xserver/hw/nxagent/NXrender.c | 2 ++ nx-X11/programs/Xserver/hw/nxagent/NXshm.c | 1 + nx-X11/programs/Xserver/hw/nxagent/NXwindow.c | 13 +++++++++++++ 10 files changed, 50 insertions(+), 2 deletions(-) (limited to 'nx-X11/programs/Xserver/hw/nxagent') diff --git a/nx-X11/programs/Xserver/hw/nxagent/Keyboard.c b/nx-X11/programs/Xserver/hw/nxagent/Keyboard.c index a51d19e81..9c89b555f 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/Keyboard.c +++ b/nx-X11/programs/Xserver/hw/nxagent/Keyboard.c @@ -1214,6 +1214,7 @@ void nxagentNotifyKeyboardChanges(int oldMinKeycode, int oldMaxKeycode) dev = inputInfo.keyboard; xkb = dev -> key -> xkbInfo -> desc; + memset(&nkn, 0, sizeof(xkbNewKeyboardNotify)); nkn.deviceID = nkn.oldDeviceID = dev -> id; nkn.minKeyCode = 8; nkn.maxKeyCode = 255; @@ -1233,6 +1234,7 @@ void nxagentNotifyKeyboardChanges(int oldMinKeycode, int oldMaxKeycode) int i; xEvent event; + memset(&event, 0, sizeof(xEvent)); event.u.u.type = MappingNotify; event.u.mappingNotify.request = MappingKeyboard; event.u.mappingNotify.firstKeyCode = inputInfo.keyboard -> key -> curKeySyms.minKeyCode; diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c index 0ed7277a1..ea4f59d19 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c @@ -931,6 +931,7 @@ ProcGetWindowAttributes(register ClientPtr client) SecurityReadAccess); if (!pWin) return(BadWindow); + memset(&wa, 0, sizeof(xGetWindowAttributesReply)); GetWindowAttributes(pWin, client, &wa); WriteReplyToClient(client, sizeof(xGetWindowAttributesReply), &wa); return(client->noClientException); @@ -1155,6 +1156,7 @@ GetGeometry(register ClientPtr client, xGetGeometryReply *rep) REQUEST_SIZE_MATCH(xResourceReq); SECURITY_VERIFY_GEOMETRABLE (pDraw, stuff->id, client, SecurityReadAccess); + memset(rep, 0, sizeof(xGetGeometryReply)); rep->type = X_Reply; rep->length = 0; rep->sequenceNumber = client->sequence; @@ -1216,6 +1218,7 @@ ProcQueryTree(register ClientPtr client) SecurityReadAccess); if (!pWin) return(BadWindow); + memset(&reply, 0, sizeof(xQueryTreeReply)); reply.type = X_Reply; reply.root = WindowTable[pWin->drawable.pScreen->myNum]->drawable.id; reply.sequenceNumber = client->sequence; @@ -1279,6 +1282,7 @@ ProcInternAtom(register ClientPtr client) if (atom != BAD_RESOURCE) { xInternAtomReply reply; + memset(&reply, 0, sizeof(xInternAtomReply)); reply.type = X_Reply; reply.length = 0; reply.sequenceNumber = client->sequence; @@ -1302,6 +1306,7 @@ ProcGetAtomName(register ClientPtr client) if ( (str = NameForAtom(stuff->id)) ) { len = strlen(str); + memset(&reply, 0, sizeof(xGetAtomNameReply)); reply.type = X_Reply; reply.length = (len + 3) >> 2; reply.sequenceNumber = client->sequence; @@ -1441,6 +1446,7 @@ ProcGetSelectionOwner(register ClientPtr client) i = 0; while ((i < NumCurrentSelections) && CurrentSelections[i].selection != stuff->id) i++; + memset(&reply, 0, sizeof(xGetSelectionOwnerReply)); reply.type = X_Reply; reply.length = 0; reply.sequenceNumber = client->sequence; @@ -1512,7 +1518,9 @@ ProcConvertSelection(register ClientPtr client) CurrentSelections[i].pWin)) #endif ) + { + memset(&event, 0, sizeof(xEvent)); event.u.u.type = SelectionRequest; event.u.selectionRequest.time = stuff->time; event.u.selectionRequest.owner = @@ -1526,6 +1534,7 @@ ProcConvertSelection(register ClientPtr client) NoEventMask /* CantBeFiltered */, NullGrab)) return (client->noClientException); } + memset(&event, 0, sizeof(xEvent)); event.u.u.type = SelectionNotify; event.u.selectionNotify.time = stuff->time; event.u.selectionNotify.requestor = stuff->requestor; @@ -1622,6 +1631,7 @@ ProcTranslateCoords(register ClientPtr client) SecurityReadAccess); if (!pDst) return(BadWindow); + memset(&rep, 0, sizeof(xTranslateCoordsReply)); rep.type = X_Reply; rep.length = 0; rep.sequenceNumber = client->sequence; @@ -1850,6 +1860,7 @@ ProcQueryFont(register ClientPtr client) { return(BadAlloc); } + memset(reply, 0, rlength); reply->type = X_Reply; reply->length = (rlength - sizeof(xGenericReply)) >> 2; @@ -2659,6 +2670,7 @@ DoGetImage(register ClientPtr client, int format, Drawable drawable, return(BadValue); } SECURITY_VERIFY_DRAWABLE(pDraw, drawable, client, SecurityReadAccess); + memset(&xgi, 0, sizeof(xGetImageReply)); if(pDraw->type == DRAWABLE_WINDOW) { if( /* check for being viewable */ @@ -2712,9 +2724,10 @@ DoGetImage(register ClientPtr client, int format, Drawable drawable, xgi.length = length; if (im_return) { - pBuf = (char *)xalloc(sz_xGetImageReply + length); + pBuf = (char *)xcalloc(1, sz_xGetImageReply + length); if (!pBuf) return (BadAlloc); + if (widthBytesLine == 0) linesPerBuf = 0; else @@ -2752,6 +2765,7 @@ DoGetImage(register ClientPtr client, int format, Drawable drawable, } if(!(pBuf = (char *) ALLOCATE_LOCAL(length))) return (BadAlloc); + memset(pBuf, 0, length); WriteReplyToClient(client, sizeof (xGetImageReply), &xgi); } @@ -3520,6 +3534,7 @@ ProcQueryColors(register ClientPtr client) prgbs = (xrgb *)ALLOCATE_LOCAL(count * sizeof(xrgb)); if(!prgbs && count) return(BadAlloc); + memset(prgbs, 0, count * sizeof(xrgb)); if( (retval = QueryColors(pcmp, count, (Pixel *)&stuff[1], prgbs)) ) { if (prgbs) DEALLOCATE_LOCAL(prgbs); @@ -3531,6 +3546,7 @@ ProcQueryColors(register ClientPtr client) return (retval); } } + memset(&qcr, 0, sizeof(xQueryColorsReply)); qcr.type = X_Reply; qcr.length = (count * sizeof(xrgb)) >> 2; qcr.sequenceNumber = client->sequence; @@ -3755,6 +3771,7 @@ ProcQueryBestSize (register ClientPtr client) pScreen = pDraw->pScreen; (* pScreen->QueryBestSize)(stuff->class, &stuff->width, &stuff->height, pScreen); + memset(&reply, 0, sizeof(xQueryBestSizeReply)); reply.type = X_Reply; reply.length = 0; reply.sequenceNumber = client->sequence; @@ -4623,6 +4640,7 @@ SendErrorToClient(ClientPtr client, unsigned majorCode, unsigned minorCode, { xError rep; + memset(&rep, 0, sizeof(xError)); rep.type = X_Error; rep.sequenceNumber = client->sequence; rep.errorCode = errorCode; diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c b/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c index 5622f8cee..828b9bf4c 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c @@ -929,6 +929,7 @@ finish: for (i = 0; i < nnames; i++) stringLens += (names->length[i] <= 255) ? names->length[i] : 0; + memset(&reply, 0, sizeof(xListFontsReply)); reply.type = X_Reply; reply.length = (stringLens + nnames + 3) >> 2; reply.nFonts = nnames; @@ -1227,6 +1228,7 @@ doListFontsWithInfo(ClientPtr client, LFWIclosurePtr c) err = AllocError; break; } + memset(reply + c->length, 0, length - c->length); c->reply = reply; c->length = length; } diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXevents.c b/nx-X11/programs/Xserver/hw/nxagent/NXevents.c index c5593adbb..872a02ce5 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/NXevents.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXevents.c @@ -3606,6 +3606,7 @@ EnterLeaveEvent( } if (mask & filters[type]) { + memset(&event, 0, sizeof(xEvent)); event.u.u.type = type; event.u.u.detail = detail; event.u.enterLeave.time = currentTime.milliseconds; @@ -4024,6 +4025,7 @@ ProcGetInputFocus(ClientPtr client) FocusClassPtr focus = inputInfo.keyboard->focus; REQUEST_SIZE_MATCH(xReq); + memset(&rep, 0, sizeof(xGetInputFocusReply)); rep.type = X_Reply; rep.length = 0; rep.sequenceNumber = client->sequence; @@ -4104,6 +4106,7 @@ ProcGrabPointer(ClientPtr client) } /* at this point, some sort of reply is guaranteed. */ time = ClientTimeToServerTime(stuff->time); + memset(&rep, 0, sizeof(xGrabPointerReply)); rep.type = X_Reply; rep.sequenceNumber = client->sequence; rep.length = 0; @@ -4321,6 +4324,8 @@ ProcGrabKeyboard(ClientPtr client) } #endif REQUEST_SIZE_MATCH(xGrabKeyboardReq); + memset(&rep, 0, sizeof(xGrabKeyboardReply)); + #ifdef XCSECURITY if (!SecurityCheckDeviceAccess(client, inputInfo.keyboard, TRUE)) { @@ -4399,6 +4404,7 @@ ProcQueryPointer(ClientPtr client) return BadWindow; if (mouse->valuator->motionHintWindow) MaybeStopHint(mouse, client); + memset(&rep, 0, sizeof(xQueryPointerReply)); rep.type = X_Reply; rep.sequenceNumber = client->sequence; rep.mask = mouse->button->state | inputInfo.keyboard->key->state; diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXextension.c b/nx-X11/programs/Xserver/hw/nxagent/NXextension.c index ead9b9d28..f964e2fd8 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/NXextension.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXextension.c @@ -332,6 +332,7 @@ ProcQueryExtension(ClientPtr client) REQUEST_FIXED_SIZE(xQueryExtensionReq, stuff->nbytes); + memset(&reply, 0, sizeof(xQueryExtensionReply)); reply.type = X_Reply; reply.length = 0; reply.major_opcode = 0; @@ -378,6 +379,7 @@ ProcListExtensions(ClientPtr client) REQUEST_SIZE_MATCH(xReq); + memset(&reply, 0, sizeof(xListExtensionsReply)); reply.type = X_Reply; reply.nExtensions = 0; reply.length = 0; diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXmiexpose.c b/nx-X11/programs/Xserver/hw/nxagent/NXmiexpose.c index 3fc73cf3b..125f1b1c4 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/NXmiexpose.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXmiexpose.c @@ -457,6 +457,7 @@ miSendGraphicsExpose (client, pRgn, drawable, major, minor) else { xEvent event; + memset(&event, 0, sizeof(xEvent)); event.u.u.type = NoExpose; event.u.noExposure.drawable = drawable; event.u.noExposure.majorEvent = major; @@ -482,7 +483,7 @@ miSendExposures(pWin, pRgn, dx, dy) numRects = REGION_NUM_RECTS(pRgn); if(!(pEvent = (xEvent *) ALLOCATE_LOCAL(numRects * sizeof(xEvent)))) return; - + memset(pEvent, 0, numRects * sizeof(xEvent)); for (i=numRects, pe = pEvent; --i >= 0; pe++, pBox++) { pe->u.u.type = Expose; diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXproperty.c b/nx-X11/programs/Xserver/hw/nxagent/NXproperty.c index cd1ec6ddd..ee2d6da94 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/NXproperty.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXproperty.c @@ -620,6 +620,7 @@ ProcGetProperty(ClientPtr client) pProp = pProp->next; } + memset(&reply, 0, sizeof(xGetPropertyReply)); reply.type = X_Reply; reply.sequenceNumber = client->sequence; diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXrender.c b/nx-X11/programs/Xserver/hw/nxagent/NXrender.c index c2f6527a6..e34689399 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/NXrender.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXrender.c @@ -392,6 +392,7 @@ ProcRenderQueryVersion (ClientPtr client) pRenderClient->major_version = stuff->majorVersion; pRenderClient->minor_version = stuff->minorVersion; + memset(&rep, 0, sizeof(xRenderQueryVersionReply)); rep.type = X_Reply; rep.length = 0; rep.sequenceNumber = client->sequence; @@ -516,6 +517,7 @@ ProcRenderQueryPictFormats (ClientPtr client) reply = (xRenderQueryPictFormatsReply *) xalloc (rlength); if (!reply) return BadAlloc; + memset(reply, 0, rlength); reply->type = X_Reply; reply->sequenceNumber = client->sequence; reply->length = (rlength - sizeof(xGenericReply)) >> 2; diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXshm.c b/nx-X11/programs/Xserver/hw/nxagent/NXshm.c index eaaa92041..468dd480d 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/NXshm.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXshm.c @@ -401,6 +401,7 @@ ProcShmQueryVersion(client) register int n; REQUEST_SIZE_MATCH(xShmQueryVersionReq); + memset(&rep, 0, sizeof(xShmQueryVersionReply)); rep.type = X_Reply; rep.length = 0; rep.sequenceNumber = client->sequence; diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXwindow.c b/nx-X11/programs/Xserver/hw/nxagent/NXwindow.c index 76e86fd2a..bb28961d1 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/NXwindow.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXwindow.c @@ -960,6 +960,7 @@ CreateWindow(Window wid, register WindowPtr pParent, int x, int y, unsigned w, if (SubSend(pParent)) { + memset(&event, 0, sizeof(xEvent)); event.u.u.type = CreateNotify; event.u.createNotify.window = wid; event.u.createNotify.parent = pParent->drawable.id; @@ -1027,6 +1028,7 @@ CrushTree(WindowPtr pWin) pParent = pChild->parent; if (SubStrSend(pChild, pParent)) { + memset(&event, 0, sizeof(xEvent)); event.u.u.type = DestroyNotify; event.u.destroyNotify.window = pChild->drawable.id; DeliverEvents(pChild, &event, 1, NullWindow); @@ -1076,6 +1078,7 @@ DeleteWindow(pointer value, XID wid) pParent = pWin->parent; if (wid && pParent && SubStrSend(pWin, pParent)) { + memset(&event, 0, sizeof(xEvent)); event.u.u.type = DestroyNotify; event.u.destroyNotify.window = pWin->drawable.id; DeliverEvents(pWin, &event, 1, NullWindow); @@ -2562,6 +2565,7 @@ ConfigureWindow(register WindowPtr pWin, register Mask mask, XID *vlist, ClientP #endif )) { + memset(&event, 0, sizeof(xEvent)); event.u.u.type = ConfigureRequest; event.u.configureRequest.window = pWin->drawable.id; if (mask & CWSibling) @@ -2606,6 +2610,7 @@ ConfigureWindow(register WindowPtr pWin, register Mask mask, XID *vlist, ClientP if (size_change && ((pWin->eventMask|wOtherEventMasks(pWin)) & ResizeRedirectMask)) { xEvent eventT; + memset(&eventT, 0, sizeof(xEvent)); eventT.u.u.type = ResizeRequest; eventT.u.resizeRequest.window = pWin->drawable.id; eventT.u.resizeRequest.width = w; @@ -2652,6 +2657,7 @@ ConfigureWindow(register WindowPtr pWin, register Mask mask, XID *vlist, ClientP ActuallyDoSomething: if (SubStrSend(pWin, pParent)) { + memset(&event, 0, sizeof(xEvent)); event.u.u.type = ConfigureNotify; event.u.configureNotify.window = pWin->drawable.id; if (pSib) @@ -2825,6 +2831,7 @@ ReparentWindow(register WindowPtr pWin, register WindowPtr pParent, if (WasMapped) UnmapWindow(pWin, FALSE); + memset(&event, 0, sizeof(xEvent)); event.u.u.type = ReparentNotify; event.u.reparent.window = pWin->drawable.id; event.u.reparent.parent = pParent->drawable.id; @@ -2996,6 +3003,7 @@ MapWindow(register WindowPtr pWin, ClientPtr client) #endif )) { + memset(&event, 0, sizeof(xEvent)); event.u.u.type = MapRequest; event.u.mapRequest.window = pWin->drawable.id; #ifdef XAPPGROUP @@ -3018,6 +3026,7 @@ MapWindow(register WindowPtr pWin, ClientPtr client) pWin->mapped = TRUE; if (SubStrSend(pWin, pParent)) { + memset(&event, 0, sizeof(xEvent)); event.u.u.type = MapNotify; event.u.mapNotify.window = pWin->drawable.id; event.u.mapNotify.override = pWin->overrideRedirect; @@ -3110,6 +3119,7 @@ MapSubwindows(register WindowPtr pParent, ClientPtr client) { if (parentRedirect && !pWin->overrideRedirect) { + memset(&event, 0, sizeof(xEvent)); event.u.u.type = MapRequest; event.u.mapRequest.window = pWin->drawable.id; event.u.mapRequest.parent = pParent->drawable.id; @@ -3122,6 +3132,7 @@ MapSubwindows(register WindowPtr pParent, ClientPtr client) pWin->mapped = TRUE; if (parentNotify || StrSend(pWin)) { + memset(&event, 0, sizeof(xEvent)); event.u.u.type = MapNotify; event.u.mapNotify.window = pWin->drawable.id; event.u.mapNotify.override = pWin->overrideRedirect; @@ -3283,6 +3294,7 @@ UnmapWindow(register WindowPtr pWin, Bool fromConfigure) return(Success); if (SubStrSend(pWin, pParent)) { + memset(&event, 0, sizeof(xEvent)); event.u.u.type = UnmapNotify; event.u.unmapNotify.window = pWin->drawable.id; event.u.unmapNotify.fromConfigure = fromConfigure; @@ -3577,6 +3589,7 @@ SendVisibilityNotify(WindowPtr pWin) } #endif + memset(&event, 0, sizeof(xEvent)); event.u.u.type = VisibilityNotify; event.u.visibility.window = pWin->drawable.id; event.u.visibility.state = visibility; -- cgit v1.2.3