| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The length checking code validates PutImage height and byte width by
making sure that byte-width >= INT32_MAX / height. If height is zero,
this generates a divide by zero exception. Allow zero height requests
explicitly, bypassing the INT32_MAX check.
v2: backports to VcXsrv 1.15.2.x (Mike DePaulo)
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
| |
|
| |
|
| |
|
|
|
|
| |
(GitHub Issue #1)
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
Conflicts:
openssl/Makefile
openssl/Makefile.bak
openssl/crypto/cryptlib.c
|
| |
|
|
|
|
| |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We use 32-bit ints to read from the bdf file, but then try to stick
into a 16-bit int in the xCharInfo struct, so make sure they won't
overflow that range.
Found by afl-1.24b.
v2: Verify that additions won't overflow 32-bit int range either.
v3: As Julien correctly observes, the previous check for bh & bw not
being < 0 reduces the number of cases we need to check for overflow.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 2351c83a77a478b49cba6beb2ad386835e264744)
|
|
|
|
|
|
|
|
|
|
|
| |
Previously would charge on ahead with a NULL pointer in ci->bits, and
then crash later in FontCharInkMetrics() trying to access the bits.
Found with afl-1.23b.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 78c2e3d70d29698244f70164428bd2868c0ab34c)
|
|
|
|
|
|
|
|
|
|
| |
Avoid integer overflow or underflow when allocating memory arrays
by multiplying the number of properties reported for a BDF font.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e)
|
|
|
|
|
|
| |
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Thomas Klausner <wiz@NetBSD.org>
(cherry picked from commit d9fda3d247942292a5f24694c22337c547006e11)
|
|
|
|
| |
with CVE-2015-2157 fix)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The absence of these could have prevented sensitive private key
information from being properly cleared out of memory that PuTTY tools
had finished with.
Thanks to Patrick Coleman for spotting this and sending a patch.
Origin: upstream, http://tartarus.org/~simon-git/gitweb/?p=putty.git;a=commitdiff;h=65f69bca7363ceceeac515ae2a82b8f8adc6404d
Bug: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html
Bug-Debian: http://bugs.debian.org/779488
Patch-Name: private-key-not-wiped-2.patch
|
| |
|
|
|
| |
These branch names are based on the X2Go convention for branch names.
|
| |
|
| |
|
|\
| |
| |
| | |
1.15.2.x
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
|/ |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
Conflicts:
xorg-server/hw/xwin/XWin.rc
xorg-server/installer/vcxsrv-64-debug.nsi
xorg-server/installer/vcxsrv-64.nsi
xorg-server/installer/vcxsrv-debug.nsi
xorg-server/installer/vcxsrv.nsi
|
| |
|
|
|
|
|
|
|
| |
Conflicts:
freetype/src/base/ftbdf.c
freetype/src/base/fttype1.c
freetype/src/pfr/pfrobjs.c
|
| |
|
|
|
|
|
|
| |
Also, community edition is supposed to have the same features as Professional,
so we can safely assume that Professional and other commercial editions
will work fine.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ensure that the given strings length in an XkbSetGeometry request remain
within the limits of the size of the request.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 20079c36cf7d377938ca5478447d8b9045cb7d43)
(cherry picked from commit f160e722672dbb2b5215870b47bcc51461d96ff1)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The XkbSetGeometry request embeds data which needs to be swapped when the
server and the client have different endianess.
_XkbSetGeometry() invokes functions that swap these data directly in the
input buffer.
However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
(if there is more than one keyboard), thus causing on swapped clients the
same data to be swapped twice in memory, further causing a server crash
because the strings lengths on the second time are way off bounds.
To allow _XkbSetGeometry() to run reliably more than once with swapped
clients, do not swap the data in the buffer, use variables instead.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd)
(cherry picked from commit 29be310c303914090298ddda93a5bd5d00a94945)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
| |
|
| |
|
|
|
|
|
| |
Conflicts:
openssl/Makefile
|
| |
|
|
|
|
| |
1.15.1)
|
| |
|
| |
|