Compare commits
No commits in common. 'c10-beta' and 'c9' have entirely different histories.
@ -1 +1 @@
|
||||
SOURCES/libX11-1.8.7.tar.xz
|
||||
SOURCES/libX11-1.7.0.tar.bz2
|
||||
|
||||
@ -1 +1 @@
|
||||
034271312467ea99699fb8d926118d395e33a663 SOURCES/libX11-1.8.7.tar.xz
|
||||
48fd27a11572a7d3c1014368e1dc9f40a7b23e7d SOURCES/libX11-1.7.0.tar.bz2
|
||||
|
||||
@ -1,52 +0,0 @@
|
||||
From 751fbc59c30604980fdd19cb4b333d3cf2eccb24 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Fri, 21 Jun 2024 14:37:24 +0200
|
||||
Subject: [PATCH] Fix deadlock in XRebindKeysym()
|
||||
|
||||
Xlib is now built with threading support enabled from the constructor
|
||||
by default.
|
||||
|
||||
XRebindKeysym() acquires the display lock, then calls:
|
||||
|
||||
| XRebindKeysym()
|
||||
| LockDisplay()
|
||||
| ComputeMaskFromKeytrans()
|
||||
| -> XkbKeysymToModifiers()
|
||||
| -> _XkbLoadDpy()
|
||||
| -> XkbGetMap()
|
||||
| -> XkbGetUpdatedMap()
|
||||
| LockDisplay()
|
||||
|
||||
And the dead lock:
|
||||
|
||||
| Xlib ERROR: XKBGetMap.c line 575 thread 1fc6e580: locking display already
|
||||
| locked at KeyBind.c line 937
|
||||
|
||||
To avoid the issue, call ComputeMaskFromKeytrans() from outside the display
|
||||
lock.
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Closes: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/216
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/256>
|
||||
---
|
||||
src/KeyBind.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/KeyBind.c b/src/KeyBind.c
|
||||
index a8181b91..a5e22131 100644
|
||||
--- a/src/KeyBind.c
|
||||
+++ b/src/KeyBind.c
|
||||
@@ -958,8 +958,9 @@ XRebindKeysym (
|
||||
memcpy ((char *) p->modifiers, (char *) mlist, (size_t) nb);
|
||||
p->key = keysym;
|
||||
p->mlen = nm;
|
||||
- ComputeMaskFromKeytrans(dpy, p);
|
||||
UnlockDisplay(dpy);
|
||||
+ ComputeMaskFromKeytrans(dpy, p);
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
|
||||
--
|
||||
2.45.2
|
||||
|
||||
@ -1,49 +0,0 @@
|
||||
From 4f5541193dd5a004ed5ea44c12fc25e227113c9b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
|
||||
Date: Tue, 30 Apr 2024 16:37:21 +0200
|
||||
Subject: [PATCH 1/6] Fix use of uninitialized variable in _XimTriggerNotify
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
`_XimRead()` is being called with `reply` as target buffer instead of
|
||||
using `preply`, accessing uninitialized memory a few lines later.
|
||||
|
||||
This error has been found by a static analysis tool. This is the report:
|
||||
|
||||
Error: UNINIT (CWE-457):
|
||||
libX11-1.8.7/modules/im/ximcp/imDefLkup.c:561: alloc_fn:
|
||||
Calling "malloc" which returns uninitialized memory.
|
||||
libX11-1.8.7/modules/im/ximcp/imDefLkup.c:561: assign:
|
||||
Assigning: "preply" = "malloc((size_t)((len == 0) ? 1 : len))",
|
||||
which points to uninitialized data.
|
||||
libX11-1.8.7/modules/im/ximcp/imDefLkup.c:573: uninit_use:
|
||||
Using uninitialized value "*((CARD8 *)preply)".
|
||||
# 571| }
|
||||
# 572| buf_s = (CARD16 *)((char *)preply + XIM_HEADER_SIZE);
|
||||
# 573|-> if (*((CARD8 *)preply) == XIM_ERROR) {
|
||||
# 574| _XimProcError(im, 0, (XPointer)&buf_s[3]);
|
||||
# 575| if(reply != preply)
|
||||
|
||||
Signed-off-by: José Expósito <jexposit@redhat.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
|
||||
---
|
||||
modules/im/ximcp/imDefLkup.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/modules/im/ximcp/imDefLkup.c b/modules/im/ximcp/imDefLkup.c
|
||||
index 2e53ab23..8ccaee26 100644
|
||||
--- a/modules/im/ximcp/imDefLkup.c
|
||||
+++ b/modules/im/ximcp/imDefLkup.c
|
||||
@@ -635,7 +635,7 @@ _XimTriggerNotify(
|
||||
} else {
|
||||
buf_size = len;
|
||||
preply = Xmalloc(len);
|
||||
- ret_code = _XimRead(im, &len, (XPointer)reply, buf_size,
|
||||
+ ret_code = _XimRead(im, &len, preply, buf_size,
|
||||
_XimTriggerNotifyCheck, (XPointer)ic);
|
||||
if(ret_code != XIM_TRUE) {
|
||||
Xfree(preply);
|
||||
--
|
||||
2.45.2
|
||||
|
||||
@ -0,0 +1,108 @@
|
||||
From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Sat, 10 Jun 2023 16:30:07 -0700
|
||||
Subject: [PATCH libX11] InitExt.c: Add bounds checks for extension request,
|
||||
event, & error codes
|
||||
|
||||
Fixes CVE-2023-3138: X servers could return values from XQueryExtension
|
||||
that would cause Xlib to write entries out-of-bounds of the arrays to
|
||||
store them, though this would only overwrite other parts of the Display
|
||||
struct, not outside the bounds allocated for that structure.
|
||||
|
||||
Reported-by: Gregory James DUCK <gjduck@gmail.com>
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 42 insertions(+)
|
||||
|
||||
diff --git a/src/InitExt.c b/src/InitExt.c
|
||||
index 4de46f15..afc00a6b 100644
|
||||
--- a/src/InitExt.c
|
||||
+++ b/src/InitExt.c
|
||||
@@ -33,6 +33,18 @@ from The Open Group.
|
||||
#include <X11/Xos.h>
|
||||
#include <stdio.h>
|
||||
|
||||
+/* The X11 protocol spec reserves events 64 through 127 for extensions */
|
||||
+#ifndef LastExtensionEvent
|
||||
+#define LastExtensionEvent 127
|
||||
+#endif
|
||||
+
|
||||
+/* The X11 protocol spec reserves requests 128 through 255 for extensions */
|
||||
+#ifndef LastExtensionRequest
|
||||
+#define FirstExtensionRequest 128
|
||||
+#define LastExtensionRequest 255
|
||||
+#endif
|
||||
+
|
||||
+
|
||||
/*
|
||||
* This routine is used to link a extension in so it will be called
|
||||
* at appropriate times.
|
||||
@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
|
||||
WireToEventType proc) /* routine to call when converting event */
|
||||
{
|
||||
register WireToEventType oldproc;
|
||||
+ if (event_number < 0 ||
|
||||
+ event_number > LastExtensionEvent) {
|
||||
+ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
|
||||
+ event_number);
|
||||
+ return (WireToEventType)_XUnknownWireEvent;
|
||||
+ }
|
||||
if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
|
||||
LockDisplay (dpy);
|
||||
oldproc = dpy->event_vec[event_number];
|
||||
@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie(
|
||||
)
|
||||
{
|
||||
WireToEventCookieType oldproc;
|
||||
+ if (extension < FirstExtensionRequest ||
|
||||
+ extension > LastExtensionRequest) {
|
||||
+ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
|
||||
+ extension);
|
||||
+ return (WireToEventCookieType)_XUnknownWireEventCookie;
|
||||
+ }
|
||||
if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie;
|
||||
LockDisplay (dpy);
|
||||
oldproc = dpy->generic_event_vec[extension & 0x7F];
|
||||
@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie(
|
||||
)
|
||||
{
|
||||
CopyEventCookieType oldproc;
|
||||
+ if (extension < FirstExtensionRequest ||
|
||||
+ extension > LastExtensionRequest) {
|
||||
+ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
|
||||
+ extension);
|
||||
+ return (CopyEventCookieType)_XUnknownCopyEventCookie;
|
||||
+ }
|
||||
if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
|
||||
LockDisplay (dpy);
|
||||
oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
|
||||
@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
|
||||
EventToWireType proc) /* routine to call when converting event */
|
||||
{
|
||||
register EventToWireType oldproc;
|
||||
+ if (event_number < 0 ||
|
||||
+ event_number > LastExtensionEvent) {
|
||||
+ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
|
||||
+ event_number);
|
||||
+ return (EventToWireType)_XUnknownNativeEvent;
|
||||
+ }
|
||||
if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
|
||||
LockDisplay (dpy);
|
||||
oldproc = dpy->wire_vec[event_number];
|
||||
@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError(
|
||||
WireToErrorType proc) /* routine to call when converting error */
|
||||
{
|
||||
register WireToErrorType oldproc = NULL;
|
||||
+ if (error_number < 0 ||
|
||||
+ error_number > LastExtensionError) {
|
||||
+ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
|
||||
+ error_number);
|
||||
+ return (WireToErrorType)_XDefaultWireError;
|
||||
+ }
|
||||
if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError;
|
||||
LockDisplay (dpy);
|
||||
if (!dpy->error_vec) {
|
||||
--
|
||||
2.41.0
|
||||
|
||||
@ -1,34 +0,0 @@
|
||||
From 5dfedaf4aa1a032ea6cb4e871abd2e065f798129 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Thu, 6 Jun 2024 16:25:26 +0200
|
||||
Subject: [PATCH 1/3] Revert "Fix XTS regression in XCopyColormapAndFree"
|
||||
|
||||
This change was to fix the next change that we are to revert as well.
|
||||
|
||||
This reverts commit 68c72a7341b114277ab232f2499ee3bd035af8a0.
|
||||
|
||||
Reviewed-by: Adam Jackson <ajax@redhat.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/254>
|
||||
---
|
||||
src/CopyCmap.c | 5 -----
|
||||
1 file changed, 5 deletions(-)
|
||||
|
||||
diff --git a/src/CopyCmap.c b/src/CopyCmap.c
|
||||
index b37aba73..b4954b01 100644
|
||||
--- a/src/CopyCmap.c
|
||||
+++ b/src/CopyCmap.c
|
||||
@@ -53,11 +53,6 @@ Colormap XCopyColormapAndFree(
|
||||
mid = req->mid = XAllocID(dpy);
|
||||
req->srcCmap = src_cmap;
|
||||
|
||||
- /* re-lock the display to keep XID handling in sync */
|
||||
- UnlockDisplay(dpy);
|
||||
- SyncHandle();
|
||||
- LockDisplay(dpy);
|
||||
-
|
||||
#if XCMS
|
||||
_XcmsCopyCmapRecAndFree(dpy, src_cmap, mid);
|
||||
#endif
|
||||
--
|
||||
2.45.2
|
||||
|
||||
@ -0,0 +1,43 @@
|
||||
From e92efc63acd7b377faa9e534f4bf52aaa86be2a9 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Tue, 27 Jul 2021 11:46:19 +1000
|
||||
Subject: [PATCH libX11] makekeys: handle the new _EVDEVK xorgproto symbols
|
||||
|
||||
These keys are all defined through a macro in the form:
|
||||
#define XF86XK_BrightnessAuto _EVDEVK(0x0F4)
|
||||
|
||||
The _EVDEVK macro is simply an offset of 0x10081000.
|
||||
Let's parse these lines correctly so those keysyms end up in our
|
||||
hashtables.
|
||||
|
||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
src/util/makekeys.c | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/src/util/makekeys.c b/src/util/makekeys.c
|
||||
index e847ef4c..4896cc53 100644
|
||||
--- a/src/util/makekeys.c
|
||||
+++ b/src/util/makekeys.c
|
||||
@@ -78,6 +78,18 @@ parse_line(const char *buf, char *key, KeySym *val, char *prefix)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+ /* See if we can parse one of the _EVDEVK symbols */
|
||||
+ i = sscanf(buf, "#define %127s _EVDEVK(0x%lx)", key, val);
|
||||
+ if (i == 2 && (tmp = strstr(key, "XK_"))) {
|
||||
+ memcpy(prefix, key, (size_t)(tmp - key));
|
||||
+ prefix[tmp - key] = '\0';
|
||||
+ tmp += 3;
|
||||
+ memmove(key, tmp, strlen(tmp) + 1);
|
||||
+
|
||||
+ *val += 0x10081000;
|
||||
+ return 1;
|
||||
+ }
|
||||
+
|
||||
/* Now try to catch alias (XK_foo XK_bar) definitions, and resolve them
|
||||
* immediately: if the target is in the form XF86XK_foo, we need to
|
||||
* canonicalise this to XF86foo before we do the lookup. */
|
||||
--
|
||||
2.31.1
|
||||
|
||||
@ -1,49 +0,0 @@
|
||||
From eaad761e24722b1743d3edee3383294bfb4947d6 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
|
||||
Date: Tue, 30 Apr 2024 16:41:40 +0200
|
||||
Subject: [PATCH 2/6] Fix use of uninitialized variable in _XimExtension
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
`_XimRead()` is being called with `reply` as target buffer instead of
|
||||
using `preply`, accessing uninitialized memory a few lines later.
|
||||
|
||||
This error has been found by a static analysis tool. This is the report:
|
||||
|
||||
Error: UNINIT (CWE-457):
|
||||
libX11-1.8.7/modules/im/ximcp/imExten.c:468: alloc_fn:
|
||||
Calling "malloc" which returns uninitialized memory.
|
||||
libX11-1.8.7/modules/im/ximcp/imExten.c:468: assign:
|
||||
Assigning: "preply" = "malloc((size_t)((buf_size == 0) ? 1 : buf_size))",
|
||||
which points to uninitialized data.
|
||||
libX11-1.8.7/modules/im/ximcp/imExten.c:479: uninit_use:
|
||||
Using uninitialized value "*((CARD8 *)preply)".
|
||||
# 477| return False;
|
||||
# 478| buf_s = (CARD16 *)((char *)preply + XIM_HEADER_SIZE);
|
||||
# 479|-> if (*((CARD8 *)preply) == XIM_ERROR) {
|
||||
# 480| _XimProcError(im, 0, (XPointer)&buf_s[3]);
|
||||
# 481| if(reply != preply)
|
||||
|
||||
Signed-off-by: José Expósito <jexposit@redhat.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
|
||||
---
|
||||
modules/im/ximcp/imExten.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/modules/im/ximcp/imExten.c b/modules/im/ximcp/imExten.c
|
||||
index c2e48a89..a25f00d0 100644
|
||||
--- a/modules/im/ximcp/imExten.c
|
||||
+++ b/modules/im/ximcp/imExten.c
|
||||
@@ -466,7 +466,7 @@ _XimExtension(
|
||||
} else {
|
||||
buf_size = len;
|
||||
preply = Xmalloc(buf_size);
|
||||
- ret_code = _XimRead(im, &len, reply, buf_size,
|
||||
+ ret_code = _XimRead(im, &len, preply, buf_size,
|
||||
_XimQueryExtensionCheck, 0);
|
||||
if(ret_code != XIM_TRUE) {
|
||||
Xfree(preply);
|
||||
--
|
||||
2.45.2
|
||||
|
||||
@ -1,92 +0,0 @@
|
||||
From 739fce4c12c7aa39112353d80c8a3bf25bdd5274 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Fri, 7 Jun 2024 09:07:39 +0200
|
||||
Subject: [PATCH 2/3] Revert "Protect colormap add/removal with display lock"
|
||||
|
||||
That commit 99a2cf1aa was moving the calls to the _Xcms*CmapRec*()
|
||||
family of functions within a display lock to make the XCMS colormap
|
||||
functions thread safe.
|
||||
|
||||
Unfortunately, that causes a deadlock in XCopyColormapAndFree(), because
|
||||
_XcmsCopyCmapRecAndFree() calls CmapRecForColormap() which calls
|
||||
XGetVisualInfo() which also tries to acquire the display lock.
|
||||
|
||||
So, instead of moving the entire functions within the display lock,
|
||||
let's try to make the functions themselves thread safe in the following
|
||||
commit, and revert this change which causes a deadlock.
|
||||
|
||||
This reverts commit 99a2cf1aa0b58391078d5d3edf0a7dab18c7745d.
|
||||
|
||||
Fixes: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/215
|
||||
See-also: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/94
|
||||
Reviewed-by: Adam Jackson <ajax@redhat.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/254>
|
||||
---
|
||||
src/CopyCmap.c | 6 +++---
|
||||
src/CrCmap.c | 6 +++---
|
||||
src/FreeCmap.c | 6 +++---
|
||||
3 files changed, 9 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/CopyCmap.c b/src/CopyCmap.c
|
||||
index b4954b01..5444550c 100644
|
||||
--- a/src/CopyCmap.c
|
||||
+++ b/src/CopyCmap.c
|
||||
@@ -53,12 +53,12 @@ Colormap XCopyColormapAndFree(
|
||||
mid = req->mid = XAllocID(dpy);
|
||||
req->srcCmap = src_cmap;
|
||||
|
||||
+ UnlockDisplay(dpy);
|
||||
+ SyncHandle();
|
||||
+
|
||||
#if XCMS
|
||||
_XcmsCopyCmapRecAndFree(dpy, src_cmap, mid);
|
||||
#endif
|
||||
|
||||
- UnlockDisplay(dpy);
|
||||
- SyncHandle();
|
||||
-
|
||||
return(mid);
|
||||
}
|
||||
diff --git a/src/CrCmap.c b/src/CrCmap.c
|
||||
index 1b18a15b..9904c7dd 100644
|
||||
--- a/src/CrCmap.c
|
||||
+++ b/src/CrCmap.c
|
||||
@@ -48,12 +48,12 @@ Colormap XCreateColormap(
|
||||
if (visual == CopyFromParent) req->visual = CopyFromParent;
|
||||
else req->visual = visual->visualid;
|
||||
|
||||
+ UnlockDisplay(dpy);
|
||||
+ SyncHandle();
|
||||
+
|
||||
#ifdef XCMS
|
||||
_XcmsAddCmapRec(dpy, mid, w, visual);
|
||||
#endif
|
||||
|
||||
- UnlockDisplay(dpy);
|
||||
- SyncHandle();
|
||||
-
|
||||
return(mid);
|
||||
}
|
||||
diff --git a/src/FreeCmap.c b/src/FreeCmap.c
|
||||
index 68496dd8..e2b76fa6 100644
|
||||
--- a/src/FreeCmap.c
|
||||
+++ b/src/FreeCmap.c
|
||||
@@ -41,12 +41,12 @@ XFreeColormap(
|
||||
LockDisplay(dpy);
|
||||
GetResReq(FreeColormap, cmap, req);
|
||||
|
||||
+ UnlockDisplay(dpy);
|
||||
+ SyncHandle();
|
||||
+
|
||||
#ifdef XCMS
|
||||
_XcmsDeleteCmapRec(dpy, cmap);
|
||||
#endif
|
||||
|
||||
- UnlockDisplay(dpy);
|
||||
- SyncHandle();
|
||||
-
|
||||
return 1;
|
||||
}
|
||||
--
|
||||
2.45.2
|
||||
|
||||
@ -1,47 +0,0 @@
|
||||
From 836a8f2cf5e930c8a56b512273fdf9890282ba04 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
|
||||
Date: Tue, 30 Apr 2024 16:49:26 +0200
|
||||
Subject: [PATCH 3/6] Fix use of uninitialized variable in
|
||||
_XimEncodeICATTRIBUTE
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In the `res->resource_size == XimType_NEST` code path, if
|
||||
`res->xrm_name != pre_quark` and `res->xrm_name != sts_quark`, `len` can
|
||||
be used uninitialized.
|
||||
|
||||
This error has been found by a static analysis tool. This is the report:
|
||||
|
||||
Error: UNINIT (CWE-457):
|
||||
libX11-1.8.7/modules/im/ximcp/imRmAttr.c:1106: var_decl:
|
||||
Declaring variable "len" without initializer.
|
||||
libX11-1.8.7/modules/im/ximcp/imRmAttr.c:1179: uninit_use:
|
||||
Using uninitialized value "len".
|
||||
# 1177| }
|
||||
# 1178|
|
||||
# 1179|-> if (len == 0) {
|
||||
# 1180| continue;
|
||||
# 1181| } else if (len < 0) {
|
||||
|
||||
Signed-off-by: José Expósito <jexposit@redhat.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
|
||||
---
|
||||
modules/im/ximcp/imRmAttr.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
|
||||
index 709e64ab..c56bd62e 100644
|
||||
--- a/modules/im/ximcp/imRmAttr.c
|
||||
+++ b/modules/im/ximcp/imRmAttr.c
|
||||
@@ -1115,6 +1115,7 @@ _XimEncodeICATTRIBUTE(
|
||||
|
||||
*ret_len = 0;
|
||||
for (p = arg; p && p->name; p++) {
|
||||
+ len = 0;
|
||||
buf_s = (CARD16 *)buf;
|
||||
if (!(res = _XimGetResourceListRec(res_list, res_num, p->name))) {
|
||||
if (_XimSetInnerICAttributes(ic, top, p, mode))
|
||||
--
|
||||
2.45.2
|
||||
|
||||
@ -1,62 +0,0 @@
|
||||
From af1312d2873d2ce49b18708a5029895aed477392 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
|
||||
Date: Tue, 30 Apr 2024 17:37:39 +0200
|
||||
Subject: [PATCH 4/6] XKBMAlloc: Check that needed is >= 0 in
|
||||
XkbResizeKeyActions
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Passing a negative value in `needed` to the `XkbResizeKeyActions()`
|
||||
function can create a `newActs` array of an unespected size.
|
||||
Check the value and return if it is invalid.
|
||||
|
||||
This error has been found by a static analysis tool. This is the report:
|
||||
|
||||
Error: OVERRUN (CWE-119):
|
||||
libX11-1.8.7/src/xkb/XKBMAlloc.c:811: cond_const:
|
||||
Checking "xkb->server->size_acts == 0" implies that
|
||||
"xkb->server->size_acts" is 0 on the true branch.
|
||||
libX11-1.8.7/src/xkb/XKBMAlloc.c:811: buffer_alloc:
|
||||
"calloc" allocates 8 bytes dictated by parameters
|
||||
"(size_t)((xkb->server->size_acts == 0) ? 1 : xkb->server->size_acts)"
|
||||
and "8UL".
|
||||
libX11-1.8.7/src/xkb/XKBMAlloc.c:811: var_assign:
|
||||
Assigning: "newActs" = "calloc((size_t)((xkb->server->size_acts == 0) ? 1 : xkb->server->size_acts), 8UL)".
|
||||
libX11-1.8.7/src/xkb/XKBMAlloc.c:815: assignment:
|
||||
Assigning: "nActs" = "1".
|
||||
libX11-1.8.7/src/xkb/XKBMAlloc.c:829: cond_at_least:
|
||||
Checking "nCopy > 0" implies that "nCopy" is at least 1 on the
|
||||
true branch.
|
||||
libX11-1.8.7/src/xkb/XKBMAlloc.c:830: overrun-buffer-arg:
|
||||
Overrunning buffer pointed to by "&newActs[nActs]" of 8 bytes by
|
||||
passing it to a function which accesses it at byte offset 15
|
||||
using argument "nCopy * 8UL" (which evaluates to 8).
|
||||
# 828|
|
||||
# 829| if (nCopy > 0)
|
||||
# 830|-> memcpy(&newActs[nActs], XkbKeyActionsPtr(xkb, i),
|
||||
# 831| nCopy * sizeof(XkbAction));
|
||||
# 832| if (nCopy < nKeyActs)
|
||||
|
||||
Signed-off-by: José Expósito <jexposit@redhat.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
|
||||
---
|
||||
src/xkb/XKBMAlloc.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/xkb/XKBMAlloc.c b/src/xkb/XKBMAlloc.c
|
||||
index 8b3be303..0563a688 100644
|
||||
--- a/src/xkb/XKBMAlloc.c
|
||||
+++ b/src/xkb/XKBMAlloc.c
|
||||
@@ -795,7 +795,7 @@ XkbResizeKeyActions(XkbDescPtr xkb, int key, int needed)
|
||||
register int i, nActs;
|
||||
XkbAction *newActs;
|
||||
|
||||
- if (needed == 0) {
|
||||
+ if (needed <= 0) {
|
||||
xkb->server->key_acts[key] = 0;
|
||||
return NULL;
|
||||
}
|
||||
--
|
||||
2.45.2
|
||||
|
||||
@ -1,64 +0,0 @@
|
||||
From f67a87dad40141f50f4da35b28a92a974bfdf7e1 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
|
||||
Date: Tue, 30 Apr 2024 18:04:35 +0200
|
||||
Subject: [PATCH 5/6] Fix memory leak in _XimProtoSetIMValues
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This error has been found by a static analysis tool. This is the report:
|
||||
|
||||
Error: RESOURCE_LEAK (CWE-772):
|
||||
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1316: alloc_fn:
|
||||
Storage is returned from allocation function "calloc".
|
||||
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1316: var_assign:
|
||||
Assigning: "tmp" = storage returned from
|
||||
"calloc((size_t)((buf_size + data_len == 0) ? 1 : (buf_size + data_len)), 1UL)".
|
||||
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1319: noescape:
|
||||
Resource "tmp" is not freed or pointed-to in "memcpy".
|
||||
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1320: var_assign:
|
||||
Assigning: "buf" = "tmp".
|
||||
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1302: var_assign:
|
||||
Assigning: "data" = "buf".
|
||||
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1303: noescape:
|
||||
Resource "data" is not freed or pointed-to in
|
||||
"_XimEncodeIMATTRIBUTE".
|
||||
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1333: leaked_storage:
|
||||
Variable "data" going out of scope leaks the storage it points to.
|
||||
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1333: leaked_storage:
|
||||
Variable "buf" going out of scope leaks the storage it points to.
|
||||
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1333: leaked_storage:
|
||||
Variable "tmp" going out of scope leaks the storage it points to.
|
||||
# 1331|
|
||||
# 1332| if (!total)
|
||||
# 1333|-> return (char *)NULL;
|
||||
# 1334|
|
||||
# 1335| buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
|
||||
|
||||
Signed-off-by: José Expósito <jexposit@redhat.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
|
||||
---
|
||||
modules/im/ximcp/imDefIm.c | 7 +++++--
|
||||
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/modules/im/ximcp/imDefIm.c b/modules/im/ximcp/imDefIm.c
|
||||
index a12d2970..e3075398 100644
|
||||
--- a/modules/im/ximcp/imDefIm.c
|
||||
+++ b/modules/im/ximcp/imDefIm.c
|
||||
@@ -1327,8 +1327,11 @@ _XimProtoSetIMValues(
|
||||
}
|
||||
_XimSetCurrentIMValues(im, &im_values);
|
||||
|
||||
- if (!total)
|
||||
- return (char *)NULL;
|
||||
+ if (!total) {
|
||||
+ if (buf != tmp_buf)
|
||||
+ Xfree(buf);
|
||||
+ return (char *)NULL;
|
||||
+ }
|
||||
|
||||
buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
|
||||
buf_s[0] = im->private.proto.imid;
|
||||
--
|
||||
2.45.2
|
||||
|
||||
@ -1,57 +0,0 @@
|
||||
From 97fb5bda3d0777380cd4b964f48771a82ef3f2a7 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
|
||||
Date: Tue, 30 Apr 2024 18:21:08 +0200
|
||||
Subject: [PATCH 6/6] Fix buffer overrun in parse_omit_name
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
When `num_fields == 12`, if the last character of the pattern is '-',
|
||||
the `buf` array is overrun.
|
||||
|
||||
This error has been found by a static analysis tool. This is the report:
|
||||
|
||||
Error: OVERRUN (CWE-119):
|
||||
libX11-1.8.7/modules/om/generic/omGeneric.c:691: cond_at_most:
|
||||
Checking "length > 255" implies that "length" may be up to 255 on
|
||||
the false branch.
|
||||
libX11-1.8.7/modules/om/generic/omGeneric.c:695: alias:
|
||||
Assigning: "last" = "buf + length - 1". "last" may now point to as
|
||||
high as byte 254 of "buf" (which consists of 256 bytes).
|
||||
libX11-1.8.7/modules/om/generic/omGeneric.c:718: ptr_incr:
|
||||
Incrementing "last". "last" may now point to as high as byte 255
|
||||
of "buf" (which consists of 256 bytes).
|
||||
libX11-1.8.7/modules/om/generic/omGeneric.c:720: ptr_incr:
|
||||
Incrementing "last". "last" may now point to as high as byte 256
|
||||
of "buf" (which consists of 256 bytes).
|
||||
libX11-1.8.7/modules/om/generic/omGeneric.c:720: overrun-local:
|
||||
Overrunning array of 256 bytes at byte offset 256 by
|
||||
dereferencing pointer "++last".
|
||||
# 718| *++last = '*';
|
||||
# 719|
|
||||
# 720|-> *++last = '-';
|
||||
# 721| break;
|
||||
# 722| case 13:
|
||||
|
||||
Signed-off-by: José Expósito <jexposit@redhat.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
|
||||
---
|
||||
modules/om/generic/omGeneric.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c
|
||||
index 406cec93..370072f3 100644
|
||||
--- a/modules/om/generic/omGeneric.c
|
||||
+++ b/modules/om/generic/omGeneric.c
|
||||
@@ -688,7 +688,7 @@ parse_omit_name(
|
||||
|
||||
length = strlen (pattern);
|
||||
|
||||
- if (length > XLFD_MAX_LEN)
|
||||
+ if (length > XLFD_MAX_LEN - 1)
|
||||
return -1;
|
||||
|
||||
strcpy(buf, pattern);
|
||||
--
|
||||
2.45.2
|
||||
|
||||
Loading…
Reference in new issue