No commits in common. 'c9' and 'c8-beta' have entirely different histories.
@ -1 +1 @@
|
||||
SOURCES/libX11-1.7.0.tar.bz2
|
||||
SOURCES/libX11-1.6.8.tar.bz2
|
||||
|
@ -1 +1 @@
|
||||
48fd27a11572a7d3c1014368e1dc9f40a7b23e7d SOURCES/libX11-1.7.0.tar.bz2
|
||||
f1ea96fe472a981d378b4f2eec90dcd063f9a407 SOURCES/libX11-1.6.8.tar.bz2
|
||||
|
@ -0,0 +1,166 @@
|
||||
From 8c92ef59890c6d6e2be456658d3b9c145eda8629 Mon Sep 17 00:00:00 2001
|
||||
From: Keith Packard <keithp@keithp.com>
|
||||
Date: Sat, 7 Nov 2020 22:22:47 -0800
|
||||
Subject: [PATCH libX11] Avoid recursing through _XError due to sequence
|
||||
adjustment
|
||||
|
||||
This patch is based on research done by Dmitry Osipenko to uncover the
|
||||
cause of a large class of Xlib lockups.
|
||||
|
||||
_XError must unlock and re-lock the display around the call to the
|
||||
user error handler function. When re-locking the display, two
|
||||
functions are called to ensure that the display is ready to generate a request:
|
||||
|
||||
_XIDHandler(dpy);
|
||||
_XSeqSyncFunction(dpy);
|
||||
|
||||
The first ensures that there is at least one XID available to use
|
||||
(possibly calling _xcb_generate_id to do so). The second makes sure a
|
||||
reply is received at least every 65535 requests to keep sequence
|
||||
numbers in sync (possibly generating a GetInputFocus request and
|
||||
synchronously awaiting the reply).
|
||||
|
||||
If the second of these does generate a GetInputFocus request and wait
|
||||
for the reply, then a pending error will cause recursion into _XError,
|
||||
which deadlocks the display.
|
||||
|
||||
One seemingly easy fix is to have _XError avoid those calls by
|
||||
invoking InternalLockDisplay instead of LockDisplay. That function
|
||||
does everything that LockDisplay does *except* call those final two
|
||||
functions which may end up receiving an error.
|
||||
|
||||
However, that doesn't protect the system from applications which call
|
||||
some legal Xlib function from within their error handler. Any Xlib
|
||||
function which cannot generate protocol or wait for events is valid,
|
||||
including many which invoke LockDisplay.
|
||||
|
||||
What we need to do is make LockDisplay skip these two function calls
|
||||
precisely when it is called from within the _XError context for the
|
||||
same display.
|
||||
|
||||
This patch accomplishes this by creating a list of threads in the
|
||||
display which are in _XError, and then having LockDisplay check the
|
||||
current thread against those list elements.
|
||||
|
||||
Inspired-by: Dmitry Osipenko <digetx@gmail.com>
|
||||
Signed-off-by: Keith Packard <keithp@keithp.com>
|
||||
Tested-by: Dmitry Osipenko <digetx@gmail.com>
|
||||
Reviewed-by: Dmitry Osipenko <digetx@gmail.com>
|
||||
(cherry picked from commit 30ccef3a48029bf4fc31d4abda2d2778d0ad6277)
|
||||
---
|
||||
include/X11/Xlibint.h | 2 ++
|
||||
src/OpenDis.c | 1 +
|
||||
src/XlibInt.c | 10 ++++++++++
|
||||
src/locking.c | 12 ++++++++++++
|
||||
src/locking.h | 12 ++++++++++++
|
||||
5 files changed, 37 insertions(+)
|
||||
|
||||
diff --git a/include/X11/Xlibint.h b/include/X11/Xlibint.h
|
||||
index 6b95bcf7..09078e3f 100644
|
||||
--- a/include/X11/Xlibint.h
|
||||
+++ b/include/X11/Xlibint.h
|
||||
@@ -202,6 +202,8 @@ struct _XDisplay
|
||||
unsigned long last_request_read_upper32bit;
|
||||
unsigned long request_upper32bit;
|
||||
#endif
|
||||
+
|
||||
+ struct _XErrorThreadInfo *error_threads;
|
||||
};
|
||||
|
||||
#define XAllocIDs(dpy,ids,n) (*(dpy)->idlist_alloc)(dpy,ids,n)
|
||||
diff --git a/src/OpenDis.c b/src/OpenDis.c
|
||||
index 82723578..85901168 100644
|
||||
--- a/src/OpenDis.c
|
||||
+++ b/src/OpenDis.c
|
||||
@@ -201,6 +201,7 @@ XOpenDisplay (
|
||||
X_DPY_SET_LAST_REQUEST_READ(dpy, 0);
|
||||
dpy->default_screen = iscreen; /* Value returned by ConnectDisplay */
|
||||
dpy->last_req = (char *)&_dummy_request;
|
||||
+ dpy->error_threads = NULL;
|
||||
|
||||
/* Initialize the display lock */
|
||||
if (InitDisplayLock(dpy) != 0) {
|
||||
diff --git a/src/XlibInt.c b/src/XlibInt.c
|
||||
index 4e45e62b..8771b791 100644
|
||||
--- a/src/XlibInt.c
|
||||
+++ b/src/XlibInt.c
|
||||
@@ -1482,6 +1482,11 @@ int _XError (
|
||||
if (_XErrorFunction != NULL) {
|
||||
int rtn_val;
|
||||
#ifdef XTHREADS
|
||||
+ struct _XErrorThreadInfo thread_info = {
|
||||
+ .error_thread = xthread_self(),
|
||||
+ .next = dpy->error_threads
|
||||
+ }, **prev;
|
||||
+ dpy->error_threads = &thread_info;
|
||||
if (dpy->lock)
|
||||
(*dpy->lock->user_lock_display)(dpy);
|
||||
UnlockDisplay(dpy);
|
||||
@@ -1491,6 +1496,11 @@ int _XError (
|
||||
LockDisplay(dpy);
|
||||
if (dpy->lock)
|
||||
(*dpy->lock->user_unlock_display)(dpy);
|
||||
+
|
||||
+ /* unlink thread_info from the list */
|
||||
+ for (prev = &dpy->error_threads; *prev != &thread_info; prev = &(*prev)->next)
|
||||
+ ;
|
||||
+ *prev = thread_info.next;
|
||||
#endif
|
||||
return rtn_val;
|
||||
} else {
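Review bot: `thread_info` is a stack object linked into `dpy->error_threads`, and it is only unlinked by the loop added in this hunk, which runs after the user error handler has returned. If a handler leaves by a non-local exit such as `longjmp` (not ruled out by anything visible here), the display keeps a pointer into a dead stack frame and every later `LockDisplay` walks it. I would document that requirement next to the link step in the previous hunk, e.g. `/* thread_info lives on this stack frame: the handler must return normally so it is unlinked below */`. The unlink loop could also stop on a NULL entry, `for (prev = &dpy->error_threads; *prev && *prev != &thread_info; prev = &(*prev)->next)`, so that a damaged list does not become a NULL dereference. The body of `_XError` starts and ends outside the hunk.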
|
||||
diff --git a/src/locking.c b/src/locking.c
|
||||
index 9f4fe067..bcadc857 100644
|
||||
--- a/src/locking.c
|
||||
+++ b/src/locking.c
|
||||
@@ -453,6 +453,9 @@ static void _XLockDisplay(
|
||||
XTHREADS_FILE_LINE_ARGS
|
||||
)
|
||||
{
|
||||
+#ifdef XTHREADS
|
||||
+ struct _XErrorThreadInfo *ti;
|
||||
+#endif
|
||||
#ifdef XTHREADS_WARN
|
||||
_XLockDisplayWarn(dpy, file, line);
|
||||
#else
|
||||
@@ -460,6 +463,15 @@ static void _XLockDisplay(
|
||||
#endif
|
||||
if (dpy->lock->locking_level > 0)
|
||||
_XDisplayLockWait(dpy);
|
||||
+#ifdef XTHREADS
|
||||
+ /*
|
||||
+ * Skip the two function calls below which may generate requests
|
||||
+ * when LockDisplay is called from within _XError.
|
||||
+ */
|
||||
+ for (ti = dpy->error_threads; ti; ti = ti->next)
|
||||
+ if (ti->error_thread == xthread_self())
|
||||
+ return;
|
||||
+#endif
|
||||
_XIDHandler(dpy);
|
||||
_XSeqSyncFunction(dpy);
|
||||
}
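Review bot: The added loop tests thread identity with `ti->error_thread == xthread_self()`, which is only meaningful where `xthread_t` is a scalar type; for pthread-style ids the portable comparison is the equality helper. Assuming the `xthread_equal` macro from Xthreads.h is in scope in locking.c, the test would read `if (xthread_equal(ti->error_thread, xthread_self()))`. `xthread_self()` could also be read once into a local before the loop instead of on every iteration. The start of `_XLockDisplay`'s body lies in the previous hunk.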
|
||||
diff --git a/src/locking.h b/src/locking.h
|
||||
index 5251a60c..59fc866e 100644
|
||||
--- a/src/locking.h
|
||||
+++ b/src/locking.h
|
||||
@@ -149,6 +149,18 @@ typedef struct _LockInfoRec {
|
||||
xmutex_t lock;
|
||||
} LockInfoRec;
|
||||
|
||||
+/* A list of threads currently invoking error handlers on this display
|
||||
+ * LockDisplay operates differently for these threads, avoiding
|
||||
+ * generating any requests or reading any events as that can cause
|
||||
+ * recursion into the error handling code, which will deadlock the
|
||||
+ * thread.
|
||||
+ */
|
||||
+struct _XErrorThreadInfo
|
||||
+{
|
||||
+ struct _XErrorThreadInfo *next;
|
||||
+ xthread_t error_thread;
|
||||
+};
|
||||
+
|
||||
/* XOpenDis.c */
|
||||
extern int (*_XInitDisplayLock_fn)(Display *dpy);
|
||||
extern void (*_XFreeDisplayLock_fn)(Display *dpy);
|
||||
--
|
||||
2.43.0
|
||||
|
@ -0,0 +1,58 @@
|
||||
From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Sun, 17 Sep 2023 14:19:40 -0700
|
||||
Subject: [PATCH] CVE-2023-43785: out-of-bounds memory access in
|
||||
_XkbReadKeySyms()
|
||||
|
||||
Make sure we allocate enough memory in the first place, and
|
||||
also handle error returns from _XkbReadBufferCopyKeySyms() when
|
||||
it detects out-of-bounds issues.
|
||||
|
||||
Reported-by: Gregory James DUCK <gjduck@gmail.com>
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/xkb/XKBGetMap.c | 14 +++++++++-----
|
||||
1 file changed, 9 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
|
||||
index 2891d21e..31199e4a 100644
|
||||
--- a/src/xkb/XKBGetMap.c
|
||||
+++ b/src/xkb/XKBGetMap.c
|
||||
@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
|
||||
if (offset + newMap->nSyms >= map->size_syms) {
|
||||
register int sz;
|
||||
|
||||
- sz = map->size_syms + 128;
|
||||
+ sz = offset + newMap->nSyms;
|
||||
+ sz = ((sz + (unsigned) 128) / 128) * 128;
|
||||
_XkbResizeArray(map->syms, map->size_syms, sz, KeySym);
|
||||
if (map->syms == NULL) {
|
||||
map->size_syms = 0;
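Review bot: The new size computation `sz = ((sz + (unsigned) 128) / 128) * 128;` has no comment, and its intent (round up to a multiple of 128 while always leaving at least one slot beyond `offset + newMap->nSyms`) is not obvious from the expression. A one-line comment above it would help, for example `/* grow to the next multiple of 128 KeySyms strictly greater than offset + nSyms */`. The `(unsigned)` cast also makes the arithmetic unsigned while `sz` is declared `register int`, so the result is converted back to a signed value; declaring `sz` unsigned, or dropping the cast, would keep the types consistent. The enclosing function continues outside the hunk.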
|
||||
@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
|
||||
map->size_syms = sz;
|
||||
}
|
||||
if (newMap->nSyms > 0) {
|
||||
- _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
|
||||
- newMap->nSyms);
|
||||
+ if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
|
||||
+ newMap->nSyms) == 0)
|
||||
+ return BadLength;
|
||||
offset += newMap->nSyms;
|
||||
}
|
||||
else {
|
||||
@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
|
||||
newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
|
||||
if (newSyms == NULL)
|
||||
return BadAlloc;
|
||||
- if (newMap->nSyms > 0)
|
||||
- _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
|
||||
+ if (newMap->nSyms > 0) {
|
||||
+ if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0)
|
||||
+ return BadLength;
|
||||
+ }
|
||||
else
|
||||
newSyms[0] = NoSymbol;
|
||||
oldMap->kt_index[0] = newMap->ktIndex[0];
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,37 @@
|
||||
From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Thu, 7 Sep 2023 15:54:30 -0700
|
||||
Subject: [PATCH 1/3] CVE-2023-43786: stack exhaustion from infinite recursion
|
||||
in PutSubImage()
|
||||
|
||||
When splitting a single line of pixels into chunks to send to the
|
||||
X server, be sure to take into account the number of bits per pixel,
|
||||
so we don't just loop forever trying to send more pixels than fit in
|
||||
the given request size and not breaking them down into a small enough
|
||||
chunk to fix.
|
||||
|
||||
Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/PutImage.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/PutImage.c b/src/PutImage.c
|
||||
index 857ee916..a6db7b42 100644
|
||||
--- a/src/PutImage.c
|
||||
+++ b/src/PutImage.c
|
||||
@@ -914,8 +914,9 @@ PutSubImage (
|
||||
req_width, req_height - SubImageHeight,
|
||||
dest_bits_per_pixel, dest_scanline_pad);
|
||||
} else {
|
||||
- int SubImageWidth = (((Available << 3) / dest_scanline_pad)
|
||||
- * dest_scanline_pad) - left_pad;
|
||||
+ int SubImageWidth = ((((Available << 3) / dest_scanline_pad)
|
||||
+ * dest_scanline_pad) - left_pad)
|
||||
+ / dest_bits_per_pixel;
|
||||
|
||||
PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y,
|
||||
(unsigned int) SubImageWidth, 1,
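Review bot: After the added division by `dest_bits_per_pixel`, `SubImageWidth` can in principle evaluate to 0 (or go negative if `left_pad` exceeds the padded bit count), and it is then cast to `unsigned int` and passed to the recursive call with no check. In that case the remaining-width call would be issued with an unchanged width, which is the same non-terminating recursion this commit is fixing. Whether `Available` can ever be that small is not visible in the hunk, so this is a defensive suggestion: `if (SubImageWidth <= 0) return;` before the first recursive call. The body of `PutSubImage` starts and ends outside the hunk.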
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,59 @@
|
||||
From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001
|
||||
From: Yair Mizrahi <yairm@jfrog.com>
|
||||
Date: Thu, 7 Sep 2023 16:15:32 -0700
|
||||
Subject: [PATCH] CVE-2023-43787: Integer overflow in XCreateImage() leading to
|
||||
a heap overflow
|
||||
|
||||
When the format is `Pixmap` it calculates the size of the image data as:
|
||||
ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
|
||||
There is no validation on the `width` of the image, and so this
|
||||
calculation exceeds the capacity of a 4-byte integer, causing an overflow.
|
||||
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/ImUtil.c | 20 +++++++++++++++-----
|
||||
1 file changed, 15 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/ImUtil.c b/src/ImUtil.c
|
||||
index 36f08a03..fbfad33e 100644
|
||||
--- a/src/ImUtil.c
|
||||
+++ b/src/ImUtil.c
|
||||
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
|
||||
#include <X11/Xlibint.h>
|
||||
#include <X11/Xutil.h>
|
||||
#include <stdio.h>
|
||||
+#include <limits.h>
|
||||
#include "ImUtil.h"
|
||||
|
||||
static int _XDestroyImage(XImage *);
|
||||
@@ -361,13 +362,22 @@ XImage *XCreateImage (
|
||||
/*
|
||||
* compute per line accelerator.
|
||||
*/
|
||||
- {
|
||||
- if (format == ZPixmap)
|
||||
+ if (format == ZPixmap) {
|
||||
+ if ((INT_MAX / bits_per_pixel) < width) {
|
||||
+ Xfree(image);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
min_bytes_per_line =
|
||||
- ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
|
||||
- else
|
||||
+ ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
|
||||
+ } else {
|
||||
+ if ((INT_MAX - offset) < width) {
|
||||
+ Xfree(image);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
min_bytes_per_line =
|
||||
- ROUNDUP((width + offset), image->bitmap_pad);
|
||||
+ ROUNDUP((width + offset), image->bitmap_pad);
|
||||
}
|
||||
if (image_bytes_per_line == 0) {
|
||||
image->bytes_per_line = min_bytes_per_line;
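Review bot: The guard added for the non-ZPixmap branch, `if ((INT_MAX - offset) < width)`, is itself a signed overflow if `offset` is negative, and nothing in the visible lines rejects a negative `offset`. If `offset` is a signed `int` supplied by the caller (its declaration is outside the hunk), the check should read `if (offset < 0 || (INT_MAX - offset) < width)`. The ZPixmap guard `INT_MAX / bits_per_pixel` likewise relies on `bits_per_pixel` being non-zero, which is established outside the hunk; a short comment stating that assumption would make the division safe to read in isolation.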
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,64 @@
|
||||
From a515545065ce6e1924de4bc50aaae7ec9b48cfad Mon Sep 17 00:00:00 2001
|
||||
From: Adam Jackson <ajax@redhat.com>
|
||||
Date: Wed, 11 Dec 2019 11:53:11 -0500
|
||||
Subject: [PATCH libX11] Fix XTS regression in XCopyColormapAndFree
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
XCopyColormapAndFree/5 threw an assertion:
|
||||
|
||||
520|4 5 00014017 1 2|Assertion XCopyColormapAndFree-5.(A)
|
||||
520|4 5 00014017 1 3|When a colourmap argument does not name a valid colourmap,
|
||||
520|4 5 00014017 1 4|then a BadColor error occurs.
|
||||
520|4 5 00014017 1 5|METH: Create a bad colourmap by creating and freeing a colourmap.
|
||||
520|4 5 00014017 1 6|METH: Call test function using bad colourmap as the colourmap argument.
|
||||
520|4 5 00014017 1 7|METH: Verify that a BadColor error occurs.
|
||||
520|4 5 00014017 1 8|unexpected signal 6 (SIGABRT) received
|
||||
220|4 5 2 15:05:53|UNRESOLVED
|
||||
410|4 5 1 15:05:53|IC End
|
||||
510|4|system 0: Abandoning testset: caught unexpected signal 11 (SIGSEGV)
|
||||
|
||||
More specifically:
|
||||
|
||||
lt-XCopyColormapAndFree: xcb_io.c:533: _XAllocID: Assertion `ret != inval_id' failed.
|
||||
|
||||
This bug was introduced (by following my advice, d'oh) in:
|
||||
|
||||
commit 99a2cf1aa0b58391078d5d3edf0a7dab18c7745d
|
||||
Author: Tapani Pälli <tapani.palli@intel.com>
|
||||
Date: Mon May 13 08:29:49 2019 +0300
|
||||
|
||||
Protect colormap add/removal with display lock
|
||||
|
||||
In that patch we moved the call to _XcmsCopyCmapRecAndFree inside the
|
||||
display lock. The problem is said routine has side effects, including
|
||||
trying to implicitly create a colormap in some cases. Since we don't run
|
||||
the XID handler until SyncHandle() we would see inconsistent internal
|
||||
xlib state, triggering the above assert.
|
||||
|
||||
Fix this by dropping and re-taking the display lock before calling into
|
||||
XCMS.
|
||||
---
|
||||
src/CopyCmap.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/src/CopyCmap.c b/src/CopyCmap.c
|
||||
index b4954b01..b37aba73 100644
|
||||
--- a/src/CopyCmap.c
|
||||
+++ b/src/CopyCmap.c
|
||||
@@ -53,6 +53,11 @@ Colormap XCopyColormapAndFree(
|
||||
mid = req->mid = XAllocID(dpy);
|
||||
req->srcCmap = src_cmap;
|
||||
|
||||
+ /* re-lock the display to keep XID handling in sync */
|
||||
+ UnlockDisplay(dpy);
|
||||
+ SyncHandle();
|
||||
+ LockDisplay(dpy);
|
||||
+
|
||||
#if XCMS
|
||||
_XcmsCopyCmapRecAndFree(dpy, src_cmap, mid);
|
||||
#endif
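Review bot: The added comment `/* re-lock the display to keep XID handling in sync */` does not say why the lock has to be dropped in the middle of building the request, and the commit message is the only place that explains it. I would expand it to something like `/* Drop the lock so SyncHandle() can run the XID handler before XCMS, which may allocate another XID; other threads may run in this window */`. The second half matters for reviewers, because `req` was filled in before the unlock and the code after `LockDisplay` assumes display state that another thread could have changed in between. The function body continues outside the hunk.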
|
||||
--
|
||||
2.23.0
|
||||
|
@ -0,0 +1,37 @@
|
||||
From 2c67fab8415a1d32395de87f056bc5f3b37fedb0 Mon Sep 17 00:00:00 2001
|
||||
From: Matthieu Herrb <matthieu@herrb.eu>
|
||||
Date: Thu, 13 Aug 2020 18:02:58 +0200
|
||||
Subject: [PATCH] Fix an integer overflow in init_om()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
CVE-2020-14363
|
||||
|
||||
This can lead to a double free later, as reported by Jayden Rivers.
|
||||
|
||||
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
|
||||
|
||||
(cherry picked from commit acdaaadcb3d85c61fd43669fc5dddf0f8c3f911d)
|
||||
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
|
||||
---
|
||||
modules/om/generic/omGeneric.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c
|
||||
index 22f826ec..bcfb9ab8 100644
|
||||
--- a/modules/om/generic/omGeneric.c
|
||||
+++ b/modules/om/generic/omGeneric.c
|
||||
@@ -1908,7 +1908,8 @@ init_om(
|
||||
char **required_list;
|
||||
XOrientation *orientation;
|
||||
char **value, buf[BUFSIZ], *bufptr;
|
||||
- int count = 0, num = 0, length = 0;
|
||||
+ int count = 0, num = 0;
|
||||
+ unsigned int length = 0;
|
||||
|
||||
_XlcGetResource(lcd, "XLC_FONTSET", "on_demand_loading", &value, &count);
|
||||
if (count > 0 && _XlcCompareISOLatin1(*value, "True") == 0)
|
||||
--
|
||||
2.28.0
|
||||
|
@ -0,0 +1,63 @@
|
||||
From 77f8517710a724fa1f29de8ad806692782f962bd Mon Sep 17 00:00:00 2001
|
||||
From: Frediano Ziglio <fziglio@redhat.com>
|
||||
Date: Wed, 29 Jan 2020 09:06:54 +0000
|
||||
Subject: [PATCH libX11] Fix poll_for_response race condition
|
||||
|
||||
In poll_for_response is it possible that event replies are skipped
|
||||
and a more up to date message reply is returned.
|
||||
This will cause next poll_for_event call to fail aborting the program.
|
||||
|
||||
This was proved using some slow ssh tunnel or using some program
|
||||
to slow down server replies (I used a combination of xtrace and strace).
|
||||
|
||||
How the race happens:
|
||||
- program enters into poll_for_response;
|
||||
- poll_for_event is called but the server didn't still send the reply;
|
||||
- pending_requests is not NULL because we send a request (see call
|
||||
to append_pending_request in _XSend);
|
||||
- xcb_poll_for_reply64 is called from poll_for_response;
|
||||
- xcb_poll_for_reply64 will read from server, at this point
|
||||
server reply with an event (say sequence N) and the reply to our
|
||||
last request (say sequence N+1);
|
||||
- xcb_poll_for_reply64 returns the reply for the request we asked;
|
||||
- last_request_read is set to N+1 sequence in poll_for_response;
|
||||
- poll_for_response returns the response to the request;
|
||||
- poll_for_event is called (for instance from another poll_for_response);
|
||||
- event with sequence N is retrieved;
|
||||
- the N sequence is widen, however, as the "new" number computed from
|
||||
last_request_read is less than N the number is widened to N + 2^32
|
||||
(assuming last_request_read is still contained in 32 bit);
|
||||
- poll_for_event enters the nested if statement as req is NULL;
|
||||
- we compare the widen N (which now does not fit into 32 bit) with
|
||||
request (which fits into 32 bit) hitting the throw_thread_fail_assert.
|
||||
|
||||
I propose to change the widen to not go too far from the wide number
|
||||
instead of supposing the result is always bigger than the wide number
|
||||
passed.
|
||||
|
||||
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
|
||||
---
|
||||
src/xcb_io.c | 4 +---
|
||||
1 file changed, 1 insertion(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/xcb_io.c b/src/xcb_io.c
|
||||
index 6a12d150..2aacbda3 100644
|
||||
--- a/src/xcb_io.c
|
||||
+++ b/src/xcb_io.c
|
||||
@@ -201,12 +201,10 @@ static int handle_error(Display *dpy, xError *err, Bool in_XReply)
|
||||
}
|
||||
|
||||
/* Widen a 32-bit sequence number into a 64bit (uint64_t) sequence number.
|
||||
- * Treating the comparison as a 1 and shifting it avoids a conditional branch.
|
||||
*/
|
||||
static void widen(uint64_t *wide, unsigned int narrow)
|
||||
{
|
||||
- uint64_t new = (*wide & ~((uint64_t)0xFFFFFFFFUL)) | narrow;
|
||||
- *wide = new + (((uint64_t)(new < *wide)) << 32);
|
||||
+ *wide += (int32_t) (narrow - *wide);
|
||||
}
|
||||
|
||||
/* Thread-safety rules:
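Review bot: The rewritten `widen()` body is a single expression, `*wide += (int32_t) (narrow - *wide);`, and the only explanatory comment line was removed without a replacement. The header comment should state the new contract, for example `Chooses the 64-bit value nearest to *wide whose low 32 bits equal narrow; the result may be smaller than the old *wide.` The cast also converts a `uint64_t` difference directly to `int32_t`, which is implementation-defined for out-of-range values; narrowing in two steps, `(int32_t) (uint32_t) (narrow - *wide)`, makes the intended truncation to the low 32 bits explicit.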
|
||||
--
|
||||
2.23.0
|
||||
|
@ -1,43 +0,0 @@
|
||||
From e92efc63acd7b377faa9e534f4bf52aaa86be2a9 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Tue, 27 Jul 2021 11:46:19 +1000
|
||||
Subject: [PATCH libX11] makekeys: handle the new _EVDEVK xorgproto symbols
|
||||
|
||||
These keys are all defined through a macro in the form:
|
||||
#define XF86XK_BrightnessAuto _EVDEVK(0x0F4)
|
||||
|
||||
The _EVDEVK macro is simply an offset of 0x10081000.
|
||||
Let's parse these lines correctly so those keysyms end up in our
|
||||
hashtables.
|
||||
|
||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
src/util/makekeys.c | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/src/util/makekeys.c b/src/util/makekeys.c
|
||||
index e847ef4c..4896cc53 100644
|
||||
--- a/src/util/makekeys.c
|
||||
+++ b/src/util/makekeys.c
|
||||
@@ -78,6 +78,18 @@ parse_line(const char *buf, char *key, KeySym *val, char *prefix)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+ /* See if we can parse one of the _EVDEVK symbols */
|
||||
+ i = sscanf(buf, "#define %127s _EVDEVK(0x%lx)", key, val);
|
||||
+ if (i == 2 && (tmp = strstr(key, "XK_"))) {
|
||||
+ memcpy(prefix, key, (size_t)(tmp - key));
|
||||
+ prefix[tmp - key] = '\0';
|
||||
+ tmp += 3;
|
||||
+ memmove(key, tmp, strlen(tmp) + 1);
|
||||
+
|
||||
+ *val += 0x10081000;
|
||||
+ return 1;
|
||||
+ }
|
||||
+
|
||||
/* Now try to catch alias (XK_foo XK_bar) definitions, and resolve them
|
||||
* immediately: if the target is in the form XF86XK_foo, we need to
|
||||
* canonicalise this to XF86foo before we do the lookup. */
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,41 @@
|
||||
From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Thu, 7 Sep 2023 15:55:04 -0700
|
||||
Subject: [PATCH 2/3] XPutImage: clip images to maximum height & width allowed
|
||||
by protocol
|
||||
|
||||
The PutImage request specifies height & width of the image as CARD16
|
||||
(unsigned 16-bit integer), same as the maximum dimensions of an X11
|
||||
Drawable, which the image is being copied to.
|
||||
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/PutImage.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/src/PutImage.c b/src/PutImage.c
|
||||
index a6db7b42..ba411e36 100644
|
||||
--- a/src/PutImage.c
|
||||
+++ b/src/PutImage.c
|
||||
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
|
||||
#include "Xlibint.h"
|
||||
#include "Xutil.h"
|
||||
#include <stdio.h>
|
||||
+#include <limits.h>
|
||||
#include "Cr.h"
|
||||
#include "ImUtil.h"
|
||||
#include "reallocarray.h"
|
||||
@@ -962,6 +963,10 @@ XPutImage (
|
||||
height = image->height - req_yoffset;
|
||||
if ((width <= 0) || (height <= 0))
|
||||
return 0;
|
||||
+ if (width > USHRT_MAX)
|
||||
+ width = USHRT_MAX;
|
||||
+ if (height > USHRT_MAX)
|
||||
+ height = USHRT_MAX;
|
||||
|
||||
if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) {
|
||||
dest_bits_per_pixel = 1;
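Review bot: The four added lines clamp `width` and `height` to `USHRT_MAX` without a comment, so a caller that asks for a larger area gets a silently truncated image and no error. The sibling XCreatePixmap change in this series documents its choice in a block comment; the same is worth doing here, e.g. `/* PutImage carries width and height as CARD16: clip oversized requests to the protocol maximum instead of failing */`. The body of `XPutImage` starts and ends outside the hunk.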
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,47 @@
|
||||
From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Thu, 7 Sep 2023 16:12:27 -0700
|
||||
Subject: [PATCH 3/3] XCreatePixmap: trigger BadValue error for out-of-range
|
||||
dimensions
|
||||
|
||||
The CreatePixmap request specifies height & width of the image as CARD16
|
||||
(unsigned 16-bit integer), so if either is larger than that, set it to 0
|
||||
so the X server returns a BadValue error as the protocol requires.
|
||||
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/CrPixmap.c | 11 +++++++++++
|
||||
1 file changed, 11 insertions(+)
|
||||
|
||||
diff --git a/src/CrPixmap.c b/src/CrPixmap.c
|
||||
index cdf31207..3cb2ca6d 100644
|
||||
--- a/src/CrPixmap.c
|
||||
+++ b/src/CrPixmap.c
|
||||
@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
|
||||
#include <config.h>
|
||||
#endif
|
||||
#include "Xlibint.h"
|
||||
+#include <limits.h>
|
||||
|
||||
#ifdef USE_DYNAMIC_XCURSOR
|
||||
void
|
||||
@@ -47,6 +48,16 @@ Pixmap XCreatePixmap (
|
||||
Pixmap pid;
|
||||
register xCreatePixmapReq *req;
|
||||
|
||||
+ /*
|
||||
+ * Force a BadValue X Error if the requested dimensions are larger
|
||||
+ * than the X11 protocol has room for, since that's how callers expect
|
||||
+ * to get notified of errors.
|
||||
+ */
|
||||
+ if (width > USHRT_MAX)
|
||||
+ width = 0;
|
||||
+ if (height > USHRT_MAX)
|
||||
+ height = 0;
|
||||
+
|
||||
LockDisplay(dpy);
|
||||
GetReq(CreatePixmap, req);
|
||||
req->drawable = d;
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,411 @@
|
||||
From 2714e4478c1262c94de6295cce605c14572968d3 Mon Sep 17 00:00:00 2001
|
||||
From: Matthieu Herrb <matthieu@herrb.eu>
|
||||
Date: Fri, 19 Feb 2021 15:30:39 +0100
|
||||
Subject: [PATCH libX11] Reject string longer than USHRT_MAX before sending
|
||||
them on the wire
|
||||
|
||||
The X protocol uses CARD16 values to represent the length so
|
||||
this would overflow.
|
||||
|
||||
CVE-2021-31535
|
||||
|
||||
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
|
||||
|
||||
[mustard: backported 10 1.6.8 by merging the warning fixes from
|
||||
upstream commimt 84427130 first - ajax]
|
||||
---
|
||||
src/Font.c | 10 ++++++----
|
||||
src/FontInfo.c | 5 ++++-
|
||||
src/FontNames.c | 5 ++++-
|
||||
src/GetColor.c | 6 +++++-
|
||||
src/LoadFont.c | 6 +++++-
|
||||
src/LookupCol.c | 6 ++++--
|
||||
src/ParseCol.c | 7 +++++--
|
||||
src/QuExt.c | 7 ++++++-
|
||||
src/SetFPath.c | 12 +++++++++---
|
||||
src/SetHints.c | 9 ++++++++-
|
||||
src/StNColor.c | 5 ++++-
|
||||
src/StName.c | 11 ++++++++---
|
||||
12 files changed, 68 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/src/Font.c b/src/Font.c
|
||||
index 09d2ae91..1cd89cca 100644
|
||||
--- a/src/Font.c
|
||||
+++ b/src/Font.c
|
||||
@@ -102,12 +102,14 @@ XFontStruct *XLoadQueryFont(
|
||||
XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy);
|
||||
#endif
|
||||
|
||||
+ if (strlen(name) >= USHRT_MAX)
|
||||
+ return NULL;
|
||||
if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0))
|
||||
return font_result;
|
||||
LockDisplay(dpy);
|
||||
GetReq(OpenFont, req);
|
||||
seq = dpy->request; /* Can't use extended sequence number here */
|
||||
- nbytes = req->nbytes = name ? strlen(name) : 0;
|
||||
+ nbytes = req->nbytes = (CARD16) (name ? strlen(name) : 0);
|
||||
req->fid = fid = XAllocID(dpy);
|
||||
req->length += (nbytes+3)>>2;
|
||||
Data (dpy, name, nbytes);
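Review bot: The new length check `if (strlen(name) >= USHRT_MAX)` dereferences `name` unconditionally, while the request setup a few lines below still treats NULL as valid (`name ? strlen(name) : 0`). A NULL name that used to be sent as an empty string would now crash in `strlen` before the lock is taken. The guard should keep the NULL tolerance, `if (name != NULL && strlen(name) >= USHRT_MAX) return NULL;`. The same pattern appears in the hunks for src/FontInfo.c and src/FontNames.c (`pattern`), src/LoadFont.c and src/QuExt.c (`name`), each of which keeps a `? ... : 0` NULL fallback after the new unguarded `strlen`.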
|
||||
@@ -662,8 +664,8 @@ int _XF86LoadQueryLocaleFont(
|
||||
|
||||
if (!name)
|
||||
return 0;
|
||||
- l = strlen(name);
|
||||
- if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-')
|
||||
+ l = (int) strlen(name);
|
||||
+ if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX)
|
||||
return 0;
|
||||
charset = NULL;
|
||||
/* next three lines stolen from _XkbGetCharset() */
|
||||
@@ -679,7 +681,7 @@ int _XF86LoadQueryLocaleFont(
|
||||
return 0;
|
||||
if (_XlcNCompareISOLatin1(name + l - 2 - (p - charset), charset, p - charset))
|
||||
return 0;
|
||||
- if (strlen(p + 1) + l - 1 >= sizeof(buf) - 1)
|
||||
+ if (strlen(p + 1) + (size_t) l - 1 >= sizeof(buf) - 1)
|
||||
return 0;
|
||||
strcpy(buf, name);
|
||||
strcpy(buf + l - 1, p + 1);
|
||||
diff --git a/src/FontInfo.c b/src/FontInfo.c
|
||||
index f870e431..6644b3fa 100644
|
||||
--- a/src/FontInfo.c
|
||||
+++ b/src/FontInfo.c
|
||||
@@ -58,10 +58,13 @@ XFontStruct **info) /* RETURN */
|
||||
register xListFontsReq *req;
|
||||
int j;
|
||||
|
||||
+ if (strlen(pattern) >= USHRT_MAX)
|
||||
+ return NULL;
|
||||
+
|
||||
LockDisplay(dpy);
|
||||
GetReq(ListFontsWithInfo, req);
|
||||
req->maxNames = maxNames;
|
||||
- nbytes = req->nbytes = pattern ? strlen (pattern) : 0;
|
||||
+ nbytes = req->nbytes = pattern ? (CARD16) strlen (pattern) : 0;
|
||||
req->length += (nbytes + 3) >> 2;
|
||||
_XSend (dpy, pattern, nbytes);
|
||||
/* use _XSend instead of Data, since subsequent _XReply will flush buffer */
|
||||
diff --git a/src/FontNames.c b/src/FontNames.c
|
||||
index b78792d6..458d80c9 100644
|
||||
--- a/src/FontNames.c
|
||||
+++ b/src/FontNames.c
|
||||
@@ -51,10 +51,13 @@ int *actualCount) /* RETURN */
|
||||
register xListFontsReq *req;
|
||||
unsigned long rlen = 0;
|
||||
|
||||
+ if (strlen(pattern) >= USHRT_MAX)
|
||||
+ return NULL;
|
||||
+
|
||||
LockDisplay(dpy);
|
||||
GetReq(ListFonts, req);
|
||||
req->maxNames = maxNames;
|
||||
- nbytes = req->nbytes = pattern ? strlen (pattern) : 0;
|
||||
+ nbytes = req->nbytes = pattern ? (CARD16) strlen (pattern) : 0;
|
||||
req->length += (nbytes + 3) >> 2;
|
||||
_XSend (dpy, pattern, nbytes);
|
||||
/* use _XSend instead of Data, since following _XReply will flush buffer */
|
||||
diff --git a/src/GetColor.c b/src/GetColor.c
|
||||
index cd0eb9f6..c8178067 100644
|
||||
--- a/src/GetColor.c
|
||||
+++ b/src/GetColor.c
|
||||
@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
|
||||
#ifdef HAVE_CONFIG_H
|
||||
#include <config.h>
|
||||
#endif
|
||||
+#include <limits.h>
|
||||
#include <stdio.h>
|
||||
#include "Xlibint.h"
|
||||
#include "Xcmsint.h"
|
||||
@@ -48,6 +49,9 @@ XColor *exact_def) /* RETURN */
|
||||
XcmsColor cmsColor_exact;
|
||||
Status ret;
|
||||
|
||||
+ if (strlen(colorname) >= USHRT_MAX)
|
||||
+ return (0);
|
||||
+
|
||||
#ifdef XCMS
|
||||
/*
|
||||
* Let's Attempt to use Xcms and i18n approach to Parse Color
|
||||
@@ -83,7 +87,7 @@ XColor *exact_def) /* RETURN */
|
||||
GetReq(AllocNamedColor, req);
|
||||
|
||||
req->cmap = cmap;
|
||||
- nbytes = req->nbytes = strlen(colorname);
|
||||
+ nbytes = req->nbytes = (CARD16) strlen(colorname);
|
||||
req->length += (nbytes + 3) >> 2; /* round up to mult of 4 */
|
||||
|
||||
_XSend(dpy, colorname, nbytes);
|
||||
diff --git a/src/LoadFont.c b/src/LoadFont.c
|
||||
index f547976b..3996436f 100644
|
||||
--- a/src/LoadFont.c
|
||||
+++ b/src/LoadFont.c
|
||||
@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
|
||||
#ifdef HAVE_CONFIG_H
|
||||
#include <config.h>
|
||||
#endif
|
||||
+#include <limits.h>
|
||||
#include "Xlibint.h"
|
||||
|
||||
Font
|
||||
@@ -38,12 +39,15 @@ XLoadFont (
|
||||
Font fid;
|
||||
register xOpenFontReq *req;
|
||||
|
||||
+ if (strlen(name) >= USHRT_MAX)
|
||||
+ return (0);
|
||||
+
|
||||
if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid))
|
||||
return fid;
|
||||
|
||||
LockDisplay(dpy);
|
||||
GetReq(OpenFont, req);
|
||||
- nbytes = req->nbytes = name ? strlen(name) : 0;
|
||||
+ nbytes = req->nbytes = name ? (CARD16) strlen(name) : 0;
|
||||
req->fid = fid = XAllocID(dpy);
|
||||
req->length += (nbytes+3)>>2;
|
||||
Data (dpy, name, nbytes);
|
||||
diff --git a/src/LookupCol.c b/src/LookupCol.c
|
||||
index f7f969f5..cd9b1368 100644
|
||||
--- a/src/LookupCol.c
|
||||
+++ b/src/LookupCol.c
|
||||
@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
|
||||
#ifdef HAVE_CONFIG_H
|
||||
#include <config.h>
|
||||
#endif
|
||||
+#include <limits.h>
|
||||
#include <stdio.h>
|
||||
#include "Xlibint.h"
|
||||
#include "Xcmsint.h"
|
||||
@@ -46,6 +47,9 @@ XLookupColor (
|
||||
XcmsCCC ccc;
|
||||
XcmsColor cmsColor_exact;
|
||||
|
||||
+ n = (int) strlen (spec);
|
||||
+ if (n >= USHRT_MAX)
|
||||
+ return 0;
|
||||
#ifdef XCMS
|
||||
/*
|
||||
* Let's Attempt to use Xcms and i18n approach to Parse Color
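Review bot: The length is narrowed before it is range-checked: `n = (int) strlen (spec);` followed by `if (n >= USHRT_MAX)`. A string longer than `INT_MAX` bytes becomes a negative or wrapped `n` and passes the check. Comparing the `size_t` first avoids that, `size_t len = strlen(spec); if (len >= USHRT_MAX) return 0; n = (int) len;`. The first src/ParseCol.c hunk uses the same cast-then-compare order. The body of `XLookupColor` starts and ends outside the hunk.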
|
||||
@@ -77,8 +81,6 @@ XLookupColor (
|
||||
* Xcms and i18n methods failed, so lets pass it to the server
|
||||
* for parsing.
|
||||
*/
|
||||
-
|
||||
- n = strlen (spec);
|
||||
LockDisplay(dpy);
|
||||
GetReq (LookupColor, req);
|
||||
req->cmap = cmap;
|
||||
diff --git a/src/ParseCol.c b/src/ParseCol.c
|
||||
index e997b1b8..7a84a17b 100644
|
||||
--- a/src/ParseCol.c
|
||||
+++ b/src/ParseCol.c
|
||||
@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
|
||||
#ifdef HAVE_CONFIG_H
|
||||
#include <config.h>
|
||||
#endif
|
||||
+#include <limits.h>
|
||||
#include <stdio.h>
|
||||
#include "Xlibint.h"
|
||||
#include "Xcmsint.h"
|
||||
@@ -46,7 +47,9 @@ XParseColor (
|
||||
XcmsColor cmsColor;
|
||||
|
||||
if (!spec) return(0);
|
||||
- n = strlen (spec);
|
||||
+ n = (int) strlen (spec);
|
||||
+ if (n >= USHRT_MAX)
|
||||
+ return(0);
|
||||
if (*spec == '#') {
|
||||
/*
|
||||
* RGB
|
||||
@@ -119,7 +122,7 @@ XParseColor (
|
||||
LockDisplay(dpy);
|
||||
GetReq (LookupColor, req);
|
||||
req->cmap = cmap;
|
||||
- req->nbytes = n = strlen(spec);
|
||||
+ req->nbytes = (CARD16) (n = (int) strlen(spec));
|
||||
req->length += (n + 3) >> 2;
|
||||
Data (dpy, spec, (long)n);
|
||||
if (!_XReply (dpy, (xReply *) &reply, 0, xTrue)) {
|
||||
diff --git a/src/QuExt.c b/src/QuExt.c
|
||||
index 4e230e77..4cb99fcf 100644
|
||||
--- a/src/QuExt.c
|
||||
+++ b/src/QuExt.c
|
||||
@@ -27,6 +27,8 @@ in this Software without prior written authorization from The Open Group.
|
||||
#ifdef HAVE_CONFIG_H
|
||||
#include <config.h>
|
||||
#endif
|
||||
+#include <limits.h>
|
||||
+#include <stdbool.h>
|
||||
#include "Xlibint.h"
|
||||
|
||||
Bool
|
||||
@@ -40,9 +42,12 @@ XQueryExtension(
|
||||
xQueryExtensionReply rep;
|
||||
register xQueryExtensionReq *req;
|
||||
|
||||
+ if (strlen(name) >= USHRT_MAX)
|
||||
+ return false;
|
||||
+
|
||||
LockDisplay(dpy);
|
||||
GetReq(QueryExtension, req);
|
||||
- req->nbytes = name ? strlen(name) : 0;
|
||||
+ req->nbytes = name ? (CARD16) strlen(name) : 0;
|
||||
req->length += (req->nbytes+(unsigned)3)>>2;
|
||||
_XSend(dpy, name, (long)req->nbytes);
|
||||
(void) _XReply (dpy, (xReply *)&rep, 0, xTrue);
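Review bot: `return false;` brings in `<stdbool.h>` for a function whose return type is Xlib's `Bool`, while every other rejection path in this patch returns a plain `0`. Using `return False;` (or `return 0;`) matches the surrounding Xlib style and makes the extra include unnecessary. XQueryExtension continues outside this hunk, so whether its output parameters are expected to be set on this path cannot be judged from here.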
|
||||
diff --git a/src/SetFPath.c b/src/SetFPath.c
|
||||
index 60aaef01..13fce49e 100644
|
||||
--- a/src/SetFPath.c
|
||||
+++ b/src/SetFPath.c
|
||||
@@ -26,6 +26,7 @@ in this Software without prior written authorization from The Open Group.
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
#include <config.h>
|
||||
+#include <limits.h>
|
||||
#endif
|
||||
#include "Xlibint.h"
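Review bot: `#include <limits.h>` is added inside the `#ifdef HAVE_CONFIG_H` block in this file, unlike the other files in the patch where it follows `#endif`. A build without HAVE_CONFIG_H would then depend on some other header to define USHRT_MAX for the check added to XSetFontPath. Moving the line below `#endif` makes the include unconditional.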
|
||||
|
||||
@@ -48,7 +49,12 @@ XSetFontPath (
|
||||
GetReq (SetFontPath, req);
|
||||
req->nFonts = ndirs;
|
||||
for (i = 0; i < ndirs; i++) {
|
||||
- n += safestrlen (directories[i]) + 1;
|
||||
+ n = (int) ((size_t) n + (safestrlen (directories[i]) + 1));
|
||||
+ if (n >= USHRT_MAX) {
|
||||
+ UnlockDisplay(dpy);
|
||||
+ SyncHandle();
|
||||
+ return 0;
|
||||
+ }
|
||||
}
|
||||
nbytes = (n + 3) & ~3;
|
||||
req->length += nbytes >> 2;
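Review bot: The early `return 0` inside the loop runs after `GetReq (SetFontPath, req)` and `req->nFonts = ndirs`, so the request header has presumably already been placed in the output buffer when the function bails out, and it would later be flushed without its path data. Doing the length summation and the USHRT_MAX check before `GetReq` (still under `LockDisplay`, or before taking the lock) avoids leaving a half-built request behind. XSetFontPath starts before and continues after this hunk.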
|
||||
@@ -59,9 +65,9 @@ XSetFontPath (
|
||||
char *tmp = p;
|
||||
|
||||
for (i = 0; i < ndirs; i++) {
|
||||
- register int length = safestrlen (directories[i]);
|
||||
+ register int length = (int) safestrlen (directories[i]);
|
||||
*p = length;
|
||||
- memcpy (p + 1, directories[i], length);
|
||||
+ memcpy (p + 1, directories[i], (size_t)length);
|
||||
p += length + 1;
|
||||
}
|
||||
Data (dpy, tmp, nbytes);
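Review bot: `*p = length;` stores each directory length through a `char *` (see `char *tmp = p`), so only one byte of it is kept, while `memcpy` copies the full `length`; the total-size check added in the previous hunk does not bound an individual entry. A directory of 256 bytes or more would get a length prefix that disagrees with the data following it. A per-entry test in the first loop, e.g. `if (safestrlen (directories[i]) > 255)` taking the same unlock-and-return path, would reject such input. The enclosing block opens before this hunk.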
|
||||
diff --git a/src/SetHints.c b/src/SetHints.c
|
||||
index bc46498a..61cb0684 100644
|
||||
--- a/src/SetHints.c
|
||||
+++ b/src/SetHints.c
|
||||
@@ -49,6 +49,7 @@ SOFTWARE.
|
||||
#ifdef HAVE_CONFIG_H
|
||||
#include <config.h>
|
||||
#endif
|
||||
+#include <limits.h>
|
||||
#include <X11/Xlibint.h>
|
||||
#include <X11/Xutil.h>
|
||||
#include "Xatomtype.h"
|
||||
@@ -214,6 +215,8 @@ XSetCommand (
|
||||
register char *buf, *bp;
|
||||
for (i = 0, nbytes = 0; i < argc; i++) {
|
||||
nbytes += safestrlen(argv[i]) + 1;
|
||||
+ if (nbytes >= USHRT_MAX)
|
||||
+ return 1;
|
||||
}
|
||||
if ((bp = buf = Xmalloc(nbytes))) {
|
||||
/* copy arguments into single buffer */
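Review bot: The oversize paths added to XSetCommand, XSetStandardProperties and XSetClassHint return 1, whereas the other functions touched by this patch return 0 when they reject a string. If 1 is also what these functions return on success (their normal return is outside the hunks), a caller cannot tell that the property was left unset. If the value is kept for compatibility, a comment at each site such as `/* too long for one request: property not set, return value kept for compatibility */` would record that this is deliberate.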
|
||||
@@ -256,11 +259,13 @@ XSetStandardProperties (
|
||||
|
||||
if (name != NULL) XStoreName (dpy, w, name);
|
||||
|
||||
+ if (safestrlen(icon_string) >= USHRT_MAX)
|
||||
+ return 1;
|
||||
if (icon_string != NULL) {
|
||||
XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
|
||||
PropModeReplace,
|
||||
(_Xconst unsigned char *)icon_string,
|
||||
- safestrlen(icon_string));
|
||||
+ (int)safestrlen(icon_string));
|
||||
}
|
||||
|
||||
if (icon_pixmap != None) {
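Review bot: The `safestrlen(icon_string) >= USHRT_MAX` check sits after `XStoreName (dpy, w, name)` has already run, so an oversized icon string makes the function return with the window name changed but the icon name and the `icon_pixmap` handling that follows skipped. Moving the check above the `XStoreName` call makes the rejection all-or-nothing. XSetStandardProperties starts before and continues after this hunk.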
|
||||
@@ -298,6 +303,8 @@ XSetClassHint(
|
||||
|
||||
len_nm = safestrlen(classhint->res_name);
|
||||
len_cl = safestrlen(classhint->res_class);
|
||||
+ if (len_nm + len_cl >= USHRT_MAX)
|
||||
+ return 1;
|
||||
if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) {
|
||||
if (len_nm) {
|
||||
strcpy(s, classhint->res_name);
|
||||
diff --git a/src/StNColor.c b/src/StNColor.c
|
||||
index 8b821c3e..16dc9cbc 100644
|
||||
--- a/src/StNColor.c
|
||||
+++ b/src/StNColor.c
|
||||
@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
|
||||
#ifdef HAVE_CONFIG_H
|
||||
#include <config.h>
|
||||
#endif
|
||||
+#include <limits.h>
|
||||
#include <stdio.h>
|
||||
#include "Xlibint.h"
|
||||
#include "Xcmsint.h"
|
||||
@@ -46,6 +47,8 @@ int flags) /* DoRed, DoGreen, DoBlue */
|
||||
XcmsColor cmsColor_exact;
|
||||
XColor scr_def;
|
||||
|
||||
+ if (strlen(name) >= USHRT_MAX)
|
||||
+ return 0;
|
||||
#ifdef XCMS
|
||||
/*
|
||||
* Let's Attempt to use Xcms approach to Parse Color
|
||||
@@ -76,7 +79,7 @@ int flags) /* DoRed, DoGreen, DoBlue */
|
||||
req->cmap = cmap;
|
||||
req->flags = flags;
|
||||
req->pixel = pixel;
|
||||
- req->nbytes = nbytes = strlen(name);
|
||||
+ req->nbytes = (CARD16) (nbytes = (unsigned) strlen(name));
|
||||
req->length += (nbytes + 3) >> 2; /* round up to multiple of 4 */
|
||||
Data(dpy, name, (long)nbytes);
|
||||
UnlockDisplay(dpy);
|
||||
diff --git a/src/StName.c b/src/StName.c
|
||||
index b4048bff..04bb3aa6 100644
|
||||
--- a/src/StName.c
|
||||
+++ b/src/StName.c
|
||||
@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
|
||||
#ifdef HAVE_CONFIG_H
|
||||
#include <config.h>
|
||||
#endif
|
||||
+#include <limits.h>
|
||||
#include <X11/Xlibint.h>
|
||||
#include <X11/Xatom.h>
|
||||
|
||||
@@ -36,9 +37,11 @@ XStoreName (
|
||||
Window w,
|
||||
_Xconst char *name)
|
||||
{
|
||||
- return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING,
|
||||
+ if (strlen(name) >= USHRT_MAX)
|
||||
+ return 0;
|
||||
+ return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /* */
|
||||
8, PropModeReplace, (_Xconst unsigned char *)name,
|
||||
- name ? strlen(name) : 0);
|
||||
+ name ? (int) strlen(name) : 0);
|
||||
}
|
||||
|
||||
int
|
||||
@@ -47,7 +50,9 @@ XSetIconName (
|
||||
Window w,
|
||||
_Xconst char *icon_name)
|
||||
{
|
||||
+ if (strlen(icon_name) >= USHRT_MAX)
|
||||
+ return 0;
|
||||
return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
|
||||
PropModeReplace, (_Xconst unsigned char *)icon_name,
|
||||
- icon_name ? strlen(icon_name) : 0);
|
||||
+ icon_name ? (int) strlen(icon_name) : 0);
|
||||
}
|
||||
--
|
||||
2.30.1
|
||||
|