| Age | Commit message (Collapse) | Author |
|---|
|
fs_read_list_info() parses a reply from the font server. The reply
contains a number of additional data items with embedded length or
count fields, none of which are validated. This can cause out of
bound reads when looping over these items in the reply.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
fs_read_list() parses a reply from the font server. The reply
contains a list of strings with embedded length fields, none of
which are validated. This can cause out of bound reads when looping
over the strings in the reply.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
fs_read_glyphs() parses a reply from the font server. The reply
contains embedded length fields, none of which are validated.
This can cause out of bound reads when looping over the glyph
bitmaps in the reply.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
Looping over the extents in the reply could go past the end of the
reply buffer if the reply indicated more extents than could fit in
the specified reply length.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
fs_alloc_glyphs() is a malloc wrapper used by the font code.
It contains a classic integer overflow in the malloc() call,
which can cause memory corruption.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
fs_read_extent_info() parses a reply from the font server.
The reply contains a 32bit number of elements field which is used
to calculate a buffer length. There is an integer overflow in this
calculation which can lead to memory corruption.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
fs_read_query_info() parses a reply from the font server. The reply
contains embedded length fields, none of which are validated. This
can cause out of bound reads in either fs_read_query_info() or in
_fs_convert_props() which it calls to parse the fsPropInfo in the reply.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
fs_get_reply() would take any reply size, multiply it by 4 and pass to
_fs_start_read. If that size was bigger than the current reply buffer
size, _fs_start_read would add it to the existing buffer size plus the
buffer size increment constant and realloc the buffer to that result.
This math could overflow, causing the code to allocate a smaller
buffer than the amount it was about to read into that buffer from
the network. It could also succeed, allowing the remote font server
to cause massive allocations in the X server, possibly using up all
the address space in a 32-bit X server, allowing the triggering of
other bugs in code that fails to handle malloc failure properly.
This patch protects against both problems, by disconnecting any
font server trying to feed us more than (the somewhat arbitrary)
64 mb in a single reply.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
Functions to handle replies to font server requests were casting replies
from the generic form to reply specific structs without first checking
that the reply was at least as long as the struct being cast to.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
The connection setup reply from the font server can include a list
of alternate servers to contact if this font server stops working.
The reply specifies a total size of all the font server names, and
then provides a list of names. _fs_recv_conn_setup() allocated the
specified total size for copying the names to, but didn't check to
make sure it wasn't copying more data to that buffer than the size
it had allocated.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
When _fs_load_glyphs calls fs_send_open_font with FontReopen set, it
passes a NULL name and namelen of 0, since fs_send_open_font is going
to reuse the previous name.
This overly restrictive check was added in XFree86 4.3.99.12:
http://cvsweb.xfree86.org/cvsweb/xc/lib/font/fc/fserve.c.diff?r1=3.23&r2=3.24
http://cvsweb.xfree86.org/cvsweb/xc/lib/font/fc/fserve.c?rev=3.24&content-type=text/vnd.viewcvs-markup
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Instead of editing fsio.h to turn on debugging logs, just add
-DDEBUG to CPPFLAGS when building.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Many const char issues.
One extra 'i' declared in ScaleFont; we can just use the same 'i' as
exists at the top level scope.
Also ignore bad-function-cast in ftfuncs.c and bitscale.c because
we're casting the return value from floor or ceil from double to
int. As floor and ceil are kinda designed to generate integer results,
it's pretty clear that we're doing what we want and that the compiler
is generating noise. I'm not sure why bad-function-cast is ever a good
warning to turn on, but I'll leave that for another day.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Gaetan Nadon <memsize@videotron.ca>
|
|
Quiets cppcheck 1.63 warning:
[fc/fserve.c:2972]: (error) Uninitialized variable: lcreq
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jasper St. Pierre <jstpierre@mecheye.net>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Excerpt https://lists.gnu.org/archive/html/automake/2012-12/msg00038.html
- Support for the long-deprecated INCLUDES variable will be removed
altogether in Automake 1.14. The AM_CPPFLAGS variable should be
used instead.
This variable was deprecated in Automake releases prior to 1.10, which is
the current minimum level required to build X.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
If socket is getting interrupted with signal EINTR, we should keep
socket in progress state. I have borrowed following code from socket
write _fs_flush():line274 . I have done exactly same at _fs_fill().
Socket write will not close the connection and re attempt to read buffer.
Signed-off-by: Arvind Umrao <arvind.umrao@oracle.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
|
|
Performed with: find * -type f | xargs perl -i -p -e 's{[ \t]+$}{}'
git diff -w & git diff -b show no diffs from this change
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Jesse Adkins <jesserayadkins@gmail.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Besides cluttering Valgrind output, this might also be an information leak.
Signed-off-by: Peter Astrand <astrand@cendio.se>
Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
|
|
Distribute ChangeLog but not autogen.sh.
Use a single toplevel .gitignore file, instead of one per subdirectory.
|
|
|
|
|
|
Xprint is just insidious, isn't it.
|
|
Versions of xfs before commit 3fe28a31a2974287acc182c7c9bfd68d94ea6292
will reject CreateAC packets with 0 auths unless they claim to have at
least 4 bytes of authentication data that isn't actually read.
|
|
This lets the user set CFLAGS when running make.
|
|
|
|
|
|
|
|
|
|
|
|
Jover).
|
|
|
|
found when building in the modular tree
|
|
|
|
|
|
<X11/fonts/*.h>
|
|
Add XSERV_t, TRANS_SERVER, TRANS_REOPEN to quash warnings.
Add #include <dix-config.h> or <xorg-config.h>, as appropriate, to all
source files in the xserver/xorg tree, predicated on defines of
HAVE_{DIX,XORG}_CONFIG_H. Change all Xfont includes to
<X11/fonts/foo.h>.
|
|
|
|
|
|
|
|
Copy Xtrans.h to exports/include/X11/Xtrans only
|
|
|
|
|
|
mingw (Win32) port
|
|
|
|
|
|
|
