| Age | Commit message (Collapse) | Author |
|---|
|
Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net>
|
|
Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net>
|
|
Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net>
|
|
Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net>
|
|
Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net>
|
|
Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net>
|
|
Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net>
|
|
Xrender.c: In function ‘XRenderQueryFormats’:
Xrender.c:406:19: warning: declaration of ‘xDepth’ shadows a global declaration [-Wshadow]
xPictDepth *xDepth;
^~~~~~
In file included from /net/also.us.oracle.com/export/alanc/X.Org/amd64-gcc/install/usr/X11R7/include/X11/Xlibint.h:43:0,
from Xrenderint.h:31,
from Xrender.c:28:
/net/also.us.oracle.com/export/alanc/X.Org/amd64-gcc/install/usr/X11R7/include/X11/Xproto.h:329:7: note: shadowed declaration is here
} xDepth;
^~~~~~
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
These are not needed in C89 and later
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Rationale: I don't have enough expertise to judge on how the tessellation
algorithm is broken in XRenderComputeTrapezoids but I do trust Keith Packard
that it is. However using cairo for proper tessellation, as he suggests, is
too heavyweight, and here I propose to alter the code to at least do not cause
coredumps.
Even if/when the function will be marked as obsolete, I believe it is pretty
much capable of rendering relatively simple shapes, and still retains some
value.
|
|
Signed-off-by: Robin Linden <dev@robinlinden.eu>
|
|
Individual lengths inside received server data can overflow
the previously reserved memory.
It is therefore important to validate every single length
field to not overflow the previously agreed sum of all invidual
length fields.
v2: consume remaining bytes in the reply buffer on error.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb@laas.fr
|
|
The memory for filter names is reserved right after receiving the reply.
After that, filters are iterated and each individual filter name is
stored in that reserved memory.
The individual name lengths are not checked for validity, which means
that a malicious server can reserve less memory than it will write to
during each iteration.
v2: consume remaining bytes in reply buffer on error.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
Request length calculation inside XRenderCompositeText32 is broken for
the case where the number of glyphs fits exactky inside the last
xGlyphElt.
In XRenderCompositeText8 and XRenderCompositeText16 this case is
handled properly, somehow the "-1" got missing in
XRenderCompositeText32.
Reviewed-by: Keith Packard <keithp@keithp.com>
|
|
_XEatDataWords was orignally introduced with the May 2013 security
patches, and in order to ease the process of delivering those,
fallback versions of _XEatDataWords were included in the X extension
library patches so they could be applied to older versions that didn't
have libX11 1.6 yet. Now that we're past that hurdle, we can drop
the fallbacks and just require libX11 1.6 for building new versions
of the extension libraries.
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
The length and numIndexValues members of the reply are both CARD32 and
need to be bounds checked before multiplying by sizeof (XIndexValue) to
avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
The length, numFormats, numScreens, numDepths, and numVisuals members of
the reply are all CARD32 and need to be bounds checked before multiplying
and adding them together to come up with the total size to allocate, to
avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
The length, numFilters & numAliases members of the reply are all CARD32
and need to be bounds checked before multiplying & adding them together
to come up with the total size to allocate, to avoid integer overflow
leading to underallocation and writing data from the network past the
end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Due to C arithmetic conversion rules we must use an unsigned constant (or a
cast) to perform the multiplication using unsigned arithmetic.
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
|
|
Performed with: find * -type f | xargs perl -i -p -e 's{[ \t]+$}{}'
git diff -w & git diff -b show no diffs from this change
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Clears Sun compiler warning:
"Xrender.c", line 127: warning: integer overflow detected: op "<<"
since 1 << 31 overflows a signed 32-bit int.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Fernando Carrijo <fcarrijo@yahoo.com.br>
Acked-by: Tiago Vignatti <tiago.vignatti@nokia.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
|
|
|
|
64-bit systems.
Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
|
|
|
|
|
|
|
|
|
|
malloc succeeds.
|
|
|
|
|
|
references to include <X11/Xregion.h>.
|
|
|
|
|
|
|
|
$(top_srcdir) to INCLUDES
|
|
|
|
- Add Xrender to symlink.sh
|
|
|
|
|
|
fix option name in log message.
improve debugging messages.
|
|
|
|
|
|
|
|
|
