Age | Commit message | Author |
|
XRecordFreeState() will handle the free for us, so let it.
Found by gcc 14.1:
XRecord.c:514:31: warning: use after ‘free’ of ‘*state.client_info + i * 8’
[CWE-416] [-Wanalyzer-use-after-free]
514 | if (state->client_info[i]->ranges) {
| ~~~~~~~~~~~~~~~~~~^~~
[...]
| 455 | free(client_inf);
| | ~~~~~~~~~~~~~~~~
| | |
| | (18) freed here
Fixes: e7e04b7 ("integer overflow in XRecordGetContext() [CVE-2013-2063]")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxtst/-/merge_requests/7>
|
|
Signed-off-by: Thomas Klausner <wiz@gatalith.at>
|
|
Not needed in C89 and later
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
XRecord.c: In function ‘XRecordFreeState’:
XRecord.c:515:15: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
for(i=0; i<state->nclients; i++) {
^
XRecord.c: In function ‘parse_reply_call_callback’:
XRecord.c:752:25: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
if (current_index + 4 > rep->length << 2)
^
XRecord.c:759:28: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
if (current_index + 1 > rep->length << 2)
^
XRecord.c:763:25: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
if (current_index + 8 > rep->length << 2)
^
XRecord.c:777:25: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
if (current_index + 4 > rep->length << 2)
^
XRecord.c:785:25: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
if (current_index + 4 > rep->length << 2)
^
XRecord.c:792:28: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
if (current_index + 4 > rep->length<<2)
^
XRecord.c:797:25: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
if (current_index + 8 > rep->length << 2)
^
XRecord.c:810:28: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
if (current_index + 8 > rep->length << 2)
^
XRecord.c:818:25: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
if (current_index + 4 > rep->length << 2)
^
XRecord.c:824:31: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
} else if (current_index < rep->length << 2)
^
XRecord.c:830:24: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
if (current_index < rep->length << 2)
^
XRecord.c:859:27: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
} while (current_index<rep->length<<2);
^
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Quiets gcc warnings:
XTest.c: In function ‘send_axes’:
XTest.c:274:19: warning: this statement may fall through [-Wimplicit-fallthrough=]
ev.valuator5 = *(axes+5);
~~~~~~~~~~~~~^~~~~~~~~~~
XTest.c:275:2: note: here
case 5:
^~~~
XTest.c:276:19: warning: this statement may fall through [-Wimplicit-fallthrough=]
ev.valuator4 = *(axes+4);
~~~~~~~~~~~~~^~~~~~~~~~~
XTest.c:277:2: note: here
case 4:
^~~~
XTest.c:278:19: warning: this statement may fall through [-Wimplicit-fallthrough=]
ev.valuator3 = *(axes+3);
~~~~~~~~~~~~~^~~~~~~~~~~
XTest.c:279:2: note: here
case 3:
^~~~
XTest.c:280:19: warning: this statement may fall through [-Wimplicit-fallthrough=]
ev.valuator2 = *(axes+2);
~~~~~~~~~~~~~^~~~~~~~~~~
XTest.c:281:2: note: here
case 2:
^~~~
XTest.c:282:19: warning: this statement may fall through [-Wimplicit-fallthrough=]
ev.valuator1 = *(axes+1);
~~~~~~~~~~~~~^~~~~~~~~~~
XTest.c:283:2: note: here
case 1:
^~~~
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
A lack of range checks in libXtst allows out of boundary accesses.
The checks have to be done in-place here, because they cannot be done
without in-depth knowledge of the read data.
If XRecordStartOfData, XRecordEndOfData, or XRecordClientDied
without a client sequence have attached data, an endless loop would
occur. The do-while-loop continues until the current index reaches
the end. But in these cases, the current index would not be
incremented, leading to endless processing.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
_XEatDataWords was originally introduced with the May 2013 security
patches, and in order to ease the process of delivering those,
fallback versions of _XEatDataWords were included in the X extension
library patches so they could be applied to older versions that didn't
have libX11 1.6 yet. Now that we're past that hurdle, we can drop
the fallbacks and just require libX11 1.6 for building new versions
of the extension libraries.
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
The nclients and nranges members of the reply are both CARD32 and need
to be bounds checked before multiplying by the size of the structs to
avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Avoids having to do calculations based on response contents
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Ensures local copy of headers takes precedence over any -I flags the
builder may have passed in CPPFLAGS.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Performed with: find * -type f | xargs perl -i -p -e 's{[ \t]+$}{}'
git diff -w & git diff -b show no diffs from this change
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
From: Tobias Koch <tobias.koch@nokia.com>
If the number of axes exceeds 6, X server will return BadValue for
XTestFakeInput because the number of axes in a single DeviceValuator
event is incorrectly set to the total number of axes.
Signed-off-by: Tobias Koch <tobias.koch@nokia.com>
Reviewed-by: Rami Ylimäki <rami.ylimaki@vincit.fi>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Signed-off-by: Jesse Adkins <jesserayadkins@gmail.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Fernando Carrijo <fcarrijo@yahoo.com.br>
Acked-by: Tiago Vignatti <tiago.vignatti@nokia.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Compiler warning flags should be explicitly set in the makefile
rather than being merged with other packages compiler flags.
Signed-off-by: Gaetan Nadon <memsize@videotron.ca>
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Both variables are initialized inside an if condition but later checked for
NULL.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
XTest.h was in xextproto until xextproto-7.1 and did a short but woefully
misguided visit to libXext during the cleanup of the xextproto headers.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Require xextproto 7.0.99.1.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Manual page generation, and xmlto handling, shamelessly cut&paste'd
from libXi/man/Makefile.am, so that make distcheck will work.
|
|
These parameters are not treated as input. Rename them to make the inner
workings slightly more obvious.
X.Org Bug 14511 <http://bugs.freedesktop.org/show_bug.cgi?id=14511>
|
|
(Unlikely to happen, since the smaller malloc was first, but still possible.)
|
|
a global configure cache don't get confused.
|
|
- Add Xtst build system
|
|