Age | Commit message | Author |
|
The Xv query functions for adaptors and encodings suffer from out of
boundary accesses if a hostile X server sends a maliciously crafted
response.
A previous fix already checks the received length against fixed values
but ignores additional length specifications which are stored inside
the received data.
These lengths are accessed in a for-loop. The easiest way to guarantee
a correct processing is by validating all lengths against the
remaining size left before accessing referenced memory.
This makes the previously applied check obsolete, therefore I removed
it.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
Breaks out of tree lintlib builds by causing VPATH lookup to fail.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
_XEatDataWords was originally introduced with the May 2013 security
patches, and in order to ease the process of delivering those,
fallback versions of _XEatDataWords were included in the X extension
library patches so they could be applied to older versions that didn't
have libX11 1.6 yet. Now that we're past that hurdle, we can drop
the fallbacks and just require libX11 1.6 for building new versions
of the extension libraries.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Reduce code duplication, make error checking & cleanup more consistent
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
If we failed to allocate the buffer to _XRead into, discard the
rest of the reply, instead of leaving it to confuse the reading
of the next reply.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
xvproto.h names don't match those required by the Xlibint.h GetReq* macros,
but at least we can rely on the _XGetRequest function for the bulk of the
work now, instead of duplicating it.
Also clears clang warnings repeated for every request function:
Xv.c:137:5: warning: cast from 'char *' to 'xvQueryExtensionReq *' increases required alignment from 1 to 2 [-Wcast-align]
XvGetReq(QueryExtension, req);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./Xvlibint.h:52:8: note: expanded from macro 'XvGetReq'
req = (xv##name##Req *)(dpy->last_req = dpy->bufptr);\
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Xv.c:137:5: warning: implicit conversion loses integer precision: 'int' to 'CARD8' (aka 'unsigned char') [-Wconversion]
XvGetReq(QueryExtension, req);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./Xvlibint.h:53:30: note: expanded from macro 'XvGetReq'
req->reqType = info->codes->major_opcode;\
~ ~~~~~~~~~~~~~^~~~~~~~~~~~
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
|
|
Makes code clearer, and using ~3U instead of ~3 clears some signed int
warnings.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Clears up:
Xv.c:196:21: warning: implicit conversion changes signedness: 'CARD32' (aka 'unsigned int') to 'int' [-Wsign-conversion]
size = rep.length << 2;
~ ~~~~~~~~~~~^~~~
Xv.c:212:41: warning: implicit conversion changes signedness: 'int' to 'size_t' (aka 'unsigned long') [-Wsign-conversion]
if ((pas=(XvAdaptorInfo *)Xmalloc(size))==NULL) {
~~~~~~~~^~~~~
Xv.c:236:43: warning: implicit conversion changes signedness: 'int' to 'unsigned long' [-Wsign-conversion]
pa->num_adaptors = rep.num_adaptors - ii;
~ ~~~~~~~~~~~~~~~~~^~~~
Xv.c:243:40: warning: implicit conversion changes signedness: 'int' to 'size_t' (aka 'unsigned long') [-Wsign-conversion]
if ( (name = (char *)Xmalloc(size+1)) == NULL)
~~~~~~~~~~~~^~~
Xv.c:251:37: warning: implicit conversion changes signedness: 'int' to 'size_t' (aka 'unsigned long') [-Wsign-conversion]
(void)strncpy(name, u.string, size);
~~~~~~~ ^~~~
Xv.c:260:36: warning: implicit conversion changes signedness: 'int' to 'size_t' (aka 'unsigned long') [-Wsign-conversion]
if ((pfs=(XvFormat *)Xmalloc(size))==NULL) {
~~~~~~~~^~~~~
Xv.c:269:20: warning: comparison of integers of different signs: 'int' and 'unsigned long' [-Wsign-compare]
for (jj=0; jj<pa->num_formats; jj++) {
~~^~~~~~~~~~~~~~~~
Xv.c:259:29: warning: implicit conversion loses integer precision: 'unsigned long' to 'int' [-Wshorten-64-to-32]
size = pa->num_formats*sizeof(XvFormat);
~ ~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~
Xv.c:305:16: warning: comparison of integers of different signs: 'int' and 'unsigned long' [-Wsign-compare]
for (ii=0; ii<pAdaptors->num_adaptors; ii++, pa++)
~~^~~~~~~~~~~~~~~~~~~~~~~~
Xv.c:356:21: warning: implicit conversion changes signedness: 'CARD32' (aka 'unsigned int') to 'int' [-Wsign-conversion]
size = rep.length << 2;
~ ~~~~~~~~~~~^~~~
Xv.c:369:41: warning: implicit conversion changes signedness: 'int' to 'size_t' (aka 'unsigned long') [-Wsign-conversion]
if ( (pes = (XvEncodingInfo *)Xmalloc(size)) == NULL) {
~~~~~~~~^~~~~
Xv.c:392:45: warning: implicit conversion changes signedness: 'int' to 'unsigned long' [-Wsign-conversion]
pe->num_encodings = rep.num_encodings - jj;
~ ~~~~~~~~~~~~~~~~~~^~~~
Xv.c:397:40: warning: implicit conversion changes signedness: 'int' to 'size_t' (aka 'unsigned long') [-Wsign-conversion]
if ( (name = (char *)Xmalloc(size+1)) == NULL) {
~~~~~~~~~~~~^~~
Xv.c:404:31: warning: implicit conversion changes signedness: 'int' to 'size_t' (aka 'unsigned long') [-Wsign-conversion]
strncpy(name, u.string, size);
~~~~~~~ ^~~~
Xv.c:433:16: warning: comparison of integers of different signs: 'int' and 'unsigned long' [-Wsign-compare]
for (ii=0; ii<pEncodings->num_encodings; ii++, pe++) {
~~^~~~~~~~~~~~~~~~~~~~~~~~~~
Xv.c:886:27: warning: comparison of integers of different signs: 'int' and 'CARD32' (aka 'unsigned int') [-Wsign-compare]
for (i = 0; i < rep.num_attributes; i++) {
~ ^ ~~~~~~~~~~~~~~~~~~
Xv.c:946:27: warning: comparison of integers of different signs: 'int' and 'CARD32' (aka 'unsigned int') [-Wsign-compare]
for (i = 0; i < rep.num_formats; i++) {
~ ^ ~~~~~~~~~~~~~~~
Xv.c:1100:5: warning: comparison of integers of different signs: 'int' and 'unsigned int' [-Wsign-compare]
SetReqLen(req, len, len);
^~~~~~~~~~~~~~~~~~~~~~~~
X11/Xlibint.h:530:27: note: expanded from macro 'SetReqLen'
if ((req->length + n) > (unsigned)65535) { \
^ ~~~~~~~~~~~~~~~
Xv.c:1100:20: warning: implicit conversion changes signedness: 'int' to 'unsigned int' [-Wsign-conversion]
SetReqLen(req, len, len);
~~~~~~~~~~~~~~~^~~~~~~~~
X11/Xlibint.h:532:21: note: expanded from macro 'SetReqLen'
MakeBigReq(req,n) \
^
X11/Xlibint.h:505:35: note: expanded from macro 'MakeBigReq'
((CARD32 *)req)[1] = _BRlen + n + 2; \
~ ^
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
|
|
Having differing indent levels of 2, 3, & 4 spaces hurts my eyes.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
memory.
This patch attempts to fix this bug by ensuring that there is at least one
nil byte at the end of all the name strings. This should prevent reading
past the end of the allocation as well as exposing uninitialized memory.
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
num_planes is a CARD32 and needs to be bounds checked before bit shifting
and adding to sizeof(XvImage) to come up with the total size to allocate,
to avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
num_formats is a CARD32 and needs to be bounds checked before multiplying
by sizeof(XvImageFormatValues) to come up with the total size to allocate,
to avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Each attribute returned in the reply includes the number of bytes
to read for its marker. We had been always trusting it, and never
validating that it wouldn't cause us to write past the end of the
buffer we allocated based on the reported text_size.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
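Added example (not code from libXv or from these commits): a minimal C sketch of the pattern the commit messages above describe for the adaptor/encoding queries and the attribute markers, where every length embedded in a reply is checked against the bytes still remaining before it is used, and each name is always NUL-terminated. The wire layout, HDR_SIZE, parse_names and free_names are assumptions made for illustration; they are not the xvproto.h structures.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed, simplified layout (not the xvproto.h structs): each entry is a
 * 4-byte header {uint16 name_size (little-endian); uint16 unused} followed
 * by name_size bytes of name, padded to a multiple of 4. */
#define HDR_SIZE 4u

void free_names(char **names, uint32_t count)
{
    uint32_t i;
    for (i = 0; i < count; i++)
        free(names[i]);          /* unfilled slots are NULL from calloc */
    free(names);
}

/* Returns `count` NUL-terminated names, or NULL if the reply is malformed
 * or allocation fails. Never reads past buf + len. */
char **parse_names(const unsigned char *buf, size_t len, uint32_t count)
{
    size_t remaining = len;      /* bytes of the reply not yet consumed */
    char **names;
    uint32_t i;
    /* Each entry needs at least a header, so bound count by the reply size
     * before allocating anything based on it. */
    if (count == 0 || count > len / HDR_SIZE)
        return NULL;
    if ((names = calloc(count, sizeof(*names))) == NULL)
        return NULL;
    for (i = 0; i < count; i++) {
        size_t name_size, padded;
        if (remaining < HDR_SIZE)
            goto fail;           /* header itself would be out of bounds */
        name_size = (size_t)buf[0] | ((size_t)buf[1] << 8);
        buf += HDR_SIZE; remaining -= HDR_SIZE;
        padded = (name_size + 3u) & ~(size_t)3u;
        if (padded > remaining)
            goto fail;           /* embedded length exceeds what is left */
        if ((names[i] = malloc(name_size + 1)) == NULL)
            goto fail;
        memcpy(names[i], buf, name_size);
        names[i][name_size] = '\0';
        buf += padded; remaining -= padded;
    }
    return names;
fail:
    free_names(names, count);
    return NULL;
}
```

A reply whose second entry claims more name bytes than remain, or whose entry count exceeds what the reply could hold, is rejected as a whole instead of being partially trusted.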
|
|
The num_attributes & text_size members of the reply are both CARD32s
and need to be bounds checked before multiplying & adding them together
to come up with the total size to allocate, to avoid integer overflow
leading to underallocation and writing data from the network past the
end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Performed with: find * -type f | xargs perl -i -p -e 's{[ \t]+$}{}'
git diff -w & git diff -b show no diffs from this change
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Jesse Adkins <jesserayadkins@gmail.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Fernando Carrijo <fcarrijo@yahoo.com.br>
Acked-by: Tiago Vignatti <tiago.vignatti@nokia.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
|
|
Free the portion of the encoding list we had already filled in if we get
an error allocating memory for a list entry.
|
|
a global configure cache don't get confused.
|
|
Add XSERV_t, TRANS_SERVER, TRANS_REOPEN to quash warnings.
Add #include <dix-config.h> or <xorg-config.h>, as appropriate, to all
source files in the xserver/xorg tree, predicated on defines of
HAVE_{DIX,XORG}_CONFIG_H. Change all Xfont includes to
<X11/fonts/foo.h>.
|
|
whitespace after backslash modularizeapp.sh: s/destkop/desktop/
modular/symlink.sh: Add bitmaps for xeyes, system.xsm for xsm, and
Xvidtune.cpp for xvidtune. Also comment out non-existing mga_bios.h
Check in buildsystems for xsetroot, xsm, xstdcmap, xtrap, and xvinfo
|
|
- Add Xv build system