author | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2012-06-11 19:16:01 +0000 |
---|---|---|
committer | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2012-06-11 19:16:01 +0000 |
commit | f8f894ec6dea2f382b1f038bd4dfb96d5f9722fd (patch) | |
tree | ef1ac96c0e38d8d8625ee895cbc56a2ebbd9f8ca /lib/libXaw | |
parent | 407c1a914995df8cd71ab6f462934e48ddc4625b (diff) |
Update to libXaw 1.0.11.
Diffstat (limited to 'lib/libXaw')
-rw-r--r-- | lib/libXaw/ChangeLog | 92 | ||||
-rw-r--r-- | lib/libXaw/configure | 20 | ||||
-rw-r--r-- | lib/libXaw/configure.ac | 2 | ||||
-rw-r--r-- | lib/libXaw/src/Text.c | 2 | ||||
-rw-r--r-- | lib/libXaw/src/TextAction.c | 9 |
5 files changed, 109 insertions, 16 deletions
diff --git a/lib/libXaw/ChangeLog b/lib/libXaw/ChangeLog index acd1ca6d2..5e7e8f579 100644 --- a/lib/libXaw/ChangeLog +++ b/lib/libXaw/ChangeLog @@ -1,3 +1,95 @@ +commit ffaad7ee2ef6e06b4585567df04f6b64356fb6fe +Author: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Fri Jun 1 20:31:30 2012 -0700 + + libXaw 1.0.11 + + 
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> + +commit 52081b462ff7d1844d014bf9be887197caa88160 +Author: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat May 26 15:07:07 2012 -0700 + + Only call XawStackFree if XawStackAlloc was used for allocation + + In FormParagraph() in TextAction.c, the #if OLDXAW case always uses + fixed length buffers, while the !OLDXAW case uses XawStackAlloc & + XawStackFree to switch to dynamic allocations when the buffers aren't + large enough. + + A couple instances of XawStackFree slipped into the wrong side of + the #if checks though, so move them back where they belong. Also + reset pos afterwards, in the case we continue and may use it again, + to avoid the chance of a double free. + + Found by the Parfait 0.5.0.1 bug checking tool: + + Error: Free memory not allocated dynamically by alloc (CWE 590) + Free() was called on a pointer 'buf' to the auto variable 'buf'. Free() must only be used on dynamically allocated memory + at line 3946 of TextAction.c in function 'FormParagraph'. + 'buf' allocated at line 0 as auto variable. + at line 4000 of TextAction.c in function 'FormParagraph'. + 'buf' allocated at line 0 as auto variable. + Error: Use after free (CWE 416) + Use after free of pointer '&buf' + at line 3995 of TextAction.c in function 'FormParagraph'. + Previously freed at line 3946 with XtFree. + Error: Use after free + Double free (CWE 415): Double free of pointer '&buf' in call to XtFree + at line 4000 of TextAction.c in function 'FormParagraph'. + Previously freed at line 3946 with XtFree. + Double free (CWE 415): Double free of pointer '<unknown>' in call to XtFree + at line 4000 of TextAction.c in function 'FormParagraph'. + Previously freed at line 3946 with XtFree. + + 
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> + Acked-by: pcpa <paulo.cesar.pereira.de.andrade@gmail.com> + +commit ca35cff72a3100c9367b7e7f4811117c8733b8be +Author: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat May 26 14:44:26 2012 -0700 + + Correct order of arguments to XawStackFree() + + XawStackAlloc() & XawStackFree() are macros to automate the process of + using a fixed size stack buffer for strings smaller than the buffer size, + and allocating/freeing memory for larger strings. + + XawStackFree is defined in src/Private.h as taking (pointer, stk_buffer) + and freeing pointer if it's not pointing to the stack buffer. + + Most of the calls of this macro get the ordering right, but a couple + got it reversed, passing a stack buffer to free() instead of the + allocated pointer. + + Found by the Parfait 0.5.0.1 bug checking tool: + + Error: Free memory not allocated dynamically by alloc (CWE 590) + Free() was called on a pointer 'buf' to the auto variable 'buf'. Free() must only be used on dynamically allocated memory + at line 2281 of TextAction.c in function 'DoFormatText'. + 'buf' allocated at line 0 as auto variable. + at line 2296 of TextAction.c in function 'DoFormatText'. + 'buf' allocated at line 0 as auto variable. + + Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> + Acked-by: pcpa <paulo.cesar.pereira.de.andrade@gmail.com> + +commit 11c3a104141e1a4946ad949dfb5514df0b66a031 +Author: pcpa <paulo.cesar.pereira.de.andrade@gmail.com> +Date: Tue May 22 20:42:32 2012 -0300 + + Correct undefined behavior access to out of scope pointer contents. + + This problem is triggered in gcc 4.7 DCE (dead code elimination). + In the Xaw code, the local constant "String" is not guaranteed to + have global scope. + The problem was found when debugging the reason xedit built with + gcc 4.7 would be very unstable, and that happens regardless of using + a libXaw built with gcc 4.6. + + 
Signed-off-by: pcpa <paulo.cesar.pereira.de.andrade@gmail.com> + Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> + commit b16cc35e551860a0bff54c47b33317536ddeae52 Author: Alan Coopersmith <alan.coopersmith@oracle.com> Date: Thu Mar 22 19:51:33 2012 -0700 diff --git a/lib/libXaw/configure b/lib/libXaw/configure index ded9d620c..8768b6f4d 100644 --- a/lib/libXaw/configure +++ b/lib/libXaw/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.62 for libXaw 1.0.10. +# Generated by GNU Autoconf 2.62 for libXaw 1.0.11. # # Report bugs to <https://bugs.freedesktop.org/enter_bug.cgi?product=xorg>. # @@ -676,8 +676,8 @@ SHELL=${CONFIG_SHELL-/bin/sh} # Identity of this package. PACKAGE_NAME='libXaw' PACKAGE_TARNAME='libXaw' -PACKAGE_VERSION='1.0.10' -PACKAGE_STRING='libXaw 1.0.10' +PACKAGE_VERSION='1.0.11' +PACKAGE_STRING='libXaw 1.0.11' PACKAGE_BUGREPORT='https://bugs.freedesktop.org/enter_bug.cgi?product=xorg' ac_unique_file="Makefile.am" @@ -1470,7 +1470,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libXaw 1.0.10 to adapt to many kinds of systems. +\`configure' configures libXaw 1.0.11 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1540,7 +1540,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libXaw 1.0.10:";; + short | recursive ) echo "Configuration of libXaw 1.0.11:";; esac cat <<\_ACEOF @@ -1665,7 +1665,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libXaw configure 1.0.10 +libXaw configure 1.0.11 generated by GNU Autoconf 2.62 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, 
@@ -1679,7 +1679,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libXaw $as_me 1.0.10, which was +It was created by libXaw $as_me 1.0.11, which was generated by GNU Autoconf 2.62. Invocation command line was $ $0 $@ @@ -2333,7 +2333,7 @@ fi # Define the identity of the package. PACKAGE='libXaw' - VERSION='1.0.10' + VERSION='1.0.11' cat >>confdefs.h <<_ACEOF @@ -24167,7 +24167,7 @@ exec 6>&1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libXaw $as_me 1.0.10, which was +This file was extended by libXaw $as_me 1.0.11, which was generated by GNU Autoconf 2.62. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -24220,7 +24220,7 @@ Report bugs to <bug-autoconf@gnu.org>." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_version="\\ -libXaw config.status 1.0.10 +libXaw config.status 1.0.11 configured by $0, generated by GNU Autoconf 2.62, with options \\"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\" diff --git a/lib/libXaw/configure.ac b/lib/libXaw/configure.ac index 60baa0d55..73b167f52 100644 --- a/lib/libXaw/configure.ac +++ b/lib/libXaw/configure.ac @@ -1,7 +1,7 @@ # Initialize Autoconf AC_PREREQ([2.60]) -AC_INIT([libXaw], [1.0.10], +AC_INIT([libXaw], [1.0.11], [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXaw]) AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_HEADERS([config.h]) diff --git a/lib/libXaw/src/Text.c b/lib/libXaw/src/Text.c index 72387e919..a1ae74a6b 100644 --- a/lib/libXaw/src/Text.c +++ b/lib/libXaw/src/Text.c @@ -3146,7 +3146,7 @@ _XawTextSetSelection(TextWidget ctx, XawTextPosition l, XawTextPosition r, if (nelems == 1 && !strcmp (list[0], "none")) return; if (nelems == 0) { - String defaultSel = "PRIMARY"; + static String defaultSel = "PRIMARY"; list = &defaultSel; nelems = 1; } 
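Review bot: The `static` added to `defaultSel` in `_XawTextSetSelection` has no comment saying why it is required, so a later cleanup could easily drop it again. `list` keeps the address of `defaultSel` after the `if (nelems == 0)` block closes, so an automatic variable would leave `list` dangling, which is the out-of-scope access the ChangeLog entry describes. I would add `/* static: list still points at defaultSel after this block ends */` above the declaration. Because the object is now shared by every call, a write through `list[0]` later in the function would persist across calls; the rest of the body is outside the hunk, so that is worth a quick check.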
diff --git a/lib/libXaw/src/TextAction.c b/lib/libXaw/src/TextAction.c index 6705316d3..7b87ce4b0 100644 --- a/lib/libXaw/src/TextAction.c +++ b/lib/libXaw/src/TextAction.c @@ -2278,7 +2278,7 @@ DoFormatText(TextWidget ctx, XawTextPosition left, Bool force, int level, text.length = bytes; bytes -= text.length; if (_XawTextReplace(ctx, tmp, tmp, &text)) { - XawStackFree(buf, text.ptr); + XawStackFree(text.ptr, buf); return (XawEditError); } if (num_pos) { @@ -2293,7 +2293,7 @@ DoFormatText(TextWidget ctx, XawTextPosition left, Bool force, int level, } position += count; right += count; - XawStackFree(buf, text.ptr); + XawStackFree(text.ptr, buf); } break; } @@ -3935,6 +3935,8 @@ FormParagraph(Widget w, XEvent *event, String *params, Cardinal *num_params) } if (FormRegion(ctx, from, to, pos, src->textSrc.num_text) == XawReplaceError) { + XawStackFree(pos, buf); + pos = buf; #else from = SrcScan(ctx->text.source, ctx->text.insertPos, XawstParagraph, XawsdLeft, 1, False); @@ -3943,7 +3945,6 @@ FormParagraph(Widget w, XEvent *event, String *params, Cardinal *num_params) if (FormRegion(ctx, from, to, pos, 1) == XawReplaceError) { #endif - XawStackFree(pos, buf); XBell(XtDisplay(w), 0); #ifndef OLDXAW if (undo) { @@ -3991,13 +3992,13 @@ FormParagraph(Widget w, XEvent *event, String *params, Cardinal *num_params) XawsdLeft, 1, False), False); tw->text.clear_to_eol = True; } + XawStackFree(pos, buf); #else ctx->text.old_insert = ctx->text.insertPos = *pos; _XawTextBuildLineTable(ctx, SrcScan(ctx->text.source, ctx->text.lt.top, XawstEOL, XawsdLeft, 1, False), False); ctx->text.clear_to_eol = True; #endif - XawStackFree(pos, buf); ctx->text.showposition = True; EndAction(ctx); |
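Review bot: In the second `DoFormatText` hunk (`@@ -2293,7 +2293,7 @@`), `text.ptr` still holds the freed address after the corrected `XawStackFree(text.ptr, buf);` whenever the allocation came from the heap. The `FormParagraph` hunk in this same commit resets `pos = buf;` after its free, but no such reset is added here. The enclosing loop starts and ends outside the hunk, so it is not visible whether `text.ptr` is always reassigned before its next use. If it is not, adding `text.ptr = buf;` after the free would make a repeated `XawStackFree` a no-op instead of a double free. The first hunk returns right after the free and does not need the reset.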
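Review bot: The `pos = buf;` added after `XawStackFree(pos, buf);` in the `#ifndef OLDXAW` error branch of `FormParagraph` (`@@ -3935,6 +3935,8 @@`) looks like a stray assignment without a comment, and removing it would reopen the double free that the ChangeLog entry describes. I would add `/* point pos back at the stack buffer so a later XawStackFree(pos, buf) is a no-op */` on the line above it. After the reset, `pos` no longer refers to the computed positions, so any read of `*pos` reachable from this branch would see whatever `buf` currently holds. The remainder of the branch is outside the hunk, so it is worth confirming that it leaves the function before reaching the `XawStackFree(pos, buf);` that the last hunk moves inside the `#ifndef OLDXAW` side.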