Age | Commit message (Collapse) | Author |
|
The fix for double alignment on 32bits machines with strict constraints
was already committed.
|
|
internally.
The functions wireToRawEvent() and copyRawEvent() get memories first,
then allocate memory blocks sequentially for several objects include
'double' from there.
On m88k, the memory area for 'double' should be 8-byte aligned, but
sizeof(XIRawEvent) is 60 and sizeof(out->valuators.mask_len) is 8.
In this case, allocated 'double' memory was not 8-byte aligned.
Because of this, 'xeyes' on luna88k was aborted with Bus Error right
after moving mouse for several years with sys/arch/m88k/m88k/trap.c
r.127.
Tested by me on luna88k, ok matthieu@
|
|
|
|
|
|
|
|
|
|
|
|
By validating length fields from server responses, out of boundary
accesses and endless loops can be mitigated.
From Tobias Stoeckmann / X.Org security advisory Oct 4, 2016
|
|
|
|
|
|
Tested by ajacoutot@ against gnome.
|
|
|
|
discovered by Ilja van Sprundel.
CVE-2013-1981 X.org libX11 1.5.99.901 (1.6 RC1) integer overflows
CVE-2013-1982 X.org libXext 1.3.1 integer overflows
CVE-2013-1983 X.org libXfixes 5.0 integer overflows
CVE-2013-1984 X.org libXi 1.7.1 integer overflows
CVE-2013-1985 X.org libXinerama 1.1.2 integer overflows
CVE-2013-1986 X.org libXrandr 1.4.0 integer overflows
CVE-2013-1987 X.org libXrender 0.9.7 integer overflows
CVE-2013-1988 X.org libXRes 1.0.6 integer overflows
CVE-2013-1989 X.org libXv 1.0.7 integer overflows
CVE-2013-1990 X.org libXvMC 1.0.7 integer overflows
CVE-2013-1991 X.org libXxf86dga 1.1.3 integer overflows
CVE-2013-1992 X.org libdmx 1.1.2 integer overflows
CVE-2013-1994 X.org libchromeXvMC & libchromeXvMCPro in openChrome
0.3.2 integer overflows
CVE-2013-1995 X.org libXi 1.7.1 sign extension issues
CVE-2013-1996 X.org libFS 1.0.4 sign extension issues
CVE-2013-1997 X.org libX11 1.5.99.901 (1.6 RC1) buffer overflows
CVE-2013-1998 X.org libXi 1.7.1 buffer overflows
CVE-2013-1999 X.org libXvMC 1.0.7 buffer overflows
CVE-2013-2000 X.org libXxf86dga 1.1.3 buffer overflows
CVE-2013-2001 X.org libXxf86vm 1.1.2 buffer overflows
CVE-2013-2002 X.org libXt 1.1.3 buffer overflows
CVE-2013-2003 X.org libXcursor 1.1.13 integer overflows
CVE-2013-2004 X.org libX11 1.5.99.901 (1.6 RC1) unbounded recursion
CVE-2013-2005 X.org libXt 1.1.3 memory corruption
CVE-2013-2066 X.org libXv 1.0.7 buffer overflows
|
|
|
|
crash on sparc64.
Upstream git commit 07ced7b48219e3bc0c98806f3d7106f86d1b2ca0
OK matthieu@
|
|
|
|
|
|
This contains more doc fixes and a few more bug fixes.
|
|
Tested by ajacoutot@, jasper@, krw@, shadchin@.
I believe that the bugs spotted by krw@ are fixed in an upcoming
inputproto update.
|
|
Just use Data() to send the xXIEventMask structure on the wire.
|
|
May change if upstreams fix it differently.
Still broken on cross-endian remote connections though.
|
|
From upstream; ok matthieu@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|