Bug#988832: unblock: libx11/2:1.7.1-1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-x@lists.debian.org
Please unblock package libx11
This fixes CVE-2021-31535, a bug in libX11 which could lead to the
execution of additional X requests due to insufficient buffer checks.
I have done some manual tests (running an X server with various applications).
The risks are minor, as the changes are pretty much limited to the security
fix, with only minor changes apart from that.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
The debdiff is a little large due to the autotools version the tarball
was generated with. I'm attaching a debdiff filtered with
filterdiff -x '*/Makefile.in' -x '*.man' -x '*/aclocal.m4' -x '*/configure'
(the *.man changes are actual manpage syntax fixes, but make it harder to review
the actually important code fixes in this update, so I filtered them).
unblock libx11/2:1.7.1-1
diff -Nru libx11-1.7.0/compile libx11-1.7.1/compile
--- libx11-1.7.0/compile 2020-11-20 20:08:19.000000000 +0100
+++ libx11-1.7.1/compile 2021-05-18 16:14:45.000000000 +0200
@@ -3,7 +3,7 @@
scriptversion=2018-03-07.03; # UTC
-# Copyright (C) 1999-2020 Free Software Foundation, Inc.
+# Copyright (C) 1999-2018 Free Software Foundation, Inc.
# Written by Tom Tromey <tromey@cygnus.com>.
#
# This program is free software; you can redistribute it and/or modify
@@ -53,7 +53,7 @@
MINGW*)
file_conv=mingw
;;
- CYGWIN* | MSYS*)
+ CYGWIN*)
file_conv=cygwin
;;
*)
@@ -67,7 +67,7 @@
mingw/*)
file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'`
;;
- cygwin/* | msys/*)
+ cygwin/*)
file=`cygpath -m "$file" || echo "$file"`
;;
wine/*)
diff -Nru libx11-1.7.0/configure.ac libx11-1.7.1/configure.ac
--- libx11-1.7.0/configure.ac 2020-11-20 20:08:11.000000000 +0100
+++ libx11-1.7.1/configure.ac 2021-05-18 16:14:20.000000000 +0200
@@ -1,7 +1,7 @@
# Initialize Autoconf
AC_PREREQ([2.60])
-AC_INIT([libX11], [1.7.0],
+AC_INIT([libX11], [1.7.1],
[https://gitlab.freedesktop.org/xorg/lib/libx11/issues], [libX11])
AC_CONFIG_SRCDIR([Makefile.am])
AC_CONFIG_HEADERS([src/config.h include/X11/XlibConf.h])
diff -Nru libx11-1.7.0/debian/changelog libx11-1.7.1/debian/changelog
--- libx11-1.7.0/debian/changelog 2021-05-20 10:05:15.000000000 +0200
+++ libx11-1.7.1/debian/changelog 2021-05-20 10:05:15.000000000 +0200
@@ -1,3 +1,16 @@
+libx11 (2:1.7.1-1) unstable; urgency=medium
+
+ [ Julien Cristau ]
+ * libx11-6 Breaks old libx11-xcb1, as further mitigation for bug
+ #979590.
+
+ [ Emilio Pozuelo Monfort ]
+ * New upstream release.
+ * CVE-2021-31535: X protocol command injection due to missing request
+ length checks (closes: #988737)
+
+ -- Emilio Pozuelo Monfort <pochu@debian.org> Wed, 19 May 2021 17:22:09 +0200
+
libx11 (2:1.7.0-2) unstable; urgency=medium
* Set a strict dependency of libx11-xcb1 on libx11-6, as internal ABI
diff -Nru libx11-1.7.0/debian/control libx11-1.7.1/debian/control
--- libx11-1.7.0/debian/control 2021-05-20 10:05:15.000000000 +0200
+++ libx11-1.7.1/debian/control 2021-05-20 10:05:15.000000000 +0200
@@ -28,6 +28,8 @@
${misc:Depends},
libx11-data,
Pre-Depends: ${misc:Pre-Depends}
+Breaks:
+ libx11-xcb1 (<< 2:1.7.0-2),
Multi-Arch: same
Description: X11 client-side library
This package provides a client interface to the X Window System, otherwise
diff -Nru libx11-1.7.0/depcomp libx11-1.7.1/depcomp
--- libx11-1.7.0/depcomp 2020-11-20 20:08:19.000000000 +0100
+++ libx11-1.7.1/depcomp 2021-05-18 16:14:46.000000000 +0200
@@ -3,7 +3,7 @@
scriptversion=2018-03-07.03; # UTC
-# Copyright (C) 1999-2020 Free Software Foundation, Inc.
+# Copyright (C) 1999-2018 Free Software Foundation, Inc.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
diff -Nru libx11-1.7.0/include/X11/Xlib.h libx11-1.7.1/include/X11/Xlib.h
--- libx11-1.7.0/include/X11/Xlib.h 2020-11-20 20:08:11.000000000 +0100
+++ libx11-1.7.1/include/X11/Xlib.h 2021-05-18 16:14:20.000000000 +0200
@@ -367,7 +367,7 @@
int bitmap_bit_order; /* LSBFirst, MSBFirst */
int bitmap_pad; /* 8, 16, 32 either XY or ZPixmap */
int depth; /* depth of image */
- int bytes_per_line; /* accelarator to next line */
+ int bytes_per_line; /* accelerator to next line */
int bits_per_pixel; /* bits per pixel (ZPixmap) */
unsigned long red_mask; /* bits in z arrangement */
unsigned long green_mask;
diff -Nru libx11-1.7.0/install-sh libx11-1.7.1/install-sh
--- libx11-1.7.0/install-sh 2020-11-20 20:08:19.000000000 +0100
+++ libx11-1.7.1/install-sh 2021-05-18 16:14:45.000000000 +0200
@@ -451,18 +451,7 @@
trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
# Copy the file name to the temp name.
- (umask $cp_umask &&
- { test -z "$stripcmd" || {
- # Create $dsttmp read-write so that cp doesn't create it read-only,
- # which would cause strip to fail.
- if test -z "$doit"; then
- : >"$dsttmp" # No need to fork-exec 'touch'.
- else
- $doit touch "$dsttmp"
- fi
- }
- } &&
- $doit_exec $cpprog "$src" "$dsttmp") &&
+ (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") &&
# and set any options; do chmod last to preserve setuid bits.
#
diff -Nru libx11-1.7.0/missing libx11-1.7.1/missing
--- libx11-1.7.0/missing 2020-11-20 20:08:19.000000000 +0100
+++ libx11-1.7.1/missing 2021-05-18 16:14:45.000000000 +0200
@@ -3,7 +3,7 @@
scriptversion=2018-03-07.03; # UTC
-# Copyright (C) 1996-2020 Free Software Foundation, Inc.
+# Copyright (C) 1996-2018 Free Software Foundation, Inc.
# Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
# This program is free software; you can redistribute it and/or modify
diff -Nru libx11-1.7.0/nls/en_US.UTF-8/Compose.pre libx11-1.7.1/nls/en_US.UTF-8/Compose.pre
--- libx11-1.7.0/nls/en_US.UTF-8/Compose.pre 2020-11-20 20:08:11.000000000 +0100
+++ libx11-1.7.1/nls/en_US.UTF-8/Compose.pre 2021-05-18 16:14:29.000000000 +0200
@@ -924,9 +924,11 @@
<Multi_key> <e> <minus> : "ē" U0113 # LATIN SMALL LETTER E WITH MACRON
<dead_breve> <E> : "Ĕ" U0114 # LATIN CAPITAL LETTER E WITH BREVE
<Multi_key> <U> <E> : "Ĕ" U0114 # LATIN CAPITAL LETTER E WITH BREVE
+<Multi_key> <u> <E> : "Ĕ" U0114 # LATIN CAPITAL LETTER E WITH BREVE
<Multi_key> <b> <E> : "Ĕ" U0114 # LATIN CAPITAL LETTER E WITH BREVE
<dead_breve> <e> : "ĕ" U0115 # LATIN SMALL LETTER E WITH BREVE
<Multi_key> <U> <e> : "ĕ" U0115 # LATIN SMALL LETTER E WITH BREVE
+<Multi_key> <u> <e> : "ĕ" U0115 # LATIN SMALL LETTER E WITH BREVE
<Multi_key> <b> <e> : "ĕ" U0115 # LATIN SMALL LETTER E WITH BREVE
<dead_abovedot> <E> : "Ė" U0116 # LATIN CAPITAL LETTER E WITH DOT ABOVE
<Multi_key> <period> <E> : "Ė" U0116 # LATIN CAPITAL LETTER E WITH DOT ABOVE
@@ -960,14 +962,18 @@
<Multi_key> <asciicircum> <g> : "ĝ" U011D # LATIN SMALL LETTER G WITH CIRCUMFLEX
<dead_breve> <G> : "Ğ" U011E # LATIN CAPITAL LETTER G WITH BREVE
<Multi_key> <U> <G> : "Ğ" U011E # LATIN CAPITAL LETTER G WITH BREVE
+<Multi_key> <u> <G> : "Ğ" U011E # LATIN CAPITAL LETTER G WITH BREVE
<Multi_key> <G> <U> : "Ğ" U011E # LATIN CAPITAL LETTER G WITH BREVE
+<Multi_key> <G> <u> : "Ğ" U011E # LATIN CAPITAL LETTER G WITH BREVE
<Multi_key> <b> <G> : "Ğ" U011E # LATIN CAPITAL LETTER G WITH BREVE
<Multi_key> <breve> <G> : "Ğ" U011E # LATIN CAPITAL LETTER G WITH BREVE
<Multi_key> <G> <breve> : "Ğ" U011E # LATIN CAPITAL LETTER G WITH BREVE
<Multi_key> <G> <parenleft> : "Ğ" U011E # LATIN CAPITAL LETTER G WITH BREVE
<dead_breve> <g> : "ğ" U011F # LATIN SMALL LETTER G WITH BREVE
<Multi_key> <U> <g> : "ğ" U011F # LATIN SMALL LETTER G WITH BREVE
+<Multi_key> <u> <g> : "ğ" U011F # LATIN SMALL LETTER G WITH BREVE
<Multi_key> <g> <U> : "ğ" U011F # LATIN SMALL LETTER G WITH BREVE
+<Multi_key> <g> <u> : "ğ" U011F # LATIN SMALL LETTER G WITH BREVE
<Multi_key> <b> <g> : "ğ" U011F # LATIN SMALL LETTER G WITH BREVE
<Multi_key> <breve> <g> : "ğ" U011F # LATIN SMALL LETTER G WITH BREVE
<Multi_key> <g> <breve> : "ğ" U011F # LATIN SMALL LETTER G WITH BREVE
@@ -1016,9 +1022,11 @@
<Multi_key> <i> <minus> : "ī" U012B # LATIN SMALL LETTER I WITH MACRON
<dead_breve> <I> : "Ĭ" U012C # LATIN CAPITAL LETTER I WITH BREVE
<Multi_key> <U> <I> : "Ĭ" U012C # LATIN CAPITAL LETTER I WITH BREVE
+<Multi_key> <u> <I> : "Ĭ" U012C # LATIN CAPITAL LETTER I WITH BREVE
<Multi_key> <b> <I> : "Ĭ" U012C # LATIN CAPITAL LETTER I WITH BREVE
<dead_breve> <i> : "ĭ" U012D # LATIN SMALL LETTER I WITH BREVE
<Multi_key> <U> <i> : "ĭ" U012D # LATIN SMALL LETTER I WITH BREVE
+<Multi_key> <u> <i> : "ĭ" U012D # LATIN SMALL LETTER I WITH BREVE
<Multi_key> <b> <i> : "ĭ" U012D # LATIN SMALL LETTER I WITH BREVE
<dead_ogonek> <I> : "Į" U012E # LATIN CAPITAL LETTER I WITH OGONEK
<Multi_key> <semicolon> <I> : "Į" U012E # LATIN CAPITAL LETTER I WITH OGONEK
@@ -1123,9 +1131,11 @@
<Multi_key> <o> <minus> : "ō" U014D # LATIN SMALL LETTER O WITH MACRON
<dead_breve> <O> : "Ŏ" U014E # LATIN CAPITAL LETTER O WITH BREVE
<Multi_key> <U> <O> : "Ŏ" U014E # LATIN CAPITAL LETTER O WITH BREVE
+<Multi_key> <u> <O> : "Ŏ" U014E # LATIN CAPITAL LETTER O WITH BREVE
<Multi_key> <b> <O> : "Ŏ" U014E # LATIN CAPITAL LETTER O WITH BREVE
<dead_breve> <o> : "ŏ" U014F # LATIN SMALL LETTER O WITH BREVE
<Multi_key> <U> <o> : "ŏ" U014F # LATIN SMALL LETTER O WITH BREVE
+<Multi_key> <u> <o> : "ŏ" U014F # LATIN SMALL LETTER O WITH BREVE
<Multi_key> <b> <o> : "ŏ" U014F # LATIN SMALL LETTER O WITH BREVE
<dead_doubleacute> <O> : "Ő" U0150 # LATIN CAPITAL LETTER O WITH DOUBLE ACUTE
<Multi_key> <equal> <O> : "Ő" U0150 # LATIN CAPITAL LETTER O WITH DOUBLE ACUTE
@@ -6019,8 +6029,7 @@
<Multi_key> <minus> <U2191> : "⍏" U234f # - ↑ APL FUNCTIONAL SYMBOL UPWARDS VANE
<Multi_key> <U2191> <U2395> : "⍐" U2350 # ↑ ⎕ APL FUNCTIONAL SYMBOL QUAD UPWARDS ARROW
<Multi_key> <U2395> <U2191> : "⍐" U2350 # ⎕ ↑ APL FUNCTIONAL SYMBOL QUAD UPWARDS ARROW
-XCOMM I cannot get anything to work with <macron>. Given that no extant APLs use ⍑ I will just leave the lines
-XCOMM in place.
+XCOMM The next two somehow don't work. However, no extant APL uses "⍑".
<Multi_key> <macron> <U22a4> : "⍑" U2351 # ¯ ⊤ APL FUNCTIONAL SYMBOL UP TACK OVERBAR
<Multi_key> <U22a4> <macron> : "⍑" U2351 # ⊤ ¯ APL FUNCTIONAL SYMBOL UP TACK OVERBAR
<Multi_key> <U2207> <bar> : "⍒" U2352 # ∇ | APL FUNCTIONAL SYMBOL DEL STILE
@@ -6035,10 +6044,7 @@
<Multi_key> <minus> <U2193> : "⍖" U2356 # - ↓ APL FUNCTIONAL SYMBOL DOWNWARDS VANE
<Multi_key> <U2193> <U2395> : "⍗" U2357 # ↓ ⎕ APL FUNCTIONAL SYMBOL QUAD DOWNWARDS ARROW
<Multi_key> <U2395> <U2193> : "⍗" U2357 # ⎕ ↓ APL FUNCTIONAL SYMBOL QUAD DOWNWARDS ARROW
-XCOMM This line clashes with the <apostrophe> <underscore> <E> (and similar) that appear to be there to provide
-XCOMM a work around for the problems with <macron>. Or to cope with keyboards that do not have <macron> (more likely).
-XCOMM All APL keyboards have <macron>, it is used as the -ve sign for numbers.
-XCOMM I do not know of an extant APL using ⍘
+XCOMM The <apostrophe> <underscore> is used elsewhere. However, no extant APL uses "⍘".
<Multi_key> <underscore> <apostrophe> : "⍘" U2358 # _ ' APL FUNCTIONAL SYMBOL QUOTE UNDERBAR
<Multi_key> <U2206> <underscore> : "⍙" U2359 # ∆ _ APL FUNCTIONAL SYMBOL DELTA UNDERBAR
<Multi_key> <underscore> <U2206> : "⍙" U2359 # _ ∆ APL FUNCTIONAL SYMBOL DELTA UNDERBAR
@@ -6079,10 +6085,7 @@
<Multi_key> <asciitilde> <0> : "⍬" U236c # ~ 0 APL FUNCTIONAL SYMBOL ZILDE
<Multi_key> <bar> <asciitilde> : "⍭" U236d # | ~ APL FUNCTIONAL SYMBOL STILE TILDE
<Multi_key> <asciitilde> <bar> : "⍭" U236d # ~ | APL FUNCTIONAL SYMBOL STILE TILDE
-XCOMM This line does not work. It clashes with
-XCOMM <underscore> <semicolon> <O> for Ǭ and
-XCOMM <underscore> <semicolon> <o> for ǭ.
-XCOMM Given that no extant APLs use ⍮ I will just leave the line in place.
+XCOMM The <underscore> <semicolon> is used elsewhere. However, no extant APL uses "⍮".
<Multi_key> <semicolon> <underscore> : "⍮" U236e # ; _ APL FUNCTIONAL SYMBOL SEMICOLON UNDERBAR
<Multi_key> <U2260> <U2395> : "⍯" U236f # ≠ ⎕ APL FUNCTIONAL SYMBOL QUAD NOT EQUAL
<Multi_key> <U2395> <U2260> : "⍯" U236f # ⎕ ≠ APL FUNCTIONAL SYMBOL QUAD NOT EQUAL
diff -Nru libx11-1.7.0/nls/locale.alias.pre libx11-1.7.1/nls/locale.alias.pre
--- libx11-1.7.0/nls/locale.alias.pre 2020-11-20 20:08:11.000000000 +0100
+++ libx11-1.7.1/nls/locale.alias.pre 2021-05-18 16:14:30.000000000 +0200
@@ -16,6 +16,7 @@
Cextend.en: en_US.ISO8859-1
English_United-States.437: C
C.UTF-8: en_US.UTF-8
+C.utf8: en_US.UTF-8
XCOMM a3 is not an ISO 639 language code, but in Cyrillic, "Z" looks like "3".
a3: az_AZ.KOI8-C
a3_AZ: az_AZ.KOI8-C
diff -Nru libx11-1.7.0/README.md libx11-1.7.1/README.md
--- libx11-1.7.0/README.md 2020-11-20 20:08:11.000000000 +0100
+++ libx11-1.7.1/README.md 2021-05-18 16:14:20.000000000 +0200
@@ -31,6 +31,17 @@
https://www.x.org/wiki/Development/Documentation/SubmittingPatches
+## Release 1.7.1
+
+This is a bug fix release, including a security fix for
+CVE-2021-31535, nls and documentation corrections.
+
+ * Reject string longer than USHRT_MAX before sending them on the wire
+ * Fix out-of-bound access in KeySymToUcs4()
+ * nls: allow composing all breved letters also with a lowercase "u"
+ * nls: add 'C.utf8' as an alias for 'en_US.UTF-8'
+ * Nroff code fixes
+ * Comments fixes
## Release 1.7.0
diff -Nru libx11-1.7.0/src/Font.c libx11-1.7.1/src/Font.c
--- libx11-1.7.0/src/Font.c 2020-11-20 20:08:11.000000000 +0100
+++ libx11-1.7.1/src/Font.c 2021-05-18 16:14:33.000000000 +0200
@@ -102,6 +102,8 @@
XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy);
#endif
+ if (strlen(name) >= USHRT_MAX)
+ return NULL;
if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0))
return font_result;
LockDisplay(dpy);
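Review bot: The added `strlen(name)` runs before any NULL check, so a NULL `name` is now dereferenced at the top of this function. The same unguarded call is added in FontInfo.c, FontNames.c, GetColor.c, LoadFont.c, LookupCol.c, QuExt.c, StName.c and StNColor.c; in QuExt.c and StName.c the untouched lines still read `name ? ... strlen(name) : 0`, which indicates NULL was accepted there before this change. Guarding the length test keeps that behaviour, e.g. `if (name != NULL && strlen(name) >= USHRT_MAX) return NULL;`, or the `safestrlen()` form used in the SetHints.c hunks. Whether the other entry points tolerated NULL previously is not visible in these hunks and should be confirmed. The function body starts and ends outside the hunk.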
@@ -663,7 +665,7 @@
if (!name)
return 0;
l = (int) strlen(name);
- if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-')
+ if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX)
return 0;
charset = NULL;
/* next three lines stolen from _XkbGetCharset() */
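Review bot: The length is narrowed with `(int) strlen(name)` before it is compared with `USHRT_MAX`, so the bound is applied to an already-converted value; on a platform where `size_t` is wider than `int`, a very long string could convert to a small or negative `l`. Comparing in `size_t` first avoids relying on that conversion: `size_t len = strlen(name); if (len < 2 || len >= USHRT_MAX) return 0; l = (int) len;`, followed by the existing suffix tests. The same cast-then-compare order appears in the LookupCol.c and ParseCol.c hunks. The enclosing function starts and ends outside the hunk.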
diff -Nru libx11-1.7.0/src/FontInfo.c libx11-1.7.1/src/FontInfo.c
--- libx11-1.7.0/src/FontInfo.c 2020-11-20 20:08:11.000000000 +0100
+++ libx11-1.7.1/src/FontInfo.c 2021-05-18 16:14:33.000000000 +0200
@@ -58,6 +58,9 @@
register xListFontsReq *req;
int j;
+ if (strlen(pattern) >= USHRT_MAX)
+ return NULL;
+
LockDisplay(dpy);
GetReq(ListFontsWithInfo, req);
req->maxNames = maxNames;
diff -Nru libx11-1.7.0/src/FontNames.c libx11-1.7.1/src/FontNames.c
--- libx11-1.7.0/src/FontNames.c 2020-11-20 20:08:11.000000000 +0100
+++ libx11-1.7.1/src/FontNames.c 2021-05-18 16:14:33.000000000 +0200
@@ -51,6 +51,9 @@
register xListFontsReq *req;
unsigned long rlen = 0;
+ if (strlen(pattern) >= USHRT_MAX)
+ return NULL;
+
LockDisplay(dpy);
GetReq(ListFonts, req);
req->maxNames = maxNames;
diff -Nru libx11-1.7.0/src/GetColor.c libx11-1.7.1/src/GetColor.c
--- libx11-1.7.0/src/GetColor.c 2020-11-20 20:08:11.000000000 +0100
+++ libx11-1.7.1/src/GetColor.c 2021-05-18 16:14:33.000000000 +0200
@@ -27,6 +27,7 @@
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include <stdio.h>
#include "Xlibint.h"
#include "Xcmsint.h"
@@ -48,6 +49,9 @@
XcmsColor cmsColor_exact;
Status ret;
+ if (strlen(colorname) >= USHRT_MAX)
+ return (0);
+
#ifdef XCMS
/*
* Let's Attempt to use Xcms and i18n approach to Parse Color
diff -Nru libx11-1.7.0/src/LoadFont.c libx11-1.7.1/src/LoadFont.c
--- libx11-1.7.0/src/LoadFont.c 2020-11-20 20:08:11.000000000 +0100
+++ libx11-1.7.1/src/LoadFont.c 2021-05-18 16:14:34.000000000 +0200
@@ -27,6 +27,7 @@
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include "Xlibint.h"
Font
@@ -38,6 +39,9 @@
Font fid;
register xOpenFontReq *req;
+ if (strlen(name) >= USHRT_MAX)
+ return (0);
+
if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid))
return fid;
diff -Nru libx11-1.7.0/src/LookupCol.c libx11-1.7.1/src/LookupCol.c
--- libx11-1.7.0/src/LookupCol.c 2020-11-20 20:08:11.000000000 +0100
+++ libx11-1.7.1/src/LookupCol.c 2021-05-18 16:14:34.000000000 +0200
@@ -27,6 +27,7 @@
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include <stdio.h>
#include "Xlibint.h"
#include "Xcmsint.h"
@@ -46,6 +47,9 @@
XcmsCCC ccc;
XcmsColor cmsColor_exact;
+ n = (int) strlen (spec);
+ if (n >= USHRT_MAX)
+ return 0;
#ifdef XCMS
/*
* Let's Attempt to use Xcms and i18n approach to Parse Color
@@ -77,8 +81,6 @@
* Xcms and i18n methods failed, so lets pass it to the server
* for parsing.
*/
-
- n = (int) strlen (spec);
LockDisplay(dpy);
GetReq (LookupColor, req);
req->cmap = cmap;
diff -Nru libx11-1.7.0/src/ParseCol.c libx11-1.7.1/src/ParseCol.c
--- libx11-1.7.0/src/ParseCol.c 2020-11-20 20:08:11.000000000 +0100
+++ libx11-1.7.1/src/ParseCol.c 2021-05-18 16:14:34.000000000 +0200
@@ -27,6 +27,7 @@
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include <stdio.h>
#include "Xlibint.h"
#include "Xcmsint.h"
@@ -47,6 +48,8 @@
if (!spec) return(0);
n = (int) strlen (spec);
+ if (n >= USHRT_MAX)
+ return(0);
if (*spec == '#') {
/*
* RGB
diff -Nru libx11-1.7.0/src/QuExt.c libx11-1.7.1/src/QuExt.c
--- libx11-1.7.0/src/QuExt.c 2020-11-20 20:08:11.000000000 +0100
+++ libx11-1.7.1/src/QuExt.c 2021-05-18 16:14:34.000000000 +0200
@@ -27,6 +27,8 @@
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
+#include <stdbool.h>
#include "Xlibint.h"
Bool
@@ -40,6 +42,9 @@
xQueryExtensionReply rep;
register xQueryExtensionReq *req;
+ if (strlen(name) >= USHRT_MAX)
+ return false;
+
LockDisplay(dpy);
GetReq(QueryExtension, req);
req->nbytes = name ? (CARD16) strlen(name) : 0;
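Review bot: `return false;` depends on the newly included `<stdbool.h>` in a function declared to return Xlib's `Bool`; using `return False;` and dropping the `<stdbool.h>` include would keep the file consistent with the rest of Xlib. A short comment on the check, such as `/* nbytes is a CARD16 on the wire; refuse names that would be truncated */`, would record why the limit is USHRT_MAX, which the `(CARD16) strlen(name)` cast on the following line only implies. The function body continues outside the hunk.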
diff -Nru libx11-1.7.0/src/SetFPath.c libx11-1.7.1/src/SetFPath.c
--- libx11-1.7.0/src/SetFPath.c 2020-11-20 20:08:11.000000000 +0100
+++ libx11-1.7.1/src/SetFPath.c 2021-05-18 16:14:34.000000000 +0200
@@ -26,6 +26,7 @@
#ifdef HAVE_CONFIG_H
#include <config.h>
+#include <limits.h>
#endif
#include "Xlibint.h"
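Review bot: `#include <limits.h>` is added between `#include <config.h>` and `#endif`, so it is compiled only when `HAVE_CONFIG_H` is defined, unlike the other files in this diff where it follows the `#endif`. If `HAVE_CONFIG_H` is unset, `USHRT_MAX` in the new check further down depends on some other header pulling in `<limits.h>`. Moving the line below `#endif` makes the include unconditional.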
@@ -49,6 +50,11 @@
req->nFonts = ndirs;
for (i = 0; i < ndirs; i++) {
n = (int) ((size_t) n + (safestrlen (directories[i]) + 1));
+ if (n >= USHRT_MAX) {
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return 0;
+ }
}
nbytes = (n + 3) & ~3;
req->length += nbytes >> 2;
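Review bot: The early `return 0` sits after `req->nFonts = ndirs;`, so by the time the total length is found to be too large the request has presumably already been allocated in the output buffer (the `GetReq` call is outside the hunk). Returning here would leave a SetFontPath header with `nFonts` set and no path data queued for the next flush, which is worth confirming against the lines above. Summing the `safestrlen()` lengths and applying the `USHRT_MAX` test before `LockDisplay()` and `GetReq` would reject oversized input without touching the buffer, and would remove the need for the `UnlockDisplay`/`SyncHandle` pair in the error path.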
diff -Nru libx11-1.7.0/src/SetHints.c libx11-1.7.1/src/SetHints.c
--- libx11-1.7.0/src/SetHints.c 2020-11-20 20:08:11.000000000 +0100
+++ libx11-1.7.1/src/SetHints.c 2021-05-18 16:14:34.000000000 +0200
@@ -49,6 +49,7 @@
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include <X11/Xlibint.h>
#include <X11/Xutil.h>
#include "Xatomtype.h"
@@ -214,6 +215,8 @@
register char *buf, *bp;
for (i = 0, nbytes = 0; i < argc; i++) {
nbytes += safestrlen(argv[i]) + 1;
+ if (nbytes >= USHRT_MAX)
+ return 1;
}
if ((bp = buf = Xmalloc(nbytes))) {
/* copy arguments into single buffer */
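Review bot: The oversized-input paths added in this file `return 1`, while the equivalent checks added to StName.c return 0, so callers get no consistent signal that the property was not set. Whether 1 is also this function's normal return value is not visible in the hunk; if it is, the rejection is indistinguishable from success. The later hunk at `safestrlen(icon_string) >= USHRT_MAX` additionally returns after `XStoreName` has already run, leaving the name set and the icon name not. Consider returning 0 on rejection and doing all length checks before the first property write.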
@@ -256,6 +259,8 @@
if (name != NULL) XStoreName (dpy, w, name);
+ if (safestrlen(icon_string) >= USHRT_MAX)
+ return 1;
if (icon_string != NULL) {
XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
PropModeReplace,
@@ -298,6 +303,8 @@
len_nm = safestrlen(classhint->res_name);
len_cl = safestrlen(classhint->res_class);
+ if (len_nm + len_cl >= USHRT_MAX)
+ return 1;
if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) {
if (len_nm) {
strcpy(s, classhint->res_name);
diff -Nru libx11-1.7.0/src/StName.c libx11-1.7.1/src/StName.c
--- libx11-1.7.0/src/StName.c 2020-11-20 20:08:11.000000000 +0100
+++ libx11-1.7.1/src/StName.c 2021-05-18 16:14:35.000000000 +0200
@@ -27,6 +27,7 @@
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include <X11/Xlibint.h>
#include <X11/Xatom.h>
@@ -36,7 +37,9 @@
Window w,
_Xconst char *name)
{
- return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING,
+ if (strlen(name) >= USHRT_MAX)
+ return 0;
+ return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /* */
8, PropModeReplace, (_Xconst unsigned char *)name,
name ? (int) strlen(name) : 0);
}
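Review bot: The trailing `/* */` added after `XA_STRING,` is an empty comment that carries no information and looks like an editing leftover; the line can stay as `return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING,`. A one-line comment above the new check, for example `/* refuse names of USHRT_MAX bytes or more; see CVE-2021-31535 */`, would be more useful, since the function then returns 0 without changing the property.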
@@ -47,6 +50,8 @@
Window w,
_Xconst char *icon_name)
{
+ if (strlen(icon_name) >= USHRT_MAX)
+ return 0;
return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
PropModeReplace, (_Xconst unsigned char *)icon_name,
icon_name ? (int) strlen(icon_name) : 0);
diff -Nru libx11-1.7.0/src/StNColor.c libx11-1.7.1/src/StNColor.c
--- libx11-1.7.0/src/StNColor.c 2020-11-20 20:08:11.000000000 +0100
+++ libx11-1.7.1/src/StNColor.c 2021-05-18 16:14:35.000000000 +0200
@@ -27,6 +27,7 @@
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include <stdio.h>
#include "Xlibint.h"
#include "Xcmsint.h"
@@ -46,6 +47,8 @@
XcmsColor cmsColor_exact;
XColor scr_def;
+ if (strlen(name) >= USHRT_MAX)
+ return 0;
#ifdef XCMS
/*
* Let's Attempt to use Xcms approach to Parse Color
diff -Nru libx11-1.7.0/src/xlibi18n/imKStoUCS.c libx11-1.7.1/src/xlibi18n/imKStoUCS.c
--- libx11-1.7.0/src/xlibi18n/imKStoUCS.c 2020-11-20 20:08:11.000000000 +0100
+++ libx11-1.7.1/src/xlibi18n/imKStoUCS.c 2021-05-18 16:14:36.000000000 +0200
@@ -285,7 +285,7 @@
return keysym_to_unicode_3a2_3fe[keysym - 0x3a2];
else if (keysym > 0x4a0 && keysym < 0x4e0)
return keysym_to_unicode_4a1_4df[keysym - 0x4a1];
- else if (keysym > 0x589 && keysym < 0x5ff)
+ else if (keysym > 0x58f && keysym < 0x5ff)
return keysym_to_unicode_590_5fe[keysym - 0x590];
else if (keysym > 0x67f && keysym < 0x700)
return keysym_to_unicode_680_6ff[keysym - 0x680];
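Review bot: The corrected bound `keysym > 0x58f` is right for a table that starts at 0x590, but the exclusive comparisons make it easy to miss that the limits must match the table name, as the old `0x589` shows. Writing the range inclusively, `else if (keysym >= 0x590 && keysym <= 0x5fe)`, lets the condition be checked against `keysym_to_unicode_590_5fe` at a glance; the neighbouring branches could follow the same form. The if/else chain starts and ends outside the hunk.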
diff -Nru libx11-1.7.0/test-driver libx11-1.7.1/test-driver
--- libx11-1.7.0/test-driver 2020-11-20 20:08:20.000000000 +0100
+++ libx11-1.7.1/test-driver 2021-05-18 16:14:46.000000000 +0200
@@ -3,7 +3,7 @@
scriptversion=2018-03-07.03; # UTC
-# Copyright (C) 2011-2020 Free Software Foundation, Inc.
+# Copyright (C) 2011-2018 Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by