
libx11: Changes to 'debian-wheezy'



New branch 'debian-wheezy' available with the following commits:
commit ddb58942ea5b015aa796b17fd38d46166c6f61de
Author: Julien Cristau <jcristau@debian.org>
Date:   Tue May 14 00:23:04 2013 +0200

    Upload to wheezy-security

commit 488ced2265503e5bb1005cf5f37b33d89a55780c
Author: Julien Cristau <jcristau@debian.org>
Date:   Tue May 21 21:54:55 2013 +0200

    Add a couple fixups for the security patches
    
    - off-by-one in xkb
    - memory leak in an error path

commit 7a3861bcf80bf9a81fd8a6c6eb1ccd26360f430c
Author: Julien Cristau <jcristau@debian.org>
Date:   Tue May 14 01:26:25 2013 +0200

    Hide _XEatDataWords

commit 0d8ce303e30177749e7feab4b10e2087c26883dc
Author: Matthieu Herrb <matthieu.herrb@laas.fr>
Date:   Wed May 8 19:33:09 2013 +0200

    XListFontsWithInfo: Re-decrement flist[0] before calling free() on it.
    
    Freeing a pointer that wasn't returned by malloc() is undefined
    behavior and produces an error with OpenBSD's implementation.
    
    Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 18a9d04a2eb2a030b47df4c3e9718fd6988beb82
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 19 14:30:40 2013 -0700

    Give GNU & Solaris Studio compilers hints about XEatData branches
    
    Try to offset the cost of all the recent checks we've added by giving
    the compiler a hint that the branches that involve us eating data
    are less likely to be used than the ones that process it.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit e702f76a910e54fbda3fa184bf97cb47203b50b0
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Mar 31 12:22:35 2013 -0700

    _XkbReadGetMapReply: reject maxKeyCodes smaller than the minKeyCode
    
    Various other bounds checks in the code assume this is true, so
    enforce it when we first get the data from the X server.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 3d2e00eba77dc64e63a60c260277d982689d9a06
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 16 10:03:13 2013 -0700

    Use calloc in XOpenDisplay to initialize structs containing pointers
    
    Prevents trying to free uninitialized pointers if we have to bail out
    partway through setup, such as if we receive a corrupted or incomplete
    connection setup block from the server.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit aa1e8b254be75b14e56b43e4d22b9e2e6abb633a
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Thu Mar 7 23:46:05 2013 -0800

    Remove more unnecessary casts from Xmalloc/calloc calls
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit af72c6416ae858437e43ea18f2ec11ffac4e6cbd
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 2 16:56:16 2013 -0800

    Convert more _XEatData callers to _XEatDataWords
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit c698b8941cdaf143d7b653943db871d70869b820
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 11:04:37 2013 -0800

    Make XGetWindowProperty() always initialize returned values
    
    Avoids memory corruption and other errors when callers access them
    without checking to see if XGetWindowProperty() returned an error value.
    
    Callers are still required to check for errors, this just reduces the
    damage when they don't.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit a3a750033f034b853e0a9412fabbfedefe4af4a1
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 2 15:08:21 2013 -0800

    Avoid overflows in XListExtensions() [CVE-2013-1997 15/15]
    
    Ensure that when breaking the returned list into individual strings,
    we don't walk past the end of allocated memory to write the '\0' bytes
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 7dc4f297f6c05b546e6bd20e57fdceac75caac07
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 2 15:08:21 2013 -0800

    Avoid overflows in XGetFontPath() [CVE-2013-1997 14/15]
    
    Ensure that when breaking the returned list into individual strings,
    we don't walk past the end of allocated memory to write the '\0' bytes
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 3552cb6e716e2b61bde65f60e3f193246a7d07c9
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 2 15:08:21 2013 -0800

    Avoid overflows in XListFonts() [CVE-2013-1997 13/15]
    
    Ensure that when breaking the returned list into individual strings,
    we don't walk past the end of allocated memory to write the '\0' bytes
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 068510d10e92de5c1399ff57bb99dd52b63d30b7
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 2 15:08:21 2013 -0800

    integer overflow in XGetModifierMapping() [CVE-2013-1981 13/13]
    
    Ensure that we don't underallocate when the server claims a very large reply
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 0965dd7c2249af6af0d832eb2752152410303b72
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 2 15:08:21 2013 -0800

    integer overflow in XGetPointerMapping() & XGetKeyboardMapping() [CVE-2013-1981 12/13]
    
    Ensure that we don't underallocate when the server claims a very large reply
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit ced8a003a99a04acbf63729784974bffc791129b
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 2 15:08:21 2013 -0800

    integer overflow in XGetImage() [CVE-2013-1981 11/13]
    
    Ensure that we don't underallocate when the server claims to have sent a
    very large reply.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 5634ab8319a1e35fa9e439fbb277edd367ff450d
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Mar 8 22:25:35 2013 -0800

    integer overflow in XGetWindowProperty() [CVE-2013-1981 10/13]
    
    If the reported number of properties is too large, the calculations
    to allocate memory for them may overflow, leaving us returning less
    memory to the caller than implied by the value written to *nitems.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit dcb96d7fccd99f30f5961848992e12979d99a142
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 2 13:18:48 2013 -0800

    integer overflows in TransFileName() [CVE-2013-1981 9/13]
    
    When trying to process file paths the tokens %H, %L, & %S are expanded
    to $HOME, the standard compose file path & the xlocaledir path.
    If enough of these tokens are repeated and values like $HOME are set to
    very large values, the calculation of the total string size required to
    hold the expanded path can overflow, resulting in allocating a smaller
    string than the amount of data we'll write to it.
    
    Simply restrict all of these values, and the total path size to PATH_MAX,
    because really, that's all you should need for a filename path.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 7338fc062e60fcfd5aed052a59449cbf1aa7a2c3
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Mar 1 18:37:37 2013 -0800

    integer truncation in _XimParseStringFile() [CVE-2013-1981 8/13]
    
    Called from _XimCreateDefaultTree() which uses getenv("XCOMPOSEFILE")
    to specify filename.
    
    If the size of off_t is larger than the size of unsigned long (as in
    32-bit builds with large file flags), a file larger than 4 gigs could
    have its size truncated, leading to data from that file being written
    past the end of the undersized buffer allocated for it.
    
    While configure.ac does not use AC_SYS_LARGEFILE to set large file mode,
    builders may have added the large file compilation flags to CFLAGS on
    their own.
    
    size is left limited to an int, because if your Xim file is
    larger than 2gb, you're doing it wrong.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 60e2dbe409f0bb914177c8f9c422a0fce14f36e5
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 2 12:39:58 2013 -0800

    Unbounded recursion in _XimParseStringFile() when parsing include files [CVE-2013-2004 2/2]
    
    parseline() can call _XimParseStringFile() which can call parseline()
    which can call _XimParseStringFile() which can call parseline() ....
    eventually causing recursive stack overflow and crash.
    
    Limit is set to an include depth of 100 files, which should be enough
    for all known use cases, but could be adjusted later if necessary.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit d0606aef8edf4868dbdee72d4e3b2bc905533a5a
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 2 12:01:39 2013 -0800

    Unbounded recursion in GetDatabase() when parsing include files [CVE-2013-2004 1/2]
    
    GetIncludeFile() can call GetDatabase() which can call GetIncludeFile()
    which can call GetDatabase() which can call GetIncludeFile() ....
    eventually causing recursive stack overflow and crash.
    
    Easily reproduced with a resource file that #includes itself.
    
    Limit is set to an include depth of 100 files, which should be enough
    for all known use cases, but could be adjusted later if necessary.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit a0ad25f4bed7966dce821bb70923d4722f56f4e6
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Mar 1 18:37:37 2013 -0800

    integer overflow in ReadInFile() in Xrm.c [CVE-2013-1981 7/13]
    
    Called from XrmGetFileDatabase() which gets called from InitDefaults()
    which gets the filename from getenv ("XENVIRONMENT")
    
    If file is exactly 0xffffffff bytes long (or longer and truncates to
    0xffffffff, on implementations where off_t is larger than an int),
    then size may be set to a value which overflows causing less memory
    to be allocated than is written to by the following read() call.
    
    size is left limited to an int, because if your Xresources file is
    larger than 2gb, you're very definitely doing it wrong.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit e0086f1c7dee6be595609566d713f014e2e10433
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 2 11:44:19 2013 -0800

    Integer overflows in stringSectionSize() cause buffer overflow in ReadColornameDB() [CVE-2013-1981 6/13]
    
    LoadColornameDB() calls stringSectionSize() to do a first pass over the
    file (which may be provided by the user via XCMSDB environment variable)
    to determine how much memory needs to be allocated to read in the file,
    then allocates the returned sizes and calls ReadColornameDB() to load the
    data from the file into that newly allocated memory.
    
    If stringSectionSize() overflows the signed ints used to calculate the
    file size (say if you have an xcmsdb with ~4 billion lines in or a
    combined string length of ~4 gig - which while it may have been
    inconceivable when Xlib was written, is quite possible today), then
    LoadColornameDB() may allocate a memory buffer much smaller than the
    amount of data ReadColornameDB() will write to it.
    
    The total size is left limited to an int, because if your xcmsdb file
    is larger than 2gb, you're doing it wrong.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 7b31bc11f73e419472fc78040a2f1d7d9f5ec157
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 2 11:25:25 2013 -0800

    unvalidated length in _XimXGetReadData() [CVE-2013-1997 12/15]
    
    Check the provided buffer size against the amount of data we're going to
    write into it, not against the reported length from the ClientMessage.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit ae39f21bbf4265589a1b9a5d370429be684e9185
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 2 11:11:08 2013 -0800

    unvalidated index/length in _XkbReadGetNamesReply() [CVE-2013-1997 11/15]
    
    If the X server returns key name indexes outside the range of the number
    of keys it told us to allocate, out of bounds memory writes could occur.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit a8d012797821ca3d43f97fcd8a2154f48c338a8e
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 2 11:01:04 2013 -0800

    unvalidated index in _XkbReadVirtualModMap() [CVE-2013-1997 10/15]
    
    If the X server returns modifier map indexes outside the range of the number
    of keys it told us to allocate, out of bounds memory writes could occur.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 38aa4c19f980cf8db8c387f92e76298879746639
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 2 11:04:44 2013 -0800

    unvalidated index in _XkbReadExplicitComponents() [CVE-2013-1997 9/15]
    
    If the X server returns key indexes outside the range of the number of
    keys it told us to allocate, out of bounds memory writes could occur.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 0b89e62480d94a519f65cea955488a07b7dce46b
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 2 10:51:51 2013 -0800

    unvalidated index in _XkbReadModifierMap() [CVE-2013-1997 8/15]
    
    If the X server returns modifier map indexes outside the range of the number
    of keys it told us to allocate, out of bounds memory writes could occur.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 72a451c2d9a74b4879ebb2932365f334cd14982a
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 2 10:39:21 2013 -0800

    unvalidated index in _XkbReadKeyBehaviors() [CVE-2013-1997 7/15]
    
    If the X server returns key behavior indexes outside the range of the number
    of keys it told us to allocate, out of bounds memory writes could occur.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 164279a0323e63866aa40f23ab5ec3807d45e4b6
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 2 09:40:22 2013 -0800

    unvalidated index in _XkbReadKeyActions() [CVE-2013-1997 6/15]
    
    If the X server returns key action indexes outside the range of the number
    of keys it told us to allocate, out of bounds memory access could occur.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit b3ece385eded18ea3f58552535fb4782c4509a25
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 2 09:28:33 2013 -0800

    unvalidated index in _XkbReadKeySyms() [CVE-2013-1997 5/15]
    
    If the X server returns keymap indexes outside the range of the number of
    keys it told us to allocate, out of bounds memory access could occur.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit cac2c3f69cf3c1d64f2ddce856154369e70df07e
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 2 09:18:26 2013 -0800

    unvalidated indexes in _XkbReadGetGeometryReply() [CVE-2013-1997 4/15]
    
    If the X server returns color indexes outside the range of the number of
    colors it told us to allocate, out of bounds memory access could occur.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 51c7587b2e9a8185a6bac11d31f0a81859d25344
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 2 09:12:47 2013 -0800

    unvalidated indexes in _XkbReadGeomShapes() [CVE-2013-1997 3/15]
    
    If the X server returns shape indexes outside the range of the number
    of shapes it told us to allocate, out of bounds memory access could occur.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit e776366423bf1a23bae5a3dc8f349fa10b869c7d
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Mar 1 22:49:01 2013 -0800

    unvalidated index in _XkbReadGetDeviceInfoReply() [CVE-2013-1997 2/15]
    
    If the X server returns more buttons than are allocated in the XKB
    device info structures, out of bounds writes could occur.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 26b92ca6e5874106ad8778e53cd53bf9cb7a7937
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Mar 1 19:30:09 2013 -0800

    unvalidated lengths in XAllocColorCells() [CVE-2013-1997 1/15]
    
    If a broken server returned larger than requested values for nPixels or
    nMasks, XAllocColorCells would happily overflow the buffers provided by
    the caller to write the results into.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 841dfce5362db1aa6bcbdbad068a77c0d46078ad
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Mar 1 22:49:01 2013 -0800

    integer overflow in XListHosts() [CVE-2013-1981 5/13]
    
    If the reported number of host entries is too large, the calculations
    to allocate memory for them may overflow, leaving us writing beyond the
    bounds of the allocation.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 6e7181fd692ee45418e16a2ed612e8ed7a88b6b7
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Mar 1 22:49:01 2013 -0800

    integer overflow in XGetMotionEvents() [CVE-2013-1981 4/13]
    
    If the reported number of motion events is too large, the calculations
    to allocate memory for them may overflow, leaving us writing beyond the
    bounds of the allocation.
    
    v2: Ensure nEvents is set to 0 when returning NULL events pointer
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit f56f731fc63976a6364970a9f75fec022a12bb05
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Mar 1 22:49:01 2013 -0800

    integer overflow in XListFontsWithInfo() [CVE-2013-1981 3/13]
    
    If the reported number of remaining fonts is too large, the calculations
    to allocate memory for them may overflow, leaving us writing beyond the
    bounds of the allocation.
    
    v2: Fix reply_left calculations, check calculated sizes fit in reply_left
    v3: On error cases, also set values to be returned in pointer args to 0/NULL
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 98247595cb024512ca86be37a8abea8ee7c041c3
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Mar 1 21:05:27 2013 -0800

    integer overflow in _XF86BigfontQueryFont() [CVE-2013-1981 2/13]
    
    Similar to _XQueryFont, but with more ways to go wrong and overflow.
    Only compiled if libX11 is built with XF86BigFont support.
    
    v2: Fix reply_left calculations, check calculated sizes fit in reply_left
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 34fc836c95d8b83a7f2b2f80f0dd20dc4196c090
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Mar 1 21:05:27 2013 -0800

    integer overflow in _XQueryFont() on 32-bit platforms [CVE-2013-1981 1/13]
    
    If the CARD32 reply.nCharInfos * sizeof(XCharStruct) overflows an
    unsigned long, then too small of a buffer will be allocated for the
    data copied in from the reply.
    
    v2: Fix reply_left calculations, check calculated sizes fit in reply_left
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 851a918be91788d9cd6af1ac492afd90354d1945
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Mar 1 20:54:24 2013 -0800

    Add _XEatDataWords to discard a given number of 32-bit words of reply data
    
    Matches the units of the length field in X protocol replies, and provides
    a single implementation of overflow checking to avoid having to replicate
    those checks in every caller.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit a932d5948389635dc95861396988316c6a4ad872
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 2 13:03:55 2013 -0800

    Move repeated #ifdef magic to find PATH_MAX into a common header
    
    Let's stop duplicating the mess all over
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 38f95412f55ecd70ab68726c15bb2a6358be86be
Author: Nickolai Zeldovich <nickolai@csail.mit.edu>
Date:   Tue Jan 22 10:03:00 2013 -0500

    XListFontsWithInfo: avoid accessing realloc'ed memory
    
    If exactly one of the two reallocs in XListFontsWithInfo() fails, the
    subsequent code accesses memory freed by the other realloc.
    
    Signed-off-by: Nickolai Zeldovich <nickolai@csail.mit.edu>
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit deedeada53676ee529d700bf96fde0b29a3a1def)
    
    Signed-off-by: Julien Cristau <jcristau@debian.org>
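
The CVE-2013-1981 commit messages above describe one recurring pattern: a server-supplied count multiplied by a record size wraps around, the buffer is under-allocated, and the fixes add overflow checks, confirm the computed size fits in `reply_left`, and zero the output arguments on error. The following C sketch of that pattern is an added example, not code from libX11 or from these commits; `struct reply`, `RECORD_SIZE` and all function names are hypothetical, and the reply values are constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RECORD_SIZE 12u  /* constructed record size, not Xlib's XCharStruct */

/* Constructed reply header: length is in 4-byte words, as in X replies. */
struct reply {
    uint32_t length_words;      /* payload length claimed by the server */
    uint32_t count;             /* number of records claimed by the server */
    const unsigned char *data;  /* payload bytes */
};

/* Unchecked size, computed in 32 bits as on an ILP32 build: wraps silently. */
static uint32_t unchecked_alloc_size(uint32_t count)
{
    return count * RECORD_SIZE;
}

/* Checked size: returns 0 and sets *bytes_out on success, -1 if the count
 * would wrap 32-bit arithmetic or claims more data than the reply carries. */
static int checked_alloc_size(uint32_t count, uint32_t length_words,
                              uint32_t *bytes_out)
{
    uint32_t reply_left;

    *bytes_out = 0;
    if (length_words >= (uint32_t)(INT_MAX >> 2))  /* byte length must fit an int */
        return -1;
    reply_left = length_words << 2;
    if (count > UINT32_MAX / RECORD_SIZE)          /* multiplication would wrap */
        return -1;
    if (count * RECORD_SIZE > reply_left)          /* more records than bytes sent */
        return -1;
    *bytes_out = count * RECORD_SIZE;
    return 0;
}

/* Copies the records out of a reply. Outputs are cleared first, so a caller
 * that ignores the error return still sees NULL and 0 items. */
static int read_records(const struct reply *rep, unsigned char **out,
                        uint32_t *nitems)
{
    uint32_t nbytes;

    *out = NULL;
    *nitems = 0;
    if (checked_alloc_size(rep->count, rep->length_words, &nbytes) != 0)
        return -1;  /* a real client would also discard the unread reply data */
    if (nbytes == 0)
        return 0;
    if ((*out = malloc(nbytes)) == NULL)
        return -1;
    memcpy(*out, rep->data, nbytes);
    *nitems = rep->count;
    return 0;
}

/* Runs read_records() on a constructed reply; returns items accepted or -1. */
static long demo(uint32_t count, uint32_t length_words)
{
    unsigned char wire[64] = {0};  /* constructed payload, 16 words at most */
    struct reply rep = { length_words, count, wire };
    unsigned char *buf;
    uint32_t n;

    if (length_words > sizeof(wire) / 4 || read_records(&rep, &buf, &n) != 0)
        return -1;
    free(buf);
    return (long)n;
}

int main(void)
{
    /* 0x15555556 * 12 = 2^32 + 8, so the unchecked size wraps to 8 bytes. */
    printf("unchecked size: %u\n", (unsigned)unchecked_alloc_size(0x15555556u));
    printf("honest reply:   %ld\n", demo(2, 6));
    printf("hostile reply:  %ld\n", demo(0x15555556u, 2));
    return 0;
}
```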

