
libxaw: Changes to 'upstream-unstable'



 configure.ac     |    2 +-
 src/Text.c       |    2 +-
 src/TextAction.c |    9 +++++----
 3 files changed, 7 insertions(+), 6 deletions(-)

New commits:
commit ffaad7ee2ef6e06b4585567df04f6b64356fb6fe
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Jun 1 20:31:30 2012 -0700

    libXaw 1.0.11
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/configure.ac b/configure.ac
index 2423263..3ed625e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,7 +1,7 @@
 
 # Initialize Autoconf
 AC_PREREQ([2.60])
-AC_INIT([libXaw], [1.0.10],
+AC_INIT([libXaw], [1.0.11],
         [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXaw])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS([config.h])

commit 52081b462ff7d1844d014bf9be887197caa88160
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat May 26 15:07:07 2012 -0700

    Only call XawStackFree if XawStackAlloc was used for allocation
    
    In FormParagraph() in TextAction.c, the #if OLDXAW case always uses
    fixed length buffers, while the !OLDXAW case uses XawStackAlloc &
    XawStackFree to switch to dynamic allocations when the buffers aren't
    large enough.
    
    A couple instances of XawStackFree slipped into the wrong side of
    the #if checks though, so move them back where they belong.   Also
    reset pos afterwards, in the case we continue and may use it again,
    to avoid the chance of a double free.
    
    Found by the Parfait 0.5.0.1 bug checking tool:
    
    Error: Free memory not allocated dynamically by alloc (CWE 590)
       Free() was called on a pointer 'buf' to the auto variable 'buf'. Free() must only be used on dynamically allocated memory
            at line 3946 of TextAction.c in function 'FormParagraph'.
              'buf' allocated at line 0 as auto variable.
            at line 4000 of TextAction.c in function 'FormParagraph'.
              'buf' allocated at line 0 as auto variable.
    Error: Use after free (CWE 416)
       Use after free of pointer '&buf'
            at line 3995 of TextAction.c in function 'FormParagraph'.
              Previously freed at line 3946 with XtFree.
    Error: Use after free
       Double free (CWE 415): Double free of pointer '&buf' in call to XtFree
            at line 4000 of TextAction.c in function 'FormParagraph'.
              Previously freed at line 3946 with XtFree.
       Double free (CWE 415): Double free of pointer '<unknown>' in call to XtFree
            at line 4000 of TextAction.c in function 'FormParagraph'.
              Previously freed at line 3946 with XtFree.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Acked-by: pcpa <paulo.cesar.pereira.de.andrade@gmail.com>

diff --git a/src/TextAction.c b/src/TextAction.c
index fe7e573..7b87ce4 100644
--- a/src/TextAction.c
+++ b/src/TextAction.c
@@ -3935,6 +3935,8 @@ FormParagraph(Widget w, XEvent *event, String *params, Cardinal *num_params)
     }
 
     if (FormRegion(ctx, from, to, pos, src->textSrc.num_text) == XawReplaceError) {
+	XawStackFree(pos, buf);
+	pos = buf;
 #else
     from =  SrcScan(ctx->text.source, ctx->text.insertPos,
 		    XawstParagraph, XawsdLeft, 1, False);
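Review bot: Resetting `pos = buf` in the `FormRegion` error branch stops the later `XawStackFree(pos, buf)` from freeing twice, but it leaves `pos` aimed at the fixed-size stack buffer, which presumably was never filled when the positions were heap-allocated. If any code after this branch still reads `pos[i]` for up to `src->textSrc.num_text` entries on the error path (not visible in this hunk), it would read uninitialized or out-of-range stack memory, so it is worth confirming that path is skipped on error. A comment would record the intent, e.g. `/* pos released; alias buf so the final XawStackFree(pos, buf) is a no-op */`. FormParagraph starts and ends outside the hunk.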
@@ -3943,7 +3945,6 @@ FormParagraph(Widget w, XEvent *event, String *params, Cardinal *num_params)
 
     if (FormRegion(ctx, from, to, pos, 1) == XawReplaceError) {
 #endif
-	XawStackFree(pos, buf);
 	XBell(XtDisplay(w), 0);
 #ifndef OLDXAW
 	if (undo) {
@@ -3991,13 +3992,13 @@ FormParagraph(Widget w, XEvent *event, String *params, Cardinal *num_params)
 			       XawsdLeft, 1, False), False);
 	tw->text.clear_to_eol = True;
     }
+    XawStackFree(pos, buf);
 #else
     ctx->text.old_insert = ctx->text.insertPos = *pos;
     _XawTextBuildLineTable(ctx, SrcScan(ctx->text.source, ctx->text.lt.top,
 			   XawstEOL, XawsdLeft, 1, False), False);
     ctx->text.clear_to_eol = True;
 #endif
-    XawStackFree(pos, buf);
     ctx->text.showposition = True;
 
     EndAction(ctx);

commit ca35cff72a3100c9367b7e7f4811117c8733b8be
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat May 26 14:44:26 2012 -0700

    Correct order of arguments to XawStackFree()
    
    XawStackAlloc() & XawStackFree() are macros to automate the process of
    using a fixed size stack buffer for strings smaller than the buffer size,
    and allocating/freeing memory for larger strings.
    
    XawStackFree is defined in src/Private.h as taking (pointer, stk_buffer)
    and freeing pointer if it's not pointing to the stack buffer.
    
    Most of the calls of this macro get the ordering right, but a couple
    got it reversed, passing a stack buffer to free() instead of the
    allocated pointer.
    
    Found by the Parfait 0.5.0.1 bug checking tool:
    
    Error: Free memory not allocated dynamically by alloc (CWE 590)
       Free() was called on a pointer 'buf' to the auto variable 'buf'. Free() must only be used on dynamically allocated memory
            at line 2281 of TextAction.c in function 'DoFormatText'.
              'buf' allocated at line 0 as auto variable.
            at line 2296 of TextAction.c in function 'DoFormatText'.
              'buf' allocated at line 0 as auto variable.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Acked-by: pcpa <paulo.cesar.pereira.de.andrade@gmail.com>

diff --git a/src/TextAction.c b/src/TextAction.c
index 6705316..fe7e573 100644
--- a/src/TextAction.c
+++ b/src/TextAction.c
@@ -2278,7 +2278,7 @@ DoFormatText(TextWidget ctx, XawTextPosition left, Bool force, int level,
 			    text.length = bytes;
 			bytes -= text.length;
 			if (_XawTextReplace(ctx, tmp, tmp, &text)) {
-			    XawStackFree(buf, text.ptr);
+			    XawStackFree(text.ptr, buf);
 			    return (XawEditError);
 			}
 			if (num_pos) {
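Review bot: The corrected `XawStackFree(text.ptr, buf)` here, and the same call in the next hunk, still depend on the caller remembering the macro's argument order, and because both arguments are pointers the reversed form compiles without any diagnostic. Per the commit message the macro frees its first argument when it is not the stack buffer, so a reversed call hands the stack array to the free routine and leaks the heap block whenever the dynamic path was taken. A short comment at the macro definition or at these call sites, such as `/* XawStackFree(pointer, stk_buffer): allocated pointer first */`, would make the contract visible, and the remaining callers deserve the same check. DoFormatText's body continues outside the hunk.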
@@ -2293,7 +2293,7 @@ DoFormatText(TextWidget ctx, XawTextPosition left, Bool force, int level,
 		    }
 		    position += count;
 		    right += count;
-		    XawStackFree(buf, text.ptr);
+		    XawStackFree(text.ptr, buf);
 		}
 		break;
 	}

commit 11c3a104141e1a4946ad949dfb5514df0b66a031
Author: pcpa <paulo.cesar.pereira.de.andrade@gmail.com>
Date:   Tue May 22 20:42:32 2012 -0300

    Correct undefined behavior access to out of scope pointer contents.
    
      This problem is triggered in gcc 4.7 DCE (dead code elimination).
    In the Xaw code, the local constant "String" is not guaranteed to
    have global scope.
      The problem was found when debugging the reason xedit built with
    gcc 4.7 would be very unstable, and that happens regardless of using
    a libXaw built with gcc 4.6.
    
    Signed-off-by: pcpa <paulo.cesar.pereira.de.andrade@gmail.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/Text.c b/src/Text.c
index 72387e9..a1ae74a 100644
--- a/src/Text.c
+++ b/src/Text.c
@@ -3146,7 +3146,7 @@ _XawTextSetSelection(TextWidget ctx, XawTextPosition l, XawTextPosition r,
     if (nelems == 1 && !strcmp (list[0], "none"))
 	return;
     if (nelems == 0) {
-	String defaultSel = "PRIMARY";
+	static String defaultSel = "PRIMARY";
 	list = &defaultSel;
 	nelems = 1;
     }
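Review bot: The `static` on `defaultSel` is the only thing keeping `list = &defaultSel` valid once the `if (nelems == 0)` block closes, yet nothing on the line says so, and it reads like a qualifier a later cleanup could drop. Suggest a comment there, e.g. `/* static: list keeps pointing here after this block ends */`. The object is now a single writable pointer shared by every call, so the rest of the function should treat `list[0]` as read-only; the later uses of `list` are outside this hunk and worth a quick check.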

