libxfixes: Changes to 'upstream-unstable'
Makefile.am | 6 +++---
autogen.sh | 4 +++-
configure.ac | 10 ++++++++--
include/X11/extensions/Xfixes.h | 6 +++---
man/Xfixes.man | 6 +++---
src/Cursor.c | 34 ++++++++++++++++++++--------------
src/Makefile.am | 7 +++----
src/Region.c | 12 ++++++------
src/SaveSet.c | 2 +-
src/Selection.c | 2 +-
src/Xfixes.c | 26 +++++++++++++-------------
src/Xfixesint.h | 16 ++++++++++++++--
12 files changed, 78 insertions(+), 53 deletions(-)
New commits:
commit 0cb446962381f750e05d97bfb974ca1e32481d5d
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Tue May 28 21:11:10 2013 -0700
libXfixes 5.0.1
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/configure.ac b/configure.ac
index bb8e976..f85bd72 100644
--- a/configure.ac
+++ b/configure.ac
@@ -32,7 +32,7 @@ AC_PREREQ([2.60])
# that 'revision' number appears in Xfixes.h and has to be manually
# synchronized.
#
-AC_INIT(libXfixes, [5.0],
+AC_INIT(libXfixes, [5.0.1],
[https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXfixes])
AC_CONFIG_SRCDIR([Makefile.am])
AC_CONFIG_HEADERS([config.h])
commit c480fe3271873ec7471b0cbd680f4dac18ca8904
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 10:24:08 2013 -0700
integer overflow in XFixesGetCursorImage() [CVE-2013-1983]
If the reported cursor dimensions or name length are too large, the
calculations to allocate memory for them may overflow, leaving us
writing beyond the bounds of the allocation.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/Cursor.c b/src/Cursor.c
index 641b747..33590b7 100644
--- a/src/Cursor.c
+++ b/src/Cursor.c
@@ -47,6 +47,7 @@
#include <config.h>
#endif
#include "Xfixesint.h"
+#include <limits.h>
void
XFixesSelectCursorInput (Display *dpy,
@@ -74,9 +75,9 @@ XFixesGetCursorImage (Display *dpy)
XFixesExtDisplayInfo *info = XFixesFindDisplay (dpy);
xXFixesGetCursorImageAndNameReq *req;
xXFixesGetCursorImageAndNameReply rep;
- int npixels;
- int nbytes_name;
- int nbytes, nread, rlength;
+ size_t npixels;
+ size_t nbytes_name;
+ size_t nbytes, nread, rlength;
XFixesCursorImage *image;
char *name;
@@ -101,16 +102,21 @@ XFixesGetCursorImage (Display *dpy)
}
npixels = rep.width * rep.height;
nbytes_name = rep.nbytes;
- /* reply data length */
- nbytes = (long) rep.length << 2;
- /* bytes of actual data in the reply */
- nread = (npixels << 2) + nbytes_name;
- /* size of data returned to application */
- rlength = (sizeof (XFixesCursorImage) +
- npixels * sizeof (unsigned long) +
- nbytes_name + 1);
+ if ((rep.length < (INT_MAX >> 2)) &&
+ npixels < (((INT_MAX >> 3) - sizeof (XFixesCursorImage) - 1)
+ - nbytes_name)) {
+ /* reply data length */
+ nbytes = (size_t) rep.length << 2;
+ /* bytes of actual data in the reply */
+ nread = (npixels << 2) + nbytes_name;
+ /* size of data returned to application */
+ rlength = (sizeof (XFixesCursorImage) +
+ npixels * sizeof (unsigned long) +
+ nbytes_name + 1);
- image = (XFixesCursorImage *) Xmalloc (rlength);
+ image = Xmalloc (rlength);
+ } else
+ image = NULL;
if (!image)
{
_XEatDataWords(dpy, rep.length);
commit b031e3b60fa1af9e49449f23d4a84395868be3ab
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 10:20:59 2013 -0700
Use _XEatDataWords to avoid overflow of _XEatData calculations
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/configure.ac b/configure.ac
index b942ffa..bb8e976 100644
--- a/configure.ac
+++ b/configure.ac
@@ -57,6 +57,13 @@ AC_SUBST(FIXESEXT_VERSION)
# Obtain compiler/linker options for depedencies
PKG_CHECK_MODULES(FIXESEXT, xproto [fixesproto >= $FIXESEXT_VERSION] xextproto x11)
+# Check for _XEatDataWords function that may be patched into older Xlib releases
+SAVE_LIBS="$LIBS"
+LIBS="$FIXESEXT_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
+
AC_CONFIG_FILES([Makefile
src/Makefile
man/Makefile
diff --git a/src/Cursor.c b/src/Cursor.c
index b3dfed1..641b747 100644
--- a/src/Cursor.c
+++ b/src/Cursor.c
@@ -113,7 +113,7 @@ XFixesGetCursorImage (Display *dpy)
image = (XFixesCursorImage *) Xmalloc (rlength);
if (!image)
{
- _XEatData (dpy, nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
@@ -191,7 +191,7 @@ XFixesGetCursorName (Display *dpy, Cursor cursor, Atom *atom)
_XReadPad(dpy, name, (long)rep.nbytes);
name[rep.nbytes] = '\0';
} else {
- _XEatData(dpy, (unsigned long) (rep.nbytes + 3) & ~3);
+ _XEatDataWords(dpy, rep.length);
name = (char *) NULL;
}
UnlockDisplay(dpy);
diff --git a/src/Region.c b/src/Region.c
index 042f966..cb0cf6e 100644
--- a/src/Region.c
+++ b/src/Region.c
@@ -338,7 +338,7 @@ XFixesFetchRegionAndBounds (Display *dpy,
rects = Xmalloc (nrects * sizeof (XRectangle));
if (!rects)
{
- _XEatData (dpy, nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
diff --git a/src/Xfixesint.h b/src/Xfixesint.h
index 8a4d5fd..7bf5bfd 100644
--- a/src/Xfixesint.h
+++ b/src/Xfixesint.h
@@ -60,4 +60,18 @@ XFixesFindDisplay (Display *dpy);
#define XFixesSimpleCheckExtension(dpy,i) \
if (!XFixesHasExtension(i)) { return; }
+#ifndef HAVE__XEATDATAWORDS
+#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */
+#include <limits.h>
+
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif
+
#endif /* _XFIXESINT_H_ */
commit f870dfb47da9d43d1750ea5e5fc9288c4158f7ad
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Mar 9 09:26:05 2013 -0800
XFixesFetchRegionAndBounds: use nread in call to XReadPad
We already went through the trouble of calculating a variable with the
amount to read, might as well use it instead of recalculating it.
Also move initialization of the variable to the point it's needed/used
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
diff --git a/src/Region.c b/src/Region.c
index 94c5403..042f966 100644
--- a/src/Region.c
+++ b/src/Region.c
@@ -335,7 +335,6 @@ XFixesFetchRegionAndBounds (Display *dpy,
bounds->height = rep.height;
nbytes = (long) rep.length << 2;
nrects = rep.length >> 1;
- nread = nrects << 3;
rects = Xmalloc (nrects * sizeof (XRectangle));
if (!rects)
{
@@ -344,7 +343,8 @@ XFixesFetchRegionAndBounds (Display *dpy,
SyncHandle ();
return NULL;
}
- _XRead16 (dpy, (short *) rects, nrects << 3);
+ nread = nrects << 3;
+ _XRead16 (dpy, (short *) rects, nread);
/* skip any padding */
if(nbytes > nread)
{
commit ad2a06d4d3c60198bc40116623153f71a208a240
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Mar 9 09:18:14 2013 -0800
Remove duplicate declaration of XFixesExtensionName in Xfixesint.h
Silences gcc warnings:
In file included from Region.c:26:0:
Xfixesint.h:52:13: warning: redundant redeclaration of 'XFixesExtensionName' [-Wredundant-decls]
Xfixesint.h:34:13: note: previous declaration of 'XFixesExtensionName' was here
In file included from Cursor.c:49:0:
Xfixesint.h:52:13: warning: redundant redeclaration of 'XFixesExtensionName' [-Wredundant-decls]
Xfixesint.h:34:13: note: previous declaration of 'XFixesExtensionName' was here
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
diff --git a/src/Xfixesint.h b/src/Xfixesint.h
index 2ee17bc..8a4d5fd 100644
--- a/src/Xfixesint.h
+++ b/src/Xfixesint.h
@@ -31,8 +31,6 @@
#include "Xfixes.h"
#include <X11/extensions/xfixesproto.h>
-extern char XFixesExtensionName[];
-
typedef struct _XFixesExtDisplayInfo {
struct _XFixesExtDisplayInfo *next; /* keep a linked list */
Display *display; /* which display this is */
commit 73a0fbb479f5b7806a3dd0741be55c9abda76220
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri Jan 18 23:10:01 2013 -0800
Replace deprecated Automake INCLUDES variable with AM_CPPFLAGS
Excerpt https://lists.gnu.org/archive/html/automake/2012-12/msg00038.html
- Support for the long-deprecated INCLUDES variable will be removed
altogether in Automake 1.14. The AM_CPPFLAGS variable should be
used instead.
This variable was deprecated in Automake releases prior to 1.10, which is
the current minimum level required to build X.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/Makefile.am b/src/Makefile.am
index 672e08a..4e3f542 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -8,11 +8,10 @@ libXfixes_la_SOURCES = \
Xfixes.c \
Xfixesint.h
-libXfixes_la_LIBADD = @FIXESEXT_LIBS@
AM_CFLAGS = $(CWARNFLAGS) @FIXESEXT_CFLAGS@
+AM_CPPFLAGS = -I$(top_srcdir)/include/X11/extensions
-INCLUDES = -I$(top_srcdir)/include/X11/extensions
-
+libXfixes_la_LIBADD = @FIXESEXT_LIBS@
libXfixes_la_LDFLAGS = -version-number 3:1:0 -no-undefined
libXfixesincludedir = $(includedir)/X11/extensions
commit d6931eda2fe86566823437507b5d818458cfd002
Author: Colin Walters <walters@verbum.org>
Date: Wed Jan 4 17:37:06 2012 -0500
autogen.sh: Implement GNOME Build API
http://people.gnome.org/~walters/docs/build-api.txt
Signed-off-by: Adam Jackson <ajax@redhat.com>
diff --git a/autogen.sh b/autogen.sh
index 904cd67..fc34bd5 100755
--- a/autogen.sh
+++ b/autogen.sh
@@ -9,4 +9,6 @@ cd $srcdir
autoreconf -v --install || exit 1
cd $ORIGDIR || exit $?
-$srcdir/configure --enable-maintainer-mode "$@"
+if test -z "$NOCONFIGURE"; then
+ $srcdir/configure "$@"
+fi
commit 945803cdf3442f60ea25763a84b940e11653a205
Author: Adam Jackson <ajax@redhat.com>
Date: Tue Jan 15 14:28:48 2013 -0500
configure: Remove AM_MAINTAINER_MODE
Signed-off-by: Adam Jackson <ajax@redhat.com>
diff --git a/configure.ac b/configure.ac
index fc8c1e1..b942ffa 100644
--- a/configure.ac
+++ b/configure.ac
@@ -39,7 +39,6 @@ AC_CONFIG_HEADERS([config.h])
# Initialize Automake
AM_INIT_AUTOMAKE([foreign dist-bzip2])
-AM_MAINTAINER_MODE
# Initialize libtool
AC_PROG_LIBTOOL
commit 991eb6dad335f4915de8bb2d36d82f0346ae88fb
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date: Fri Feb 11 15:36:33 2011 +1000
man: remove "current", we're way past 1.0.
Claiming "the current 1.0 release" when the library is already past version
4 is a tad confusing.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
diff --git a/man/Xfixes.man b/man/Xfixes.man
index 754ee72..e356838 100644
--- a/man/Xfixes.man
+++ b/man/Xfixes.man
@@ -69,7 +69,7 @@ Extension. This extension provides application with work arounds for
various limitations in the core protocol.
.SH RESTRICTIONS
.B Xfixes
-will remain upward compatible after the current 1.0 release.
+will remain upward compatible after the 1.0 release.
.SH AUTHORS
Keith Packard, member of the XFree86 Project, Inc. and
HP, Owen Taylor, member of the Gnome Foundation and Redhat, Inc.
commit ca7b0066fe6f315d2499338cd133e5b1e9d11236
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri Sep 16 22:19:59 2011 -0700
Strip trailing whitespace
Performed with: find * -type f | xargs perl -i -p -e 's{[ \t]+$}{}'
git diff -w & git diff -b show no diffs from this change
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/Makefile.am b/Makefile.am
index d6a90e3..b5d567d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,6 +1,6 @@
-#
+#
# Copyright © 2003 Keith Packard, Noah Levitt
-#
+#
# Permission to use, copy, modify, distribute, and sell this software and its
# documentation for any purpose is hereby granted without fee, provided that
# the above copyright notice appear in all copies and that both that
@@ -10,7 +10,7 @@
# specific, written prior permission. Keith Packard makes no
# representations about the suitability of this software for any purpose. It
# is provided "as is" without express or implied warranty.
-#
+#
# KEITH PACKARD DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
# INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
# EVENT SHALL KEITH PACKARD BE LIABLE FOR ANY SPECIAL, INDIRECT OR
diff --git a/include/X11/extensions/Xfixes.h b/include/X11/extensions/Xfixes.h
index 10a7e2e..8995d14 100644
--- a/include/X11/extensions/Xfixes.h
+++ b/include/X11/extensions/Xfixes.h
@@ -133,7 +133,7 @@ XFixesChangeSaveSet (Display *dpy,
void
XFixesSelectSelectionInput (Display *dpy,
Window win,
- Atom selection,
+ Atom selection,
unsigned long eventMask);
void
@@ -198,12 +198,12 @@ XRectangle *
XFixesFetchRegion (Display *dpy, XserverRegion region, int *nrectanglesRet);
XRectangle *
-XFixesFetchRegionAndBounds (Display *dpy, XserverRegion region,
+XFixesFetchRegionAndBounds (Display *dpy, XserverRegion region,
int *nrectanglesRet,
XRectangle *bounds);
void
-XFixesSetGCClipRegion (Display *dpy, GC gc,
+XFixesSetGCClipRegion (Display *dpy, GC gc,
int clip_x_origin, int clip_y_origin,
XserverRegion region);
diff --git a/man/Xfixes.man b/man/Xfixes.man
index 075b78f..754ee72 100644
--- a/man/Xfixes.man
+++ b/man/Xfixes.man
@@ -31,9 +31,9 @@
XFixes \- Augmented versions of core protocol requests
.SH SYNTAX
\&#include <X11/extensions/Xfixes.h>
-.nf
+.nf
.sp
-Bool XFixesQueryExtension \^(\^Display *\fIdpy\fP,
+Bool XFixesQueryExtension \^(\^Display *\fIdpy\fP,
int *\fIevent_base_return\fP, int *\fIerror_base_return\fP\^);
.sp
Status XFixesQueryVersion \^(\^Display *\fIdpy\fP,
diff --git a/src/Cursor.c b/src/Cursor.c
index 0d656f7..b3dfed1 100644
--- a/src/Cursor.c
+++ b/src/Cursor.c
@@ -106,7 +106,7 @@ XFixesGetCursorImage (Display *dpy)
/* bytes of actual data in the reply */
nread = (npixels << 2) + nbytes_name;
/* size of data returned to application */
- rlength = (sizeof (XFixesCursorImage) +
+ rlength = (sizeof (XFixesCursorImage) +
npixels * sizeof (unsigned long) +
nbytes_name + 1);
diff --git a/src/Makefile.am b/src/Makefile.am
index 544230f..672e08a 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -16,5 +16,5 @@ INCLUDES = -I$(top_srcdir)/include/X11/extensions
libXfixes_la_LDFLAGS = -version-number 3:1:0 -no-undefined
libXfixesincludedir = $(includedir)/X11/extensions
-libXfixesinclude_HEADERS = $(top_srcdir)/include/X11/extensions/Xfixes.h
+libXfixesinclude_HEADERS = $(top_srcdir)/include/X11/extensions/Xfixes.h
diff --git a/src/Region.c b/src/Region.c
index 842da06..94c5403 100644
--- a/src/Region.c
+++ b/src/Region.c
@@ -303,8 +303,8 @@ XFixesFetchRegion (Display *dpy, XserverRegion region, int *nrectanglesRet)
}
XRectangle *
-XFixesFetchRegionAndBounds (Display *dpy,
- XserverRegion region,
+XFixesFetchRegionAndBounds (Display *dpy,
+ XserverRegion region,
int *nrectanglesRet,
XRectangle *bounds)
{
@@ -357,7 +357,7 @@ XFixesFetchRegionAndBounds (Display *dpy,
}
void
-XFixesSetGCClipRegion (Display *dpy, GC gc,
+XFixesSetGCClipRegion (Display *dpy, GC gc,
int clip_x_origin, int clip_y_origin,
XserverRegion region)
{
diff --git a/src/SaveSet.c b/src/SaveSet.c
index c57ae73..cf050a0 100644
--- a/src/SaveSet.c
+++ b/src/SaveSet.c
@@ -26,7 +26,7 @@
#endif
#include "Xfixesint.h"
-void
+void
XFixesChangeSaveSet (Display *dpy, Window win, int mode, int target, int map)
{
XFixesExtDisplayInfo *info = XFixesFindDisplay (dpy);
diff --git a/src/Selection.c b/src/Selection.c
index 708d583..7f4769c 100644
--- a/src/Selection.c
+++ b/src/Selection.c
@@ -29,7 +29,7 @@
void
XFixesSelectSelectionInput (Display *dpy,
Window win,
- Atom selection,
+ Atom selection,
unsigned long eventMask)
{
XFixesExtDisplayInfo *info = XFixesFindDisplay (dpy);
diff --git a/src/Xfixes.c b/src/Xfixes.c
index 7d3af84..c32ee39 100644
--- a/src/Xfixes.c
+++ b/src/Xfixes.c
@@ -31,7 +31,7 @@ char XFixesExtensionName[] = XFIXES_NAME;
static int
XFixesCloseDisplay (Display *dpy, XExtCodes *codes);
-
+
static Bool
XFixesWireToEvent(Display *dpy, XEvent *event, xEvent *wire);
@@ -57,13 +57,13 @@ XFixesExtAddDisplay (XFixesExtInfo *extinfo,
info->codes = XInitExtension (dpy, ext_name);
/*
- * if the server has the extension, then we can initialize the
+ * if the server has the extension, then we can initialize the
* appropriate function vectors
*/
if (info->codes) {
xXFixesQueryVersionReply rep;
xXFixesQueryVersionReq *req;
- XESetCloseDisplay (dpy, info->codes->extension,
+ XESetCloseDisplay (dpy, info->codes->extension,
XFixesCloseDisplay);
for (ev = info->codes->first_event;
ev < info->codes->first_event + XFixesNumberEvents;
@@ -81,7 +81,7 @@ XFixesExtAddDisplay (XFixesExtInfo *extinfo,
req->xfixesReqType = X_XFixesQueryVersion;
req->majorVersion = XFIXES_MAJOR;
req->minorVersion = XFIXES_MINOR;
- if (!_XReply (dpy, (xReply *) &rep, 0, xTrue))
+ if (!_XReply (dpy, (xReply *) &rep, 0, xTrue))
{
UnlockDisplay (dpy);
SyncHandle ();
@@ -123,7 +123,7 @@ XFixesExtAddDisplay (XFixesExtInfo *extinfo,
* XFixesExtRemoveDisplay - remove the indicated display from the
* extension object. (Replaces XextRemoveDisplay.)
*/
-static int
+static int
XFixesExtRemoveDisplay (XFixesExtInfo *extinfo, Display *dpy)
{
XFixesExtDisplayInfo *info, *prev;
@@ -164,7 +164,7 @@ XFixesExtRemoveDisplay (XFixesExtInfo *extinfo, Display *dpy)
* XextFindDisplay.)
*/
static XFixesExtDisplayInfo *
-XFixesExtFindDisplay (XFixesExtInfo *extinfo,
+XFixesExtFindDisplay (XFixesExtInfo *extinfo,
Display *dpy)
{
XFixesExtDisplayInfo *info;
@@ -172,7 +172,7 @@ XFixesExtFindDisplay (XFixesExtInfo *extinfo,
/*
* see if this was the most recently accessed display
*/
- if ((info = extinfo->cur) && info->display == dpy)
+ if ((info = extinfo->cur) && info->display == dpy)
return info;
/*
@@ -198,11 +198,11 @@ XFixesFindDisplay (Display *dpy)
info = XFixesExtFindDisplay (&XFixesExtensionInfo, dpy);
if (!info)
- info = XFixesExtAddDisplay (&XFixesExtensionInfo, dpy,
+ info = XFixesExtAddDisplay (&XFixesExtensionInfo, dpy,
XFixesExtensionName);
return info;
}
-
+
static int
XFixesCloseDisplay (Display *dpy, XExtCodes *codes)
{
@@ -296,24 +296,24 @@ XFixesEventToWire(Display *dpy, XEvent *event, xEvent *wire)
return False;
}
-Bool
+Bool
XFixesQueryExtension (Display *dpy,
int *event_base_return,
int *error_base_return)
{
XFixesExtDisplayInfo *info = XFixesFindDisplay (dpy);
- if (XFixesHasExtension(info))
+ if (XFixesHasExtension(info))
{
*event_base_return = info->codes->first_event;
*error_base_return = info->codes->first_error;
return True;
- }
+ }
else
return False;
}
-Status
+Status
XFixesQueryVersion (Display *dpy,
int *major_version_return,
int *minor_version_return)
Reply to: