libxrandr: Changes to 'debian-unstable'
AUTHORS | 2
COPYING | 4
ChangeLog | 182 ++++++++++++++++++++
Makefile.am | 8
autogen.sh | 4
configure.ac | 11 -
debian/changelog | 23 ++
debian/compat | 2
debian/control | 16 +
debian/libxrandr2.symbols | 12 +
debian/patches/series | 1
debian/rules | 32 +--
include/X11/extensions/Xrandr.h | 137 +++++++++++++--
src/Makefile.am | 8
src/Xrandr.c | 85 ++++++++-
src/Xrandrint.h | 21 +-
src/XrrConfig.c | 44 ++--
src/XrrCrtc.c | 32 +--
src/XrrMode.c | 10 -
src/XrrOutput.c | 21 +-
src/XrrProperty.c | 56 ++++--
src/XrrProvider.c | 217 ++++++++++++++++++++++++
src/XrrProviderProperty.c | 355 ++++++++++++++++++++++++++++++++++++++++
src/XrrScreen.c | 16 -
24 files changed, 1144 insertions(+), 155 deletions(-)
New commits:
commit 4bc520826e65f4bb81f0ccb3bada96eeb29ef11c
Author: Julien Cristau <jcristau@debian.org>
Date: Sun Jun 30 18:34:26 2013 +0200
Upload to unstable
diff --git a/debian/changelog b/debian/changelog
index fd4828d..d66230a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-libxrandr (2:1.4.1-1) UNRELEASED; urgency=low
+libxrandr (2:1.4.1-1) sid; urgency=low
* New upstream release.
* Use dpkg-buildflags.
@@ -8,7 +8,7 @@ libxrandr (2:1.4.1-1) UNRELEASED; urgency=low
* Make libxrandr-dev Multi-Arch: same (closes: #678895).
* Disable silent build rules.
- -- Julien Cristau <jcristau@debian.org> Sun, 30 Jun 2013 18:16:18 +0200
+ -- Julien Cristau <jcristau@debian.org> Sun, 30 Jun 2013 18:31:40 +0200
libxrandr (2:1.4.0-1) experimental; urgency=low
commit 015e11e12dcfdbb8826667b5d07bbdb0543952f9
Author: Julien Cristau <jcristau@debian.org>
Date: Sun Jun 30 18:31:34 2013 +0200
Disable silent build rules.
diff --git a/debian/changelog b/debian/changelog
index 3ca6ff8..fd4828d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,7 @@ libxrandr (2:1.4.1-1) UNRELEASED; urgency=low
* Use dh_prep instead of dh_clean -k.
* Remove unused DEB_HOST_ARCH setting from d/rules.
* Make libxrandr-dev Multi-Arch: same (closes: #678895).
+ * Disable silent build rules.
-- Julien Cristau <jcristau@debian.org> Sun, 30 Jun 2013 18:16:18 +0200
diff --git a/debian/rules b/debian/rules
index 479fd97..529635b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -33,6 +33,7 @@ build/config.status: configure
../configure --prefix=/usr --mandir=\$${prefix}/share/man \
--libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \
--infodir=\$${prefix}/share/info \
+ --disable-silent-rules \
$(confflags)
commit a153949bb501599e1e1390f8e9152e57e464c855
Author: Julien Cristau <jcristau@debian.org>
Date: Sun Jun 30 18:27:29 2013 +0200
Make libxrandr-dev Multi-Arch: same (closes: #678895).
diff --git a/debian/changelog b/debian/changelog
index 6aa9ab3..3ca6ff8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,7 @@ libxrandr (2:1.4.1-1) UNRELEASED; urgency=low
* Bump debhelper compat level to 7.
* Use dh_prep instead of dh_clean -k.
* Remove unused DEB_HOST_ARCH setting from d/rules.
+ * Make libxrandr-dev Multi-Arch: same (closes: #678895).
-- Julien Cristau <jcristau@debian.org> Sun, 30 Jun 2013 18:16:18 +0200
diff --git a/debian/control b/debian/control
index 245625e..9683588 100644
--- a/debian/control
+++ b/debian/control
@@ -65,6 +65,7 @@ Description: X11 RandR extension library (debug package)
Package: libxrandr-dev
Section: libdevel
Architecture: any
+Multi-Arch: same
Depends:
${shlibs:Depends},
${misc:Depends},
commit b3628df1131c6f553fa4a25eaa49766819204d0f
Author: Julien Cristau <jcristau@debian.org>
Date: Sun Jun 30 18:26:32 2013 +0200
Remove unused DEB_HOST_ARCH setting from d/rules.
diff --git a/debian/changelog b/debian/changelog
index e1a2331..6aa9ab3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ libxrandr (2:1.4.1-1) UNRELEASED; urgency=low
* Use dpkg-buildflags.
* Bump debhelper compat level to 7.
* Use dh_prep instead of dh_clean -k.
+ * Remove unused DEB_HOST_ARCH setting from d/rules.
-- Julien Cristau <jcristau@debian.org> Sun, 30 Jun 2013 18:16:18 +0200
diff --git a/debian/rules b/debian/rules
index dee1f2e..479fd97 100755
--- a/debian/rules
+++ b/debian/rules
@@ -13,7 +13,6 @@ PACKAGE = libxrandr2
include debian/xsfbs/xsfbs.mk
DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
-DEB_HOST_ARCH ?= $(shell dpkg-architecture -qDEB_HOST_ARCH)
DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE))
commit 87693c20e217cf6bed9111eeb28eedf74298cfaf
Author: Julien Cristau <jcristau@debian.org>
Date: Sun Jun 30 18:23:56 2013 +0200
Use dh_prep instead of dh_clean -k.
diff --git a/debian/changelog b/debian/changelog
index bbecee4..e1a2331 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,7 @@ libxrandr (2:1.4.1-1) UNRELEASED; urgency=low
* New upstream release.
* Use dpkg-buildflags.
* Bump debhelper compat level to 7.
+ * Use dh_prep instead of dh_clean -k.
-- Julien Cristau <jcristau@debian.org> Sun, 30 Jun 2013 18:16:18 +0200
diff --git a/debian/rules b/debian/rules
index 04d4f96..dee1f2e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -46,31 +46,27 @@ build-stamp: build/config.status
clean: xsfclean
dh_testdir
rm -f build-stamp
-
rm -f config.cache config.log config.status
rm -f */config.cache */config.log */config.status
rm -f conftest* */conftest*
rm -rf autom4te.cache */autom4te.cache
rm -rf build
- rm -f $$(find -name Makefile.in)
+ find -name Makefile.in -delete
rm -f compile config.guess config.sub configure depcomp install-sh
rm -f ltmain.sh missing INSTALL aclocal.m4 config.h.in mkinstalldirs
-
dh_clean
install: build
dh_testdir
dh_testroot
- dh_clean -k
+ dh_prep
dh_installdirs
-
cd build && $(MAKE) DESTDIR=$(CURDIR)/debian/tmp install
# Build architecture-dependent files here.
binary-arch: build install
dh_testdir
dh_testroot
-
dh_installdocs
dh_install --fail-missing -XlibXrandr.la
dh_installchangelogs
commit 0336f76839b692cb0f804c731cc8fecad3c61bca
Author: Julien Cristau <jcristau@debian.org>
Date: Sun Jun 30 18:22:22 2013 +0200
Bump debhelper compat level to 7.
diff --git a/debian/changelog b/debian/changelog
index 540ad54..bbecee4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ libxrandr (2:1.4.1-1) UNRELEASED; urgency=low
* New upstream release.
* Use dpkg-buildflags.
+ * Bump debhelper compat level to 7.
-- Julien Cristau <jcristau@debian.org> Sun, 30 Jun 2013 18:16:18 +0200
diff --git a/debian/compat b/debian/compat
index 7ed6ff8..7f8f011 100644
--- a/debian/compat
+++ b/debian/compat
@@ -1 +1 @@
-5
+7
diff --git a/debian/rules b/debian/rules
index 6df79c9..04d4f96 100755
--- a/debian/rules
+++ b/debian/rules
@@ -72,8 +72,8 @@ binary-arch: build install
dh_testroot
dh_installdocs
- dh_install --sourcedir=debian/tmp --fail-missing -XlibXrandr.la
- dh_installchangelogs ChangeLog
+ dh_install --fail-missing -XlibXrandr.la
+ dh_installchangelogs
dh_installman
dh_link
dh_strip --dbg-package=$(PACKAGE)-dbg
commit 88911a105b001bc47a7739a4c662389310cc48d0
Author: Julien Cristau <jcristau@debian.org>
Date: Sun Jun 30 18:21:37 2013 +0200
Use dpkg-buildflags.
diff --git a/debian/changelog b/debian/changelog
index 14b4c38..540ad54 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
libxrandr (2:1.4.1-1) UNRELEASED; urgency=low
* New upstream release.
+ * Use dpkg-buildflags.
-- Julien Cristau <jcristau@debian.org> Sun, 30 Jun 2013 18:16:18 +0200
diff --git a/debian/control b/debian/control
index 4dac0dd..245625e 100644
--- a/debian/control
+++ b/debian/control
@@ -5,6 +5,8 @@ Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Uploaders: Cyril Brulebois <kibi@debian.org>
Build-Depends:
debhelper (>= 8.1.3),
+# dpkg-buildflags --export=configure
+ dpkg-dev (>= 1.16.1),
libx11-dev (>= 1:0.99.2),
libxext-dev (>= 1:0.99.1),
x11proto-randr-dev (>= 1.4),
diff --git a/debian/rules b/debian/rules
index 3a9b74d..6df79c9 100755
--- a/debian/rules
+++ b/debian/rules
@@ -12,16 +12,6 @@ PACKAGE = libxrandr2
include debian/xsfbs/xsfbs.mk
-CFLAGS = -Wall -g
-ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
- CFLAGS += -O0
-else
- CFLAGS += -O2
-endif
-ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
- INSTALL_PROGRAM += -s
-endif
-
DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
DEB_HOST_ARCH ?= $(shell dpkg-architecture -qDEB_HOST_ARCH)
DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
@@ -31,6 +21,7 @@ ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE))
else
confflags += --build=$(DEB_BUILD_GNU_TYPE) --host=$(DEB_HOST_GNU_TYPE)
endif
+confflags += $(shell DEB_CFLAGS_MAINT_APPEND=-Wall dpkg-buildflags --export=configure)
configure: $(STAMP_DIR)/patch
dh_testdir
@@ -42,8 +33,8 @@ build/config.status: configure
cd build && \
../configure --prefix=/usr --mandir=\$${prefix}/share/man \
--libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \
- --infodir=\$${prefix}/share/info $(confflags) \
- CFLAGS="$(CFLAGS)"
+ --infodir=\$${prefix}/share/info \
+ $(confflags)
build: build-stamp
commit da3ae992b72e05551d817e6b5aca6a433c5dc65a
Author: Julien Cristau <jcristau@debian.org>
Date: Sun Jun 30 18:18:15 2013 +0200
Bump changelogs
diff --git a/ChangeLog b/ChangeLog
index 4a67a48..d07b8f4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,140 @@
+commit f97d44f8fb9f90ce3227cca8affd3b947e9b08ca
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri May 31 15:52:23 2013 -0700
+
+ libXrandr 1.4.1
+
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit c90f74497dbcb96854346435349c6e2207b530c5
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat May 4 21:47:50 2013 -0700
+
+ Make XRRGet*Property() always initialize returned values
+
+ Avoids memory corruption and other errors when callers access them
+ without checking to see if the calls returned an error value.
+
+ Callers are still required to check for errors, this just reduces the
+ damage when they don't.
+
+ (Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel)
+
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 4254bf0ee4c7a8f9d03841cf0d8e16cbb201dfbd
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat May 4 21:37:49 2013 -0700
+
+ integer overflow in XRRGetProviderProperty() [CVE-2013-1986 4/4]
+
+ If the reported number of properties is too large, the calculations
+ to allocate memory for them may overflow, leaving us returning less
+ memory to the caller than implied by the value written to *nitems.
+
+ (Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel)
+
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 289a1927949e6f278c18d115772e454837702e35
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat May 4 21:37:49 2013 -0700
+
+ integer overflow in XRRGetOutputProperty() [CVE-2013-1986 3/4]
+
+ If the reported number of properties is too large, the calculations
+ to allocate memory for them may overflow, leaving us returning less
+ memory to the caller than implied by the value written to *nitems.
+
+ (Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel)
+
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 1da5b838c2a8565d4d95a4e948f951ce6b466345
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri Apr 12 21:44:59 2013 -0700
+
+ integer overflow in XRRQueryProviderProperty() [CVE-2013-1986 2/4]
+
+ Same problem as XRRQueryOutputProperty() that it was cloned from
+
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 0e79d96c36aef5889ae2e2a3fc2e96e93f30dc21
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri Apr 12 21:44:59 2013 -0700
+
+ integer overflow in XRRQueryOutputProperty() [CVE-2013-1986 1/4]
+
+ rep.length is a CARD32, while rbytes was a signed int, so
+ rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
+ could result in integer overflow, leading to an undersized malloc
+ and reading data off the connection and writing it past the end of
+ the allocated buffer.
+
+ Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 1c7ad6773ce6be00dcd6e51e9be08f203abe5071
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri May 3 23:29:22 2013 -0700
+
+ Use _XEatDataWords to avoid overflow of rep.length bit shifting
+
+ rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 99a63d10cbbab7d69a52d25d78795a3278506ea9
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri Jan 18 23:14:01 2013 -0800
+
+ Replace deprecated Automake INCLUDES variable with AM_CPPFLAGS
+
+ Excerpt https://lists.gnu.org/archive/html/automake/2012-12/msg00038.html
+
+ - Support for the long-deprecated INCLUDES variable will be removed
+ altogether in Automake 1.14. The AM_CPPFLAGS variable should be
+ used instead.
+
+ This variable was deprecated in Automake releases prior to 1.10, which is
+ the current minimum level required to build X.
+
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 150cf8788a94fc5fb519764e1d46cb520c1d4043
+Author: Colin Walters <walters@verbum.org>
+Date: Wed Jan 4 17:37:06 2012 -0500
+
+ autogen.sh: Implement GNOME Build API
+
+ http://people.gnome.org/~walters/docs/build-api.txt
+
+ Signed-off-by: Adam Jackson <ajax@redhat.com>
+
+commit c3486bccee2aaa2668f7d24d3e1bc01f3832f301
+Author: Adam Jackson <ajax@redhat.com>
+Date: Tue Jan 15 14:28:48 2013 -0500
+
+ configure: Remove AM_MAINTAINER_MODE
+
+ Signed-off-by: Adam Jackson <ajax@redhat.com>
+
+commit 6dfe7d4fa04a5054ee3daeb654ac5a763f37fed1
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri Aug 31 21:39:10 2012 -0700
+
+ Constify a couple string arguments that are just copied, not modified
+
+ Fixes compiler warnings when building app/xrandr:
+
+ xrandr.c: In function ‘crtc_set_transform’:
+ xrandr.c:1459:9: warning: passing argument 4 of ‘XRRSetCrtcTransform’ discards qualifiers from pointer target type
+ X11/extensions/Xrandr.h:419:1: note: expected ‘char *’ but argument is of type ‘const char *’
+
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Reviewed-by: Aaron Plattner <aplattner@nvidia.com>
+
commit 39976a7d1cc9e737e662695ae5326af805c50a27
Author: Dave Airlie <airlied@redhat.com>
Date: Thu Jul 26 14:15:18 2012 +1000
diff --git a/debian/changelog b/debian/changelog
index 0d82c01..14b4c38 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+libxrandr (2:1.4.1-1) UNRELEASED; urgency=low
+
+ * New upstream release.
+
+ -- Julien Cristau <jcristau@debian.org> Sun, 30 Jun 2013 18:16:18 +0200
+
libxrandr (2:1.4.0-1) experimental; urgency=low
[ Maarten Lankhorst ]
commit f97d44f8fb9f90ce3227cca8affd3b947e9b08ca
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri May 31 15:52:23 2013 -0700
libXrandr 1.4.1
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/configure.ac b/configure.ac
index 8466999..6776233 100644
--- a/configure.ac
+++ b/configure.ac
@@ -29,7 +29,7 @@ AC_PREREQ([2.60])
# digit in the version number to track changes which don't affect the
# protocol, so Xrandr version l.n.m corresponds to protocol version l.n
#
-AC_INIT([libXrandr], [1.4.0],
+AC_INIT([libXrandr], [1.4.1],
[https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXrandr])
AC_CONFIG_SRCDIR([Makefile.am])
AC_CONFIG_HEADERS([config.h])
commit c90f74497dbcb96854346435349c6e2207b530c5
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat May 4 21:47:50 2013 -0700
Make XRRGet*Property() always initialize returned values
Avoids memory corruption and other errors when callers access them
without checking to see if the calls returned an error value.
Callers are still required to check for errors, this just reduces the
damage when they don't.
(Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/XrrProperty.c b/src/XrrProperty.c
index 707a28d..2096c56 100644
--- a/src/XrrProperty.c
+++ b/src/XrrProperty.c
@@ -259,6 +259,13 @@ XRRGetOutputProperty (Display *dpy, RROutput output,
xRRGetOutputPropertyReq *req;
unsigned long nbytes, rbytes;
+ /* Always initialize return values, in case callers fail to initialize
+ them and fail to check the return code for an error. */
+ *actual_type = None;
+ *actual_format = 0;
+ *nitems = *bytes_after = 0L;
+ *prop = (unsigned char *) NULL;
+
RRCheckExtension (dpy, info, 1);
LockDisplay (dpy);
@@ -280,7 +287,6 @@ XRRGetOutputProperty (Display *dpy, RROutput output,
return ((xError *)&rep)->errorCode;
}
- *prop = (unsigned char *) NULL;
if (rep.propertyType != None) {
int format = rep.format;
diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c
index 6989580..34cc082 100644
--- a/src/XrrProviderProperty.c
+++ b/src/XrrProviderProperty.c
@@ -259,6 +259,13 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider,
xRRGetProviderPropertyReq *req;
unsigned long nbytes, rbytes;
+ /* Always initialize return values, in case callers fail to initialize
+ them and fail to check the return code for an error. */
+ *actual_type = None;
+ *actual_format = 0;
+ *nitems = *bytes_after = 0L;
+ *prop = (unsigned char *) NULL;
+
RRCheckExtension (dpy, info, 1);
LockDisplay (dpy);
@@ -280,7 +287,6 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider,
return ((xError *)&rep)->errorCode;
}
- *prop = (unsigned char *) NULL;
if (rep.propertyType != None) {
int format = rep.format;
commit 4254bf0ee4c7a8f9d03841cf0d8e16cbb201dfbd
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat May 4 21:37:49 2013 -0700
integer overflow in XRRGetProviderProperty() [CVE-2013-1986 4/4]
If the reported number of properties is too large, the calculations
to allocate memory for them may overflow, leaving us returning less
memory to the caller than implied by the value written to *nitems.
(Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c
index dc699f6..6989580 100644
--- a/src/XrrProviderProperty.c
+++ b/src/XrrProviderProperty.c
@@ -257,7 +257,7 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider,
XExtDisplayInfo *info = XRRFindDisplay(dpy);
xRRGetProviderPropertyReply rep;
xRRGetProviderPropertyReq *req;
- long nbytes, rbytes;
+ unsigned long nbytes, rbytes;
RRCheckExtension (dpy, info, 1);
@@ -282,34 +282,40 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider,
*prop = (unsigned char *) NULL;
if (rep.propertyType != None) {
+ int format = rep.format;
+
+ /*
+ * Protect against both integer overflow and just plain oversized
+ * memory allocation - no server should ever return this many props.
+ */
+ if (rep.nItems >= (INT_MAX >> 4))
+ format = -1; /* fall through to default error case */
+
/*
* One extra byte is malloced than is needed to contain the property
* data, but this last byte is null terminated and convenient for
* returning string properties, so the client doesn't then have to
* recopy the string to make it null terminated.
*/
- switch (rep.format) {
+ switch (format) {
case 8:
nbytes = rep.nItems;
rbytes = rep.nItems + 1;
- if (rbytes > 0 &&
- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
+ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
_XReadPad (dpy, (char *) *prop, nbytes);
break;
case 16:
nbytes = rep.nItems << 1;
rbytes = rep.nItems * sizeof (short) + 1;
- if (rbytes > 0 &&
- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
+ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
_XRead16Pad (dpy, (short *) *prop, nbytes);
break;
case 32:
nbytes = rep.nItems << 2;
rbytes = rep.nItems * sizeof (long) + 1;
- if (rbytes > 0 &&
- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
+ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
_XRead32 (dpy, (long *) *prop, nbytes);
break;
commit 289a1927949e6f278c18d115772e454837702e35
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat May 4 21:37:49 2013 -0700
integer overflow in XRRGetOutputProperty() [CVE-2013-1986 3/4]
If the reported number of properties is too large, the calculations
to allocate memory for them may overflow, leaving us returning less
memory to the caller than implied by the value written to *nitems.
(Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/XrrProperty.c b/src/XrrProperty.c
index 50382bf..707a28d 100644
--- a/src/XrrProperty.c
+++ b/src/XrrProperty.c
@@ -257,7 +257,7 @@ XRRGetOutputProperty (Display *dpy, RROutput output,
XExtDisplayInfo *info = XRRFindDisplay(dpy);
xRRGetOutputPropertyReply rep;
xRRGetOutputPropertyReq *req;
- long nbytes, rbytes;
+ unsigned long nbytes, rbytes;
RRCheckExtension (dpy, info, 1);
@@ -282,34 +282,40 @@ XRRGetOutputProperty (Display *dpy, RROutput output,
*prop = (unsigned char *) NULL;
if (rep.propertyType != None) {
+ int format = rep.format;
+
+ /*
+ * Protect against both integer overflow and just plain oversized
+ * memory allocation - no server should ever return this many props.
+ */
+ if (rep.nItems >= (INT_MAX >> 4))
+ format = -1; /* fall through to default error case */
+
/*
* One extra byte is malloced than is needed to contain the property
* data, but this last byte is null terminated and convenient for
* returning string properties, so the client doesn't then have to
* recopy the string to make it null terminated.
*/
- switch (rep.format) {
+ switch (format) {
case 8:
nbytes = rep.nItems;
rbytes = rep.nItems + 1;
- if (rbytes > 0 &&
- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
+ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
_XReadPad (dpy, (char *) *prop, nbytes);
break;
case 16:
nbytes = rep.nItems << 1;
rbytes = rep.nItems * sizeof (short) + 1;
- if (rbytes > 0 &&
- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
+ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
_XRead16Pad (dpy, (short *) *prop, nbytes);
break;
case 32:
nbytes = rep.nItems << 2;
rbytes = rep.nItems * sizeof (long) + 1;
- if (rbytes > 0 &&
- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
+ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
_XRead32 (dpy, (long *) *prop, nbytes);
break;
commit 1da5b838c2a8565d4d95a4e948f951ce6b466345
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri Apr 12 21:44:59 2013 -0700
integer overflow in XRRQueryProviderProperty() [CVE-2013-1986 2/4]
Same problem as XRRQueryOutputProperty() that it was cloned from
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c
index 2d90a0a..dc699f6 100644
--- a/src/XrrProviderProperty.c
+++ b/src/XrrProviderProperty.c
@@ -31,6 +31,7 @@
#include <X11/extensions/render.h>
#include <X11/extensions/Xrender.h>
#include "Xrandrint.h"
+#include <limits.h>
Atom *
XRRListProviderProperties (Display *dpy, RRProvider provider, int *nprop)
@@ -84,7 +85,7 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property)
XExtDisplayInfo *info = XRRFindDisplay(dpy);
xRRQueryProviderPropertyReply rep;
xRRQueryProviderPropertyReq *req;
- int rbytes, nbytes;
+ unsigned int rbytes, nbytes;
XRRPropertyInfo *prop_info;
RRCheckExtension (dpy, info, NULL);
@@ -102,10 +103,14 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property)
return NULL;
}
- rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
- nbytes = rep.length << 2;
+ if (rep.length < ((INT_MAX / sizeof(long)) - sizeof (XRRPropertyInfo))) {
+ rbytes = sizeof (XRRPropertyInfo) + (rep.length * sizeof (long));
+ nbytes = rep.length << 2;
+
+ prop_info = Xmalloc (rbytes);
+ } else
+ prop_info = NULL;
- prop_info = (XRRPropertyInfo *) Xmalloc (rbytes);
if (prop_info == NULL) {
_XEatDataWords (dpy, rep.length);
UnlockDisplay (dpy);
commit 0e79d96c36aef5889ae2e2a3fc2e96e93f30dc21
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri Apr 12 21:44:59 2013 -0700
integer overflow in XRRQueryOutputProperty() [CVE-2013-1986 1/4]
rep.length is a CARD32, while rbytes was a signed int, so
rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
could result in integer overflow, leading to an undersized malloc
and reading data off the connection and writing it past the end of
the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/XrrProperty.c b/src/XrrProperty.c
index 2b065b2..50382bf 100644
--- a/src/XrrProperty.c
+++ b/src/XrrProperty.c
@@ -31,6 +31,7 @@
#include <X11/extensions/render.h>
#include <X11/extensions/Xrender.h>
#include "Xrandrint.h"
+#include <limits.h>
Atom *
XRRListOutputProperties (Display *dpy, RROutput output, int *nprop)
@@ -84,7 +85,7 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property)
XExtDisplayInfo *info = XRRFindDisplay(dpy);
xRRQueryOutputPropertyReply rep;
xRRQueryOutputPropertyReq *req;
- int rbytes, nbytes;
+ unsigned int rbytes, nbytes;
XRRPropertyInfo *prop_info;
RRCheckExtension (dpy, info, NULL);
@@ -102,10 +103,14 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property)
return NULL;
}
- rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
- nbytes = rep.length << 2;
+ if (rep.length < ((INT_MAX / sizeof(long)) - sizeof (XRRPropertyInfo))) {
+ rbytes = sizeof (XRRPropertyInfo) + (rep.length * sizeof (long));
+ nbytes = rep.length << 2;
+
+ prop_info = Xmalloc (rbytes);
+ } else
+ prop_info = NULL;
- prop_info = (XRRPropertyInfo *) Xmalloc (rbytes);
if (prop_info == NULL) {
_XEatDataWords(dpy, rep.length);
UnlockDisplay (dpy);
commit 1c7ad6773ce6be00dcd6e51e9be08f203abe5071
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri May 3 23:29:22 2013 -0700
Use _XEatDataWords to avoid overflow of rep.length bit shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/configure.ac b/configure.ac
index 3f28bef..8466999 100644
--- a/configure.ac
+++ b/configure.ac
@@ -55,6 +55,12 @@ AC_SUBST(RANDR_VERSION)
# Obtain compiler/linker options for depedencies
PKG_CHECK_MODULES(RANDR, x11 randrproto >= $RANDR_VERSION xext xextproto xrender renderproto)
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$RANDR_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
AC_CONFIG_FILES([Makefile
src/Makefile
man/Makefile
diff --git a/src/Xrandrint.h b/src/Xrandrint.h
index aed10e4..1687c29 100644
--- a/src/Xrandrint.h
+++ b/src/Xrandrint.h
@@ -42,6 +42,19 @@ extern char XRRExtensionName[];
XExtDisplayInfo *XRRFindDisplay (Display *dpy);
+#ifndef HAVE__XEATDATAWORDS
+#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */
+#include <limits.h>
+
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif
/* deliberately opaque internal data structure; can be extended,
but not reordered */
diff --git a/src/XrrCrtc.c b/src/XrrCrtc.c
index 04087c5..a704a52 100644
--- a/src/XrrCrtc.c
+++ b/src/XrrCrtc.c
@@ -74,7 +74,7 @@ XRRGetCrtcInfo (Display *dpy, XRRScreenResources *resources, RRCrtc crtc)
xci = (XRRCrtcInfo *) Xmalloc(rbytes);
if (xci == NULL) {
- _XEatData (dpy, (unsigned long) nbytes);
+ _XEatDataWords (dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
@@ -203,7 +203,7 @@ XRRGetCrtcGamma (Display *dpy, RRCrtc crtc)
if (!crtc_gamma)
{
- _XEatData (dpy, (unsigned long) nbytes);
+ _XEatDataWords (dpy, rep.length);
goto out;
}
_XRead16 (dpy, crtc_gamma->red, rep.size * 2);
@@ -397,7 +397,7 @@ XRRGetCrtcTransform (Display *dpy,
int extraBytes = rep.length * 4 - CrtcTransformExtra;
extra = Xmalloc (extraBytes);
if (!extra) {
- _XEatData (dpy, extraBytes);
+ _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2));
UnlockDisplay (dpy);
SyncHandle ();
return False;
diff --git a/src/XrrOutput.c b/src/XrrOutput.c
index f13a932..4df894e 100644
--- a/src/XrrOutput.c
+++ b/src/XrrOutput.c
@@ -81,7 +81,7 @@ XRRGetOutputInfo (Display *dpy, XRRScreenResources *resources, RROutput output)
xoi = (XRROutputInfo *) Xmalloc(rbytes);
if (xoi == NULL) {
- _XEatData (dpy, (unsigned long) nbytes);
+ _XEatDataWords (dpy, rep.length - (OutputInfoExtra >> 2));
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
diff --git a/src/XrrProperty.c b/src/XrrProperty.c
index 4c3fdb0..2b065b2 100644
--- a/src/XrrProperty.c
+++ b/src/XrrProperty.c
@@ -62,7 +62,7 @@ XRRListOutputProperties (Display *dpy, RROutput output, int *nprop)
props = (Atom *) Xmalloc (rbytes);
if (props == NULL) {
- _XEatData (dpy, nbytes);
+ _XEatDataWords (dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
*nprop = 0;
@@ -107,7 +107,7 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property)
prop_info = (XRRPropertyInfo *) Xmalloc (rbytes);
if (prop_info == NULL) {
- _XEatData (dpy, nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
@@ -313,14 +313,13 @@ XRRGetOutputProperty (Display *dpy, RROutput output,
* This part of the code should never be reached. If it is,
* the server sent back a property with an invalid format.
*/
- nbytes = rep.length << 2;
- _XEatData(dpy, (unsigned long) nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return(BadImplementation);
}
if (! *prop) {
- _XEatData(dpy, (unsigned long) nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return(BadAlloc);
diff --git a/src/XrrProvider.c b/src/XrrProvider.c
index fcd06ff..309e321 100644
--- a/src/XrrProvider.c
+++ b/src/XrrProvider.c
@@ -67,7 +67,7 @@ XRRGetProviderResources(Display *dpy, Window window)
xrpr = (XRRProviderResources *) Xmalloc(rbytes);
if (xrpr == NULL) {
- _XEatData (dpy, (unsigned long) nbytes);
+ _XEatDataWords (dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
@@ -136,7 +136,7 @@ XRRGetProviderInfo(Display *dpy, XRRScreenResources *resources, RRProvider provi
xpi = (XRRProviderInfo *)Xmalloc(rbytes);
if (xpi == NULL) {
- _XEatData (dpy, (unsigned long) nbytes);
+ _XEatDataWords (dpy, rep.length - (ProviderInfoExtra >> 2));
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c
index c8c08e9..2d90a0a 100644
--- a/src/XrrProviderProperty.c
+++ b/src/XrrProviderProperty.c
@@ -62,7 +62,7 @@ XRRListProviderProperties (Display *dpy, RRProvider provider, int *nprop)
props = (Atom *) Xmalloc (rbytes);
if (props == NULL) {
- _XEatData (dpy, nbytes);
+ _XEatDataWords (dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
*nprop = 0;
@@ -107,7 +107,7 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property)
Reply to: