libxinerama: Changes to 'upstream-unstable'
autogen.sh | 4 ++-
configure.ac | 9 ++++++--
src/Xinerama.c | 61 ++++++++++++++++++++++++++++++++++++++++++---------------
3 files changed, 55 insertions(+), 19 deletions(-)
New commits:
commit 6e1d1dc328ba8162bba2f4694e7f3c706a1491ff
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Thu May 30 17:27:51 2013 -0700
libXinerama 1.1.3
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/configure.ac b/configure.ac
index 046a1aa..17c5cb1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -21,7 +21,7 @@
# Initialize Autoconf
AC_PREREQ([2.60])
-AC_INIT([libXinerama], [1.1.2],
+AC_INIT([libXinerama], [1.1.3],
[https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXinerama])
AC_CONFIG_SRCDIR([Makefile.am])
AC_CONFIG_HEADERS([config.h])
commit 99c644fc8488657bdd106717df7446d606f9ef22
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri Mar 8 19:55:55 2013 -0800
integer overflow in XineramaQueryScreens() [CVE-2013-1985]
If the reported number of screens is too large, the calculations to
allocate memory for them may overflow, leaving us writing beyond the
bounds of the allocation.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/Xinerama.c b/src/Xinerama.c
index 04189b6..67a35b5 100644
--- a/src/Xinerama.c
+++ b/src/Xinerama.c
@@ -303,24 +303,36 @@ XineramaQueryScreens(
return NULL;
}
- if(rep.number) {
- if((scrnInfo = Xmalloc(sizeof(XineramaScreenInfo) * rep.number))) {
+ /*
+ * rep.number is a CARD32 so could be as large as 2^32
+ * The X11 protocol limits the total screen size to 64k x 64k,
+ * and no screen can be smaller than a pixel. While technically
+ * that means we could theoretically reach 2^32 screens, and that's
+ * not even taking overlap into account, Xorg is currently limited
+ * to 16 screens, and few known servers have a much higher limit,
+ * so 1024 seems more than enough to prevent both integer overflow
+ * and insane X server responses causing massive memory allocation.
+ */
+ if ((rep.number > 0) && (rep.number <= 1024))
+ scrnInfo = Xmalloc(sizeof(XineramaScreenInfo) * rep.number);
+ if (scrnInfo != NULL) {
+ int i;
+
+ for (i = 0; i < rep.number; i++) {
xXineramaScreenInfo scratch;
- int i;
-
- for(i = 0; i < rep.number; i++) {
- _XRead(dpy, (char*)(&scratch), sz_XineramaScreenInfo);
- scrnInfo[i].screen_number = i;
- scrnInfo[i].x_org = scratch.x_org;
- scrnInfo[i].y_org = scratch.y_org;
- scrnInfo[i].width = scratch.width;
- scrnInfo[i].height = scratch.height;
- }
-
- *number = rep.number;
- } else
- _XEatDataWords(dpy, rep.length);
+
+ _XRead(dpy, (char*)(&scratch), sz_XineramaScreenInfo);
+
+ scrnInfo[i].screen_number = i;
+ scrnInfo[i].x_org = scratch.x_org;
+ scrnInfo[i].y_org = scratch.y_org;
+ scrnInfo[i].width = scratch.width;
+ scrnInfo[i].height = scratch.height;
+ }
+
+ *number = rep.number;
} else {
+ _XEatDataWords(dpy, rep.length);
*number = 0;
}
commit 7ce3ce4be46087f9cc57cb415875abaaa961f734
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat May 4 09:21:14 2013 -0700
Use _XEatDataWords to avoid overflow of _XEatData calculations
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/configure.ac b/configure.ac
index e335508..046a1aa 100644
--- a/configure.ac
+++ b/configure.ac
@@ -42,6 +42,12 @@ XORG_CHECK_MALLOC_ZERO
# Obtain compiler/linker options for depedencies
PKG_CHECK_MODULES(XINERAMA, x11 xext xextproto [xineramaproto >= 1.1.99.1])
+# Check for _XEatDataWords function that may be patched into older Xlib releases
+SAVE_LIBS="$LIBS"
+LIBS="$XINERAMA_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
# Allow checking code with lint, sparse, etc.
XORG_WITH_LINT
LINT_FLAGS="${LINT_FLAGS} ${XINERAMA_CFLAGS}"
diff --git a/src/Xinerama.c b/src/Xinerama.c
index 7d7e4d8..04189b6 100644
--- a/src/Xinerama.c
+++ b/src/Xinerama.c
@@ -23,6 +23,10 @@ dealings in this Software without prior written authorization from Digital
Equipment Corporation.
******************************************************************/
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
#include <X11/Xlibint.h>
#include <X11/Xutil.h>
#include <X11/extensions/Xext.h>
@@ -31,6 +35,19 @@ Equipment Corporation.
#include <X11/extensions/panoramiXproto.h>
#include <X11/extensions/Xinerama.h>
+#ifndef HAVE__XEATDATAWORDS
+#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */
+#include <limits.h>
+
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif
static XExtensionInfo _panoramiX_ext_info_data;
static XExtensionInfo *panoramiX_ext_info = &_panoramiX_ext_info_data;
@@ -302,7 +319,7 @@ XineramaQueryScreens(
*number = rep.number;
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
} else {
*number = 0;
}
commit 470b9356af961ff7d3968b164aa73872b49a5dcc
Author: Colin Walters <walters@verbum.org>
Date: Wed Jan 4 17:37:06 2012 -0500
autogen.sh: Implement GNOME Build API
http://people.gnome.org/~walters/docs/build-api.txt
Signed-off-by: Adam Jackson <ajax@redhat.com>
diff --git a/autogen.sh b/autogen.sh
index 904cd67..fc34bd5 100755
--- a/autogen.sh
+++ b/autogen.sh
@@ -9,4 +9,6 @@ cd $srcdir
autoreconf -v --install || exit 1
cd $ORIGDIR || exit $?
-$srcdir/configure --enable-maintainer-mode "$@"
+if test -z "$NOCONFIGURE"; then
+ $srcdir/configure "$@"
+fi
commit c20859051442e4a262895a78ae934758fbdc34a0
Author: Adam Jackson <ajax@redhat.com>
Date: Tue Jan 15 14:28:48 2013 -0500
configure: Remove AM_MAINTAINER_MODE
Signed-off-by: Adam Jackson <ajax@redhat.com>
diff --git a/configure.ac b/configure.ac
index 545c946..e335508 100644
--- a/configure.ac
+++ b/configure.ac
@@ -28,7 +28,6 @@ AC_CONFIG_HEADERS([config.h])
# Initialize Automake
AM_INIT_AUTOMAKE([foreign dist-bzip2])
-AM_MAINTAINER_MODE
# Initialize libtool
AC_PROG_LIBTOOL
Reply to: