
libxxf86vm: Changes to 'debian-unstable'



 ChangeLog        |  129 ++++++++++++++++++++++++++++++++++++++++
 autogen.sh       |    5 -
 configure.ac     |    9 ++
 debian/changelog |   19 +++++
 debian/control   |    3 
 src/Makefile.am  |    4 -
 src/XF86VMode.c  |  177 ++++++++++++++++++++++++++++++-------------------------
 7 files changed, 261 insertions(+), 85 deletions(-)

New commits:
commit ac4f6914dae0851c752060864fc851d77f099cbb
Author: Julien Cristau <jcristau@debian.org>
Date:   Tue Aug 13 06:54:49 2013 +0200

    Upload to unstable

diff --git a/debian/changelog b/debian/changelog
index 796fe21..871bb6f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,10 @@
-libxxf86vm (1:1.1.3-1) UNRELEASED; urgency=low
+libxxf86vm (1:1.1.3-1) unstable; urgency=low
 
   * New upstream release.
   * Make libxxf86vm-dev Multi-Arch: same (closes: #678898).
   * Bump debhelper build-dep to 9 to match compat level.
 
- -- Julien Cristau <jcristau@debian.org>  Tue, 13 Aug 2013 06:42:28 +0200
+ -- Julien Cristau <jcristau@debian.org>  Tue, 13 Aug 2013 06:54:44 +0200
 
 libxxf86vm (1:1.1.2-1+deb7u1) wheezy-security; urgency=high
 

commit 45aa0e952baac4ce41a8ac7485d2063b36a2004f
Author: Julien Cristau <jcristau@debian.org>
Date:   Tue Aug 13 06:54:29 2013 +0200

    Bump debhelper build-dep to 9 to match compat level.

diff --git a/debian/changelog b/debian/changelog
index 014e489..796fe21 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ libxxf86vm (1:1.1.3-1) UNRELEASED; urgency=low
 
   * New upstream release.
   * Make libxxf86vm-dev Multi-Arch: same (closes: #678898).
+  * Bump debhelper build-dep to 9 to match compat level.
 
  -- Julien Cristau <jcristau@debian.org>  Tue, 13 Aug 2013 06:42:28 +0200
 
diff --git a/debian/control b/debian/control
index c781d39..8362f05 100644
--- a/debian/control
+++ b/debian/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
 Uploaders: Cyril Brulebois <kibi@debian.org>
 Build-Depends:
- debhelper (>= 8.1.2),
+ debhelper (>= 9),
  dh-autoreconf,
  libx11-dev (>= 1:0.99.2),
  x11proto-xf86vidmode-dev (>= 2.2.99.1),

commit 24620f161c37b6a6c7446b1f571a7126de082622
Author: Julien Cristau <jcristau@debian.org>
Date:   Tue Aug 13 06:44:38 2013 +0200

    Make libxxf86vm-dev Multi-Arch: same (closes: #678898).

diff --git a/debian/changelog b/debian/changelog
index 8eee281..014e489 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 libxxf86vm (1:1.1.3-1) UNRELEASED; urgency=low
 
   * New upstream release.
+  * Make libxxf86vm-dev Multi-Arch: same (closes: #678898).
 
  -- Julien Cristau <jcristau@debian.org>  Tue, 13 Aug 2013 06:42:28 +0200
 
diff --git a/debian/control b/debian/control
index 95aa8fa..c781d39 100644
--- a/debian/control
+++ b/debian/control
@@ -58,6 +58,7 @@ Description: X11 XFree86 video mode extension library (debug package)
 Package: libxxf86vm-dev
 Section: libdevel
 Architecture: any
+Multi-Arch: same
 Depends:
  ${shlibs:Depends},
  ${misc:Depends},

commit 14b0e8b1b2acbcb64ea629ae76644f482f79a764
Author: Julien Cristau <jcristau@debian.org>
Date:   Tue Aug 13 06:44:05 2013 +0200

    Bump changelogs

diff --git a/ChangeLog b/ChangeLog
index 08a7e98..225701f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,132 @@
+commit 4ca5d221d35ed6981247caa5d5069f083e83b7fb
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Thu May 30 18:43:11 2013 -0700
+
+    libXxf86vm 1.1.3
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 4c4123441e40da97acd10f58911193ad3dcef5cd
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Apr 13 14:43:48 2013 -0700
+
+    avoid integer overflow in XF86VidModeGetModeLine()
+    
+    rep.privsize is a CARD32 and needs to be bounds checked before multiplying
+    by sizeof(INT32) to come up with the total size to allocate & read to avoid
+    integer overflow, though it would not result in buffer overflow as the same
+    calculation was used for both allocation & reading from the network.
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 47bb28ac0e6e49d3b6eb90c7c215f2fcf54f1a95
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Apr 13 14:33:32 2013 -0700
+
+    memory corruption in XF86VidModeGetGammaRamp() [CVE-2013-2001]
+    
+    We trusted the server not to return more data than the client said it had
+    allocated room for, and would overflow the provided buffers if it did.
+    
+    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 284a88e21fc05a63466115b33efa411c60d988c9
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Apr 13 14:24:12 2013 -0700
+
+    Use _XEatDataWords to avoid overflow of length calculations
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit d0355b28dd53fba6fb29c350e090ed4a73d4c480
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Apr 13 17:58:28 2013 -0700
+
+    Unlock display before returning alloc error in XF86VidModeGetDotClocks()
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit 6c82906f25abcb0f8ec92bcdaf1872bd8b63ca5d
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Apr 13 17:54:45 2013 -0700
+
+    Unlock display before returning alloc error in XF86VidModeGetAllModeLines()
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit 8ed00bd0a7c44c7fece687e2566d920ea74ef809
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Apr 13 17:52:12 2013 -0700
+
+    Unlock display before returning alloc error in XF86VidModeGetModeLine()
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit a89b1ad3377bfef9bab52f15f98b00f6540d531a
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Apr 13 17:40:24 2013 -0700
+
+    Improve error handling in XF86VidModeGetMonitor()
+    
+    Ensure that when we return an error we unlock the display first, and
+    NULL out any pointers we freed in error cleanup.
+    
+    Instead of adding these fixes to every error check, instead combine
+    the error handling cleanup into a single copy.
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit ef95f1c3737d9efc7d97fb1784f80ef3540a846b
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Apr 13 15:13:06 2013 -0700
+
+    When Xcalloc() returns NULL, you don't need to Xfree() it
+    
+    I have no words to explain how this ever happened.
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit 6772336755c6eb5b46c471dd5ae2ac89101ed179
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Fri Jan 18 23:15:31 2013 -0800
+
+    Replace deprecated Automake INCLUDES variable with AM_CPPFLAGS
+    
+    Excerpt https://lists.gnu.org/archive/html/automake/2012-12/msg00038.html
+    
+      - Support for the long-deprecated INCLUDES variable will be removed
+        altogether in Automake 1.14.  The AM_CPPFLAGS variable should be
+        used instead.
+    
+    This variable was deprecated in Automake releases prior to 1.10, which is
+    the current minimum level required to build X.
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 9f56d200d3675fe3e178001112c563d548376b7a
+Author: Colin Walters <walters@verbum.org>
+Date:   Tue Jan 15 14:39:40 2013 -0500
+
+    autogen.sh: Honor NOCONFIGURE environment variable
+    
+    http://people.gnome.org/~walters/docs/build-api.txt
+    
+    Signed-off-by: Adam Jackson <ajax@redhat.com>
+
+commit 6528ae139506212644dc68a0696580c848e3f8de
+Author: Adam Jackson <ajax@redhat.com>
+Date:   Tue Jan 15 14:28:48 2013 -0500
+
+    configure: Remove AM_MAINTAINER_MODE
+    
+    Signed-off-by: Adam Jackson <ajax@redhat.com>
+
 commit a0bd361fe688590b7d62ffb3ad1c1648a22096d4
 Author: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date:   Wed Mar 7 21:39:46 2012 -0800
diff --git a/debian/changelog b/debian/changelog
index 767dc14..8eee281 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+libxxf86vm (1:1.1.3-1) UNRELEASED; urgency=low
+
+  * New upstream release.
+
+ -- Julien Cristau <jcristau@debian.org>  Tue, 13 Aug 2013 06:42:28 +0200
+
 libxxf86vm (1:1.1.2-1+deb7u1) wheezy-security; urgency=high
 
   * When Xcalloc() returns NULL, you don't need to Xfree() it

commit 4ca5d221d35ed6981247caa5d5069f083e83b7fb
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Thu May 30 18:43:11 2013 -0700

    libXxf86vm 1.1.3
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/configure.ac b/configure.ac
index b637788..d0dbcef 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,7 +1,7 @@
 
 # Initialize Autoconf
 AC_PREREQ([2.60])
-AC_INIT([libXxf86vm], [1.1.2],
+AC_INIT([libXxf86vm], [1.1.3],
         [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXxf86vm])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS(src/config.h)

commit a0177def7b14474bdb475c3c316ffd9b2821008c
Author: Julien Cristau <jcristau@debian.org>
Date:   Wed May 15 19:59:30 2013 +0200

    Upload to wheezy-security

diff --git a/debian/changelog b/debian/changelog
index b149c0d..767dc14 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+libxxf86vm (1:1.1.2-1+deb7u1) wheezy-security; urgency=high
+
+  * When Xcalloc() returns NULL, you don't need to Xfree() it
+  * Improve error handling in XF86VidModeGetMonitor()
+  * Unlock display before returning alloc error in XF86VidModeGetModeLine(),
+    XF86VidModeGetAllModeLines(), XF86VidModeGetDotClocks()
+  * memory corruption in XF86VidModeGetGammaRamp() [CVE-2013-2001]
+  * avoid integer overflow in XF86VidModeGetModeLine()
+
+ -- Julien Cristau <jcristau@debian.org>  Wed, 15 May 2013 19:35:47 +0200
+
 libxxf86vm (1:1.1.2-1) unstable; urgency=low
 
   [ Robert Hooker ]

commit 405fc9e9decd363e18fe4220820f11eaf1641f2b
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 14:43:48 2013 -0700

    avoid integer overflow in XF86VidModeGetModeLine()
    
    rep.privsize is a CARD32 and needs to be bounds checked before multiplying
    by sizeof(INT32) to come up with the total size to allocate & read to avoid
    integer overflow, though it would not result in buffer overflow as the same
    calculation was used for both allocation & reading from the network.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/XF86VMode.c b/src/XF86VMode.c
index a32564e..fb94816 100644
--- a/src/XF86VMode.c
+++ b/src/XF86VMode.c
@@ -271,7 +271,10 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
     }
 
     if (modeline->privsize > 0) {
-	modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
+	if (modeline->privsize < (INT_MAX / sizeof(INT32)))
+	    modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
+	else
+	    modeline->private = NULL;
 	if (modeline->private == NULL) {
 	    _XEatDataWords(dpy, rep.length -
 		((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2));
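Review bot: The new bound on `modeline->privsize` carries no comment saying what it protects, and a rejected oversized count is reported to the caller exactly like an allocation failure, which will confuse the next reader. I'd put above the `if`: `/* privsize is chosen by the server; bound it so privsize * sizeof(INT32) cannot overflow in the Xcalloc and _XRead below */`. The identical hunk appears again under the upstream commit 4c4123441e40 further down this page. XF86VidModeGetModeLine starts and ends outside the hunk.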

commit 4bc7287b38a085203b6a64ba1dadccc6aa629f76
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 14:33:32 2013 -0700

    memory corruption in XF86VidModeGetGammaRamp() [CVE-2013-2001]
    
    We trusted the server not to return more data than the client said it had
    allocated room for, and would overflow the provided buffers if it did.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/XF86VMode.c b/src/XF86VMode.c
index bd54937..a32564e 100644
--- a/src/XF86VMode.c
+++ b/src/XF86VMode.c
@@ -1110,6 +1110,7 @@ XF86VidModeGetGammaRamp (
     XExtDisplayInfo *info = find_display (dpy);
     xXF86VidModeGetGammaRampReq *req;
     xXF86VidModeGetGammaRampReply rep;
+    Bool result = True;
 
     XF86VidModeCheckExtension (dpy, info, False);
 
@@ -1120,19 +1121,23 @@ XF86VidModeGetGammaRamp (
     req->screen = screen;
     req->size = size;
     if (!_XReply (dpy, (xReply *) &rep, 0, xFalse)) {
-        UnlockDisplay (dpy);
-        SyncHandle ();
-        return False;
+        result = False;
     }
-    if(rep.size) {
-	_XRead(dpy, (char*)red, rep.size << 1);
-	_XRead(dpy, (char*)green, rep.size << 1);
-	_XRead(dpy, (char*)blue, rep.size << 1);
+    else if (rep.size) {
+	if (rep.size <= size) {
+	    _XRead(dpy, (char*)red, rep.size << 1);
+	    _XRead(dpy, (char*)green, rep.size << 1);
+	    _XRead(dpy, (char*)blue, rep.size << 1);
+	}
+	else {
+	    _XEatDataWords(dpy, rep.length);
+	    result = False;
+	}
     }
 
     UnlockDisplay(dpy);
     SyncHandle();
-    return True;
+    return result;
 }
 
 Bool XF86VidModeGetGammaRampSize(
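Review bot: The `rep.size <= size` comparison is the whole fix here but nothing in the code says so, and the reason for draining the reply in the else branch is equally unstated. I'd add `/* CVE-2013-2001: the server, not the caller, chooses rep.size; never read more entries than the caller allocated */` above the inner `if`, and `/* drain the rest of the reply so the stream stays in sync before failing */` before `_XEatDataWords`. The three `_XRead` calls in the accepted branch are not reconciled with `rep.length`, so a reply whose length disagrees with `rep.size` would leave the connection misaligned rather than corrupt memory — worth confirming whether `_XReply` already validates that. The same hunk is repeated under upstream commit 47bb28ac0e6e below; XF86VidModeGetGammaRamp starts outside the hunk.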

commit 2044c62b7704fdd1c12206abee919afdacc2df71
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 14:24:12 2013 -0700

    Use _XEatDataWords to avoid overflow of length calculations
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/configure.ac b/configure.ac
index e9cfa1e..c7566f1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -23,6 +23,12 @@ XORG_CHECK_MALLOC_ZERO
 # Obtain compiler/linker options for depedencies
 PKG_CHECK_MODULES(XXF86VM, xproto x11 xextproto xext [xf86vidmodeproto >= 2.2.99.1])
 
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XXF86VM_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
 AC_CONFIG_FILES([Makefile
 		src/Makefile
 		man/Makefile
diff --git a/src/XF86VMode.c b/src/XF86VMode.c
index 1b907f4..bd54937 100644
--- a/src/XF86VMode.c
+++ b/src/XF86VMode.c
@@ -30,11 +30,27 @@ from Kaleb S. KEITHLEY.
 
 /* THIS IS NOT AN X CONSORTIUM STANDARD */
 
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
 #include <X11/Xlibint.h>
 #include <X11/extensions/xf86vmproto.h>
 #include <X11/extensions/xf86vmode.h>
 #include <X11/extensions/Xext.h>
 #include <X11/extensions/extutil.h>
+#include <limits.h>
+
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+    if (n >= (ULONG_MAX >> 2))
+        _XIOError(dpy);
+# endif
+    _XEatData (dpy, n << 2);
+}
+#endif
 
 #ifdef DEBUG
 #include <stdio.h>
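Review bot: The fallback `_XEatDataWords` has no comment explaining the `ULONG_MAX >> 2` guard, which is easy to mistake for a stray sanity check and to drop in a later cleanup. I'd put above the function: `/* Discard n 32-bit words of reply data. With 32-bit longs, n << 2 wraps for n >= ULONG_MAX / 4, so treat that as a fatal I/O error instead of silently draining too little. */`. The fall-through into `_XEatData` after `_XIOError` is presumably safe only because `_XIOError` does not return in Xlib; that assumption belongs in the same comment. This hunk is repeated verbatim under upstream commit 284a88e21fc0 below.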
@@ -257,7 +273,8 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
     if (modeline->privsize > 0) {
 	modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
 	if (modeline->private == NULL) {
-	    _XEatData(dpy, (modeline->privsize) * sizeof(INT32));
+	    _XEatDataWords(dpy, rep.length -
+		((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2));
 	    result = False;
 	} else
 	    _XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32));
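Review bot: `rep.length - ((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2)` wraps to a huge unsigned value if the server reports a `rep.length` smaller than the fixed part of the reply, unless `_XReply` already rejects replies shorter than the `extra` words requested (not visible here). On a 32-bit build the fallback helper turns that into `_XIOError`; on a 64-bit build it would attempt to drain gigabytes. A guard such as `if (rep.length >= hdrwords) _XEatDataWords(dpy, rep.length - hdrwords);`, with `hdrwords` holding the existing expression, keeps the drain bounded. The same expression is used at the GetAllModeLines and GetDotClocks hunks of this commit and again in the upstream copy further down the page; XF86VidModeGetModeLine starts and ends outside the hunk.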
@@ -318,10 +335,8 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
     if (!(modelines = (XF86VidModeModeInfo **) Xcalloc(rep.modecount,
                                           sizeof(XF86VidModeModeInfo *)
                                           +sizeof(XF86VidModeModeInfo)))) {
-	if (majorVersion < 2)
-            _XEatData(dpy, (rep.modecount) * sizeof(xXF86OldVidModeModeInfo));
-	else
-            _XEatData(dpy, (rep.modecount) * sizeof(xXF86VidModeModeInfo));
+	_XEatDataWords(dpy, rep.length -
+	    ((SIZEOF(xXF86VidModeGetAllModeLinesReply) - SIZEOF(xReply)) >> 2));
 	UnlockDisplay(dpy);
 	SyncHandle();
         return False;
@@ -354,7 +369,7 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
 		if (oldxmdline.privsize > 0) {
 	            if (!(modelines[i]->private =
 			    Xcalloc(oldxmdline.privsize, sizeof(INT32)))) {
-			_XEatData(dpy, (oldxmdline.privsize) * sizeof(INT32));
+			_XEatDataWords(dpy, oldxmdline.privsize);
 		    } else {
 			_XRead(dpy, (char*)modelines[i]->private,
 			     oldxmdline.privsize * sizeof(INT32));
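Review bot: `oldxmdline.privsize * sizeof(INT32)` in the `_XRead` still multiplies the unchecked wire value, while the series bounds the equivalent `modeline->privsize` in XF86VidModeGetModeLine with `INT_MAX / sizeof(INT32)`; the same applies to `xmdline.privsize` in the next hunk. Whether the product can actually be reached with a wrapped size depends on `Xcalloc` rejecting the overflowing count first, which this hunk does not show. Applying the same bound before the `Xcalloc` here, `if (oldxmdline.privsize < (INT_MAX / sizeof(INT32)) && (modelines[i]->private = ...))`, keeps the three sites consistent. XF86VidModeGetAllModeLines starts and ends outside the hunk.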
@@ -384,7 +399,7 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
 		if (xmdline.privsize > 0) {
 		    if (!(modelines[i]->private =
 			    Xcalloc(xmdline.privsize, sizeof(INT32)))) {
-			_XEatData(dpy, (xmdline.privsize) * sizeof(INT32));
+			_XEatDataWords(dpy, xmdline.privsize);
 		    } else {
 			_XRead(dpy, (char*)modelines[i]->private,
 			     xmdline.privsize * sizeof(INT32));
@@ -902,8 +917,7 @@ XF86VidModeGetMonitor(Display* dpy, int screen, XF86VidModeMonitor* monitor)
 	monitor->hsync = monitor->vsync = NULL;
     }
     if (result == False) {
-	_XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 +
-		  ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3));
+	_XEatDataWords(dpy, rep.length);
 	Xfree(monitor->vendor);
 	monitor->vendor = NULL;
 	Xfree(monitor->model);
@@ -1036,7 +1050,8 @@ XF86VidModeGetDotClocks(Display* dpy, int screen, int *flagsPtr,
 
     dotclocks = Xcalloc(rep.clocks, sizeof(int));
     if (dotclocks == NULL) {
-        _XEatData(dpy, (rep.clocks) * 4);
+        _XEatDataWords(dpy, rep.length -
+	    ((SIZEOF(xXF86VidModeGetDotClocksReply) - SIZEOF(xReply)) >> 2));
         result = False;
     }
     else {

commit 9576ff151de495ab2b4950644076d3e5c2237a40
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 17:58:28 2013 -0700

    Unlock display before returning alloc error in XF86VidModeGetDotClocks()
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit d0355b28dd53fba6fb29c350e090ed4a73d4c480)
    
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/XF86VMode.c b/src/XF86VMode.c
index 76276b6..1b907f4 100644
--- a/src/XF86VMode.c
+++ b/src/XF86VMode.c
@@ -1014,6 +1014,7 @@ XF86VidModeGetDotClocks(Display* dpy, int screen, int *flagsPtr,
     xXF86VidModeGetDotClocksReq *req;
     int i, *dotclocks;
     CARD32 dotclk;
+    Bool result = True;
 
     XF86VidModeCheckExtension (dpy, info, False);
 
@@ -1033,19 +1034,21 @@ XF86VidModeGetDotClocks(Display* dpy, int screen, int *flagsPtr,
     *maxclocksPtr = rep.maxclocks;
     *flagsPtr     = rep.flags;
 
-    if (!(dotclocks = (int*) Xcalloc(rep.clocks, sizeof(int)))) {
+    dotclocks = Xcalloc(rep.clocks, sizeof(int));
+    if (dotclocks == NULL) {
         _XEatData(dpy, (rep.clocks) * 4);
-        return False;
+        result = False;
     }
-
-    for (i = 0; i < rep.clocks; i++) {
-        _XRead(dpy, (char*)&dotclk, 4);
-	dotclocks[i] = dotclk;
+    else {
+	for (i = 0; i < rep.clocks; i++) {
+	    _XRead(dpy, (char*)&dotclk, 4);
+	    dotclocks[i] = dotclk;
+	}
     }
     *clocksPtr = dotclocks;
     UnlockDisplay(dpy);
     SyncHandle();
-    return True;
+    return result;
 }
 
 Bool

commit 1669e72a11709b7b096d2deafb8c76885b20c9f9
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 17:54:45 2013 -0700

    Unlock display before returning alloc error in XF86VidModeGetAllModeLines()
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 6c82906f25abcb0f8ec92bcdaf1872bd8b63ca5d)
    
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/XF86VMode.c b/src/XF86VMode.c
index 28c79c1..76276b6 100644
--- a/src/XF86VMode.c
+++ b/src/XF86VMode.c
@@ -322,6 +322,8 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
             _XEatData(dpy, (rep.modecount) * sizeof(xXF86OldVidModeModeInfo));
 	else
             _XEatData(dpy, (rep.modecount) * sizeof(xXF86VidModeModeInfo));
+	UnlockDisplay(dpy);
+	SyncHandle();
         return False;
     }
     mdinfptr = (XF86VidModeModeInfo *) (

commit fbf34fff944c44272eef151dd4b4e647d7531d04
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 17:52:12 2013 -0700

    Unlock display before returning alloc error in XF86VidModeGetModeLine()
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 8ed00bd0a7c44c7fece687e2566d920ea74ef809)
    
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/XF86VMode.c b/src/XF86VMode.c
index 165f8ba..28c79c1 100644
--- a/src/XF86VMode.c
+++ b/src/XF86VMode.c
@@ -203,6 +203,7 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
     xXF86OldVidModeGetModeLineReply oldrep;
     xXF86VidModeGetModeLineReq *req;
     int majorVersion, minorVersion;
+    Bool result = True;
 
     XF86VidModeCheckExtension (dpy, info, False);
     XF86VidModeQueryVersion(dpy, &majorVersion, &minorVersion);
@@ -254,17 +255,18 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
     }
 
     if (modeline->privsize > 0) {
-	if (!(modeline->private = Xcalloc(modeline->privsize, sizeof(INT32)))) {
+	modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
+	if (modeline->private == NULL) {
 	    _XEatData(dpy, (modeline->privsize) * sizeof(INT32));
-	    return False;
-	}
-	_XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32));
+	    result = False;
+	} else
+	    _XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32));
     } else {
 	modeline->private = NULL;
     }
     UnlockDisplay(dpy);
     SyncHandle();
-    return True;
+    return result;
 }
 
 Bool
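Review bot: On the allocation-failure path `modeline->private` is left NULL while `modeline->privsize` keeps the server's non-zero count, so a caller that ignores the False return and walks `private` for `privsize` entries dereferences NULL. Since the function already reports failure, I'd either reset the count, `modeline->privsize = 0;` next to `result = False;`, or state in the function header that the contents of `*modeline` are unspecified when False is returned. XF86VidModeGetModeLine starts outside the hunk.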

commit 44cb00bb95b05a64fb524901b5c05a493377f908
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 17:40:24 2013 -0700

    Improve error handling in XF86VidModeGetMonitor()
    
    Ensure that when we return an error we unlock the display first, and
    NULL out any pointers we freed in error cleanup.
    
    Instead of adding these fixes to every error check, combine
    the error handling cleanup into a single copy.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit a89b1ad3377bfef9bab52f15f98b00f6540d531a)
    
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/XF86VMode.c b/src/XF86VMode.c
index c0e50e6..165f8ba 100644
--- a/src/XF86VMode.c
+++ b/src/XF86VMode.c
@@ -856,6 +856,7 @@ XF86VidModeGetMonitor(Display* dpy, int screen, XF86VidModeMonitor* monitor)
     xXF86VidModeGetMonitorReq *req;
     CARD32 syncrange;
     int i;
+    Bool result = True;
 
     XF86VidModeCheckExtension (dpy, info, False);
 
@@ -875,63 +876,58 @@ XF86VidModeGetMonitor(Display* dpy, int screen, XF86VidModeMonitor* monitor)
     monitor->bandwidth = (float)rep.bandwidth / 1e6;
 #endif
     if (rep.vendorLength) {
-	if (!(monitor->vendor = (char *)Xcalloc(rep.vendorLength + 1, 1))) {
-	    _XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 +
-		      ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3));
-	    return False;
-	}
+	monitor->vendor = Xcalloc(rep.vendorLength + 1, 1);
+	if (monitor->vendor == NULL)
+	    result = False;
     } else {
 	monitor->vendor = NULL;
     }
-    if (rep.modelLength) {
-	if (!(monitor->model = Xcalloc(rep.modelLength + 1, 1))) {
-	    _XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 +
-		      ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3));
-	    if (monitor->vendor)
-		Xfree(monitor->vendor);
-	    return False;
-	}
+    if (result && rep.modelLength) {
+	monitor->model = Xcalloc(rep.modelLength + 1, 1);
+	if (monitor->model == NULL)
+	    result = False;
     } else {
 	monitor->model = NULL;
     }
-    if (!(monitor->hsync = Xcalloc(rep.nhsync, sizeof(XF86VidModeSyncRange)))) {
-	_XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 +
-		  ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3));
-
-	if (monitor->vendor)
-	    Xfree(monitor->vendor);
-	if (monitor->model)
-	    Xfree(monitor->model);
-	return False;
+    if (result) {
+	monitor->hsync = Xcalloc(rep.nhsync, sizeof(XF86VidModeSyncRange));
+	monitor->vsync = Xcalloc(rep.nvsync, sizeof(XF86VidModeSyncRange));
+	if ((monitor->hsync == NULL) || (monitor->vsync == NULL))
+	    result = False;
+    } else {
+	monitor->hsync = monitor->vsync = NULL;
     }
-    if (!(monitor->vsync = Xcalloc(rep.nvsync, sizeof(XF86VidModeSyncRange)))) {
+    if (result == False) {
 	_XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 +
 		  ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3));
-	if (monitor->vendor)
-	    Xfree(monitor->vendor);
-	if (monitor->model)
-	    Xfree(monitor->model);
+	Xfree(monitor->vendor);
+	monitor->vendor = NULL;
+	Xfree(monitor->model);
+	monitor->model = NULL;
 	Xfree(monitor->hsync);
-	return False;
-    }
-    for (i = 0; i < rep.nhsync; i++) {
-	_XRead(dpy, (char *)&syncrange, 4);
-	monitor->hsync[i].lo = (float)(syncrange & 0xFFFF) / 100.0;
-	monitor->hsync[i].hi = (float)(syncrange >> 16) / 100.0;
+	monitor->hsync = NULL;
+	Xfree(monitor->vsync);
+	monitor->vsync = NULL;
     }
-    for (i = 0; i < rep.nvsync; i++) {
-	_XRead(dpy, (char *)&syncrange, 4);
-	monitor->vsync[i].lo = (float)(syncrange & 0xFFFF) / 100.0;
-	monitor->vsync[i].hi = (float)(syncrange >> 16) / 100.0;
+    else {
+	for (i = 0; i < rep.nhsync; i++) {
+	    _XRead(dpy, (char *)&syncrange, 4);
+	    monitor->hsync[i].lo = (float)(syncrange & 0xFFFF) / 100.0;
+	    monitor->hsync[i].hi = (float)(syncrange >> 16) / 100.0;
+	}
+	for (i = 0; i < rep.nvsync; i++) {
+	    _XRead(dpy, (char *)&syncrange, 4);
+	    monitor->vsync[i].lo = (float)(syncrange & 0xFFFF) / 100.0;
+	    monitor->vsync[i].hi = (float)(syncrange >> 16) / 100.0;
+	}
+	if (rep.vendorLength)
+	    _XReadPad(dpy, monitor->vendor, rep.vendorLength);
+	if (rep.modelLength)
+	    _XReadPad(dpy, monitor->model, rep.modelLength);
     }
-    if (rep.vendorLength)
-	_XReadPad(dpy, monitor->vendor, rep.vendorLength);
-    if (rep.modelLength)
-	_XReadPad(dpy, monitor->model, rep.modelLength);
-
     UnlockDisplay(dpy);
     SyncHandle();
-    return True;
+    return result;
 }
 
 Bool
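Review bot: The merged cleanup block frees all four `monitor` pointers unconditionally and relies on `Xfree(NULL)` being a no-op, which deserves a comment since the code it replaces guarded every free; I'd add `/* Xfree(NULL) is safe; clear everything so the caller never sees a dangling pointer after a False return */` above the first `Xfree`. Two smaller points: `if (result == False)` reads better as `if (!result)` to match the `if (result)` guards above it, and the loop counter `i` is an `int` compared against the reply's `nhsync`/`nvsync` fields, whose type is not visible in the hunk — if they are unsigned wire types this trips -Wsign-compare. XF86VidModeGetMonitor starts outside the hunk.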

commit 43dd2ff96958f225bd167ac8209679b58689e640
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 15:13:06 2013 -0700

    When Xcalloc() returns NULL, you don't need to Xfree() it
    
    I have no words to explain how this ever happened.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit ef95f1c3737d9efc7d97fb1784f80ef3540a846b)
    
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/XF86VMode.c b/src/XF86VMode.c
index 4f19cf3..c0e50e6 100644
--- a/src/XF86VMode.c
+++ b/src/XF86VMode.c
@@ -256,7 +256,6 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
     if (modeline->privsize > 0) {
 	if (!(modeline->private = Xcalloc(modeline->privsize, sizeof(INT32)))) {
 	    _XEatData(dpy, (modeline->privsize) * sizeof(INT32));
-	    Xfree(modeline->private);
 	    return False;
 	}
 	_XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32));
@@ -321,7 +320,6 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
             _XEatData(dpy, (rep.modecount) * sizeof(xXF86OldVidModeModeInfo));
 	else
             _XEatData(dpy, (rep.modecount) * sizeof(xXF86VidModeModeInfo));
-        Xfree(modelines);
         return False;
     }
     mdinfptr = (XF86VidModeModeInfo *) (
@@ -353,7 +351,6 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
 	            if (!(modelines[i]->private =
 			    Xcalloc(oldxmdline.privsize, sizeof(INT32)))) {
 			_XEatData(dpy, (oldxmdline.privsize) * sizeof(INT32));
-			Xfree(modelines[i]->private);
 		    } else {
 			_XRead(dpy, (char*)modelines[i]->private,
 			     oldxmdline.privsize * sizeof(INT32));
@@ -384,7 +381,6 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
 		    if (!(modelines[i]->private =
 			    Xcalloc(xmdline.privsize, sizeof(INT32)))) {
 			_XEatData(dpy, (xmdline.privsize) * sizeof(INT32));
-			Xfree(modelines[i]->private);
 		    } else {
 			_XRead(dpy, (char*)modelines[i]->private,
 			     xmdline.privsize * sizeof(INT32));
@@ -1039,7 +1035,6 @@ XF86VidModeGetDotClocks(Display* dpy, int screen, int *flagsPtr,
 
     if (!(dotclocks = (int*) Xcalloc(rep.clocks, sizeof(int)))) {
         _XEatData(dpy, (rep.clocks) * 4);
-        Xfree(dotclocks);
         return False;
     }
 

commit 4c4123441e40da97acd10f58911193ad3dcef5cd
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 14:43:48 2013 -0700

    avoid integer overflow in XF86VidModeGetModeLine()
    
    rep.privsize is a CARD32 and needs to be bounds checked before multiplying
    by sizeof(INT32) to come up with the total size to allocate & read to avoid
    integer overflow, though it would not result in buffer overflow as the same
    calculation was used for both allocation & reading from the network.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/XF86VMode.c b/src/XF86VMode.c
index a32564e..fb94816 100644
--- a/src/XF86VMode.c
+++ b/src/XF86VMode.c
@@ -271,7 +271,10 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
     }
 
     if (modeline->privsize > 0) {
-	modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
+	if (modeline->privsize < (INT_MAX / sizeof(INT32)))
+	    modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
+	else
+	    modeline->private = NULL;
 	if (modeline->private == NULL) {
 	    _XEatDataWords(dpy, rep.length -
 		((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2));

commit 47bb28ac0e6e49d3b6eb90c7c215f2fcf54f1a95
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 14:33:32 2013 -0700

    memory corruption in XF86VidModeGetGammaRamp() [CVE-2013-2001]
    
    We trusted the server not to return more data than the client said it had
    allocated room for, and would overflow the provided buffers if it did.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/XF86VMode.c b/src/XF86VMode.c
index bd54937..a32564e 100644
--- a/src/XF86VMode.c
+++ b/src/XF86VMode.c
@@ -1110,6 +1110,7 @@ XF86VidModeGetGammaRamp (
     XExtDisplayInfo *info = find_display (dpy);
     xXF86VidModeGetGammaRampReq *req;
     xXF86VidModeGetGammaRampReply rep;
+    Bool result = True;
 
     XF86VidModeCheckExtension (dpy, info, False);
 
@@ -1120,19 +1121,23 @@ XF86VidModeGetGammaRamp (
     req->screen = screen;
     req->size = size;
     if (!_XReply (dpy, (xReply *) &rep, 0, xFalse)) {
-        UnlockDisplay (dpy);
-        SyncHandle ();
-        return False;
+        result = False;
     }
-    if(rep.size) {
-	_XRead(dpy, (char*)red, rep.size << 1);
-	_XRead(dpy, (char*)green, rep.size << 1);
-	_XRead(dpy, (char*)blue, rep.size << 1);
+    else if (rep.size) {
+	if (rep.size <= size) {
+	    _XRead(dpy, (char*)red, rep.size << 1);
+	    _XRead(dpy, (char*)green, rep.size << 1);
+	    _XRead(dpy, (char*)blue, rep.size << 1);
+	}
+	else {
+	    _XEatDataWords(dpy, rep.length);
+	    result = False;
+	}
     }
 
     UnlockDisplay(dpy);
     SyncHandle();
-    return True;
+    return result;
 }
 
 Bool XF86VidModeGetGammaRampSize(

commit 284a88e21fc05a63466115b33efa411c60d988c9
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 14:24:12 2013 -0700

    Use _XEatDataWords to avoid overflow of length calculations
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/configure.ac b/configure.ac
index d8a23b0..b637788 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,6 +22,12 @@ XORG_CHECK_MALLOC_ZERO
 # Obtain compiler/linker options for depedencies
 PKG_CHECK_MODULES(XXF86VM, xproto x11 xextproto xext [xf86vidmodeproto >= 2.2.99.1])
 
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XXF86VM_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
 AC_CONFIG_FILES([Makefile
 		src/Makefile
 		man/Makefile
diff --git a/src/XF86VMode.c b/src/XF86VMode.c
index 1b907f4..bd54937 100644
--- a/src/XF86VMode.c
+++ b/src/XF86VMode.c
@@ -30,11 +30,27 @@ from Kaleb S. KEITHLEY.
 
 /* THIS IS NOT AN X CONSORTIUM STANDARD */
 
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
 #include <X11/Xlibint.h>
 #include <X11/extensions/xf86vmproto.h>
 #include <X11/extensions/xf86vmode.h>
 #include <X11/extensions/Xext.h>
 #include <X11/extensions/extutil.h>
+#include <limits.h>
+
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+    if (n >= (ULONG_MAX >> 2))
+        _XIOError(dpy);
+# endif
+    _XEatData (dpy, n << 2);
+}
+#endif
 
 #ifdef DEBUG
 #include <stdio.h>
@@ -257,7 +273,8 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
     if (modeline->privsize > 0) {
 	modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
 	if (modeline->private == NULL) {
-	    _XEatData(dpy, (modeline->privsize) * sizeof(INT32));
+	    _XEatDataWords(dpy, rep.length -
+		((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2));
 	    result = False;
 	} else
 	    _XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32));
@@ -318,10 +335,8 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
     if (!(modelines = (XF86VidModeModeInfo **) Xcalloc(rep.modecount,
                                           sizeof(XF86VidModeModeInfo *)
                                           +sizeof(XF86VidModeModeInfo)))) {
-	if (majorVersion < 2)
-            _XEatData(dpy, (rep.modecount) * sizeof(xXF86OldVidModeModeInfo));
-	else
-            _XEatData(dpy, (rep.modecount) * sizeof(xXF86VidModeModeInfo));
+	_XEatDataWords(dpy, rep.length -
+	    ((SIZEOF(xXF86VidModeGetAllModeLinesReply) - SIZEOF(xReply)) >> 2));
 	UnlockDisplay(dpy);
 	SyncHandle();
         return False;

