
libxrender: Changes to 'upstream-unstable'



 configure.ac       |   10 ++--------
 doc/libXrender.txt |    5 ++++-
 src/Filter.c       |   13 ++++++++++++-
 src/Glyph.c        |    2 +-
 src/Xrender.c      |   18 ++++++++++++++++++
 src/Xrenderint.h   |   14 --------------
 6 files changed, 37 insertions(+), 25 deletions(-)

New commits:
commit 845716f8f14963d338e5a8d5d2424baafc90fb30
Author: Matthieu Herrb <matthieu.herrb@laas.fr>
Date:   Tue Oct 4 21:24:55 2016 +0200

    libXrender 0.9.10
    
    Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>

diff --git a/configure.ac b/configure.ac
index ff83023..e5b82b1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -29,7 +29,7 @@ AC_PREREQ([2.60])
 # digit in the version number to track changes which don't affect the
 # protocol, so Xrender version l.n.m corresponds to protocol version l.n
 #
-AC_INIT(libXrender, [0.9.9],
+AC_INIT(libXrender, [0.9.10],
 	[https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXrender])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS([config.h])

commit 9362c7ddd1af3b168953d0737877bc52d79c94f4
Author: Tobias Stoeckmann <tobias@stoeckmann.org>
Date:   Sun Sep 25 21:43:09 2016 +0200

    Validate lengths while parsing server data.
    
    Individual lengths inside received server data can overflow
    the previously reserved memory.
    
    It is therefore important to validate every single length
    field to not overflow the previously agreed sum of all individual
    length fields.
    
    v2: consume remaining bytes in the reply buffer on error.
    
    Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
    Reviewed-by: Matthieu Herrb@laas.fr

diff --git a/src/Xrender.c b/src/Xrender.c
index 3102eb2..71cf3e6 100644
--- a/src/Xrender.c
+++ b/src/Xrender.c
@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy)
 	screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
 	screen->subpixel = SubPixelUnknown;
 	xDepth = (xPictDepth *) (xScreen + 1);
+	if (screen->ndepths > rep.numDepths) {
+	    Xfree (xri);
+	    Xfree (xData);
+	    _XEatDataWords (dpy, rep.length);
+	    UnlockDisplay (dpy);
+	    SyncHandle ();
+	    return 0;
+	}
+	rep.numDepths -= screen->ndepths;
 	for (nd = 0; nd < screen->ndepths; nd++)
 	{
 	    depth->depth = xDepth->depth;
 	    depth->nvisuals = xDepth->nPictVisuals;
 	    depth->visuals = visual;
 	    xVisual = (xPictVisual *) (xDepth + 1);
+	    if (depth->nvisuals > rep.numVisuals) {
+		Xfree (xri);
+		Xfree (xData);
+		_XEatDataWords (dpy, rep.length);
+		UnlockDisplay (dpy);
+		SyncHandle ();
+		return 0;
+	    }
+	    rep.numVisuals -= depth->nvisuals;
 	    for (nv = 0; nv < depth->nvisuals; nv++)
 	    {
 		visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
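Review bot: Both new error paths call `_XEatDataWords (dpy, rep.length)` after freeing `xData`, yet the loop parses through pointers into `xData` (`xDepth`, `xVisual`), which suggests the reply body has already been read off the connection. If so, eating another `rep.length` words would discard or block on data belonging to later replies, and the error paths should only free, unlock and return. The read is outside the hunk, so confirm this against the top of XRenderQueryFormats. Separately, the new checks budget the counts that size the destination arrays, but nothing visible here bounds the walk of `xDepth`/`xVisual` against the end of the `xData` buffer, so a reply whose counts exceed its payload may still be read past the buffer. The two identical cleanup blocks would also be easier to keep correct as a single `goto` label.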

commit 8fad00b0b647ee662ce4737ca15be033b7a21714
Author: Tobias Stoeckmann <tobias@stoeckmann.org>
Date:   Sun Sep 25 21:42:09 2016 +0200

    Avoid OOB write in XRenderQueryFilters
    
    The memory for filter names is reserved right after receiving the reply.
    After that, filters are iterated and each individual filter name is
    stored in that reserved memory.
    
    The individual name lengths are not checked for validity, which means
    that a malicious server can reserve less memory than it will write to
    during each iteration.
    
    v2: consume remaining bytes in reply buffer on error.
    
    Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>

diff --git a/src/Filter.c b/src/Filter.c
index edfa572..8d701eb 100644
--- a/src/Filter.c
+++ b/src/Filter.c
@@ -38,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
     char			*name;
     char			len;
     int				i;
-    unsigned long		nbytes, nbytesAlias, nbytesName;
+    unsigned long		nbytes, nbytesAlias, nbytesName, reply_left;
 
     if (!RenderHasExtension (info))
 	return NULL;
@@ -114,6 +114,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
      * Read the filter aliases
      */
     _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases);
+    reply_left = 8 + rep.length - 2 * rep.numAliases;;
 
     /*
      * Read the filter names
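Review bot: `reply_left` is initialised in mixed units at `reply_left = 8 + rep.length - 2 * rep.numAliases;;`: `rep.length` counts 4-byte words while `2 * rep.numAliases` is a byte count. The loop in the next hunk then decrements it per byte read before passing it to `_XEatDataWords`, which takes words. Because `reply_left` is `unsigned long`, the byte-wise subtractions can wrap around when the reply carries enough name data, so the error path may try to drain far more than the reply holds. Tracking the remainder in bytes, e.g. `reply_left = ((unsigned long) rep.length << 2) - nbytesAlias;`, and draining with `_XEatData (dpy, reply_left)` would keep the units consistent; this assumes `nbytesAlias` (computed outside the hunk) is the padded size that `_XRead16Pad` consumes. The `8 +` term has no visible justification, and the statement ends in a stray second semicolon.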
@@ -122,9 +123,19 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
     {
 	int	l;
 	_XRead (dpy, &len, 1);
+	reply_left--;
 	l = len & 0xff;
+	if ((unsigned long)l + 1 > nbytesName) {
+            _XEatDataWords(dpy, reply_left);
+	    Xfree(filters);
+	    UnlockDisplay (dpy);
+	    SyncHandle ();
+	    return NULL;
+	}
+	nbytesName -= l + 1;
 	filters->filter[i] = name;
 	_XRead (dpy, name, l);
+        reply_left -= l;
 	name[l] = '\0';
 	name += l + 1;
     }
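Review bot: The added lines `_XEatDataWords(dpy, reply_left);` and `reply_left -= l;` are indented with spaces while the rest of the loop uses tabs, and the new calls drop the space before the parenthesis that the neighbouring `UnlockDisplay (dpy)` keeps; matching the file's style keeps later diffs clean. The length check would also benefit from a one-line comment such as `/* name plus its NUL must fit in what is left of the name buffer */`, since `nbytesName` is repurposed here as a running remainder. The `for` header and the allocation that `nbytesName` describes are outside the hunk.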

commit b2df5bc42f64b45e44dbad61f3386bcb5ec1383d
Author: Lauri Kasanen <cand@gmx.com>
Date:   Mon May 18 19:41:03 2015 +0300

    Fix documentation to explicitly mention premultiplied alpha
    
    Before this patch, it wasn't mentioned in this file at all, which
    is a monumental oversight.
    
    Signed-off-by: Lauri Kasanen <cand@gmx.com>

diff --git a/doc/libXrender.txt b/doc/libXrender.txt
index 27cc75d..753ee98 100644
--- a/doc/libXrender.txt
+++ b/doc/libXrender.txt
@@ -84,7 +84,8 @@ as a separate argument which marks the valid entries.
 2.4 Colors
 
 The core protocol XColor type doesn't include an alpha component, so Xrender
-has a separate type.
+has a separate type. Note that XRender expects premultiplied alpha in all
+cases except with the gradient operations.
 
 	typedef struct {
 	    unsigned short   red;
@@ -526,6 +527,8 @@ conceptually built.
 7.1 Composite
 
 XRenderComposite exposes the RenderComposite protocol request directly.
+If a format with alpha is used, make sure it is premultiplied into the
+color channels.
 
 	void
 	XRenderComposite (Display   *dpy,

commit bb890936bcc6053cb7a46cd9225c257ff1be389f
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Thu Apr 30 22:29:55 2015 -0700

    libXrender 0.9.9
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/configure.ac b/configure.ac
index b5726f0..ff83023 100644
--- a/configure.ac
+++ b/configure.ac
@@ -29,7 +29,7 @@ AC_PREREQ([2.60])
 # digit in the version number to track changes which don't affect the
 # protocol, so Xrender version l.n.m corresponds to protocol version l.n
 #
-AC_INIT(libXrender, [0.9.8],
+AC_INIT(libXrender, [0.9.9],
 	[https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXrender])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS([config.h])

commit 7887382e59b7a06d6b02501205d543fdf76c8249
Author: Clemens Eisserer <linuxhippy@gmail.com>
Date:   Sat Nov 23 22:15:52 2013 -0800

    Fix request length calculation for XRenderCompositeText32
    
    Request length calculation inside XRenderCompositeText32 is broken for
    the case where the number of glyphs fits exactly inside the last
    xGlyphElt.
    
    In XRenderCompositeText8 and XRenderCompositeText16 this case is
    handled properly, somehow the "-1" got missing in
    XRenderCompositeText32.
    
    Reviewed-by: Keith Packard <keithp@keithp.com>

diff --git a/src/Glyph.c b/src/Glyph.c
index dbeb77e..48e40c3 100644
--- a/src/Glyph.c
+++ b/src/Glyph.c
@@ -665,7 +665,7 @@ XRenderCompositeText32 (Display			    *dpy,
 	    len += (SIZEOF (xGlyphElt) + 4) >> 2;
 	}
 	nchars = elts[i].nchars;
-	elen = SIZEOF(xGlyphElt) * ((nchars + MAX_32) / MAX_32) + nchars *4;
+	elen = SIZEOF(xGlyphElt) * ((nchars + MAX_32-1) / MAX_32) + nchars *4;
 	len += (elen + 3) >> 2;
     }
 
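Review bot: The corrected ceiling division `(nchars + MAX_32-1) / MAX_32` is uncommented, and the commit message implies the same formula is written out separately in XRenderCompositeText8 and XRenderCompositeText16, which is presumably how the `-1` was lost here. A comment such as `/* one xGlyphElt header per MAX_32 glyphs, rounded up */` on the `elen` line, or a small shared macro for the header count, would make the three variants harder to drift apart. The other two functions are not visible in this hunk, so check the shared-macro suggestion against them.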

commit 2222b0fbff96b9f0324bb1e2f56416c84be23c3b
Author: Michael Joost <mehl@michael-joost.de>
Date:   Mon Nov 18 16:11:26 2013 +0100

    Remove fallback for _XEatDataWords, require libX11 1.6 for it
    
    _XEatDataWords was originally introduced with the May 2013 security
    patches, and in order to ease the process of delivering those,
    fallback versions of _XEatDataWords were included in the X extension
    library patches so they could be applied to older versions that didn't
    have libX11 1.6 yet.   Now that we're past that hurdle, we can drop
    the fallbacks and just require libX11 1.6 for building new versions
    of the extension libraries.
    
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/configure.ac b/configure.ac
index 4e6b271..b5726f0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -56,13 +56,7 @@ RENDER_VERSION=[`echo $VERSION | sed 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/'`]
 AC_SUBST(RENDER_VERSION)
 
 # Obtain compiler/linker options for depedencies
-PKG_CHECK_MODULES(RENDER, x11 renderproto >= $RENDER_VERSION)
-
-# Check for _XEatDataWords function that may be patched into older Xlib release
-SAVE_LIBS="$LIBS"
-LIBS="$RENDER_LIBS"
-AC_CHECK_FUNCS([_XEatDataWords])
-LIBS="$SAVE_LIBS"
+PKG_CHECK_MODULES(RENDER, [x11 >= 1.6] renderproto >= $RENDER_VERSION)
 
 AC_CONFIG_FILES([Makefile
 		src/Makefile
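Review bot: The module list in `PKG_CHECK_MODULES(RENDER, [x11 >= 1.6] renderproto >= $RENDER_VERSION)` is only partly quoted. It works because m4 concatenates the pieces, but quoting the whole argument, `PKG_CHECK_MODULES(RENDER, [x11 >= 1.6 renderproto >= $RENDER_VERSION])`, is the conventional form and avoids surprises if a comma or macro name ever appears in the list. A short comment noting that 1.6 is required for `_XEatDataWords` would preserve the reason now that the explanatory check is removed.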
diff --git a/src/Xrenderint.h b/src/Xrenderint.h
index daaa6fe..57b13da 100644
--- a/src/Xrenderint.h
+++ b/src/Xrenderint.h
@@ -109,18 +109,4 @@ XRenderFindDisplay (Display *dpy);
 #define DataInt32(dpy,d,len)	Data(dpy,(char *) (d),len)
 #endif
 
-#ifndef HAVE__XEATDATAWORDS
-#include <X11/Xmd.h>  /* for LONG64 on 64-bit platforms */
-#include <limits.h>
-
-static inline void _XEatDataWords(Display *dpy, unsigned long n)
-{
-# ifndef LONG64
-    if (n >= (ULONG_MAX >> 2))
-        _XIOError(dpy);
-# endif
-    _XEatData (dpy, n << 2);
-}
-#endif
-
 #endif /* _XRENDERINT_H_ */

