libxi: Changes to 'debian-unstable'
ChangeLog | 47 ++++++++++++++++++++++++++++++++++++++++++++++
configure.ac | 2 -
debian/changelog | 4 +--
man/XListInputDevices.txt | 12 +++++++++--
src/XListDev.c | 45 ++++++++++++++++++++++++--------------------
5 files changed, 85 insertions(+), 25 deletions(-)
New commits:
commit 9004ba18e0a63a77202daaa10958694b6d62e914
Author: Andreas Boll <andreas.boll.dev@gmail.com>
Date: Tue Oct 25 11:49:55 2016 +0200
Close bug #840440
diff --git a/debian/changelog b/debian/changelog
index 4bc177e..507a79d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,7 @@
libxi (2:1.7.8-1) UNRELEASED; urgency=medium
* New upstream release.
- - Fixes CVE-2016-7945 and CVE-2016-7946.
+ - Fixes CVE-2016-7945 and CVE-2016-7946 (Closes: #840440).
* Update d/upstream/signing-key.asc with Matthieu Herrb's key.
* Update a bunch of URLs in packaging to https.
* Bump Standards-Version to 3.9.8, no changes needed.
commit c7f7a08c647c66380cc8ce592ddaae1c393fe65c
Author: Andreas Boll <andreas.boll.dev@gmail.com>
Date: Tue Oct 25 11:45:01 2016 +0200
Bump changelogs
diff --git a/ChangeLog b/ChangeLog
index bf3e809..3737961 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,50 @@
+commit 1bdeb431c3cc9eec7e12fdd29a83237f2f228865
+Author: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue Oct 25 12:43:44 2016 +1000
+
+ libXi 1.7.8
+
+ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit 43904c9c5a0f5750a03a9bd8c96ccda182eb5a9a
+Author: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu Oct 13 13:33:11 2016 +1000
+
+ XListInputDevices: don't touch ndevices in case of error
+
+ We used to always set *ndevices to the number of devices returned by the
+ server. This magically worked because we pretty much never returned an error
+ except on faulty server or library implementations. With 19a9cd60 we now have
+ more chances of getting an error, so the polite thing is to just leave *ndevices
+ alone when we error out.
+
+ Document it as such in the man page, just in case someone accidentally reads
+ it.
+
+ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+ CC: Niels Ole Salscheider <niels_ole@salscheider-online.de>
+ Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
+
+commit b843fe1c0a6b4dbaae9f364042c6a247249305ef
+Author: Niels Ole Salscheider <niels_ole@salscheider-online.de>
+Date: Fri Oct 7 21:46:44 2016 +0200
+
+ SizeClassInfo can return 0 even without an error
+
+ Catch the error case separately. Commit 19a9cd607d added length checking to
+ SizeClassInfo but re-used the return value of 0 for an error. A device without
+ classes (as is initialized by xf86-input-libinput for tablets) can
+ legitimately return 0 and erroneously triggers an error.
+ Fix this by using a separate value for the error.
+
+ Reproducible by calling XListInputDevices() with a tablet attached.
+
+ This fixes a regression introduced in commit 19a9cd607d.
+
+ Signed-off-by: Niels Ole Salscheider <niels_ole@salscheider-online.de>
+ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+ Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
+
commit 8e0476653dd134cee84f4e893f656b2f93c4e3b0
Author: Matthieu Herrb <matthieu.herrb@laas.fr>
Date: Tue Oct 4 21:14:01 2016 +0200
diff --git a/debian/changelog b/debian/changelog
index aed45a9..4bc177e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-libxi (2:1.7.7-1) UNRELEASED; urgency=medium
+libxi (2:1.7.8-1) UNRELEASED; urgency=medium
* New upstream release.
- Fixes CVE-2016-7945 and CVE-2016-7946.
commit 1bdeb431c3cc9eec7e12fdd29a83237f2f228865
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue Oct 25 12:43:44 2016 +1000
libXi 1.7.8
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
diff --git a/configure.ac b/configure.ac
index f7d322c..3b84c74 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,7 +1,7 @@
# Initialize Autoconf
AC_PREREQ([2.60])
-AC_INIT([libXi], [1.7.7],
+AC_INIT([libXi], [1.7.8],
[https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXi])
AC_CONFIG_SRCDIR([Makefile.am])
AC_CONFIG_HEADERS([src/config.h])
commit 43904c9c5a0f5750a03a9bd8c96ccda182eb5a9a
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date: Thu Oct 13 13:33:11 2016 +1000
XListInputDevices: don't touch ndevices in case of error
We used to always set *ndevices to the number of devices returned by the
server. This magically worked because we pretty much never returned an error
except on faulty server or library implementations. With 19a9cd60 we now have
more chances of getting an error, so the polite thing is to just leave *ndevices
alone when we error out.
Document it as such in the man page, just in case someone accidentally reads
it.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
CC: Niels Ole Salscheider <niels_ole@salscheider-online.de>
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
diff --git a/man/XListInputDevices.txt b/man/XListInputDevices.txt
index 276660d..450f377 100644
--- a/man/XListInputDevices.txt
+++ b/man/XListInputDevices.txt
@@ -220,5 +220,13 @@ DESCRIPTION
Floating. If the device is a master device, attached specifies
the device ID of the master device this device is paired with.
- To free the XDeviceInfo array created by XListInputDevices, use
- XFreeDeviceList.
+RETURN VALUE
+------------
+
+ XListInputDevices returns a pointer to an array of XDeviceInfo
+ structs and sets ndevices_return to the number of elements in
+ that array. To free the XDeviceInfo array created by
+ XListInputDevices, use XFreeDeviceList.
+
+ On error, XListInputDevices returns NULL and ndevices_return is
+ left unmodified.
diff --git a/src/XListDev.c b/src/XListDev.c
index e4bd3d5..dda6011 100644
--- a/src/XListDev.c
+++ b/src/XListDev.c
@@ -175,7 +175,7 @@ ParseClassInfo(xAnyClassPtr *any, XAnyClassPtr *Any, int num_classes)
XDeviceInfo *
XListInputDevices(
register Display *dpy,
- int *ndevices)
+ int *ndevices_return)
{
size_t s, size;
xListInputDevicesReq *req;
@@ -190,6 +190,7 @@ XListInputDevices(
int i;
unsigned long rlen;
XExtDisplayInfo *info = XInput_find_display(dpy);
+ int ndevices;
LockDisplay(dpy);
if (_XiCheckExtInit(dpy, XInput_Initial_Release, info) == -1)
@@ -205,8 +206,8 @@ XListInputDevices(
return (XDeviceInfo *) NULL;
}
- if ((*ndevices = rep.ndevices)) { /* at least 1 input device */
- size = *ndevices * sizeof(XDeviceInfo);
+ if ((ndevices = rep.ndevices)) { /* at least 1 input device */
+ size = ndevices * sizeof(XDeviceInfo);
if (rep.length < (INT_MAX >> 2)) {
rlen = rep.length << 2; /* multiply length by 4 */
slist = list = Xmalloc(rlen);
@@ -219,17 +220,17 @@ XListInputDevices(
}
_XRead(dpy, (char *)list, rlen);
- any = (xAnyClassPtr) ((char *)list + (*ndevices * sizeof(xDeviceInfo)));
+ any = (xAnyClassPtr) ((char *)list + (ndevices * sizeof(xDeviceInfo)));
sav_any = any;
end = (char *)list + rlen;
- for (i = 0; i < *ndevices; i++, list++) {
+ for (i = 0; i < ndevices; i++, list++) {
if(SizeClassInfo(&any, end - (char *)any, (int)list->num_classes, &s))
goto out;
size += s;
}
Nptr = ((unsigned char *)list) + rlen;
- for (i = 0, nptr = (unsigned char *)any; i < *ndevices; i++) {
+ for (i = 0, nptr = (unsigned char *)any; i < ndevices; i++) {
if (nptr >= Nptr)
goto out;
size += *nptr + 1;
@@ -245,10 +246,10 @@ XListInputDevices(
}
sclist = clist;
Any = (XAnyClassPtr) ((char *)clist +
- (*ndevices * sizeof(XDeviceInfo)));
+ (ndevices * sizeof(XDeviceInfo)));
list = slist;
any = sav_any;
- for (i = 0; i < *ndevices; i++, list++, clist++) {
+ for (i = 0; i < ndevices; i++, list++, clist++) {
clist->type = list->type;
clist->id = list->id;
clist->use = list->use;
@@ -261,7 +262,7 @@ XListInputDevices(
clist = sclist;
nptr = (unsigned char *)any;
Nptr = (unsigned char *)Any;
- for (i = 0; i < *ndevices; i++, clist++) {
+ for (i = 0; i < ndevices; i++, clist++) {
clist->name = (char *)Nptr;
memcpy(Nptr, nptr + 1, *nptr);
Nptr += (*nptr);
@@ -270,6 +271,8 @@ XListInputDevices(
}
}
+ *ndevices_return = ndevices;
+
out:
XFree((char *)slist);
UnlockDisplay(dpy);
commit b843fe1c0a6b4dbaae9f364042c6a247249305ef
Author: Niels Ole Salscheider <niels_ole@salscheider-online.de>
Date: Fri Oct 7 21:46:44 2016 +0200
SizeClassInfo can return 0 even without an error
Catch the error case separately. Commit 19a9cd607d added length checking to
SizeClassInfo but re-used the return value of 0 for an error. A device without
classes (as is initialized by xf86-input-libinput for tablets) can
legitimately return 0 and erroneously triggers an error.
Fix this by using a separate value for the error.
Reproducible by calling XListInputDevices() with a tablet attached.
This fixes a regression introduced in commit 19a9cd607d.
Signed-off-by: Niels Ole Salscheider <niels_ole@salscheider-online.de>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
diff --git a/src/XListDev.c b/src/XListDev.c
index f850cd0..e4bd3d5 100644
--- a/src/XListDev.c
+++ b/src/XListDev.c
@@ -73,27 +73,28 @@ static int pad_to_xid(int base_size)
return ((base_size + padsize - 1)/padsize) * padsize;
}
-static size_t
-SizeClassInfo(xAnyClassPtr *any, size_t len, int num_classes)
+static int
+SizeClassInfo(xAnyClassPtr *any, size_t len, int num_classes, size_t *size)
{
- int size = 0;
int j;
+ size_t sz = 0;
+
for (j = 0; j < num_classes; j++) {
switch ((*any)->class) {
case KeyClass:
- size += pad_to_xid(sizeof(XKeyInfo));
+ sz += pad_to_xid(sizeof(XKeyInfo));
break;
case ButtonClass:
- size += pad_to_xid(sizeof(XButtonInfo));
+ sz += pad_to_xid(sizeof(XButtonInfo));
break;
case ValuatorClass:
{
xValuatorInfoPtr v;
if (len < sizeof(v))
- return 0;
+ return 1;
v = (xValuatorInfoPtr) *any;
- size += pad_to_xid(sizeof(XValuatorInfo) +
+ sz += pad_to_xid(sizeof(XValuatorInfo) +
(v->num_axes * sizeof(XAxisInfo)));
break;
}
@@ -101,11 +102,13 @@ SizeClassInfo(xAnyClassPtr *any, size_t len, int num_classes)
break;
}
if ((*any)->length > len)
- return 0;
+ return 1;
*any = (xAnyClassPtr) ((char *)(*any) + (*any)->length);
}
- return size;
+ *size = sz;
+
+ return 0;
}
static void
@@ -220,8 +223,7 @@ XListInputDevices(
sav_any = any;
end = (char *)list + rlen;
for (i = 0; i < *ndevices; i++, list++) {
- s = SizeClassInfo(&any, end - (char *)any, (int)list->num_classes);
- if (!s)
+ if(SizeClassInfo(&any, end - (char *)any, (int)list->num_classes, &s))
goto out;
size += s;
}
Reply to: