-
2d20890e
by Arthur Huillet
at 2017-03-07T20:39:51Z
_XDefaultError: set XlibDisplayIOError flag before calling exit
_XReply isn't reentrant, and it can lead to deadlocks when the default error
handler is called: _XDefaultError calls exit(1). It is called indirectly by
_XReply when a X protocol error comes in that isn't filtered/handled by an
extension or the application. This means that if the application (or one of its
loaded shared libraries such as the NVIDIA OpenGL driver) has registered any
_fini destructor, _fini will get called while still on the call stack of
_XReply. If the destructor interacts with the X server and calls _XReply, it
will hit a deadlock, looping on the following in _XReply:
ConditionWait(dpy, dpy->xcb->reply_notify);
It is legal for an application to make Xlib calls during _fini, and that is
useful for an OpenGL driver to avoid resource leaks on the X server side, for
example in the dlopen/dlclose case. However, the driver can not readily tell
whether its _fini is being called because Xlib called exit, or for another
reason (dlclose), so it is hard to cleanly work around this issue in the driver.
This change makes it so _XReply effectively becomes a no-op when called after
_XDefaultError was called, as though an XIOError had happened. The dpy
connection isn't broken at that point, but any call to _XReply is going to hang.
This is a bit of a kludge, because the more correct solution would be to make
_XReply reentrant, maybe by broadcasting the reply_notify condition before
calling the default error handler. However, such a change would carry a grater
risk of introducing regressions in Xlib.
This change will drop some valid requests on the floor, but this should not
matter, as it will only do so in the case where the application is dying: X will
clean up after it once exit() is done running. There is the case of
XSetCloseDownMode(RETAIN_PERMANENT), but an application using that and wishing
to clean up resources in _fini would currently be hitting a deadlock, which is
hardly a better situation.
Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
Reviewed-by: Jamey Sharp <jamey@minilop.net>
-
c6dadd4c
by Alan Coopersmith
at 2017-03-24T22:19:18Z
Make Xkb{Get,Set}NamedIndicator spec & manpages match code
The XKB Library spec and the man pages for XkbGetNamedIndicator &
XkbSetNamedIndicator included a device_spec argument neither function
takes, and do not include the XkbGetNamedDeviceIndicator &
XkbSetNamedDeviceIndicator variants that do take it (along with two
other arguments).
This updates them to match the interfaces the code has provided for
decades.
This has been reported multiple times, so this fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=251
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729812
Sun Bug 4528016 XkbSetNamedIndicator & XkbGetNamedIndicator man pages are wrong
(filed: alan.coopersmith@sun.com 2001-11-15 - now aka Oracle bug 15087506)
X.Org Group Defect Id #9418
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
-
b856d5d9
by Alan Coopersmith
at 2017-03-24T22:19:27Z
Clarify state parameter to XkbSetNamedDeviceIndicator
Checking a Bool to see if it's NULL does not work well in C.
Also reported in https://bugs.freedesktop.org/show_bug.cgi?id=251
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
-
7d2010fe
by Alan Coopersmith
at 2017-04-07T07:13:03Z
Improve table formatting in XkbChangeControls & XkbKeyNumGroups man pages
Includes fix for Solaris Bug 24564279: "XkbKeyNumGroups.3x11 man page
contains some malformed text" caused by extra whitespace after .TE macros
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
4fe66b1c
by Ryan C. Gordon
at 2017-08-06T23:25:25Z
Valgrind fix for XStoreColor and XStoreColors.
If the "pad" field isn't set, Valgrind will report it as uninitialized
memory accesses when the struct is copied into the Display's send buffer.
In practice, this is (probably) harmless, but Valgrind is correct in
believing it's a bug.
https://bugs.freedesktop.org/attachment.cgi?id=133189
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
83107a67
by walter harms
at 2017-08-14T16:02:39Z
fix shadow warning
Signed-off-by: walter harms <wharms@bfs.de>
-
6ec901eb
by walter harms
at 2017-08-14T16:02:39Z
_XIOError(dpy); will never return so remore dead
Signed-off-by: walter harms <wharms@bfs.de>
-
916dffad
by walter harms
at 2017-08-14T16:02:40Z
remove argument check for free() adjust one inden
Signed-off-by: walter harms <wharms@bfs.de>
-
0355c392
by walter harms
at 2017-08-14T16:02:40Z
fix shadow char_size
Signed-off-by: walter harms <wharms@bfs.de>
-
d02c2466
by walter harms
at 2017-08-14T16:12:35Z
fix more shadow warning
Signed-off-by: walter harms <wharms@bfs.de>
-
714921f0
by walter harms
at 2017-08-14T16:12:35Z
no need to check argument for _XkbFree()
simplify code by removing unneeded checks
Signed-off-by: walter harms <wharms@bfs.de>
-
c1c14af4
by walter harms
at 2017-08-14T16:28:18Z
remove stray extern
remove stray extern
Signed-off-by: walter harms <wharms@bfs.de>
-
7c78fc57
by walter harms
at 2017-08-14T16:28:18Z
no need to check args for Xfree()
simplify code
Signed-off-by: walter harms <wharms@bfs.de>
-
ed9f0d34
by walter harms
at 2017-08-14T16:28:18Z
fix memleak in error path
V2: remove unneeded NULL (reported by eric.engestrom@imgtec.com)
fix mem leak in error path
Signed-off-by: walter harms <wharms@bfs.de>
-
433477fc
by walter harms
at 2017-08-14T16:54:44Z
fix memleak in error path
free all mem on error
Signed-off-by: walter harms <wharms@bfs.de>
-
9abe8380
by walter harms
at 2017-08-20T19:41:41Z
no need to check XFree arguments
You can save a bit of code. The is no need to check XFree arguments bring free_fontdataOM in line with other free function and check for NULL arg
Signed-off-by: harms wharms@bfs.de
-
bf82ec04
by walter harms
at 2017-08-20T19:44:26Z
mark _XDefaultIOError as no_return
mark _XDefaultIOError as no_return. No one comes back from exit() ...
Signed-off-by: harms wharms@bfs.de
-
2911c39c
by walter harms
at 2017-08-20T19:47:05Z
Fixes: warning: variable 'req' set but not,used
Fixes: warning: variable 'req' set but not used [-Wunused-but-set-variable]
by marking req _X_UNUSED
Solution was discussed on xorg-devel ML
Peter Hutter, Alan Coopersmith
Re: [PATCH libX11 3/5] fix: warning: pointer targets in passing argument 2 of '_XSend' differ in signedness [-Wpointer-sign]
Signed-off-by: harms wharms@bfs.de
-
e02dfe54
by wharms
at 2017-08-20T19:50:33Z
add _X_UNUSED to avoid unused variable warnings
-
36a1ac02
by wharms
at 2017-08-20T19:51:57Z
remove empty line
-
e835a9dc
by wharms
at 2017-09-03T12:17:45Z
silence gcc warning assignment discards 'const' qualifier from pointer target type
-
34f4464f
by Alan Coopersmith
at 2018-03-07T22:50:32Z
If XGetImage fails to create image, don't dereference it to bounds check
Reported by gcc 7.3:
GetImage.c:110:25: warning: potential null pointer dereference [-Wnull-dereference]
if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||
~~~~~^~~~~~~~
Introduced by 8ea762f94f4c942d898fdeb590a1630c83235c17 in Xlib 1.6.4
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
-
a9dafdd5
by Michal Srb
at 2018-03-23T04:32:05Z
Use flexible array member instead of fake size.
The _XimCacheStruct structure is followed in memory by two strings containing
fname and encoding. The memory was accessed using the last member of the
structure `char fname[1]`. That is a lie, prohibits us from using sizeof and
confuses checkers. Lets declare it properly as a flexible array, so compilers
don't complain about writing past that array. As bonus we can replace the
XOffsetOf with regular sizeof.
Fixes GCC8 error:
In function 'strcpy',
inlined from '_XimWriteCachedDefaultTree' at imLcIm.c:479:5,
inlined from '_XimCreateDefaultTree' at imLcIm.c:616:2,
inlined from '_XimLocalOpenIM' at imLcIm.c:700:5:
/usr/include/bits/string_fortified.h:90:10: error: '__builtin_strcpy'
forming offset 2 is out of the bounds [0, 1] [-Werror=array-bounds]
return __builtin___strcpy_chk (__dest, __src, __bos (__dest));
Caused by this line seemingly writing past the fname[1] array:
imLcIm.c:479: strcpy (m->fname+strlen(name)+1, encoding);
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-
50a5a989
by Bhavi Dhingra
at 2018-03-24T18:13:46Z
Fix possible memory leak in cmsProp.c:140
https://bugs.freedesktop.org/show_bug.cgi?id=96814
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
82ca6308
by Alan Coopersmith
at 2018-03-30T22:46:18Z
Use size_t for buffer sizes in SetHints.c
These variables store values returned from strlen() as a size_t
and are passed to Xmalloc, which expects a size_t, so lets stop
converting back and forth to int along the way.
Reported by: Konstantin SKliarov
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
-
796f754c
by Alan Coopersmith
at 2018-05-05T21:45:57Z
Change fall through comment in lcDB.c to match gcc's requirements
Needs to match one of the regexps shown under
https://gcc.gnu.org/onlinedocs/gcc-7.3.0/gcc/Warning-Options.html#index-Wimplicit-fallthrough
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
9c5845ff
by Martin Natano
at 2018-05-14T01:38:58Z
Don't rebuild ks_tables.h if nothing changed.
ks_tables.h is always considered out of date due to the forced rebuild
of the makekeys util. This means the file is also rebuilt during 'make
install', which is usually performed as root, which can to lead
permission problems later on.
Signed-off-by: Martin Natano <natano@natano.net>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
b676e623
by Samuel Thibault
at 2018-06-13T13:46:58Z
XkbOpenDisplay.3: fix typo
XkbOpenDisplay returns a pointer to Display, not a Display.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
-
d81da209
by Tobias Stoeckmann
at 2018-07-17T13:23:14Z
Validation of server response in XListHosts.
If a server sends an incorrect length in its response, a client is prone
to perform an out of boundary read while processing the data.
The length field of xHostEntry is used to specify the amount of bytes
used to represent the address. It is 16 bit, which means that it is not
possible to perform an arbitrary memory access, but it might be enough
to read sensitive information, e.g. malloc-related pointers and offsets.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
-
b469da14
by Tobias Stoeckmann
at 2018-08-21T14:42:29Z
Fixed off-by-one writes (CVE-2018-14599).
The functions XGetFontPath, XListExtensions, and XListFonts are
vulnerable to an off-by-one override on malicious server responses.
The server replies consist of chunks consisting of a length byte
followed by actual string, which is not NUL-terminated.
While parsing the response, the length byte is overridden with '\0',
thus the memory area can be used as storage of C strings later on. To
be able to NUL-terminate the last string, the buffer is reserved with
an additional byte of space.
For a boundary check, the variable chend (end of ch) was introduced,
pointing at the end of the buffer which ch initially points to.
Unfortunately there is a difference in handling "the end of ch".
While chend points at the first byte that must not be written to,
the for-loop uses chend as the last byte that can be written to.
Therefore, an off-by-one can occur.
I have refactored the code so chend actually points to the last byte
that can be written to without an out of boundary access. As it is not
possible to achieve "ch + length < chend" and "ch + length + 1 > chend"
with the corrected chend meaning, I removed the inner if-check.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-
dbf72805
by Tobias Stoeckmann
at 2018-08-21T14:43:06Z
Fixed out of boundary write (CVE-2018-14600).
The length value is interpreted as signed char on many systems
(depending on default signedness of char), which can lead to an out of
boundary write up to 128 bytes in front of the allocated storage, but
limited to NUL byte(s).
Casting the length value to unsigned char fixes the problem and allows
string values with up to 255 characters.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-
e8372276
by Tobias Stoeckmann
at 2018-08-21T14:43:22Z
Fixed crash on invalid reply (CVE-2018-14598).
If the server sends a reply in which even the first string would
overflow the transmitted bytes, list[0] (or flist[0]) will be set to
NULL and a count of 0 is returned.
If the resulting list is freed with XFreeExtensionList or
XFreeFontPath later on, the first Xfree call:
Xfree (list[0]-1)
turns into
Xfree (NULL-1)
which will most likely trigger a segmentation fault.
I have modified the code to return NULL if the first string would
overflow, thus protecting the freeing functions later on.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-
17370424
by Matthieu Herrb
at 2018-08-21T14:53:40Z
Remove statement with no effect.
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
-
733f64bf
by Matthieu Herrb
at 2018-08-21T14:54:50Z
libX11 1.6.6
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
-
3fdef1c0
by Andreas Boll
at 2018-08-22T18:56:11Z
Merge tag 'libX11-1.6.6' into debian-unstable
libX11-1.6.6
-
19eb2b79
by Andreas Boll
at 2018-08-22T19:03:22Z
Bump changelog
-
2325b038
by Andreas Boll
at 2018-08-22T19:11:57Z
Move libx11-doc from Recommends to Suggests (Closes: #648443).
-
17333a58
by Andreas Boll
at 2018-08-22T19:12:31Z
Add debian/README.source
-
ce46a806
by Andreas Boll
at 2018-08-22T19:12:54Z
Set source format to 1.0.
-
706cda06
by Andreas Boll
at 2018-08-22T19:13:12Z
Bump standards version to 4.2.0.
-
153e24a2
by Andreas Boll
at 2018-08-22T19:23:17Z
Upload to unstable.