[Git][xorg-team/lib/libx11][upstream-unstable] 4 commits: include <limits.h> always, not if HAVE_CONFIG_H is set.

["Timo Aaltonen (@tjaalton)" <tjaalton@debian.org>]

Title: GitLab

Timo Aaltonen pushed to branch upstream-unstable at X Strike Force / lib / libx11

Commits:

• a8216e86
  by Matthieu Herrb at 2021-05-22T17:36:37+02:00

  include <limits.h> always, not if HAVE_CONFIG_H is set.
  
  via Matthew Green from the NetBSD project
  
  Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
  

• ab2f5953
  by Matthieu Herrb at 2021-05-30T16:33:48+02:00

  Check for NULL strings before getting their lengths
  
  Problem reported by Karsten Trulsen
  
  Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
  

• 51b73ac0
  by Tobias Stoeckmann at 2021-05-31T18:39:15+02:00

  Protect against overly long strings
  
  Checking against upper limit of USHRT_MAX must happen before truncating
  size_t to int. On 64 bit systems with strings larger than 2 GB this
  could otherwise lead to negative ints or ints smaller than USHRT_MAX.
  
  In XParseColor this could lead to out of boundary access with strings
  starting with a # (color sequence). A modulo 12 operation is performed
  to validate the string length, but with an overflown length, the for
  loop would eventually read behind terminating '\0' character.
  
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
  

• f906fe8e
  by Alan Coopersmith at 2021-06-05T09:36:54-07:00

  libX11 1.7.2
  
  Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
  

13 changed files:

• README.md
• configure.ac
• src/Font.c
• src/FontInfo.c
• src/FontNames.c
• src/GetColor.c
• src/LoadFont.c
• src/LookupCol.c
• src/ParseCol.c
• src/QuExt.c
• src/SetFPath.c
• src/StNColor.c
• src/StName.c

Changes:

README.md

---

...	...	@@ -31,6 +31,11 @@ For patch submission instructions, see:
31	31
32	32	https://www.x.org/wiki/Development/Documentation/SubmittingPatches
33	33
	34	+## Release 1.7.2
	35	+
	36	+This is a bug fix release, correcting a regression introduced by and
	37	+improving the checks from the fix for CVE-2021-31535.
	38	+
34	39	## Release 1.7.1
35	40
36	41	This is a bug fix release, including a security fix for

configure.ac

---

1	1
2	2	# Initialize Autoconf
3	3	AC_PREREQ([2.60])
4		-AC_INIT([libX11], [1.7.1],
	4	+AC_INIT([libX11], [1.7.2],
5	5	[https://gitlab.freedesktop.org/xorg/lib/libx11/issues], [libX11])
6	6	AC_CONFIG_SRCDIR([Makefile.am])
7	7	AC_CONFIG_HEADERS([src/config.h include/X11/XlibConf.h])

src/Font.c

---

...	...	@@ -102,7 +102,7 @@ XFontStruct *XLoadQueryFont(
102	102	XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy);
103	103	#endif
104	104
105		- if (strlen(name) >= USHRT_MAX)
	105	+ if (name != NULL && strlen(name) >= USHRT_MAX)
106	106	return NULL;
107	107	if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0))
108	108	return font_result;
...	...	@@ -656,7 +656,7 @@ int _XF86LoadQueryLocaleFont(
656	656	XFontStruct **xfp,
657	657	Font *fidp)
658	658	{
659		- int l;
	659	+ size_t l;
660	660	const char *charset, *p;
661	661	char buf[256];
662	662	XFontStruct *fs;
...	...	@@ -664,7 +664,7 @@ int _XF86LoadQueryLocaleFont(
664	664
665	665	if (!name)
666	666	return 0;
667		- l = (int) strlen(name);
	667	+ l = strlen(name);
668	668	if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX)
669	669	return 0;
670	670	charset = NULL;
...	...	@@ -677,11 +677,11 @@ int _XF86LoadQueryLocaleFont(
677	677	charset = "ISO8859-1";
678	678	p = charset + 7;
679	679	}
680		- if (l - 2 - (p - charset) < 0)
	680	+ if (l - 2 < p - charset)
681	681	return 0;
682	682	if (_XlcNCompareISOLatin1(name + l - 2 - (p - charset), charset, p - charset))
683	683	return 0;
684		- if (strlen(p + 1) + (size_t) l - 1 >= sizeof(buf) - 1)
	684	+ if (strlen(p + 1) + l - 1 >= sizeof(buf) - 1)
685	685	return 0;
686	686	strcpy(buf, name);
687	687	strcpy(buf + l - 1, p + 1);

src/FontInfo.c

---

...	...	@@ -58,7 +58,7 @@ XFontStruct **info) /* RETURN */
58	58	register xListFontsReq *req;
59	59	int j;
60	60
61		- if (strlen(pattern) >= USHRT_MAX)
	61	+ if (pattern != NULL && strlen(pattern) >= USHRT_MAX)
62	62	return NULL;
63	63
64	64	LockDisplay(dpy);

src/FontNames.c

---

...	...	@@ -51,7 +51,7 @@ int *actualCount) /* RETURN */
51	51	register xListFontsReq *req;
52	52	unsigned long rlen = 0;
53	53
54		- if (strlen(pattern) >= USHRT_MAX)
	54	+ if (pattern != NULL && strlen(pattern) >= USHRT_MAX)
55	55	return NULL;
56	56
57	57	LockDisplay(dpy);

src/GetColor.c

---

...	...	@@ -49,7 +49,7 @@ XColor *exact_def) /* RETURN */
49	49	XcmsColor cmsColor_exact;
50	50	Status ret;
51	51
52		- if (strlen(colorname) >= USHRT_MAX)
	52	+ if (colorname != NULL && strlen(colorname) >= USHRT_MAX)
53	53	return (0);
54	54
55	55	#ifdef XCMS

src/LoadFont.c

---

...	...	@@ -39,7 +39,7 @@ XLoadFont (
39	39	Font fid;
40	40	register xOpenFontReq *req;
41	41
42		- if (strlen(name) >= USHRT_MAX)
	42	+ if (name != NULL && strlen(name) >= USHRT_MAX)
43	43	return (0);
44	44
45	45	if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid))

src/LookupCol.c

---

...	...	@@ -41,13 +41,15 @@ XLookupColor (
41	41	XColor *def,
42	42	XColor *scr)
43	43	{
44		- register int n;
	44	+ register size_t n;
45	45	xLookupColorReply reply;
46	46	register xLookupColorReq *req;
47	47	XcmsCCC ccc;
48	48	XcmsColor cmsColor_exact;
49	49
50		- n = (int) strlen (spec);
	50	+ if (spec == NULL)
	51	+ return 0;
	52	+ n = strlen (spec);
51	53	if (n >= USHRT_MAX)
52	54	return 0;
53	55	#ifdef XCMS

src/ParseCol.c

---

...	...	@@ -40,14 +40,14 @@ XParseColor (
40	40	_Xconst char *spec,
41	41	XColor *def)
42	42	{
43		- register int n, i;
	43	+ register size_t n, i;
44	44	int r, g, b;
45	45	char c;
46	46	XcmsCCC ccc;
47	47	XcmsColor cmsColor;
48	48
49	49	if (!spec) return(0);
50		- n = (int) strlen (spec);
	50	+ n = strlen (spec);
51	51	if (n >= USHRT_MAX)
52	52	return(0);
53	53	if (*spec == '#') {
...	...	@@ -64,7 +64,7 @@ XParseColor (
64	64	r = g;
65	65	g = b;
66	66	b = 0;
67		- for (i = n; --i >= 0; ) {
	67	+ for (i = 0; i < n; i++) {
68	68	c = *spec++;
69	69	b <<= 4;
70	70	if (c >= '0' && c <= '9')
...	...	@@ -122,7 +122,7 @@ XParseColor (
122	122	LockDisplay(dpy);
123	123	GetReq (LookupColor, req);
124	124	req->cmap = cmap;
125		- req->nbytes = (CARD16) (n = (int) strlen(spec));
	125	+ req->nbytes = (CARD16) (n = strlen(spec));
126	126	req->length += (n + 3) >> 2;
127	127	Data (dpy, spec, (long)n);
128	128	if (!_XReply (dpy, (xReply *) &reply, 0, xTrue)) {

src/QuExt.c

---

...	...	@@ -42,7 +42,7 @@ XQueryExtension(
42	42	xQueryExtensionReply rep;
43	43	register xQueryExtensionReq *req;
44	44
45		- if (strlen(name) >= USHRT_MAX)
	45	+ if (name != NULL && strlen(name) >= USHRT_MAX)
46	46	return false;
47	47
48	48	LockDisplay(dpy);

src/SetFPath.c

---

...	...	@@ -26,8 +26,8 @@ in this Software without prior written authorization from The Open Group.
26	26
27	27	#ifdef HAVE_CONFIG_H
28	28	#include <config.h>
29		-#include <limits.h>
30	29	#endif
	30	+#include <limits.h>
31	31	#include "Xlibint.h"
32	32
33	33	#define safestrlen(s) ((s) ? strlen(s) : 0)
...	...	@@ -38,7 +38,7 @@ XSetFontPath (
38	38	char **directories,
39	39	int ndirs)
40	40	{
41		- register int n = 0;
	41	+ register size_t n = 0;
42	42	register int i;
43	43	register int nbytes;
44	44	char *p;
...	...	@@ -49,7 +49,7 @@ XSetFontPath (
49	49	GetReq (SetFontPath, req);
50	50	req->nFonts = ndirs;
51	51	for (i = 0; i < ndirs; i++) {
52		- n = (int) ((size_t) n + (safestrlen (directories[i]) + 1));
	52	+ n = n + (safestrlen (directories[i]) + 1);
53	53	if (n >= USHRT_MAX) {
54	54	UnlockDisplay(dpy);
55	55	SyncHandle();
...	...	@@ -65,9 +65,9 @@ XSetFontPath (
65	65	char *tmp = p;
66	66
67	67	for (i = 0; i < ndirs; i++) {
68		- register int length = (int) safestrlen (directories[i]);
	68	+ size_t length = safestrlen (directories[i]);
69	69	*p = length;
70		- memcpy (p + 1, directories[i], (size_t)length);
	70	+ memcpy (p + 1, directories[i], length);
71	71	p += length + 1;
72	72	}
73	73	Data (dpy, tmp, nbytes);

src/StNColor.c

---

...	...	@@ -47,7 +47,7 @@ int flags) /* DoRed, DoGreen, DoBlue */
47	47	XcmsColor cmsColor_exact;
48	48	XColor scr_def;
49	49
50		- if (strlen(name) >= USHRT_MAX)
	50	+ if (name != NULL && strlen(name) >= USHRT_MAX)
51	51	return 0;
52	52	#ifdef XCMS
53	53	/*

src/StName.c

---

...	...	@@ -37,7 +37,7 @@ XStoreName (
37	37	Window w,
38	38	_Xconst char *name)
39	39	{
40		- if (strlen(name) >= USHRT_MAX)
	40	+ if (name != NULL && strlen(name) >= USHRT_MAX)
41	41	return 0;
42	42	return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /* */
43	43	8, PropModeReplace, (_Xconst unsigned char *)name,
...	...	@@ -50,7 +50,7 @@ XSetIconName (
50	50	Window w,
51	51	_Xconst char *icon_name)
52	52	{
53		- if (strlen(icon_name) >= USHRT_MAX)
	53	+ if (icon_name != NULL && strlen(icon_name) >= USHRT_MAX)
54	54	return 0;
55	55	return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
56	56	PropModeReplace, (_Xconst unsigned char *)icon_name,

—
View it on GitLab.
You're receiving this email because of your account on salsa.debian.org. If you'd like to receive fewer emails, you can adjust your notification settings.