Commits:
-
61d18bed
by John D Pell at 2022-12-14T00:19:57-08:00
XQuartz: stub: Call LSOpenApplication instead of fork()/exec()
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
-
becf9d51
by Jeremy Huddleston Sequoia at 2022-12-14T00:20:00-08:00
xquartz: Fix some formatting
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
-
5dbb2b52
by Peter Hutterer at 2022-12-14T12:27:17+01:00
xkb: proof GetCountedString against request length attacks
GetCountedString did a check for the whole string to be within the
request buffer but not for the initial 2 bytes that contain the length
field. A swapped client could send a malformed request to trigger a
swaps() on those bytes, writing into random memory.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 11beef0b7f1ed290348e45618e5fa0d2bffcb72e)
-
69ab3bca
by Peter Hutterer at 2022-12-14T12:27:17+01:00
xkb: fix some possible memleaks in XkbGetKbdByName
GetComponentByName returns an allocated string, so let's free that if we
fail somewhere.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 18f91b950e22c2a342a4fbc55e9ddf7534a707d2)
-
b7760d41
by Peter Hutterer at 2022-12-19T13:49:37+10:00
Xext: fix invalid event type mask in XTestSwapFakeInput
In commit b320ca0 the mask was inadvertently changed from octal 0177 to
hexadecimal 0x177.
Fixes commit b320ca0ffe4c0c872eeb3a93d9bde21f765c7c63
Xtest: disallow GenericEvents in XTestSwapFakeInput
Found by Stuart Cassoff
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit bb1711b7fba42f2a0c7d1c09beee241a1b2bcc30)
-
59b6fc88
by Olivier Fourdan at 2022-12-19T10:48:21+01:00
xserver 21.1.6
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
5 changed files:
Changes:
Xext/xtest.c
... |
... |
@@ -502,7 +502,7 @@ XTestSwapFakeInput(ClientPtr client, xReq * req) |
502
|
502
|
|
503
|
503
|
nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent);
|
504
|
504
|
for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) {
|
505
|
|
- int evtype = ev->u.u.type & 0x177;
|
|
505
|
+ int evtype = ev->u.u.type & 0177;
|
506
|
506
|
/* Swap event */
|
507
|
507
|
proc = EventSwapVector[evtype];
|
508
|
508
|
/* no swapping proc; invalid event type? */
|
configure.ac
... |
... |
@@ -26,8 +26,8 @@ dnl |
26
|
26
|
dnl Process this file with autoconf to create configure.
|
27
|
27
|
|
28
|
28
|
AC_PREREQ(2.60)
|
29
|
|
-AC_INIT([xorg-server], 21.1.5, [https://gitlab.freedesktop.org/xorg/xserver/issues], xorg-server)
|
30
|
|
-RELEASE_DATE="2022-12-14"
|
|
29
|
+AC_INIT([xorg-server], 21.1.6, [https://gitlab.freedesktop.org/xorg/xserver/issues], xorg-server)
|
|
30
|
+RELEASE_DATE="2022-12-19"
|
31
|
31
|
RELEASE_NAME="Caramel Ice Cream"
|
32
|
32
|
AC_CONFIG_SRCDIR([Makefile.am])
|
33
|
33
|
AC_CONFIG_MACRO_DIR([m4])
|
hw/xquartz/mach-startup/stub.c
... |
... |
@@ -52,39 +52,25 @@ |
52
|
52
|
|
53
|
53
|
#include "launchd_fd.h"
|
54
|
54
|
|
55
|
|
-static char x11_path[PATH_MAX + 1];
|
|
55
|
+static CFURLRef x11appURL;
|
|
56
|
+static FSRef x11_appRef;
|
56
|
57
|
static pid_t x11app_pid = 0;
|
57
|
58
|
aslclient aslc;
|
58
|
59
|
|
59
|
60
|
static void
|
60
|
61
|
set_x11_path(void)
|
61
|
62
|
{
|
62
|
|
- CFURLRef appURL = NULL;
|
63
|
|
- OSStatus osstatus =
|
64
|
|
- LSFindApplicationForInfo(kLSUnknownCreator, CFSTR(
|
65
|
|
- kX11AppBundleId), nil, nil, &appURL);
|
|
63
|
+ OSStatus osstatus = LSFindApplicationForInfo(kLSUnknownCreator, CFSTR(kX11AppBundleId),
|
|
64
|
+ nil, &x11_appRef, &x11appURL);
|
66
|
65
|
|
67
|
66
|
switch (osstatus) {
|
68
|
67
|
case noErr:
|
69
|
|
- if (appURL == NULL) {
|
70
|
|
- asl_log(
|
71
|
|
- aslc, NULL, ASL_LEVEL_ERR,
|
72
|
|
- "Xquartz: Invalid response from LSFindApplicationForInfo(%s)",
|
73
|
|
- kX11AppBundleId);
|
74
|
|
- exit(1);
|
75
|
|
- }
|
76
|
|
-
|
77
|
|
- if (!CFURLGetFileSystemRepresentation(appURL, true,
|
78
|
|
- (unsigned char *)x11_path,
|
79
|
|
- sizeof(x11_path))) {
|
|
68
|
+ if (x11appURL == NULL) {
|
80
|
69
|
asl_log(aslc, NULL, ASL_LEVEL_ERR,
|
81
|
|
- "Xquartz: Error resolving URL for %s",
|
|
70
|
+ "Xquartz: Invalid response from LSFindApplicationForInfo(%s)",
|
82
|
71
|
kX11AppBundleId);
|
83
|
|
- exit(3);
|
|
72
|
+ exit(1);
|
84
|
73
|
}
|
85
|
|
-
|
86
|
|
- strlcat(x11_path, kX11AppBundlePath, sizeof(x11_path));
|
87
|
|
- asl_log(aslc, NULL, ASL_LEVEL_INFO, "Xquartz: X11.app = %s", x11_path);
|
88
|
74
|
break;
|
89
|
75
|
|
90
|
76
|
case kLSApplicationNotFoundErr:
|
... |
... |
@@ -96,8 +82,7 @@ set_x11_path(void) |
96
|
82
|
default:
|
97
|
83
|
asl_log(aslc, NULL, ASL_LEVEL_ERR,
|
98
|
84
|
"Xquartz: Unable to find application for %s, error code = %d",
|
99
|
|
- kX11AppBundleId,
|
100
|
|
- (int)osstatus);
|
|
85
|
+ kX11AppBundleId, (int)osstatus);
|
101
|
86
|
exit(11);
|
102
|
87
|
}
|
103
|
88
|
}
|
... |
... |
@@ -122,18 +107,15 @@ connect_to_socket(const char *filename) |
122
|
107
|
ret_fd = socket(PF_UNIX, SOCK_STREAM, 0);
|
123
|
108
|
if (ret_fd == -1) {
|
124
|
109
|
asl_log(aslc, NULL, ASL_LEVEL_ERR,
|
125
|
|
- "Xquartz: Failed to create socket: %s - %s", filename,
|
126
|
|
- strerror(
|
127
|
|
- errno));
|
|
110
|
+ "Xquartz: Failed to create socket: %s - %d - %s",
|
|
111
|
+ filename, errno, strerror(errno));
|
128
|
112
|
return -1;
|
129
|
113
|
}
|
130
|
114
|
|
131
|
115
|
if (connect(ret_fd, servaddr, servaddr_len) < 0) {
|
132
|
116
|
asl_log(aslc, NULL, ASL_LEVEL_ERR,
|
133
|
117
|
"Xquartz: Failed to connect to socket: %s - %d - %s",
|
134
|
|
- filename, errno,
|
135
|
|
- strerror(
|
136
|
|
- errno));
|
|
118
|
+ filename, errno, strerror(errno));
|
137
|
119
|
close(ret_fd);
|
138
|
120
|
return -1;
|
139
|
121
|
}
|
... |
... |
@@ -176,10 +158,9 @@ send_fd_handoff(int connected_fd, int launchd_fd) |
176
|
158
|
*((int *)CMSG_DATA(cmsg)) = launchd_fd;
|
177
|
159
|
|
178
|
160
|
if (sendmsg(connected_fd, &msg, 0) < 0) {
|
179
|
|
- asl_log(
|
180
|
|
- aslc, NULL, ASL_LEVEL_ERR,
|
181
|
|
- "Xquartz: Error sending $DISPLAY file descriptor over fd %d: %d -- %s",
|
182
|
|
- connected_fd, errno, strerror(errno));
|
|
161
|
+ asl_log(aslc, NULL, ASL_LEVEL_ERR,
|
|
162
|
+ "Xquartz: Error sending $DISPLAY file descriptor over fd %d: %d -- %s",
|
|
163
|
+ connected_fd, errno, strerror(errno));
|
183
|
164
|
return;
|
184
|
165
|
}
|
185
|
166
|
|
... |
... |
@@ -253,26 +234,25 @@ main(int argc, char **argv, char **envp) |
253
|
234
|
server_bootstrap_name);
|
254
|
235
|
set_x11_path();
|
255
|
236
|
|
256
|
|
- /* This forking is ugly and will be cleaned up later */
|
257
|
|
- child = fork();
|
258
|
|
- if (child == -1) {
|
259
|
|
- asl_log(aslc, NULL, ASL_LEVEL_ERR, "Xquartz: Could not fork: %s",
|
260
|
|
- strerror(
|
261
|
|
- errno));
|
|
237
|
+ char *listenOnlyArg = "--listenonly";
|
|
238
|
+ CFStringRef silentLaunchArg = CFStringCreateWithCString(NULL, listenOnlyArg, kCFStringEncodingUTF8);
|
|
239
|
+ CFStringRef args[] = { silentLaunchArg };
|
|
240
|
+ CFArrayRef passArgv = CFArrayCreate(NULL, (const void**) args, 1, NULL);
|
|
241
|
+ LSApplicationParameters params = { 0, /* CFIndex version == 0 */
|
|
242
|
+ kLSLaunchDefaults, /* LSLaunchFlags flags */
|
|
243
|
+ &x11_appRef, /* FSRef application */
|
|
244
|
+ NULL, /* void* asyncLaunchRefCon*/
|
|
245
|
+ NULL, /* CFDictionaryRef environment */
|
|
246
|
+ passArgv, /* CFArrayRef arguments */
|
|
247
|
+ NULL /* AppleEvent* initialEvent */
|
|
248
|
+ };
|
|
249
|
+
|
|
250
|
+ OSStatus status = LSOpenApplication(¶ms, NULL);
|
|
251
|
+ if (status != noErr) {
|
|
252
|
+ asl_log(aslc, NULL, ASL_LEVEL_ERR, "Xquartz: Unable to launch: %d", (int)status);
|
262
|
253
|
return EXIT_FAILURE;
|
263
|
254
|
}
|
264
|
255
|
|
265
|
|
- if (child == 0) {
|
266
|
|
- char *_argv[3];
|
267
|
|
- _argv[0] = x11_path;
|
268
|
|
- _argv[1] = "--listenonly";
|
269
|
|
- _argv[2] = NULL;
|
270
|
|
- asl_log(aslc, NULL, ASL_LEVEL_NOTICE,
|
271
|
|
- "Xquartz: Starting X server: %s --listenonly",
|
272
|
|
- x11_path);
|
273
|
|
- return execvp(x11_path, _argv);
|
274
|
|
- }
|
275
|
|
-
|
276
|
256
|
/* Try connecting for 10 seconds */
|
277
|
257
|
for (i = 0; i < 80; i++) {
|
278
|
258
|
usleep(250000);
|
... |
... |
@@ -283,8 +263,7 @@ main(int argc, char **argv, char **envp) |
283
|
263
|
|
284
|
264
|
if (kr != KERN_SUCCESS) {
|
285
|
265
|
asl_log(aslc, NULL, ASL_LEVEL_ERR,
|
286
|
|
- "Xquartz: bootstrap_look_up(): %s", bootstrap_strerror(
|
287
|
|
- kr));
|
|
266
|
+ "Xquartz: bootstrap_look_up(): %s", bootstrap_strerror(kr));
|
288
|
267
|
return EXIT_FAILURE;
|
289
|
268
|
}
|
290
|
269
|
}
|
... |
... |
@@ -298,13 +277,10 @@ main(int argc, char **argv, char **envp) |
298
|
277
|
int handoff_fd = -1;
|
299
|
278
|
|
300
|
279
|
for (try = 0, try_max = 5; try < try_max; try++) {
|
301
|
|
- if (request_fd_handoff_socket(mp,
|
302
|
|
- handoff_socket_filename) !=
|
303
|
|
- KERN_SUCCESS) {
|
304
|
|
- asl_log(
|
305
|
|
- aslc, NULL, ASL_LEVEL_INFO,
|
306
|
|
- "Xquartz: Failed to request a socket from the server to send the $DISPLAY fd over (try %d of %d)",
|
307
|
|
- (int)try + 1, (int)try_max);
|
|
280
|
+ if (request_fd_handoff_socket(mp, handoff_socket_filename) != KERN_SUCCESS) {
|
|
281
|
+ asl_log(aslc, NULL, ASL_LEVEL_INFO,
|
|
282
|
+ "Xquartz: Failed to request a socket from the server to send the $DISPLAY fd over (try %d of %d)",
|
|
283
|
+ (int)try + 1, (int)try_max);
|
308
|
284
|
continue;
|
309
|
285
|
}
|
310
|
286
|
|
... |
... |
@@ -312,16 +288,13 @@ main(int argc, char **argv, char **envp) |
312
|
288
|
if (handoff_fd == -1) {
|
313
|
289
|
asl_log(aslc, NULL, ASL_LEVEL_ERR,
|
314
|
290
|
"Xquartz: Failed to connect to socket (try %d of %d)",
|
315
|
|
- (int)try + 1,
|
316
|
|
- (int)try_max);
|
|
291
|
+ (int)try + 1, (int)try_max);
|
317
|
292
|
continue;
|
318
|
293
|
}
|
319
|
294
|
|
320
|
|
- asl_log(
|
321
|
|
- aslc, NULL, ASL_LEVEL_INFO,
|
322
|
|
- "Xquartz: Handoff connection established (try %d of %d) on fd %d, \"%s\". Sending message.",
|
323
|
|
- (int)try + 1, (int)try_max, handoff_fd,
|
324
|
|
- handoff_socket_filename);
|
|
295
|
+ asl_log(aslc, NULL, ASL_LEVEL_INFO,
|
|
296
|
+ "Xquartz: Handoff connection established (try %d of %d) on fd %d, \"%s\". Sending message.",
|
|
297
|
+ (int)try + 1, (int)try_max, handoff_fd, handoff_socket_filename);
|
325
|
298
|
send_fd_handoff(handoff_fd, launchd_fd);
|
326
|
299
|
close(handoff_fd);
|
327
|
300
|
break;
|
... |
... |
@@ -342,8 +315,7 @@ main(int argc, char **argv, char **envp) |
342
|
315
|
free(newargv);
|
343
|
316
|
free(newenvp);
|
344
|
317
|
|
345
|
|
- asl_log(aslc, NULL, ASL_LEVEL_ERR,
|
346
|
|
- "Xquartz: Memory allocation failure");
|
|
318
|
+ asl_log(aslc, NULL, ASL_LEVEL_ERR, "Xquartz: Memory allocation failure");
|
347
|
319
|
return EXIT_FAILURE;
|
348
|
320
|
}
|
349
|
321
|
|
... |
... |
@@ -361,8 +333,7 @@ main(int argc, char **argv, char **envp) |
361
|
333
|
|
362
|
334
|
if (kr != KERN_SUCCESS) {
|
363
|
335
|
asl_log(aslc, NULL, ASL_LEVEL_ERR, "Xquartz: start_x11_server: %s",
|
364
|
|
- mach_error_string(
|
365
|
|
- kr));
|
|
336
|
+ mach_error_string(kr));
|
366
|
337
|
return EXIT_FAILURE;
|
367
|
338
|
}
|
368
|
339
|
return EXIT_SUCCESS;
|
meson.build
... |
... |
@@ -3,10 +3,10 @@ project('xserver', 'c', |
3
|
3
|
'buildtype=debugoptimized',
|
4
|
4
|
'c_std=gnu99',
|
5
|
5
|
],
|
6
|
|
- version: '21.1.5',
|
|
6
|
+ version: '21.1.6',
|
7
|
7
|
meson_version: '>= 0.47.0',
|
8
|
8
|
)
|
9
|
|
-release_date = '2022-12-14'
|
|
9
|
+release_date = '2022-12-19'
|
10
|
10
|
|
11
|
11
|
add_project_arguments('-DHAVE_DIX_CONFIG_H', language: ['c', 'objc'])
|
12
|
12
|
cc = meson.get_compiler('c')
|
xkb/xkb.c
... |
... |
@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) |
5137
|
5137
|
CARD16 len;
|
5138
|
5138
|
|
5139
|
5139
|
wire = *wire_inout;
|
|
5140
|
+
|
|
5141
|
+ if (client->req_len <
|
|
5142
|
+ bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
|
|
5143
|
+ return BadValue;
|
|
5144
|
+
|
5140
|
5145
|
len = *(CARD16 *) wire;
|
5141
|
5146
|
if (client->swapped) {
|
5142
|
5147
|
swaps(&len);
|
... |
... |
@@ -5935,18 +5940,32 @@ ProcXkbGetKbdByName(ClientPtr client) |
5935
|
5940
|
xkb = dev->key->xkbInfo->desc;
|
5936
|
5941
|
status = Success;
|
5937
|
5942
|
str = (unsigned char *) &stuff[1];
|
5938
|
|
- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */
|
5939
|
|
- return BadMatch;
|
|
5943
|
+ {
|
|
5944
|
+ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */
|
|
5945
|
+ if (keymap) {
|
|
5946
|
+ free(keymap);
|
|
5947
|
+ return BadMatch;
|
|
5948
|
+ }
|
|
5949
|
+ }
|
5940
|
5950
|
names.keycodes = GetComponentSpec(&str, TRUE, &status);
|
5941
|
5951
|
names.types = GetComponentSpec(&str, TRUE, &status);
|
5942
|
5952
|
names.compat = GetComponentSpec(&str, TRUE, &status);
|
5943
|
5953
|
names.symbols = GetComponentSpec(&str, TRUE, &status);
|
5944
|
5954
|
names.geometry = GetComponentSpec(&str, TRUE, &status);
|
5945
|
|
- if (status != Success)
|
|
5955
|
+ if (status == Success) {
|
|
5956
|
+ len = str - ((unsigned char *) stuff);
|
|
5957
|
+ if ((XkbPaddedSize(len) / 4) != stuff->length)
|
|
5958
|
+ status = BadLength;
|
|
5959
|
+ }
|
|
5960
|
+
|
|
5961
|
+ if (status != Success) {
|
|
5962
|
+ free(names.keycodes);
|
|
5963
|
+ free(names.types);
|
|
5964
|
+ free(names.compat);
|
|
5965
|
+ free(names.symbols);
|
|
5966
|
+ free(names.geometry);
|
5946
|
5967
|
return status;
|
5947
|
|
- len = str - ((unsigned char *) stuff);
|
5948
|
|
- if ((XkbPaddedSize(len) / 4) != stuff->length)
|
5949
|
|
- return BadLength;
|
|
5968
|
+ }
|
5950
|
5969
|
|
5951
|
5970
|
CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
|
5952
|
5971
|
CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
|
|