Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debia...@lists.debian.org

Please unblock package libx11

This fixes CVE-2021-31535, a bug in libX11 which could lead to the execution of additional X requests due to insufficient buffer checks.

I have done some manual tests (run an X server with various applications).

The risks are minor as the changes are pretty much limited to the security fix, with minor changes aside of that.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

The debdiff is a little large due to the autotools version the tarball was generated with. I'm attaching a debdiff filtered with

  filterdiff -x '*/Makefile.in' -x '*.man' -x '*/aclocal.m4' -x '*/configure'

(the *.man changes are actual manpage syntax fixes, but make it harder to review the actually important code fixes in this update, so I filtered them).

unblock libx11/2:1.7.1-1

diff -Nru libx11-1.7.0/compile libx11-1.7.1/compile --- libx11-1.7.0/compile 2020-11-20 20:08:19.000000000 +0100 +++ libx11-1.7.1/compile 2021-05-18 16:14:45.000000000 +0200 @@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1999-2020 Free Software Foundation, Inc. +# Copyright (C) 1999-2018 Free Software Foundation, Inc. # Written by Tom Tromey <tro...@cygnus.com>. # # This program is free software; you can redistribute it and/or modify @@ -53,7 +53,7 @@ MINGW*) file_conv=mingw ;; - CYGWIN* | MSYS*) + CYGWIN*) file_conv=cygwin ;; *) @@ -67,7 +67,7 @@ mingw/*) file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'` ;; - cygwin/* | msys/*) + cygwin/*) file=`cygpath -m "$file" || echo "$file"` ;; wine/*) diff -Nru libx11-1.7.0/configure.ac libx11-1.7.1/configure.ac --- libx11-1.7.0/configure.ac 2020-11-20 20:08:11.000000000 +0100 +++ libx11-1.7.1/configure.ac 2021-05-18 16:14:20.000000000 +0200 @@ -1,7 +1,7 @@ # Initialize Autoconf AC_PREREQ([2.60]) -AC_INIT([libX11], [1.7.0], +AC_INIT([libX11], [1.7.1], [https://gitlab.freedesktop.org/xorg/lib/libx11/issues], [libX11]) AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_HEADERS([src/config.h include/X11/XlibConf.h]) diff -Nru libx11-1.7.0/debian/changelog libx11-1.7.1/debian/changelog --- libx11-1.7.0/debian/changelog 2021-05-20 10:05:15.000000000 +0200 +++ libx11-1.7.1/debian/changelog 2021-05-20 10:05:15.000000000 +0200 
@@ -1,3 +1,16 @@ +libx11 (2:1.7.1-1) unstable; urgency=medium + + [ Julien Cristau ] + * libx11-6 Breaks old libx11-xcb1, as further mitigation for bug + #979590. + + [ Emilio Pozuelo Monfort ] + * New upstream release. + * CVE-2021-31535: X protocol command injection due to missing request + length checks (closes: #988737) + + -- Emilio Pozuelo Monfort <po...@debian.org> Wed, 19 May 2021 17:22:09 +0200 + libx11 (2:1.7.0-2) unstable; urgency=medium * Set a strict dependency of libx11-xcb1 on libx11-6, as internal ABI diff -Nru libx11-1.7.0/debian/control libx11-1.7.1/debian/control --- libx11-1.7.0/debian/control 2021-05-20 10:05:15.000000000 +0200 +++ libx11-1.7.1/debian/control 2021-05-20 10:05:15.000000000 +0200 @@ -28,6 +28,8 @@ ${misc:Depends}, libx11-data, Pre-Depends: ${misc:Pre-Depends} +Breaks: + libx11-xcb1 (<< 2:1.7.0-2), Multi-Arch: same Description: X11 client-side library This package provides a client interface to the X Window System, otherwise diff -Nru libx11-1.7.0/depcomp libx11-1.7.1/depcomp --- libx11-1.7.0/depcomp 2020-11-20 20:08:19.000000000 +0100 +++ libx11-1.7.1/depcomp 2021-05-18 16:14:46.000000000 +0200 @@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1999-2020 Free Software Foundation, Inc. +# Copyright (C) 1999-2018 Free Software Foundation, Inc. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff -Nru libx11-1.7.0/include/X11/Xlib.h libx11-1.7.1/include/X11/Xlib.h --- libx11-1.7.0/include/X11/Xlib.h 2020-11-20 20:08:11.000000000 +0100 +++ libx11-1.7.1/include/X11/Xlib.h 2021-05-18 16:14:20.000000000 +0200 
@@ -367,7 +367,7 @@ int bitmap_bit_order; /* LSBFirst, MSBFirst */ int bitmap_pad; /* 8, 16, 32 either XY or ZPixmap */ int depth; /* depth of image */ - int bytes_per_line; /* accelarator to next line */ + int bytes_per_line; /* accelerator to next line */ int bits_per_pixel; /* bits per pixel (ZPixmap) */ unsigned long red_mask; /* bits in z arrangement */ unsigned long green_mask; diff -Nru libx11-1.7.0/install-sh libx11-1.7.1/install-sh --- libx11-1.7.0/install-sh 2020-11-20 20:08:19.000000000 +0100 +++ libx11-1.7.1/install-sh 2021-05-18 16:14:45.000000000 +0200 @@ -451,18 +451,7 @@ trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0 # Copy the file name to the temp name. - (umask $cp_umask && - { test -z "$stripcmd" || { - # Create $dsttmp read-write so that cp doesn't create it read-only, - # which would cause strip to fail. - if test -z "$doit"; then - : >"$dsttmp" # No need to fork-exec 'touch'. - else - $doit touch "$dsttmp" - fi - } - } && - $doit_exec $cpprog "$src" "$dsttmp") && + (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") && # and set any options; do chmod last to preserve setuid bits. # diff -Nru libx11-1.7.0/missing libx11-1.7.1/missing --- libx11-1.7.0/missing 2020-11-20 20:08:19.000000000 +0100 +++ libx11-1.7.1/missing 2021-05-18 16:14:45.000000000 +0200 @@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1996-2020 Free Software Foundation, Inc. +# Copyright (C) 1996-2018 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard <pin...@iro.umontreal.ca>, 1996. # This program is free software; you can redistribute it and/or modify diff -Nru libx11-1.7.0/nls/en_US.UTF-8/Compose.pre libx11-1.7.1/nls/en_US.UTF-8/Compose.pre --- libx11-1.7.0/nls/en_US.UTF-8/Compose.pre 2020-11-20 20:08:11.000000000 +0100 +++ libx11-1.7.1/nls/en_US.UTF-8/Compose.pre 2021-05-18 16:14:29.000000000 +0200 
@@ -924,9 +924,11 @@ <Multi_key> <e> <minus> : "ē" U0113 # LATIN SMALL LETTER E WITH MACRON <dead_breve> <E> : "Ĕ" U0114 # LATIN CAPITAL LETTER E WITH BREVE <Multi_key> <U> <E> : "Ĕ" U0114 # LATIN CAPITAL LETTER E WITH BREVE +<Multi_key> <u> <E> : "Ĕ" U0114 # LATIN CAPITAL LETTER E WITH BREVE <Multi_key> <b> <E> : "Ĕ" U0114 # LATIN CAPITAL LETTER E WITH BREVE <dead_breve> <e> : "ĕ" U0115 # LATIN SMALL LETTER E WITH BREVE <Multi_key> <U> <e> : "ĕ" U0115 # LATIN SMALL LETTER E WITH BREVE +<Multi_key> <u> <e> : "ĕ" U0115 # LATIN SMALL LETTER E WITH BREVE <Multi_key> <b> <e> : "ĕ" U0115 # LATIN SMALL LETTER E WITH BREVE <dead_abovedot> <E> : "Ė" U0116 # LATIN CAPITAL LETTER E WITH DOT ABOVE <Multi_key> <period> <E> : "Ė" U0116 # LATIN CAPITAL LETTER E WITH DOT ABOVE 
@@ -960,14 +962,18 @@ <Multi_key> <asciicircum> <g> : "ĝ" U011D # LATIN SMALL LETTER G WITH CIRCUMFLEX <dead_breve> <G> : "Ğ" U011E # LATIN CAPITAL LETTER G WITH BREVE <Multi_key> <U> <G> : "Ğ" U011E # LATIN CAPITAL LETTER G WITH BREVE +<Multi_key> <u> <G> : "Ğ" U011E # LATIN CAPITAL LETTER G WITH BREVE <Multi_key> <G> <U> : "Ğ" U011E # LATIN CAPITAL LETTER G WITH BREVE +<Multi_key> <G> <u> : "Ğ" U011E # LATIN CAPITAL LETTER G WITH BREVE <Multi_key> <b> <G> : "Ğ" U011E # LATIN CAPITAL LETTER G WITH BREVE <Multi_key> <breve> <G> : "Ğ" U011E # LATIN CAPITAL LETTER G WITH BREVE <Multi_key> <G> <breve> : "Ğ" U011E # LATIN CAPITAL LETTER G WITH BREVE <Multi_key> <G> <parenleft> : "Ğ" U011E # LATIN CAPITAL LETTER G WITH BREVE <dead_breve> <g> : "ğ" U011F # LATIN SMALL LETTER G WITH BREVE <Multi_key> <U> <g> : "ğ" U011F # LATIN SMALL LETTER G WITH BREVE +<Multi_key> <u> <g> : "ğ" U011F # LATIN SMALL LETTER G WITH BREVE <Multi_key> <g> <U> : "ğ" U011F # LATIN SMALL LETTER G WITH BREVE +<Multi_key> <g> <u> : "ğ" U011F # LATIN SMALL LETTER G WITH BREVE <Multi_key> <b> <g> : "ğ" U011F # LATIN SMALL LETTER G WITH BREVE <Multi_key> <breve> <g> : "ğ" U011F # LATIN SMALL LETTER G WITH BREVE <Multi_key> <g> <breve> : "ğ" U011F # LATIN SMALL LETTER G WITH BREVE 
@@ -1016,9 +1022,11 @@ <Multi_key> <i> <minus> : "ī" U012B # LATIN SMALL LETTER I WITH MACRON <dead_breve> <I> : "Ĭ" U012C # LATIN CAPITAL LETTER I WITH BREVE <Multi_key> <U> <I> : "Ĭ" U012C # LATIN CAPITAL LETTER I WITH BREVE +<Multi_key> <u> <I> : "Ĭ" U012C # LATIN CAPITAL LETTER I WITH BREVE <Multi_key> <b> <I> : "Ĭ" U012C # LATIN CAPITAL LETTER I WITH BREVE <dead_breve> <i> : "ĭ" U012D # LATIN SMALL LETTER I WITH BREVE <Multi_key> <U> <i> : "ĭ" U012D # LATIN SMALL LETTER I WITH BREVE +<Multi_key> <u> <i> : "ĭ" U012D # LATIN SMALL LETTER I WITH BREVE <Multi_key> <b> <i> : "ĭ" U012D # LATIN SMALL LETTER I WITH BREVE <dead_ogonek> <I> : "Į" U012E # LATIN CAPITAL LETTER I WITH OGONEK <Multi_key> <semicolon> <I> : "Į" U012E # LATIN CAPITAL LETTER I WITH OGONEK @@ -1123,9 +1131,11 @@ <Multi_key> <o> <minus> : "ō" U014D # LATIN SMALL LETTER O WITH MACRON <dead_breve> <O> : "Ŏ" U014E # LATIN CAPITAL LETTER O WITH BREVE <Multi_key> <U> <O> : "Ŏ" U014E # LATIN CAPITAL LETTER O WITH BREVE +<Multi_key> <u> <O> : "Ŏ" U014E # LATIN CAPITAL LETTER O WITH BREVE <Multi_key> <b> <O> : "Ŏ" U014E # LATIN CAPITAL LETTER O WITH BREVE <dead_breve> <o> : "ŏ" U014F # LATIN SMALL LETTER O WITH BREVE <Multi_key> <U> <o> : "ŏ" U014F # LATIN SMALL LETTER O WITH BREVE +<Multi_key> <u> <o> : "ŏ" U014F # LATIN SMALL LETTER O WITH BREVE <Multi_key> <b> <o> : "ŏ" U014F # LATIN SMALL LETTER O WITH BREVE <dead_doubleacute> <O> : "Ő" U0150 # LATIN CAPITAL LETTER O WITH DOUBLE ACUTE <Multi_key> <equal> <O> : "Ő" U0150 # LATIN CAPITAL LETTER O WITH DOUBLE ACUTE 
@@ -6019,8 +6029,7 @@ <Multi_key> <minus> <U2191> : "⍏" U234f # - ↑ APL FUNCTIONAL SYMBOL UPWARDS VANE <Multi_key> <U2191> <U2395> : "⍐" U2350 # ↑ ⎕ APL FUNCTIONAL SYMBOL QUAD UPWARDS ARROW <Multi_key> <U2395> <U2191> : "⍐" U2350 # ⎕ ↑ APL FUNCTIONAL SYMBOL QUAD UPWARDS ARROW -XCOMM I cannot get anything to work with <macron>. Given that no extant APLs use ⍑ I will just leave the lines -XCOMM in place. +XCOMM The next two somehow don't work. However, no extant APL uses "⍑". <Multi_key> <macron> <U22a4> : "⍑" U2351 # ¯ ⊤ APL FUNCTIONAL SYMBOL UP TACK OVERBAR <Multi_key> <U22a4> <macron> : "⍑" U2351 # ⊤ ¯ APL FUNCTIONAL SYMBOL UP TACK OVERBAR <Multi_key> <U2207> <bar> : "⍒" U2352 # ∇ | APL FUNCTIONAL SYMBOL DEL STILE @@ -6035,10 +6044,7 @@ <Multi_key> <minus> <U2193> : "⍖" U2356 # - ↓ APL FUNCTIONAL SYMBOL DOWNWARDS VANE <Multi_key> <U2193> <U2395> : "⍗" U2357 # ↓ ⎕ APL FUNCTIONAL SYMBOL QUAD DOWNWARDS ARROW <Multi_key> <U2395> <U2193> : "⍗" U2357 # ⎕ ↓ APL FUNCTIONAL SYMBOL QUAD DOWNWARDS ARROW -XCOMM This line clashes with the <apostrophe> <underscore> <E> (and similar) that appear to be there to provide -XCOMM a work around for the problems with <macron>. Or to cope with keyboards that do not have <macron> (more likely). -XCOMM All APL keyboards have <macron>, it is used as the -ve sign for numbers. -XCOMM I do not know of an extant APL using ⍘ +XCOMM The <apostrophe> <underscore> is used elsewhere. However, no extant APL uses "⍘". <Multi_key> <underscore> <apostrophe> : "⍘" U2358 # _ ' APL FUNCTIONAL SYMBOL QUOTE UNDERBAR <Multi_key> <U2206> <underscore> : "⍙" U2359 # ∆ _ APL FUNCTIONAL SYMBOL DELTA UNDERBAR <Multi_key> <underscore> <U2206> : "⍙" U2359 # _ ∆ APL FUNCTIONAL SYMBOL DELTA UNDERBAR 
@@ -6079,10 +6085,7 @@ <Multi_key> <asciitilde> <0> : "⍬" U236c # ~ 0 APL FUNCTIONAL SYMBOL ZILDE <Multi_key> <bar> <asciitilde> : "⍭" U236d # | ~ APL FUNCTIONAL SYMBOL STILE TILDE <Multi_key> <asciitilde> <bar> : "⍭" U236d # ~ | APL FUNCTIONAL SYMBOL STILE TILDE -XCOMM This line does not work. It clashes with -XCOMM <underscore> <semicolon> <O> for Ǭ and -XCOMM <underscore> <semicolon> <o> for ǭ. -XCOMM Given that no extant APLs use ⍮ I will just leave the line in place. +XCOMM The <underscore> <semicolon> is used elsewhere. However, no extant APL uses "⍮". <Multi_key> <semicolon> <underscore> : "⍮" U236e # ; _ APL FUNCTIONAL SYMBOL SEMICOLON UNDERBAR <Multi_key> <U2260> <U2395> : "⍯" U236f # ≠ ⎕ APL FUNCTIONAL SYMBOL QUAD NOT EQUAL <Multi_key> <U2395> <U2260> : "⍯" U236f # ⎕ ≠ APL FUNCTIONAL SYMBOL QUAD NOT EQUAL diff -Nru libx11-1.7.0/nls/locale.alias.pre libx11-1.7.1/nls/locale.alias.pre --- libx11-1.7.0/nls/locale.alias.pre 2020-11-20 20:08:11.000000000 +0100 +++ libx11-1.7.1/nls/locale.alias.pre 2021-05-18 16:14:30.000000000 +0200 @@ -16,6 +16,7 @@ Cextend.en: en_US.ISO8859-1 English_United-States.437: C C.UTF-8: en_US.UTF-8 +C.utf8: en_US.UTF-8 XCOMM a3 is not an ISO 639 language code, but in Cyrillic, "Z" looks like "3". a3: az_AZ.KOI8-C a3_AZ: az_AZ.KOI8-C diff -Nru libx11-1.7.0/README.md libx11-1.7.1/README.md --- libx11-1.7.0/README.md 2020-11-20 20:08:11.000000000 +0100 +++ libx11-1.7.1/README.md 2021-05-18 16:14:20.000000000 +0200 
@@ -31,6 +31,17 @@ https://www.x.org/wiki/Development/Documentation/SubmittingPatches +## Release 1.7.1 + +This is a bug fix release, including a security fix for +CVE-2021-31535, nls and documentation corrections. + + * Reject string longer than USHRT_MAX before sending them on the wire + * Fix out-of-bound access in KeySymToUcs4() + * nls: allow composing all breved letters also with a lowercase "u" + * nls: add 'C.utf8' as an alias for 'en_US.UTF-8' + * Nroff code fixes + * Comments fixes ## Release 1.7.0 diff -Nru libx11-1.7.0/src/Font.c libx11-1.7.1/src/Font.c --- libx11-1.7.0/src/Font.c 2020-11-20 20:08:11.000000000 +0100 +++ libx11-1.7.1/src/Font.c 2021-05-18 16:14:33.000000000 +0200 @@ -102,6 +102,8 @@ XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy); #endif + if (strlen(name) >= USHRT_MAX) + return NULL; if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0)) return font_result; LockDisplay(dpy); @@ -663,7 +665,7 @@ if (!name) return 0; l = (int) strlen(name); - if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-') + if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX) return 0; charset = NULL; /* next three lines stolen from _XkbGetCharset() */ diff -Nru libx11-1.7.0/src/FontInfo.c libx11-1.7.1/src/FontInfo.c --- libx11-1.7.0/src/FontInfo.c 2020-11-20 20:08:11.000000000 +0100 +++ libx11-1.7.1/src/FontInfo.c 2021-05-18 16:14:33.000000000 +0200 @@ -58,6 +58,9 @@ register xListFontsReq *req; int j; + if (strlen(pattern) >= USHRT_MAX) + return NULL; + LockDisplay(dpy); GetReq(ListFontsWithInfo, req); req->maxNames = maxNames; diff -Nru libx11-1.7.0/src/FontNames.c libx11-1.7.1/src/FontNames.c --- libx11-1.7.0/src/FontNames.c 2020-11-20 20:08:11.000000000 +0100 +++ libx11-1.7.1/src/FontNames.c 2021-05-18 16:14:33.000000000 +0200 
@@ -51,6 +51,9 @@ register xListFontsReq *req; unsigned long rlen = 0; + if (strlen(pattern) >= USHRT_MAX) + return NULL; + LockDisplay(dpy); GetReq(ListFonts, req); req->maxNames = maxNames; diff -Nru libx11-1.7.0/src/GetColor.c libx11-1.7.1/src/GetColor.c --- libx11-1.7.0/src/GetColor.c 2020-11-20 20:08:11.000000000 +0100 +++ libx11-1.7.1/src/GetColor.c 2021-05-18 16:14:33.000000000 +0200 @@ -27,6 +27,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> #endif +#include <limits.h> #include <stdio.h> #include "Xlibint.h" #include "Xcmsint.h" @@ -48,6 +49,9 @@ XcmsColor cmsColor_exact; Status ret; + if (strlen(colorname) >= USHRT_MAX) + return (0); + #ifdef XCMS /* * Let's Attempt to use Xcms and i18n approach to Parse Color diff -Nru libx11-1.7.0/src/LoadFont.c libx11-1.7.1/src/LoadFont.c --- libx11-1.7.0/src/LoadFont.c 2020-11-20 20:08:11.000000000 +0100 +++ libx11-1.7.1/src/LoadFont.c 2021-05-18 16:14:34.000000000 +0200 @@ -27,6 +27,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> #endif +#include <limits.h> #include "Xlibint.h" Font @@ -38,6 +39,9 @@ Font fid; register xOpenFontReq *req; + if (strlen(name) >= USHRT_MAX) + return (0); + if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid)) return fid; diff -Nru libx11-1.7.0/src/LookupCol.c libx11-1.7.1/src/LookupCol.c --- libx11-1.7.0/src/LookupCol.c 2020-11-20 20:08:11.000000000 +0100 +++ libx11-1.7.1/src/LookupCol.c 2021-05-18 16:14:34.000000000 +0200 @@ -27,6 +27,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> #endif +#include <limits.h> #include <stdio.h> #include "Xlibint.h" #include "Xcmsint.h" @@ -46,6 +47,9 @@ XcmsCCC ccc; XcmsColor cmsColor_exact; + n = (int) strlen (spec); + if (n >= USHRT_MAX) + return 0; #ifdef XCMS /* * Let's Attempt to use Xcms and i18n approach to Parse Color 
@@ -77,8 +81,6 @@ * Xcms and i18n methods failed, so lets pass it to the server * for parsing. */ - - n = (int) strlen (spec); LockDisplay(dpy); GetReq (LookupColor, req); req->cmap = cmap; diff -Nru libx11-1.7.0/src/ParseCol.c libx11-1.7.1/src/ParseCol.c --- libx11-1.7.0/src/ParseCol.c 2020-11-20 20:08:11.000000000 +0100 +++ libx11-1.7.1/src/ParseCol.c 2021-05-18 16:14:34.000000000 +0200 @@ -27,6 +27,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> #endif +#include <limits.h> #include <stdio.h> #include "Xlibint.h" #include "Xcmsint.h" @@ -47,6 +48,8 @@ if (!spec) return(0); n = (int) strlen (spec); + if (n >= USHRT_MAX) + return(0); if (*spec == '#') { /* * RGB diff -Nru libx11-1.7.0/src/QuExt.c libx11-1.7.1/src/QuExt.c --- libx11-1.7.0/src/QuExt.c 2020-11-20 20:08:11.000000000 +0100 +++ libx11-1.7.1/src/QuExt.c 2021-05-18 16:14:34.000000000 +0200 @@ -27,6 +27,8 @@ #ifdef HAVE_CONFIG_H #include <config.h> #endif +#include <limits.h> +#include <stdbool.h> #include "Xlibint.h" Bool @@ -40,6 +42,9 @@ xQueryExtensionReply rep; register xQueryExtensionReq *req; + if (strlen(name) >= USHRT_MAX) + return false; + LockDisplay(dpy); GetReq(QueryExtension, req); req->nbytes = name ? (CARD16) strlen(name) : 0; diff -Nru libx11-1.7.0/src/SetFPath.c libx11-1.7.1/src/SetFPath.c --- libx11-1.7.0/src/SetFPath.c 2020-11-20 20:08:11.000000000 +0100 +++ libx11-1.7.1/src/SetFPath.c 2021-05-18 16:14:34.000000000 +0200 @@ -26,6 +26,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> +#include <limits.h> #endif #include "Xlibint.h" @@ -49,6 +50,11 @@ req->nFonts = ndirs; for (i = 0; i < ndirs; i++) { n = (int) ((size_t) n + (safestrlen (directories[i]) + 1)); + if (n >= USHRT_MAX) { + UnlockDisplay(dpy); + SyncHandle(); + return 0; + } } nbytes = (n + 3) & ~3; req->length += nbytes >> 2; diff -Nru libx11-1.7.0/src/SetHints.c libx11-1.7.1/src/SetHints.c --- libx11-1.7.0/src/SetHints.c 2020-11-20 20:08:11.000000000 +0100 +++ libx11-1.7.1/src/SetHints.c 2021-05-18 16:14:34.000000000 +0200 
@@ -49,6 +49,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> #endif +#include <limits.h> #include <X11/Xlibint.h> #include <X11/Xutil.h> #include "Xatomtype.h" @@ -214,6 +215,8 @@ register char *buf, *bp; for (i = 0, nbytes = 0; i < argc; i++) { nbytes += safestrlen(argv[i]) + 1; + if (nbytes >= USHRT_MAX) + return 1; } if ((bp = buf = Xmalloc(nbytes))) { /* copy arguments into single buffer */ @@ -256,6 +259,8 @@ if (name != NULL) XStoreName (dpy, w, name); + if (safestrlen(icon_string) >= USHRT_MAX) + return 1; if (icon_string != NULL) { XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8, PropModeReplace, @@ -298,6 +303,8 @@ len_nm = safestrlen(classhint->res_name); len_cl = safestrlen(classhint->res_class); + if (len_nm + len_cl >= USHRT_MAX) + return 1; if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) { if (len_nm) { strcpy(s, classhint->res_name); diff -Nru libx11-1.7.0/src/StName.c libx11-1.7.1/src/StName.c --- libx11-1.7.0/src/StName.c 2020-11-20 20:08:11.000000000 +0100 +++ libx11-1.7.1/src/StName.c 2021-05-18 16:14:35.000000000 +0200 @@ -27,6 +27,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> #endif +#include <limits.h> #include <X11/Xlibint.h> #include <X11/Xatom.h> @@ -36,7 +37,9 @@ Window w, _Xconst char *name) { - return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, + if (strlen(name) >= USHRT_MAX) + return 0; + return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /* */ 8, PropModeReplace, (_Xconst unsigned char *)name, name ? (int) strlen(name) : 0); } @@ -47,6 +50,8 @@ Window w, _Xconst char *icon_name) { + if (strlen(icon_name) >= USHRT_MAX) + return 0; return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8, PropModeReplace, (_Xconst unsigned char *)icon_name, icon_name ? (int) strlen(icon_name) : 0); diff -Nru libx11-1.7.0/src/StNColor.c libx11-1.7.1/src/StNColor.c --- libx11-1.7.0/src/StNColor.c 2020-11-20 20:08:11.000000000 +0100 +++ libx11-1.7.1/src/StNColor.c 2021-05-18 16:14:35.000000000 +0200 
@@ -27,6 +27,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> #endif +#include <limits.h> #include <stdio.h> #include "Xlibint.h" #include "Xcmsint.h" @@ -46,6 +47,8 @@ XcmsColor cmsColor_exact; XColor scr_def; + if (strlen(name) >= USHRT_MAX) + return 0; #ifdef XCMS /* * Let's Attempt to use Xcms approach to Parse Color diff -Nru libx11-1.7.0/src/xlibi18n/imKStoUCS.c libx11-1.7.1/src/xlibi18n/imKStoUCS.c --- libx11-1.7.0/src/xlibi18n/imKStoUCS.c 2020-11-20 20:08:11.000000000 +0100 +++ libx11-1.7.1/src/xlibi18n/imKStoUCS.c 2021-05-18 16:14:36.000000000 +0200 @@ -285,7 +285,7 @@ return keysym_to_unicode_3a2_3fe[keysym - 0x3a2]; else if (keysym > 0x4a0 && keysym < 0x4e0) return keysym_to_unicode_4a1_4df[keysym - 0x4a1]; - else if (keysym > 0x589 && keysym < 0x5ff) + else if (keysym > 0x58f && keysym < 0x5ff) return keysym_to_unicode_590_5fe[keysym - 0x590]; else if (keysym > 0x67f && keysym < 0x700) return keysym_to_unicode_680_6ff[keysym - 0x680]; diff -Nru libx11-1.7.0/test-driver libx11-1.7.1/test-driver --- libx11-1.7.0/test-driver 2020-11-20 20:08:20.000000000 +0100 +++ libx11-1.7.1/test-driver 2021-05-18 16:14:46.000000000 +0200 @@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 2011-2020 Free Software Foundation, Inc. +# Copyright (C) 2011-2018 Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by
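Review bot: The new length checks in src/QuExt.c and in both src/StName.c hunks call `strlen()` on the argument unconditionally, but the unchanged lines right after them (`req->nbytes = name ? (CARD16) strlen(name) : 0;`, `name ? (int) strlen(name) : 0`, `icon_name ? (int) strlen(icon_name) : 0`) show that a NULL pointer was accepted before. A caller that passes NULL now faults inside the check instead of sending a zero-length string. Guard the check the same way the existing code does, for example `if (name && strlen(name) >= USHRT_MAX)`. Two smaller points in the same hunks: the first StName.c hunk leaves a stray `/* */` at the end of the `XChangeProperty(` line, and QuExt.c returns `false` from a function declared `Bool`, adding `<stdbool.h>` only for that, where Xlib's own `False` would do.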
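Review bot: In src/LookupCol.c, src/ParseCol.c and the second src/Font.c hunk the bound is tested on a value that has already been narrowed with `(int) strlen(...)` (`n >= USHRT_MAX`, `l >= USHRT_MAX`). A string longer than INT_MAX can become negative after the cast and pass the test, so the check does not cover every over-long input. Compare the `size_t` result of `strlen()` against USHRT_MAX first and only then assign it to the `int`, as the other files in this diff do with `strlen(name) >= USHRT_MAX`.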
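Review bot: In the first src/SetFPath.c hunk, `#include <limits.h>` is added between `#include <config.h>` and `#endif`, so it sits inside the `#ifdef HAVE_CONFIG_H` block and is only pulled in when that macro is defined. Every other file in this diff places the include after the `#endif`; do the same here so USHRT_MAX does not depend on the build configuration.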
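Review bot: In the second src/SetFPath.c hunk, the length check runs inside the loop that follows `req->nFonts = ndirs;`, so the request is already being built when the new branch unlocks the display and returns 0, and nothing in the hunk withdraws it. Summing the directory lengths and rejecting over-long input before the request is started would avoid leaving a request with `nFonts` set and no path data behind it.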
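Review bot: The three src/SetHints.c hunks reject over-long input with `return 1;`, while src/StName.c, src/GetColor.c and src/LoadFont.c return 0 for the same condition, so callers of these functions cannot tell a rejected string from success. In the hunk at `@@ -256,6 +259,8 @@` the check on `icon_string` also comes after `XStoreName (dpy, w, name);` has run, which means the window name is changed and the function then bails out with the rest of the properties unset. Validate all string arguments before the first property is written, and document what the return value means on rejection.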
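Review bot: The build helper hunks (compile, depcomp, install-sh, missing, test-driver) move backwards rather than forwards: the copyright lines go from 2020 to 2018, `compile` loses the `MSYS*` and `msys/*` cases, and `install-sh` drops the block that pre-creates `$dsttmp` read-write so that strip does not fail. The request attributes this to the autotools version used for the tarball, but the changelog entry does not mention it. It is worth stating in the request whether the package build regenerates these scripts, so the reviewer can confirm the older copies are never the ones executed.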