ChangeLog | 84 ++++++++++++++++++++++++++++++++++++++++ configure.ac | 2 debian/changelog | 10 ++++ debian/control | 12 ++--- debian/copyright | 2 debian/upstream/signing-key.asc | 64 ++++++++++++++++++++++++++++++ debian/watch | 2 src/XrrConfig.c | 32 +++++++++------ src/XrrCrtc.c | 83 ++++++++++++++++++++++++++++++--------- src/XrrMonitor.c | 25 ++++++++++- src/XrrOutput.c | 11 +++++ src/XrrProvider.c | 28 +++++++++++-- src/XrrScreen.c | 56 +++++++++++++++++--------- 13 files changed, 344 insertions(+), 67 deletions(-)
New commits: commit b195413968237dc5015c982e738838d087b70c2b Author: Andreas Boll <[email protected]> Date: Fri Oct 7 13:42:08 2016 +0200 Bump Standards-Version to 3.9.8, no changes needed. diff --git a/debian/changelog b/debian/changelog index 4e08f6d..0fb9c20 100644 --- a/debian/changelog +++ b/debian/changelog @@ -4,6 +4,7 @@ libxrandr (2:1.5.1-1) UNRELEASED; urgency=medium - Fixes CVE-2016-7947 and CVE-2016-7948. * Update d/upstream/signing-key.asc with Matthieu Herrb's key. * Update a bunch of URLs in packaging to https. + * Bump Standards-Version to 3.9.8, no changes needed. -- Andreas Boll <[email protected]> Fri, 07 Oct 2016 13:38:27 +0200 diff --git a/debian/control b/debian/control index 9b97265..510e461 100644 --- a/debian/control +++ b/debian/control @@ -17,7 +17,7 @@ Build-Depends: automake, libtool, xutils-dev (>= 1:7.5+4), -Standards-Version: 3.9.6 +Standards-Version: 3.9.8 Vcs-Git: https://anonscm.debian.org/git/pkg-xorg/lib/libxrandr.git Vcs-Browser: https://anonscm.debian.org/cgit/pkg-xorg/lib/libxrandr.git commit 0d5009c4d391b9aecdf5364d81d7bb103d7dfb08 Author: Andreas Boll <[email protected]> Date: Fri Oct 7 13:41:45 2016 +0200 Update a bunch of URLs in packaging to https. diff --git a/debian/changelog b/debian/changelog index 88b0347..4e08f6d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,7 @@ libxrandr (2:1.5.1-1) UNRELEASED; urgency=medium * New upstream release. - Fixes CVE-2016-7947 and CVE-2016-7948. * Update d/upstream/signing-key.asc with Matthieu Herrb's key. + * Update a bunch of URLs in packaging to https. -- Andreas Boll <[email protected]> Fri, 07 Oct 2016 13:38:27 +0200 diff --git a/debian/control b/debian/control index 3493e47..9b97265 100644 --- a/debian/control +++ b/debian/control 
@@ -18,8 +18,8 @@ Build-Depends: libtool, xutils-dev (>= 1:7.5+4), Standards-Version: 3.9.6 -Vcs-Git: git://git.debian.org/git/pkg-xorg/lib/libxrandr -Vcs-Browser: http://git.debian.org/?p=pkg-xorg/lib/libxrandr.git +Vcs-Git: https://anonscm.debian.org/git/pkg-xorg/lib/libxrandr.git +Vcs-Browser: https://anonscm.debian.org/cgit/pkg-xorg/lib/libxrandr.git Package: libxrandr2 Section: libs @@ -35,7 +35,7 @@ Description: X11 RandR extension library such as resolution, rotation, and reflection. . More information about X.Org can be found at: - <URL:http://www.X.org> + <URL:https://www.X.org> . This module can be found at git://anongit.freedesktop.org/git/xorg/lib/libXrandr @@ -57,7 +57,7 @@ Description: X11 RandR extension library (debug package) Non-developers likely have little use for this package. . More information about X.Org can be found at: - <URL:http://www.X.org> + <URL:https://www.X.org> . This module can be found at git://anongit.freedesktop.org/git/xorg/lib/libXrandr @@ -85,7 +85,7 @@ Description: X11 RandR extension library (development headers) libxrandr2. Non-developers likely have little use for this package. . More information about X.Org can be found at: - <URL:http://www.X.org> + <URL:https://www.X.org> . This module can be found at git://anongit.freedesktop.org/git/xorg/lib/libXrandr diff --git a/debian/copyright b/debian/copyright index 0cb8d6c..674e200 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,5 +1,5 @@ This package was downloaded from -http://xorg.freedesktop.org/releases/individual/lib/ +https://xorg.freedesktop.org/releases/individual/lib/ Copyright © 2000, Compaq Computer Corporation, Copyright © 2002, Hewlett Packard, Inc. diff --git a/debian/watch b/debian/watch index 673b481..b91c305 100644 --- a/debian/watch +++ b/debian/watch 
@@ -1,4 +1,4 @@ #git=git://anongit.freedesktop.org/xorg/lib/libXrandr version=3 opts=pgpsigurlmangle=s/$/.sig/ \ -http://xorg.freedesktop.org/releases/individual/lib/ libXrandr-(.*)\.tar\.gz +https://xorg.freedesktop.org/releases/individual/lib/ libXrandr-(.*)\.tar\.gz commit 0d44adf959c9c1370d5e25fabe9374859d78de62 Author: Andreas Boll <[email protected]> Date: Fri Oct 7 13:39:26 2016 +0200 Update d/upstream/signing-key.asc with Matthieu Herrb's key. diff --git a/debian/changelog b/debian/changelog index 9b827b9..88b0347 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,7 @@ libxrandr (2:1.5.1-1) UNRELEASED; urgency=medium * New upstream release. - Fixes CVE-2016-7947 and CVE-2016-7948. + * Update d/upstream/signing-key.asc with Matthieu Herrb's key. -- Andreas Boll <[email protected]> Fri, 07 Oct 2016 13:38:27 +0200 diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc index dfe9054..add0104 100644 --- a/debian/upstream/signing-key.asc +++ b/debian/upstream/signing-key.asc 
@@ -109,3 +109,67 @@ xjRzzOuOtaxMftMlZwRNXm1zh5CTzMOYpXeetPXrLwUOSF5VeN8AK//gGlbjZt1o iQyTzgz/F98QzHzNrRk8DdK4kxVkpvk= =G7Eh -----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFeKY50BEADAX0lod3IVceb/IWJn3kTAcO2P7PWlcBiyUDaq5b2kFkliKleZ +ec4LoCHakQBlkRBMPNwOOxvADNk3tLQjBDpbYr6lQIrN+AxMGkXBhJ82T3bsDvlj +3Z1wRJ1zVA7eMIktsk0FAoJxV1y7e3sBKcP0eTlXqXvR2djhi+FW+ueJDAJIFSkb +uFirgwtX5t8nt8jCmIl75KNUKOakoENY3hLWtr16W8fO1JGkEhghI2mXcz664KTd +MPZp6JH0/8UHTHzmATOCTqNxoDtMTi2l5059Lh/nhmso9moTYqyKmaJP2rnZUr62 +97sRMG4WcxaYfWpPyO3MCmDyGeh4sW0OC06PpED3i9xMzf/kMkMdY4ZIFcLRcPtf +LIJhw+lc/GE1Rqe961IB5xCgnZezB7ZIL+ZlOAMwKGkq7lLbcZr2QZn84lpABKF0 +AvxECoJ4etmIcdbDVmsw18AhA3u9sr98hS5IXDyeos3Xwz6Abml8aPrhqhkKvo+J +Kcq9FNYHg0RRlos0TqocjDzGnUjEYrmIopLcwIu2SnsNSJTygZGtqrpT+2sGEqvm +k6Oyk95QCa580zqldvxe3CG0vrAfPvoG7irllM68TS4JcqqDHTq6eupUv9ZdIzXf +eyTHa5cytGahgVtUcui1lzqcCBkqwN8TKl+0wCcEnxRasHJy3A2Gp+AG3wARAQAB +tCJNYXR0aGlldSBIZXJyYiA8bWF0dGhpZXVAaGVycmIuZXU+iQI+BBMBAgAoBQJX +imOdAhsDBQkDwmcABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBoc5PuN9Eo ++PF1EACldzZPNYaC9H5E9sMn9pMsJTucBYVUy74Aw6MWAiAzRpxb9DmySmC2oEYW +JJkwDTwv6M0Na0ed6zD79GKtAalORz2GppZpS7uoINClElWoM5TCYph6linyv9Wj +OTlcbpX0Jqw0tdHNI2UOEjvBP3vW9kVYpEhfnHET8Ncp55j1hzoqxOhGIBE/67zc +cLAenONAvA3YN3tHTGaOaFv+vuCFRJx9FpKbGHmdUPd3MtLqtaA4EQvDvDEholEI +eWrjmdXJibSet6Amc5AIdFaQevZiADjjMh8MINw/6OEy9OB4s+z1RzgOrHgLiIZm +dlP6WrNjXQwl2gmNPhctGaSHM+j2+3gckNGlI4LQYxNtKvI4iv/CoHDYmwgrcrZO +TwFHfqt0LwqjpsU203Hw609oWYcxLeGZdITBjDz20UcfsmKQDqrBq3P1FuC5GBW3 +5bEa3wAhyE+/WKhJ94bXiHmpKsp50va3bEe17uQcYd8+E8L53aR7XP87qaHx//Mu ++OQa5Wc2d1OFHf1Mi62nbzr7pws/Mf7OSf/tnhRthuwtlfYnsUVo8usUKL/xStqo +Ul4kc/Q81AlyaZfr7dbxsQWm2q3ksLaMaAxnk0p+kMXVzXZ9GKNOgUOJdbahORs5 +RU2f44xzfNavb63u3McADtaXskl+KHB4uDbGbGESVhm5PULk37QnTWF0dGhpZXUg +SGVycmIgPG1hdHRoaWV1LmhlcnJiQGxhYXMuZnI+iQI+BBMBAgAoBQJXlJ63AhsD +BQkDwmcABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBoc5PuN9Eo+PKID/wM +II+2d11clp1X7eZgkxkAHUhI2W3NSesuFnjkkQRKQoVMokDdeSOkBhMJuWoFfbZk 
+jYs2VHU9029rDqcoDSqGwo2IffvrXXJ4SjOTjlvXS1lr/H2VdWRbq8ImnDwSsoiD +dWB3dZyqzf7ABKZ7ccA+NMSs6NxeEN/0+0sTJ386Zp480ByNX0uPqYSq5lX/VEke +nI8r02u2ZfuykhGkT0sM013VprfYLa+6HvF+QT9KfP220mqRbonaDkYvCxwjCMzd +rUmvyqw3VsooUpg/W/PmDNeShSuOxebaGnFyGTNvTarElCBdynFD01dqOecOqfY8 +gy+PJ1aF1qjmf+RQD/SZq+gvgyXqyBhJy7zgJnzzNWzDlUIw0ZOLyZxzFR7lRV79 +2mrGgczlQr5rLAgBy2pgwsCmP7nFx50r4ft2juugnQixoOBU/YfhBplM76EROaCc +MTs5nPEqzJ9p4SNkPcK8AroR2Ka3+f7t+XOoHpx/XhJOBYlPaUmoFkWKr0Y8BWWh +1nJxyFKrSNbwUgam8ypZzwzbI1vDiX8Ol6NpEeOLwzFNT0pyTdC9UN93M1VIyKWC +1vaeMogUREKT6SmDjRn3fISktZ0IGVf2AnFMhtgZ46TJO4BZgDdZAjTkZc/lP0yF +Nl6MpGwnaymmL50ckT77OdlfIcXFwvNPFwWlFPlcyrkCDQRXimOdARAA4otssvZm +sKg+g0bVyJHhn/YOHLYMih+Xf07xJHyalH0UCGnGdHZwl0B97G950SwQ7yVXtGa9 +CAPe97clE6dPD6jaumQ13BHavXM+ThgjCe8V56ayYcdzqFkxlCx0Uocoa63G0/cE +TiOqeqhNZs8JY+D7l83jCa4lU/1pLusbkCpCQ7d5/FFLz7QSihzJWp+UTsjbNik5 +spaseEMGFRKUcB3SZ/l1dTgc0wBQ1hlvLX+h4/sG0iUs1pVpo5ORC+bUfWRokl96 +uj5QZz5rY21FaNSP1rB1HKHNkwhxifBCHQMhYGTXvD7GH+JNyF2TdRmo7eBCfAPJ +aP3mX9t2SkCipdSsUs+Uuyib9MLA71ApW90AGiRm6HtOCxR0c3+qQRNIdFVm8mnM +hCxXRexf6Z2wZdXXy6uY0LVRgI0o31NPJPk8l2Hnb/kHGxjyUFzEWh65J/eA368d +4m8uF+Rr7WWlpQjwgWHU12kGThEVFFBFh2gmeIjYZdDDVhCi2mQ6lGSV2Pt7pZYL +/PPChWLBqrVBkIUQ0GV22nRYvGdaIv2LVPu8PggbPs/wwh35nJ3rUQyJF55CFV5y +WIWAWXfRYTKG9jkt+ncjZLEBxDO26zzO/MjIVPZxGyYryXEOgr6xp38xbyX9FpjL +KBaIueLWEyphVjBb1uUpDGx+UDYe9vbJjPUAEQEAAYkCJQQYAQIADwUCV4pjnQIb +DAUJA8JnAAAKCRBoc5PuN9Eo+D8dEACa60Q3ta6BWyHG0SOgfYGHE15LodACVHNI +N6Ou+JtmLarMW/AvPclNC25mxZV0ywLbun4CnJ9qYbt/Kx7djn48mrNa0rKN8Q+V +K5RvQA1kD890yzwu5jH6r5BQ8VBcfsPvsvatgbquzFn+NNiH9U4xRf/9BSY2Zk3G +yA15xG0T9zoklOMg8MWbeRaJPkDELyaHPWerbO7rebynePENSFPz3o3g+K9WcCM2 +xkEL571SmT4z3Mp/p0pwemWBCP2WoKCnSjAGiiHpCFru3SlZhRIvNJyK5jeS/IU6 +d5qeTBse6TXzp6Q4xkzACIN66P5SG/YY3/ONbfs6wB3lIkvVC9n7jEXjMK1T0fK8 +9DBDjzvAkJcKLLuIljjkMhRWSCED74sn+MlaWm0xMeo276EnaVILNcrHecSr8+eX +pVXSWEJ1+ErzZladJC+CrqUm0QljPV8Smtmk9MvOLHZ4qL4bI4Hu7MywuGNrLSol +qO0pAT1AjaYTRuH2MhZ6mJe/EtSl0EHXEkcDteE4jbYj3lwVhA1c/So0CdayImmD 
+/0tdqUfekw4va8PpbQ0wroL0XUvf3wl6HOhFhahWSqqb1fVr2slVttkaMb8M4MPt +Ka2m4qiiuGYivPIAVapSEA4DYc+krVqVXV/yDd3T7XcNtnClVo+rmOn5WiGq24am +79+hF4bWyw== +=WW1Z +-----END PGP PUBLIC KEY BLOCK----- commit 3a0b5ca3a3af9bae8c203876430a679edaad4f15 Author: Andreas Boll <[email protected]> Date: Fri Oct 7 13:39:14 2016 +0200 Bump changelogs diff --git a/ChangeLog b/ChangeLog index c43ecd3..46edca6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,87 @@ +commit 54ac1eb5d14636002b018607227c6d52cca0b754 +Author: Matthieu Herrb <[email protected]> +Date: Tue Oct 4 21:23:23 2016 +0200 + + libXrandr 1.5.1 + + Signed-off-by: Matthieu Herrb <[email protected]> + +commit a0df3e1c7728205e5c7650b2e6dce684139254a6 +Author: Tobias Stoeckmann <[email protected]> +Date: Sun Sep 25 22:21:40 2016 +0200 + + Avoid out of boundary accesses on illegal responses + + The responses of the connected X server have to be properly checked + to avoid out of boundary accesses that could otherwise be triggered + by a malicious server. + + Signed-off-by: Tobias Stoeckmann <[email protected]> + Reviewed-by: Matthieu Herrb <[email protected]> + +commit 8ac94020b018105240ea45a87df2603d1eb5808b +Author: walter harms <[email protected]> +Date: Thu Jul 28 19:32:46 2016 +0200 + + fix: redundant null check on calling free() + + janitorial patch: remove some unneeded if() before free() + + Signed-off-by: Hans de Goede <[email protected]> + +commit 4ed36e386b21c1a65d614d5bf2b2c82d1e74ae2e +Author: walter harms <[email protected]> +Date: Thu Jul 28 19:31:10 2016 +0200 + + fix: doGetScreenResources() info: redundant null check on calling free() + + janitorial patch: remove some unneeded if() before free() + + 
Signed-off-by: Hans de Goede <[email protected]> + +commit 4437436906cbba5121115e552d564262e8b4c784 +Author: Keith Packard <[email protected]> +Date: Tue Dec 16 01:55:30 2014 -0800 + + Add monitors, update to version 1.5 (v2) + + v2: [airlied] + xrandr was giving the outputs from 0 for each monitor instead of + incrementing the pointer. + add get_active support. + + Reviewed-by: Dave Airlie <[email protected]> + Signed-off-by: Keith Packard <[email protected]> + +commit 7402eaa0185110a60cf4aae32d7b470c1372b45b +Author: Keith Packard <[email protected]> +Date: Tue Dec 16 17:05:18 2014 -0800 + + libXrandr: Clean up compiler warnings + + This removes warnings about shadowing local variables with the same + name, and type mismatches with _XRead32. + + Reviewed-by: Dave Airlie <[email protected]> + Signed-off-by: Keith Packard <[email protected]> + +commit bc00b4fb0b52ed2f6f8544fa3b5da9693ee7ed90 +Author: Michael Joost <[email protected]> +Date: Mon Nov 18 16:11:26 2013 +0100 + + Remove fallback for _XEatDataWords, require libX11 1.6 for it + + _XEatDataWords was orignally introduced with the May 2013 security + patches, and in order to ease the process of delivering those, + fallback versions of _XEatDataWords were included in the X extension + library patches so they could be applied to older versions that didn't + have libX11 1.6 yet. Now that we're past that hurdle, we can drop + the fallbacks and just require libX11 1.6 for building new versions + of the extension libraries. + + Reviewed-by: Alan Coopersmith <[email protected]> + Signed-off-by: Alan Coopersmith <[email protected]> + commit 30a7b506ae2071b8d265ce4eaeed1af60bc7ee7b Author: Alan Coopersmith <[email protected]> Date: Sat Sep 7 21:50:49 2013 -0700 diff --git a/debian/changelog b/debian/changelog index e5e4ed8..9b827b9 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,10 @@ +libxrandr (2:1.5.1-1) UNRELEASED; urgency=medium + + * New upstream release. + - Fixes CVE-2016-7947 and CVE-2016-7948. + + -- Andreas Boll <[email protected]> Fri, 07 Oct 2016 13:38:27 +0200 + libxrandr (2:1.5.0-1) sid; urgency=medium * New upstream release. commit 54ac1eb5d14636002b018607227c6d52cca0b754 Author: Matthieu Herrb <[email protected]> Date: Tue Oct 4 21:23:23 2016 +0200 libXrandr 1.5.1 Signed-off-by: Matthieu Herrb <[email protected]> diff --git a/configure.ac b/configure.ac index d0baa08..90621fc 100644 --- a/configure.ac +++ b/configure.ac @@ -29,7 +29,7 @@ AC_PREREQ([2.60]) # digit in the version number to track changes which don't affect the # protocol, so Xrandr version l.n.m corresponds to protocol version l.n # -AC_INIT([libXrandr], [1.5.0], +AC_INIT([libXrandr], [1.5.1], [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXrandr]) AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_HEADERS([config.h]) commit a0df3e1c7728205e5c7650b2e6dce684139254a6 Author: Tobias Stoeckmann <[email protected]> Date: Sun Sep 25 22:21:40 2016 +0200 Avoid out of boundary accesses on illegal responses The responses of the connected X server have to be properly checked to avoid out of boundary accesses that could otherwise be triggered by a malicious server. Signed-off-by: Tobias Stoeckmann <[email protected]> Reviewed-by: Matthieu Herrb <[email protected]> diff --git a/src/XrrConfig.c b/src/XrrConfig.c index 2f0282b..e68c45a 100644 --- a/src/XrrConfig.c +++ b/src/XrrConfig.c @@ -29,6 +29,7 @@ #include <config.h> #endif +#include <limits.h> #include <stdio.h> #include <X11/Xlib.h> /* we need to be able to manipulate the Display structure on events */ 
@@ -272,23 +273,30 @@ static XRRScreenConfiguration *_XRRGetScreenInfo (Display *dpy, rep.rate = 0; rep.nrateEnts = 0; } + if (rep.length < INT_MAX >> 2) { + nbytes = (long) rep.length << 2; - nbytes = (long) rep.length << 2; + nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) + + ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF(CARD16) */); - nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) + - ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF (CARD16) */); + /* + * first we must compute how much space to allocate for + * randr library's use; we'll allocate the structures in a single + * allocation, on cleanlyness grounds. + */ - /* - * first we must compute how much space to allocate for - * randr library's use; we'll allocate the structures in a single - * allocation, on cleanlyness grounds. - */ + rbytes = sizeof (XRRScreenConfiguration) + + (rep.nSizes * sizeof (XRRScreenSize) + + rep.nrateEnts * sizeof (int)); - rbytes = sizeof (XRRScreenConfiguration) + - (rep.nSizes * sizeof (XRRScreenSize) + - rep.nrateEnts * sizeof (int)); + scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes); + } else { + nbytes = 0; + nbytesRead = 0; + rbytes = 0; + scp = NULL; + } - scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes); if (scp == NULL) { _XEatData (dpy, (unsigned long) nbytes); return NULL; diff --git a/src/XrrCrtc.c b/src/XrrCrtc.c index 5ae35c5..6665092 100644 --- a/src/XrrCrtc.c +++ b/src/XrrCrtc.c @@ -24,6 +24,7 @@ #include <config.h> #endif +#include <limits.h> #include <stdio.h> #include <X11/Xlib.h> /* we need to be able to manipulate the Display structure on events */ 
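Review bot: In `_XRRGetScreenInfo`, a reply rejected by the new `rep.length < INT_MAX >> 2` test takes the `else` branch, which sets `nbytes = 0`, so the following `_XEatData (dpy, (unsigned long) nbytes)` drains nothing and the oversized reply stays queued on the connection. The other reject paths added in this commit drain by wire length, and the same call fits here: `_XEatDataWords (dpy, rep.length);`. Left as is, later requests on this display would presumably read leftover bytes of the rejected reply as their own answer. The function body starts and ends outside the hunk.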
@@ -57,22 +58,33 @@ XRRGetCrtcInfo (Display *dpy, XRRScreenResources *resources, RRCrtc crtc) return NULL; } - nbytes = (long) rep.length << 2; + if (rep.length < INT_MAX >> 2) + { + nbytes = (long) rep.length << 2; - nbytesRead = (long) (rep.nOutput * 4 + - rep.nPossibleOutput * 4); + nbytesRead = (long) (rep.nOutput * 4 + + rep.nPossibleOutput * 4); - /* - * first we must compute how much space to allocate for - * randr library's use; we'll allocate the structures in a single - * allocation, on cleanlyness grounds. - */ + /* + * first we must compute how much space to allocate for + * randr library's use; we'll allocate the structures in a single + * allocation, on cleanlyness grounds. + */ - rbytes = (sizeof (XRRCrtcInfo) + - rep.nOutput * sizeof (RROutput) + - rep.nPossibleOutput * sizeof (RROutput)); + rbytes = (sizeof (XRRCrtcInfo) + + rep.nOutput * sizeof (RROutput) + + rep.nPossibleOutput * sizeof (RROutput)); + + xci = (XRRCrtcInfo *) Xmalloc(rbytes); + } + else + { + nbytes = 0; + nbytesRead = 0; + rbytes = 0; + xci = NULL; + } - xci = (XRRCrtcInfo *) Xmalloc(rbytes); if (xci == NULL) { _XEatDataWords (dpy, rep.length); UnlockDisplay (dpy); @@ -194,12 +206,21 @@ XRRGetCrtcGamma (Display *dpy, RRCrtc crtc) if (!_XReply (dpy, (xReply *) &rep, 0, xFalse)) goto out; - nbytes = (long) rep.length << 2; + if (rep.length < INT_MAX >> 2) + { + nbytes = (long) rep.length << 2; - /* three channels of CARD16 data */ - nbytesRead = (rep.size * 2 * 3); + /* three channels of CARD16 data */ + nbytesRead = (rep.size * 2 * 3); - crtc_gamma = XRRAllocGamma (rep.size); + crtc_gamma = XRRAllocGamma (rep.size); + } + else + { + nbytes = 0; + nbytesRead = 0; + crtc_gamma = NULL; + } if (!crtc_gamma) { @@ -357,7 +378,7 @@ XRRGetCrtcTransform (Display *dpy, xRRGetCrtcTransformReq *req; int major_version, minor_version; XRRCrtcTransformAttributes *attr; - char *extra = NULL, *e; + char *extra = NULL, *end = NULL, *e; int p; *attributes = NULL; 
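Review bot: The length guard in `XRRGetCrtcInfo` is written as an accept test, `rep.length < INT_MAX >> 2`, while `XRRGetMonitors`, `XRRGetOutputInfo` and `XRRGetProviderInfo` in the same commit use a reject test, `rep.length > INT_MAX >> 2`, so the boundary value `INT_MAX >> 2` is refused here and accepted there. Both spellings keep `rep.length << 2` in range, but a single form shared by all callers would make the series easier to audit; `_XRRGetScreenInfo`, `XRRGetCrtcGamma`, `XRRGetProviderResources` and `doGetScreenResources` repeat the accept form. A short comment at the test would also help the next reader: `/* rep.length counts 4-byte units; refuse values whose byte size would not fit in an int */`. The function continues outside the hunk.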
@@ -395,9 +416,17 @@ XRRGetCrtcTransform (Display *dpy, else { int extraBytes = rep.length * 4 - CrtcTransformExtra; - extra = Xmalloc (extraBytes); + if (rep.length < INT_MAX / 4 && + rep.length * 4 >= CrtcTransformExtra) { + extra = Xmalloc (extraBytes); + end = extra + extraBytes; + } else + extra = NULL; if (!extra) { - _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2)); + if (rep.length > (CrtcTransformExtra >> 2)) + _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2)); + else + _XEatDataWords (dpy, rep.length); UnlockDisplay (dpy); SyncHandle (); return False; @@ -429,22 +458,38 @@ XRRGetCrtcTransform (Display *dpy, e = extra; + if (e + rep.pendingNbytesFilter > end) { + XFree (extra); + return False; + } memcpy (attr->pendingFilter, e, rep.pendingNbytesFilter); attr->pendingFilter[rep.pendingNbytesFilter] = '\0'; e += (rep.pendingNbytesFilter + 3) & ~3; for (p = 0; p < rep.pendingNparamsFilter; p++) { INT32 f; + if (e + 4 > end) { + XFree (extra); + return False; + } memcpy (&f, e, 4); e += 4; attr->pendingParams[p] = (XFixed) f; } attr->pendingNparams = rep.pendingNparamsFilter; + if (e + rep.currentNbytesFilter > end) { + XFree (extra); + return False; + } memcpy (attr->currentFilter, e, rep.currentNbytesFilter); attr->currentFilter[rep.currentNbytesFilter] = '\0'; e += (rep.currentNbytesFilter + 3) & ~3; for (p = 0; p < rep.currentNparamsFilter; p++) { INT32 f; + if (e + 4 > end) { + XFree (extra); + return False; + } memcpy (&f, e, 4); e += 4; attr->currentParams[p] = (XFixed) f; diff --git a/src/XrrMonitor.c b/src/XrrMonitor.c index a9eaa7b..adc5330 100644 --- a/src/XrrMonitor.c +++ b/src/XrrMonitor.c @@ -24,6 +24,7 @@ #include <config.h> #endif +#include <limits.h> #include <stdio.h> #include <X11/Xlib.h> /* we need to be able to manipulate the Display structure on events */ 
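Review bot: In `XRRGetCrtcTransform`, `extraBytes` is still computed from the unchecked `rep.length * 4 - CrtcTransformExtra` before the new range test, and `end = extra + extraBytes` is evaluated before `extra` is tested for NULL. Neither value is used on the failure path, but the unsigned subtraction can wrap before it is converted to `int`, and arithmetic on a null pointer is undefined behaviour. Computing the size only inside the validated branch, `extraBytes = rep.length * 4 - CrtcTransformExtra;` followed by `extra = Xmalloc (extraBytes);`, and assigning `end = extra + extraBytes;` after the `if (!extra)` block avoids both. The enclosing block starts outside the hunk.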
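Review bot: The four new early exits in `XRRGetCrtcTransform` release only `extra` before `return False`, although `attr` is already being written through at this point. If `attr` was allocated earlier in the function (outside this hunk), each of these paths leaks it, and `XFree (attr);` next to `XFree (extra);` would close that. The checks also form `e + n` before comparing it with `end`, which steps past the allocation in exactly the case being rejected; comparing sizes keeps the arithmetic in bounds: `if (rep.pendingNbytesFilter > end - e)`, and likewise `if (end - e < 4)` inside the two parameter loops.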
@@ -65,6 +66,15 @@ XRRGetMonitors(Display *dpy, Window window, Bool get_active, int *nmonitors) return NULL; } + if (rep.length > INT_MAX >> 2 || + rep.nmonitors > INT_MAX / SIZEOF(xRRMonitorInfo) || + rep.noutputs > INT_MAX / 4 || + rep.nmonitors * SIZEOF(xRRMonitorInfo) > INT_MAX - rep.noutputs * 4) { + _XEatData (dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + return NULL; + } nbytes = (long) rep.length << 2; nmon = rep.nmonitors; noutput = rep.noutputs; @@ -111,6 +121,14 @@ XRRGetMonitors(Display *dpy, Window window, Bool get_active, int *nmonitors) mon[m].outputs = output; buf += SIZEOF (xRRMonitorInfo); xoutput = (CARD32 *) buf; + if (xmon->noutput > rep.noutputs) { + Xfree(buf); + Xfree(mon); + UnlockDisplay (dpy); + SyncHandle (); + return NULL; + } + rep.noutputs -= xmon->noutput; for (o = 0; o < xmon->noutput; o++) output[o] = xoutput[o]; output += xmon->noutput; diff --git a/src/XrrOutput.c b/src/XrrOutput.c index 85f0b6e..30f3d40 100644 --- a/src/XrrOutput.c +++ b/src/XrrOutput.c @@ -25,6 +25,7 @@ #include <config.h> #endif +#include <limits.h> #include <stdio.h> #include <X11/Xlib.h> /* we need to be able to manipulate the Display structure on events */ @@ -60,6 +61,16 @@ XRRGetOutputInfo (Display *dpy, XRRScreenResources *resources, RROutput output) return NULL; } + if (rep.length > INT_MAX >> 2 || rep.length < (OutputInfoExtra >> 2)) + { + if (rep.length > (OutputInfoExtra >> 2)) + _XEatDataWords (dpy, rep.length - (OutputInfoExtra >> 2)); + else + _XEatDataWords (dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + return NULL; + } nbytes = ((long) (rep.length) << 2) - OutputInfoExtra; nbytesRead = (long) (rep.nCrtcs * 4 + diff --git a/src/XrrProvider.c b/src/XrrProvider.c index 9e620c7..d796cd0 100644 --- a/src/XrrProvider.c +++ b/src/XrrProvider.c @@ -25,6 +25,7 @@ #include <config.h> #endif +#include <limits.h> #include <stdio.h> #include <X11/Xlib.h> /* we need to be able to manipulate the Display structure on events */ 
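Review bot: The new reject path in `XRRGetMonitors` calls `_XEatData (dpy, rep.length)`, but `_XEatData` takes a byte count while `rep.length` is in 4-byte units (the next line computes `nbytes = (long) rep.length << 2`), so only a quarter of the rejected reply is drained. The allocation-failure path of this same function and the other reject paths in this commit use the word-based call, which is what this line should be as well: `_XEatDataWords (dpy, rep.length);`. The function continues outside the hunk.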
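Review bot: The added bail-out in the monitor loop calls `Xfree(buf)` after `buf` has been advanced by `buf += SIZEOF (xRRMonitorInfo)` on the line above, so the pointer handed to the allocator is no longer the one that was allocated. Unless the base address is kept somewhere outside this hunk, this is an invalid free on exactly the malformed-reply path the check is meant to make safe. Saving the base at allocation time, for example `char *buf_head = buf;`, and calling `Xfree(buf_head);` here fixes it. `rep.noutputs` is also reused as the running budget; a local counter would leave the reply field intact. The loop starts and ends outside the hunk.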
@@ -59,12 +60,20 @@ XRRGetProviderResources(Display *dpy, Window window) return NULL; } - nbytes = (long) rep.length << 2; + if (rep.length < INT_MAX >> 2) { + nbytes = (long) rep.length << 2; - nbytesRead = (long) (rep.nProviders * 4); + nbytesRead = (long) (rep.nProviders * 4); - rbytes = (sizeof(XRRProviderResources) + rep.nProviders * sizeof(RRProvider)); - xrpr = (XRRProviderResources *) Xmalloc(rbytes); + rbytes = (sizeof(XRRProviderResources) + rep.nProviders * + sizeof(RRProvider)); + xrpr = (XRRProviderResources *) Xmalloc(rbytes); + } else { + nbytes = 0; + nbytesRead = 0; + rbytes = 0; + xrpr = NULL; + } if (xrpr == NULL) { _XEatDataWords (dpy, rep.length); @@ -121,6 +130,17 @@ XRRGetProviderInfo(Display *dpy, XRRScreenResources *resources, RRProvider provi return NULL; } + if (rep.length > INT_MAX >> 2 || rep.length < ProviderInfoExtra >> 2) + { + if (rep.length < ProviderInfoExtra >> 2) + _XEatDataWords (dpy, rep.length); + else + _XEatDataWords (dpy, rep.length - (ProviderInfoExtra >> 2)); + UnlockDisplay (dpy); + SyncHandle (); + return NULL; + } + nbytes = ((long) rep.length << 2) - ProviderInfoExtra; nbytesRead = (long)(rep.nCrtcs * 4 + diff --git a/src/XrrScreen.c b/src/XrrScreen.c index b8ce7e5..1f7ffe6 100644 --- a/src/XrrScreen.c +++ b/src/XrrScreen.c @@ -24,6 +24,7 @@ #include <config.h> #endif +#include <limits.h> #include <stdio.h> #include <X11/Xlib.h> /* we need to be able to manipulate the Display structure on events */ 
@@ -105,27 +106,36 @@ doGetScreenResources (Display *dpy, Window window, int poll) xrri->has_rates = _XRRHasRates (xrri->minor_version, xrri->major_version); } - nbytes = (long) rep.length << 2; + if (rep.length < INT_MAX >> 2) { + nbytes = (long) rep.length << 2; - nbytesRead = (long) (rep.nCrtcs * 4 + - rep.nOutputs * 4 + - rep.nModes * SIZEOF (xRRModeInfo) + - ((rep.nbytesNames + 3) & ~3)); + nbytesRead = (long) (rep.nCrtcs * 4 + + rep.nOutputs * 4 + + rep.nModes * SIZEOF (xRRModeInfo) + + ((rep.nbytesNames + 3) & ~3)); - /* - * first we must compute how much space to allocate for - * randr library's use; we'll allocate the structures in a single - * allocation, on cleanlyness grounds. - */ + /* + * first we must compute how much space to allocate for + * randr library's use; we'll allocate the structures in a single + * allocation, on cleanlyness grounds. + */ + + rbytes = (sizeof (XRRScreenResources) + + rep.nCrtcs * sizeof (RRCrtc) + + rep.nOutputs * sizeof (RROutput) + + rep.nModes * sizeof (XRRModeInfo) + + rep.nbytesNames + rep.nModes); /* '\0' terminate names */ - rbytes = (sizeof (XRRScreenResources) + - rep.nCrtcs * sizeof (RRCrtc) + - rep.nOutputs * sizeof (RROutput) + - rep.nModes * sizeof (XRRModeInfo) + - rep.nbytesNames + rep.nModes); /* '\0' terminate names */ + xrsr = (XRRScreenResources *) Xmalloc(rbytes); + wire_names = (char *) Xmalloc (rep.nbytesNames); + } else { + nbytes = 0; + nbytesRead = 0; + rbytes = 0; + xrsr = NULL; + wire_names = NULL; + } - xrsr = (XRRScreenResources *) Xmalloc(rbytes); - wire_names = (char *) Xmalloc (rep.nbytesNames); if (xrsr == NULL || wire_names == NULL) { Xfree (xrsr); Xfree (wire_names); 
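Review bot: `nbytesRead` in `doGetScreenResources` is built only from the counts in the reply (`rep.nCrtcs`, `rep.nOutputs`, `rep.nModes`, `rep.nbytesNames`), and nothing in this hunk compares it with `nbytes`, which comes from `rep.length`. If the code after the hunk does not do so either, a reply whose counts claim more data than its declared length would make the reads run past the end of that reply on the connection. A guard placed with the allocation check, `if (nbytesRead > nbytes)` followed by the same free, eat and unlock cleanup, would tie the two values together. The same pairing of `nbytes` and `nbytesRead` appears in `_XRRGetScreenInfo`, `XRRGetCrtcInfo`, `XRRGetCrtcGamma` and `XRRGetProviderResources`. The function continues outside the hunk.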
@@ -174,6 +184,14 @@ doGetScreenResources (Display *dpy, Window window, int poll) wire_name = wire_names; for (i = 0; i < rep.nModes; i++) { xrsr->modes[i].name = names; + if (xrsr->modes[i].nameLength > rep.nbytesNames) { + Xfree (xrsr); + Xfree (wire_names); + UnlockDisplay (dpy); + SyncHandle (); + return NULL; + } + rep.nbytesNames -= xrsr->modes[i].nameLength; memcpy (names, wire_name, xrsr->modes[i].nameLength); names[xrsr->modes[i].nameLength] = '\0'; names += xrsr->modes[i].nameLength + 1; commit 8ac94020b018105240ea45a87df2603d1eb5808b Author: walter harms <[email protected]> Date: Thu Jul 28 19:32:46 2016 +0200 fix: redundant null check on calling free() janitorial patch: remove some unneeded if() before free() Signed-off-by: Hans de Goede <[email protected]> diff --git a/src/XrrMonitor.c b/src/XrrMonitor.c index 71d3943..a9eaa7b 100644 --- a/src/XrrMonitor.c +++ b/src/XrrMonitor.c @@ -84,8 +84,8 @@ XRRGetMonitors(Display *dpy, Window window, Bool get_active, int *nmonitors) mon = Xmalloc (rbytes); if (buf == NULL || mon == NULL) { - if (buf != NULL) Xfree(buf); - if (mon != NULL) Xfree(mon); + Xfree(buf); + Xfree(mon); _XEatDataWords (dpy, rep.length); UnlockDisplay (dpy); SyncHandle (); @@ -194,7 +194,6 @@ XRRAllocateMonitor(Display *dpy, int noutput) void XRRFreeMonitors(XRRMonitorInfo *monitors) { - if (monitors) - Xfree(monitors); + Xfree(monitors); } commit 4ed36e386b21c1a65d614d5bf2b2c82d1e74ae2e Author: walter harms <[email protected]> Date: Thu Jul 28 19:31:10 2016 +0200 fix: doGetScreenResources() info: redundant null check on calling free() janitorial patch: remove some unneeded if() before free() Signed-off-by: Hans de Goede <[email protected]> diff --git a/src/XrrScreen.c b/src/XrrScreen.c index f29071c..b8ce7e5 100644 --- a/src/XrrScreen.c +++ b/src/XrrScreen.c 
@@ -127,8 +127,8 @@ doGetScreenResources (Display *dpy, Window window, int poll) xrsr = (XRRScreenResources *) Xmalloc(rbytes); wire_names = (char *) Xmalloc (rep.nbytesNames); if (xrsr == NULL || wire_names == NULL) { - if (xrsr) Xfree (xrsr); - if (wire_names) Xfree (wire_names); + Xfree (xrsr); + Xfree (wire_names); _XEatDataWords (dpy, rep.length); UnlockDisplay (dpy); SyncHandle ();

