configure.ac | 10 ++-------- doc/libXrender.txt | 5 ++++- src/Filter.c | 13 ++++++++++++- src/Glyph.c | 2 +- src/Xrender.c | 18 ++++++++++++++++++ src/Xrenderint.h | 14 -------------- 6 files changed, 37 insertions(+), 25 deletions(-)
New commits:
commit 845716f8f14963d338e5a8d5d2424baafc90fb30
Author: Matthieu Herrb <[email protected]>
Date: Tue Oct 4 21:24:55 2016 +0200
libXrender 0.9.10
Signed-off-by: Matthieu Herrb <[email protected]>
diff --git a/configure.ac b/configure.ac
index ff83023..e5b82b1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -29,7 +29,7 @@ AC_PREREQ([2.60])
 # digit in the version number to track changes which don't affect the
 # protocol, so Xrender version l.n.m corresponds to protocol version l.n
 #
-AC_INIT(libXrender, [0.9.9],
+AC_INIT(libXrender, [0.9.10],
 [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXrender])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS([config.h])
commit 9362c7ddd1af3b168953d0737877bc52d79c94f4
Author: Tobias Stoeckmann <[email protected]>
Date: Sun Sep 25 21:43:09 2016 +0200
Validate lengths while parsing server data. Individual lengths inside received server data can overflow the previously reserved memory. It is therefore important to validate every single length field to not overflow the previously agreed sum of all invidual length fields. v2: consume remaining bytes in the reply buffer on error.
Signed-off-by: Tobias Stoeckmann <[email protected]>
Reviewed-by: Matthieu [email protected]
diff --git a/src/Xrender.c b/src/Xrender.c
index 3102eb2..71cf3e6 100644
--- a/src/Xrender.c
+++ b/src/Xrender.c
@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy)
 screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
 screen->subpixel = SubPixelUnknown;
 xDepth = (xPictDepth *) (xScreen + 1);
+ if (screen->ndepths > rep.numDepths) {
+ Xfree (xri);
+ Xfree (xData);
+ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return 0;
+ }
+ rep.numDepths -= screen->ndepths;
 for (nd = 0; nd < screen->ndepths; nd++)
 {
 depth->depth = xDepth->depth;
 depth->nvisuals = xDepth->nPictVisuals;
 depth->visuals = visual;
 xVisual = (xPictVisual *) (xDepth + 1);
+ if (depth->nvisuals > rep.numVisuals) {
+ Xfree (xri);
+ Xfree (xData);
+ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return 0;
+ }
+ rep.numVisuals -= depth->nvisuals;
 for (nv = 0; nv < depth->nvisuals; nv++)
 {
 visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
commit 8fad00b0b647ee662ce4737ca15be033b7a21714
Author: Tobias Stoeckmann <[email protected]>
Date: Sun Sep 25 21:42:09 2016 +0200
Avoid OOB write in XRenderQueryFilters The memory for filter names is reserved right after receiving the reply. After that, filters are iterated and each individual filter name is stored in that reserved memory. The individual name lengths are not checked for validity, which means that a malicious server can reserve less memory than it will write to during each iteration. v2: consume remaining bytes in reply buffer on error.
Signed-off-by: Tobias Stoeckmann <[email protected]>
Reviewed-by: Matthieu Herrb <[email protected]>
diff --git a/src/Filter.c b/src/Filter.c
index edfa572..8d701eb 100644
--- a/src/Filter.c
+++ b/src/Filter.c
@@ -38,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
 char *name;
 char len;
 int i;
- unsigned long nbytes, nbytesAlias, nbytesName;
+ unsigned long nbytes, nbytesAlias, nbytesName, reply_left;
 if (!RenderHasExtension (info))
 return NULL;
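Review bot: In the XRenderQueryFormats hunk of src/Xrender.c, both new bail-outs call `_XEatDataWords (dpy, rep.length);` even though the loop is already walking `xScreen`, `xDepth` and `xVisual` inside the `xData` buffer, which suggests the reply body was read before this point (the read itself is outside the hunk, as are the start and end of the function). If so, nothing of this reply is left to discard, and the call would block waiting for data or consume the beginning of the next reply, so a malformed reply could stall or desynchronise the client instead of failing cleanly. Assuming that reading is confirmed, I would drop the `_XEatDataWords` line from both branches and keep the `Xfree`/`UnlockDisplay`/`SyncHandle`/`return 0` sequence. The two branches are otherwise identical, so a shared cleanup label would keep them from drifting apart.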
@@ -114,6 +114,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
 * Read the filter aliases
 */
 _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases);
+ reply_left = 8 + rep.length - 2 * rep.numAliases;;
 /*
 * Read the filter names
@@ -122,9 +123,19 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
 {
 int l;
 _XRead (dpy, &len, 1);
+ reply_left--;
 l = len & 0xff;
+ if ((unsigned long)l + 1 > nbytesName) {
+ _XEatDataWords(dpy, reply_left);
+ Xfree(filters);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
+ }
+ nbytesName -= l + 1;
 filters->filter[i] = name;
 _XRead (dpy, name, l);
+ reply_left -= l;
 name[l] = '\0';
 name += l + 1;
 }
commit b2df5bc42f64b45e44dbad61f3386bcb5ec1383d
Author: Lauri Kasanen <[email protected]>
Date: Mon May 18 19:41:03 2015 +0300
Fix documentation to explicitly mention premultiplied alpha Before this patch, it wasn't mentioned in this file at all, which is a monumental oversight.
Signed-off-by: Lauri Kasanen <[email protected]>
diff --git a/doc/libXrender.txt b/doc/libXrender.txt
index 27cc75d..753ee98 100644
--- a/doc/libXrender.txt
+++ b/doc/libXrender.txt
@@ -84,7 +84,8 @@ as a separate argument which marks the valid entries.
 2.4 Colors
 The core protocol XColor type doesn't include an alpha component, so Xrender
-has a separate type.
+has a separate type. Note that XRender expects premultiplied alpha in all
+cases except with the gradient operations.
 typedef struct {
 unsigned short red;
@@ -526,6 +527,8 @@ conceptually built.
 7.1 Composite
 XRenderComposite exposes the RenderComposite protocol request directly.
+If a format with alpha is used, make sure it is premultiplied into the
+color channels.
 void XRenderComposite (Display *dpy,
commit bb890936bcc6053cb7a46cd9225c257ff1be389f
Author: Alan Coopersmith <[email protected]>
Date: Thu Apr 30 22:29:55 2015 -0700
libXrender 0.9.9
Signed-off-by: Alan Coopersmith <[email protected]>
diff --git a/configure.ac b/configure.ac
index b5726f0..ff83023 100644
--- a/configure.ac
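Review bot: In src/Filter.c `reply_left` mixes units: it is initialised from `rep.length` (hunk at -114), which the Xrender.c change in this series hands directly to `_XEatDataWords` as a count of 4-byte words, but it then has the byte counts `2 * rep.numAliases`, `1` and `l` subtracted and is passed to `_XEatDataWords(dpy, reply_left)` in the new error branch (hunk at -122). The amount discarded after a bad name length may therefore not match what is still pending, leaving the connection out of sync or the client blocked. Keeping the remainder in bytes from the start (`rep.length << 2` rather than `rep.length`, with the pad bytes `_XRead16Pad` consumes also accounted for) and discarding with a byte-counted call would make it consistent; the `8 +` term and the code after the loop are outside these hunks and need checking. The doubled `;;` on the `reply_left =` line should lose one semicolon. XRenderQueryFilters starts and ends outside both hunks.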
+++ b/configure.ac
@@ -29,7 +29,7 @@ AC_PREREQ([2.60])
 # digit in the version number to track changes which don't affect the
 # protocol, so Xrender version l.n.m corresponds to protocol version l.n
 #
-AC_INIT(libXrender, [0.9.8],
+AC_INIT(libXrender, [0.9.9],
 [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXrender])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS([config.h])
commit 7887382e59b7a06d6b02501205d543fdf76c8249
Author: Clemens Eisserer <[email protected]>
Date: Sat Nov 23 22:15:52 2013 -0800
Fix request length calculation for XRenderCompositeText32 Request length calculation inside XRenderCompositeText32 is broken for the case where the number of glyphs fits exactky inside the last xGlyphElt. In XRenderCompositeText8 and XRenderCompositeText16 this case is handled properly, somehow the "-1" got missing in XRenderCompositeText32.
Reviewed-by: Keith Packard <[email protected]>
diff --git a/src/Glyph.c b/src/Glyph.c
index dbeb77e..48e40c3 100644
--- a/src/Glyph.c
+++ b/src/Glyph.c
@@ -665,7 +665,7 @@ XRenderCompositeText32 (Display *dpy,
 len += (SIZEOF (xGlyphElt) + 4) >> 2;
 }
 nchars = elts[i].nchars;
- elen = SIZEOF(xGlyphElt) * ((nchars + MAX_32) / MAX_32) + nchars *4;
+ elen = SIZEOF(xGlyphElt) * ((nchars + MAX_32-1) / MAX_32) + nchars *4;
 len += (elen + 3) >> 2;
 }
commit 2222b0fbff96b9f0324bb1e2f56416c84be23c3b
Author: Michael Joost <[email protected]>
Date: Mon Nov 18 16:11:26 2013 +0100
Remove fallback for _XEatDataWords, require libX11 1.6 for it _XEatDataWords was orignally introduced with the May 2013 security patches, and in order to ease the process of delivering those, fallback versions of _XEatDataWords were included in the X extension library patches so they could be applied to older versions that didn't have libX11 1.6 yet. Now that we're past that hurdle, we can drop the fallbacks and just require libX11 1.6 for building new versions of the extension libraries.
Reviewed-by: Alan Coopersmith <[email protected]>
Signed-off-by: Alan Coopersmith <[email protected]>
diff --git a/configure.ac b/configure.ac
index 4e6b271..b5726f0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -56,13 +56,7 @@ RENDER_VERSION=[`echo $VERSION | sed 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/'`]
 AC_SUBST(RENDER_VERSION)
 # Obtain compiler/linker options for depedencies
-PKG_CHECK_MODULES(RENDER, x11 renderproto >= $RENDER_VERSION)
-
-# Check for _XEatDataWords function that may be patched into older Xlib release
-SAVE_LIBS="$LIBS"
-LIBS="$RENDER_LIBS"
-AC_CHECK_FUNCS([_XEatDataWords])
-LIBS="$SAVE_LIBS"
+PKG_CHECK_MODULES(RENDER, [x11 >= 1.6] renderproto >= $RENDER_VERSION)
 AC_CONFIG_FILES([Makefile
 src/Makefile
diff --git a/src/Xrenderint.h b/src/Xrenderint.h
index daaa6fe..57b13da 100644
--- a/src/Xrenderint.h
+++ b/src/Xrenderint.h
@@ -109,18 +109,4 @@ XRenderFindDisplay (Display *dpy);
 #define DataInt32(dpy,d,len) Data(dpy,(char *) (d),len)
 #endif
-#ifndef HAVE__XEATDATAWORDS
-#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */
-#include <limits.h>
-
-static inline void _XEatDataWords(Display *dpy, unsigned long n)
-{
-# ifndef LONG64
- if (n >= (ULONG_MAX >> 2))
- _XIOError(dpy);
-# endif
- _XEatData (dpy, n << 2);
-}
-#endif
-
 #endif /* _XRENDERINT_H_ */

