Timo Aaltonen pushed to branch upstream-unstable at X Strike Force / lib / libx11
Commits: 93fce3f4 by Yichao Yu at 2020-08-02T13:43:58-04:00 Fix size calculation in `_XimAttributeToValue`. The check here guards the read below. For `XimType_XIMStyles`, these are `num` of `CARD32` and for `XimType_XIMHotKeyTriggers` these are `num` of `XIMTRIGGERKEY` ref[1] which is defined as 3 x `CARD32`. (There are data after the `XIMTRIGGERKEY` according to the spec but they are not read by this function and doesn't need to be checked.) The old code here used the native datatype size instead of the wire protocol size causing the check to always fail. Also fix the size calculation for the header (size). It is 2 x CARD16 for both types despite the unused `CARD16` for `XimType_XIMStyles`. [1] https://www.x.org/releases/X11R7.6/doc/libX11/specs/XIM/xim.html#Input_Method_Styles This fixes a regression caused by 388b303c62aa35a245f1704211a023440ad2c488 in 1.6.10. Fix #116 - - - - - 0d8f038d by Alan Coopersmith at 2020-08-06T08:07:57-07:00 libX11 1.6.11 Signed-off-by: Alan Coopersmith <[email protected]> - - - - - 29a8251a by Felix Yan at 2020-08-06T17:23:53+00:00 Correct a typo in GetStCmap.c - - - - - 780d2223 by Christopher Chavez at 2020-08-10T17:08:39+00:00 Fix typo GCCLipYOrigin -> GCClipYOrigin in XCreateGC() manpage - - - - - 6dd618e5 by Maya Rashish at 2020-08-15T00:48:56+03:00 Avoid the use of "register" keyword in XkbTranslateKeySym. This causes issues when compiling code for C++17. While here, make function prototype match the header with regards to removal of another register keyword. - - - - - d15c24c8 by Niclas Zeising at 2020-08-17T02:21:40+00:00 Fix input clients connecting to server Fix a bug where some input clients can't connect to the input server. This fixes #117. FreeBSD bugzilla reference: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248549 
Signed-off-by: Niclas Zeising <[email protected]> - - - - - acdaaadc by Matthieu Herrb at 2020-08-19T12:46:57+02:00 Fix an integer overflow in init_om() CVE-2020-14363 This can lead to a double free later, as reported by Jayden Rivers. Signed-off-by: Matthieu Herrb <[email protected]> - - - - - 50542066 by Matthieu Herrb at 2020-08-24T15:42:25+02:00 libX11 1.6.12 Signed-off-by: Matthieu Herrb <[email protected]> - - - - - 7 changed files: - configure.ac - include/X11/XKBlib.h - man/XCreateGC.man - modules/im/ximcp/imRmAttr.c - modules/om/generic/omGeneric.c - src/GetStCmap.c - src/xkb/XKBBind.c Changes:
===================================== configure.ac =====================================
@@ -1,7 +1,7 @@
# Initialize Autoconf AC_PREREQ([2.60])
-AC_INIT([libX11], [1.6.10],
+AC_INIT([libX11], [1.6.12],
[https://gitlab.freedesktop.org/xorg/lib/libx11/issues], [libX11]) AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_HEADERS([src/config.h include/X11/XlibConf.h])
===================================== include/X11/XKBlib.h =====================================
@@ -396,7 +396,7 @@ extern Bool XkbTranslateKeyCode(
extern int XkbTranslateKeySym( Display * /* dpy */,
- register KeySym * /* sym_return */,
+ KeySym * /* sym_return */,
unsigned int /* modifiers */, char * /* buffer */, int /* nbytes */,
===================================== man/XCreateGC.man =====================================
@@ -178,7 +178,7 @@ If the valuemask contains a valid set of GC mask bits
.BR GCSubwindowMode , .BR GCGraphicsExposures , .BR GCClipXOrigin ,
-.BR GCCLipYOrigin ,
+.BR GCClipYOrigin ,
.BR GCDashOffset , or .BR GCArcMode )
===================================== modules/im/ximcp/imRmAttr.c =====================================
@@ -265,7 +265,7 @@ _XimAttributeToValue(
if (num > (USHRT_MAX / sizeof(XIMStyle))) return False;
- if ((sizeof(num) + (num * sizeof(XIMStyle))) > data_len)
+ if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len)
return False; alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num; if (alloc_len < sizeof(XIMStyles))
@@ -379,7 +379,7 @@ _XimAttributeToValue(
if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger))) return False;
- if ((sizeof(num) + (num * sizeof(XIMHotKeyTrigger))) > data_len)
+ if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len)
return False; alloc_len = sizeof(XIMHotKeyTriggers) + sizeof(XIMHotKeyTrigger) * num;
@@ -1407,7 +1407,7 @@ _XimCountNumberOfAttr(
*names_len = 0; while (total > min_len) { len = attr[2];
- if (len >= (total - min_len)) {
+ if (len > (total - min_len)) {
return 0; } *names_len += (len + 1);
===================================== modules/om/generic/omGeneric.c =====================================
@@ -1908,7 +1908,8 @@ init_om(
char **required_list; XOrientation *orientation; char **value, buf[BUFSIZ], *bufptr;
- int count = 0, num = 0, length = 0;
+ int count = 0, num = 0;
+ unsigned int length = 0;
_XlcGetResource(lcd, "XLC_FONTSET", "on_demand_loading", &value, &count); if (count > 0 && _XlcCompareISOLatin1(*value, "True") == 0)
===================================== src/GetStCmap.c =====================================
@@ -1,4 +1,3 @@
-
/*********************************************************** Copyright 1987, 1998 The Open Group
@@ -111,7 +110,7 @@ Status XGetStandardColormap (
cmap->blue_mult = use->blue_mult; cmap->base_pixel = use->base_pixel;
- Xfree (stdcmaps); /* don't need alloced memory */
+ Xfree (stdcmaps); /* don't need allocated memory */
} return stat; }
===================================== src/xkb/XKBBind.c =====================================
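Review bot: In modules/im/ximcp/imRmAttr.c, the new bound in the `@@ -379` hunk, `2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))`, is still a sum compared against `data_len`, while the guard just above it limits `num` by the native `sizeof(XIMHotKeyTrigger)` rather than by the wire size. Whether that sum can wrap where `size_t` is 32 bits depends on type sizes and on the type of `data_len`, neither of which is visible here, so a subtraction-form check would remove the question: `if (data_len < 2 * sizeof(CARD16) || num > (data_len - 2 * sizeof(CARD16)) / (3 * sizeof(CARD32))) return False;`. The same form would suit the `XIMStyles` check in the `@@ -265` hunk, and a short comment naming the wire layout (a header of two CARD16, then `num` fixed-size entries) would explain the bare multipliers. `_XimAttributeToValue` starts and ends outside both hunks.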
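Review bot: In the `@@ -1407` hunk of modules/im/ximcp/imRmAttr.c, the relaxed test `if (len > (total - min_len))` now accepts an entry whose name exactly fills the remaining bytes, but nothing in the hunk says why equality is valid or how `total` is adjusted afterwards. The rest of the loop body in `_XimCountNumberOfAttr` is outside the hunk; if the per-entry advance also counts padding after the name, `total` should be compared against that full advance before it is decremented, since an unsigned `total` that wraps would still satisfy `while (total > min_len)`. The types of `len` and `total` are not shown, so this needs confirming against the full function. A comment such as `/* len == total - min_len is valid: the last attribute may end exactly at the end of the buffer */` would record the intent.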
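Review bot: In modules/om/generic/omGeneric.c, declaring `length` as `unsigned int` makes wraparound well defined but does not by itself bound the value; the code that accumulates into `length` and allocates from it lies outside this hunk, so whether a limit is enforced there cannot be confirmed from here. If `length` sums string lengths that size an allocation, `size_t length = 0;` would match the types used by `strlen()` and the allocator and avoid truncation where `size_t` is wider than `unsigned int`. An explicit bound at the accumulation site would make the CVE-2020-14363 fix independent of the integer width, and a one-line comment on the declaration, for example `/* unsigned: summed from resource string lengths, must not go negative */`, would keep the type from being changed back. `init_om` starts and ends outside the hunk.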
@@ -587,8 +587,8 @@ _XkbReloadDpy(Display *dpy)
} int
-XkbTranslateKeySym(register Display *dpy,
- register KeySym *sym_rtrn,
+XkbTranslateKeySym(Display *dpy,
+ KeySym *sym_rtrn,
unsigned int mods, char *buffer, int nbytes,
View it on GitLab: https://salsa.debian.org/xorg-team/lib/libx11/-/compare/9949364ea761ab7efa2a9930ec7718f966a740c0...505420662577749e36640db48f6b6b9ae0236e09 -- View it on GitLab: https://salsa.debian.org/xorg-team/lib/libx11/-/compare/9949364ea761ab7efa2a9930ec7718f966a740c0...505420662577749e36640db48f6b6b9ae0236e09 You're receiving this email because of your account on salsa.debian.org.

