Hello community, here is the log from the commit of package libXi for openSUSE:Factory checked in at 2016-11-05 21:21:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libXi (Old) and /work/SRC/openSUSE:Factory/.libXi.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libXi" Changes: -------- --- /work/SRC/openSUSE:Factory/libXi/libXi.changes 2016-01-05 09:40:58.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.libXi.new/libXi.changes 2016-11-05 21:21:58.000000000 +0100 @@ -1,0 +2,8 @@ +Fri Oct 28 23:26:17 UTC 2016 - [email protected] + +- Update to version 1.7.8: + The changes of 1.7.7 are included. + + Fix a crash introduced in the 1.7.7 release. + + Properly validate server responses. + +------------------------------------------------------------------- Old: ---- libXi-1.7.6.tar.bz2 New: ---- libXi-1.7.8.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libXi.spec ++++++ --- /var/tmp/diff_new_pack.1Jscmz/_old 2016-11-05 21:21:59.000000000 +0100 +++ /var/tmp/diff_new_pack.1Jscmz/_new 2016-11-05 21:21:59.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package libXi # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,7 +18,7 @@ Name: libXi %define lname libXi6 -Version: 1.7.6 +Version: 1.7.8 Release: 0 Summary: X Input Extension library License: MIT ++++++ libXi-1.7.6.tar.bz2 -> libXi-1.7.8.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libXi-1.7.6/ChangeLog new/libXi-1.7.8/ChangeLog --- old/libXi-1.7.6/ChangeLog 2015-12-22 02:21:12.000000000 +0100 +++ new/libXi-1.7.8/ChangeLog 2016-10-25 04:45:17.000000000 +0200 @@ -1,3 +1,70 @@ +commit 1bdeb431c3cc9eec7e12fdd29a83237f2f228865 +Author: Peter Hutterer <[email protected]> +Date: Tue Oct 25 12:43:44 2016 +1000 + + libXi 1.7.8 + + Signed-off-by: Peter Hutterer <[email protected]> + +commit 43904c9c5a0f5750a03a9bd8c96ccda182eb5a9a +Author: Peter Hutterer <[email protected]> +Date: Thu Oct 13 13:33:11 2016 +1000 + + XListInputDevices: don't touch ndevices in case of error + + We used to always set *ndevices to the number of devices returned by the + server. This magically worked because we pretty much never returned an error + except on faulty server or library implementations. With 19a9cd60 we now have + more chances of getting an error, so the polite thing is to just leave *ndevices + alone when we error out. + + Document it as such in the man page, just in case someone accidentally reads + it. + + Signed-off-by: Peter Hutterer <[email protected]> + CC: Niels Ole Salscheider <[email protected]> + Reviewed-by: Emil Velikov <[email protected]> + +commit b843fe1c0a6b4dbaae9f364042c6a247249305ef +Author: Niels Ole Salscheider <[email protected]> +Date: Fri Oct 7 21:46:44 2016 +0200 + + SizeClassInfo can return 0 even without an error + + Catch the error case separately. Commit 19a9cd607d added length checking to + SizeClassInfo but re-used the return value of 0 for an error. A device without + classes (as is initialized by xf86-input-libinput for tablets) can + legitimately return 0 and erroneously triggers an error. + Fix this by using a separate value for the error. + + Reproducible by calling XListInputDevices() with a tablet attached. + + This fixes a regression introduced in commit 19a9cd607d. + + Signed-off-by: Niels Ole Salscheider <[email protected]> + Signed-off-by: Peter Hutterer <[email protected]> + Reviewed-by: Emil Velikov <[email protected]> + +commit 8e0476653dd134cee84f4e893f656b2f93c4e3b0 +Author: Matthieu Herrb <[email protected]> +Date: Tue Oct 4 21:14:01 2016 +0200 + + libXi 1.7.7 + + Signed-off-by: Matthieu Herrb <[email protected]> + +commit 19a9cd607de73947fcfb104682f203ffe4e1f4e5 +Author: Tobias Stoeckmann <[email protected]> +Date: Sun Sep 25 22:31:34 2016 +0200 + + Properly validate server responses. + + By validating length fields from server responses, out of boundary + accesses and endless loops can be mitigated. + + Signed-off-by: Tobias Stoeckmann <[email protected]> + Reviewed-by: Matthieu Herrb <[email protected]> + commit 2286282f965064176b3b1492646c6e2e0f4ab7dd Author: Peter Hutterer <[email protected]> Date: Tue Dec 22 11:20:01 2015 +1000 @@ -971,7 +1038,7 @@ Merge branch 'multitouch' Conflicts: - configure.ac + configure.ac commit 82a631263ef4e6f46c1f33748089db8bf603b095 Author: Peter Hutterer <[email protected]> @@ -1176,7 +1243,7 @@ Merge branch 'smooth-scrolling' Conflicts: - src/XExtInt.c + src/XExtInt.c commit 3ed1b463205295a5ebba7d570a4cb8dfade51a38 Author: Peter Hutterer <[email protected]> @@ -2992,7 +3059,7 @@ Merge branch 'master' into xi2 Conflicts: - man/XI.xml + man/XI.xml commit 8ea9ebcedcb99480a5774c7755329a2ca8fda07b Author: Benjamin Close <[email protected]> @@ -3830,16 +3897,16 @@ src/XExtInt.c:xinput_extension_hooks field event_to_wire of type XExtensionHooks that has the prototype Status (*event_to_wire)( - Display* /* display */, - XEvent* /* re */, - xEvent* /* event */ + Display* /* display */, + XEvent* /* re */, + xEvent* /* event */ ); does not match Status _XiEventToWire( - register Display *dpy, /* pointer to display structure */ - register XEvent *re, /* pointer to client event */ - register xEvent **event, /* wire protocol event */ - register int *count); + register Display *dpy, /* pointer to display structure */ + register XEvent *re, /* pointer to client event */ + register xEvent **event, /* wire protocol event */ + register int *count); Signed-off-by: Peter Hutterer <[email protected]> @@ -3858,9 +3925,9 @@ Conflicts: - .gitignore - man/XGrabDeviceKey.man - man/XListInputDevices.man + .gitignore + man/XGrabDeviceKey.man + man/XListInputDevices.man commit 7d0977bc02ce4f29c0ed335fcdcce4ed7c328259 Author: Peter Hutterer <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libXi-1.7.6/Makefile.in new/libXi-1.7.8/Makefile.in --- old/libXi-1.7.6/Makefile.in 2015-12-22 02:20:11.000000000 +0100 +++ new/libXi-1.7.8/Makefile.in 2016-10-25 04:43:50.000000000 +0200 @@ -629,7 +629,7 @@ ! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \ || chmod -R a+r "$(distdir)" dist-gzip: distdir - tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz + tardir=$(distdir) && $(am__tar) | eval GZIP= gzip $(GZIP_ENV) -c >$(distdir).tar.gz $(am__post_remove_distdir) dist-bzip2: distdir tardir=$(distdir) && $(am__tar) | BZIP2=$${BZIP2--9} bzip2 -c >$(distdir).tar.bz2 @@ -654,7 +654,7 @@ @echo WARNING: "Support for shar distribution archives is" \ "deprecated." >&2 @echo WARNING: "It will be removed altogether in Automake 2.0" >&2 - shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz + shar $(distdir) | eval GZIP= gzip $(GZIP_ENV) -c >$(distdir).shar.gz $(am__post_remove_distdir) dist-zip: distdir @@ -672,7 +672,7 @@ distcheck: dist case '$(DIST_ARCHIVES)' in \ *.tar.gz*) \ - GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\ + eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).tar.gz | $(am__untar) ;;\ *.tar.bz2*) \ bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\ *.tar.lz*) \ @@ -682,7 +682,7 @@ *.tar.Z*) \ uncompress -c $(distdir).tar.Z | $(am__untar) ;;\ *.shar.gz*) \ - GZIP=$(GZIP_ENV) gzip -dc $(distdir).shar.gz | unshar ;;\ + eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).shar.gz | unshar ;;\ *.zip*) \ unzip $(distdir).zip ;;\ esac diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libXi-1.7.6/aclocal.m4 new/libXi-1.7.8/aclocal.m4 --- old/libXi-1.7.6/aclocal.m4 2015-12-22 02:20:10.000000000 +0100 +++ new/libXi-1.7.8/aclocal.m4 2016-10-25 04:43:49.000000000 +0200 @@ -9052,32 +9052,63 @@ m4_ifndef([_LT_PROG_FC], [AC_DEFUN([_LT_PROG_FC])]) m4_ifndef([_LT_PROG_CXX], [AC_DEFUN([_LT_PROG_CXX])]) -# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- -# serial 1 (pkg-config-0.24) -# -# Copyright © 2004 Scott James Remnant <[email protected]>. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# -# As a special exception to the GNU General Public License, if you -# distribute this file as part of a program that contains a -# configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. - -# PKG_PROG_PKG_CONFIG([MIN-VERSION]) -# ---------------------------------- +dnl pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- +dnl serial 11 (pkg-config-0.29.1) +dnl +dnl Copyright © 2004 Scott James Remnant <[email protected]>. +dnl Copyright © 2012-2015 Dan Nicholson <[email protected]> +dnl +dnl This program is free software; you can redistribute it and/or modify +dnl it under the terms of the GNU General Public License as published by +dnl the Free Software Foundation; either version 2 of the License, or +dnl (at your option) any later version. +dnl +dnl This program is distributed in the hope that it will be useful, but +dnl WITHOUT ANY WARRANTY; without even the implied warranty of +dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +dnl General Public License for more details. +dnl +dnl You should have received a copy of the GNU General Public License +dnl along with this program; if not, write to the Free Software +dnl Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA +dnl 02111-1307, USA. +dnl +dnl As a special exception to the GNU General Public License, if you +dnl distribute this file as part of a program that contains a +dnl configuration script generated by Autoconf, you may include it under +dnl the same distribution terms that you use for the rest of that +dnl program. + +dnl PKG_PREREQ(MIN-VERSION) +dnl ----------------------- +dnl Since: 0.29 +dnl +dnl Verify that the version of the pkg-config macros are at least +dnl MIN-VERSION. Unlike PKG_PROG_PKG_CONFIG, which checks the user's +dnl installed version of pkg-config, this checks the developer's version +dnl of pkg.m4 when generating configure. +dnl +dnl To ensure that this macro is defined, also add: +dnl m4_ifndef([PKG_PREREQ], +dnl [m4_fatal([must install pkg-config 0.29 or later before running autoconf/autogen])]) +dnl +dnl See the "Since" comment for each macro you use to see what version +dnl of the macros you require. +m4_defun([PKG_PREREQ], +[m4_define([PKG_MACROS_VERSION], [0.29.1]) +m4_if(m4_version_compare(PKG_MACROS_VERSION, [$1]), -1, + [m4_fatal([pkg.m4 version $1 or higher is required but ]PKG_MACROS_VERSION[ found])]) +])dnl PKG_PREREQ + +dnl PKG_PROG_PKG_CONFIG([MIN-VERSION]) +dnl ---------------------------------- +dnl Since: 0.16 +dnl +dnl Search for the pkg-config tool and set the PKG_CONFIG variable to +dnl first found in the path. Checks that the version of pkg-config found +dnl is at least MIN-VERSION. If MIN-VERSION is not specified, 0.9.0 is +dnl used since that's the first version where most current features of +dnl pkg-config existed. AC_DEFUN([PKG_PROG_PKG_CONFIG], [m4_pattern_forbid([^_?PKG_[A-Z_]+$]) m4_pattern_allow([^PKG_CONFIG(_(PATH|LIBDIR|SYSROOT_DIR|ALLOW_SYSTEM_(CFLAGS|LIBS)))?$]) @@ -9099,18 +9130,19 @@ PKG_CONFIG="" fi fi[]dnl -])# PKG_PROG_PKG_CONFIG +])dnl PKG_PROG_PKG_CONFIG -# PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) -# -# Check to see whether a particular set of modules exists. Similar -# to PKG_CHECK_MODULES(), but does not set variables or print errors. -# -# Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG]) -# only at the first occurence in configure.ac, so if the first place -# it's called might be skipped (such as if it is within an "if", you -# have to call PKG_CHECK_EXISTS manually -# -------------------------------------------------------------- +dnl PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) +dnl ------------------------------------------------------------------- +dnl Since: 0.18 +dnl +dnl Check to see whether a particular set of modules exists. Similar to +dnl PKG_CHECK_MODULES(), but does not set variables or print errors. +dnl +dnl Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG]) +dnl only at the first occurence in configure.ac, so if the first place +dnl it's called might be skipped (such as if it is within an "if", you +dnl have to call PKG_CHECK_EXISTS manually AC_DEFUN([PKG_CHECK_EXISTS], [AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl if test -n "$PKG_CONFIG" && \ @@ -9120,8 +9152,10 @@ $3])dnl fi]) -# _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES]) -# --------------------------------------------- +dnl _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES]) +dnl --------------------------------------------- +dnl Internal wrapper calling pkg-config via PKG_CONFIG and setting +dnl pkg_failed based on the result. m4_define([_PKG_CONFIG], [if test -n "$$1"; then pkg_cv_[]$1="$$1" @@ -9133,10 +9167,11 @@ else pkg_failed=untried fi[]dnl -])# _PKG_CONFIG +])dnl _PKG_CONFIG -# _PKG_SHORT_ERRORS_SUPPORTED -# ----------------------------- +dnl _PKG_SHORT_ERRORS_SUPPORTED +dnl --------------------------- +dnl Internal check to see if pkg-config supports short errors. AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED], [AC_REQUIRE([PKG_PROG_PKG_CONFIG]) if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then @@ -9144,19 +9179,17 @@ else _pkg_short_errors_supported=no fi[]dnl -])# _PKG_SHORT_ERRORS_SUPPORTED +])dnl _PKG_SHORT_ERRORS_SUPPORTED -# PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND], -# [ACTION-IF-NOT-FOUND]) -# -# -# Note that if there is a possibility the first call to -# PKG_CHECK_MODULES might not happen, you should be sure to include an -# explicit call to PKG_PROG_PKG_CONFIG in your configure.ac -# -# -# -------------------------------------------------------------- +dnl PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND], +dnl [ACTION-IF-NOT-FOUND]) +dnl -------------------------------------------------------------- +dnl Since: 0.4.0 +dnl +dnl Note that if there is a possibility the first call to +dnl PKG_CHECK_MODULES might not happen, you should be sure to include an +dnl explicit call to PKG_PROG_PKG_CONFIG in your configure.ac AC_DEFUN([PKG_CHECK_MODULES], [AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl @@ -9210,16 +9243,40 @@ AC_MSG_RESULT([yes]) $3 fi[]dnl -])# PKG_CHECK_MODULES +])dnl PKG_CHECK_MODULES -# PKG_INSTALLDIR(DIRECTORY) -# ------------------------- -# Substitutes the variable pkgconfigdir as the location where a module -# should install pkg-config .pc files. By default the directory is -# $libdir/pkgconfig, but the default can be changed by passing -# DIRECTORY. The user can override through the --with-pkgconfigdir -# parameter. +dnl PKG_CHECK_MODULES_STATIC(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND], +dnl [ACTION-IF-NOT-FOUND]) +dnl --------------------------------------------------------------------- +dnl Since: 0.29 +dnl +dnl Checks for existence of MODULES and gathers its build flags with +dnl static libraries enabled. Sets VARIABLE-PREFIX_CFLAGS from --cflags +dnl and VARIABLE-PREFIX_LIBS from --libs. +dnl +dnl Note that if there is a possibility the first call to +dnl PKG_CHECK_MODULES_STATIC might not happen, you should be sure to +dnl include an explicit call to PKG_PROG_PKG_CONFIG in your +dnl configure.ac. +AC_DEFUN([PKG_CHECK_MODULES_STATIC], +[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl +_save_PKG_CONFIG=$PKG_CONFIG +PKG_CONFIG="$PKG_CONFIG --static" +PKG_CHECK_MODULES($@) +PKG_CONFIG=$_save_PKG_CONFIG[]dnl +])dnl PKG_CHECK_MODULES_STATIC + + +dnl PKG_INSTALLDIR([DIRECTORY]) +dnl ------------------------- +dnl Since: 0.27 +dnl +dnl Substitutes the variable pkgconfigdir as the location where a module +dnl should install pkg-config .pc files. By default the directory is +dnl $libdir/pkgconfig, but the default can be changed by passing +dnl DIRECTORY. The user can override through the --with-pkgconfigdir +dnl parameter. AC_DEFUN([PKG_INSTALLDIR], [m4_pushdef([pkg_default], [m4_default([$1], ['${libdir}/pkgconfig'])]) m4_pushdef([pkg_description], @@ -9230,16 +9287,18 @@ AC_SUBST([pkgconfigdir], [$with_pkgconfigdir]) m4_popdef([pkg_default]) m4_popdef([pkg_description]) -]) dnl PKG_INSTALLDIR +])dnl PKG_INSTALLDIR -# PKG_NOARCH_INSTALLDIR(DIRECTORY) -# ------------------------- -# Substitutes the variable noarch_pkgconfigdir as the location where a -# module should install arch-independent pkg-config .pc files. By -# default the directory is $datadir/pkgconfig, but the default can be -# changed by passing DIRECTORY. The user can override through the -# --with-noarch-pkgconfigdir parameter. +dnl PKG_NOARCH_INSTALLDIR([DIRECTORY]) +dnl -------------------------------- +dnl Since: 0.27 +dnl +dnl Substitutes the variable noarch_pkgconfigdir as the location where a +dnl module should install arch-independent pkg-config .pc files. By +dnl default the directory is $datadir/pkgconfig, but the default can be +dnl changed by passing DIRECTORY. The user can override through the +dnl --with-noarch-pkgconfigdir parameter. AC_DEFUN([PKG_NOARCH_INSTALLDIR], [m4_pushdef([pkg_default], [m4_default([$1], ['${datadir}/pkgconfig'])]) m4_pushdef([pkg_description], @@ -9250,13 +9309,15 @@ AC_SUBST([noarch_pkgconfigdir], [$with_noarch_pkgconfigdir]) m4_popdef([pkg_default]) m4_popdef([pkg_description]) -]) dnl PKG_NOARCH_INSTALLDIR +])dnl PKG_NOARCH_INSTALLDIR -# PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE, -# [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) -# ------------------------------------------- -# Retrieves the value of the pkg-config variable for the given module. +dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE, +dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) +dnl ------------------------------------------- +dnl Since: 0.28 +dnl +dnl Retrieves the value of the pkg-config variable for the given module. AC_DEFUN([PKG_CHECK_VAR], [AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl @@ -9265,7 +9326,7 @@ AS_VAR_COPY([$1], [pkg_cv_][$1]) AS_VAR_IF([$1], [""], [$5], [$4])dnl -])# PKG_CHECK_VAR +])dnl PKG_CHECK_VAR # Copyright (C) 2002-2014 Free Software Foundation, Inc. # @@ -10399,7 +10460,7 @@ dnl xorg-macros.m4. Generated from xorg-macros.m4.in xorgversion.m4 by configure. dnl -dnl Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved. +dnl Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved. dnl dnl Permission is hereby granted, free of charge, to any person obtaining a dnl copy of this software and associated documentation files (the "Software"), @@ -10529,8 +10590,9 @@ if test x$FILE_MAN_SUFFIX = x ; then case $host_os in - solaris*) FILE_MAN_SUFFIX=4 ;; - *) FILE_MAN_SUFFIX=5 ;; + # Solaris 2.0 - 11 use SysV man page sections + solaris2.?|solaris2.1[[01]]) FILE_MAN_SUFFIX=4 ;; + *) FILE_MAN_SUFFIX=5 ;; esac fi if test x$FILE_MAN_DIR = x ; then @@ -10539,8 +10601,9 @@ if test x$MISC_MAN_SUFFIX = x ; then case $host_os in - solaris*) MISC_MAN_SUFFIX=5 ;; - *) MISC_MAN_SUFFIX=7 ;; + # Solaris 2.0 - 11 use SysV man page sections + solaris2.?|solaris2.1[[01]]) MISC_MAN_SUFFIX=5 ;; + *) MISC_MAN_SUFFIX=7 ;; esac fi if test x$MISC_MAN_DIR = x ; then @@ -10549,8 +10612,9 @@ if test x$DRIVER_MAN_SUFFIX = x ; then case $host_os in - solaris*) DRIVER_MAN_SUFFIX=7 ;; - *) DRIVER_MAN_SUFFIX=4 ;; + # Solaris 2.0 - 11 use SysV man page sections + solaris2.?|solaris2.1[[01]]) DRIVER_MAN_SUFFIX=7 ;; + *) DRIVER_MAN_SUFFIX=4 ;; esac fi if test x$DRIVER_MAN_DIR = x ; then @@ -10559,8 +10623,9 @@ if test x$ADMIN_MAN_SUFFIX = x ; then case $host_os in - solaris*) ADMIN_MAN_SUFFIX=1m ;; - *) ADMIN_MAN_SUFFIX=8 ;; + # Solaris 2.0 - 11 use SysV man page sections + solaris2.?|solaris2.1[[01]]) ADMIN_MAN_SUFFIX=1m ;; + *) ADMIN_MAN_SUFFIX=8 ;; esac fi if test x$ADMIN_MAN_DIR = x ; then @@ -10822,13 +10887,24 @@ fi]) # Test for the ability of xmlto to generate a text target +# +# NOTE: xmlto 0.0.27 or higher return a non-zero return code in the +# following test for empty XML docbook files. +# For compatibility reasons use the following empty XML docbook file and if +# it fails try it again with a non-empty XML file. have_xmlto_text=no cat > conftest.xml << "EOF" EOF AS_IF([test "$have_xmlto" = yes], [AS_IF([$XMLTO --skip-validation txt conftest.xml >/dev/null 2>&1], [have_xmlto_text=yes], - [AC_MSG_WARN([xmlto cannot generate text format, this format skipped])])]) + [# Try it again with a non-empty XML file. + cat > conftest.xml << "EOF" +<x></x> +EOF + AS_IF([$XMLTO --skip-validation txt conftest.xml >/dev/null 2>&1], + [have_xmlto_text=yes], + [AC_MSG_WARN([xmlto cannot generate text format, this format skipped])])])]) rm -f conftest.xml AM_CONDITIONAL([HAVE_XMLTO_TEXT], [test $have_xmlto_text = yes]) AM_CONDITIONAL([HAVE_XMLTO], [test "$have_xmlto" = yes]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libXi-1.7.6/configure new/libXi-1.7.8/configure --- old/libXi-1.7.6/configure 2015-12-22 02:20:11.000000000 +0100 +++ new/libXi-1.7.8/configure 2016-10-25 04:43:50.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for libXi 1.7.6. +# Generated by GNU Autoconf 2.69 for libXi 1.7.8. # # Report bugs to <https://bugs.freedesktop.org/enter_bug.cgi?product=xorg>. # @@ -651,8 +651,8 @@ # Identity of this package. PACKAGE_NAME='libXi' PACKAGE_TARNAME='libXi' -PACKAGE_VERSION='1.7.6' -PACKAGE_STRING='libXi 1.7.6' +PACKAGE_VERSION='1.7.8' +PACKAGE_STRING='libXi 1.7.8' PACKAGE_BUGREPORT='https://bugs.freedesktop.org/enter_bug.cgi?product=xorg' PACKAGE_URL='' @@ -1450,7 +1450,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libXi 1.7.6 to adapt to many kinds of systems. +\`configure' configures libXi 1.7.8 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1520,7 +1520,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libXi 1.7.6:";; + short | recursive ) echo "Configuration of libXi 1.7.8:";; esac cat <<\_ACEOF @@ -1661,7 +1661,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libXi configure 1.7.6 +libXi configure 1.7.8 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1985,7 +1985,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libXi $as_me 1.7.6, which was +It was created by libXi $as_me 1.7.8, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2853,7 +2853,7 @@ # Define the identity of the package. PACKAGE='libXi' - VERSION='1.7.6' + VERSION='1.7.8' cat >>confdefs.h <<_ACEOF @@ -18264,8 +18264,9 @@ if test x$FILE_MAN_SUFFIX = x ; then case $host_os in - solaris*) FILE_MAN_SUFFIX=4 ;; - *) FILE_MAN_SUFFIX=5 ;; + # Solaris 2.0 - 11 use SysV man page sections + solaris2.?|solaris2.1[01]) FILE_MAN_SUFFIX=4 ;; + *) FILE_MAN_SUFFIX=5 ;; esac fi if test x$FILE_MAN_DIR = x ; then @@ -18274,8 +18275,9 @@ if test x$MISC_MAN_SUFFIX = x ; then case $host_os in - solaris*) MISC_MAN_SUFFIX=5 ;; - *) MISC_MAN_SUFFIX=7 ;; + # Solaris 2.0 - 11 use SysV man page sections + solaris2.?|solaris2.1[01]) MISC_MAN_SUFFIX=5 ;; + *) MISC_MAN_SUFFIX=7 ;; esac fi if test x$MISC_MAN_DIR = x ; then @@ -18284,8 +18286,9 @@ if test x$DRIVER_MAN_SUFFIX = x ; then case $host_os in - solaris*) DRIVER_MAN_SUFFIX=7 ;; - *) DRIVER_MAN_SUFFIX=4 ;; + # Solaris 2.0 - 11 use SysV man page sections + solaris2.?|solaris2.1[01]) DRIVER_MAN_SUFFIX=7 ;; + *) DRIVER_MAN_SUFFIX=4 ;; esac fi if test x$DRIVER_MAN_DIR = x ; then @@ -18294,8 +18297,9 @@ if test x$ADMIN_MAN_SUFFIX = x ; then case $host_os in - solaris*) ADMIN_MAN_SUFFIX=1m ;; - *) ADMIN_MAN_SUFFIX=8 ;; + # Solaris 2.0 - 11 use SysV man page sections + solaris2.?|solaris2.1[01]) ADMIN_MAN_SUFFIX=1m ;; + *) ADMIN_MAN_SUFFIX=8 ;; esac fi if test x$ADMIN_MAN_DIR = x ; then @@ -18567,6 +18571,11 @@ fi # Test for the ability of xmlto to generate a text target +# +# NOTE: xmlto 0.0.27 or higher return a non-zero return code in the +# following test for empty XML docbook files. +# For compatibility reasons use the following empty XML docbook file and if +# it fails try it again with a non-empty XML file. have_xmlto_text=no cat > conftest.xml << "EOF" EOF @@ -18574,10 +18583,18 @@ if $XMLTO --skip-validation txt conftest.xml >/dev/null 2>&1; then : have_xmlto_text=yes else + # Try it again with a non-empty XML file. + cat > conftest.xml << "EOF" +<x></x> +EOF + if $XMLTO --skip-validation txt conftest.xml >/dev/null 2>&1; then : + have_xmlto_text=yes +else { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: xmlto cannot generate text format, this format skipped" >&5 $as_echo "$as_me: WARNING: xmlto cannot generate text format, this format skipped" >&2;} fi fi +fi rm -f conftest.xml if test $have_xmlto_text = yes; then HAVE_XMLTO_TEXT_TRUE= @@ -19902,7 +19919,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libXi $as_me 1.7.6, which was +This file was extended by libXi $as_me 1.7.8, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -19968,7 +19985,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -libXi config.status 1.7.6 +libXi config.status 1.7.8 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libXi-1.7.6/configure.ac new/libXi-1.7.8/configure.ac --- old/libXi-1.7.6/configure.ac 2015-12-22 02:19:42.000000000 +0100 +++ new/libXi-1.7.8/configure.ac 2016-10-25 04:43:32.000000000 +0200 @@ -1,7 +1,7 @@ # Initialize Autoconf AC_PREREQ([2.60]) -AC_INIT([libXi], [1.7.6], +AC_INIT([libXi], [1.7.8], [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXi]) AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_HEADERS([src/config.h]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libXi-1.7.6/man/XListInputDevices.man new/libXi-1.7.8/man/XListInputDevices.man --- old/libXi-1.7.6/man/XListInputDevices.man 2013-03-09 08:49:58.000000000 +0100 +++ new/libXi-1.7.8/man/XListInputDevices.man 2016-10-13 05:45:12.000000000 +0200 @@ -1,13 +1,13 @@ '\" t .\" Title: xlistinputdevices .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] -.\" Generator: DocBook XSL Stylesheets v1.77.1 <http://docbook.sf.net/> -.\" Date: 03/09/2013 +.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> +.\" Date: 10/13/2016 .\" Manual: \ \& .\" Source: \ \& .\" Language: English .\" -.TH "XLISTINPUTDEVICES" "libmansuffix" "03/09/2013" "\ \&" "\ \&" +.TH "XLISTINPUTDEVICES" "libmansuffix" "10/13/2016" "\ \&" "\ \&" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -553,13 +553,27 @@ .if n \{\ .RE .\} +.SH "RETURN VALUE" .sp .if n \{\ .RS 4 .\} .nf -To free the XDeviceInfo array created by XListInputDevices, use -XFreeDeviceList\&. +XListInputDevices returns a pointer to an array of XDeviceInfo +structs and sets ndevices_return to the number of elements in +that array\&. To free the XDeviceInfo array created by +XListInputDevices, use XFreeDeviceList\&. +.fi +.if n \{\ +.RE +.\} +.sp +.if n \{\ +.RS 4 +.\} +.nf +On error, XListInputDevices returns NULL and ndevices_return is +left unmodified\&. .fi .if n \{\ .RE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libXi-1.7.6/man/XListInputDevices.txt new/libXi-1.7.8/man/XListInputDevices.txt --- old/libXi-1.7.6/man/XListInputDevices.txt 2013-02-19 02:39:40.000000000 +0100 +++ new/libXi-1.7.8/man/XListInputDevices.txt 2016-10-13 05:44:30.000000000 +0200 @@ -220,5 +220,13 @@ Floating. If the device is a master device, attached specifies the device ID of the master device this device is paired with. - To free the XDeviceInfo array created by XListInputDevices, use - XFreeDeviceList. +RETURN VALUE +------------ + + XListInputDevices returns a pointer to an array of XDeviceInfo + structs and sets ndevices_return to the number of elements in + that array. To free the XDeviceInfo array created by + XListInputDevices, use XFreeDeviceList. + + On error, XListInputDevices returns NULL and ndevices_return is + left unmodified. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libXi-1.7.6/src/XGMotion.c new/libXi-1.7.8/src/XGMotion.c --- old/libXi-1.7.6/src/XGMotion.c 2014-11-03 06:28:35.000000000 +0100 +++ new/libXi-1.7.8/src/XGMotion.c 2016-10-13 02:56:34.000000000 +0200 @@ -114,7 +114,8 @@ } /* rep.axes is a CARD8, so assume max number of axes for bounds check */ if (rep.nEvents < - (INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int))))) { + (INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int)))) && + rep.nEvents * (rep.axes + 1) <= rep.length) { size_t bsize = rep.nEvents * (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int))); bufp = Xmalloc(bsize); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libXi-1.7.6/src/XGetBMap.c new/libXi-1.7.8/src/XGetBMap.c --- old/libXi-1.7.6/src/XGetBMap.c 2013-05-24 03:46:37.000000000 +0200 +++ new/libXi-1.7.8/src/XGetBMap.c 2016-10-13 02:56:34.000000000 +0200 @@ -92,7 +92,8 @@ status = _XReply(dpy, (xReply *) & rep, 0, xFalse); if (status == 1) { - if (rep.length <= (sizeof(mapping) >> 2)) { + if (rep.length <= (sizeof(mapping) >> 2) && + rep.nElts <= (rep.length << 2)) { unsigned long nbytes = rep.length << 2; _XRead(dpy, (char *)mapping, nbytes); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libXi-1.7.6/src/XGetDCtl.c new/libXi-1.7.8/src/XGetDCtl.c --- old/libXi-1.7.6/src/XGetDCtl.c 2014-11-03 06:28:35.000000000 +0100 +++ new/libXi-1.7.8/src/XGetDCtl.c 2016-10-13 02:56:34.000000000 +0200 @@ -93,7 +93,8 @@ if (rep.length > 0) { unsigned long nbytes; size_t size = 0; - if (rep.length < (INT_MAX >> 2)) { + if (rep.length < (INT_MAX >> 2) && + (rep.length << 2) >= sizeof(xDeviceState)) { nbytes = (unsigned long) rep.length << 2; d = Xmalloc(nbytes); } @@ -117,7 +118,8 @@ size_t val_size; r = (xDeviceResolutionState *) d; - if (r->num_valuators >= (INT_MAX / (3 * sizeof(int)))) + if (sizeof(xDeviceResolutionState) > nbytes || + r->num_valuators >= (INT_MAX / (3 * sizeof(int)))) goto out; val_size = 3 * sizeof(int) * r->num_valuators; if ((sizeof(xDeviceResolutionState) + val_size) > nbytes) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libXi-1.7.6/src/XGetFCtl.c new/libXi-1.7.8/src/XGetFCtl.c --- old/libXi-1.7.6/src/XGetFCtl.c 2014-11-03 06:28:35.000000000 +0100 +++ new/libXi-1.7.8/src/XGetFCtl.c 2016-10-13 02:56:34.000000000 +0200 @@ -73,6 +73,7 @@ XFeedbackState *Sav = NULL; xFeedbackState *f = NULL; xFeedbackState *sav = NULL; + char *end = NULL; xGetFeedbackControlReq *req; xGetFeedbackControlReply rep; XExtDisplayInfo *info = XInput_find_display(dpy); @@ -105,10 +106,12 @@ goto out; } sav = f; + end = (char *)f + nbytes; _XRead(dpy, (char *)f, nbytes); for (i = 0; i < *num_feedbacks; i++) { - if (f->length > nbytes) + if ((char *)f + sizeof(*f) > end || + f->length == 0 || f->length > nbytes) goto out; nbytes -= f->length; @@ -125,6 +128,8 @@ case StringFeedbackClass: { xStringFeedbackState *strf = (xStringFeedbackState *) f; + if ((char *)f + sizeof(*strf) > end) + goto out; size += sizeof(XStringFeedbackState) + (strf->num_syms_supported * sizeof(KeySym)); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libXi-1.7.6/src/XGetKMap.c new/libXi-1.7.8/src/XGetKMap.c --- old/libXi-1.7.6/src/XGetKMap.c 2014-11-03 06:28:35.000000000 +0100 +++ new/libXi-1.7.8/src/XGetKMap.c 2016-10-13 02:56:34.000000000 +0200 @@ -54,6 +54,7 @@ #include <config.h> #endif +#include <limits.h> #include <X11/extensions/XI.h> #include <X11/extensions/XIproto.h> #include <X11/Xlibint.h> @@ -93,9 +94,16 @@ return (KeySym *) NULL; } if (rep.length > 0) { - *syms_per_code = rep.keySymsPerKeyCode; - nbytes = (long)rep.length << 2; - mapping = (KeySym *) Xmalloc((unsigned)nbytes); + if (rep.length < INT_MAX >> 2 && + rep.length == rep.keySymsPerKeyCode * keycount) { + *syms_per_code = rep.keySymsPerKeyCode; + nbytes = (long)rep.length << 2; + mapping = (KeySym *) Xmalloc((unsigned)nbytes); + } else { + *syms_per_code = 0; + nbytes = 0; + mapping = NULL; + } if (mapping) _XRead(dpy, (char *)mapping, nbytes); else diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libXi-1.7.6/src/XGetMMap.c new/libXi-1.7.8/src/XGetMMap.c --- old/libXi-1.7.6/src/XGetMMap.c 2014-11-03 06:28:35.000000000 +0100 +++ new/libXi-1.7.8/src/XGetMMap.c 2016-10-13 02:56:34.000000000 +0200 @@ -53,6 +53,7 @@ #include <config.h> #endif +#include <limits.h> #include <X11/extensions/XI.h> #include <X11/extensions/XIproto.h> #include <X11/Xlibint.h> @@ -85,8 +86,14 @@ SyncHandle(); return (XModifierKeymap *) NULL; } - nbytes = (unsigned long)rep.length << 2; - res = (XModifierKeymap *) Xmalloc(sizeof(XModifierKeymap)); + if (rep.length < (INT_MAX >> 2) && + rep.numKeyPerModifier == rep.length >> 1) { + nbytes = (unsigned long)rep.length << 2; + res = (XModifierKeymap *) Xmalloc(sizeof(XModifierKeymap)); + } else { + nbytes = 0; + res = NULL; + } if (res) { res->modifiermap = (KeyCode *) Xmalloc(nbytes); if (res->modifiermap) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libXi-1.7.6/src/XIQueryDevice.c new/libXi-1.7.8/src/XIQueryDevice.c --- old/libXi-1.7.6/src/XIQueryDevice.c 2014-11-03 06:28:35.000000000 +0100 +++ new/libXi-1.7.8/src/XIQueryDevice.c 2016-10-13 02:56:34.000000000 +0200 @@ -26,6 +26,7 @@ #include <config.h> #endif +#include <limits.h> #include <stdint.h> #include <X11/Xlibint.h> #include <X11/extensions/XI2proto.h> @@ -43,6 +44,7 @@ xXIQueryDeviceReq *req; xXIQueryDeviceReply reply; char *ptr; + char *end; int i; char *buf; @@ -60,14 +62,24 @@ if (!_XReply(dpy, (xReply*) &reply, 0, xFalse)) goto error; - *ndevices_return = reply.num_devices; - info = Xmalloc((reply.num_devices + 1) * sizeof(XIDeviceInfo)); + if (reply.length < INT_MAX / 4) + { + *ndevices_return = reply.num_devices; + info = Xmalloc((reply.num_devices + 1) * sizeof(XIDeviceInfo)); + } + else + { + *ndevices_return = 0; + info = NULL; + } + if (!info) goto error; buf = Xmalloc(reply.length * 4); _XRead(dpy, buf, reply.length * 4); ptr = buf; + end = buf + reply.length * 4; /* info is a null-terminated array */ info[reply.num_devices].name = NULL; @@ -79,6 +91,9 @@ XIDeviceInfo *lib = &info[i]; xXIDeviceInfo *wire = (xXIDeviceInfo*)ptr; + if (ptr + sizeof(xXIDeviceInfo) > end) + goto error_loop; + lib->deviceid = wire->deviceid; lib->use = wire->use; lib->attachment = wire->attachment; @@ -87,12 +102,23 @@ ptr += sizeof(xXIDeviceInfo); + if (ptr + wire->name_len > end) + goto error_loop; + lib->name = Xcalloc(wire->name_len + 1, 1); + if (lib->name == NULL) + goto error_loop; strncpy(lib->name, ptr, wire->name_len); + lib->name[wire->name_len] = '\0'; ptr += ((wire->name_len + 3)/4) * 4; sz = size_classes((xXIAnyInfo*)ptr, nclasses); lib->classes = Xmalloc(sz); + if (lib->classes == NULL) + { + Xfree(lib->name); + goto error_loop; + } ptr += copy_classes(lib, (xXIAnyInfo*)ptr, &nclasses); /* We skip over unused classes */ lib->num_classes = nclasses; @@ -103,6 +129,12 @@ SyncHandle(); return info; +error_loop: + while (--i >= 0) + { + Xfree(info[i].name); + Xfree(info[i].classes); + } error: UnlockDisplay(dpy); error_unlocked: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libXi-1.7.6/src/XListDev.c new/libXi-1.7.8/src/XListDev.c --- old/libXi-1.7.6/src/XListDev.c 2013-06-26 21:37:18.000000000 +0200 +++ new/libXi-1.7.8/src/XListDev.c 2016-10-13 05:44:37.000000000 +0200 @@ -73,35 +73,42 @@ return ((base_size + padsize - 1)/padsize) * padsize; } -static size_t -SizeClassInfo(xAnyClassPtr *any, int num_classes) +static int +SizeClassInfo(xAnyClassPtr *any, size_t len, int num_classes, size_t *size) { - int size = 0; int j; + size_t sz = 0; + for (j = 0; j < num_classes; j++) { switch ((*any)->class) { case KeyClass: - size += pad_to_xid(sizeof(XKeyInfo)); + sz += pad_to_xid(sizeof(XKeyInfo)); break; case ButtonClass: - size += pad_to_xid(sizeof(XButtonInfo)); + sz += pad_to_xid(sizeof(XButtonInfo)); break; case ValuatorClass: { xValuatorInfoPtr v; + if (len < sizeof(v)) + return 1; v = (xValuatorInfoPtr) *any; - size += pad_to_xid(sizeof(XValuatorInfo) + + sz += pad_to_xid(sizeof(XValuatorInfo) + (v->num_axes * sizeof(XAxisInfo))); break; } default: break; } + if ((*any)->length > len) + return 1; *any = (xAnyClassPtr) ((char *)(*any) + (*any)->length); } - return size; + *size = sz; + + return 0; } static void @@ -168,9 +175,9 @@ XDeviceInfo * XListInputDevices( register Display *dpy, - int *ndevices) + int *ndevices_return) { - size_t size; + size_t s, size; xListInputDevicesReq *req; xListInputDevicesReply rep; xDeviceInfo *list, *slist = NULL; @@ -178,10 +185,12 @@ XDeviceInfo *clist = NULL; xAnyClassPtr any, sav_any; XAnyClassPtr Any; + char *end = NULL; unsigned char *nptr, *Nptr; int i; unsigned long rlen; XExtDisplayInfo *info = XInput_find_display(dpy); + int ndevices; LockDisplay(dpy); if (_XiCheckExtInit(dpy, XInput_Initial_Release, info) == -1) @@ -197,8 +206,8 @@ return (XDeviceInfo *) NULL; } - if ((*ndevices = rep.ndevices)) { /* at least 1 input device */ - size = *ndevices * sizeof(XDeviceInfo); + if ((ndevices = rep.ndevices)) { /* at least 1 input device */ + size = ndevices * sizeof(XDeviceInfo); if (rep.length < (INT_MAX >> 2)) { rlen = rep.length << 2; /* multiply length by 4 */ slist = list = Xmalloc(rlen); @@ -211,18 +220,21 @@ } _XRead(dpy, (char *)list, rlen); - any = (xAnyClassPtr) ((char *)list + (*ndevices * sizeof(xDeviceInfo))); + any = (xAnyClassPtr) ((char *)list + (ndevices * sizeof(xDeviceInfo))); sav_any = any; - for (i = 0; i < *ndevices; i++, list++) { - size += SizeClassInfo(&any, (int)list->num_classes); + end = (char *)list + rlen; + for (i = 0; i < ndevices; i++, list++) { + if(SizeClassInfo(&any, end - (char *)any, (int)list->num_classes, &s)) + goto out; + size += s; } - Nptr = ((unsigned char *)list) + rlen + 1; - for (i = 0, nptr = (unsigned char *)any; i < *ndevices; i++) { + Nptr = ((unsigned char *)list) + rlen; + for (i = 0, nptr = (unsigned char *)any; i < ndevices; i++) { + if (nptr >= Nptr) + goto out; size += *nptr + 1; nptr += (*nptr + 1); - if (nptr > Nptr) - goto out; } clist = (XDeviceInfoPtr) Xmalloc(size); @@ -234,10 +246,10 @@ } sclist = clist; Any = (XAnyClassPtr) ((char *)clist + - (*ndevices * sizeof(XDeviceInfo))); + (ndevices * sizeof(XDeviceInfo))); list = slist; any = sav_any; - for (i = 0; i < *ndevices; i++, list++, clist++) { + for (i = 0; i < ndevices; i++, list++, clist++) { clist->type = list->type; clist->id = list->id; clist->use = list->use; @@ -250,7 +262,7 @@ clist = sclist; nptr = (unsigned char *)any; Nptr = (unsigned char *)Any; - for (i = 0; i < *ndevices; i++, clist++) { + for (i = 0; i < ndevices; i++, clist++) { clist->name = (char *)Nptr; memcpy(Nptr, nptr + 1, *nptr); Nptr += (*nptr); @@ -259,6 +271,8 @@ } } + *ndevices_return = ndevices; + out: XFree((char *)slist); UnlockDisplay(dpy); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libXi-1.7.6/src/XOpenDev.c new/libXi-1.7.8/src/XOpenDev.c --- old/libXi-1.7.6/src/XOpenDev.c 2014-11-03 06:28:35.000000000 +0100 +++ new/libXi-1.7.8/src/XOpenDev.c 2016-10-13 02:56:34.000000000 +0200 @@ -53,6 +53,7 @@ #include <config.h> #endif +#include <limits.h> #include <X11/extensions/XI.h> #include <X11/extensions/XIproto.h> #include <X11/Xlibint.h> @@ -86,9 +87,15 @@ return (XDevice *) NULL; } - rlen = rep.length << 2; - dev = (XDevice *) Xmalloc(sizeof(XDevice) + rep.num_classes * - sizeof(XInputClassInfo)); + if (rep.length < INT_MAX >> 2 && + (rep.length << 2) >= rep.num_classes * sizeof(xInputClassInfo)) { + rlen = rep.length << 2; + dev = (XDevice *) Xmalloc(sizeof(XDevice) + rep.num_classes * + sizeof(XInputClassInfo)); + } else { + rlen = 0; + dev = NULL; + } if (dev) { int dlen; /* data length */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libXi-1.7.6/src/XQueryDv.c new/libXi-1.7.8/src/XQueryDv.c --- old/libXi-1.7.6/src/XQueryDv.c 2014-11-03 06:28:35.000000000 +0100 +++ new/libXi-1.7.8/src/XQueryDv.c 2016-10-13 02:56:34.000000000 +0200 @@ -73,7 +73,7 @@ xQueryDeviceStateReply rep; XDeviceState *state = NULL; XInputClass *any, *Any; - char *data = NULL; + char *data = NULL, *end = NULL; XExtDisplayInfo *info = XInput_find_display(dpy); LockDisplay(dpy); @@ -92,6 +92,7 @@ if (rep.length < (INT_MAX >> 2)) { rlen = (unsigned long) rep.length << 2; data = Xmalloc(rlen); + end = data + rlen; } if (!data) { _XEatDataWords(dpy, rep.length); @@ -100,7 +101,8 @@ _XRead(dpy, data, rlen); for (i = 0, any = (XInputClass *) data; i < (int)rep.num_classes; i++) { - if (any->length > rlen) + if ((char *)any + sizeof(XInputClass) > end || + any->length == 0 || any->length > rlen) goto out; rlen -= any->length; @@ -114,6 +116,8 @@ case ValuatorClass: { xValuatorState *v = (xValuatorState *) any; + if ((char *)any + sizeof(xValuatorState) > end) + goto out; size += (sizeof(XValuatorState) + (v->num_valuators * sizeof(int))); }
