Module Name: xsrc
Committed By: martin
Date: Tue Aug 28 13:27:24 UTC 2018
Modified Files:
xsrc/external/mit/libX11/dist/src [netbsd-8]: FontNames.c GetFPath.c
LiHosts.c ListExt.c
Log Message:
Apply patch, requested by mrg in ticket #995:
xsrc/external/mit/libX11/dist/src/FontNames.c
xsrc/external/mit/libX11/dist/src/GetFPath.c
xsrc/external/mit/libX11/dist/src/LiHosts.c
xsrc/external/mit/libX11/dist/src/ListExt.c
Apply fixes from libX11 1.6.5 for the following vulnerabilities:
Fixed off-by-one writes (CVE-2018-14599)
Validation of server response in XListHosts
Fixed out of boundary write (CVE-2018-14600)
Fixed crash on invalid reply (CVE-2018-14598)
(Backport of upstream git commits b469da1430cdcee06e31c6251b83aede072a1ff0,
d81da209fd4d0c2c9ad0596a8078e58864479d0d,
dbf72805fd9d7b1846fe9a11b46f3994bfc27fea,
e83722768fd5c467ef61fa159e8c6278770b45c2 resp)
To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.6.2.1 xsrc/external/mit/libX11/dist/src/FontNames.c
cvs rdiff -u -r1.5 -r1.5.2.1 xsrc/external/mit/libX11/dist/src/GetFPath.c \
xsrc/external/mit/libX11/dist/src/ListExt.c
cvs rdiff -u -r1.1.1.5 -r1.1.1.5.10.1 \
xsrc/external/mit/libX11/dist/src/LiHosts.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/libX11/dist/src/FontNames.c
diff -u xsrc/external/mit/libX11/dist/src/FontNames.c:1.6 xsrc/external/mit/libX11/dist/src/FontNames.c:1.6.2.1
--- xsrc/external/mit/libX11/dist/src/FontNames.c:1.6 Sat Mar 4 22:00:21 2017
+++ xsrc/external/mit/libX11/dist/src/FontNames.c Tue Aug 28 13:27:24 2018
@@ -88,24 +88,16 @@ int *actualCount) /* RETURN */
* unpack into null terminated strings.
*/
chstart = ch;
- chend = ch + (rlen + 1);
+ chend = ch + rlen;
length = *(unsigned char *)ch;
*ch = 1; /* make sure it is non-zero for XFreeFontNames */
for (i = 0; i < rep.nFonts; i++) {
if (ch + length < chend) {
flist[i] = ch + 1; /* skip over length */
ch += length + 1; /* find next length ... */
- if (ch <= chend) {
- length = *(unsigned char *)ch;
- *ch = '\0'; /* and replace with null-termination */
- count++;
- } else {
- Xfree(chstart);
- Xfree(flist);
- flist = NULL;
- count = 0;
- break;
- }
+ length = *(unsigned char *)ch;
+ *ch = '\0'; /* and replace with null-termination */
+ count++;
} else {
Xfree(chstart);
Xfree(flist);
Index: xsrc/external/mit/libX11/dist/src/GetFPath.c
diff -u xsrc/external/mit/libX11/dist/src/GetFPath.c:1.5 xsrc/external/mit/libX11/dist/src/GetFPath.c:1.5.2.1
--- xsrc/external/mit/libX11/dist/src/GetFPath.c:1.5 Tue Oct 4 22:04:39 2016
+++ xsrc/external/mit/libX11/dist/src/GetFPath.c Tue Aug 28 13:27:24 2018
@@ -69,15 +69,20 @@ char **XGetFontPath(
/*
* unpack into null terminated strings.
*/
- chend = ch + (nbytes + 1);
- length = *ch;
+ chend = ch + nbytes;
+ length = *(unsigned char *)ch;
for (i = 0; i < rep.nPaths; i++) {
if (ch + length < chend) {
flist[i] = ch+1; /* skip over length */
ch += length + 1; /* find next length ... */
- length = *ch;
+ length = *(unsigned char *)ch;
*ch = '\0'; /* and replace with null-termination */
count++;
+ } else if (i == 0) {
+ Xfree(flist);
+ Xfree(ch);
+ flist = NULL;
+ break;
} else
flist[i] = NULL;
}
Index: xsrc/external/mit/libX11/dist/src/ListExt.c
diff -u xsrc/external/mit/libX11/dist/src/ListExt.c:1.5 xsrc/external/mit/libX11/dist/src/ListExt.c:1.5.2.1
--- xsrc/external/mit/libX11/dist/src/ListExt.c:1.5 Tue Oct 4 22:04:39 2016
+++ xsrc/external/mit/libX11/dist/src/ListExt.c Tue Aug 28 13:27:24 2018
@@ -74,19 +74,20 @@ char **XListExtensions(
/*
* unpack into null terminated strings.
*/
- chend = ch + (rlen + 1);
- length = *ch;
+ chend = ch + rlen;
+ length = *(unsigned char *)ch;
for (i = 0; i < rep.nExtensions; i++) {
if (ch + length < chend) {
list[i] = ch+1; /* skip over length */
ch += length + 1; /* find next length ... */
- if (ch <= chend) {
- length = *ch;
- *ch = '\0'; /* and replace with null-termination */
- count++;
- } else {
- list[i] = NULL;
- }
+ length = *(unsigned char *)ch;
+ *ch = '\0'; /* and replace with null-termination */
+ count++;
+ } else if (i == 0) {
+ Xfree(list);
+ Xfree(ch);
+ list = NULL;
+ break;
} else
list[i] = NULL;
}
Index: xsrc/external/mit/libX11/dist/src/LiHosts.c
diff -u xsrc/external/mit/libX11/dist/src/LiHosts.c:1.1.1.5 xsrc/external/mit/libX11/dist/src/LiHosts.c:1.1.1.5.10.1
--- xsrc/external/mit/libX11/dist/src/LiHosts.c:1.1.1.5 Thu May 30 23:04:40 2013
+++ xsrc/external/mit/libX11/dist/src/LiHosts.c Tue Aug 28 13:27:24 2018
@@ -119,11 +119,16 @@ XHostAddress *XListHosts (
_XRead (dpy, (char *) buf, nbytes);
for (i = 0; i < reply.nHosts; i++) {
+ if (bp > buf + nbytes - SIZEOF(xHostEntry))
+ goto fail;
op->family = ((xHostEntry *) bp)->family;
op->length =((xHostEntry *) bp)->length;
if (op->family == FamilyServerInterpreted) {
char *tp = (char *) (bp + SIZEOF(xHostEntry));
- char *vp = memchr(tp, 0, op->length);
+ char *vp;
+ if (tp > (char *) (buf + nbytes - op->length))
+ goto fail;
+ vp = memchr(tp, 0, op->length);
if (vp != NULL) {
sip->type = tp;
@@ -138,6 +143,8 @@ XHostAddress *XListHosts (
sip++;
} else {
op->address = (char *) (bp + SIZEOF(xHostEntry));
+ if (op->address > (char *) (buf + nbytes - op->length))
+ goto fail;
}
bp += SIZEOF(xHostEntry) + (((op->length + 3) >> 2) << 2);
op++;
@@ -149,9 +156,9 @@ XHostAddress *XListHosts (
UnlockDisplay(dpy);
SyncHandle();
return (outbuf);
+fail:
+ *enabled = reply.enabled;
+ *nhosts = 0;
+ Xfree(outbuf);
+ return (NULL);
}
-
-
-
-
-
