libX11: Changes to 'master'
Alan Coopersmith
alanc at kemper.freedesktop.org
Mon Jul 22 23:55:13 PDT 2013

 specs/libX11/AppC.xml |    4 +++-
 src/Host.c            |    8 ++++++++
 src/ModMap.c          |   10 +++++++---
 src/XlibInt.c         |    8 ++++++++
 4 files changed, 26 insertions(+), 4 deletions(-)

New commits:
commit feb131b18aee31c2c125dc3275b0260940245882
Author: Kees Cook <kees at outflux.net>
Date: Sun Jun 9 11:13:43 2013 -0700

libX11: check "req" when calling GetReqExtra

This fixes the two callers of GetReqExtra to check that "req" is non-NULL
to avoid crashing now that GetReqExtra does internal bounds-checking on
the resulting buffer sizes.

Additionally updates comment describing return values to use names
instead of only literal values.

Signed-off-by: Kees Cook <kees at outflux.net>
Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 54540d7cba0c2bfe9176221c7bca910058d304df
Author: Kees Cook <kees at outflux.net>
Date: Sun Jun 9 11:13:42 2013 -0700

libX11: check size of GetReqExtra after XFlush

Two users of GetReqExtra pass arbitrarily sized allocations from the
caller (ModMap and Host). Adjust _XGetRequest() (called by the GetReqExtra
macro) to double-check the requested length and invalidate "req" when
this happens. Users of GetReqExtra passing lengths greater than the Xlib
buffer size (normally 16K) must check "req" and fail gracefully instead
of crashing.

Any callers of GetReqExtra that do not check "req" for NULL
will experience this change, in the pathological case, as a NULL
dereference instead of a buffer overflow. This is an improvement, but
the documentation for GetReqExtra has been updated to reflect the need
to check the value of "req" after the call.

Bug that manifested the problem:
https://bugs.launchpad.net/ubuntu/+source/x11-xserver-utils/+bug/792628

Signed-off-by: Kees Cook <kees at outflux.net>
Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
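
The pattern the two commit messages above describe, as an added example: a simplified model, not libX11 source and not code from the commits. The names struct conn, conn_flush, get_request and set_mapping are hypothetical, the 4-byte header is constructed, and BUF_SIZE takes the "normally 16K" figure from the message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16384               /* "normally 16K" per the commit message */

struct conn {                        /* hypothetical stand-in for the output buffer */
    unsigned char buf[BUF_SIZE];
    size_t used;                     /* bytes queued, always <= BUF_SIZE */
    unsigned flushes;
};

/* Stand-in for XFlush: pretend the queued bytes were written out. */
static void conn_flush(struct conn *c) { c->used = 0; c->flushes++; }

/* Reserve len bytes. Flush if the request does not fit; if it still does not
 * fit in an empty buffer, return NULL instead of a pointer the caller would
 * write past. */
static void *get_request(struct conn *c, size_t len)
{
    if (len > BUF_SIZE - c->used)
        conn_flush(c);
    if (len > BUF_SIZE - c->used)    /* re-check after the flush */
        return NULL;
    void *req = c->buf + c->used;
    c->used += len;
    return req;
}

/* Caller passing a caller-sized payload: it must check the result and fail
 * gracefully. Returns 0 on success, -1 on failure. */
static int set_mapping(struct conn *c, const unsigned char *map, size_t n)
{
    if (n > SIZE_MAX - 4)            /* header + payload must not wrap */
        return -1;
    unsigned char *req = get_request(c, 4 + n);
    if (req == NULL)                 /* the check the second commit adds to callers */
        return -1;
    memset(req, 0, 4);               /* constructed 4-byte header */
    memcpy(req + 4, map, n);
    return 0;
}

int main(void)
{
    static struct conn c;
    static unsigned char big[BUF_SIZE];   /* constructed oversized input */
    printf("small: %d\n", set_mapping(&c, big, 64));
    printf("oversized: %d\n", set_mapping(&c, big, sizeof big));
    return 0;
}
```

Without the second comparison in get_request, the oversized call would receive a pointer to the start of the buffer and memcpy would run past its end; without the NULL check in set_mapping, the same call would dereference NULL.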