libX11: Changes to 'master'

[GitLab Mirror]

 src/PutBEvent.c |   15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

New commits:
commit d6d6cba90215d323567fef13d6565756c9956f60
Author: Keith Packard <keithp at keithp.com>
Date:   Sun Dec 11 10:32:26 2022 -0800

    Update XPutBackEvent() to support clients that put back unpadded events
    
    It seems to be common practice of some X11 clients to pass specific event
    types into APIs that take XEvent*.  For example, freeglut does:
    
       XConfigureEvent fakeEvent = {0};
       ...
       XPutBackEvent(fgDisplay.Display, (XEvent*)&fakeEvent);
    
    This can result in reads overflowing the input event when libX11 does:
    
       XEvent store = *event;
    
    =================================================================
    ==75304==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x00016ee4a8e8 at pc 0x000101c54d14 bp 0x00016ee4a0d0 sp 0x00016ee49888
    READ of size 192 at 0x00016ee4a8e8 thread T0
        #0 0x101c54d10 in __asan_memcpy+0x1a4 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3cd10)
        #1 0x102848a18 in _XPutBackEvent PutBEvent.c:41
        #2 0x1028490a4 in XPutBackEvent PutBEvent.c:84
        #3 0x1013295c8 in fgOpenWindow freeglut_window.c:1178
        #4 0x101321984 in fgCreateWindow freeglut_structure.c:108
        #5 0x10132b138 in glutCreateWindow freeglut_window.c:1551
        #6 0x100fb7d94 in main+0x78 (checkeredTriangles:arm64+0x100003d94)
        #7 0x197de3e4c  (<unknown module>)
    
    Address 0x00016ee4a8e8 is located in stack of thread T0 at offset 840 in frame
        #0 0x1013282f8 in fgOpenWindow freeglut_window.c:1063
    
      This frame has 8 object(s):
        [32, 40) 'title.addr'
        [64, 176) 'winAttr' (line 1066)
        [208, 240) 'textProperty' (line 1067)
        [272, 352) 'sizeHints' (line 1068)
        [384, 440) 'wmHints' (line 1069)
        [480, 672) 'eventReturnBuffer' (line 1070)
        [736, 740) 'num_FBConfigs' (line 1072)
        [752, 840) 'fakeEvent' (line 1074) <== Memory access at offset 840 overflows this variable
    
    This change allows XPutBackEvent() to support such clients without
    risk of memory read overflow.
    
    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
    Tested-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>