libXi: Changes to 'libXi-1.6-branch'

Peter Hutterer whot at kemper.freedesktop.org
Thu May 23 18:49:09 PDT 2013


 configure.ac        |    6 ++++
 src/XExtInt.c       |    7 +++++
 src/XGMotion.c      |   24 ++++++++++++++-----
 src/XGetBMap.c      |   21 ++++++++++-------
 src/XGetDCtl.c      |   33 ++++++++++++++++++++------
 src/XGetDProp.c     |   64 ++++++++++++++++++++++++++++++----------------------
 src/XGetFCtl.c      |   26 ++++++++++++++++-----
 src/XGetKMap.c      |    2 -
 src/XGetMMap.c      |    2 -
 src/XGetProp.c      |   12 ++++-----
 src/XGtSelect.c     |    2 -
 src/XIPassiveGrab.c |    2 -
 src/XIProperties.c  |   18 ++++++++------
 src/XISelEv.c       |   35 +++++++++++++++++++++-------
 src/XIint.h         |   14 +++++++++++
 src/XListDProp.c    |    2 -
 src/XListDev.c      |   28 +++++++++++++---------
 src/XOpenDev.c      |    2 -
 src/XQueryDv.c      |   19 ++++++++++-----
 19 files changed, 220 insertions(+), 99 deletions(-)

New commits:
commit 49307ef3e8b4a24b501729f0a9551d10cc53b9c5
Author: Peter Hutterer <peter.hutterer at who-t.net>
Date:   Tue May 21 12:23:05 2013 +1000

    Don't overwrite the cookies serial number
    
    serial != sequenceNumber, see _XSetLastRequestRead()
    
    cookie->serial is already set at this point, setting it again directly from
    the sequenceNumber of the event causes a bunch of weird issues such as
    scrollbars and text drag-n-drop breaking.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=965347
    
    Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
    (cherry picked from commit 661c45ca17c434dbd342a46fd3fb813852ae0ca9)

commit 62c1e47de0448242a0dd1f5226be93f92a06824f
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sun Mar 10 00:16:22 2013 -0800

    sign extension issue in XListInputDevices() [CVE-2013-1995]
    
    nptr is (signed) char, which can be negative, and will sign extend
    when added to the int size, which means size can be subtracted from,
    leading to allocating too small a buffer to hold the data being copied
    from the X server's reply.
    
    v2: check that string size fits inside the data read from the server,
        so that we don't read out of bounds either
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
    (cherry picked from commit 81b4df8ac6aa1520c41c3526961014a6f115cc46)
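
The sign-extension defect described in this commit, shown as an added example (not libXi code, not the XListInputDevices wire format): a reply is modelled as a run of length-prefixed names, one length byte followed by that many bytes. Reading the length through a signed char makes any byte >= 0x80 contribute a negative number to the running size; the hardened form reads it as unsigned and also applies the v2 check that each name body fits inside the bytes actually read from the server. The layout, the function names and the sample reply are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Constructed reply: two names. Name 1 is "mouse" (length byte 5); name 2
 * has a length byte of 0xC8 (200), which is negative when read as a
 * signed char. Fills buf and returns the reply length (0 if cap is too small).
 */
size_t sample_reply(unsigned char *buf, size_t cap)
{
    const size_t need = 1 + 5 + 1 + 200;
    if (cap < need)
        return 0;
    buf[0] = 5;
    memcpy(buf + 1, "mouse", 5);
    buf[6] = 0xC8;
    memset(buf + 7, 'x', 200);
    return need;
}

/*
 * The pattern the commit describes: nptr is a signed char pointer, so
 * *nptr + 1 is added as a negative value for a length byte >= 0x80 and the
 * size to allocate shrinks instead of growing. The pointer is only advanced
 * while more names remain so the walk stays inside the sample buffer.
 */
long names_size_signed(const void *reply, size_t n_names)
{
    long size = 0;
    const signed char *nptr = reply;

    for (size_t i = 0; i < n_names; i++) {
        size += *nptr + 1;          /* 0xC8 reads as -56, contributes -55 */
        if (i + 1 < n_names)
            nptr += *nptr + 1;      /* advance to the next length byte */
    }
    return size;                    /* -49 for the sample reply */
}

/*
 * Hardened form: the length is read through unsigned char (0xC8 is 200),
 * and a name whose body would run past the data read from the server is
 * rejected instead of counted. Returns 0 on success, -1 on a malformed reply.
 */
int names_size_checked(const unsigned char *reply, size_t reply_len,
                       size_t n_names, size_t *total)
{
    size_t size = 0, off = 0;

    for (size_t i = 0; i < n_names; i++) {
        if (off >= reply_len)
            return -1;              /* no length byte left to read */
        size_t len = reply[off];    /* unsigned: never negative */
        if (len + 1 > reply_len - off)
            return -1;              /* name body exceeds the reply */
        size += len + 1;
        off += len + 1;
    }
    *total = size;
    return 0;
}
```

With the sample reply the signed computation yields -49 bytes, which any allocator will turn into a far too small buffer, while the checked form returns 207 for the full reply and rejects a reply truncated to 50 bytes.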

commit f888a17af24945e2b583625c7d85ebed1518fc05
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sun Mar 10 00:22:14 2013 -0800

    Avoid integer overflow in XListInputDevices() [CVE-2013-1984 8/8]
    
    If the length of the reply as reported by the Xserver is too long, it
    could overflow the calculation for the size of the buffer to copy the
    reply into, causing memory corruption.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
    (cherry picked from commit ef82512288d8ca36ac0beeb289f158195b0a8cae)

commit 7be9dcc311e29ed326e53117904648cb51ee21df
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sun Mar 10 13:30:55 2013 -0700

    Avoid integer overflow in XGetDeviceProperties() [CVE-2013-1984 7/8]
    
    If the number of items as reported by the Xserver is too large, it
    could overflow the calculation for the size of the buffer to copy the
    reply into, causing memory corruption.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
    (cherry picked from commit 17071c1c608247800b2ca03a35b1fcc9c4cabe6c)

commit cabe9d3f00a28aa05dcb14c114196a30278b5e22
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Mar 9 22:55:23 2013 -0800

    integer overflow in XIGetSelectedEvents() [CVE-2013-1984 6/8]
    
    If the number of events or masks reported by the server is large enough
    that it overflows when multiplied by the size of the appropriate struct,
    or the sizes overflow as they are totaled up, then memory corruption can
    occur when more bytes are copied from the X server reply than the size
    of the buffer we allocated to hold them.
    
    v2: check that reply size fits inside the data read from the server,
        so that we don't read out of bounds either
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
    (cherry picked from commit 528419b9ef437e7eeafb41bf45e8ff7d818bd845)

commit 6d992e2b31f58e716e63f9a1e5d910a66f51a11b
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Mar 9 22:55:23 2013 -0800

    integer overflow in XIGetProperty() [CVE-2013-1984 5/8]
    
    If the number of items reported by the server is large enough that
    it overflows when multiplied by the size of the appropriate item type,
    then memory corruption can occur when more bytes are copied from the
    X server reply than the size of the buffer we allocated to hold them.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
    (cherry picked from commit 242f92b490a695fbab244af5bad11b71f897c732)

commit b273909309cfdde0369ee728b17c15984eb84e49
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Mar 9 22:55:23 2013 -0800

    integer overflow in XGetDeviceMotionEvents() [CVE-2013-1984 4/8]
    
    If the number of events or axes reported by the server is large enough
    that it overflows when multiplied by the size of the appropriate struct,
    then memory corruption can occur when more bytes are copied from the
    X server reply than the size of the buffer we allocated to hold them.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
    (cherry picked from commit bb922ed4253b35590f0369f32a917ff89ade0830)

commit 843e1e83de77df8e7e2fc0e992955871498e8432
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Mar 9 22:55:23 2013 -0800

    integer overflow in XGetDeviceDontPropagateList() [CVE-2013-1984 3/8]
    
    If the number of event classes reported by the server is large enough
    that it overflows when multiplied by the size of the appropriate struct,
    then memory corruption can occur when more bytes are copied from the
    X server reply than the size of the buffer we allocated to hold them.
    
    V2: EatData if count is 0 but length is > 0 to avoid XIOErrors
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
    (cherry picked from commit 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff)

commit bb14753444842d74de61293ba61863b6c8e12e22
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Mar 9 22:55:23 2013 -0800

    integer overflow in XGetFeedbackControl() [CVE-2013-1984 2/8]
    
    If the number of feedbacks reported by the server is large enough that
    it overflows when multiplied by the size of the appropriate struct, or
    if the total size of all the feedback structures overflows when added
    together, then memory corruption can occur when more bytes are copied from
    the X server reply than the size of the buffer we allocated to hold them.
    
    v2: check that reply size fits inside the data read from the server, so
        we don't read out of bounds either
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
    (cherry picked from commit 322ee3576789380222d4403366e4fd12fb24cb6a)

commit e7ebe26edd40996a9b36b0c7a068728781eb41bb
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Mar 9 22:55:23 2013 -0800

    integer overflow in XGetDeviceControl() [CVE-2013-1984 1/8]
    
    If the number of valuators reported by the server is large enough that
    it overflows when multiplied by the size of the appropriate struct, then
    memory corruption can occur when more bytes are copied from the X server
    reply than the size of the buffer we allocated to hold them.
    
    v2: check that reply size fits inside the data read from the server, so
        we don't read out of bounds either
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
    (cherry picked from commit b0b13c12a8079a5a0e7f43b2b8983699057b2cec)
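
The eight CVE-2013-1984 commits above all describe the same arithmetic defect: a count from the server multiplied by a struct size, or several such products added together, wrapping before the buffer is allocated. The following is an added example, not libXi code: counts arrive as 32-bit values, the element sizes stand in for sizeof() of the client structs, and the reply length is a CARD32 count of 32-bit words converted to bytes in 64-bit arithmetic. Every product and sum is overflow-checked and the result is compared against the bytes the server actually sent (the v2 check). Function names and sample values are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Reply body size in bytes. rep_length is a CARD32 count of 32-bit words,
 * so the conversion is done in 64-bit rather than as rep_length << 2. */
uint64_t reply_bytes(uint32_t rep_length_words)
{
    return (uint64_t)rep_length_words * 4;
}

/* a * b into *out; returns -1 if the product does not fit in size_t. */
int mul_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* a + b into *out; returns -1 if the sum does not fit in size_t. */
int add_checked(size_t a, size_t b, size_t *out)
{
    if (b > SIZE_MAX - a)
        return -1;
    *out = a + b;
    return 0;
}

/*
 * Allocation size for n_events records of event_size bytes plus n_axes
 * records of axis_size bytes (the two-count shape of the motion-events
 * case). Fails if any intermediate overflows or if the total exceeds the
 * bytes the server sent. Returns 0 on success, -1 on rejection.
 */
int buffer_size_checked(uint32_t n_events, size_t event_size,
                        uint32_t n_axes, size_t axis_size,
                        uint32_t rep_length_words, size_t *needed)
{
    size_t ev, ax, total;

    if (mul_checked(n_events, event_size, &ev) < 0)
        return -1;
    if (mul_checked(n_axes, axis_size, &ax) < 0)
        return -1;
    if (add_checked(ev, ax, &total) < 0)
        return -1;
    if ((uint64_t)total > reply_bytes(rep_length_words))
        return -1;                  /* more than the server actually sent */
    *needed = total;
    return 0;
}

/* The unchecked shape, in explicit 32-bit arithmetic so the wrap is visible
 * on any host: the products and the sum silently reduce modulo 2^32. */
uint32_t buffer_size_unchecked32(uint32_t n_events, uint32_t event_size,
                                 uint32_t n_axes, uint32_t axis_size)
{
    return n_events * event_size + n_axes * axis_size;
}
```

A count of 0x40000000 events of 16 bytes each wraps to an allocation of 0 bytes in the unchecked form; the checked form rejects the same request because 16 GiB cannot fit inside a reply the server reported as 100 words long.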

commit 2736e93eb52109e5bab5bd14395142cc750f2614
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Apr 26 22:48:36 2013 -0700

    unvalidated lengths in XQueryDeviceState() [CVE-2013-1998 3/3]
    
    If the lengths given for each class state in the reply add up to more
    than the rep.length, we could read past the end of the buffer allocated
    to hold the data read from the server.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
    (cherry picked from commit 5398ac0797f7516f2c9b8f2869a6c6d071437352)

commit f0c0f2ff06c8f9ec36f3f344dda4bec71ca5698b
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Mar 9 23:37:23 2013 -0800

    memory corruption in _XIPassiveGrabDevice() [CVE-2013-1998 2/3]
    
    If the server returned more modifiers than the caller asked for,
    we'd just keep copying past the end of the array provided by the
    caller, writing over who-knows-what happened to be there.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
    (cherry picked from commit 91434737f592e8f5cc1762383882a582b55fc03a)

commit d7537ad6fba36af4536c576220c135a63507789c
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Mar 9 22:26:52 2013 -0800

    Stack buffer overflow in XGetDeviceButtonMapping() [CVE-2013-1998 1/3]
    
    We copy the entire reply sent by the server into the fixed size
    mapping[] array on the stack, even if the server says it's a larger
    size than the mapping array can hold.  HULK SMASH STACK!
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
    (cherry picked from commit f3e08e4fbe40016484ba795feecf1a742170ffc1)
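
The three CVE-2013-1998 commits above share one theme: a count or length the server reports drives a copy or a walk, while the caller's array size and the bytes actually read do not. The following is an added example, not libXi code. The reply is modelled as a 32-bit element count followed by the elements, a constructed stand-in for the real wire format; the bounded copy covers both the fixed-size mapping[] array (1/3) and the caller-sized modifier array (2/3), and the final function applies the per-class length check (3/3) by summing lengths in 64-bit against the reply size. Function names, the class-length type and the sample replies are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* The defect pattern: the server's count sizes the copy; the destination
 * capacity is never consulted, so a large count writes past dst. Shown for
 * contrast with the checked form below; it is not exercised. */
void copy_elems_unchecked(const unsigned char *reply, void *dst, size_t elem_size)
{
    uint32_t count;
    memcpy(&count, reply, sizeof count);
    memcpy(dst, reply + sizeof count, (size_t)count * elem_size);
}

/*
 * Hardened form: copy at most dst_cap elements, and only if the reply really
 * carries count * elem_size bytes. Returns the number of elements copied, or
 * -1 when the server's count exceeds the caller's array or the data read.
 */
long copy_elems_checked(const unsigned char *reply, size_t reply_len,
                        void *dst, size_t dst_cap, size_t elem_size)
{
    uint32_t count;

    if (reply_len < sizeof count)
        return -1;
    memcpy(&count, reply, sizeof count);
    if (count > dst_cap)
        return -1;                  /* would overflow the caller's array */
    if ((uint64_t)count * elem_size > reply_len - sizeof count)
        return -1;                  /* count claims more than was read */
    memcpy(dst, reply + sizeof count, (size_t)count * elem_size);
    return (long)count;
}

/* Constructed reply claiming `claimed` one-byte elements but carrying
 * `present` payload bytes, so a count that lies about the data can be tested.
 * Returns the reply length, or 0 if buf is too small. */
size_t build_reply(unsigned char *buf, size_t cap, uint32_t claimed, size_t present)
{
    if (cap < sizeof claimed + present)
        return 0;
    memcpy(buf, &claimed, sizeof claimed);
    memset(buf + sizeof claimed, 0xAB, present);
    return sizeof claimed + present;
}

/* Per-class lengths (bytes, assumed type) must add up to no more than the
 * reply length, a CARD32 count of 32-bit words. Summed in 64-bit so the
 * accumulation itself cannot wrap. Returns 1 if they fit, 0 otherwise. */
int class_lengths_fit(const uint32_t *lengths, size_t n, uint32_t rep_length_words)
{
    uint64_t sum = 0, avail = (uint64_t)rep_length_words * 4;

    for (size_t i = 0; i < n; i++) {
        sum += lengths[i];
        if (sum > avail)
            return 0;               /* reading this class would run past the reply */
    }
    return 1;
}
```

Against an 8-byte mapping array, a reply with 8 elements is copied, a reply with 32 elements is rejected before any byte lands outside the array, and a reply whose count claims 8 elements but carries only 4 bytes is rejected as well.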

commit 4579fadd11883c62db486ecc64c40342c2ab5506
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Wed May 1 23:58:39 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length bit shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
    (cherry picked from commit 59b8e1388a687f871831ac5a9e0ac11de75e2516)

commit 768c64aaf9d89b1b94f873c68b6b5b38a3af79fa
Author: Peter Hutterer <peter.hutterer at who-t.net>
Date:   Fri May 17 09:07:44 2013 +1000

    Copy the sequence number into the target event too (#64687)
    
    X.Org Bug 64687 <http://bugs.freedesktop.org/show_bug.cgi?id=64687>
    
    Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
    Reviewed-by: Jasper St. Pierre <jstpierre at mecheye.net>
    (cherry picked from commit 5d43d4914dcabb6de69859567061e99300e56ef4)
    
    Conflicts:
    	src/XExtInt.c

commit 362c9058dcbeedacaae0190c279e076a5db1d564
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Mon Apr 29 18:39:34 2013 -0700

    Expand comment on the memory vs. reply ordering in XIGetSelectedEvents()
    
    Unpacking from the wire involves un-interleaving the structs & masks,
    which wasn't obvious to me the first time I read it, so make notes
    before I forget again.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
    (cherry picked from commit bb82c72a1d69eaf60b7586570faf797df967f661)
