From 773dc997dc8f89baaa4fc079a2763579ed6a96bb Mon Sep 17 00:00:00 2001 From: Olivier Fourdan Date: Fri, 6 Dec 2024 10:07:53 +0100 Subject: [PATCH] Rebase to 1.8.10 Resolves: https://issues.redhat.com/browse/RHEL-70185 --- ...tion-after-freeing-display-structure.patch | 82 +++++++++++++++++ 0001-Fix-deadlock-in-XRebindKeysym.patch | 52 ----------- ...tialized-variable-in-_XimTriggerNoti.patch | 49 ---------- ...S-regression-in-XCopyColormapAndFree.patch | 34 ------- ...nitialized-variable-in-_XimExtension.patch | 49 ---------- ...olormap-add-removal-with-display-loc.patch | 92 ------------------- ...tialized-variable-in-_XimEncodeICATT.patch | 47 ---------- ...ormap-private-interfaces-thread-safe.patch | 92 ------------------- ...that-needed-is-0-in-XkbResizeKeyActi.patch | 62 ------------- ...-memory-leak-in-_XimProtoSetIMValues.patch | 64 ------------- ...ix-buffer-overrun-in-parse_omit_name.patch | 57 ------------ dont-forward-keycode-0.patch | 16 ++-- libX11.spec | 26 ++---- sources | 2 +- 14 files changed, 99 insertions(+), 625 deletions(-) create mode 100644 0001-Close-xcb-connection-after-freeing-display-structure.patch delete mode 100644 0001-Fix-deadlock-in-XRebindKeysym.patch delete mode 100644 0001-Fix-use-of-uninitialized-variable-in-_XimTriggerNoti.patch delete mode 100644 0001-Revert-Fix-XTS-regression-in-XCopyColormapAndFree.patch delete mode 100644 0002-Fix-use-of-uninitialized-variable-in-_XimExtension.patch delete mode 100644 0002-Revert-Protect-colormap-add-removal-with-display-loc.patch delete mode 100644 0003-Fix-use-of-uninitialized-variable-in-_XimEncodeICATT.patch delete mode 100644 0003-Make-colormap-private-interfaces-thread-safe.patch delete mode 100644 0004-XKBMAlloc-Check-that-needed-is-0-in-XkbResizeKeyActi.patch delete mode 100644 0005-Fix-memory-leak-in-_XimProtoSetIMValues.patch delete mode 100644 0006-Fix-buffer-overrun-in-parse_omit_name.patch 
diff --git a/0001-Close-xcb-connection-after-freeing-display-structure.patch b/0001-Close-xcb-connection-after-freeing-display-structure.patch
new file mode 100644
index 0000000..299e515
--- /dev/null
+++ b/0001-Close-xcb-connection-after-freeing-display-structure.patch
@@ -0,0 +1,82 @@ +From f3d6ebac35301d4ad068e307f0fbe6aa12ccbccb Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Fri, 9 Aug 2024 09:21:31 +0200 +Subject: [PATCH libX11] Close xcb connection after freeing display structure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Commit 1472048b7 to fix a colormap threading issue added a display +lock/unlock and a call to SyncHandle() to _XcmsFreeClientCmaps(). + +When running synchronized, that means calling XSync(). + +_XcmsFreeClientCmaps() is called from _XFreeDisplayStructure() via +XCloseDisplay() after the xcb connection is closed. + +So when running synchronized, we may end up calling XSync() after the +xcb connection to the display is closed, which will generate a spurious +XIO error: + + | #0 in _XDefaultIOError () at /lib64/libX11.so.6 + | #1 in _XIOError () at /lib64/libX11.so.6 + | #2 in _XReply () at /lib64/libX11.so.6 + | #3 in XSync () at /lib64/libX11.so.6 + | #4 in _XSyncFunction () at /lib64/libX11.so.6 + | 8#5 in _XFreeDisplayStructure () at /lib64/libX11.so.6 + | 8#6 in XCloseDisplay () at /lib64/libX11.so.6 + +To avoid that issue, closed the xcb connection to the display last. 
+ +v2: And same in OutOfMemory() as well (José Expósito) + +Signed-off-by: Olivier Fourdan +Reviewed-by: José Expósito +Part-of: +--- + src/ClDisplay.c | 4 +++- + src/OpenDis.c | 7 +++++-- + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/ClDisplay.c b/src/ClDisplay.c +index aa904e51..31d3a841 100644 +--- a/src/ClDisplay.c ++++ b/src/ClDisplay.c +@@ -47,6 +47,7 @@ XCloseDisplay ( + { + register _XExtension *ext; + register int i; ++ xcb_connection_t *connection; + + if (!(dpy->flags & XlibDisplayClosing)) + { +@@ -68,7 +69,8 @@ XCloseDisplay ( + if (X_DPY_GET_REQUEST(dpy) != X_DPY_GET_LAST_REQUEST_READ(dpy)) + XSync(dpy, 1); + } +- xcb_disconnect(dpy->xcb->connection); ++ connection = dpy->xcb->connection; + _XFreeDisplayStructure (dpy); ++ xcb_disconnect(connection); + return 0; + } +diff --git a/src/OpenDis.c b/src/OpenDis.c +index 89a0ebdf..6cc43ba3 100644 +--- a/src/OpenDis.c ++++ b/src/OpenDis.c +@@ -709,7 +709,10 @@ void _XFreeDisplayStructure(Display *dpy) + + static void OutOfMemory(Display *dpy) + { +- if(dpy->xcb->connection) +- xcb_disconnect(dpy->xcb->connection); ++ xcb_connection_t *connection = dpy->xcb->connection; ++ + _XFreeDisplayStructure (dpy); ++ ++ if(connection) ++ xcb_disconnect(connection); + } +-- +2.47.1 + diff --git a/0001-Fix-deadlock-in-XRebindKeysym.patch b/0001-Fix-deadlock-in-XRebindKeysym.patch deleted file mode 100644 index 386d746..0000000 --- a/0001-Fix-deadlock-in-XRebindKeysym.patch +++ /dev/null 
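Review bot: In the OpenDis.c part of the added patch, the new first line of OutOfMemory() reads `dpy->xcb->connection` unconditionally, so the `if(connection)` test that follows guards only the connection and not `dpy->xcb` itself; the removed lines had the same shape. Whether OutOfMemory() can run before the xcb private data is allocated is not visible here, but if it can, `xcb_connection_t *connection = dpy->xcb ? dpy->xcb->connection : NULL;` closes that path. The patch copies the pointer out before calling _XFreeDisplayStructure(), presumably because that call releases dpy, and a short comment at both sites such as `/* read the connection before _XFreeDisplayStructure(); dpy is not valid afterwards */` would keep a later cleanup from moving the read back after the free. Both XCloseDisplay() and OutOfMemory() begin outside the quoted inner hunks.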
@@ -1,52 +0,0 @@ -From 751fbc59c30604980fdd19cb4b333d3cf2eccb24 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Fri, 21 Jun 2024 14:37:24 +0200 -Subject: [PATCH] Fix deadlock in XRebindKeysym() - -Xlib is now built with threading support enabled from the constructor -by default. - -XRebindKeysym() acquires the display lock, then calls: - -| XRebindKeysym() -| LockDisplay() -| ComputeMaskFromKeytrans() -| -> XkbKeysymToModifiers() -| -> _XkbLoadDpy() -| -> XkbGetMap() -| -> XkbGetUpdatedMap() -| LockDisplay() - -And the dead lock: - -| Xlib ERROR: XKBGetMap.c line 575 thread 1fc6e580: locking display already -| locked at KeyBind.c line 937 - -To avoid the issue, call ComputeMaskFromKeytrans() from outside the display -lock. - -Signed-off-by: Olivier Fourdan -Closes: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/216 -Part-of: ---- - src/KeyBind.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/KeyBind.c b/src/KeyBind.c -index a8181b91..a5e22131 100644 ---- a/src/KeyBind.c -+++ b/src/KeyBind.c -@@ -958,8 +958,9 @@ XRebindKeysym ( - memcpy ((char *) p->modifiers, (char *) mlist, (size_t) nb); - p->key = keysym; - p->mlen = nm; -- ComputeMaskFromKeytrans(dpy, p); - UnlockDisplay(dpy); -+ ComputeMaskFromKeytrans(dpy, p); -+ - return 0; - } - --- -2.45.2 - diff --git a/0001-Fix-use-of-uninitialized-variable-in-_XimTriggerNoti.patch b/0001-Fix-use-of-uninitialized-variable-in-_XimTriggerNoti.patch deleted file mode 100644 index 97656e6..0000000 --- a/0001-Fix-use-of-uninitialized-variable-in-_XimTriggerNoti.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 4f5541193dd5a004ed5ea44c12fc25e227113c9b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= -Date: Tue, 30 Apr 2024 16:37:21 +0200 -Subject: [PATCH 1/6] Fix use of uninitialized variable in _XimTriggerNotify -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -`_XimRead()` is being called with `reply` as target buffer instead of -using `preply`, accessing uninitialized memory a few lines later. - -This error has been found by a static analysis tool. This is the report: - - Error: UNINIT (CWE-457): - libX11-1.8.7/modules/im/ximcp/imDefLkup.c:561: alloc_fn: - Calling "malloc" which returns uninitialized memory. - libX11-1.8.7/modules/im/ximcp/imDefLkup.c:561: assign: - Assigning: "preply" = "malloc((size_t)((len == 0) ? 1 : len))", - which points to uninitialized data. - libX11-1.8.7/modules/im/ximcp/imDefLkup.c:573: uninit_use: - Using uninitialized value "*((CARD8 *)preply)". - # 571| } - # 572| buf_s = (CARD16 *)((char *)preply + XIM_HEADER_SIZE); - # 573|-> if (*((CARD8 *)preply) == XIM_ERROR) { - # 574| _XimProcError(im, 0, (XPointer)&buf_s[3]); - # 575| if(reply != preply) - -Signed-off-by: José Expósito -Part-of: ---- - modules/im/ximcp/imDefLkup.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/modules/im/ximcp/imDefLkup.c b/modules/im/ximcp/imDefLkup.c -index 2e53ab23..8ccaee26 100644 ---- a/modules/im/ximcp/imDefLkup.c -+++ b/modules/im/ximcp/imDefLkup.c -@@ -635,7 +635,7 @@ _XimTriggerNotify( - } else { - buf_size = len; - preply = Xmalloc(len); -- ret_code = _XimRead(im, &len, (XPointer)reply, buf_size, -+ ret_code = _XimRead(im, &len, preply, buf_size, - _XimTriggerNotifyCheck, (XPointer)ic); - if(ret_code != XIM_TRUE) { - Xfree(preply); --- -2.45.2 - diff --git a/0001-Revert-Fix-XTS-regression-in-XCopyColormapAndFree.patch b/0001-Revert-Fix-XTS-regression-in-XCopyColormapAndFree.patch deleted file mode 100644 index 8e07803..0000000 
--- a/0001-Revert-Fix-XTS-regression-in-XCopyColormapAndFree.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 5dfedaf4aa1a032ea6cb4e871abd2e065f798129 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Thu, 6 Jun 2024 16:25:26 +0200 -Subject: [PATCH 1/3] Revert "Fix XTS regression in XCopyColormapAndFree" - -This change was to fix the next change that we are to revert as well. - -This reverts commit 68c72a7341b114277ab232f2499ee3bd035af8a0. - -Reviewed-by: Adam Jackson -Part-of: ---- - src/CopyCmap.c | 5 ----- - 1 file changed, 5 deletions(-) - -diff --git a/src/CopyCmap.c b/src/CopyCmap.c -index b37aba73..b4954b01 100644 ---- a/src/CopyCmap.c -+++ b/src/CopyCmap.c -@@ -53,11 +53,6 @@ Colormap XCopyColormapAndFree( - mid = req->mid = XAllocID(dpy); - req->srcCmap = src_cmap; - -- /* re-lock the display to keep XID handling in sync */ -- UnlockDisplay(dpy); -- SyncHandle(); -- LockDisplay(dpy); -- - #if XCMS - _XcmsCopyCmapRecAndFree(dpy, src_cmap, mid); - #endif --- -2.45.2 - diff --git a/0002-Fix-use-of-uninitialized-variable-in-_XimExtension.patch b/0002-Fix-use-of-uninitialized-variable-in-_XimExtension.patch deleted file mode 100644 index bbb797e..0000000 --- a/0002-Fix-use-of-uninitialized-variable-in-_XimExtension.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From eaad761e24722b1743d3edee3383294bfb4947d6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= -Date: Tue, 30 Apr 2024 16:41:40 +0200 -Subject: [PATCH 2/6] Fix use of uninitialized variable in _XimExtension -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -`_XimRead()` is being called with `reply` as target buffer instead of -using `preply`, accessing uninitialized memory a few lines later. - -This error has been found by a static analysis tool. This is the report: - - Error: UNINIT (CWE-457): - libX11-1.8.7/modules/im/ximcp/imExten.c:468: alloc_fn: - Calling "malloc" which returns uninitialized memory. - libX11-1.8.7/modules/im/ximcp/imExten.c:468: assign: - Assigning: "preply" = "malloc((size_t)((buf_size == 0) ? 1 : buf_size))", - which points to uninitialized data. - libX11-1.8.7/modules/im/ximcp/imExten.c:479: uninit_use: - Using uninitialized value "*((CARD8 *)preply)". - # 477| return False; - # 478| buf_s = (CARD16 *)((char *)preply + XIM_HEADER_SIZE); - # 479|-> if (*((CARD8 *)preply) == XIM_ERROR) { - # 480| _XimProcError(im, 0, (XPointer)&buf_s[3]); - # 481| if(reply != preply) - -Signed-off-by: José Expósito -Part-of: ---- - modules/im/ximcp/imExten.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/modules/im/ximcp/imExten.c b/modules/im/ximcp/imExten.c -index c2e48a89..a25f00d0 100644 ---- a/modules/im/ximcp/imExten.c -+++ b/modules/im/ximcp/imExten.c -@@ -466,7 +466,7 @@ _XimExtension( - } else { - buf_size = len; - preply = Xmalloc(buf_size); -- ret_code = _XimRead(im, &len, reply, buf_size, -+ ret_code = _XimRead(im, &len, preply, buf_size, - _XimQueryExtensionCheck, 0); - if(ret_code != XIM_TRUE) { - Xfree(preply); --- -2.45.2 - diff --git a/0002-Revert-Protect-colormap-add-removal-with-display-loc.patch b/0002-Revert-Protect-colormap-add-removal-with-display-loc.patch deleted file mode 100644 index 539b98f..0000000 
--- a/0002-Revert-Protect-colormap-add-removal-with-display-loc.patch
+++ /dev/null
@@ -1,92 +0,0 @@ -From 739fce4c12c7aa39112353d80c8a3bf25bdd5274 Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Fri, 7 Jun 2024 09:07:39 +0200 -Subject: [PATCH 2/3] Revert "Protect colormap add/removal with display lock" - -That commit 99a2cf1aa was moving the calls to the _Xcms*CmapRec*() -family of functions within a display lock to make the XCMS colormap -functions thread safe. - -Unfortunately, that causes a deadlock in XCopyColormapAndFree(), because -_XcmsCopyCmapRecAndFree() calls CmapRecForColormap() which calls -XGetVisualInfo() which also tries to acquire the display lock. - -So, instead of moving the entire functions within the display lock, -let's try to make the functions themselves thread safe in the following -commit, and revert this change which causes a deadlock. - -This reverts commit 99a2cf1aa0b58391078d5d3edf0a7dab18c7745d. - -Fixes: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/215 -See-also: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/94 -Reviewed-by: Adam Jackson -Part-of: ---- - src/CopyCmap.c | 6 +++--- - src/CrCmap.c | 6 +++--- - src/FreeCmap.c | 6 +++--- - 3 files changed, 9 insertions(+), 9 deletions(-) - -diff --git a/src/CopyCmap.c b/src/CopyCmap.c -index b4954b01..5444550c 100644 ---- a/src/CopyCmap.c -+++ b/src/CopyCmap.c -@@ -53,12 +53,12 @@ Colormap XCopyColormapAndFree( - mid = req->mid = XAllocID(dpy); - req->srcCmap = src_cmap; - -+ UnlockDisplay(dpy); -+ SyncHandle(); -+ - #if XCMS - _XcmsCopyCmapRecAndFree(dpy, src_cmap, mid); - #endif - -- UnlockDisplay(dpy); -- SyncHandle(); -- - return(mid); - } -diff --git a/src/CrCmap.c b/src/CrCmap.c -index 1b18a15b..9904c7dd 100644 ---- a/src/CrCmap.c -+++ b/src/CrCmap.c -@@ -48,12 +48,12 @@ Colormap XCreateColormap( - if (visual == CopyFromParent) req->visual = CopyFromParent; - else req->visual = visual->visualid; - -+ UnlockDisplay(dpy); -+ SyncHandle(); -+ - #ifdef XCMS - _XcmsAddCmapRec(dpy, mid, w, visual); - #endif - -- UnlockDisplay(dpy); -- 
SyncHandle(); -- - return(mid); - } -diff --git a/src/FreeCmap.c b/src/FreeCmap.c -index 68496dd8..e2b76fa6 100644 ---- a/src/FreeCmap.c -+++ b/src/FreeCmap.c -@@ -41,12 +41,12 @@ XFreeColormap( - LockDisplay(dpy); - GetResReq(FreeColormap, cmap, req); - -+ UnlockDisplay(dpy); -+ SyncHandle(); -+ - #ifdef XCMS - _XcmsDeleteCmapRec(dpy, cmap); - #endif - -- UnlockDisplay(dpy); -- SyncHandle(); -- - return 1; - } --- -2.45.2 - diff --git a/0003-Fix-use-of-uninitialized-variable-in-_XimEncodeICATT.patch b/0003-Fix-use-of-uninitialized-variable-in-_XimEncodeICATT.patch deleted file mode 100644 index 0b5d749..0000000 --- a/0003-Fix-use-of-uninitialized-variable-in-_XimEncodeICATT.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 836a8f2cf5e930c8a56b512273fdf9890282ba04 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= -Date: Tue, 30 Apr 2024 16:49:26 +0200 -Subject: [PATCH 3/6] Fix use of uninitialized variable in - _XimEncodeICATTRIBUTE -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -In the `res->resource_size == XimType_NEST` code path, if -`res->xrm_name != pre_quark` and `res->xrm_name != sts_quark`, `len` can -be used uninitialized. - -This error has been found by a static analysis tool. This is the report: - - Error: UNINIT (CWE-457): - libX11-1.8.7/modules/im/ximcp/imRmAttr.c:1106: var_decl: - Declaring variable "len" without initializer. - libX11-1.8.7/modules/im/ximcp/imRmAttr.c:1179: uninit_use: - Using uninitialized value "len". - # 1177| } - # 1178| - # 1179|-> if (len == 0) { - # 1180| continue; - # 1181| } else if (len < 0) { - -Signed-off-by: José Expósito -Part-of: ---- - modules/im/ximcp/imRmAttr.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c -index 709e64ab..c56bd62e 100644 ---- a/modules/im/ximcp/imRmAttr.c -+++ b/modules/im/ximcp/imRmAttr.c -@@ -1115,6 +1115,7 @@ _XimEncodeICATTRIBUTE( - - *ret_len = 0; - for (p = arg; p && p->name; p++) { -+ len = 0; - buf_s = (CARD16 *)buf; - if (!(res = _XimGetResourceListRec(res_list, res_num, p->name))) { - if (_XimSetInnerICAttributes(ic, top, p, mode)) --- -2.45.2 - diff --git a/0003-Make-colormap-private-interfaces-thread-safe.patch b/0003-Make-colormap-private-interfaces-thread-safe.patch deleted file mode 100644 index 9166a74..0000000 --- a/0003-Make-colormap-private-interfaces-thread-safe.patch +++ /dev/null 
@@ -1,92 +0,0 @@ -From 1472048b7a02d1b7fc25cfeda761db23fba21eac Mon Sep 17 00:00:00 2001 -From: Olivier Fourdan -Date: Fri, 7 Jun 2024 09:05:55 +0200 -Subject: [PATCH 3/3] Make colormap private interfaces thread safe. - -Protect access to the dpy structure by a display lock, so that these can -be called outside of a global display lock. - -That allows the XCMS colormap functions to be thread safe without having -the whole functions within a display lock, to avoid deadlocks. - -Signed-off-by: Olivier Fourdan -See-also: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/215 -See-also: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/94 -Reviewed-by: Adam Jackson -Part-of: ---- - src/xcms/cmsCmap.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/src/xcms/cmsCmap.c b/src/xcms/cmsCmap.c -index c7087ecb..4b229477 100644 ---- a/src/xcms/cmsCmap.c -+++ b/src/xcms/cmsCmap.c -@@ -87,12 +87,17 @@ CmapRecForColormap( - _XAsyncHandler async; - _XAsyncErrorState async_state; - -+ LockDisplay(dpy); - for (pRec = (XcmsCmapRec *)dpy->cms.clientCmaps; pRec != NULL; - pRec = pRec->pNext) { - if (pRec->cmapID == cmap) { -+ UnlockDisplay(dpy); -+ SyncHandle(); - return(pRec); - } - } -+ UnlockDisplay(dpy); -+ SyncHandle(); - - /* - * Can't find an XcmsCmapRec associated with cmap in our records. 
-@@ -258,9 +263,12 @@ _XcmsAddCmapRec( - pNew->dpy = dpy; - pNew->windowID = windowID; - pNew->visual = visual; -+ LockDisplay(dpy); - pNew->pNext = (XcmsCmapRec *)dpy->cms.clientCmaps; - dpy->cms.clientCmaps = (XPointer)pNew; - dpy->free_funcs->clientCmaps = _XcmsFreeClientCmaps; -+ UnlockDisplay(dpy); -+ SyncHandle(); - - /* - * Note, we don't create the XcmsCCC for pNew->ccc here because -@@ -342,6 +350,7 @@ _XcmsDeleteCmapRec( - } - - /* search for it in the list */ -+ LockDisplay(dpy); - pPrevPtr = (XcmsCmapRec **)&dpy->cms.clientCmaps; - while ((pRec = *pPrevPtr) && (pRec->cmapID != cmap)) { - pPrevPtr = &pRec->pNext; -@@ -354,6 +363,8 @@ _XcmsDeleteCmapRec( - *pPrevPtr = pRec->pNext; - Xfree(pRec); - } -+ UnlockDisplay(dpy); -+ SyncHandle(); - } - - -@@ -378,6 +389,7 @@ _XcmsFreeClientCmaps( - { - XcmsCmapRec *pRecNext, *pRecFree; - -+ LockDisplay(dpy); - pRecNext = (XcmsCmapRec *)dpy->cms.clientCmaps; - while (pRecNext != NULL) { - pRecFree = pRecNext; -@@ -390,6 +402,8 @@ _XcmsFreeClientCmaps( - Xfree(pRecFree); - } - dpy->cms.clientCmaps = (XPointer)NULL; -+ UnlockDisplay(dpy); -+ SyncHandle(); - } - - --- -2.45.2 - diff --git a/0004-XKBMAlloc-Check-that-needed-is-0-in-XkbResizeKeyActi.patch b/0004-XKBMAlloc-Check-that-needed-is-0-in-XkbResizeKeyActi.patch deleted file mode 100644 index 0a3d9fe..0000000 --- a/0004-XKBMAlloc-Check-that-needed-is-0-in-XkbResizeKeyActi.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From af1312d2873d2ce49b18708a5029895aed477392 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= -Date: Tue, 30 Apr 2024 17:37:39 +0200 -Subject: [PATCH 4/6] XKBMAlloc: Check that needed is >= 0 in - XkbResizeKeyActions -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Passing a negative value in `needed` to the `XkbResizeKeyActions()` -function can create a `newActs` array of an unespected size. -Check the value and return if it is invalid. - -This error has been found by a static analysis tool. This is the report: - - Error: OVERRUN (CWE-119): - libX11-1.8.7/src/xkb/XKBMAlloc.c:811: cond_const: - Checking "xkb->server->size_acts == 0" implies that - "xkb->server->size_acts" is 0 on the true branch. - libX11-1.8.7/src/xkb/XKBMAlloc.c:811: buffer_alloc: - "calloc" allocates 8 bytes dictated by parameters - "(size_t)((xkb->server->size_acts == 0) ? 1 : xkb->server->size_acts)" - and "8UL". - libX11-1.8.7/src/xkb/XKBMAlloc.c:811: var_assign: - Assigning: "newActs" = "calloc((size_t)((xkb->server->size_acts == 0) ? 1 : xkb->server->size_acts), 8UL)". - libX11-1.8.7/src/xkb/XKBMAlloc.c:815: assignment: - Assigning: "nActs" = "1". - libX11-1.8.7/src/xkb/XKBMAlloc.c:829: cond_at_least: - Checking "nCopy > 0" implies that "nCopy" is at least 1 on the - true branch. - libX11-1.8.7/src/xkb/XKBMAlloc.c:830: overrun-buffer-arg: - Overrunning buffer pointed to by "&newActs[nActs]" of 8 bytes by - passing it to a function which accesses it at byte offset 15 - using argument "nCopy * 8UL" (which evaluates to 8). 
- # 828| - # 829| if (nCopy > 0) - # 830|-> memcpy(&newActs[nActs], XkbKeyActionsPtr(xkb, i), - # 831| nCopy * sizeof(XkbAction)); - # 832| if (nCopy < nKeyActs) - -Signed-off-by: José Expósito -Part-of: ---- - src/xkb/XKBMAlloc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/xkb/XKBMAlloc.c b/src/xkb/XKBMAlloc.c -index 8b3be303..0563a688 100644 ---- a/src/xkb/XKBMAlloc.c -+++ b/src/xkb/XKBMAlloc.c -@@ -795,7 +795,7 @@ XkbResizeKeyActions(XkbDescPtr xkb, int key, int needed) - register int i, nActs; - XkbAction *newActs; - -- if (needed == 0) { -+ if (needed <= 0) { - xkb->server->key_acts[key] = 0; - return NULL; - } --- -2.45.2 - diff --git a/0005-Fix-memory-leak-in-_XimProtoSetIMValues.patch b/0005-Fix-memory-leak-in-_XimProtoSetIMValues.patch deleted file mode 100644 index 06cc018..0000000 --- a/0005-Fix-memory-leak-in-_XimProtoSetIMValues.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From f67a87dad40141f50f4da35b28a92a974bfdf7e1 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= -Date: Tue, 30 Apr 2024 18:04:35 +0200 -Subject: [PATCH 5/6] Fix memory leak in _XimProtoSetIMValues -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This error has been found by a static analysis tool. This is the report: - - Error: RESOURCE_LEAK (CWE-772): - libX11-1.8.7/modules/im/ximcp/imDefIm.c:1316: alloc_fn: - Storage is returned from allocation function "calloc". - libX11-1.8.7/modules/im/ximcp/imDefIm.c:1316: var_assign: - Assigning: "tmp" = storage returned from - "calloc((size_t)((buf_size + data_len == 0) ? 1 : (buf_size + data_len)), 1UL)". - libX11-1.8.7/modules/im/ximcp/imDefIm.c:1319: noescape: - Resource "tmp" is not freed or pointed-to in "memcpy". - libX11-1.8.7/modules/im/ximcp/imDefIm.c:1320: var_assign: - Assigning: "buf" = "tmp". - libX11-1.8.7/modules/im/ximcp/imDefIm.c:1302: var_assign: - Assigning: "data" = "buf". - libX11-1.8.7/modules/im/ximcp/imDefIm.c:1303: noescape: - Resource "data" is not freed or pointed-to in - "_XimEncodeIMATTRIBUTE". - libX11-1.8.7/modules/im/ximcp/imDefIm.c:1333: leaked_storage: - Variable "data" going out of scope leaks the storage it points to. - libX11-1.8.7/modules/im/ximcp/imDefIm.c:1333: leaked_storage: - Variable "buf" going out of scope leaks the storage it points to. - libX11-1.8.7/modules/im/ximcp/imDefIm.c:1333: leaked_storage: - Variable "tmp" going out of scope leaks the storage it points to. 
- # 1331| - # 1332| if (!total) - # 1333|-> return (char *)NULL; - # 1334| - # 1335| buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE]; - -Signed-off-by: José Expósito -Part-of: ---- - modules/im/ximcp/imDefIm.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/modules/im/ximcp/imDefIm.c b/modules/im/ximcp/imDefIm.c -index a12d2970..e3075398 100644 ---- a/modules/im/ximcp/imDefIm.c -+++ b/modules/im/ximcp/imDefIm.c -@@ -1327,8 +1327,11 @@ _XimProtoSetIMValues( - } - _XimSetCurrentIMValues(im, &im_values); - -- if (!total) -- return (char *)NULL; -+ if (!total) { -+ if (buf != tmp_buf) -+ Xfree(buf); -+ return (char *)NULL; -+ } - - buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE]; - buf_s[0] = im->private.proto.imid; --- -2.45.2 - diff --git a/0006-Fix-buffer-overrun-in-parse_omit_name.patch b/0006-Fix-buffer-overrun-in-parse_omit_name.patch deleted file mode 100644 index caeaccc..0000000 --- a/0006-Fix-buffer-overrun-in-parse_omit_name.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From 97fb5bda3d0777380cd4b964f48771a82ef3f2a7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= -Date: Tue, 30 Apr 2024 18:21:08 +0200 -Subject: [PATCH 6/6] Fix buffer overrun in parse_omit_name -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When `num_fields == 12`, if the last character of the pattern is '-', -the `buf` array is overrun. - -This error has been found by a static analysis tool. This is the report: - - Error: OVERRUN (CWE-119): - libX11-1.8.7/modules/om/generic/omGeneric.c:691: cond_at_most: - Checking "length > 255" implies that "length" may be up to 255 on - the false branch. - libX11-1.8.7/modules/om/generic/omGeneric.c:695: alias: - Assigning: "last" = "buf + length - 1". "last" may now point to as - high as byte 254 of "buf" (which consists of 256 bytes). - libX11-1.8.7/modules/om/generic/omGeneric.c:718: ptr_incr: - Incrementing "last". "last" may now point to as high as byte 255 - of "buf" (which consists of 256 bytes). - libX11-1.8.7/modules/om/generic/omGeneric.c:720: ptr_incr: - Incrementing "last". "last" may now point to as high as byte 256 - of "buf" (which consists of 256 bytes). - libX11-1.8.7/modules/om/generic/omGeneric.c:720: overrun-local: - Overrunning array of 256 bytes at byte offset 256 by - dereferencing pointer "++last". - # 718| *++last = '*'; - # 719| - # 720|-> *++last = '-'; - # 721| break; - # 722| case 13: - -Signed-off-by: José Expósito -Part-of: ---- - modules/om/generic/omGeneric.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c -index 406cec93..370072f3 100644 ---- a/modules/om/generic/omGeneric.c -+++ b/modules/om/generic/omGeneric.c -@@ -688,7 +688,7 @@ parse_omit_name( - - length = strlen (pattern); - -- if (length > XLFD_MAX_LEN) -+ if (length > XLFD_MAX_LEN - 1) - return -1; - - strcpy(buf, pattern); --- -2.45.2 - 
diff --git a/dont-forward-keycode-0.patch b/dont-forward-keycode-0.patch index c16d874..466c583 100644 --- a/dont-forward-keycode-0.patch +++ b/dont-forward-keycode-0.patch @@ -1,19 +1,19 @@ diff -up libX11-1.6.3/modules/im/ximcp/imDefFlt.c.jx libX11-1.6.3/modules/im/ximcp/imDefFlt.c --- libX11-1.6.3/modules/im/ximcp/imDefFlt.c.jx 2015-03-09 18:28:45.000000000 -0400 +++ libX11-1.6.3/modules/im/ximcp/imDefFlt.c 2015-03-10 12:32:31.912149644 -0400 -@@ -142,7 +142,7 @@ _XimProtoKeypressFilter( +@@ -143,7 +143,7 @@ _XimProtoKeypressFilter( { Xim im = (Xim)ic->core.im; -- if (IS_FABRICATED(im)) { -+ if ((ev->keycode == 0) || IS_FABRICATED(im)) { +- if (_XimIsFabricatedSerial(im, ev)) { ++ if ((ev->keycode == 0) || _XimIsFabricatedSerial(im, ev)) { _XimPendingFilter(ic); - UNMARK_FABRICATED(im); + _XimUnfabricateSerial(im, ic, ev); return NOTFILTERD; diff -up libX11-1.6.3/modules/im/ximcp/imDefLkup.c.jx libX11-1.6.3/modules/im/ximcp/imDefLkup.c --- libX11-1.6.3/modules/im/ximcp/imDefLkup.c.jx 2015-03-09 18:28:45.000000000 -0400 +++ libX11-1.6.3/modules/im/ximcp/imDefLkup.c 2015-03-10 12:32:31.911149637 -0400 -@@ -332,6 +332,17 @@ _XimForwardEvent( +@@ -333,6 +333,17 @@ _XimForwardEvent( XEvent *ev, Bool sync) { @@ -31,9 +31,9 @@ diff -up libX11-1.6.3/modules/im/ximcp/imDefLkup.c.jx libX11-1.6.3/modules/im/xi #ifdef EXT_FORWARD if (((ev->type == KeyPress) || (ev->type == KeyRelease))) if (_XimExtForwardKeyEvent(ic, (XKeyEvent *)ev, sync)) -@@ -604,6 +615,19 @@ _XimUnregCommitInfo( - Xfree(info->keysym); - ic->private.proto.commit_info = info->next; +@@ -703,6 +714,19 @@ _XimUnregRealCommitInfo( + else + ic->private.proto.commit_info = info->next; Xfree(info); + + /* diff --git a/libX11.spec b/libX11.spec index f816c6f..47fff32 100644 --- a/libX11.spec +++ b/libX11.spec 
@@ -4,8 +4,8 @@ Summary: Core X11 protocol client library Name: libX11 -Version: 1.8.7 -Release: 8%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist} +Version: 1.8.10 +Release: 1%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist} License: MIT AND X11 URL: http://www.x.org @@ -19,22 +19,8 @@ Source0: https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}. Patch02: dont-forward-keycode-0.patch - -# https://issues.redhat.com/browse/RHEL-40132 -Patch03: 0001-Revert-Fix-XTS-regression-in-XCopyColormapAndFree.patch -Patch04: 0002-Revert-Protect-colormap-add-removal-with-display-loc.patch -Patch05: 0003-Make-colormap-private-interfaces-thread-safe.patch - -# https://issues.redhat.com/browse/RHEL-34918 -Patch06: 0001-Fix-use-of-uninitialized-variable-in-_XimTriggerNoti.patch -Patch07: 0002-Fix-use-of-uninitialized-variable-in-_XimExtension.patch -Patch08: 0003-Fix-use-of-uninitialized-variable-in-_XimEncodeICATT.patch -Patch09: 0004-XKBMAlloc-Check-that-needed-is-0-in-XkbResizeKeyActi.patch -Patch10: 0005-Fix-memory-leak-in-_XimProtoSetIMValues.patch -Patch11: 0006-Fix-buffer-overrun-in-parse_omit_name.patch - -# https://issues.redhat.com/browse/RHEL-45855 -Patch12: 0001-Fix-deadlock-in-XRebindKeysym.patch +# https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/264 +Patch03: 0001-Close-xcb-connection-after-freeing-display-structure.patch BuildRequires: libtool BuildRequires: make @@ -139,6 +125,10 @@ make %{?_smp_mflags} check %{_mandir}/man5/*.5* %changelog +* Thu Dec 05 2024 Olivier Fourdan - 1.8.10-1 +- Rebase to 1.8.10 + Resolves: https://issues.redhat.com/browse/RHEL-70185 + * Tue Oct 29 2024 Troy Dawson - 1.8.7-8 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018 diff --git a/sources b/sources index 61762f8..33944c3 100644 --- a/sources +++ b/sources 
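Review bot: The Patch03 to Patch12 entries removed in the second spec hunk include memory-safety fixes (the `needed <= 0` check in XkbResizeKeyActions, the `XLFD_MAX_LEN - 1` bound in parse_omit_name, the `_XimRead` buffer corrections and the `_XimProtoSetIMValues` leak), yet neither the commit message nor the new %changelog entry says that 1.8.10 already contains them. They were presumably merged upstream before this release, but that should be confirmed for each patch against the 1.8.10 tarball and recorded, for example with a changelog line such as `- Drop RHEL-40132, RHEL-34918 and RHEL-45855 patches, all included in 1.8.10`. Without that record a later audit cannot tell an intentional drop from a lost fix.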
@@ -1 +1 @@
-SHA512 (libX11-1.8.7.tar.xz) = d53bfc18f38d339a6a695b09835b2ae96b323881678bfe7ddca697605e3bdf4102ff49cc3078880a6c55b5977fcdd0aadaf5429086132de3a5bda302f79a2fa6
+SHA512 (libX11-1.8.10.tar.xz) = f801f5b77cbc55074f73dc95b29fff7b5e1b13b99641f6e397788ad9f31a29793ed4e8e5bd373122c790ef90627e8f9d6d5e271051c1767a479a85c55cd82bc1