parent
398d91bbd6
commit
773dc997dc
@ -0,0 +1,82 @@
|
||||
From f3d6ebac35301d4ad068e307f0fbe6aa12ccbccb Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Fri, 9 Aug 2024 09:21:31 +0200
|
||||
Subject: [PATCH libX11] Close xcb connection after freeing display structure
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Commit 1472048b7 to fix a colormap threading issue added a display
|
||||
lock/unlock and a call to SyncHandle() to _XcmsFreeClientCmaps().
|
||||
|
||||
When running synchronized, that means calling XSync().
|
||||
|
||||
_XcmsFreeClientCmaps() is called from _XFreeDisplayStructure() via
|
||||
XCloseDisplay() after the xcb connection is closed.
|
||||
|
||||
So when running synchronized, we may end up calling XSync() after the
|
||||
xcb connection to the display is closed, which will generate a spurious
|
||||
XIO error:
|
||||
|
||||
| #0 in _XDefaultIOError () at /lib64/libX11.so.6
|
||||
| #1 in _XIOError () at /lib64/libX11.so.6
|
||||
| #2 in _XReply () at /lib64/libX11.so.6
|
||||
| #3 in XSync () at /lib64/libX11.so.6
|
||||
| #4 in _XSyncFunction () at /lib64/libX11.so.6
|
||||
| 8#5 in _XFreeDisplayStructure () at /lib64/libX11.so.6
|
||||
| 8#6 in XCloseDisplay () at /lib64/libX11.so.6
|
||||
|
||||
To avoid that issue, closed the xcb connection to the display last.
|
||||
|
||||
v2: And same in OutOfMemory() as well (José Expósito)
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Reviewed-by: José Expósito <jexposit@redhat.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/264>
|
||||
---
|
||||
src/ClDisplay.c | 4 +++-
|
||||
src/OpenDis.c | 7 +++++--
|
||||
2 files changed, 8 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/ClDisplay.c b/src/ClDisplay.c
|
||||
index aa904e51..31d3a841 100644
|
||||
--- a/src/ClDisplay.c
|
||||
+++ b/src/ClDisplay.c
|
||||
@@ -47,6 +47,7 @@ XCloseDisplay (
|
||||
{
|
||||
register _XExtension *ext;
|
||||
register int i;
|
||||
+ xcb_connection_t *connection;
|
||||
|
||||
if (!(dpy->flags & XlibDisplayClosing))
|
||||
{
|
||||
@@ -68,7 +69,8 @@ XCloseDisplay (
|
||||
if (X_DPY_GET_REQUEST(dpy) != X_DPY_GET_LAST_REQUEST_READ(dpy))
|
||||
XSync(dpy, 1);
|
||||
}
|
||||
- xcb_disconnect(dpy->xcb->connection);
|
||||
+ connection = dpy->xcb->connection;
|
||||
_XFreeDisplayStructure (dpy);
|
||||
+ xcb_disconnect(connection);
|
||||
return 0;
|
||||
}
|
||||
diff --git a/src/OpenDis.c b/src/OpenDis.c
|
||||
index 89a0ebdf..6cc43ba3 100644
|
||||
--- a/src/OpenDis.c
|
||||
+++ b/src/OpenDis.c
|
||||
@@ -709,7 +709,10 @@ void _XFreeDisplayStructure(Display *dpy)
|
||||
|
||||
static void OutOfMemory(Display *dpy)
|
||||
{
|
||||
- if(dpy->xcb->connection)
|
||||
- xcb_disconnect(dpy->xcb->connection);
|
||||
+ xcb_connection_t *connection = dpy->xcb->connection;
|
||||
+
|
||||
_XFreeDisplayStructure (dpy);
|
||||
+
|
||||
+ if(connection)
|
||||
+ xcb_disconnect(connection);
|
||||
}
|
||||
--
|
||||
2.47.1
|
||||
|
@ -1,52 +0,0 @@
|
||||
From 751fbc59c30604980fdd19cb4b333d3cf2eccb24 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Fri, 21 Jun 2024 14:37:24 +0200
|
||||
Subject: [PATCH] Fix deadlock in XRebindKeysym()
|
||||
|
||||
Xlib is now built with threading support enabled from the constructor
|
||||
by default.
|
||||
|
||||
XRebindKeysym() acquires the display lock, then calls:
|
||||
|
||||
| XRebindKeysym()
|
||||
| LockDisplay()
|
||||
| ComputeMaskFromKeytrans()
|
||||
| -> XkbKeysymToModifiers()
|
||||
| -> _XkbLoadDpy()
|
||||
| -> XkbGetMap()
|
||||
| -> XkbGetUpdatedMap()
|
||||
| LockDisplay()
|
||||
|
||||
And the dead lock:
|
||||
|
||||
| Xlib ERROR: XKBGetMap.c line 575 thread 1fc6e580: locking display already
|
||||
| locked at KeyBind.c line 937
|
||||
|
||||
To avoid the issue, call ComputeMaskFromKeytrans() from outside the display
|
||||
lock.
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Closes: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/216
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/256>
|
||||
---
|
||||
src/KeyBind.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/KeyBind.c b/src/KeyBind.c
|
||||
index a8181b91..a5e22131 100644
|
||||
--- a/src/KeyBind.c
|
||||
+++ b/src/KeyBind.c
|
||||
@@ -958,8 +958,9 @@ XRebindKeysym (
|
||||
memcpy ((char *) p->modifiers, (char *) mlist, (size_t) nb);
|
||||
p->key = keysym;
|
||||
p->mlen = nm;
|
||||
- ComputeMaskFromKeytrans(dpy, p);
|
||||
UnlockDisplay(dpy);
|
||||
+ ComputeMaskFromKeytrans(dpy, p);
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
|
||||
--
|
||||
2.45.2
|
||||
|
@ -1,49 +0,0 @@
|
||||
From 4f5541193dd5a004ed5ea44c12fc25e227113c9b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
|
||||
Date: Tue, 30 Apr 2024 16:37:21 +0200
|
||||
Subject: [PATCH 1/6] Fix use of uninitialized variable in _XimTriggerNotify
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
`_XimRead()` is being called with `reply` as target buffer instead of
|
||||
using `preply`, accessing uninitialized memory a few lines later.
|
||||
|
||||
This error has been found by a static analysis tool. This is the report:
|
||||
|
||||
Error: UNINIT (CWE-457):
|
||||
libX11-1.8.7/modules/im/ximcp/imDefLkup.c:561: alloc_fn:
|
||||
Calling "malloc" which returns uninitialized memory.
|
||||
libX11-1.8.7/modules/im/ximcp/imDefLkup.c:561: assign:
|
||||
Assigning: "preply" = "malloc((size_t)((len == 0) ? 1 : len))",
|
||||
which points to uninitialized data.
|
||||
libX11-1.8.7/modules/im/ximcp/imDefLkup.c:573: uninit_use:
|
||||
Using uninitialized value "*((CARD8 *)preply)".
|
||||
# 571| }
|
||||
# 572| buf_s = (CARD16 *)((char *)preply + XIM_HEADER_SIZE);
|
||||
# 573|-> if (*((CARD8 *)preply) == XIM_ERROR) {
|
||||
# 574| _XimProcError(im, 0, (XPointer)&buf_s[3]);
|
||||
# 575| if(reply != preply)
|
||||
|
||||
Signed-off-by: José Expósito <jexposit@redhat.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
|
||||
---
|
||||
modules/im/ximcp/imDefLkup.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/modules/im/ximcp/imDefLkup.c b/modules/im/ximcp/imDefLkup.c
|
||||
index 2e53ab23..8ccaee26 100644
|
||||
--- a/modules/im/ximcp/imDefLkup.c
|
||||
+++ b/modules/im/ximcp/imDefLkup.c
|
||||
@@ -635,7 +635,7 @@ _XimTriggerNotify(
|
||||
} else {
|
||||
buf_size = len;
|
||||
preply = Xmalloc(len);
|
||||
- ret_code = _XimRead(im, &len, (XPointer)reply, buf_size,
|
||||
+ ret_code = _XimRead(im, &len, preply, buf_size,
|
||||
_XimTriggerNotifyCheck, (XPointer)ic);
|
||||
if(ret_code != XIM_TRUE) {
|
||||
Xfree(preply);
|
||||
--
|
||||
2.45.2
|
||||
|
@ -1,34 +0,0 @@
|
||||
From 5dfedaf4aa1a032ea6cb4e871abd2e065f798129 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Thu, 6 Jun 2024 16:25:26 +0200
|
||||
Subject: [PATCH 1/3] Revert "Fix XTS regression in XCopyColormapAndFree"
|
||||
|
||||
This change was to fix the next change that we are to revert as well.
|
||||
|
||||
This reverts commit 68c72a7341b114277ab232f2499ee3bd035af8a0.
|
||||
|
||||
Reviewed-by: Adam Jackson <ajax@redhat.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/254>
|
||||
---
|
||||
src/CopyCmap.c | 5 -----
|
||||
1 file changed, 5 deletions(-)
|
||||
|
||||
diff --git a/src/CopyCmap.c b/src/CopyCmap.c
|
||||
index b37aba73..b4954b01 100644
|
||||
--- a/src/CopyCmap.c
|
||||
+++ b/src/CopyCmap.c
|
||||
@@ -53,11 +53,6 @@ Colormap XCopyColormapAndFree(
|
||||
mid = req->mid = XAllocID(dpy);
|
||||
req->srcCmap = src_cmap;
|
||||
|
||||
- /* re-lock the display to keep XID handling in sync */
|
||||
- UnlockDisplay(dpy);
|
||||
- SyncHandle();
|
||||
- LockDisplay(dpy);
|
||||
-
|
||||
#if XCMS
|
||||
_XcmsCopyCmapRecAndFree(dpy, src_cmap, mid);
|
||||
#endif
|
||||
--
|
||||
2.45.2
|
||||
|
@ -1,49 +0,0 @@
|
||||
From eaad761e24722b1743d3edee3383294bfb4947d6 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
|
||||
Date: Tue, 30 Apr 2024 16:41:40 +0200
|
||||
Subject: [PATCH 2/6] Fix use of uninitialized variable in _XimExtension
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
`_XimRead()` is being called with `reply` as target buffer instead of
|
||||
using `preply`, accessing uninitialized memory a few lines later.
|
||||
|
||||
This error has been found by a static analysis tool. This is the report:
|
||||
|
||||
Error: UNINIT (CWE-457):
|
||||
libX11-1.8.7/modules/im/ximcp/imExten.c:468: alloc_fn:
|
||||
Calling "malloc" which returns uninitialized memory.
|
||||
libX11-1.8.7/modules/im/ximcp/imExten.c:468: assign:
|
||||
Assigning: "preply" = "malloc((size_t)((buf_size == 0) ? 1 : buf_size))",
|
||||
which points to uninitialized data.
|
||||
libX11-1.8.7/modules/im/ximcp/imExten.c:479: uninit_use:
|
||||
Using uninitialized value "*((CARD8 *)preply)".
|
||||
# 477| return False;
|
||||
# 478| buf_s = (CARD16 *)((char *)preply + XIM_HEADER_SIZE);
|
||||
# 479|-> if (*((CARD8 *)preply) == XIM_ERROR) {
|
||||
# 480| _XimProcError(im, 0, (XPointer)&buf_s[3]);
|
||||
# 481| if(reply != preply)
|
||||
|
||||
Signed-off-by: José Expósito <jexposit@redhat.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
|
||||
---
|
||||
modules/im/ximcp/imExten.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/modules/im/ximcp/imExten.c b/modules/im/ximcp/imExten.c
|
||||
index c2e48a89..a25f00d0 100644
|
||||
--- a/modules/im/ximcp/imExten.c
|
||||
+++ b/modules/im/ximcp/imExten.c
|
||||
@@ -466,7 +466,7 @@ _XimExtension(
|
||||
} else {
|
||||
buf_size = len;
|
||||
preply = Xmalloc(buf_size);
|
||||
- ret_code = _XimRead(im, &len, reply, buf_size,
|
||||
+ ret_code = _XimRead(im, &len, preply, buf_size,
|
||||
_XimQueryExtensionCheck, 0);
|
||||
if(ret_code != XIM_TRUE) {
|
||||
Xfree(preply);
|
||||
--
|
||||
2.45.2
|
||||
|
@ -1,92 +0,0 @@
|
||||
From 739fce4c12c7aa39112353d80c8a3bf25bdd5274 Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Fri, 7 Jun 2024 09:07:39 +0200
|
||||
Subject: [PATCH 2/3] Revert "Protect colormap add/removal with display lock"
|
||||
|
||||
That commit 99a2cf1aa was moving the calls to the _Xcms*CmapRec*()
|
||||
family of functions within a display lock to make the XCMS colormap
|
||||
functions thread safe.
|
||||
|
||||
Unfortunately, that causes a deadlock in XCopyColormapAndFree(), because
|
||||
_XcmsCopyCmapRecAndFree() calls CmapRecForColormap() which calls
|
||||
XGetVisualInfo() which also tries to acquire the display lock.
|
||||
|
||||
So, instead of moving the entire functions within the display lock,
|
||||
let's try to make the functions themselves thread safe in the following
|
||||
commit, and revert this change which causes a deadlock.
|
||||
|
||||
This reverts commit 99a2cf1aa0b58391078d5d3edf0a7dab18c7745d.
|
||||
|
||||
Fixes: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/215
|
||||
See-also: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/94
|
||||
Reviewed-by: Adam Jackson <ajax@redhat.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/254>
|
||||
---
|
||||
src/CopyCmap.c | 6 +++---
|
||||
src/CrCmap.c | 6 +++---
|
||||
src/FreeCmap.c | 6 +++---
|
||||
3 files changed, 9 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/CopyCmap.c b/src/CopyCmap.c
|
||||
index b4954b01..5444550c 100644
|
||||
--- a/src/CopyCmap.c
|
||||
+++ b/src/CopyCmap.c
|
||||
@@ -53,12 +53,12 @@ Colormap XCopyColormapAndFree(
|
||||
mid = req->mid = XAllocID(dpy);
|
||||
req->srcCmap = src_cmap;
|
||||
|
||||
+ UnlockDisplay(dpy);
|
||||
+ SyncHandle();
|
||||
+
|
||||
#if XCMS
|
||||
_XcmsCopyCmapRecAndFree(dpy, src_cmap, mid);
|
||||
#endif
|
||||
|
||||
- UnlockDisplay(dpy);
|
||||
- SyncHandle();
|
||||
-
|
||||
return(mid);
|
||||
}
|
||||
diff --git a/src/CrCmap.c b/src/CrCmap.c
|
||||
index 1b18a15b..9904c7dd 100644
|
||||
--- a/src/CrCmap.c
|
||||
+++ b/src/CrCmap.c
|
||||
@@ -48,12 +48,12 @@ Colormap XCreateColormap(
|
||||
if (visual == CopyFromParent) req->visual = CopyFromParent;
|
||||
else req->visual = visual->visualid;
|
||||
|
||||
+ UnlockDisplay(dpy);
|
||||
+ SyncHandle();
|
||||
+
|
||||
#ifdef XCMS
|
||||
_XcmsAddCmapRec(dpy, mid, w, visual);
|
||||
#endif
|
||||
|
||||
- UnlockDisplay(dpy);
|
||||
- SyncHandle();
|
||||
-
|
||||
return(mid);
|
||||
}
|
||||
diff --git a/src/FreeCmap.c b/src/FreeCmap.c
|
||||
index 68496dd8..e2b76fa6 100644
|
||||
--- a/src/FreeCmap.c
|
||||
+++ b/src/FreeCmap.c
|
||||
@@ -41,12 +41,12 @@ XFreeColormap(
|
||||
LockDisplay(dpy);
|
||||
GetResReq(FreeColormap, cmap, req);
|
||||
|
||||
+ UnlockDisplay(dpy);
|
||||
+ SyncHandle();
|
||||
+
|
||||
#ifdef XCMS
|
||||
_XcmsDeleteCmapRec(dpy, cmap);
|
||||
#endif
|
||||
|
||||
- UnlockDisplay(dpy);
|
||||
- SyncHandle();
|
||||
-
|
||||
return 1;
|
||||
}
|
||||
--
|
||||
2.45.2
|
||||
|
@ -1,47 +0,0 @@
|
||||
From 836a8f2cf5e930c8a56b512273fdf9890282ba04 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
|
||||
Date: Tue, 30 Apr 2024 16:49:26 +0200
|
||||
Subject: [PATCH 3/6] Fix use of uninitialized variable in
|
||||
_XimEncodeICATTRIBUTE
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In the `res->resource_size == XimType_NEST` code path, if
|
||||
`res->xrm_name != pre_quark` and `res->xrm_name != sts_quark`, `len` can
|
||||
be used uninitialized.
|
||||
|
||||
This error has been found by a static analysis tool. This is the report:
|
||||
|
||||
Error: UNINIT (CWE-457):
|
||||
libX11-1.8.7/modules/im/ximcp/imRmAttr.c:1106: var_decl:
|
||||
Declaring variable "len" without initializer.
|
||||
libX11-1.8.7/modules/im/ximcp/imRmAttr.c:1179: uninit_use:
|
||||
Using uninitialized value "len".
|
||||
# 1177| }
|
||||
# 1178|
|
||||
# 1179|-> if (len == 0) {
|
||||
# 1180| continue;
|
||||
# 1181| } else if (len < 0) {
|
||||
|
||||
Signed-off-by: José Expósito <jexposit@redhat.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
|
||||
---
|
||||
modules/im/ximcp/imRmAttr.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
|
||||
index 709e64ab..c56bd62e 100644
|
||||
--- a/modules/im/ximcp/imRmAttr.c
|
||||
+++ b/modules/im/ximcp/imRmAttr.c
|
||||
@@ -1115,6 +1115,7 @@ _XimEncodeICATTRIBUTE(
|
||||
|
||||
*ret_len = 0;
|
||||
for (p = arg; p && p->name; p++) {
|
||||
+ len = 0;
|
||||
buf_s = (CARD16 *)buf;
|
||||
if (!(res = _XimGetResourceListRec(res_list, res_num, p->name))) {
|
||||
if (_XimSetInnerICAttributes(ic, top, p, mode))
|
||||
--
|
||||
2.45.2
|
||||
|
@ -1,92 +0,0 @@
|
||||
From 1472048b7a02d1b7fc25cfeda761db23fba21eac Mon Sep 17 00:00:00 2001
|
||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
||||
Date: Fri, 7 Jun 2024 09:05:55 +0200
|
||||
Subject: [PATCH 3/3] Make colormap private interfaces thread safe.
|
||||
|
||||
Protect access to the dpy structure by a display lock, so that these can
|
||||
be called outside of a global display lock.
|
||||
|
||||
That allows the XCMS colormap functions to be thread safe without having
|
||||
the whole functions within a display lock, to avoid deadlocks.
|
||||
|
||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||||
See-also: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/215
|
||||
See-also: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/94
|
||||
Reviewed-by: Adam Jackson <ajax@redhat.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/254>
|
||||
---
|
||||
src/xcms/cmsCmap.c | 14 ++++++++++++++
|
||||
1 file changed, 14 insertions(+)
|
||||
|
||||
diff --git a/src/xcms/cmsCmap.c b/src/xcms/cmsCmap.c
|
||||
index c7087ecb..4b229477 100644
|
||||
--- a/src/xcms/cmsCmap.c
|
||||
+++ b/src/xcms/cmsCmap.c
|
||||
@@ -87,12 +87,17 @@ CmapRecForColormap(
|
||||
_XAsyncHandler async;
|
||||
_XAsyncErrorState async_state;
|
||||
|
||||
+ LockDisplay(dpy);
|
||||
for (pRec = (XcmsCmapRec *)dpy->cms.clientCmaps; pRec != NULL;
|
||||
pRec = pRec->pNext) {
|
||||
if (pRec->cmapID == cmap) {
|
||||
+ UnlockDisplay(dpy);
|
||||
+ SyncHandle();
|
||||
return(pRec);
|
||||
}
|
||||
}
|
||||
+ UnlockDisplay(dpy);
|
||||
+ SyncHandle();
|
||||
|
||||
/*
|
||||
* Can't find an XcmsCmapRec associated with cmap in our records.
|
||||
@@ -258,9 +263,12 @@ _XcmsAddCmapRec(
|
||||
pNew->dpy = dpy;
|
||||
pNew->windowID = windowID;
|
||||
pNew->visual = visual;
|
||||
+ LockDisplay(dpy);
|
||||
pNew->pNext = (XcmsCmapRec *)dpy->cms.clientCmaps;
|
||||
dpy->cms.clientCmaps = (XPointer)pNew;
|
||||
dpy->free_funcs->clientCmaps = _XcmsFreeClientCmaps;
|
||||
+ UnlockDisplay(dpy);
|
||||
+ SyncHandle();
|
||||
|
||||
/*
|
||||
* Note, we don't create the XcmsCCC for pNew->ccc here because
|
||||
@@ -342,6 +350,7 @@ _XcmsDeleteCmapRec(
|
||||
}
|
||||
|
||||
/* search for it in the list */
|
||||
+ LockDisplay(dpy);
|
||||
pPrevPtr = (XcmsCmapRec **)&dpy->cms.clientCmaps;
|
||||
while ((pRec = *pPrevPtr) && (pRec->cmapID != cmap)) {
|
||||
pPrevPtr = &pRec->pNext;
|
||||
@@ -354,6 +363,8 @@ _XcmsDeleteCmapRec(
|
||||
*pPrevPtr = pRec->pNext;
|
||||
Xfree(pRec);
|
||||
}
|
||||
+ UnlockDisplay(dpy);
|
||||
+ SyncHandle();
|
||||
}
|
||||
|
||||
|
||||
@@ -378,6 +389,7 @@ _XcmsFreeClientCmaps(
|
||||
{
|
||||
XcmsCmapRec *pRecNext, *pRecFree;
|
||||
|
||||
+ LockDisplay(dpy);
|
||||
pRecNext = (XcmsCmapRec *)dpy->cms.clientCmaps;
|
||||
while (pRecNext != NULL) {
|
||||
pRecFree = pRecNext;
|
||||
@@ -390,6 +402,8 @@ _XcmsFreeClientCmaps(
|
||||
Xfree(pRecFree);
|
||||
}
|
||||
dpy->cms.clientCmaps = (XPointer)NULL;
|
||||
+ UnlockDisplay(dpy);
|
||||
+ SyncHandle();
|
||||
}
|
||||
|
||||
|
||||
--
|
||||
2.45.2
|
||||
|
@ -1,62 +0,0 @@
|
||||
From af1312d2873d2ce49b18708a5029895aed477392 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
|
||||
Date: Tue, 30 Apr 2024 17:37:39 +0200
|
||||
Subject: [PATCH 4/6] XKBMAlloc: Check that needed is >= 0 in
|
||||
XkbResizeKeyActions
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Passing a negative value in `needed` to the `XkbResizeKeyActions()`
|
||||
function can create a `newActs` array of an unespected size.
|
||||
Check the value and return if it is invalid.
|
||||
|
||||
This error has been found by a static analysis tool. This is the report:
|
||||
|
||||
Error: OVERRUN (CWE-119):
|
||||
libX11-1.8.7/src/xkb/XKBMAlloc.c:811: cond_const:
|
||||
Checking "xkb->server->size_acts == 0" implies that
|
||||
"xkb->server->size_acts" is 0 on the true branch.
|
||||
libX11-1.8.7/src/xkb/XKBMAlloc.c:811: buffer_alloc:
|
||||
"calloc" allocates 8 bytes dictated by parameters
|
||||
"(size_t)((xkb->server->size_acts == 0) ? 1 : xkb->server->size_acts)"
|
||||
and "8UL".
|
||||
libX11-1.8.7/src/xkb/XKBMAlloc.c:811: var_assign:
|
||||
Assigning: "newActs" = "calloc((size_t)((xkb->server->size_acts == 0) ? 1 : xkb->server->size_acts), 8UL)".
|
||||
libX11-1.8.7/src/xkb/XKBMAlloc.c:815: assignment:
|
||||
Assigning: "nActs" = "1".
|
||||
libX11-1.8.7/src/xkb/XKBMAlloc.c:829: cond_at_least:
|
||||
Checking "nCopy > 0" implies that "nCopy" is at least 1 on the
|
||||
true branch.
|
||||
libX11-1.8.7/src/xkb/XKBMAlloc.c:830: overrun-buffer-arg:
|
||||
Overrunning buffer pointed to by "&newActs[nActs]" of 8 bytes by
|
||||
passing it to a function which accesses it at byte offset 15
|
||||
using argument "nCopy * 8UL" (which evaluates to 8).
|
||||
# 828|
|
||||
# 829| if (nCopy > 0)
|
||||
# 830|-> memcpy(&newActs[nActs], XkbKeyActionsPtr(xkb, i),
|
||||
# 831| nCopy * sizeof(XkbAction));
|
||||
# 832| if (nCopy < nKeyActs)
|
||||
|
||||
Signed-off-by: José Expósito <jexposit@redhat.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
|
||||
---
|
||||
src/xkb/XKBMAlloc.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/xkb/XKBMAlloc.c b/src/xkb/XKBMAlloc.c
|
||||
index 8b3be303..0563a688 100644
|
||||
--- a/src/xkb/XKBMAlloc.c
|
||||
+++ b/src/xkb/XKBMAlloc.c
|
||||
@@ -795,7 +795,7 @@ XkbResizeKeyActions(XkbDescPtr xkb, int key, int needed)
|
||||
register int i, nActs;
|
||||
XkbAction *newActs;
|
||||
|
||||
- if (needed == 0) {
|
||||
+ if (needed <= 0) {
|
||||
xkb->server->key_acts[key] = 0;
|
||||
return NULL;
|
||||
}
|
||||
--
|
||||
2.45.2
|
||||
|
@ -1,64 +0,0 @@
|
||||
From f67a87dad40141f50f4da35b28a92a974bfdf7e1 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
|
||||
Date: Tue, 30 Apr 2024 18:04:35 +0200
|
||||
Subject: [PATCH 5/6] Fix memory leak in _XimProtoSetIMValues
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This error has been found by a static analysis tool. This is the report:
|
||||
|
||||
Error: RESOURCE_LEAK (CWE-772):
|
||||
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1316: alloc_fn:
|
||||
Storage is returned from allocation function "calloc".
|
||||
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1316: var_assign:
|
||||
Assigning: "tmp" = storage returned from
|
||||
"calloc((size_t)((buf_size + data_len == 0) ? 1 : (buf_size + data_len)), 1UL)".
|
||||
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1319: noescape:
|
||||
Resource "tmp" is not freed or pointed-to in "memcpy".
|
||||
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1320: var_assign:
|
||||
Assigning: "buf" = "tmp".
|
||||
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1302: var_assign:
|
||||
Assigning: "data" = "buf".
|
||||
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1303: noescape:
|
||||
Resource "data" is not freed or pointed-to in
|
||||
"_XimEncodeIMATTRIBUTE".
|
||||
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1333: leaked_storage:
|
||||
Variable "data" going out of scope leaks the storage it points to.
|
||||
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1333: leaked_storage:
|
||||
Variable "buf" going out of scope leaks the storage it points to.
|
||||
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1333: leaked_storage:
|
||||
Variable "tmp" going out of scope leaks the storage it points to.
|
||||
# 1331|
|
||||
# 1332| if (!total)
|
||||
# 1333|-> return (char *)NULL;
|
||||
# 1334|
|
||||
# 1335| buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
|
||||
|
||||
Signed-off-by: José Expósito <jexposit@redhat.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
|
||||
---
|
||||
modules/im/ximcp/imDefIm.c | 7 +++++--
|
||||
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/modules/im/ximcp/imDefIm.c b/modules/im/ximcp/imDefIm.c
|
||||
index a12d2970..e3075398 100644
|
||||
--- a/modules/im/ximcp/imDefIm.c
|
||||
+++ b/modules/im/ximcp/imDefIm.c
|
||||
@@ -1327,8 +1327,11 @@ _XimProtoSetIMValues(
|
||||
}
|
||||
_XimSetCurrentIMValues(im, &im_values);
|
||||
|
||||
- if (!total)
|
||||
- return (char *)NULL;
|
||||
+ if (!total) {
|
||||
+ if (buf != tmp_buf)
|
||||
+ Xfree(buf);
|
||||
+ return (char *)NULL;
|
||||
+ }
|
||||
|
||||
buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
|
||||
buf_s[0] = im->private.proto.imid;
|
||||
--
|
||||
2.45.2
|
||||
|
@ -1,57 +0,0 @@
|
||||
From 97fb5bda3d0777380cd4b964f48771a82ef3f2a7 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
|
||||
Date: Tue, 30 Apr 2024 18:21:08 +0200
|
||||
Subject: [PATCH 6/6] Fix buffer overrun in parse_omit_name
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
When `num_fields == 12`, if the last character of the pattern is '-',
|
||||
the `buf` array is overrun.
|
||||
|
||||
This error has been found by a static analysis tool. This is the report:
|
||||
|
||||
Error: OVERRUN (CWE-119):
|
||||
libX11-1.8.7/modules/om/generic/omGeneric.c:691: cond_at_most:
|
||||
Checking "length > 255" implies that "length" may be up to 255 on
|
||||
the false branch.
|
||||
libX11-1.8.7/modules/om/generic/omGeneric.c:695: alias:
|
||||
Assigning: "last" = "buf + length - 1". "last" may now point to as
|
||||
high as byte 254 of "buf" (which consists of 256 bytes).
|
||||
libX11-1.8.7/modules/om/generic/omGeneric.c:718: ptr_incr:
|
||||
Incrementing "last". "last" may now point to as high as byte 255
|
||||
of "buf" (which consists of 256 bytes).
|
||||
libX11-1.8.7/modules/om/generic/omGeneric.c:720: ptr_incr:
|
||||
Incrementing "last". "last" may now point to as high as byte 256
|
||||
of "buf" (which consists of 256 bytes).
|
||||
libX11-1.8.7/modules/om/generic/omGeneric.c:720: overrun-local:
|
||||
Overrunning array of 256 bytes at byte offset 256 by
|
||||
dereferencing pointer "++last".
|
||||
# 718| *++last = '*';
|
||||
# 719|
|
||||
# 720|-> *++last = '-';
|
||||
# 721| break;
|
||||
# 722| case 13:
|
||||
|
||||
Signed-off-by: José Expósito <jexposit@redhat.com>
|
||||
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
|
||||
---
|
||||
modules/om/generic/omGeneric.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c
|
||||
index 406cec93..370072f3 100644
|
||||
--- a/modules/om/generic/omGeneric.c
|
||||
+++ b/modules/om/generic/omGeneric.c
|
||||
@@ -688,7 +688,7 @@ parse_omit_name(
|
||||
|
||||
length = strlen (pattern);
|
||||
|
||||
- if (length > XLFD_MAX_LEN)
|
||||
+ if (length > XLFD_MAX_LEN - 1)
|
||||
return -1;
|
||||
|
||||
strcpy(buf, pattern);
|
||||
--
|
||||
2.45.2
|
||||
|
@ -1,19 +1,19 @@
|
||||
diff -up libX11-1.6.3/modules/im/ximcp/imDefFlt.c.jx libX11-1.6.3/modules/im/ximcp/imDefFlt.c
|
||||
--- libX11-1.6.3/modules/im/ximcp/imDefFlt.c.jx 2015-03-09 18:28:45.000000000 -0400
|
||||
+++ libX11-1.6.3/modules/im/ximcp/imDefFlt.c 2015-03-10 12:32:31.912149644 -0400
|
||||
@@ -142,7 +142,7 @@ _XimProtoKeypressFilter(
|
||||
@@ -143,7 +143,7 @@ _XimProtoKeypressFilter(
|
||||
{
|
||||
Xim im = (Xim)ic->core.im;
|
||||
|
||||
- if (IS_FABRICATED(im)) {
|
||||
+ if ((ev->keycode == 0) || IS_FABRICATED(im)) {
|
||||
- if (_XimIsFabricatedSerial(im, ev)) {
|
||||
+ if ((ev->keycode == 0) || _XimIsFabricatedSerial(im, ev)) {
|
||||
_XimPendingFilter(ic);
|
||||
UNMARK_FABRICATED(im);
|
||||
_XimUnfabricateSerial(im, ic, ev);
|
||||
return NOTFILTERD;
|
||||
diff -up libX11-1.6.3/modules/im/ximcp/imDefLkup.c.jx libX11-1.6.3/modules/im/ximcp/imDefLkup.c
|
||||
--- libX11-1.6.3/modules/im/ximcp/imDefLkup.c.jx 2015-03-09 18:28:45.000000000 -0400
|
||||
+++ libX11-1.6.3/modules/im/ximcp/imDefLkup.c 2015-03-10 12:32:31.911149637 -0400
|
||||
@@ -332,6 +332,17 @@ _XimForwardEvent(
|
||||
@@ -333,6 +333,17 @@ _XimForwardEvent(
|
||||
XEvent *ev,
|
||||
Bool sync)
|
||||
{
|
||||
@ -31,8 +31,8 @@ diff -up libX11-1.6.3/modules/im/ximcp/imDefLkup.c.jx libX11-1.6.3/modules/im/xi
|
||||
#ifdef EXT_FORWARD
|
||||
if (((ev->type == KeyPress) || (ev->type == KeyRelease)))
|
||||
if (_XimExtForwardKeyEvent(ic, (XKeyEvent *)ev, sync))
|
||||
@@ -604,6 +615,19 @@ _XimUnregCommitInfo(
|
||||
Xfree(info->keysym);
|
||||
@@ -703,6 +714,19 @@ _XimUnregRealCommitInfo(
|
||||
else
|
||||
ic->private.proto.commit_info = info->next;
|
||||
Xfree(info);
|
||||
+
|
||||
|
26
libX11.spec
26
libX11.spec
@ -4,8 +4,8 @@
|
||||
|
||||
Summary: Core X11 protocol client library
|
||||
Name: libX11
|
||||
Version: 1.8.7
|
||||
Release: 8%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
|
||||
Version: 1.8.10
|
||||
Release: 1%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
|
||||
License: MIT AND X11
|
||||
URL: http://www.x.org
|
||||
|
||||
@ -19,22 +19,8 @@ Source0: https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.
|
||||
|
||||
|
||||
Patch02: dont-forward-keycode-0.patch
|
||||
|
||||
# https://issues.redhat.com/browse/RHEL-40132
|
||||
Patch03: 0001-Revert-Fix-XTS-regression-in-XCopyColormapAndFree.patch
|
||||
Patch04: 0002-Revert-Protect-colormap-add-removal-with-display-loc.patch
|
||||
Patch05: 0003-Make-colormap-private-interfaces-thread-safe.patch
|
||||
|
||||
# https://issues.redhat.com/browse/RHEL-34918
|
||||
Patch06: 0001-Fix-use-of-uninitialized-variable-in-_XimTriggerNoti.patch
|
||||
Patch07: 0002-Fix-use-of-uninitialized-variable-in-_XimExtension.patch
|
||||
Patch08: 0003-Fix-use-of-uninitialized-variable-in-_XimEncodeICATT.patch
|
||||
Patch09: 0004-XKBMAlloc-Check-that-needed-is-0-in-XkbResizeKeyActi.patch
|
||||
Patch10: 0005-Fix-memory-leak-in-_XimProtoSetIMValues.patch
|
||||
Patch11: 0006-Fix-buffer-overrun-in-parse_omit_name.patch
|
||||
|
||||
# https://issues.redhat.com/browse/RHEL-45855
|
||||
Patch12: 0001-Fix-deadlock-in-XRebindKeysym.patch
|
||||
# https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/264
|
||||
Patch03: 0001-Close-xcb-connection-after-freeing-display-structure.patch
|
||||
|
||||
BuildRequires: libtool
|
||||
BuildRequires: make
|
||||
@ -139,6 +125,10 @@ make %{?_smp_mflags} check
|
||||
%{_mandir}/man5/*.5*
|
||||
|
||||
%changelog
|
||||
* Thu Dec 05 2024 Olivier Fourdan <ofourdan@redhat.com> - 1.8.10-1
|
||||
- Rebase to 1.8.10
|
||||
Resolves: https://issues.redhat.com/browse/RHEL-70185
|
||||
|
||||
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.8.7-8
|
||||
- Bump release for October 2024 mass rebuild:
|
||||
Resolves: RHEL-64018
|
||||
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (libX11-1.8.7.tar.xz) = d53bfc18f38d339a6a695b09835b2ae96b323881678bfe7ddca697605e3bdf4102ff49cc3078880a6c55b5977fcdd0aadaf5429086132de3a5bda302f79a2fa6
|
||||
SHA512 (libX11-1.8.10.tar.xz) = f801f5b77cbc55074f73dc95b29fff7b5e1b13b99641f6e397788ad9f31a29793ed4e8e5bd373122c790ef90627e8f9d6d5e271051c1767a479a85c55cd82bc1
|
||||
|
Loading…
Reference in New Issue
Block a user