Add upstream patch to fix use-after-free that makes clients crash.

This commit is contained in:
Bill Nottingham 2010-08-10 11:15:58 -04:00
parent b2465172d4
commit 926552e6e9
2 changed files with 39 additions and 2 deletions


@ -0,0 +1,33 @@
From 54a963608d23d35cd9233b2223f880ac3671f10b Mon Sep 17 00:00:00 2001
From: Jamey Sharp <jamey@minilop.net>
Date: Fri, 06 Aug 2010 22:51:56 +0000
Subject: Fix use-after-free in _XReply on X errors.
_XReply would always call dequeue_pending_request on errors. When it
got an error for the current request, it would call dequeue, then break
out of the loop; then, if it had an error in the event queue, it would
compare it with the sequence number of the now-freed pending request.
_XReply already stored that sequence number in dpy->last_request_read
before freeing it, so look at that instead.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=29412
Signed-off-by: Jamey Sharp <jamey@minilop.net>
Signed-off-by: Josh Triplett <josh@joshtriplett.org>
(cherry picked from commit 4b8ff7db39f2fe7ef12968d462aaf3f9054b6c18)
---
diff --git a/src/xcb_io.c b/src/xcb_io.c
index dac7622..72881d8 100644
--- a/src/xcb_io.c
+++ b/src/xcb_io.c
@@ -579,7 +579,7 @@ Status _XReply(Display *dpy, xReply *rep, int extra, Bool discard)
xcb_generic_event_t *event = dpy->xcb->next_event;
unsigned long event_sequence = dpy->last_request_read;
widen(&event_sequence, event->full_sequence);
- if(event_sequence == current->sequence)
+ if(event_sequence == dpy->last_request_read)
{
error = (xcb_generic_error_t *) event;
dpy->xcb->next_event = NULL;
--
cgit v0.8.3-6-g21f6
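Review bot: The new comparison `if(event_sequence == dpy->last_request_read)` in the embedded xcb_io.c hunk has no code comment saying why `current->sequence` must not be read at this point; the only explanation is in the patch header. A one-line comment there (the pending request may already have been dequeued and freed on an error) would keep a later cleanup from reintroducing the read of freed memory. Because `event_sequence` is itself seeded from `dpy->last_request_read` before `widen()`, it is also worth checking against the full function, which is not visible in this hunk, that `last_request_read` is updated on every path that reaches this check.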


@ -4,7 +4,7 @@
Summary: Core X11 protocol client library Summary: Core X11 protocol client library
Name: libX11 Name: libX11
Version: 1.3.4 Version: 1.3.4
Release: 2%{?dist} Release: 3%{?dist}
License: MIT License: MIT
Group: System Environment/Libraries Group: System Environment/Libraries
URL: http://www.x.org URL: http://www.x.org
@ -16,7 +16,7 @@ Source0: http://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.t
#Source1: make-git-snapshot.sh #Source1: make-git-snapshot.sh
Patch2: dont-forward-keycode-0.patch Patch2: dont-forward-keycode-0.patch
Patch3: 54a963608d23d35cd9233b2223f880ac3671f10b.patch
BuildRequires: xorg-x11-util-macros BuildRequires: xorg-x11-util-macros
BuildRequires: pkgconfig(xproto) >= 7.0.15 BuildRequires: pkgconfig(xproto) >= 7.0.15
BuildRequires: xorg-x11-xtrans-devel >= 1.0.3-4 BuildRequires: xorg-x11-xtrans-devel >= 1.0.3-4
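Review bot: `Patch3: 54a963608d23d35cd9233b2223f880ac3671f10b.patch` names the patch by a bare commit hash, unlike `Patch2: dont-forward-keycode-0.patch` directly above it. A descriptive file name, or a comment line above Patch3 noting the use-after-free fix and fd.o 29412, would let someone reading the spec see what the patch is for without opening it.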
@ -48,6 +48,7 @@ X.Org X11 libX11 development package
%setup -q %setup -q
#setup -q -n %{tarball}-%{gitdate} #setup -q -n %{tarball}-%{gitdate}
%patch2 -p1 -b .dont-forward-keycode-0 %patch2 -p1 -b .dont-forward-keycode-0
%patch3 -p1
%build %build
# sodding libtool # sodding libtool
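Review bot: `%patch3 -p1` is applied without a `-b` backup suffix, while the line above it uses `%patch2 -p1 -b .dont-forward-keycode-0`. Adding a suffix here would keep the two patch applications consistent and leave a backup of `src/xcb_io.c` in the build tree for comparing against the patched file.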
@ -114,6 +115,9 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man5/*.5* %{_mandir}/man5/*.5*
%changelog %changelog
* Tue Aug 10 2010 Bill Nottingham <notting@redhat.com> - 1.3.4-3
- Merge upstream commit 54a96360, fixes use-after-free (fd.o 29412)
* Mon Jul 19 2010 Matěj Cepl <mcepl@redhat.com> - 1.3.4-2 * Mon Jul 19 2010 Matěj Cepl <mcepl@redhat.com> - 1.3.4-2
- don't own /usr/share/X11, filesystem owns it already (#569395) - don't own /usr/share/X11, filesystem owns it already (#569395)