From f9ed5009022f69a1a8b753577315d2bc5953e41b Mon Sep 17 00:00:00 2001 From: Peter Hutterer Date: Fri, 23 Mar 2018 14:43:43 +1000 Subject: [PATCH] Fix FTBS caused by fake size in the XimCacheStruct (#1556616) --- ...le-array-member-instead-of-fake-size.patch | 66 +++++++++++++++++++ libX11.spec | 7 +- 2 files changed, 72 insertions(+), 1 deletion(-) create mode 100644 0001-Use-flexible-array-member-instead-of-fake-size.patch diff --git a/0001-Use-flexible-array-member-instead-of-fake-size.patch b/0001-Use-flexible-array-member-instead-of-fake-size.patch new file mode 100644 index 0000000..1891db9 --- /dev/null +++ b/0001-Use-flexible-array-member-instead-of-fake-size.patch @@ -0,0 +1,66 @@ +From a9dafdd57c71473fa3a2ec4887e973e4e9876d83 Mon Sep 17 00:00:00 2001 +From: Michal Srb +Date: Thu, 15 Mar 2018 09:50:58 +0100 +Subject: [PATCH libX11] Use flexible array member instead of fake size. + +The _XimCacheStruct structure is followed in memory by two strings containing +fname and encoding. The memory was accessed using the last member of the +structure `char fname[1]`. That is a lie, prohibits us from using sizeof and +confuses checkers. Lets declare it properly as a flexible array, so compilers +don't complain about writing past that array. As bonus we can replace the +XOffsetOf with regular sizeof. + +Fixes GCC8 error: + In function 'strcpy', + inlined from '_XimWriteCachedDefaultTree' at imLcIm.c:479:5, + inlined from '_XimCreateDefaultTree' at imLcIm.c:616:2, + inlined from '_XimLocalOpenIM' at imLcIm.c:700:5: + /usr/include/bits/string_fortified.h:90:10: error: '__builtin_strcpy' + forming offset 2 is out of the bounds [0, 1] [-Werror=array-bounds] + return __builtin___strcpy_chk (__dest, __src, __bos (__dest)); + +Caused by this line seemingly writing past the fname[1] array: + imLcIm.c:479: strcpy (m->fname+strlen(name)+1, encoding); + +Reviewed-by: Keith Packard +Signed-off-by: Peter Hutterer +--- + modules/im/ximcp/imLcIm.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/modules/im/ximcp/imLcIm.c b/modules/im/ximcp/imLcIm.c +index c19695df..743df77b 100644 +--- a/modules/im/ximcp/imLcIm.c ++++ b/modules/im/ximcp/imLcIm.c +@@ -82,8 +82,8 @@ struct _XimCacheStruct { + DTCharIndex mbused; + DTCharIndex wcused; + DTCharIndex utf8used; +- char fname[1]; +- /* char encoding[1] */ ++ char fname[]; ++ /* char encoding[] */ + }; + + static struct _XimCacheStruct* _XimCache_mmap = NULL; +@@ -281,7 +281,7 @@ _XimReadCachedDefaultTree( + assert (m->id == XIM_CACHE_MAGIC); + assert (m->version == XIM_CACHE_VERSION); + if (size != m->size || +- size < XOffsetOf (struct _XimCacheStruct, fname) + namelen + encodinglen) { ++ size < sizeof (struct _XimCacheStruct) + namelen + encodinglen) { + fprintf (stderr, "Ignoring broken XimCache %s [%s]\n", name, encoding); + munmap (m, size); + return False; +@@ -442,7 +442,7 @@ _XimWriteCachedDefaultTree( + int fd; + FILE *fp; + struct _XimCacheStruct *m; +- int msize = (XOffsetOf(struct _XimCacheStruct, fname) ++ int msize = (sizeof(struct _XimCacheStruct) + + strlen(name) + strlen(encoding) + 2 + + XIM_CACHE_TREE_ALIGNMENT-1) & -XIM_CACHE_TREE_ALIGNMENT; + DefTreeBase *b = &im->private.local.base; +-- +2.14.3 + diff --git a/libX11.spec b/libX11.spec index 8b38ebc..a1415bb 100644 --- a/libX11.spec +++ b/libX11.spec @@ -5,7 +5,7 @@ Summary: Core X11 protocol client library Name: libX11 Version: 1.6.5 -Release: 6%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist} +Release: 7%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist} License: MIT Group: System Environment/Libraries URL: http://www.x.org @@ -19,6 +19,7 @@ Source0: https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}. %endif Patch2: dont-forward-keycode-0.patch +Patch01: 0001-Use-flexible-array-member-instead-of-fake-size.patch BuildRequires: xorg-x11-util-macros >= 1.11 BuildRequires: pkgconfig(xproto) >= 7.0.15 @@ -60,6 +61,7 @@ libX11/libxcb interoperability library %prep %setup -q -n %{tarball}-%{?gitdate:%{gitdate}}%{!?gitdate:%{version}} %patch2 -p1 -b .dont-forward-keycode-0 +%patch01 -p1 %build autoreconf -v --install --force @@ -124,6 +126,9 @@ make %{?_smp_mflags} check %{_mandir}/man5/*.5* %changelog +* Fri Mar 23 2018 Peter Hutterer 1.6.5-7 +- Fix FTBS caused by fake size in the XimCacheStruct (#1556616) + * Wed Feb 07 2018 Fedora Release Engineering - 1.6.5-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild