
10 changed files with 840 additions and 116 deletions

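--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libX11-1.7.0.tar.bz2
+SOURCES/libX11-1.6.8.tar.bz2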


@ -1 +1 @@
48fd27a11572a7d3c1014368e1dc9f40a7b23e7d SOURCES/libX11-1.7.0.tar.bz2 f1ea96fe472a981d378b4f2eec90dcd063f9a407 SOURCES/libX11-1.6.8.tar.bz2


@ -0,0 +1,166 @@
From 8c92ef59890c6d6e2be456658d3b9c145eda8629 Mon Sep 17 00:00:00 2001
From: Keith Packard <keithp@keithp.com>
Date: Sat, 7 Nov 2020 22:22:47 -0800
Subject: [PATCH libX11] Avoid recursing through _XError due to sequence
adjustment
This patch is based on research done by Dmitry Osipenko to uncover the
cause of a large class of Xlib lockups.
_XError must unlock and re-lock the display around the call to the
user error handler function. When re-locking the display, two
functions are called to ensure that the display is ready to generate a request:
_XIDHandler(dpy);
_XSeqSyncFunction(dpy);
The first ensures that there is at least one XID available to use
(possibly calling _xcb_generate_id to do so). The second makes sure a
reply is received at least every 65535 requests to keep sequence
numbers in sync (possibly generating a GetInputFocus request and
synchronously awaiting the reply).
If the second of these does generate a GetInputFocus request and wait
for the reply, then a pending error will cause recursion into _XError,
which deadlocks the display.
One seemingly easy fix is to have _XError avoid those calls by
invoking InternalLockDisplay instead of LockDisplay. That function
does everything that LockDisplay does *except* call those final two
functions which may end up receiving an error.
However, that doesn't protect the system from applications which call
some legal Xlib function from within their error handler. Any Xlib
function which cannot generate protocol or wait for events is valid,
including many which invoke LockDisplay.
What we need to do is make LockDisplay skip these two function calls
precisely when it is called from within the _XError context for the
same display.
This patch accomplishes this by creating a list of threads in the
display which are in _XError, and then having LockDisplay check the
current thread against those list elements.
Inspired-by: Dmitry Osipenko <digetx@gmail.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Tested-by: Dmitry Osipenko <digetx@gmail.com>
Reviewed-by: Dmitry Osipenko <digetx@gmail.com>
(cherry picked from commit 30ccef3a48029bf4fc31d4abda2d2778d0ad6277)
---
include/X11/Xlibint.h | 2 ++
src/OpenDis.c | 1 +
src/XlibInt.c | 10 ++++++++++
src/locking.c | 12 ++++++++++++
src/locking.h | 12 ++++++++++++
5 files changed, 37 insertions(+)
diff --git a/include/X11/Xlibint.h b/include/X11/Xlibint.h
index 6b95bcf7..09078e3f 100644
--- a/include/X11/Xlibint.h
+++ b/include/X11/Xlibint.h
@@ -202,6 +202,8 @@ struct _XDisplay
unsigned long last_request_read_upper32bit;
unsigned long request_upper32bit;
#endif
+
+ struct _XErrorThreadInfo *error_threads;
};
#define XAllocIDs(dpy,ids,n) (*(dpy)->idlist_alloc)(dpy,ids,n)
diff --git a/src/OpenDis.c b/src/OpenDis.c
index 82723578..85901168 100644
--- a/src/OpenDis.c
+++ b/src/OpenDis.c
@@ -201,6 +201,7 @@ XOpenDisplay (
X_DPY_SET_LAST_REQUEST_READ(dpy, 0);
dpy->default_screen = iscreen; /* Value returned by ConnectDisplay */
dpy->last_req = (char *)&_dummy_request;
+ dpy->error_threads = NULL;
/* Initialize the display lock */
if (InitDisplayLock(dpy) != 0) {
diff --git a/src/XlibInt.c b/src/XlibInt.c
index 4e45e62b..8771b791 100644
--- a/src/XlibInt.c
+++ b/src/XlibInt.c
@@ -1482,6 +1482,11 @@ int _XError (
if (_XErrorFunction != NULL) {
int rtn_val;
#ifdef XTHREADS
+ struct _XErrorThreadInfo thread_info = {
+ .error_thread = xthread_self(),
+ .next = dpy->error_threads
+ }, **prev;
+ dpy->error_threads = &thread_info;
if (dpy->lock)
(*dpy->lock->user_lock_display)(dpy);
UnlockDisplay(dpy);
@@ -1491,6 +1496,11 @@ int _XError (
LockDisplay(dpy);
if (dpy->lock)
(*dpy->lock->user_unlock_display)(dpy);
+
+ /* unlink thread_info from the list */
+ for (prev = &dpy->error_threads; *prev != &thread_info; prev = &(*prev)->next)
+ ;
+ *prev = thread_info.next;
#endif
return rtn_val;
} else {
diff --git a/src/locking.c b/src/locking.c
index 9f4fe067..bcadc857 100644
--- a/src/locking.c
+++ b/src/locking.c
@@ -453,6 +453,9 @@ static void _XLockDisplay(
XTHREADS_FILE_LINE_ARGS
)
{
+#ifdef XTHREADS
+ struct _XErrorThreadInfo *ti;
+#endif
#ifdef XTHREADS_WARN
_XLockDisplayWarn(dpy, file, line);
#else
@@ -460,6 +463,15 @@ static void _XLockDisplay(
#endif
if (dpy->lock->locking_level > 0)
_XDisplayLockWait(dpy);
+#ifdef XTHREADS
+ /*
+ * Skip the two function calls below which may generate requests
+ * when LockDisplay is called from within _XError.
+ */
+ for (ti = dpy->error_threads; ti; ti = ti->next)
+ if (ti->error_thread == xthread_self())
+ return;
+#endif
_XIDHandler(dpy);
_XSeqSyncFunction(dpy);
}
diff --git a/src/locking.h b/src/locking.h
index 5251a60c..59fc866e 100644
--- a/src/locking.h
+++ b/src/locking.h
@@ -149,6 +149,18 @@ typedef struct _LockInfoRec {
xmutex_t lock;
} LockInfoRec;
+/* A list of threads currently invoking error handlers on this display
+ * LockDisplay operates differently for these threads, avoiding
+ * generating any requests or reading any events as that can cause
+ * recursion into the error handling code, which will deadlock the
+ * thread.
+ */
+struct _XErrorThreadInfo
+{
+ struct _XErrorThreadInfo *next;
+ xthread_t error_thread;
+};
+
/* XOpenDis.c */
extern int (*_XInitDisplayLock_fn)(Display *dpy);
extern void (*_XFreeDisplayLock_fn)(Display *dpy);
--
2.43.0
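Review bot: The thread check added to _XLockDisplay, `if (ti->error_thread == xthread_self())`, compares xthread_t values with `==`; under POSIX threads that type is pthread_t, which is only portably compared through pthread_equal(), and X11/Xthreads.h wraps that as xthread_equal(). Suggest `if (xthread_equal(ti->error_thread, xthread_self()))` and hoisting the xthread_self() call out of the loop, since it does not change between iterations. The unlink loop in _XError, `for (prev = &dpy->error_threads; *prev != &thread_info; prev = &(*prev)->next)`, has no NULL stop and relies on thread_info having been pushed unconditionally a few lines earlier; a one-line comment stating that invariant would save the next reader from hunting for a missing check. Both _XLockDisplay and _XError begin outside the quoted hunks.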


@ -0,0 +1,64 @@
From a515545065ce6e1924de4bc50aaae7ec9b48cfad Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Wed, 11 Dec 2019 11:53:11 -0500
Subject: [PATCH libX11] Fix XTS regression in XCopyColormapAndFree
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
XCopyColormapAndFree/5 threw an assertion:
520|4 5 00014017 1 2|Assertion XCopyColormapAndFree-5.(A)
520|4 5 00014017 1 3|When a colourmap argument does not name a valid colourmap,
520|4 5 00014017 1 4|then a BadColor error occurs.
520|4 5 00014017 1 5|METH: Create a bad colourmap by creating and freeing a colourmap.
520|4 5 00014017 1 6|METH: Call test function using bad colourmap as the colourmap argument.
520|4 5 00014017 1 7|METH: Verify that a BadColor error occurs.
520|4 5 00014017 1 8|unexpected signal 6 (SIGABRT) received
220|4 5 2 15:05:53|UNRESOLVED
410|4 5 1 15:05:53|IC End
510|4|system 0: Abandoning testset: caught unexpected signal 11 (SIGSEGV)
More specifically:
lt-XCopyColormapAndFree: xcb_io.c:533: _XAllocID: Assertion `ret != inval_id' failed.
This bug was introduced (by following my advice, d'oh) in:
commit 99a2cf1aa0b58391078d5d3edf0a7dab18c7745d
Author: Tapani Pälli <tapani.palli@intel.com>
Date: Mon May 13 08:29:49 2019 +0300
Protect colormap add/removal with display lock
In that patch we moved the call to _XcmsCopyCmapRecAndFree inside the
display lock. The problem is said routine has side effects, including
trying to implicitly create a colormap in some cases. Since we don't run
the XID handler until SyncHandle() we would see inconsistent internal
xlib state, triggering the above assert.
Fix this by dropping and re-taking the display lock before calling into
XCMS.
---
src/CopyCmap.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/CopyCmap.c b/src/CopyCmap.c
index b4954b01..b37aba73 100644
--- a/src/CopyCmap.c
+++ b/src/CopyCmap.c
@@ -53,6 +53,11 @@ Colormap XCopyColormapAndFree(
mid = req->mid = XAllocID(dpy);
req->srcCmap = src_cmap;
+ /* re-lock the display to keep XID handling in sync */
+ UnlockDisplay(dpy);
+ SyncHandle();
+ LockDisplay(dpy);
+
#if XCMS
_XcmsCopyCmapRecAndFree(dpy, src_cmap, mid);
#endif
--
2.23.0
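Review bot: After the inserted `UnlockDisplay(dpy); SyncHandle(); LockDisplay(dpy);` the `req` pointer obtained from GetReq a few lines earlier must not be dereferenced again, because SyncHandle() may flush the request buffer, and the new comment does not say so. Suggest `/* Drop and re-take the lock so the XID handler runs before XCMS allocates; req is dead past this line, mid already holds the allocated ID */`. Whether any later line of XCopyColormapAndFree still touches `req` cannot be seen here, as the rest of the function lies outside the hunk.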


@ -0,0 +1,37 @@
From 2c67fab8415a1d32395de87f056bc5f3b37fedb0 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Thu, 13 Aug 2020 18:02:58 +0200
Subject: [PATCH] Fix an integer overflow in init_om()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2020-14363
This can lead to a double free later, as reported by Jayden Rivers.
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
(cherry picked from commit acdaaadcb3d85c61fd43669fc5dddf0f8c3f911d)
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
---
modules/om/generic/omGeneric.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c
index 22f826ec..bcfb9ab8 100644
--- a/modules/om/generic/omGeneric.c
+++ b/modules/om/generic/omGeneric.c
@@ -1908,7 +1908,8 @@ init_om(
char **required_list;
XOrientation *orientation;
char **value, buf[BUFSIZ], *bufptr;
- int count = 0, num = 0, length = 0;
+ int count = 0, num = 0;
+ unsigned int length = 0;
_XlcGetResource(lcd, "XLC_FONTSET", "on_demand_loading", &value, &count);
if (count > 0 && _XlcCompareISOLatin1(*value, "True") == 0)
--
2.28.0
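Review bot: The widened `unsigned int length = 0;` carries the whole fix, but nothing at the declaration says why it must stay unsigned, so a later tidy-up that folds it back into the `int count = 0, num = 0;` line would silently reintroduce the overflow. Suggest `unsigned int length = 0; /* must be unsigned: signed overflow here led to a double free (CVE-2020-14363) */`. The code that accumulates length and the allocation it sizes are outside the hunk, so whether the comparisons there are also unsigned cannot be confirmed from this view.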


@ -0,0 +1,63 @@
From 77f8517710a724fa1f29de8ad806692782f962bd Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Wed, 29 Jan 2020 09:06:54 +0000
Subject: [PATCH libX11] Fix poll_for_response race condition
In poll_for_response is it possible that event replies are skipped
and a more up to date message reply is returned.
This will cause next poll_for_event call to fail aborting the program.
This was proved using some slow ssh tunnel or using some program
to slow down server replies (I used a combination of xtrace and strace).
How the race happens:
- program enters into poll_for_response;
- poll_for_event is called but the server didn't still send the reply;
- pending_requests is not NULL because we send a request (see call
to append_pending_request in _XSend);
- xcb_poll_for_reply64 is called from poll_for_response;
- xcb_poll_for_reply64 will read from server, at this point
server reply with an event (say sequence N) and the reply to our
last request (say sequence N+1);
- xcb_poll_for_reply64 returns the reply for the request we asked;
- last_request_read is set to N+1 sequence in poll_for_response;
- poll_for_response returns the response to the request;
- poll_for_event is called (for instance from another poll_for_response);
- event with sequence N is retrieved;
- the N sequence is widen, however, as the "new" number computed from
last_request_read is less than N the number is widened to N + 2^32
(assuming last_request_read is still contained in 32 bit);
- poll_for_event enters the nested if statement as req is NULL;
- we compare the widen N (which now does not fit into 32 bit) with
request (which fits into 32 bit) hitting the throw_thread_fail_assert.
I propose to change the widen to not go too far from the wide number
instead of supposing the result is always bigger than the wide number
passed.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
---
src/xcb_io.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/xcb_io.c b/src/xcb_io.c
index 6a12d150..2aacbda3 100644
--- a/src/xcb_io.c
+++ b/src/xcb_io.c
@@ -201,12 +201,10 @@ static int handle_error(Display *dpy, xError *err, Bool in_XReply)
}
/* Widen a 32-bit sequence number into a 64bit (uint64_t) sequence number.
- * Treating the comparison as a 1 and shifting it avoids a conditional branch.
*/
static void widen(uint64_t *wide, unsigned int narrow)
{
- uint64_t new = (*wide & ~((uint64_t)0xFFFFFFFFUL)) | narrow;
- *wide = new + (((uint64_t)(new < *wide)) << 32);
+ *wide += (int32_t) (narrow - *wide);
}
/* Thread-safety rules:
--
2.23.0
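Review bot: The rewritten body `*wide += (int32_t) (narrow - *wide);` converts an out-of-range uint64_t to int32_t, which C11 leaves implementation-defined (it wraps on the compilers libX11 targets, but the standard does not promise it), and the hunk removes the one sentence that explained the algorithm without replacing it. Suggest restoring a comment above widen(): `/* Move *wide to the 64-bit value nearest to it whose low 32 bits equal narrow; the signed 32-bit delta lets the sequence step backwards when an older event is read after a newer reply. The uint64_t -> int32_t truncation is implementation-defined but wraps on all supported compilers. */`. The handle_error hunk header is only context; the function itself is outside the hunk.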


@ -0,0 +1,40 @@
From 623b77d4f30b47258a40f89262e5aa5d25e95fa7 Mon Sep 17 00:00:00 2001
From: Benno Schulenberg <bensberg@telfort.nl>
Date: Mon, 14 Feb 2022 11:33:25 +0100
Subject: [PATCH] imDefLkup: verify that a pointer isn't NULL before using it
It is possible for _XimICOfXICID() to return NULL, so it is necessary
to check this isn't actually the case before dereferencing the pointer.
All other callers of _XimICOfXICID() do this check too.
(The check itself is ugly, but it follows the style of the code in the
rest of the module.)
Fixes issue #45.
Reported-by: Bhavi Dhingra
Original-patch-by: Bhavi Dhingra
Signed-off-by: Benno Schulenberg <bensberg@telfort.nl>
---
modules/im/ximcp/imDefLkup.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/im/ximcp/imDefLkup.c b/modules/im/ximcp/imDefLkup.c
index dea7f66d..dd1adf53 100644
--- a/modules/im/ximcp/imDefLkup.c
+++ b/modules/im/ximcp/imDefLkup.c
@@ -88,7 +88,8 @@ _XimSetEventMaskCallback(
if (imid == im->private.proto.imid) {
if (icid) {
- ic = _XimICOfXICID(im, icid);
+ if (!(ic = _XimICOfXICID(im, icid)))
+ return False;
_XimProcICSetEventMask(ic, (XPointer)&buf_s[2]);
} else {
_XimProcIMSetEventMask(im, (XPointer)&buf_s[2]);
--
2.46.0
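Review bot: The new guard `if (!(ic = _XimICOfXICID(im, icid))) return False;` gives the reader no hint why NULL is possible here, and the assignment-in-condition form that the commit message itself calls ugly makes the early return easy to misread. A short comment such as `/* _XimICOfXICID() may return NULL; bail out rather than dereference it */` above the check would make the intent clear without departing from the module's style. Whether `False` is the right result when the IM matched but the IC is unknown depends on how the caller of _XimSetEventMaskCallback interprets the return value, which is outside the hunk.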


@ -1,43 +0,0 @@
From e92efc63acd7b377faa9e534f4bf52aaa86be2a9 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Tue, 27 Jul 2021 11:46:19 +1000
Subject: [PATCH libX11] makekeys: handle the new _EVDEVK xorgproto symbols
These keys are all defined through a macro in the form:
#define XF86XK_BrightnessAuto _EVDEVK(0x0F4)
The _EVDEVK macro is simply an offset of 0x10081000.
Let's parse these lines correctly so those keysyms end up in our
hashtables.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
---
src/util/makekeys.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/util/makekeys.c b/src/util/makekeys.c
index e847ef4c..4896cc53 100644
--- a/src/util/makekeys.c
+++ b/src/util/makekeys.c
@@ -78,6 +78,18 @@ parse_line(const char *buf, char *key, KeySym *val, char *prefix)
return 1;
}
+ /* See if we can parse one of the _EVDEVK symbols */
+ i = sscanf(buf, "#define %127s _EVDEVK(0x%lx)", key, val);
+ if (i == 2 && (tmp = strstr(key, "XK_"))) {
+ memcpy(prefix, key, (size_t)(tmp - key));
+ prefix[tmp - key] = '\0';
+ tmp += 3;
+ memmove(key, tmp, strlen(tmp) + 1);
+
+ *val += 0x10081000;
+ return 1;
+ }
+
/* Now try to catch alias (XK_foo XK_bar) definitions, and resolve them
* immediately: if the target is in the form XF86XK_foo, we need to
* canonicalise this to XF86foo before we do the lookup. */
--
2.31.1


@ -0,0 +1,411 @@
From 2714e4478c1262c94de6295cce605c14572968d3 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@herrb.eu>
Date: Fri, 19 Feb 2021 15:30:39 +0100
Subject: [PATCH libX11] Reject string longer than USHRT_MAX before sending
them on the wire
The X protocol uses CARD16 values to represent the length so
this would overflow.
CVE-2021-31535
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
[mustard: backported 10 1.6.8 by merging the warning fixes from
upstream commimt 84427130 first - ajax]
---
src/Font.c | 10 ++++++----
src/FontInfo.c | 5 ++++-
src/FontNames.c | 5 ++++-
src/GetColor.c | 6 +++++-
src/LoadFont.c | 6 +++++-
src/LookupCol.c | 6 ++++--
src/ParseCol.c | 7 +++++--
src/QuExt.c | 7 ++++++-
src/SetFPath.c | 12 +++++++++---
src/SetHints.c | 9 ++++++++-
src/StNColor.c | 5 ++++-
src/StName.c | 11 ++++++++---
12 files changed, 68 insertions(+), 21 deletions(-)
diff --git a/src/Font.c b/src/Font.c
index 09d2ae91..1cd89cca 100644
--- a/src/Font.c
+++ b/src/Font.c
@@ -102,12 +102,14 @@ XFontStruct *XLoadQueryFont(
XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy);
#endif
+ if (strlen(name) >= USHRT_MAX)
+ return NULL;
if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0))
return font_result;
LockDisplay(dpy);
GetReq(OpenFont, req);
seq = dpy->request; /* Can't use extended sequence number here */
- nbytes = req->nbytes = name ? strlen(name) : 0;
+ nbytes = req->nbytes = (CARD16) (name ? strlen(name) : 0);
req->fid = fid = XAllocID(dpy);
req->length += (nbytes+3)>>2;
Data (dpy, name, nbytes);
@@ -662,8 +664,8 @@ int _XF86LoadQueryLocaleFont(
if (!name)
return 0;
- l = strlen(name);
- if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-')
+ l = (int) strlen(name);
+ if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX)
return 0;
charset = NULL;
/* next three lines stolen from _XkbGetCharset() */
@@ -679,7 +681,7 @@ int _XF86LoadQueryLocaleFont(
return 0;
if (_XlcNCompareISOLatin1(name + l - 2 - (p - charset), charset, p - charset))
return 0;
- if (strlen(p + 1) + l - 1 >= sizeof(buf) - 1)
+ if (strlen(p + 1) + (size_t) l - 1 >= sizeof(buf) - 1)
return 0;
strcpy(buf, name);
strcpy(buf + l - 1, p + 1);
diff --git a/src/FontInfo.c b/src/FontInfo.c
index f870e431..6644b3fa 100644
--- a/src/FontInfo.c
+++ b/src/FontInfo.c
@@ -58,10 +58,13 @@ XFontStruct **info) /* RETURN */
register xListFontsReq *req;
int j;
+ if (strlen(pattern) >= USHRT_MAX)
+ return NULL;
+
LockDisplay(dpy);
GetReq(ListFontsWithInfo, req);
req->maxNames = maxNames;
- nbytes = req->nbytes = pattern ? strlen (pattern) : 0;
+ nbytes = req->nbytes = pattern ? (CARD16) strlen (pattern) : 0;
req->length += (nbytes + 3) >> 2;
_XSend (dpy, pattern, nbytes);
/* use _XSend instead of Data, since subsequent _XReply will flush buffer */
diff --git a/src/FontNames.c b/src/FontNames.c
index b78792d6..458d80c9 100644
--- a/src/FontNames.c
+++ b/src/FontNames.c
@@ -51,10 +51,13 @@ int *actualCount) /* RETURN */
register xListFontsReq *req;
unsigned long rlen = 0;
+ if (strlen(pattern) >= USHRT_MAX)
+ return NULL;
+
LockDisplay(dpy);
GetReq(ListFonts, req);
req->maxNames = maxNames;
- nbytes = req->nbytes = pattern ? strlen (pattern) : 0;
+ nbytes = req->nbytes = pattern ? (CARD16) strlen (pattern) : 0;
req->length += (nbytes + 3) >> 2;
_XSend (dpy, pattern, nbytes);
/* use _XSend instead of Data, since following _XReply will flush buffer */
diff --git a/src/GetColor.c b/src/GetColor.c
index cd0eb9f6..c8178067 100644
--- a/src/GetColor.c
+++ b/src/GetColor.c
@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include <stdio.h>
#include "Xlibint.h"
#include "Xcmsint.h"
@@ -48,6 +49,9 @@ XColor *exact_def) /* RETURN */
XcmsColor cmsColor_exact;
Status ret;
+ if (strlen(colorname) >= USHRT_MAX)
+ return (0);
+
#ifdef XCMS
/*
* Let's Attempt to use Xcms and i18n approach to Parse Color
@@ -83,7 +87,7 @@ XColor *exact_def) /* RETURN */
GetReq(AllocNamedColor, req);
req->cmap = cmap;
- nbytes = req->nbytes = strlen(colorname);
+ nbytes = req->nbytes = (CARD16) strlen(colorname);
req->length += (nbytes + 3) >> 2; /* round up to mult of 4 */
_XSend(dpy, colorname, nbytes);
diff --git a/src/LoadFont.c b/src/LoadFont.c
index f547976b..3996436f 100644
--- a/src/LoadFont.c
+++ b/src/LoadFont.c
@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include "Xlibint.h"
Font
@@ -38,12 +39,15 @@ XLoadFont (
Font fid;
register xOpenFontReq *req;
+ if (strlen(name) >= USHRT_MAX)
+ return (0);
+
if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid))
return fid;
LockDisplay(dpy);
GetReq(OpenFont, req);
- nbytes = req->nbytes = name ? strlen(name) : 0;
+ nbytes = req->nbytes = name ? (CARD16) strlen(name) : 0;
req->fid = fid = XAllocID(dpy);
req->length += (nbytes+3)>>2;
Data (dpy, name, nbytes);
diff --git a/src/LookupCol.c b/src/LookupCol.c
index f7f969f5..cd9b1368 100644
--- a/src/LookupCol.c
+++ b/src/LookupCol.c
@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include <stdio.h>
#include "Xlibint.h"
#include "Xcmsint.h"
@@ -46,6 +47,9 @@ XLookupColor (
XcmsCCC ccc;
XcmsColor cmsColor_exact;
+ n = (int) strlen (spec);
+ if (n >= USHRT_MAX)
+ return 0;
#ifdef XCMS
/*
* Let's Attempt to use Xcms and i18n approach to Parse Color
@@ -77,8 +81,6 @@ XLookupColor (
* Xcms and i18n methods failed, so lets pass it to the server
* for parsing.
*/
-
- n = strlen (spec);
LockDisplay(dpy);
GetReq (LookupColor, req);
req->cmap = cmap;
diff --git a/src/ParseCol.c b/src/ParseCol.c
index e997b1b8..7a84a17b 100644
--- a/src/ParseCol.c
+++ b/src/ParseCol.c
@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include <stdio.h>
#include "Xlibint.h"
#include "Xcmsint.h"
@@ -46,7 +47,9 @@ XParseColor (
XcmsColor cmsColor;
if (!spec) return(0);
- n = strlen (spec);
+ n = (int) strlen (spec);
+ if (n >= USHRT_MAX)
+ return(0);
if (*spec == '#') {
/*
* RGB
@@ -119,7 +122,7 @@ XParseColor (
LockDisplay(dpy);
GetReq (LookupColor, req);
req->cmap = cmap;
- req->nbytes = n = strlen(spec);
+ req->nbytes = (CARD16) (n = (int) strlen(spec));
req->length += (n + 3) >> 2;
Data (dpy, spec, (long)n);
if (!_XReply (dpy, (xReply *) &reply, 0, xTrue)) {
diff --git a/src/QuExt.c b/src/QuExt.c
index 4e230e77..4cb99fcf 100644
--- a/src/QuExt.c
+++ b/src/QuExt.c
@@ -27,6 +27,8 @@ in this Software without prior written authorization from The Open Group.
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
+#include <stdbool.h>
#include "Xlibint.h"
Bool
@@ -40,9 +42,12 @@ XQueryExtension(
xQueryExtensionReply rep;
register xQueryExtensionReq *req;
+ if (strlen(name) >= USHRT_MAX)
+ return false;
+
LockDisplay(dpy);
GetReq(QueryExtension, req);
- req->nbytes = name ? strlen(name) : 0;
+ req->nbytes = name ? (CARD16) strlen(name) : 0;
req->length += (req->nbytes+(unsigned)3)>>2;
_XSend(dpy, name, (long)req->nbytes);
(void) _XReply (dpy, (xReply *)&rep, 0, xTrue);
diff --git a/src/SetFPath.c b/src/SetFPath.c
index 60aaef01..13fce49e 100644
--- a/src/SetFPath.c
+++ b/src/SetFPath.c
@@ -26,6 +26,7 @@ in this Software without prior written authorization from The Open Group.
#ifdef HAVE_CONFIG_H
#include <config.h>
+#include <limits.h>
#endif
#include "Xlibint.h"
@@ -48,7 +49,12 @@ XSetFontPath (
GetReq (SetFontPath, req);
req->nFonts = ndirs;
for (i = 0; i < ndirs; i++) {
- n += safestrlen (directories[i]) + 1;
+ n = (int) ((size_t) n + (safestrlen (directories[i]) + 1));
+ if (n >= USHRT_MAX) {
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return 0;
+ }
}
nbytes = (n + 3) & ~3;
req->length += nbytes >> 2;
@@ -59,9 +65,9 @@ XSetFontPath (
char *tmp = p;
for (i = 0; i < ndirs; i++) {
- register int length = safestrlen (directories[i]);
+ register int length = (int) safestrlen (directories[i]);
*p = length;
- memcpy (p + 1, directories[i], length);
+ memcpy (p + 1, directories[i], (size_t)length);
p += length + 1;
}
Data (dpy, tmp, nbytes);
diff --git a/src/SetHints.c b/src/SetHints.c
index bc46498a..61cb0684 100644
--- a/src/SetHints.c
+++ b/src/SetHints.c
@@ -49,6 +49,7 @@ SOFTWARE.
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include <X11/Xlibint.h>
#include <X11/Xutil.h>
#include "Xatomtype.h"
@@ -214,6 +215,8 @@ XSetCommand (
register char *buf, *bp;
for (i = 0, nbytes = 0; i < argc; i++) {
nbytes += safestrlen(argv[i]) + 1;
+ if (nbytes >= USHRT_MAX)
+ return 1;
}
if ((bp = buf = Xmalloc(nbytes))) {
/* copy arguments into single buffer */
@@ -256,11 +259,13 @@ XSetStandardProperties (
if (name != NULL) XStoreName (dpy, w, name);
+ if (safestrlen(icon_string) >= USHRT_MAX)
+ return 1;
if (icon_string != NULL) {
XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
PropModeReplace,
(_Xconst unsigned char *)icon_string,
- safestrlen(icon_string));
+ (int)safestrlen(icon_string));
}
if (icon_pixmap != None) {
@@ -298,6 +303,8 @@ XSetClassHint(
len_nm = safestrlen(classhint->res_name);
len_cl = safestrlen(classhint->res_class);
+ if (len_nm + len_cl >= USHRT_MAX)
+ return 1;
if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) {
if (len_nm) {
strcpy(s, classhint->res_name);
diff --git a/src/StNColor.c b/src/StNColor.c
index 8b821c3e..16dc9cbc 100644
--- a/src/StNColor.c
+++ b/src/StNColor.c
@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include <stdio.h>
#include "Xlibint.h"
#include "Xcmsint.h"
@@ -46,6 +47,8 @@ int flags) /* DoRed, DoGreen, DoBlue */
XcmsColor cmsColor_exact;
XColor scr_def;
+ if (strlen(name) >= USHRT_MAX)
+ return 0;
#ifdef XCMS
/*
* Let's Attempt to use Xcms approach to Parse Color
@@ -76,7 +79,7 @@ int flags) /* DoRed, DoGreen, DoBlue */
req->cmap = cmap;
req->flags = flags;
req->pixel = pixel;
- req->nbytes = nbytes = strlen(name);
+ req->nbytes = (CARD16) (nbytes = (unsigned) strlen(name));
req->length += (nbytes + 3) >> 2; /* round up to multiple of 4 */
Data(dpy, name, (long)nbytes);
UnlockDisplay(dpy);
diff --git a/src/StName.c b/src/StName.c
index b4048bff..04bb3aa6 100644
--- a/src/StName.c
+++ b/src/StName.c
@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include <X11/Xlibint.h>
#include <X11/Xatom.h>
@@ -36,9 +37,11 @@ XStoreName (
Window w,
_Xconst char *name)
{
- return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING,
+ if (strlen(name) >= USHRT_MAX)
+ return 0;
+ return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /* */
8, PropModeReplace, (_Xconst unsigned char *)name,
- name ? strlen(name) : 0);
+ name ? (int) strlen(name) : 0);
}
int
@@ -47,7 +50,9 @@ XSetIconName (
Window w,
_Xconst char *icon_name)
{
+ if (strlen(icon_name) >= USHRT_MAX)
+ return 0;
return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
PropModeReplace, (_Xconst unsigned char *)icon_name,
- icon_name ? strlen(icon_name) : 0);
+ icon_name ? (int) strlen(icon_name) : 0);
}
--
2.30.1
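Review bot: In XLoadQueryFont (Font.c), XLoadFont, XQueryExtension, XStoreName and XSetIconName the new length guard calls `strlen(name)` unconditionally while the line it protects still reads `name ? strlen(name) : 0`, so a NULL name that these functions previously tolerated now dereferences NULL before reaching the existing guard; the same applies to `pattern` in FontInfo.c and FontNames.c. Make the guard NULL-safe, e.g. `if (name && strlen(name) >= USHRT_MAX) return NULL;`, or use the NULL-tolerant safestrlen() as the SetHints.c hunks already do. Separately, in SetFPath.c the `#include <limits.h>` lands inside the `#ifdef HAVE_CONFIG_H` block, so USHRT_MAX is undeclared in a build without config.h; it belongs below the `#endif`, as in every other file in this patch. In XSetFontPath the new overflow exit unlocks and calls SyncHandle() correctly, but since GetReq and `req->nFonts = ndirs` have already run, the early return appears to leave a SetFontPath request in the buffer whose body is never written, which deserves either a comment or moving the length check ahead of GetReq.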


@ -4,9 +4,10 @@
Summary: Core X11 protocol client library Summary: Core X11 protocol client library
Name: libX11 Name: libX11
Version: 1.7.0 Version: 1.6.8
Release: 9%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist} Release: 9%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
License: MIT License: MIT
Group: System Environment/Libraries
URL: http://www.x.org URL: http://www.x.org
%if 0%{?gitdate} %if 0%{?gitdate}
@ -18,22 +19,32 @@ Source0: https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.
%endif %endif
Patch2: dont-forward-keycode-0.patch Patch2: dont-forward-keycode-0.patch
Patch3: 0001-makekeys-handle-the-new-_EVDEVK-xorgproto-symbols.patch Patch3: 0001-Fix-XTS-regression-in-XCopyColormapAndFree.patch
Patch4: 0001-Fix-poll_for_response-race-condition.patch
# CVE-2020-14363
Patch5: 0001-Fix-an-integer-overflow-in-init_om.patch
Patch6: CVE-2021-31535.patch
# CVE-2023-3138 # CVE-2023-3138
Patch4: 0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch Patch7: 0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
# CVE-2023-43785 # CVE-2023-43785
Patch5: 0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch Patch8: 0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch
# CVE-2023-43786 # CVE-2023-43786
Patch6: 0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch Patch9: 0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch
Patch7: 0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch Patch10: 0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch
Patch8: 0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch Patch11: 0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch
# CVE-2023-43787 # CVE-2023-43787
Patch9: 0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch Patch12: 0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch
# RHEL-23452
Patch13: 0001-Avoid-recursing-through-_XError-due-to-sequence-adju.patch
# https://issues.redhat.com/browse/RHEL-58444
Patch14: 0001-imDefLkup-verify-that-a-pointer-isn-t-NULL-before-us.patch
BuildRequires: make
BuildRequires: xorg-x11-util-macros >= 1.11 BuildRequires: xorg-x11-util-macros >= 1.11
BuildRequires: pkgconfig(xproto) >= 7.0.15 BuildRequires: pkgconfig(xproto) >= 7.0.15
BuildRequires: xorg-x11-xtrans-devel >= 1.0.3-4 BuildRequires: xorg-x11-xtrans-devel >= 1.0.3-4
@ -48,6 +59,7 @@ Core X11 protocol client library.
%package common %package common
Summary: Common data for libX11 Summary: Common data for libX11
Group: System Environment/Libraries
BuildArch: noarch BuildArch: noarch
%description common %description common
@ -55,6 +67,7 @@ libX11 common data
%package devel %package devel
Summary: Development files for %{name} Summary: Development files for %{name}
Group: Development/Libraries
Requires: %{name} = %{version}-%{release} Requires: %{name} = %{version}-%{release}
Requires: %{name}-xcb = %{version}-%{release} Requires: %{name}-xcb = %{version}-%{release}
@ -63,13 +76,27 @@ X.Org X11 libX11 development package
%package xcb %package xcb
Summary: XCB interop for libX11 Summary: XCB interop for libX11
Group: System Environment/Libraries
Conflicts: %{name} < %{version}-%{release} Conflicts: %{name} < %{version}-%{release}
%description xcb %description xcb
libX11/libxcb interoperability library libX11/libxcb interoperability library
%prep %prep
%autosetup -p1 -n %{tarball}-%{?gitdate:%{gitdate}}%{!?gitdate:%{version}} %setup -q -n %{tarball}-%{?gitdate:%{gitdate}}%{!?gitdate:%{version}}
%patch2 -p1 -b .dont-forward-keycode-0
%patch3 -p1 -b .copycolormapandfree
%patch4 -p1 -b .race
%patch5 -p1 -b .fix-an-integer-overflow-in-init_om
%patch6 -p1 -b .cve-2021-31535
%patch7 -p1 -b .cve-2023-3138
%patch8 -p1 -b .cve-2023-43785
%patch9 -p1 -b .cve-2023-43786
%patch10 -p1 -b .xputimage-clip-images-to-maximum-height-width-allowe
%patch11 -p1 -b .xcreatepixmap-trigger-badvalue-error-for-out-of-rang
%patch12 -p1 -b .cve-2023-43787
%patch13 -p1 -b .rhel-23452
%patch14 -p1 -b .rhel-58444
%build %build
autoreconf -v --install --force autoreconf -v --install --force
@ -100,7 +127,7 @@ make %{?_smp_mflags} check
%files %files
%{_libdir}/libX11.so.6 %{_libdir}/libX11.so.6
%{_libdir}/libX11.so.6.4.0 %{_libdir}/libX11.so.6.3.0
%files xcb %files xcb
%{_libdir}/libX11-xcb.so.1 %{_libdir}/libX11-xcb.so.1
@ -126,7 +153,6 @@ make %{?_smp_mflags} check
%{_includedir}/X11/Xresource.h %{_includedir}/X11/Xresource.h
%{_includedir}/X11/Xutil.h %{_includedir}/X11/Xutil.h
%{_includedir}/X11/cursorfont.h %{_includedir}/X11/cursorfont.h
%{_includedir}/X11/extensions/XKBgeom.h
%{_libdir}/libX11.so %{_libdir}/libX11.so
%{_libdir}/libX11-xcb.so %{_libdir}/libX11-xcb.so
%{_libdir}/pkgconfig/x11.pc %{_libdir}/pkgconfig/x11.pc
@ -135,79 +161,39 @@ make %{?_smp_mflags} check
%{_mandir}/man5/*.5* %{_mandir}/man5/*.5*
%changelog %changelog
* Wed Oct 11 2023 José Expósito <jexposit@redhat.com> - 1.7.0-9 * Fri Sep 13 2024 José Expósito <jexposit@redhat.com> - 1.6.8-9
- Backport NULL check to avoid a crash
Resolves: https://issues.redhat.com/browse/RHEL-58444
* Tue Jan 30 2024 Olivier Fourdan <ofourdan@redhat.com> - 1.6.8-8
- Backport fix for Xlib lockups due to recursive XError (RHEL-23452)
* Wed Oct 11 2023 José Expósito <jexposit@redhat.com> - 1.6.8-7
- Fix CVE-2023-43785: out-of-bounds memory access in _XkbReadKeySyms() - Fix CVE-2023-43785: out-of-bounds memory access in _XkbReadKeySyms()
- Fix CVE-2023-43786: stack exhaustion from infinite recursion in - Fix CVE-2023-43786: stack exhaustion from infinite recursion in
PutSubImage() PutSubImage()
- Fix CVE-2023-43787: integer overflow in XCreateImage() leading to - Fix CVE-2023-43787: integer overflow in XCreateImage() leading to
a heap overflow a heap overflow
* Wed Jul 05 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.7.0-8 * Wed Jul 05 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.6.8-6
- CVE fix for: CVE-2023-3138 - CVE fix for: CVE-2023-3138
Resolve: rhbz#2213763 Resolve: rhbz#2213762
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.7.0-7 * Thu Aug 12 2021 Adam Jackson <ajax@redhat.com> - 1.6.8-5
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Fix CVE-2021-31535 (#1962439)
Related: rhbz#1991688
* Tue Aug 03 2021 Peter Hutterer <peter.hutterer@redhat.com> - 1.7.0-6 * Tue Nov 3 2020 Michel Dänzer <mdaenzer@redhat.com> - 1.6.8-4
- Parse the EVDEVK keysyms (#1988944) - Fix CVE-2020-14363 (#1873923)
* Tue May 04 2021 Peter Hutterer <peter.hutterer@redhat.com> 1.7.0-5 * Mon Feb 24 2020 Adam Jackson <ajax@redhat.com> - 1.6.8-3
- Rebuild to pick up the new xorgproto keysyms (#1954345) - Fix race condition in poll_for_reponse
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.7.0-4 * Fri Dec 13 2019 Adam Jackson <ajax@redhat.com> - 1.6.8-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 - Fix assertion on error in XCopyColormapAndFree
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.0-3 * Tue Nov 19 2019 Adam Jackson <ajax@redhat.com> - 1.6.8-1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Dec 01 2020 Peter Hutterer <peter.hutterer@redhat.com> 1.7.0-2
- libX11 1.7.0 (with the tarball this time)
* Tue Dec 01 2020 Peter Hutterer <peter.hutterer@redhat.com> 1.7.0-1
- libX11 1.7.0
- switch to using the autosetup rpm macro
* Mon Nov 09 2020 Peter Hutterer <peter.hutterer@redhat.com> 1.6.12-3
- Fix a race-condition in poll_for_response (#1758384)
* Thu Nov 5 11:12:56 AEST 2020 Peter Hutterer <peter.hutterer@redhat.com> - 1.6.12-2
- Add BuildRequires for make
* Wed Aug 26 2020 Peter Hutterer <peter.hutterer@redhat.com> 1.6.12-1
- libX11 1.6.12 (CVE-2020-14363, CVE 2020-14344)
* Fri Jul 31 2020 Adam Jackson <ajax@redhat.com> - 1.6.9-5
- Fix server reply validation issue in XIM (CVE 2020-14344)
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.9-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.9-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Dec 11 2019 Peter Hutterer <peter.hutterer@redhat.com> 1.6.9-2
- handle ssharp in XConvertCase
* Wed Oct 09 2019 Adam Jackson <ajax@redhat.com> - 1.6.9-1
- libX11 1.6.9
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Jun 20 2019 Peter Hutterer <peter.hutterer@redhat.com> 1.6.8-2
- rebuild to pick up the new xorgproto keysyms
* Thu Jun 20 2019 Peter Hutterer <peter.hutterer@redhat.com> 1.6.8-1
- libX11 1.6.8 - libX11 1.6.8
* Thu Mar 21 2019 Adam Jackson <ajax@redhat.com> - 1.6.7-3
- Rebuild for xtrans 1.4.0
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Tue Oct 09 2018 Adam Jackson <ajax@redhat.com> - 1.6.7-1 * Tue Oct 09 2018 Adam Jackson <ajax@redhat.com> - 1.6.7-1
- libX11 1.6.7 - libX11 1.6.7