- 19 Oct, 2016 40 commits
-
-
Alan Coopersmith authored
Signed-off-by:
Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by:
Matthieu Herrb <matthieu.herrb@laas.fr> Backported-to-NX-by:
Ulrich Sibiller <uli42@gmx.de>
-
Alan Coopersmith authored
Previous code seemed to assume that printf("%s", NULL) would result in a 0-length string, not "(null)" or similar, but since there's no point looking for files in "(null)/filepath...", instead we just skip over NULL entries in search paths when generating file names. In the *DirName() functions, this effectively just moves the "bail on NULL in arg[i]" check up from the later code that assigned it to targetdir and then bailed if that was NULL. Not sure how there ever could be a NULL in arg[i], given the current implementation of XlcParsePath, but it's easy enough to check once and reject up front instead of on every reference. Signed-off-by: -
Alan Coopersmith authored
File Leak: Leaked File fp at line 219 of lib/libX11/nx-X11/lib/X11/XlcDL.c in function 'resolve_object'. fp initialized at line 198 with fopen [ This bug was found by the Parfait 1.2.0 bug checking tool. http://labs.oracle.com/pls/apex/f?p=labs:49:::::P49_PROJECT_ID:13 ] Signed-off-by: -
ISHIKAWA,chiaki authored
Fix bogus timestamp generted by XIM due to uninitialized data field. Also set appropriate serial, too. Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=39367Signed-off-by:
Chiaki ISHIKAWA <ishikawa@yk.rim.or.jp> Signed-off-by:
-
Egbert Eich authored
When synthesized key events are sent on commit XIM sets the 'fabricated' flag so that the keypress handler knows that these were not real events. This also happens when committing due to the loss of focus. However in this case the keypress/release filters which consume and unset this flag are no longer in the filter chain. So the flag is erronously set when a real keyboard event is received after focus has been regained. So the first event is wrongly treated as a fabricated key in the keypress handler which will at the same time reset the flag so the second key event is treated correctly. This fix only sets the flag when at least one of the keyboard filters is in place. How to reproduce this bug: run scim, choose a Japanese input method start two instances of xterm: start typing in one xterm (this should pop up an IM window). Without comitting (hitting 'enter') move focus to the other xterm, then move focus back. Start typing again. The first character will be committed immediately without popping up an input window. With this fix this behavior is gone. See also: https://bugzilla.novell.com/show_bug.cgi?id=239698Signed-off-by:
Egbert Eich <eich@freedesktop.org> Backported-to-NX-by:
-
Alan Coopersmith authored
Signed-off-by:
-
Alan Coopersmith authored
Handle arbitrary length data in the same fashion as other calls, avoiding need to ensure it fits all in the request buffer. Signed-off-by:
-
Kees Cook authored
Two users of GetReqExtra pass arbitrarily sized allocations from the caller (ModMap and Host). Adjust _XGetRequest() (called by the GetReqExtra macro) to double-check the requested length and invalidate "req" when this happens. Users of GetReqExtra passing lengths greater than the Xlib buffer size (normally 16K) must check "req" and fail gracefully instead of crashing. Any callers of GetReqExtra that do not check "req" for NULL will experience this change, in the pathological case, as a NULL dereference instead of a buffer overflow. This is an improvement, but the documentation for GetReqExtra has been updated to reflect the need to check the value of "req" after the call. Bug that manifested the problem: https://bugs.launchpad.net/ubuntu/+source/x11-xserver-utils/+bug/792628Signed-off-by:
Kees Cook <kees@outflux.net> Reviewed-by:
-
Thomas Klausner authored
[For all of these, LONG_MAX was the correct value to prevent overflows for the recent CVEs. Lowering to INT_MAX catches buggy replies from the server that 32-bit clients would reject but 64-bit would accept, so we catch bugs sooner, and really, no sane & working server should ever report more than 2gb of extension names, font path entries, key modifier maps, etc. -alan- ] Reviewed-by:
-
Thomas Klausner authored
clang complained (correctly): warning: comparison of constant 768614336404564650 with expression of type 'CARD32' (aka 'unsigned int') is always true [-Wtautological-constant-out-of-range-compare] [While LONG_MAX is correct, since it's used in size_t math, the numbers have to be limited to 32-bit range to be usable by 32-bit clients, and values beyond that range are far more likely to be bugs in the data from the server than valid numbers of characters in a font. -alan- ] Reviewed-by:
-
Thomas Klausner authored
Reviewed-by:
Jamey Sharp <jamey@minilop.net> Signed-off-by:
-
Thomas Klausner authored
It seems useless to do that since the code tests for both source length and destination to be non-zero. This fixes a cut'n'paste problem in xterm where the paste length was limited to 1024 (BUFSIZ) in button.c. Signed-off-by:
-
Alan Coopersmith authored
Signed-off-by:
-
Ulrich Sibiller authored
-
Ulrich Sibiller authored
This commit looks a bit crazy at first glance. It (re-)introduces lots of whitespaces and bad formatting. Explanation: Backporting upstream changes lead to commits being applied out of order. This meant a lot of manual intervention which in turn lead to slight differences between upstream and NX. With this commit these slight differences are minimized which will be of great help when adding further upstream patches.
-
Alan Coopersmith authored
Better to silence the compiler warning than break ABI. Signed-off-by:
-
Adam Jackson authored
Inspired by a pattern in NoMachine's NX. Consistently zeroed buffers compress better with ssh and friends. Note that you'll need to rebuild all your protocol libraries to take advantage of this. Signed-off-by:
Adam Jackson <ajax@redhat.com> Reviewed-by:
Jeremy Huddleston <jeremyhu@apple.com> Reviewed-by:
-
Erkki Seppälä authored
Using uninitialized value "error.resourceID" in call to function "_XError" Reviewed-by:
Erkki Seppälä <erkki.seppala@vincit.fi> Signed-off-by:
Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by:
-
Alan Coopersmith authored
Called from XrmGetFileDatabase() which gets called from InitDefaults() which gets the filename from getenv ("XENVIRONMENT") If file is exactly 0xffffffff bytes long (or longer and truncates to 0xffffffff, on implementations where off_t is larger than an int), then size may be set to a value which overflows causing less memory to be allocated than is written to by the following read() call. size is left limited to an int, because if your Xresources file is larger than 2gb, you're very definitely doing it wrong. Reported-by:Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by:
-
Erkki Seppälä authored
XFree colormap_ret and initialize it when appropriate. Variable "colormap_ret" goes out of scope Reviewed-by:
-
Samuel Thibault authored
_XimLocalMbLookupString can return a braille keysym even if _Xlcwctomb can't convert to the current MB charset. _XimLocalUtf8LookupString needs to set the braille keysym and status too. Signed-off-by:
Samuel Thibault <samuel.thibault@ens-lyon.org> Backported-to-NX-by:
-
Ulrich Sibiller authored
This reverts commit 8866f80d9f42e02093058cab027edbf127118105. That commit had been edited and was incomplete, by reverting and re-applying we get it right.
-
Alan Coopersmith authored
Signed-off-by:
-
Ulrich Sibiller authored
We have the same commit for XKBGAlloc.c but it was missing here since upstream has dropped OpenDis.c when they switched to XCB. Backported-to-NX-by: -
Ulrich Sibiller authored
-
Thomas Klausner authored
Signed-off-by:
-
Niveditha Rau authored
Fixes builds with Solaris Studio 12.3 when lint is enabled, since it no longer ignores *.h files, but complains when they reference undefined typedefs or macros. Signed-off-by:
Niveditha Rau <Niveditha.Rau@Oracle.COM> Signed-off-by:
-
Alan Coopersmith authored
Fixes small memory leak introduced in commit 5669a22081 Reported-by:
Julien Cristau <jcristau@debian.org> Signed-off-by:
-
Julien Cristau authored
The size of the arrays is max_key_code + 1. This makes these functions consistent with the other checks added for CVE-2013-1997. Also check the XkbGetNames reply when names->keys was just allocated. Signed-off-by:
Colin Walters <walters@verbum.org> Reviewed-by:
-
Ulrich Sibiller authored
This reverts commit b092864a39bbcd4f34c5c26a7cd0df90e235815d. We will use the proper libX11 upstream patches now.
-
Alan Coopersmith authored
Signed-off-by:
-
Alan Coopersmith authored
Signed-off-by:
-
Alan Coopersmith authored
Signed-off-by:
-
Alan Coopersmith authored
While the C standard technically allows for the compiler to translate pointer = 0 or pointer = NULL into something other than filling the pointer address with 0 bytes, the rest of the Xlib code already assumes that calloc initializes any pointers in the struct to NULL, and there are no known systems supported by X.Org where this is not true. Signed-off-by:
-
Alan Coopersmith authored
Signed-off-by:
-
Alan Coopersmith authored
Don't provide a fallback definition #ifdef X_NOT_POSIX anymore. We already use size_t throughout the rest of Xlib, just had this one instance left in XKBGAlloc.c of a fallback definition. Signed-off-by:
-
Alan Coopersmith authored
Leftovers from XKB files that were previously shared between the client and server code, but aren't any more. Signed-off-by:
Peter Hutterer <peter.hutterer@who-t.net> Backported-to-NX-by:
-
Alan Coopersmith authored
You could analyze most of these and quickly recognize that there was no chance of buffer overflow already, but why make everyone spend time doing that when we can just make it obviously safe? Signed-off-by:
-
Alan Coopersmith authored
Makes it easier for readers to understand scope of variable usage, and clears up gcc warning: KeysymStr.c: In function 'XKeysymToString': KeysymStr.c:128:13: warning: declaration of 'i' shadows a previous local [-Wshadow] KeysymStr.c:73:18: warning: shadowed declaration is here [-Wshadow] Signed-off-by:
-
Alan Coopersmith authored
Casts were annoying gcc by dropping constness when changing types, when routines simply either copy data into the request buffer or send it directly to the X server, and never modify the input. Fixes gcc warnings including: ChProp.c: In function 'XChangeProperty': ChProp.c:65:6: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual] ChProp.c:65:6: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual] ChProp.c:74:6: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual] ChProp.c:74:6: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual] ChProp.c:83:6: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual] SetHints.c: In function 'XSetStandardProperties': SetHints.c:262:20: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual] SetPntMap.c: In function 'XSetPointerMapping': SetPntMap.c:46:5: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual] SetPntMap.c:46:5: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual] StBytes.c: In function 'XStoreBuffer': StBytes.c:97:33: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual] StName.c: In function 'XStoreName': StName.c:40:27: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual] StName.c: In function 'XSetIconName': StName.c:51:27: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual] Signed-off-by:
-
