- 18 Feb, 2015 4 commits
-
-
Olivier Fourdan authored
Ensure that the given strings length in an XkbSetGeometry request remain within the limits of the size of the request. v3: backport to nx-libs 3.6.x because this is the CVE-2015-0255 fix (Mike DePaulo) Signed-off-by:
Olivier Fourdan <ofourdan@redhat.com> Reviewed-by:
Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by:
Julien Cristau <jcristau@debian.org>
-
Olivier Fourdan authored
The XkbSetGeometry request embeds data which needs to be swapped when the server and the client have different endianess. _XkbSetGeometry() invokes functions that swap these data directly in the input buffer. However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once (if there is more than one keyboard), thus causing on swapped clients the same data to be swapped twice in memory, further causing a server crash because the strings lengths on the second time are way off bounds. To allow _XkbSetGeometry() to run reliably more than once with swapped clients, do not swap the data in the buffer, use variables instead. v3: backport to nx-libs 3.6.x as a prereq for the CVE-2015-0255 fix (Mike DePaulo) Signed-off-by:
-
Peter Hutterer authored
This patch adds the following three functions: bits_to_bytes(bits) - the number of bytes needed to hold 'bits' bytes_to_int32(bytes) - the number of 4-byte units to hold 'bytes' pad_to_int32(bytes) - the closest multiple of 4 equal to or larger than 'bytes'. All three operations are common in protocol processing and currently the server has ((foo + 7)/8 + 3)/4 operations all over the place. A common set of functions reduce the error rate of these (albeit simple) calculations and improve readability of the code. The functions do not check for overflow. v2: backport to nx-libs 3.6.x as a prereq for the CVE-2015-0255 fix (Mike DePaulo) Signed-off-by: -
Daniel Stone authored
v2: backport to nx-libs 3.6.x as a prereq for the CVE-2015-0255 fix (Mike DePaulo)
-
- 17 Feb, 2015 2 commits
-
-
Mike Gabriel authored
Make nxagent aware of its NX'ish version string (and number).
-
Mike Gabriel authored
This feature copies the way how X.Org version string and number are propagated at build time. First use case: if people start nxagent, it reports its version number on stderr. This is about being human-friendly. Second use case: None, so far. But it will now be easy to use the NXAGENT_VERSION_STRING in later feature add-ons.
-
- 16 Feb, 2015 18 commits
-
-
Mike Gabriel authored
-
Joerg Sonnenberger authored
It ensures that all valid input can be decompressed, checks that the overflow conditions doesn't happen and generally tightens the validation of the LZW stream and doesn't pessimize the inner loop for no good reason. It's derived from a change in libarchive from 2004. v2: backports to nx-libs 3.6.x (Mihai Moldovan) v3: fix comment lines starting with "+" + whitespace fixes (Mike Gabriel) Signed-off-by:
Matthieu Herrb <matthieu.herrb@laas.fr> Reviewed-by:
Tomas Hoger <thoger@redhat.com>
-
Mike Gabriel authored
This reverts commit 6acafc93.
-
Mike Gabriel authored
-
Mike Gabriel authored
-
Mike Gabriel authored
Makefile.nx-libs: Fix uninstall-lite rule. The nxproxy and nxcomp uninstallation has to be in uninstall-lite, not in uninstall-full.
-
Mike Gabriel authored
-
Mike Gabriel authored
-
Mike Gabriel authored
-
Mike DePaulo authored
Conflicts (resolved by Mike Gabriel): debian/changelog
-
Joerg Sonnenberger authored
It ensures that all valid input can be decompressed, checks that the overflow conditions doesn't happen and generally tightens the validation of the LZW stream and doesn't pessimize the inner loop for no good reason. It's derived from a change in libarchive from 2004. v2: backports to nx-libs 3.6.x (Mihai Moldovan) Signed-off-by:
-
Mihai Moldovan authored
-
Alan Coopersmith authored
GetHosts() iterates over all the hosts it has in memory, and copies them to a buffer. The buffer length is calculated by iterating over all the hosts and adding up all of their combined length. There is a potential integer overflow, if there are lots and lots of hosts (with a combined length of > ~4 gig). This should be possible by repeatedly calling ProcChangeHosts() on 64bit machines with enough memory. This patch caps the list at 1mb, because multi-megabyte hostname lists for X access control are insane. v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: human-readable version of "1 MB" (Mihai Moldovan) Reported-by:
Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by:
Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by:
-
Mihai Moldovan authored
This reverts commit d4c76981.
-
Mike DePaulo authored
CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d The connection setup reply from the font server can include a list of alternate servers to contact if this font server stops working. The reply specifies a total size of all the font server names, and then provides a list of names. _fs_recv_conn_setup() allocated the specified total size for copying the names to, but didn't check to make sure it wasn't copying more data to that buffer than the size it had allocated. v2: use xfree() instead of free() for nx-libs 3.6.x (Mihai Moldovan)
-
Mihai Moldovan authored
Revert "CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d" This reverts commit 94c6de06.
-
Mike DePaulo authored
CVE-2014-0210: unvalidated length fields in fs_read_query_info() from xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f fs_read_query_info() parses a reply from the font server. The reply contains embedded length fields, none of which are validated. This can cause out of bound reads in either fs_read_query_info() or in _fs_convert_props() which it calls to parse the fsPropInfo in the reply. v2: apply correctly on nx-libs 3.6.x (Mihai Moldovan)
-
Mihai Moldovan authored
Revert "CVE-2014-0210: unvalidated length fields in fs_read_query_info() from xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f" This reverts commit c6aebf92.
-
- 14 Feb, 2015 16 commits
-
-
Adam Jackson authored
v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau) v3: RHEL5 backport v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by:
Michal Srb <msrb@suse.com> Reviewed-by:
Andy Ritger <aritger@nvidia.com> Signed-off-by:
Adam Jackson <ajax@redhat.com> Signed-off-by:
Fedora X Ninjas <x@fedoraproject.org> Signed-off-by:
Dave Airlie <airlied@redhat.com>
-
Adam Jackson authored
This is a half-measure until we start passing request length into the varsize function, but it's better than the nothing we had before. v2: Verify that there's at least a large render header's worth of dataBytes (Julien Cristau) v3: backport to RHEL5 v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by:
-
Adam Jackson authored
v2: Fix single versus vendor-private length checking for ARB_imaging subset extensions. (Julien Cristau) v3: Fix single versus vendor-private length checking for ARB_imaging subset extensions. (Julien Cristau) v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by:
-
Adam Jackson authored
v2: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by:
Keith Packard <keithp@keithp.com> Reviewed-by:
-
Adam Jackson authored
v2: Fix constants in __glXMap2fReqSize (Michal Srb) Validate w/h/d for proxy targets too (Keith Packard) v3: Fix Map[12]Size to correctly reject order == 0 (Julien Cristau) v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by:
-
Julien Cristau authored
v2: Remove can't-happen comparison for cmdlen < 0 (Michal Srb) v3: backport to RHEL5 hit old paths v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by:
-
Adam Jackson authored
These are paranoid about integer overflow, and will return -1 if their operation would overflow a (signed) integer or if either argument is negative. Note that RenderLarge requests are sized with a uint32_t so in principle this could be sketchy there, but dix limits bigreqs to 128M so you shouldn't ever notice, and honestly if you're sending more than 2G of rendering commands you're already doing something very wrong. v2: Use INT_MAX for consistency with the rest of the server (jcristau) v3: Reject negative arguments (anholt) v4: RHEL5: add limits.h, use inline v5: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by:
-
Adam Jackson authored
If the computed reply size is negative, something went wrong, treat it as an error. v2: Be more careful about size_t being unsigned (Matthieu Herrb) v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith) v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by:
-
Adam Jackson authored
Before this we'd just clamp the image size to 0, which was just hideously stupid; if the parameters were such that they'd overflow an integer, you'd allocate a small buffer, then pass huge values into (say) ReadPixels, and now you're scribbling over arbitrary server memory. v2: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by:
-
Adam Jackson authored
If the size computation routine returns -1 we should just reject the request outright. Clamping it to zero could give an attacker the opportunity to also mangle cmdlen in such a way that the subsequent length check passes, and the request would get executed, thus passing data we wanted to reject to the renderer. v3: backport to nx-libs 3.6.x (Mike DePaulo) v2: backport to RHEL5 - fix swap paths Reviewed-by:
-
Alan Coopersmith authored
v2: backport to nx-libs 3.6.x (Mike DePaulo) Signed-off-by:
-
Alan Coopersmith authored
Signed-off-by:
-
Alan Coopersmith authored
v2: backport to nx-libs 3.6.x (Mike DePaulo) Signed-off-by:
-
Julien Cristau authored
Otherwise we may be reading outside of the client request. v2: backport to nx-libs 3.6.x (Mike DePaulo) Signed-off-by:
-
Alan Coopersmith authored
v2: backport to nx-libs 3.6.x (Mike DePaulo) Signed-off-by:
-
Alan Coopersmith authored
v2: backport to nx-libs 3.6.x (Mike DePaulo) Signed-off-by:
-
