1. 26 Jan, 2022 2 commits
  2. 23 Jan, 2022 2 commits
  3. 22 Jan, 2022 2 commits
  4. 19 Jan, 2022 4 commits
  5. 17 Jan, 2022 3 commits
  6. 16 Jan, 2022 1 commit
  7. 14 Jan, 2022 3 commits
  8. 12 Jan, 2022 2 commits
  9. 07 Jan, 2022 1 commit
  10. 10 Dec, 2021 1 commit
  11. 07 Dec, 2021 2 commits
  12. 03 Dec, 2021 4 commits
  13. 01 Dec, 2021 1 commit
  14. 14 Nov, 2021 1 commit
  15. 05 Sep, 2021 1 commit
    • Igor Kovalenko's avatar
      libX11: do not crash in GetResReq() macro · 2356e59f
      Igor Kovalenko authored
      
      
      When _XGetRequest() detects that requested length exceeds remaining display
      output buffer capacity it would return NULL. GetResReq() macro obtains "req"
      pointer from a call to _XGetRequest() and then proceeds to assign request id
      through "req" pointer which leads to NULL pointer dereference in this case.
      
      Fix this by checking if "req" is valid before assigning request id.
      
      Signed-off-by: Igor Kovalenko's avatarIgor V. Kovalenko <igor.v.kovalenko@gmail.com>
      2356e59f
  16. 27 Jul, 2021 1 commit
  17. 16 Jun, 2021 1 commit
    • Alexander Richardson's avatar
      Avoid undefined behaviour after realloc() · d01d2337
      Alexander Richardson authored
      Adding the offset between the realloc result and the old allocation to
      update pointers into the new allocation is undefined behaviour: the
      old pointers are no longer valid after realloc() according to the C
      standard. While this works on almost all architectures and compilers,
      it causes  problems on architectures that track pointer bounds (e.g.
      CHERI or Arm's Morello): the value_list pointers will still have the
      bounds of the previous allocation and therefore any dereference will
      result in a run-time trap.
      
      I found this due to a crash (dereferencing an invalid capability) while
      trying to run `xev` over SSH on a CHERI-RISC-V system. With these two
      realloc changes, and xorg/proto/xorgproto!41
      
      
      I am able to succesfully run `xev` compiled for CHERI-RISC-V.
      
      Signed-off-by: Alexander Richardson's avatarAlex Richardson <Alexander.Richardson@cl.cam.ac.uk>
      d01d2337
  18. 15 Jun, 2021 1 commit
  19. 12 Jun, 2021 1 commit
  20. 05 Jun, 2021 1 commit
  21. 31 May, 2021 1 commit
    • Tobias Stoeckmann's avatar
      Protect against overly long strings · 51b73ac0
      Tobias Stoeckmann authored
      
      
      Checking against upper limit of USHRT_MAX must happen before truncating
      size_t to int. On 64 bit systems with strings larger than 2 GB this
      could otherwise lead to negative ints or ints smaller than USHRT_MAX.
      
      In XParseColor this could lead to out of boundary access with strings
      starting with a # (color sequence). A modulo 12 operation is performed
      to validate the string length, but with an overflown length, the for
      loop would eventually read behind terminating '\0' character.
      
      Signed-off-by: Tobias Stoeckmann's avatarTobias Stoeckmann <tobias@stoeckmann.org>
      51b73ac0
  22. 30 May, 2021 1 commit
  23. 22 May, 2021 1 commit
  24. 18 May, 2021 2 commits