  3. 15 Oct, 2013 4 commits
    • Avoid use-after-free in dix/dixfonts.c: doImageText() [CVE-2013-4396] · 73b2660d
      Alan Coopersmith authored

      Save a pointer to the passed in closure structure before copying it
      and overwriting the *c pointer to point to our copy instead of the
      original.  If we hit an error, once we free(c), reset c to point to
      the original structure before jumping to the cleanup code that
      references *c.
      
      Since one of the errors being checked for is whether the server was
      able to malloc(c->nChars * itemSize), the client can potentially pass
      a number of characters chosen to cause the malloc to fail and the
      error path to be taken, resulting in the read from freed memory.
      
      Since the memory is accessed almost immediately afterwards, and the
      X server is mostly single threaded, the odds of the free memory having
      invalid contents are low with most malloc implementations when not using
      memory debugging features, but some allocators will definitely overwrite
      the memory there, leading to a likely crash.
      Reported-by: Pedro Ribeiro <pedrib@gmail.com>
      Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
      Reviewed-by: Julien Cristau <jcristau@debian.org>
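An added C model of the save-and-restore pattern this commit describes, written for this page and not taken from the xserver's dixfonts.c; the struct fields, the return convention and the alloc_or_fail() hook are assumptions used to make the error path observable in a test:

```c
#include <stdlib.h>

/* Assumed closure layout: nChars is the client-supplied character count. */
typedef struct {
    int   nChars;
    int   itemSize;
    char *data;
} ITclosureRec, *ITclosurePtr;

/* Test hook: the fail_on_call-th allocation returns NULL, standing in for the
 * malloc(c->nChars * itemSize) failure that a client-chosen count can cause. */
static int alloc_calls = 0, fail_on_call = 0;
static void *alloc_or_fail(size_t n)
{
    if (++alloc_calls == fail_on_call)
        return NULL;
    return malloc(n);
}

/* Returns 0 on success, -1 if the copy could not be made, and otherwise the
 * nChars value the shared cleanup read through c (so a test can tell which
 * structure the cleanup actually touched). */
int doImageText(ITclosurePtr c)
{
    ITclosurePtr oc = c;                 /* the fix: keep the caller's original */
    ITclosurePtr new_closure = alloc_or_fail(sizeof(ITclosureRec));
    if (!new_closure)
        return -1;
    *new_closure = *oc;
    c = new_closure;                     /* from here on c is our copy */

    c->data = alloc_or_fail((size_t)c->nChars * (size_t)c->itemSize);
    if (!c->data) {
        free(c);
        c = oc;     /* without this line, 'bail' reads *c after free(c) */
        goto bail;
    }
    /* A real server would now use c->data; the model just releases the copy. */
    free(c->data);
    free(c);
    return 0;
bail:
    return c->nChars;                    /* cleanup code that references *c */
}
```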
    • DMX glxproxy: Don't allocate & copy data just to free it unused · 2704bdb2
      Alan Coopersmith authored

      Two functions in the DMX glxproxy code loop over all the backend
      screens, starting at the highest numbered and counting down to
      the lowest.
      
      Previously, for each screen, the code would allocate a buffer
      large enough to read the reply from the backend, copy that reply
      into the buffer, and then if it wasn't the final screen, free it.
      Only the buffer from the final screen is used, to pass on to the
      client in the reply.
      
      This modifies it to just immediately discard the responses from
      the screens as we loop through it, only doing the allocate & copy
      work for the one buffer we pass back to the client.
      Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
      Reviewed-by: Alex Deucher <aleander.deucher@amd.com>
    • Skip damage calls if DamageCreate fails in exa functions · 6c06c268
      Alan Coopersmith authored
      Fixes parfait errors such as:
         Null pointer dereference (CWE 476): Write to null pointer pDamage
              at line 1833 of miext/damage/damage.c in function 'DamageRegister'.
                Function DamageCreate may return constant 'NULL' at line 1775,
                    called at line 232 of exa/exa_migration_mixed.c
                    in function 'exaPrepareAccessReg_mixed'.
                Constant 'NULL' passed into function DamageRegister,
                    argument pDamage, from call at line 237.
                Null pointer introduced at line 1775 of miext/damage/damage.c
                    in function 'DamageCreate'.
         Null pointer dereference (CWE 476): Write to null pointer pDamage
              at line 1833 of miext/damage/damage.c in function 'DamageRegister'.
                Function DamageCreate may return constant 'NULL' at line 1775,
                    called at line 104 of exa/exa_mixed.c
                    in function 'exaCreatePixmap_mixed'.
                Constant 'NULL' passed into function DamageRegister,
                    argument pDamage, from call at line 109.
                Null pointer introduced at line 1775 of miext/damage/damage.c
                    in function 'DamageCreate'.
      
      Checks are similar to handling results of other calls to DamageCreate.
      
      [ This bug was found by the Parfait 1.3.0 bug checking tool.
        http://labs.oracle.com/pls/apex/f?p=labs:49:::::P49_PROJECT_ID:13 ]
      Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>