- 08 Dec, 2018 8 commits
-
-
Alan Coopersmith authored
Signed-off-by:
Alan Coopersmith <alan.coopersmith@oracle.com>
-
Alan Coopersmith authored
Signed-off-by:
Alan Coopersmith <alan.coopersmith@oracle.com>
-
Alan Coopersmith authored
Makes resizing & clearing more consistent and gets rid of some weird quirks like always subtracting 1 from the size passed to _XkbClearElems so it could always add 1 to the size passed in. Signed-off-by:
Alan Coopersmith <alan.coopersmith@oracle.com>
-
Alan Coopersmith authored
Signed-off-by:
Alan Coopersmith <alan.coopersmith@oracle.com>
-
Alan Coopersmith authored
Signed-off-by:
Alan Coopersmith <alan.coopersmith@oracle.com>
-
Alan Coopersmith authored
Signed-off-by:
Alan Coopersmith <alan.coopersmith@oracle.com>
-
Alan Coopersmith authored
-
Alan Coopersmith authored
Wrapper for realloc() that checks for overflow when multiplying arguments together, so we don't have to add overflow checks to every single call. For documentation on usage, see: http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man3/calloc.3Signed-off-by:
Alan Coopersmith <alan.coopersmith@oracle.com>
-
- 20 Nov, 2018 1 commit
-
-
Alan Coopersmith authored
Signed-off-by:
Alan Coopersmith <alan.coopersmith@oracle.com>
-
- 12 Nov, 2018 2 commits
-
-
Albert Astals Cid authored
With this patch xev properly reports XLookupString gives 2 bytes: (c2 b4) "´" for the dead_acute key when using the Asturian locale
-
Albert Astals Cid authored
With this patch one can properly type dead keys like á when using the Asturian locale
-
- 10 Nov, 2018 1 commit
-
-
Alan Coopersmith authored
Signed-off-by:
Alan Coopersmith <alan.coopersmith@oracle.com>
-
- 09 Oct, 2018 1 commit
-
-
Matt Turner authored
Signed-off-by:
Matt Turner <mattst88@gmail.com>
-
- 28 Sep, 2018 1 commit
-
-
Michel Dänzer authored
It avoids reading from the display connection again in cases where that was already done. Suggested-by:
Uli Schlachter <psychon@znc.in> Reviewed-by:
Uli Schlachter <psychon@znc.in>
-
- 25 Sep, 2018 1 commit
-
-
Michel Dänzer authored
If xcb_poll_for_reply fails to find a reply, poll_for_response would always return NULL. However, xcb_poll_for_reply may have read events from the display connection while looking for a reply. In that case, returning NULL from poll_for_response is wrong and can result in the client hanging, e.g. because it returns to waiting for the display connection file descriptor becoming readable after XPending incorrectly returned 0 pending events. The solution is to call poll_for_event again after xcb_poll_for_reply returned 0. This will return the first of any events read by xcb_poll_for_reply. Fixes issue #79. Reported-by:
Yuxuan Shui <yshuiv7@gmail.com> Bugzilla: https://bugs.freedesktop.org/108008 Bugzilla: https://bugs.freedesktop.org/107992Reviewed-by:
Adam Jackson <ajax@redhat.com>
-
- 22 Sep, 2018 1 commit
-
-
Bhavi Dhingra authored
Fixes #44 aka https://bugs.freedesktop.org/show_bug.cgi?id=92154Reviewed-by:
Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by:
Alan Coopersmith <alan.coopersmith@oracle.com>
-
- 21 Aug, 2018 5 commits
-
-
Matthieu Herrb authored
Signed-off-by:
Matthieu Herrb <matthieu@herrb.eu>
-
Matthieu Herrb authored
Signed-off-by:
Matthieu Herrb <matthieu@herrb.eu>
-
Tobias Stoeckmann authored
If the server sends a reply in which even the first string would overflow the transmitted bytes, list[0] (or flist[0]) will be set to NULL and a count of 0 is returned. If the resulting list is freed with XFreeExtensionList or XFreeFontPath later on, the first Xfree call: Xfree (list[0]-1) turns into Xfree (NULL-1) which will most likely trigger a segmentation fault. I have modified the code to return NULL if the first string would overflow, thus protecting the freeing functions later on. Signed-off-by:
Tobias Stoeckmann <tobias@stoeckmann.org>
-
Tobias Stoeckmann authored
The length value is interpreted as signed char on many systems (depending on default signedness of char), which can lead to an out of boundary write up to 128 bytes in front of the allocated storage, but limited to NUL byte(s). Casting the length value to unsigned char fixes the problem and allows string values with up to 255 characters. Signed-off-by:
Tobias Stoeckmann <tobias@stoeckmann.org>
-
Tobias Stoeckmann authored
The functions XGetFontPath, XListExtensions, and XListFonts are vulnerable to an off-by-one override on malicious server responses. The server replies consist of chunks consisting of a length byte followed by actual string, which is not NUL-terminated. While parsing the response, the length byte is overridden with '\0', thus the memory area can be used as storage of C strings later on. To be able to NUL-terminate the last string, the buffer is reserved with an additional byte of space. For a boundary check, the variable chend (end of ch) was introduced, pointing at the end of the buffer which ch initially points to. Unfortunately there is a difference in handling "the end of ch". While chend points at the first byte that must not be written to, the for-loop uses chend as the last byte that can be written to. Therefore, an off-by-one can occur. I have refactored the code so chend actually points to the last byte that can be written to without an out of boundary access. As it is not possible to achieve "ch + length < chend" and "ch + length + 1 > chend" with the corrected chend meaning, I removed the inner if-check. Signed-off-by:
Tobias Stoeckmann <tobias@stoeckmann.org>
-
- 17 Jul, 2018 1 commit
-
-
Tobias Stoeckmann authored
If a server sends an incorrect length in its response, a client is prone to perform an out of boundary read while processing the data. The length field of xHostEntry is used to specify the amount of bytes used to represent the address. It is 16 bit, which means that it is not possible to perform an arbitrary memory access, but it might be enough to read sensitive information, e.g. malloc-related pointers and offsets. Signed-off-by:
Tobias Stoeckmann <tobias@stoeckmann.org> Reviewed-by:
Matthieu Herrb <matthieu@herrb.eu>
-
- 13 Jun, 2018 1 commit
-
-
Samuel Thibault authored
XkbOpenDisplay returns a pointer to Display, not a Display. Signed-off-by:
Samuel Thibault <samuel.thibault@ens-lyon.org>
-
- 14 May, 2018 1 commit
-
-
Martin Natano authored
ks_tables.h is always considered out of date due to the forced rebuild of the makekeys util. This means the file is also rebuilt during 'make install', which is usually performed as root, which can to lead permission problems later on. Signed-off-by:
Martin Natano <natano@natano.net> Signed-off-by:
Alan Coopersmith <alan.coopersmith@oracle.com>
-
- 05 May, 2018 1 commit
-
-
Alan Coopersmith authored
Needs to match one of the regexps shown under https://gcc.gnu.org/onlinedocs/gcc-7.3.0/gcc/Warning-Options.html#index-Wimplicit-fallthroughSigned-off-by:
Alan Coopersmith <alan.coopersmith@oracle.com>
-
- 30 Mar, 2018 1 commit
-
-
Alan Coopersmith authored
These variables store values returned from strlen() as a size_t and are passed to Xmalloc, which expects a size_t, so lets stop converting back and forth to int along the way. Reported by: Konstantin SKliarov Signed-off-by:
Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by:
Matthieu Herrb <matthieu@herrb.eu>
-
- 24 Mar, 2018 1 commit
-
-
Bhavi Dhingra authored
https://bugs.freedesktop.org/show_bug.cgi?id=96814Reviewed-by:
Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by:
Alan Coopersmith <alan.coopersmith@oracle.com>
-
- 23 Mar, 2018 1 commit
-
-
Michal Srb authored
The _XimCacheStruct structure is followed in memory by two strings containing fname and encoding. The memory was accessed using the last member of the structure `char fname[1]`. That is a lie, prohibits us from using sizeof and confuses checkers. Lets declare it properly as a flexible array, so compilers don't complain about writing past that array. As bonus we can replace the XOffsetOf with regular sizeof. Fixes GCC8 error: In function 'strcpy', inlined from '_XimWriteCachedDefaultTree' at imLcIm.c:479:5, inlined from '_XimCreateDefaultTree' at imLcIm.c:616:2, inlined from '_XimLocalOpenIM' at imLcIm.c:700:5: /usr/include/bits/string_fortified.h:90:10: error: '__builtin_strcpy' forming offset 2 is out of the bounds [0, 1] [-Werror=array-bounds] return __builtin___strcpy_chk (__dest, __src, __bos (__dest)); Caused by this line seemingly writing past the fname[1] array: imLcIm.c:479: strcpy (m->fname+strlen(name)+1, encoding); Reviewed-by:
Keith Packard <keithp@keithp.com> Signed-off-by:
Peter Hutterer <peter.hutterer@who-t.net>
-
- 07 Mar, 2018 1 commit
-
-
Alan Coopersmith authored
Reported by gcc 7.3: GetImage.c:110:25: warning: potential null pointer dereference [-Wnull-dereference] if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 || ~~~~~^~~~~~~~ Introduced by 8ea762f9 in Xlib 1.6.4 Signed-off-by:
Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by:
Emil Velikov <emil.velikov@collabora.com>
-
- 03 Sep, 2017 1 commit
-
-
Walter Harms authored
-
- 20 Aug, 2017 5 commits
-
-
Walter Harms authored
-
Walter Harms authored
-
Walter Harms authored
Fixes: warning: variable 'req' set but not used [-Wunused-but-set-variable] by marking req _X_UNUSED Solution was discussed on xorg-devel ML Peter Hutter, Alan Coopersmith Re: [PATCH libX11 3/5] fix: warning: pointer targets in passing argument 2 of '_XSend' differ in signedness [-Wpointer-sign] Signed-off-by: harms wharms@bfs.de
-
Walter Harms authored
mark _XDefaultIOError as no_return. No one comes back from exit() ... Signed-off-by: harms wharms@bfs.de
-
Walter Harms authored
You can save a bit of code. The is no need to check XFree arguments bring free_fontdataOM in line with other free function and check for NULL arg Signed-off-by: harms wharms@bfs.de
-
- 14 Aug, 2017 5 commits
-
-
Walter Harms authored
free all mem on error Signed-off-by:
walter harms <wharms@bfs.de>
-
Walter Harms authored
V2: remove unneeded NULL (reported by eric.engestrom@imgtec.com) fix mem leak in error path Signed-off-by:
walter harms <wharms@bfs.de>
-
Walter Harms authored
simplify code Signed-off-by:
walter harms <wharms@bfs.de>
-
Walter Harms authored
remove stray extern Signed-off-by:
walter harms <wharms@bfs.de>
-
Walter Harms authored
simplify code by removing unneeded checks Signed-off-by:
walter harms <wharms@bfs.de>
-