- 23 Feb, 2019 7 commits
-
-
Alan Coopersmith authored
Fixes: commit bcf7b5aa
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
Alan Coopersmith authored
Fixes: commit 5538b3e4
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
Alan Coopersmith authored
Fixes: xorg/lib/libx11#86 aka: https://bugs.freedesktop.org/show_bug.cgi?id=23550
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
Alan Coopersmith authored
Fixes: #85 aka: https://bugs.freedesktop.org/show_bug.cgi?id=23549
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
Alan Coopersmith authored
Fixes: #84 aka: https://bugs.freedesktop.org/show_bug.cgi?id=23548
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
Alan Coopersmith authored
Fixes: #82 aka: https://bugs.freedesktop.org/show_bug.cgi?id=23520
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
Alan Coopersmith authored
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
- 17 Feb, 2019 1 commit
-
-
Alan Coopersmith authored
Reported-by: Daniel Hahler <git@thequod.de>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
- 16 Jan, 2019 2 commits
-
-
Adam Jackson authored
Currently, when the X server crashes or a client is disconnected with XKillClient, you get a somewhat confusing error message from libX11 along the lines of:

    XIO: fatal IO error 11 (Resource temporarily unavailable) on X server ":0" after 98 requests (40 known processed) with 0 events remaining.

What's happening here is the previous recvmsg has thrown EAGAIN, since the socket is non-blocking. In this case, check whether the socket has any more data to read, and if not treat it like EPIPE.

Signed-off-by: Adam Jackson <ajax@redhat.com>
-
Adam Jackson authored
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
- 01 Jan, 2019 3 commits
-
-
Alan Coopersmith authored
Fixes gitlab issue #49
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
Alan Coopersmith authored
lcCharSet.c:187:50: warning: implicit conversion changes signedness: 'int' to 'unsigned long' [-Wsign-conversion]
    tmp = Xmalloc(name_len + 1 + ct_sequence_len + 1);
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~
../../include/X11/Xlibint.h:453:32: note: expanded from macro 'Xmalloc'
    ~~~~~~ ^~~~
lcCharSet.c:192:31: warning: implicit conversion changes signedness: 'int' to 'unsigned long' [-Wsign-conversion]
    memcpy(tmp, name, name_len+1);
    ~~~~~~ ~~~~~~~~^~
lcCharSet.c:216:45: warning: implicit conversion changes signedness: 'int' to 'unsigned long' [-Wsign-conversion]
    memcpy(tmp, ct_sequence, ct_sequence_len+1);
    ~~~~~~ ~~~~~~~~~~~~~~~^~
lcCharSet.c:183:16: warning: implicit conversion loses integer precision: 'unsigned long' to 'int' [-Wshorten-64-to-32]
    name_len = strlen(name);
    ~ ^~~~~~~~~~~~
lcCharSet.c:184:23: warning: implicit conversion loses integer precision: 'unsigned long' to 'int' [-Wshorten-64-to-32]
    ct_sequence_len = strlen(ct_sequence);
    ~ ^~~~~~~~~~~~~~~~~~~
lcCharSet.c:198:37: warning: implicit conversion loses integer precision: 'long' to 'unsigned int' [-Wshorten-64-to-32]
    unsigned int length = colon - charset->name;
    ~~~~~~ ~~~~~~^~~~~~~~~~~~~~~

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
Alan Coopersmith authored
Fixes gcc warning:

GetAtomNm.c: In function ‘_XGetAtomName’:
GetAtomNm.c:39:11: warning: unused variable ‘name’ [-Wunused-variable]
    char *name;
    ^~~~

Introduced by commit 336c1e7a
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
- 29 Dec, 2018 1 commit
-
-
Alan Coopersmith authored
In-tree builds found reallocarray.h in $(top_builddir)/src but the out-of-tree build didn't find it at all.

Reported-by: Emmanuele Bassi <ebassi@gmail.com> from GNOME continuous integration pipeline
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
- 08 Dec, 2018 8 commits
-
-
Alan Coopersmith authored
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
Alan Coopersmith authored
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
Alan Coopersmith authored
Makes resizing & clearing more consistent and gets rid of some weird quirks like always subtracting 1 from the size passed to _XkbClearElems so it could always add 1 to the size passed in.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
Alan Coopersmith authored
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
Alan Coopersmith authored
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
Alan Coopersmith authored
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
Alan Coopersmith authored
-
Alan Coopersmith authored
Wrapper for realloc() that checks for overflow when multiplying arguments together, so we don't have to add overflow checks to every single call.

For documentation on usage, see: http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man3/calloc.3

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
- 20 Nov, 2018 1 commit
-
-
Alan Coopersmith authored
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
- 12 Nov, 2018 2 commits
-
-
Albert Astals Cid authored
With this patch xev properly reports XLookupString gives 2 bytes: (c2 b4) "´" for the dead_acute key when using the Asturian locale
-
Albert Astals Cid authored
With this patch one can properly type dead keys like á when using the Asturian locale
-
- 10 Nov, 2018 1 commit
-
-
Alan Coopersmith authored
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
- 09 Oct, 2018 1 commit
-
-
Matt Turner authored
Signed-off-by: Matt Turner <mattst88@gmail.com>
-
- 28 Sep, 2018 1 commit
-
-
Michel Dänzer authored
It avoids reading from the display connection again in cases where that was already done.

Suggested-by: Uli Schlachter <psychon@znc.in>
Reviewed-by: Uli Schlachter <psychon@znc.in>
-
- 25 Sep, 2018 1 commit
-
-
Michel Dänzer authored
If xcb_poll_for_reply fails to find a reply, poll_for_response would always return NULL. However, xcb_poll_for_reply may have read events from the display connection while looking for a reply. In that case, returning NULL from poll_for_response is wrong and can result in the client hanging, e.g. because it returns to waiting for the display connection file descriptor becoming readable after XPending incorrectly returned 0 pending events.

The solution is to call poll_for_event again after xcb_poll_for_reply returned 0. This will return the first of any events read by xcb_poll_for_reply.

Fixes issue #79.

Reported-by: Yuxuan Shui <yshuiv7@gmail.com>
Bugzilla: https://bugs.freedesktop.org/108008
Bugzilla: https://bugs.freedesktop.org/107992
Reviewed-by: Adam Jackson <ajax@redhat.com>
-
- 22 Sep, 2018 1 commit
-
-
Bhavi Dhingra authored
Fixes #44 aka https://bugs.freedesktop.org/show_bug.cgi?id=92154
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
- 21 Aug, 2018 5 commits
-
-
Matthieu Herrb authored
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
-
Matthieu Herrb authored
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
-
Tobias Stoeckmann authored
If the server sends a reply in which even the first string would overflow the transmitted bytes, list[0] (or flist[0]) will be set to NULL and a count of 0 is returned.

If the resulting list is freed with XFreeExtensionList or XFreeFontPath later on, the first Xfree call:

    Xfree (list[0]-1)

turns into

    Xfree (NULL-1)

which will most likely trigger a segmentation fault.

I have modified the code to return NULL if the first string would overflow, thus protecting the freeing functions later on.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-
Tobias Stoeckmann authored
The length value is interpreted as signed char on many systems (depending on default signedness of char), which can lead to an out of boundary write up to 128 bytes in front of the allocated storage, but limited to NUL byte(s).

Casting the length value to unsigned char fixes the problem and allows string values with up to 255 characters.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-
Tobias Stoeckmann authored
The functions XGetFontPath, XListExtensions, and XListFonts are vulnerable to an off-by-one override on malicious server responses.

The server replies consist of chunks consisting of a length byte followed by actual string, which is not NUL-terminated.

While parsing the response, the length byte is overridden with '\0', thus the memory area can be used as storage of C strings later on. To be able to NUL-terminate the last string, the buffer is reserved with an additional byte of space.

For a boundary check, the variable chend (end of ch) was introduced, pointing at the end of the buffer which ch initially points to. Unfortunately there is a difference in handling "the end of ch".

While chend points at the first byte that must not be written to, the for-loop uses chend as the last byte that can be written to.

Therefore, an off-by-one can occur.

I have refactored the code so chend actually points to the last byte that can be written to without an out of boundary access. As it is not possible to achieve "ch + length < chend" and "ch + length + 1 > chend" with the corrected chend meaning, I removed the inner if-check.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
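
The parsing pattern described in the three commit messages above (length-prefixed strings NUL-terminated in place), as an added example that is not libX11's code; `unpack_strings` and `demo_count` are hypothetical names and the sample bytes are constructed. It reads the length byte as unsigned char, treats the spare byte as the last writable address, and returns NULL when even the first string does not fit.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not libX11 code. buf holds nbytes of reply data made
 * of <length byte><string bytes> chunks and must be allocated with one spare
 * byte (nbytes + 1) so the last string can be NUL-terminated in place. */
char **unpack_strings(char *buf, size_t nbytes, int nstrings, int *count)
{
    char *ch = buf;
    char *end = buf + nbytes;   /* the spare byte: last address we may write */
    char **list;
    int i;

    *count = 0;
    if (nstrings <= 0)
        return NULL;
    list = calloc((size_t)nstrings, sizeof *list);
    if (list == NULL)
        return NULL;
    for (i = 0; i < nstrings && ch < end; i++) {
        size_t length = (unsigned char)*ch;    /* 0..255, never sign-extended */
        if ((size_t)(end - ch) < length + 1)   /* string runs past the data */
            break;
        if (i > 0)
            *ch = '\0';          /* length byte becomes previous terminator */
        list[i] = ch + 1;
        ch += length + 1;        /* next length byte, or the spare byte */
    }
    if (i == 0) {                /* not even the first string fits */
        free(list);
        return NULL;
    }
    *ch = '\0';                  /* ch <= end, so this stays in bounds */
    *count = i;
    return list;
}

/* Constructed demo: copy wire bytes into a buffer with the spare byte,
 * unpack them, and report how many strings were accepted. */
int demo_count(const char *wire, size_t nbytes, int nstrings)
{
    int count = 0;
    char *buf = malloc(nbytes + 1);
    if (buf == NULL)
        return -1;
    memcpy(buf, wire, nbytes);
    free(unpack_strings(buf, nbytes, nstrings, &count));
    free(buf);
    return count;
}
```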
-
- 17 Jul, 2018 1 commit
-
-
Tobias Stoeckmann authored
If a server sends an incorrect length in its response, a client is prone to perform an out of boundary read while processing the data.

The length field of xHostEntry is used to specify the amount of bytes used to represent the address. It is 16 bit, which means that it is not possible to perform an arbitrary memory access, but it might be enough to read sensitive information, e.g. malloc-related pointers and offsets.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
-
- 13 Jun, 2018 1 commit
-
-
Samuel Thibault authored
XkbOpenDisplay returns a pointer to Display, not a Display.

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
-
- 14 May, 2018 1 commit
-
-
Martin Natano authored
ks_tables.h is always considered out of date due to the forced rebuild of the makekeys util. This means the file is also rebuilt during 'make install', which is usually performed as root, which can lead to permission problems later on.

Signed-off-by: Martin Natano <natano@natano.net>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
- 05 May, 2018 1 commit
-
-
Alan Coopersmith authored
Needs to match one of the regexps shown under https://gcc.gnu.org/onlinedocs/gcc-7.3.0/gcc/Warning-Options.html#index-Wimplicit-fallthrough

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-
- 30 Mar, 2018 1 commit
-
-
Alan Coopersmith authored
These variables store values returned from strlen() as a size_t and are passed to Xmalloc, which expects a size_t, so let's stop converting back and forth to int along the way.

Reported by: Konstantin SKliarov
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
-