  1. 18 Jul, 2022 3 commits
  2. 08 Dec, 2018 1 commit
  3. 20 Nov, 2018 1 commit
  4. 26 Jan, 2017 3 commits
  5. 04 Oct, 2016 1 commit
  6. 28 Sep, 2016 1 commit
    • Protocol handling issues in libXv - CVE-2016-5407 · d9da580b
      Tobias Stoeckmann authored and Matthieu Herrb committed
      
      
      The Xv query functions for adaptors and encodings suffer from out of
      boundary accesses if a hostile X server sends a maliciously crafted
      response.
      
      A previous fix already checks the received length against fixed values
      but ignores additional length specifications which are stored inside
      the received data.
      
      These lengths are accessed in a for-loop. The easiest way to guarantee
      a correct processing is by validating all lengths against the
      remaining size left before accessing referenced memory.
      
      This makes the previously applied check obsolete, therefore I removed
      it.
      Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
      Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
  7. 29 Jul, 2014 1 commit
  8. 08 Sep, 2013 1 commit
  9. 06 Jul, 2013 8 commits
    • Remove fallback for _XEatDataWords, require libX11 1.6 for it · 4a7d2ca2
      Alan Coopersmith authored
      
      
      _XEatDataWords was originally introduced with the May 2013 security
      patches, and in order to ease the process of delivering those,
      fallback versions of _XEatDataWords were included in the X extension
      library patches so they could be applied to older versions that didn't
      have libX11 1.6 yet. Now that we're past that hurdle, we can drop
      the fallbacks and just require libX11 1.6 for building new versions
      of the extension libraries.
      Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    • Refactor error handling · 06d27595
      Alan Coopersmith authored
      
      
      Reduce code duplication, make error checking & cleanup more consistent
      Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    • Add missing calls to _XEatDataWords when we are skipping _XRead · 29b23d38
      Alan Coopersmith authored
      
      
      If we failed to allocate the buffer to _XRead into, discard the
      rest of the reply, instead of leaving it to confuse the reading
      of the next reply.
      Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    • Replace custom copy of GetReq macro with call to Xlib 1.5's _XGetRequest · 5a09a55b
      Alan Coopersmith authored
      
      
      xvproto.h names don't match those required by the Xlibint.h GetReq* macros,
      but at least we can rely on the _XGetRequest function for the bulk of the
      work now, instead of duplicating it.
      
      Also clears clang warnings repeated for every request function:
      
      Xv.c:137:5: warning: cast from 'char *' to 'xvQueryExtensionReq *' increases required alignment from 1 to 2 [-Wcast-align]
          XvGetReq(QueryExtension, req);
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      ./Xvlibint.h:52:8: note: expanded from macro 'XvGetReq'
              req = (xv##name##Req *)(dpy->last_req = dpy->bufptr);\
                    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      Xv.c:137:5: warning: implicit conversion loses integer precision: 'int' to 'CARD8' (aka 'unsigned char') [-Wconversion]
          XvGetReq(QueryExtension, req);
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      ./Xvlibint.h:53:30: note: expanded from macro 'XvGetReq'
              req->reqType = info->codes->major_opcode;\
                           ~ ~~~~~~~~~~~~~^~~~~~~~~~~~
      Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    • Use pad_to_int32 macro instead of repeated (x + 3) & ~3 pattern · e73a2199
      Alan Coopersmith authored
      
      
      Makes code clearer, and using ~3U instead of ~3 clears some signed int
      warnings.
      Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    • Fix sign conversion & comparison warnings from clang · 4ced4419
      Alan Coopersmith authored
      
      
      Clears up:
      Xv.c:196:21: warning: implicit conversion changes signedness: 'CARD32' (aka 'unsigned int') to 'int' [-Wsign-conversion]
        size = rep.length << 2;
             ~ ~~~~~~~~~~~^~~~
      Xv.c:212:41: warning: implicit conversion changes signedness: 'int' to 'size_t' (aka 'unsigned long') [-Wsign-conversion]
            if ((pas=(XvAdaptorInfo *)Xmalloc(size))==NULL) {
                                      ~~~~~~~~^~~~~
      Xv.c:236:43: warning: implicit conversion changes signedness: 'int' to 'unsigned long' [-Wsign-conversion]
            pa->num_adaptors = rep.num_adaptors - ii;
                             ~ ~~~~~~~~~~~~~~~~~^~~~
      Xv.c:243:40: warning: implicit conversion changes signedness: 'int' to 'size_t' (aka 'unsigned long') [-Wsign-conversion]
            if ( (name = (char *)Xmalloc(size+1)) == NULL)
                                 ~~~~~~~~~~~~^~~
      Xv.c:251:37: warning: implicit conversion changes signedness: 'int' to 'size_t' (aka 'unsigned long') [-Wsign-conversion]
            (void)strncpy(name, u.string, size);
                  ~~~~~~~                 ^~~~
      Xv.c:260:36: warning: implicit conversion changes signedness: 'int' to 'size_t' (aka 'unsigned long') [-Wsign-conversion]
            if ((pfs=(XvFormat *)Xmalloc(size))==NULL) {
                                 ~~~~~~~~^~~~~
      Xv.c:269:20: warning: comparison of integers of different signs: 'int' and 'unsigned long' [-Wsign-compare]
            for (jj=0; jj<pa->num_formats; jj++) {
                       ~~^~~~~~~~~~~~~~~~
      Xv.c:259:29: warning: implicit conversion loses integer precision: 'unsigned long' to 'int' [-Wshorten-64-to-32]
            size = pa->num_formats*sizeof(XvFormat);
                 ~ ~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~
      Xv.c:305:16: warning: comparison of integers of different signs: 'int' and 'unsigned long' [-Wsign-compare]
        for (ii=0; ii<pAdaptors->num_adaptors; ii++, pa++)
                   ~~^~~~~~~~~~~~~~~~~~~~~~~~
      Xv.c:356:21: warning: implicit conversion changes signedness: 'CARD32' (aka 'unsigned int') to 'int' [-Wsign-conversion]
        size = rep.length << 2;
             ~ ~~~~~~~~~~~^~~~
      Xv.c:369:41: warning: implicit conversion changes signedness: 'int' to 'size_t' (aka 'unsigned long') [-Wsign-conversion]
        if ( (pes = (XvEncodingInfo *)Xmalloc(size)) == NULL) {
                                      ~~~~~~~~^~~~~
      Xv.c:392:45: warning: implicit conversion changes signedness: 'int' to 'unsigned long' [-Wsign-conversion]
            pe->num_encodings = rep.num_encodings - jj;
                              ~ ~~~~~~~~~~~~~~~~~~^~~~
      Xv.c:397:40: warning: implicit conversion changes signedness: 'int' to 'size_t' (aka 'unsigned long') [-Wsign-conversion]
            if ( (name = (char *)Xmalloc(size+1)) == NULL) {
                                 ~~~~~~~~~~~~^~~
      Xv.c:404:31: warning: implicit conversion changes signedness: 'int' to 'size_t' (aka 'unsigned long') [-Wsign-conversion]
            strncpy(name, u.string, size);
            ~~~~~~~                 ^~~~
      Xv.c:433:16: warning: comparison of integers of different signs: 'int' and 'unsigned long' [-Wsign-compare]
        for (ii=0; ii<pEncodings->num_encodings; ii++, pe++) {
                   ~~^~~~~~~~~~~~~~~~~~~~~~~~~~
      Xv.c:886:27: warning: comparison of integers of different signs: 'int' and 'CARD32' (aka 'unsigned int') [-Wsign-compare]
                  for (i = 0; i < rep.num_attributes; i++) {
                              ~ ^ ~~~~~~~~~~~~~~~~~~
      Xv.c:946:27: warning: comparison of integers of different signs: 'int' and 'CARD32' (aka 'unsigned int') [-Wsign-compare]
                  for (i = 0; i < rep.num_formats; i++) {
                              ~ ^ ~~~~~~~~~~~~~~~
      Xv.c:1100:5: warning: comparison of integers of different signs: 'int' and 'unsigned int' [-Wsign-compare]
          SetReqLen(req, len, len);
          ^~~~~~~~~~~~~~~~~~~~~~~~
      X11/Xlibint.h:530:27: note: expanded from macro 'SetReqLen'
          if ((req->length + n) > (unsigned)65535) { \
                                ^ ~~~~~~~~~~~~~~~
      Xv.c:1100:20: warning: implicit conversion changes signedness: 'int' to 'unsigned int' [-Wsign-conversion]
          SetReqLen(req, len, len);
          ~~~~~~~~~~~~~~~^~~~~~~~~
      X11/Xlibint.h:532:21: note: expanded from macro 'SetReqLen'
                  MakeBigReq(req,n) \
                                 ^
      X11/Xlibint.h:505:35: note: expanded from macro 'MakeBigReq'
          ((CARD32 *)req)[1] = _BRlen + n + 2; \
                                      ~ ^
      Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
  10. 23 Jun, 2013 2 commits
  11. 02 Jun, 2013 2 commits
  12. 01 Jun, 2013 1 commit
  13. 07 May, 2013 3 commits
  14. 26 Apr, 2013 1 commit
  15. 13 Apr, 2013 1 commit
  16. 15 Jan, 2013 2 commits
  17. 25 Aug, 2012 1 commit
  18. 08 Mar, 2012 1 commit
  19. 11 Nov, 2011 1 commit
  20. 06 Oct, 2011 1 commit
  21. 17 Sep, 2011 1 commit
  22. 02 Feb, 2011 1 commit
    • config: comment, minor upgrade, quote and layout configure.ac · 7091e73f
      Gaetan Nadon authored
      Group statements per section as per Autoconf standard layout
      Quote statements where appropriate.
      Autoconf recommends not using dnl instead of # for comments
      
      Use AC_CONFIG_FILES to replace the deprecated AC_OUTPUT with parameters.
      Add AC_CONFIG_SRCDIR([Makefile.am])
      Remove redundant AC_SUBST(*_CFLAGS) and/or *_LIBS
      No functional configuration changes
      
      This helps automated maintenance and release activities.
      Details can be found in http://wiki.x.org/wiki/NewModuleGuidelines
  23. 29 Jan, 2011 1 commit
  24. 27 Jan, 2011 1 commit