 ChangeLog                       |   44 +++++++++++++++++++++++++++
 configure.ac                    |   10 +-----
 debian/changelog                |   14 +++++++-
 debian/control                  |   17 +++++-----
 debian/copyright                |    2 -
 debian/upstream/signing-key.asc |   64 ++++++++++++++++++++++++++++++++++++++++
 debian/watch                    |    3 +
 src/XRecord.c                   |   54 ++++++++++++++++++++++++---------
 8 files changed, 172 insertions(+), 36 deletions(-)
New commits: commit 2e1d4fb1bbb73e7ece946666dc254506f8a8479a Author: Andreas Boll <andreas.boll....@gmail.com> Date: Fri Oct 7 15:29:42 2016 +0200 Fix lintian error: pre-depends-directly-on-multiarch-support. diff --git a/debian/changelog b/debian/changelog index e3f74de..22346c0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -7,6 +7,7 @@ libxtst (2:1.2.3-1) UNRELEASED; urgency=low * Let uscan verify tarball signatures. * Remove Cyril from Uploaders. * Update a bunch of URLs in packaging to https. + * Fix lintian error: pre-depends-directly-on-multiarch-support. [ Julien Cristau ] * Bump debhelper build-dep to 8.1.3 for ${misc:Pre-Depends}. diff --git a/debian/control b/debian/control index 63f71ad..71bf723 100644 --- a/debian/control +++ b/debian/control @@ -29,7 +29,7 @@ Package: libxtst6 Section: libs Architecture: any Multi-Arch: same -Pre-Depends: multiarch-support +Pre-Depends: ${misc:Pre-Depends} Depends: ${shlibs:Depends}, ${misc:Depends}, x11-common Description: X11 Testing -- Record extension library libXtst provides an X Window System client interface to the Record commit 45bcf14288e06351d481f69e98c54fccf26cbcc8 Author: Andreas Boll <andreas.boll....@gmail.com> Date: Fri Oct 7 15:01:11 2016 +0200 Update a bunch of URLs in packaging to https. diff --git a/debian/changelog b/debian/changelog index 3009be1..e3f74de 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,6 +6,7 @@ libxtst (2:1.2.3-1) UNRELEASED; urgency=low * Bump libx11-dev build-dep to 2:1.6.0 per configure.ac. * Let uscan verify tarball signatures. * Remove Cyril from Uploaders. + * Update a bunch of URLs in packaging to https. [ Julien Cristau ] * Bump debhelper build-dep to 8.1.3 for ${misc:Pre-Depends}. diff --git a/debian/control b/debian/control index a3003a8..63f71ad 100644 --- a/debian/control +++ b/debian/control 
@@ -22,8 +22,8 @@ Build-Depends: xorg-sgml-doctools (>= 1:1.8), w3m, Standards-Version: 3.8.3 -Vcs-Git: git://git.debian.org/git/pkg-xorg/lib/libxtst -Vcs-Browser: http://git.debian.org/?p=pkg-xorg/lib/libxtst.git +Vcs-Git: https://anonscm.debian.org/git/pkg-xorg/lib/libxtst.git +Vcs-Browser: https://anonscm.debian.org/cgit/pkg-xorg/lib/libxtst.git Package: libxtst6 Section: libs @@ -39,7 +39,7 @@ Description: X11 Testing -- Record extension library is useful for automated testing. . More information about X.Org can be found at: - <URL:http://www.X.org> + <URL:https://www.X.org> . This module can be found at git://anongit.freedesktop.org/git/xorg/lib/libXtst @@ -69,7 +69,7 @@ Description: X11 Record extension library (debug package) Non-developers likely have little use for this package. . More information about X.Org can be found at: - <URL:http://www.X.org> + <URL:https://www.X.org> . This module can be found at git://anongit.freedesktop.org/git/xorg/lib/libXtst @@ -101,7 +101,7 @@ Description: X11 Record extension library (development headers) libxtst6. Non-developers likely have little use for this package. . More information about X.Org can be found at: - <URL:http://www.X.org> + <URL:https://www.X.org> . This module can be found at git://anongit.freedesktop.org/git/xorg/lib/libXtst @@ -127,7 +127,7 @@ Description: X11 Record extension library (documentation) extension libraries. Non-developers likely have little use for this package. . More information about X.Org can be found at: - <URL:http://www.X.org> + <URL:https://www.X.org> . This module can be found at git://anongit.freedesktop.org/git/xorg/lib/libXtst diff --git a/debian/copyright b/debian/copyright index 86acfb6..94c9caa 100644 --- a/debian/copyright +++ b/debian/copyright 
@@ -1,5 +1,5 @@ This package was downloaded from -http://xorg.freedesktop.org/releases/individual/lib/ +https://xorg.freedesktop.org/releases/individual/lib/ Copyright 1990, 1991 by UniSoft Group Limited Copyright 1992, 1993, 1995, 1998 The Open Group diff --git a/debian/watch b/debian/watch index e28968c..b3c5654 100644 --- a/debian/watch +++ b/debian/watch @@ -1,4 +1,4 @@ #git=git://anongit.freedesktop.org/xorg/lib/libXtst version=3 opts=pgpsigurlmangle=s/$/.sig/ \ -http://xorg.freedesktop.org/releases/individual/lib/ libXtst-(.*)\.tar\.gz +https://xorg.freedesktop.org/releases/individual/lib/ libXtst-(.*)\.tar\.gz commit 44669586e7e4495e81763b507ee449e100927bed Author: Andreas Boll <andreas.boll....@gmail.com> Date: Fri Oct 7 14:58:48 2016 +0200 Remove Cyril from Uploaders. diff --git a/debian/changelog b/debian/changelog index f0d0f70..3009be1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,6 +5,7 @@ libxtst (2:1.2.3-1) UNRELEASED; urgency=low - Fixes CVE-2016-7951 and CVE-2016-7952. * Bump libx11-dev build-dep to 2:1.6.0 per configure.ac. * Let uscan verify tarball signatures. + * Remove Cyril from Uploaders. [ Julien Cristau ] * Bump debhelper build-dep to 8.1.3 for ${misc:Pre-Depends}. diff --git a/debian/control b/debian/control index 00d5aff..a3003a8 100644 --- a/debian/control +++ b/debian/control @@ -2,7 +2,6 @@ Source: libxtst Section: x11 Priority: optional Maintainer: Debian X Strike Force <debian-x@lists.debian.org> -Uploaders: Cyril Brulebois <k...@debian.org> Build-Depends: dpkg-dev (>= 1.16.1), debhelper (>= 8.1.3), commit f6b173a008c7fdbbb7543ef89ef1a5508f31d15c Author: Andreas Boll <andreas.boll....@gmail.com> Date: Fri Oct 7 14:58:12 2016 +0200 Let uscan verify tarball signatures. diff --git a/debian/changelog b/debian/changelog index 4488ab0..f0d0f70 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -4,6 +4,7 @@ libxtst (2:1.2.3-1) UNRELEASED; urgency=low * New upstream release. - Fixes CVE-2016-7951 and CVE-2016-7952. * Bump libx11-dev build-dep to 2:1.6.0 per configure.ac. + * Let uscan verify tarball signatures. [ Julien Cristau ] * Bump debhelper build-dep to 8.1.3 for ${misc:Pre-Depends}. diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc new file mode 100644 index 0000000..b4e5575 --- /dev/null +++ b/debian/upstream/signing-key.asc 
@@ -0,0 +1,64 @@ +-----BEGIN PGP PUBLIC KEY BLOCK-----
+=WW1Z +-----END PGP PUBLIC KEY BLOCK----- diff --git a/debian/watch b/debian/watch index fa1c906..e28968c 100644 --- a/debian/watch +++ b/debian/watch @@ -1,3 +1,4 @@ #git=git://anongit.freedesktop.org/xorg/lib/libXtst version=3 +opts=pgpsigurlmangle=s/$/.sig/ \ http://xorg.freedesktop.org/releases/individual/lib/ libXtst-(.*)\.tar\.gz commit 9fcd2a95a37b0adc2bede495c1bc108e2e1974a3 Author: Andreas Boll <andreas.boll....@gmail.com> Date: Fri Oct 7 14:57:06 2016 +0200 Bump libx11-dev build-dep to 2:1.6.0 per configure.ac. diff --git a/debian/changelog b/debian/changelog index 9c8c0f4..4488ab0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,7 @@ libxtst (2:1.2.3-1) UNRELEASED; urgency=low [ Andreas Boll ] * New upstream release. - Fixes CVE-2016-7951 and CVE-2016-7952. + * Bump libx11-dev build-dep to 2:1.6.0 per configure.ac. [ Julien Cristau ] * Bump debhelper build-dep to 8.1.3 for ${misc:Pre-Depends}. diff --git a/debian/control b/debian/control index d779655..00d5aff 100644 --- a/debian/control +++ b/debian/control @@ -6,7 +6,7 @@ Uploaders: Cyril Brulebois <k...@debian.org> Build-Depends: dpkg-dev (>= 1.16.1), debhelper (>= 8.1.3), - libx11-dev (>= 2:0.99.3), + libx11-dev (>= 2:1.6.0), libxext-dev (>= 2:1.0.99.4), libxi-dev, x11proto-record-dev (>= 1.13.99.1), commit 97479c890d1a4394e1d8702d53c7da0a24ee9e69 Author: Andreas Boll <andreas.boll....@gmail.com> Date: Fri Oct 7 14:51:05 2016 +0200 Bump changelogs diff --git a/ChangeLog b/ChangeLog index c0e3b3c..c65a39a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,47 @@ +commit 9f5621a410f18149d4c76b02daa7f1a98b4a2c16 +Author: Matthieu Herrb <matthieu.he...@laas.fr> +Date: Tue Oct 4 21:28:17 2016 +0200 + + libXtst 1.2.3 + + 
Signed-off-by: Matthieu Herrb <matthieu.he...@laas.fr> + +commit 9556ad67af3129ec4a7a4f4b54a0d59701beeae3 +Author: Tobias Stoeckmann <tob...@stoeckmann.org> +Date: Sun Sep 25 21:37:01 2016 +0200 + + Out of boundary access and endless loop in libXtst + + A lack of range checks in libXtst allows out of boundary accesses. + The checks have to be done in-place here, because it cannot be done + without in-depth knowledge of the read data. + + If XRecordStartOfData, XRecordEndOfData, or XRecordClientDied + without a client sequence have attached data, an endless loop would + occur. The do-while-loop continues until the current index reaches + the end. But in these cases, the current index would not be + incremented, leading to an endless processing. + + Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org> + Reviewed-by: Matthieu Herrb <matth...@herrb.eu> + +commit 48d2656fa1dd98e9d88b31211fa4f09f813e7b30 +Author: Michael Joost <m...@michael-joost.de> +Date: Mon Nov 18 16:11:26 2013 +0100 + + Remove fallback for _XEatDataWords, require libX11 1.6 for it + + _XEatDataWords was orignally introduced with the May 2013 security + patches, and in order to ease the process of delivering those, + fallback versions of _XEatDataWords were included in the X extension + library patches so they could be applied to older versions that didn't + have libX11 1.6 yet. Now that we're past that hurdle, we can drop + the fallbacks and just require libX11 1.6 for building new versions + of the extension libraries. + + Reviewed-by: Alan Coopersmith <alan.coopersm...@oracle.com> + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + commit cdc04f06325e55916e0c95b61db626d22b76e2ff Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Thu May 30 19:09:42 2013 -0700 diff --git a/debian/changelog b/debian/changelog index 1488270..9c8c0f4 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,8 +1,13 @@ -libxtst (2:1.2.2-2) UNRELEASED; urgency=low +libxtst (2:1.2.3-1) UNRELEASED; urgency=low + [ Andreas Boll ] + * New upstream release. + - Fixes CVE-2016-7951 and CVE-2016-7952. + + [ Julien Cristau ] * Bump debhelper build-dep to 8.1.3 for ${misc:Pre-Depends}. - -- Julien Cristau <jcris...@debian.org> Mon, 12 Aug 2013 21:43:29 +0200 + -- Andreas Boll <andreas.boll....@gmail.com> Fri, 07 Oct 2016 14:48:22 +0200 libxtst (2:1.2.2-1) unstable; urgency=low commit 9f5621a410f18149d4c76b02daa7f1a98b4a2c16 Author: Matthieu Herrb <matthieu.he...@laas.fr> Date: Tue Oct 4 21:28:17 2016 +0200 libXtst 1.2.3 Signed-off-by: Matthieu Herrb <matthieu.he...@laas.fr> diff --git a/configure.ac b/configure.ac index 34ae352..466f431 100644 --- a/configure.ac +++ b/configure.ac @@ -22,7 +22,7 @@ # Initialize Autoconf AC_PREREQ([2.60]) -AC_INIT([libXtst], [1.2.2], +AC_INIT([libXtst], [1.2.3], [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXtst]) AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_HEADERS([config.h]) commit 9556ad67af3129ec4a7a4f4b54a0d59701beeae3 Author: Tobias Stoeckmann <tob...@stoeckmann.org> Date: Sun Sep 25 21:37:01 2016 +0200 Out of boundary access and endless loop in libXtst A lack of range checks in libXtst allows out of boundary accesses. The checks have to be done in-place here, because it cannot be done without in-depth knowledge of the read data. If XRecordStartOfData, XRecordEndOfData, or XRecordClientDied without a client sequence have attached data, an endless loop would occur. The do-while-loop continues until the current index reaches the end. But in these cases, the current index would not be incremented, leading to an endless processing. Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org> Reviewed-by: Matthieu Herrb <matth...@herrb.eu> diff --git a/src/XRecord.c b/src/XRecord.c index 50420c0..fefd842 100644 --- a/src/XRecord.c +++ b/src/XRecord.c 
@@ -749,15 +749,23 @@ parse_reply_call_callback( switch (rep->category) { case XRecordFromServer: if (rep->elementHeader&XRecordFromServerTime) { + if (current_index + 4 > rep->length << 2) + return Error; EXTRACT_CARD32(rep->clientSwapped, reply->buf+current_index, data->server_time); current_index += 4; } + if (current_index + 1 > rep->length << 2) + return Error; switch (reply->buf[current_index]) { case X_Reply: /* reply */ + if (current_index + 8 > rep->length << 2) + return Error; EXTRACT_CARD32(rep->clientSwapped, reply->buf+current_index+4, datum_bytes); + if (datum_bytes < 0 || datum_bytes > ((INT_MAX >> 2) - 8)) + return Error; datum_bytes = (datum_bytes+8) << 2; break; default: /* error or event */ 
@@ -766,52 +774,73 @@ parse_reply_call_callback( break; case XRecordFromClient: if (rep->elementHeader&XRecordFromClientTime) { + if (current_index + 4 > rep->length << 2) + return Error; EXTRACT_CARD32(rep->clientSwapped, reply->buf+current_index, data->server_time); current_index += 4; } if (rep->elementHeader&XRecordFromClientSequence) { + if (current_index + 4 > rep->length << 2) + return Error; EXTRACT_CARD32(rep->clientSwapped, reply->buf+current_index, data->client_seq); current_index += 4; } + if (current_index + 4 > rep->length<<2) + return Error; if (reply->buf[current_index+2] == 0 && reply->buf[current_index+3] == 0) /* needn't swap 0 */ { /* BIG-REQUESTS */ + if (current_index + 8 > rep->length << 2) + return Error; EXTRACT_CARD32(rep->clientSwapped, reply->buf+current_index+4, datum_bytes); } else { EXTRACT_CARD16(rep->clientSwapped, reply->buf+current_index+2, datum_bytes); } + if (datum_bytes < 0 || datum_bytes > INT_MAX >> 2) + return Error; datum_bytes <<= 2; break; case XRecordClientStarted: + if (current_index + 8 > rep->length << 2) + return Error; EXTRACT_CARD16(rep->clientSwapped, reply->buf+current_index+6, datum_bytes); datum_bytes = (datum_bytes+2) << 2; break; case XRecordClientDied: if (rep->elementHeader&XRecordFromClientSequence) { + if (current_index + 4 > rep->length << 2) + return Error; EXTRACT_CARD32(rep->clientSwapped, reply->buf+current_index, data->client_seq); current_index += 4; - } - /* fall through */ + } else if (current_index < rep->length << 2) + return Error; + datum_bytes = 0; + break; case XRecordStartOfData: case XRecordEndOfData: + if (current_index < rep->length << 2) + return Error; datum_bytes = 0; + break; } if (datum_bytes > 0) { - if (current_index + datum_bytes > rep->length << 2) + if (INT_MAX - datum_bytes < (rep->length << 2) - current_index) { fprintf(stderr, "XRecord: %lu-byte reply claims %d-byte element (seq %lu)\n", - (long)rep->length << 2, current_index + datum_bytes, + (unsigned long)rep->length << 
2, current_index + datum_bytes, dpy->last_request_read); + return Error; + } /* * This assignment (and indeed the whole buffer sharing * scheme) assumes arbitrary 4-byte boundaries are @@ -863,6 +892,12 @@ XRecordEnableContext(Display *dpy, XRecordContext context, return 0; } + if (rep.length > INT_MAX >> 2) { + UnlockDisplay(dpy); + SyncHandle(); + return 0; + } + if (rep.length > 0) { reply = alloc_reply_buffer(info, rep.length<<2); if (!reply) { commit 48d2656fa1dd98e9d88b31211fa4f09f813e7b30 Author: Michael Joost <m...@michael-joost.de> Date: Mon Nov 18 16:11:26 2013 +0100 Remove fallback for _XEatDataWords, require libX11 1.6 for it _XEatDataWords was orignally introduced with the May 2013 security patches, and in order to ease the process of delivering those, fallback versions of _XEatDataWords were included in the X extension library patches so they could be applied to older versions that didn't have libX11 1.6 yet. Now that we're past that hurdle, we can drop the fallbacks and just require libX11 1.6 for building new versions of the extension libraries. Reviewed-by: Alan Coopersmith <alan.coopersm...@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> diff --git a/configure.ac b/configure.ac index c169598..34ae352 100644 --- a/configure.ac +++ b/configure.ac @@ -45,13 +45,7 @@ XORG_WITH_XSLTPROC XORG_CHECK_SGML_DOCTOOLS(1.8) # Obtain compiler/linker options for depedencies -PKG_CHECK_MODULES(XTST, x11 [xext >= 1.0.99.4] xi [recordproto >= 1.13.99.1] [xextproto >= 7.0.99.3] inputproto) - -# Check for _XEatDataWords function that may be patched into older Xlib release -SAVE_LIBS="$LIBS" -LIBS="$XTST_LIBS" -AC_CHECK_FUNCS([_XEatDataWords]) -LIBS="$SAVE_LIBS" +PKG_CHECK_MODULES(XTST, [x11 >= 1.6] [xext >= 1.0.99.4] xi [recordproto >= 1.13.99.1] [xextproto >= 7.0.99.3] inputproto) # Determine if the source for man pages is available # It may already be present (tarball) or can be generated using xmlto 
diff --git a/src/XRecord.c b/src/XRecord.c index 5bbd5ac..50420c0 100644 --- a/src/XRecord.c +++ b/src/XRecord.c @@ -61,17 +61,6 @@ from The Open Group. #include <X11/extensions/record.h> #include <limits.h> -#ifndef HAVE__XEATDATAWORDS -static inline void _XEatDataWords(Display *dpy, unsigned long n) -{ -# ifndef LONG64 - if (n >= (ULONG_MAX >> 2)) - _XIOError(dpy); -# endif - _XEatData (dpy, n << 2); -} -#endif - static XExtensionInfo _xrecord_info_data; static XExtensionInfo *xrecord_info = &_xrecord_info_data; static const char *xrecord_extension_name = RECORD_NAME;
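Review bot: the https conversion in commit 45bcf14 stops short of the git:// URLs. In debian/control every package description still carries the context line `git://anongit.freedesktop.org/git/xorg/lib/libXtst`, and debian/watch keeps `#git=git://anongit.freedesktop.org/xorg/lib/libXtst` as its first line. git:// is an unauthenticated transport, so either convert these in the same commit or state in the changelog entry that they were left on purpose.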
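Review bot: debian/upstream/signing-key.asc (commit f6b173a) arrives as a new 64-line file with no statement of whose key it is or what its fingerprint is; the commit message and the changelog entry both say only `Let uscan verify tarball signatures.` Add the key owner and full fingerprint to the commit message or changelog so the key can be checked out-of-band before it becomes the trust anchor for uscan. At this commit the debian/watch URL is also still `http://`, so the signature check is the only integrity control on the download until the later https commit.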
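Review bot: in the `if (datum_bytes > 0)` block at the end of the second src/XRecord.c hunk (`@@ -766,52 +774,73 @@`, parse_reply_call_callback), the replacement condition `INT_MAX - datum_bytes < (rep->length << 2) - current_index` reads arithmetically as "datum_bytes plus the remaining bytes exceeds INT_MAX". That is an overflow test, not the bounds test of the removed line `current_index + datum_bytes > rep->length << 2`, which is what the error message below it still reports. If the intent is to keep rejecting elements that run past the reply without risking overflow, compare `datum_bytes > (rep->length << 2) - current_index`, provided current_index cannot exceed the reply length, which the added checks appear to maintain. The `fprintf` argument `current_index + datum_bytes` can also overflow in the case this branch is meant to catch.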
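Review bot: the `rep.length > INT_MAX >> 2` guard added to XRecordEnableContext (`@@ -863,6 +892,12 @@`) has no comment, although it appears to be what keeps the many `rep->length << 2` bounds added in parse_reply_call_callback from overflowing the shift. Add a one-line comment stating that dependency, and consider computing the byte length once and reusing it rather than repeating the shift in every check. The early `return 0` also exits before the reply buffer is allocated, with the same return value as the failure path just above it; say in the comment whether leaving without reading the reply body is intended.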