Xext/EVI.c | 15 +++++++++++-
Xext/cup.c | 3 ++
Xext/sampleEVI.c | 29 +++++++++++++++++++----
Xext/security.c | 4 +--
Xext/shm.c | 50 +++++++++++++++++++++++++++++++++-------
Xi/chgfctl.c | 7 -----
Xi/chgkmap.c | 13 ++++------
Xi/chgprop.c | 10 ++------
Xi/grabdev.c | 12 ++++-----
Xi/grabdevb.c | 10 ++------
Xi/grabdevk.c | 9 +------
Xi/selectev.c | 11 +++-----
Xi/sendexev.c | 14 ++++++-----
dix/dixfonts.c | 7 +++++
hw/kdrive/ephyr/ephyr.c | 1
hw/xfree86/common/xf86MiscExt.c | 4 +++
os/io.c | 2 -
xkb/xkbUtils.c | 1
18 files changed, 131 insertions(+), 71 deletions(-)
New commits:
commit b6d4cdf64f43ae805beada6122c8be2ed138742c
Author: Adam Jackson <[EMAIL PROTECTED]>
Date: Fri Jan 18 14:41:20 2008 -0500
CVE-2007-6429: Don't spuriously reject <8bpp shm pixmaps.
Move size validation after depth validation, and only validate size if
the bpp of the pixmap format is > 8. If bpp < 8 then we're already
protected from overflow by the width and height checks.
(cherry picked from commit e9fa7c1c88a8130a48f772c92b186b8b777986b5)
diff --git a/Xext/shm.c b/Xext/shm.c
index 5633be9..6f99e90 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -737,14 +737,6 @@ ProcPanoramiXShmCreatePixmap(
}
if (width > 32767 || height > 32767)
return BadAlloc;
- size = PixmapBytePad(width, depth) * height;
- if (sizeof(size) == 4) {
- if (size < width * height)
- return BadAlloc;
- /* thankfully, offset is unsigned */
- if (stuff->offset + size < size)
- return BadAlloc;
- }
if (stuff->depth != 1)
{
@@ -755,7 +747,17 @@ ProcPanoramiXShmCreatePixmap(
client->errorValue = stuff->depth;
return BadValue;
}
+
CreatePmap:
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
@@ -1080,14 +1082,6 @@ ProcShmCreatePixmap(client)
}
if (width > 32767 || height > 32767)
return BadAlloc;
- size = PixmapBytePad(width, depth) * height;
- if (sizeof(size) == 4) {
- if (size < width * height)
- return BadAlloc;
- /* thankfully, offset is unsigned */
- if (stuff->offset + size < size)
- return BadAlloc;
- }
if (stuff->depth != 1)
{
@@ -1098,7 +1092,17 @@ ProcShmCreatePixmap(client)
client->errorValue = stuff->depth;
return BadValue;
}
+
CreatePmap:
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
pDraw->pScreen, stuff->width,
commit 19b95cdd1d14a1e7d1abba1880ab023c96f19bf5
Author: Matthieu Herrb <[EMAIL PROTECTED]>
Date: Thu Jan 17 17:03:39 2008 +0100
Fix for CVE-2007-5958 - File existence disclosure.
diff --git a/Xext/security.c b/Xext/security.c
index ba057de..e9d48c9 100644
--- a/Xext/security.c
+++ b/Xext/security.c
@@ -1563,7 +1563,7 @@ SecurityLoadPropertyAccessList(void)
if (!SecurityPolicyFile)
return;
- f = fopen(SecurityPolicyFile, "r");
+ f = Fopen(SecurityPolicyFile, "r");
if (!f)
{
ErrorF("error opening security policy file %s\n",
@@ -1646,7 +1646,7 @@ SecurityLoadPropertyAccessList(void)
}
#endif /* PROPDEBUG */
- fclose(f);
+ Fclose(f);
} /* SecurityLoadPropertyAccessList */
commit f09b8007e7f6e60e0b9c9665ec632b578ae08b6f
Author: Matthieu Herrb <[EMAIL PROTECTED]>
Date: Thu Jan 17 15:29:06 2008 +0100
Fix for CVE-2008-0006 - PCF Font parser buffer overflow.
diff --git a/dix/dixfonts.c b/dix/dixfonts.c
index c21b3ec..7bb2404 100644
--- a/dix/dixfonts.c
+++ b/dix/dixfonts.c
@@ -325,6 +325,13 @@ doOpenFont(ClientPtr client, OFclosurePtr c)
err = BadFontName;
goto bail;
}
+ /* check values for firstCol, lastCol, firstRow, and lastRow */
+ if (pfont->info.firstCol > pfont->info.lastCol ||
+ pfont->info.firstRow > pfont->info.lastRow ||
+ pfont->info.lastCol - pfont->info.firstCol > 255) {
+ err = AllocError;
+ goto bail;
+ }
if (!pfont->fpe)
pfont->fpe = fpe;
pfont->refcnt++;
commit 8b14f7b74284900b95a319ec80c4333e63af2296
Author: Matthieu Herrb <[EMAIL PROTECTED]>
Date: Thu Jan 17 15:28:42 2008 +0100
Fix for CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows.
diff --git a/Xext/EVI.c b/Xext/EVI.c
index 8fe3481..13bd32a 100644
--- a/Xext/EVI.c
+++ b/Xext/EVI.c
@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
#include <X11/extensions/XEVIstr.h>
#include "EVIstruct.h"
#include "modinit.h"
+#include "scrnintstr.h"
#if 0
static unsigned char XEVIReqCode = 0;
@@ -87,10 +88,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
{
REQUEST(xEVIGetVisualInfoReq);
xEVIGetVisualInfoReply rep;
- int n, n_conflict, n_info, sz_info, sz_conflict;
+ int i, n, n_conflict, n_info, sz_info, sz_conflict;
VisualID32 *conflict;
+ unsigned int total_visuals = 0;
xExtendedVisualInfo *eviInfo;
int status;
+
+ /*
+ * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume
+ * here that you don't have more than 2^32 visuals over all your screens;
+ * this seems like a safe assumption.
+ */
+ for (i = 0; i < screenInfo.numScreens; i++)
+ total_visuals += screenInfo.screens[i]->numVisuals;
+ if (stuff->n_visual > total_visuals)
+ return BadValue;
+
REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1],
(int)stuff->n_visual,
&eviInfo, &n_info, &conflict, &n_conflict);
diff --git a/Xext/sampleEVI.c b/Xext/sampleEVI.c
index 7508aa7..b871bfd 100644
--- a/Xext/sampleEVI.c
+++ b/Xext/sampleEVI.c
@@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
#include <X11/extensions/XEVIstr.h>
#include "EVIstruct.h"
#include "scrnintstr.h"
+
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
static int sampleGetVisualInfo(
VisualID32 *visual,
int n_visual,
@@ -42,24 +49,36 @@ static int sampleGetVisualInfo(
VisualID32 **conflict_rn,
int *n_conflict_rn)
{
- int max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
+ unsigned int max_sz_evi;
VisualID32 *temp_conflict;
xExtendedVisualInfo *evi;
- int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
+ unsigned int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
register int visualI, scrI, sz_evi = 0, conflictI, n_conflict;
- *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
- if (!*evi_rn)
- return BadAlloc;
+
+ if (n_visual > UINT32_MAX/(sz_xExtendedVisualInfo * screenInfo.numScreens))
+ return BadAlloc;
+ max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
+
for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
if (screenInfo.screens[scrI]->numVisuals > max_visuals)
max_visuals = screenInfo.screens[scrI]->numVisuals;
}
+
+ if (n_visual > UINT32_MAX/(sz_VisualID32 * screenInfo.numScreens
+ * max_visuals))
+ return BadAlloc;
max_sz_conflict = n_visual * sz_VisualID32 * screenInfo.numScreens *
max_visuals;
+
+ *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
+ if (!*evi_rn)
+ return BadAlloc;
+
temp_conflict = (VisualID32 *)xalloc(max_sz_conflict);
if (!temp_conflict) {
xfree(*evi_rn);
return BadAlloc;
}
+
for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
for (visualI = 0; visualI < n_visual; visualI++) {
evi[sz_evi].core_visual_id = visual[visualI];
diff --git a/Xext/shm.c b/Xext/shm.c
index ac587be..5633be9 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -711,6 +711,8 @@ ProcPanoramiXShmCreatePixmap(
int i, j, result, rc;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
PanoramiXRes *newPix;
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
@@ -724,11 +726,26 @@ ProcPanoramiXShmCreatePixmap(
return rc;
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
{
client->errorValue = 0;
return BadValue;
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
@@ -739,9 +756,7 @@ ProcPanoramiXShmCreatePixmap(
return BadValue;
}
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
return BadAlloc;
@@ -1040,6 +1055,8 @@ ProcShmCreatePixmap(client)
register int i, rc;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
client->errorValue = stuff->pid;
@@ -1052,11 +1069,26 @@ ProcShmCreatePixmap(client)
return rc;
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
{
client->errorValue = 0;
return BadValue;
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
@@ -1067,9 +1099,7 @@ ProcShmCreatePixmap(client)
return BadValue;
}
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
pDraw->pScreen, stuff->width,
stuff->height, stuff->depth,
commit d244c8272e0ac47c41a9416e37293903b842a78b
Author: Matthieu Herrb <[EMAIL PROTECTED]>
Date: Thu Jan 17 15:27:34 2008 +0100
Fix for CVE-2007-6427 - Xinput extension memory corruption.
diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
index 2e0e13c..235d659 100644
--- a/Xi/chgfctl.c
+++ b/Xi/chgfctl.c
@@ -327,18 +327,13 @@ ChangeStringFeedback(ClientPtr client, DeviceIntPtr dev,
xStringFeedbackCtl * f)
{
char n;
- long *p;
int i, j;
KeySym *syms, *sup_syms;
syms = (KeySym *) (f + 1);
if (client->swapped) {
swaps(&f->length, n); /* swapped num_keysyms in calling proc */
- p = (long *)(syms);
- for (i = 0; i < f->num_keysyms; i++) {
- swapl(p, n);
- p++;
- }
+ SwapLongs((CARD32 *) syms, f->num_keysyms);
}
if (f->num_keysyms > s->ctrl.max_symbols) {
diff --git a/Xi/chgkmap.c b/Xi/chgkmap.c
index eac520f..f8f85bc 100644
--- a/Xi/chgkmap.c
+++ b/Xi/chgkmap.c
@@ -79,18 +79,14 @@ int
SProcXChangeDeviceKeyMapping(ClientPtr client)
{
char n;
- long *p;
- int i, count;
+ unsigned int count;
REQUEST(xChangeDeviceKeyMappingReq);
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
- p = (long *)&stuff[1];
count = stuff->keyCodes * stuff->keySymsPerKeyCode;
- for (i = 0; i < count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), count);
return (ProcXChangeDeviceKeyMapping(client));
}
@@ -106,10 +102,13 @@ ProcXChangeDeviceKeyMapping(ClientPtr client)
int ret;
unsigned len;
DeviceIntPtr dev;
+ unsigned int count;
REQUEST(xChangeDeviceKeyMappingReq);
REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
+ count = stuff->keyCodes * stuff->keySymsPerKeyCode;
+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
dev = LookupDeviceIntRec(stuff->deviceid);
if (dev == NULL) {
SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0,
diff --git a/Xi/chgprop.c b/Xi/chgprop.c
index 59a93c6..21bda5b 100644
--- a/Xi/chgprop.c
+++ b/Xi/chgprop.c
@@ -81,19 +81,15 @@ int
SProcXChangeDeviceDontPropagateList(ClientPtr client)
{
char n;
- long *p;
- int i;
REQUEST(xChangeDeviceDontPropagateListReq);
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
swapl(&stuff->window, n);
swaps(&stuff->count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
+ stuff->count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
return (ProcXChangeDeviceDontPropagateList(client));
}
diff --git a/Xi/grabdev.c b/Xi/grabdev.c
index e2809ef..d0b4ae7 100644
--- a/Xi/grabdev.c
+++ b/Xi/grabdev.c
@@ -82,8 +82,6 @@ int
SProcXGrabDevice(ClientPtr client)
{
char n;
- long *p;
- int i;
REQUEST(xGrabDeviceReq);
swaps(&stuff->length, n);
@@ -91,11 +89,11 @@ SProcXGrabDevice(ClientPtr client)
swapl(&stuff->grabWindow, n);
swapl(&stuff->time, n);
swaps(&stuff->event_count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->event_count; i++) {
- swapl(p, n);
- p++;
- }
+
+ if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
+ return BadLength;
+
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
return (ProcXGrabDevice(client));
}
diff --git a/Xi/grabdevb.c b/Xi/grabdevb.c
index df62d0c..18db1f7 100644
--- a/Xi/grabdevb.c
+++ b/Xi/grabdevb.c
@@ -80,8 +80,6 @@ int
SProcXGrabDeviceButton(ClientPtr client)
{
char n;
- long *p;
- int i;
REQUEST(xGrabDeviceButtonReq);
swaps(&stuff->length, n);
@@ -89,11 +87,9 @@ SProcXGrabDeviceButton(ClientPtr client)
swapl(&stuff->grabWindow, n);
swaps(&stuff->modifiers, n);
swaps(&stuff->event_count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->event_count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
+ stuff->event_count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
return (ProcXGrabDeviceButton(client));
}
diff --git a/Xi/grabdevk.c b/Xi/grabdevk.c
index b74592f..429b2f7 100644
--- a/Xi/grabdevk.c
+++ b/Xi/grabdevk.c
@@ -80,8 +80,6 @@ int
SProcXGrabDeviceKey(ClientPtr client)
{
char n;
- long *p;
- int i;
REQUEST(xGrabDeviceKeyReq);
swaps(&stuff->length, n);
@@ -89,11 +87,8 @@ SProcXGrabDeviceKey(ClientPtr client)
swapl(&stuff->grabWindow, n);
swaps(&stuff->modifiers, n);
swaps(&stuff->event_count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->event_count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
return (ProcXGrabDeviceKey(client));
}
diff --git a/Xi/selectev.c b/Xi/selectev.c
index d52db1b..19415c5 100644
--- a/Xi/selectev.c
+++ b/Xi/selectev.c
@@ -131,19 +131,16 @@ int
SProcXSelectExtensionEvent(ClientPtr client)
{
char n;
- long *p;
- int i;
REQUEST(xSelectExtensionEventReq);
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
swapl(&stuff->window, n);
swaps(&stuff->count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
+ stuff->count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
+
return (ProcXSelectExtensionEvent(client));
}
diff --git a/Xi/sendexev.c b/Xi/sendexev.c
index eac9abe..9803cf3 100644
--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
@@ -83,7 +83,7 @@ int
SProcXSendExtensionEvent(ClientPtr client)
{
char n;
- long *p;
+ CARD32 *p;
int i;
xEvent eventT;
xEvent *eventP;
@@ -94,6 +94,11 @@ SProcXSendExtensionEvent(ClientPtr client)
REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
swapl(&stuff->destination, n);
swaps(&stuff->count, n);
+
+ if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
+ (stuff->num_events * (sizeof(xEvent) >> 2)))
+ return BadLength;
+
eventP = (xEvent *) & stuff[1];
for (i = 0; i < stuff->num_events; i++, eventP++) {
proc = EventSwapVector[eventP->u.u.type & 0177];
@@ -103,11 +108,8 @@ SProcXSendExtensionEvent(ClientPtr client)
*eventP = eventT;
}
- p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
- for (i = 0; i < stuff->count; i++) {
- swapl(p, n);
- p++;
- }
+ p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
+ SwapLongs(p, stuff->count);
return (ProcXSendExtensionEvent(client));
}
commit 4848d49d05a318559afe7a17a19ba055947ee1f5
Author: Matthieu Herrb <[EMAIL PROTECTED]>
Date: Thu Jan 17 15:28:03 2008 +0100
Fix for CVE-2007-6428 - TOG-cup extension memory corruption.
diff --git a/Xext/cup.c b/Xext/cup.c
index 6bfa278..781b9ce 100644
--- a/Xext/cup.c
+++ b/Xext/cup.c
@@ -196,6 +196,9 @@ int ProcGetReservedColormapEntries(
REQUEST_SIZE_MATCH (xXcupGetReservedColormapEntriesReq);
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
#ifndef HAVE_SPECIAL_DESKTOP_COLORS
citems[CUP_BLACK_PIXEL].pixel =
screenInfo.screens[stuff->screen]->blackPixel;
commit 59a3b83922c810316a374a19484b24901c7437ae
Author: Matthieu Herrb <[EMAIL PROTECTED]>
Date: Thu Jan 17 15:26:41 2008 +0100
Fix for CVE-2007-5760 - XFree86 Misc extension out of bounds array index
diff --git a/hw/xfree86/common/xf86MiscExt.c b/hw/xfree86/common/xf86MiscExt.c
index c1b9c60..40c196a 100644
--- a/hw/xfree86/common/xf86MiscExt.c
+++ b/hw/xfree86/common/xf86MiscExt.c
@@ -548,6 +548,10 @@ MiscExtPassMessage(int scrnIndex, const char *msgtype,
const char *msgval,
{
ScrnInfoPtr pScr = xf86Screens[scrnIndex];
+ /* should check this in the protocol, but xf86NumScreens isn't exported */
+ if (scrnIndex >= xf86NumScreens)
+ return BadValue;
+
if (*pScr->HandleMessage == NULL)
return BadImplementation;
return (*pScr->HandleMessage)(scrnIndex, msgtype, msgval, retstr);
commit 636aa9e7be2822a0148067a11499ad48fe682cd9
Author: Daniel Stone <[EMAIL PROTECTED]>
Date: Sat Jan 5 10:47:39 2008 +0200
Xephyr: One-time keyboard leak fix
Don't leak the originally-allocated keysym map.
(cherry picked from commit e85130c85f727466fc27be1cfa46c88b257499fb)
diff --git a/hw/kdrive/ephyr/ephyr.c b/hw/kdrive/ephyr/ephyr.c
index 27165a5..86e8f1f 100644
--- a/hw/kdrive/ephyr/ephyr.c
+++ b/hw/kdrive/ephyr/ephyr.c
@@ -915,6 +915,7 @@ EphyrKeyboardInit (KdKeyboardInfo *ki)
ki->minScanCode = ki->keySyms.minKeyCode;
ki->maxScanCode = ki->keySyms.maxKeyCode;
ki->keySyms.mapWidth = ephyrKeySyms.mapWidth;
+ xfree(ki->keySyms.map);
ki->keySyms.map = ephyrKeySyms.map;
ki->name = KdSaveString("Xephyr virtual keyboard");
ephyrKbd = ki;
commit 8a3acd3ec41b887b4aeaa0b2932265522c1e2836
Author: Daniel Stone <[EMAIL PROTECTED]>
Date: Sat Jan 5 10:43:53 2008 +0200
XKB: XkbCopyKeymap: Don't leak all the sections
Previously, we'd just keep num_sections at 0, which would break the
geometry and lead us to leak sections. Don't do that.
(cherry picked from commit 0137b0394a248f694448a7d97c9a1a3efcf24e81)
diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
index c7f9a26..e90df0d 100644
--- a/xkb/xkbUtils.c
+++ b/xkb/xkbUtils.c
@@ -1770,6 +1770,7 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr dst, Bool
sendNotifies)
if (!tmp)
return FALSE;
dst->geom->sections = tmp;
+ dst->geom->num_sections = src->geom->num_sections;
for (i = 0,
ssection = src->geom->sections,
commit 02e805f0ff4b6af551372ba5fc5fb369c8834d1d
Author: Daniel Stone <[EMAIL PROTECTED]>
Date: Sat Jan 5 10:38:16 2008 +0200
OS: IO: Zero out client buffers
For alignment reasons, we can write out uninitialised bytes, so allocate
the whole thing with xcalloc.
(cherry picked from commit b99a43dfe97c1813e1c61f298b1c83c5d5ca88a2)
diff --git a/os/io.c b/os/io.c
index 9de75ee..a8b84fb 100644
--- a/os/io.c
+++ b/os/io.c
@@ -1197,7 +1197,7 @@ AllocateOutputBuffer(void)
oco = (ConnectionOutputPtr)xalloc(sizeof(ConnectionOutput));
if (!oco)
return (ConnectionOutputPtr)NULL;
- oco->buf = (unsigned char *) xalloc(BUFSIZE);
+ oco->buf = (unsigned char *) xcalloc(1, BUFSIZE);
if (!oco->buf)
{
xfree(oco);
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
