If the X server returns color indexes outside the range of the number of
colors it told us to allocate, out of bounds memory access could occur.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
If the X server returns shape indexes outside the range of the number
of shapes it told us to allocate, out of bounds memory access could occur.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
If the X server returns more buttons than are allocated in the XKB
device info structures, out of bounds writes could occur.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
If a broken server returned larger than requested values for nPixels or
nMasks, XAllocColorCells would happily overflow the buffers provided by
the caller to write the results into.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
If the reported number of host entries is too large, the calculations
to allocate memory for them may overflow, leaving us writing beyond the
bounds of the allocation.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
If the reported number of motion events is too large, the calculations
to allocate memory for them may overflow, leaving us writing beyond the
bounds of the allocation.
v2: Ensure nEvents is set to 0 when returning NULL events pointer
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
If the reported number of remaining fonts is too large, the calculations
to allocate memory for them may overflow, leaving us writing beyond the
bounds of the allocation.
v2: Fix reply_left calculations, check calculated sizes fit in reply_left
v3: On error cases, also set values to be returned in pointer args to 0/NULL
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Similar to _XQueryFont, but with more ways to go wrong and overflow.
Only compiled if libX11 is built with XF86BigFont support.
v2: Fix reply_left calculations, check calculated sizes fit in reply_left
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
If the CARD32 reply.nCharInfos * sizeof(XCharStruct) overflows an
unsigned long, then too small of a buffer will be allocated for the
data copied in from the reply.
v2: Fix reply_left calculations, check calculated sizes fit in reply_left
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Matches the units of the length field in X protocol replies, and provides
a single implementation of overflow checking to avoid having to replicate
those checks in every caller.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Lets stop duplicating the mess all over
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
While the C standard technically allows for the compiler to translate
pointer = 0 or pointer = NULL into something other than filling the
pointer address with 0 bytes, the rest of the Xlib code already assumes
that calloc initializes any pointers in the struct to NULL, and there
are no known systems supported by X.Org where this is not true.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
MakeBigReq inserts a length field after the first 4 bytes of the request
(after req->length), pushing everything else back by 4 bytes.
The current memmove moves everything but the first 4 bytes back.
If a request aligns to the end of the buffer pointer when MakeBigReq is
invoked for that request, this runs over the buffer.
Instead, we need to memmove minus the first 4 bytes (which aren't moved),
minus the last 4 bytes (so we still align to the previous tail).
The 4 bytes that fell out are already handled with Data32, which will
handle the buffermax correctly.
The case where req->length = 1 was already not functional.
Reported by Abhishek Arya <inferno@chromium.org>.
https://bugzilla.mozilla.org/show_bug.cgi?id=803762
Reviewed-by: Jeff Muizelaar <jmuizelaar@mozilla.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Correct instances of dead_double_grave and dead_inverted_breve to
dead_doublegrave and dead_invertedbreve.
Signed-off-by: Ken Moffat <ken@linuxfromscratch.org>
Signed-off-by: James Cloos <cloos@jhcloos.com>
Don't provide a fallback definition #ifdef X_NOT_POSIX anymore.
We already use size_t throughout the rest of Xlib, just had this
one instance left in XKBGAlloc.c of a fallback definition.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Leftovers from XKB files that were previously shared between the client
and server code, but aren't any more.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(mostly performed with unifdef, followed by some manual cleanup of
the remaining code)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
WORD64 seems to have only been defined in <X11/Xmd.h> when building for
CRAY, to handle int being a 64-bit value (ILP64, not LP64) and having
64-bit alignment requirements.
It hadn't been fully supported even before autotooling, as can be
seen by removed code such as:
#ifdef WORD64
_XkbWriteCopyData32 Not Implemented Yet for sizeof(int)==8
#endif
(mostly performed with unifdef, followed by some manual cleanup of
the remaining code)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
MUSTCOPY seems to have only been defined in <X11/Xmd.h> when building for
CRAY, to handle missing some sizes of integer type.
(mostly performed with unifdef, followed by some manual cleanup of
spacing/indenting in the remaining code)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
You could analyze most of these and quickly recognize that there was no
chance of buffer overflow already, but why make everyone spend time doing
that when we can just make it obviously safe?
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Makes it easier for readers to understand scope of variable usage, and
clears up gcc warning:
KeysymStr.c: In function 'XKeysymToString':
KeysymStr.c:128:13: warning: declaration of 'i' shadows a previous local [-Wshadow]
KeysymStr.c:73:18: warning: shadowed declaration is here [-Wshadow]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Casts were annoying gcc by dropping constness when changing types,
when routines simply either copy data into the request buffer or
send it directly to the X server, and never modify the input.
Fixes gcc warnings including:
ChProp.c: In function 'XChangeProperty':
ChProp.c:65:6: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual]
ChProp.c:65:6: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual]
ChProp.c:74:6: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual]
ChProp.c:74:6: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual]
ChProp.c:83:6: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual]
SetHints.c: In function 'XSetStandardProperties':
SetHints.c:262:20: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual]
SetPntMap.c: In function 'XSetPointerMapping':
SetPntMap.c:46:5: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual]
SetPntMap.c:46:5: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual]
StBytes.c: In function 'XStoreBuffer':
StBytes.c:97:33: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual]
StName.c: In function 'XStoreName':
StName.c:40:27: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual]
StName.c: In function 'XSetIconName':
StName.c:51:27: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
The final } matches the one on the #define line, not one that doesn't
appear after the else statement it was lined up with
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
C89 defines memcpy as taking a const void *, so casting from
const unsigned char * to char * simply angers gcc for no benefit:
KeyBind.c:1017:24: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Fixes gcc warning:
cmsColNm.c: In function 'FirstCmp':
cmsColNm.c:257:20: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual]
cmsColNm.c:257:45: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
If exactly one of the two reallocs in XListFontsWithInfo() fails, the
subsequent code accesses memory freed by the other realloc.
Signed-off-by: Nickolai Zeldovich <nickolai@csail.mit.edu>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Has never been converted to build in modular builds, so has been unusable
since X11R7.0 release in 2005. DNETCONN support was removed from xtrans
back in 2008.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Has never been converted to build in modular builds, so has been unusable
since X11R7.0 release in 2005. All known platforms with TLI/XTI support
that X11R7 & later releases run on also have (and mostly prefer) BSD
socket support for their networking API.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
The config check of the results of testing for dlfcn.h or dl.h just tests the
value of the ac_cv_ variables, which will be 'yes' or 'no', rather than checking
it is 'yes', so loadable module support would always be detected.
This is necessary for successful compilation for the MinGW target without the
optional dlfcn-win32 library.
v2: Also, fixed typoed name of ac_cv_header_dlfcn_h, so check still works
correctly when dlfcn.h is available
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Dan Nicholson <dbn.lists@gmail.com>
This file is an architecture independent data and should be where
other databases are.
This is the Xlib provided sample file, applications are free to
use a different one specifying its location in the XCMSDB env
variable.
Signed-off-by: Egbert Eich <eich@freedesktop.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
The path to this file is configurable at build time. The source
however contains a hard coded path.
Signed-off-by: Egbert Eich <eich@freedesktop.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Making all occurances of iso8859 upper case in the full local name
makes the alias entries more consistent and match the entries on
locale.dir.
Signed-off-by: Egbert Eich <eich@freedesktop.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Both locales carry a copyright notice and a prorietary statement:
Copyright 1995 by FUJITSU LIMITED
This is source code modified by FUJITSU LIMITED under the Joint
Development Agreement for the CDEnext PST.
This is unpublished proprietary source code of FUJITSU LIMITED
Signed-off-by: Egbert Eich <eich@freedesktop.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Some entries for locale/encoding combinations were missing from
either file or just misspelled, some entries were wrong or just
aliases.
Signed-off-by: Egbert Eich <eich@freedesktop.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
locale.alias contains a comment:
XCOMM a3 is not an ISO 639 language code, but in Cyrillic, "Z" looks like "3".
Thus lets treat 'a3' as an alias for 'az'.
Signed-off-by: Egbert Eich <eich@freedesktop.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Magnus Kessler <Magnus.Kessler@gmx.net>
Fixing those typos those names actually match entries in
locale.dir.
Signed-off-by: Egbert Eich <eich@freedesktop.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Aliases to itself don't make much sense.
This changes occurances of:
xy_UV.UTF-8: xy_UV.UTF-8
to
xy_UV: xy_UV.UTF-8
where applicable.
Signed-off-by: Egbert Eich <eich@freedesktop.org>
Reviewed-by: James Cloos <cloos@jhcloos.com>
