Commit a9923133 authored by Natanael Copa's avatar Natanael Copa

main/libxtst: upgrade to 1.2.2

parent 292a8a8c
From 46ed6283034b5b7d14584009453f5d974cfacf1e Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 11:05:27 -0700
Subject: [PATCH 1/2] Use _XEatDataWords to eat data in error cases
Avoids having to do calculcations based on response contents
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
configure.ac | 6 ++++++
src/XRecord.c | 23 +++++++++++++++++------
2 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/configure.ac b/configure.ac
index 7ef0153..d83d4d8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -47,6 +47,12 @@ XORG_CHECK_SGML_DOCTOOLS(1.8)
# Obtain compiler/linker options for depedencies
PKG_CHECK_MODULES(XTST, x11 [xext >= 1.0.99.4] xi [recordproto >= 1.13.99.1] [xextproto >= 7.0.99.3] inputproto)
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XTST_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
# Determine if the source for man pages is available
# It may already be present (tarball) or can be generated using xmlto
AM_CONDITIONAL([INSTALL_MANPAGES],
diff --git a/src/XRecord.c b/src/XRecord.c
index b65451c..ba628b6 100644
--- a/src/XRecord.c
+++ b/src/XRecord.c
@@ -49,6 +49,9 @@ from The Open Group.
* By Stephen Gildea, X Consortium, and Martha Zimet, NCD.
*/
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
#include <stdio.h>
#include <assert.h>
#include <X11/Xlibint.h>
@@ -56,6 +59,18 @@ from The Open Group.
#include <X11/extensions/extutil.h>
#include <X11/extensions/recordproto.h>
#include <X11/extensions/record.h>
+#include <limits.h>
+
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif
static XExtensionInfo _xrecord_info_data;
static XExtensionInfo *xrecord_info = &_xrecord_info_data;
@@ -427,7 +442,7 @@ XRecordGetContext(Display *dpy, XRecordContext context,
ret = (XRecordState*)Xmalloc(sizeof(XRecordState));
if (!ret) {
- /* XXX - eat data */
+ _XEatDataWords (dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return 0;
@@ -446,11 +461,7 @@ XRecordGetContext(Display *dpy, XRecordContext context,
}
if (!client_inf || !client_inf_str)
{
- for(i = 0; i < count; i++)
- {
- _XEatData (dpy, sizeof(xRecordClientInfo));
- _XEatData (dpy, SIZEOF(xRecordRange)); /* XXX - don't know how many */
- }
+ _XEatDataWords (dpy, rep.length);
UnlockDisplay(dpy);
XRecordFreeState(ret);
SyncHandle();
--
1.8.2.3
From e7e04b7be3f018ad636aba3a36bfc1cd80b9906d Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 11:27:26 -0700
Subject: [PATCH 2/2] integer overflow in XRecordGetContext() [CVE-2013-2063]
The nclients and nranges members of the reply are both CARD32 and need
to be bounds checked before multiplying by the size of the structs to
avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/XRecord.c | 32 +++++++++++++++++++++-----------
1 file changed, 21 insertions(+), 11 deletions(-)
diff --git a/src/XRecord.c b/src/XRecord.c
index ba628b6..5bbd5ac 100644
--- a/src/XRecord.c
+++ b/src/XRecord.c
@@ -420,11 +420,9 @@ XRecordGetContext(Display *dpy, XRecordContext context,
XExtDisplayInfo *info = find_display (dpy);
register xRecordGetContextReq *req;
xRecordGetContextReply rep;
- int count, i, rn;
+ unsigned int count, i, rn;
xRecordRange xrange;
- XRecordRange *ranges = NULL;
xRecordClientInfo xclient_inf;
- XRecordClientInfo **client_inf, *client_inf_str = NULL;
XRecordState *ret;
XRecordCheckExtension (dpy, info, 0);
@@ -454,13 +452,18 @@ XRecordGetContext(Display *dpy, XRecordContext context,
if (count)
{
- client_inf = (XRecordClientInfo **) Xcalloc(count, sizeof(XRecordClientInfo*));
- ret->client_info = client_inf;
- if (client_inf != NULL) {
- client_inf_str = (XRecordClientInfo *) Xmalloc(count*sizeof(XRecordClientInfo));
+ XRecordClientInfo **client_inf = NULL;
+ XRecordClientInfo *client_inf_str = NULL;
+
+ if (count < (INT_MAX / sizeof(XRecordClientInfo))) {
+ client_inf = Xcalloc(count, sizeof(XRecordClientInfo *));
+ if (client_inf != NULL)
+ client_inf_str = Xmalloc(count * sizeof(XRecordClientInfo));
}
+ ret->client_info = client_inf;
if (!client_inf || !client_inf_str)
{
+ free(client_inf);
_XEatDataWords (dpy, rep.length);
UnlockDisplay(dpy);
XRecordFreeState(ret);
@@ -476,11 +479,18 @@ XRecordGetContext(Display *dpy, XRecordContext context,
if (xclient_inf.nRanges)
{
- client_inf_str[i].ranges = (XRecordRange**) Xcalloc(xclient_inf.nRanges, sizeof(XRecordRange*));
- if (client_inf_str[i].ranges != NULL) {
- ranges = (XRecordRange*)
- Xmalloc(xclient_inf.nRanges * sizeof(XRecordRange));
+ XRecordRange *ranges = NULL;
+
+ if (xclient_inf.nRanges < (INT_MAX / sizeof(XRecordRange))) {
+ client_inf_str[i].ranges =
+ Xcalloc(xclient_inf.nRanges, sizeof(XRecordRange *));
+ if (client_inf_str[i].ranges != NULL)
+ ranges =
+ Xmalloc(xclient_inf.nRanges * sizeof(XRecordRange));
}
+ else
+ client_inf_str[i].ranges = NULL;
+
if (!client_inf_str[i].ranges || !ranges) {
/* XXX eat data */
UnlockDisplay(dpy);
--
1.8.2.3
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxtst
pkgver=1.2.1
pkgrel=1
pkgver=1.2.2
pkgrel=0
pkgdesc="X11 Testing -- Resource extension library"
url="http://xorg.freedesktop.org/"
arch="all"
......@@ -9,10 +9,8 @@ license="custom"
subpackages="$pkgname-dev $pkgname-doc"
depends=
depends_dev="recordproto libx11-dev libxext-dev inputproto libxi-dev"
makedepends="$depends_dev libtool autoconf automake util-macros"
makedepends="$depends_dev"
source="http://xorg.freedesktop.org/releases/individual/lib/libXtst-$pkgver.tar.bz2
0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch
"
_builddir="$srcdir"/libXtst-$pkgver
......@@ -23,8 +21,6 @@ prepare() {
*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
esac
done
libtoolize --force && aclocal && autoheader && autoconf \
&& automake --add-missing
}
build() {
......@@ -41,12 +37,6 @@ package() {
install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/LICENSE
}
md5sums="e8abc5c00c666f551cf26aa53819d592 libXtst-1.2.1.tar.bz2
ef5006c916511e087973d797a60aaee1 0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
641e6194973b4d324f8278faa821b87a 0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch"
sha256sums="7eea3e66e392aca3f9dad6238198753c28e1c32fa4903cbb7739607a2504e5e0 libXtst-1.2.1.tar.bz2
bba7db9220b8a91b5ca71133af55414851d350e81c6142e74e7c44a3fc57c052 0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
d67b95b9bf1587e48bc4009d1d100ed1ee3a611ed07869bb157290064986db6f 0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch"
sha512sums="287c10a761d30acc988399e23de1ecb7c90d8bd4d363cd03cd0a02eb232e37b0943f359fae76a8e68504ccadc2b7c0117bfebee75e00a0b6f58397658f8ebe0d libXtst-1.2.1.tar.bz2
0144a420f78f5377acd2548355089596439437d1d19945532428a1cc5f263155f03ebfbba668f9c468525c579aa091d4ddf27006ec4d55246bd045a7e6ff9739 0001-Use-_XEatDataWords-to-eat-data-in-error-cases.patch
730a9ad7c8aafd8f161bf7cbbd4bbd2c62d4fc6cf50a69f5575a4c52e9a2d712e36bb4e3b9325f628a2f71115ce8797ac93aa7bf023d0abe7ba3603f33f47e81 0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch"
md5sums="25c6b366ac3dc7a12c5d79816ce96a59 libXtst-1.2.2.tar.bz2"
sha256sums="ef0a7ffd577e5f1a25b1663b375679529663a1880151beaa73e9186c8309f6d9 libXtst-1.2.2.tar.bz2"
sha512sums="1cf040f16d426e6a6d1cf8c0f966c171418c082165ae6e9bed6285cd45f144e4ef58bf74c6d34fd81e6894534d21df55efe5d0bc0b2a28f9bb9d74e168dd7369 libXtst-1.2.2.tar.bz2"
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment