Commit db1e74cf authored by Natanael Copa's avatar Natanael Copa

main/libx11: security fix (CVE-2013-1981,CVE-2013-1997,CVE-2013-2004)

ref #1931
fixes #1932
parent 1a41cbf7
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libx11
pkgver=1.5.0
pkgrel=0
pkgrel=1
pkgdesc="X11 client-side library"
url="http://xorg.freedesktop.org/"
arch="all"
......@@ -12,20 +12,36 @@ depends_dev="libxcb-dev xproto xextproto xf86bigfontproto xtrans kbproto
inputproto"
makedepends="$depends_dev util-macros pkgconfig"
source="http://xorg.freedesktop.org/releases/individual/lib/libX11-$pkgver.tar.bz2
CVE-2013-1981_CVE-2013-1997_CVE-2013-2004.patch
"
_builddir="$srcdir"/libX11-$pkgver
prepare() {
cd "$_builddir"
for i in $source; do
case $i in
*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
esac
done
}
build() {
cd "$srcdir"/libX11-$pkgver
cd "$_builddir"
./configure --prefix=/usr \
--with-xcb || return 1
make
}
package() {
cd "$srcdir"/libX11-$pkgver
cd "$_builddir"
make DESTDIR="$pkgdir" install || return 1
rm "$pkgdir"/usr/lib/*.la || return 1
install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
}
md5sums="78b4b3bab4acbdf0abcfca30a8c70cc6 libX11-1.5.0.tar.bz2"
md5sums="78b4b3bab4acbdf0abcfca30a8c70cc6 libX11-1.5.0.tar.bz2
9b09fd2ec7d077f610eca0aad4f51927 CVE-2013-1981_CVE-2013-1997_CVE-2013-2004.patch"
sha256sums="c382efd7e92bfc3cef39a4b7f1ecf2744ba4414a705e3bc1e697f75502bd4d86 libX11-1.5.0.tar.bz2
fa236b5b55b4df0117f6e3c3ea1d857139b122a1e143270968bb02a06aef7cb7 CVE-2013-1981_CVE-2013-1997_CVE-2013-2004.patch"
sha512sums="bbcfbaf306d4fff62d2f63daa5312f05bce1dc9655b0b259d77fbd3a39f51e31f9d127ab874a4895868c0ab70599c0b2e05bc984d9ed81c844ae456f77785083 libX11-1.5.0.tar.bz2
7526bd438b930a22249907ea797548335b4a8b61e8b37348e57a9869225f340328e3833187ca755bf55af8afa81c49889f0af4d48cf179bffb11a0d13b43ee95 CVE-2013-1981_CVE-2013-1997_CVE-2013-2004.patch"
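Review bot: `build()` still runs `./configure` straight after `prepare()` applies the patch, yet the visible part of that patch edits `modules/im/ximcp/Makefile.am` (adding `-I$(top_srcdir)/src`) so that `imLcPrs.c` can include `pathmax.h`; a `Makefile.am` edit only reaches the compiler once `Makefile.in` is regenerated. Unless the rest of the patch also carries the matching `Makefile.in` change, I would expect either a build failure or a fallback to automake's rebuild rules, and `makedepends` lists neither autoconf nor automake. Please confirm which applies, and if regeneration is needed add `autoreconf -vif || return 1` at the end of `prepare()` together with the autotools packages in `makedepends`. Separately, `"$srcdir"/$i` leaves `$i` unquoted; `"$srcdir/$i"` is the safer spelling.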
diff --git a/include/X11/Xlibint.h b/include/X11/Xlibint.h
index 80edeec..d56482a 100644
--- a/include/X11/Xlibint.h
+++ b/include/X11/Xlibint.h
@@ -693,19 +693,10 @@ extern void _XRead32(
}
-#ifdef MUSTCOPY
-
-/* for when 32-bit alignment is not good enough */
-#define OneDataCard32(dpy,dstaddr,srcvar) \
- { dpy->bufptr -= 4; Data32 (dpy, (char *) &(srcvar), 4); }
-
-#else
-
/* srcvar must be a variable for large architecture version */
#define OneDataCard32(dpy,dstaddr,srcvar) \
{ *(CARD32 *)(dstaddr) = (srcvar); }
-#endif /* MUSTCOPY */
typedef struct _XInternalAsync {
struct _XInternalAsync *next;
@@ -860,6 +851,15 @@ typedef struct _XExten { /* private to extension mechanism */
struct _XExten *next_flush; /* next in list of those with flushes */
} _XExtension;
+/* Temporary definition until we can depend on an xproto release with it */
+#ifdef _X_COLD
+# define _XLIB_COLD _X_COLD
+#elif defined(__GNUC__) && ((__GNUC__ * 100 + __GNUC_MINOR__) >= 403) /* 4.3+ */
+# define _XLIB_COLD __attribute__((__cold__))
+#else
+# define _XLIB_COLD /* nothing */
+#endif
+
/* extension hooks */
#ifdef DataRoutineIsProcedure
@@ -882,7 +882,14 @@ extern int (*_XErrorFunction)(
extern void _XEatData(
Display* /* dpy */,
unsigned long /* n */
-);
+) _XLIB_COLD;
+extern void _XEatDataWords(
+ Display* /* dpy */,
+ unsigned long /* n */
+) _XLIB_COLD;
+#if defined(__SUNPRO_C) /* Studio compiler alternative to "cold" attribute */
+# pragma rarely_called(_XEatData, _XEatDataWords)
+#endif
extern char *_XAllocScratch(
Display* /* dpy */,
unsigned long /* nbytes */
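Review bot: The new `_XEatDataWords` prototype has the same signature as `_XEatData` and no comment saying what unit `n` is in, which makes it easy to pass a byte count to one or a word count to the other. Judging by the name and by the `_XEatDataWords(dpy, rep.length)` call added in src/AllCells.c, `n` looks like a count of 4-byte protocol words, but the definition is not part of this hunk, so that should be confirmed. I would add a comment above the declaration such as `/* n is a length in 4-byte words, as in rep.length; use _XEatData for byte counts */`.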
diff --git a/modules/im/ximcp/Makefile.am b/modules/im/ximcp/Makefile.am
index 16a6ca8..8aae839 100644
--- a/modules/im/ximcp/Makefile.am
+++ b/modules/im/ximcp/Makefile.am
@@ -6,6 +6,7 @@ AM_CPPFLAGS= \
-I$(top_srcdir)/src/xcms \
-I$(top_srcdir)/src/xkb \
-I$(top_srcdir)/src/xlibi18n \
+ -I$(top_srcdir)/src \
-D_BSD_SOURCE -DXIM_t -DTRANS_CLIENT
AM_CFLAGS= \
diff --git a/modules/im/ximcp/imLcPrs.c b/modules/im/ximcp/imLcPrs.c
index 4e54385..f3627a0 100644
--- a/modules/im/ximcp/imLcPrs.c
+++ b/modules/im/ximcp/imLcPrs.c
@@ -41,6 +41,8 @@ OR PERFORMANCE OF THIS SOFTWARE.
#include "Ximint.h"
#include <sys/stat.h>
#include <stdio.h>
+#include <limits.h>
+#include "pathmax.h"
#define XLC_BUFSIZE 256
@@ -56,6 +58,8 @@ extern int _Xmbstoutf8(
int len
);
+static void parsestringfile(FILE *fp, Xim im, int depth);
+
/*
* Parsing File Format:
*
@@ -304,9 +308,9 @@ static char*
TransFileName(Xim im, char *name)
{
char *home = NULL, *lcCompose = NULL;
- char dir[XLC_BUFSIZE];
- char *i = name, *ret, *j;
- int l = 0;
+ char dir[XLC_BUFSIZE] = "";
+ char *i = name, *ret = NULL, *j;
+ size_t l = 0;
while (*i) {
if (*i == '%') {
@@ -316,30 +320,51 @@ TransFileName(Xim im, char *name)
l++;
break;
case 'H':
- home = getenv("HOME");
- if (home)
- l += strlen(home);
+ if (home == NULL)
+ home = getenv("HOME");
+ if (home) {
+ size_t Hsize = strlen(home);
+ if (Hsize > PATH_MAX)
+ /* your home directory length is ridiculous */
+ goto end;
+ l += Hsize;
+ }
break;
case 'L':
if (lcCompose == NULL)
lcCompose = _XlcFileName(im->core.lcd, COMPOSE_FILE);
- if (lcCompose)
- l += strlen(lcCompose);
+ if (lcCompose) {
+ size_t Lsize = strlen(lcCompose);
+ if (Lsize > PATH_MAX)
+ /* your compose pathname length is ridiculous */
+ goto end;
+ l += Lsize;
+ }
break;
case 'S':
- xlocaledir(dir, XLC_BUFSIZE);
- l += strlen(dir);
+ if (dir[0] == '\0')
+ xlocaledir(dir, XLC_BUFSIZE);
+ if (dir[0]) {
+ size_t Ssize = strlen(dir);
+ if (Ssize > PATH_MAX)
+ /* your locale directory path length is ridiculous */
+ goto end;
+ l += Ssize;
+ }
break;
}
} else {
l++;
}
i++;
+ if (l > PATH_MAX)
+ /* your expanded path length is ridiculous */
+ goto end;
}
j = ret = Xmalloc(l+1);
if (ret == NULL)
- return ret;
+ goto end;
i = name;
while (*i) {
if (*i == '%') {
@@ -371,6 +396,7 @@ TransFileName(Xim im, char *name)
}
}
*j = '\0';
+end:
Xfree(lcCompose);
return ret;
}
@@ -423,7 +449,8 @@ static int
parseline(
FILE *fp,
Xim im,
- char* tokenbuf)
+ char* tokenbuf,
+ int depth)
{
int token;
DTModifier modifier_mask;
@@ -470,11 +497,13 @@ parseline(
goto error;
if ((filename = TransFileName(im, tokenbuf)) == NULL)
goto error;
+ if (++depth > 100)
+ goto error;
infp = _XFopenFile(filename, "r");
Xfree(filename);
if (infp == NULL)
goto error;
- _XimParseStringFile(infp, im);
+ parsestringfile(infp, im, depth);
fclose(infp);
return (0);
} else if ((token == KEY) && (strcmp("None", tokenbuf) == 0)) {
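Review bot: The new `if (++depth > 100) goto error;` sits between the `TransFileName()` call that allocates `filename` and the `Xfree(filename)` two lines later, so the depth-exceeded path skips the only free visible in this hunk. Whether the `error:` label releases `filename` cannot be seen here because parseline's body continues outside the hunk; if it does not, every over-deep include leaks one path buffer. Moving the check ahead of the allocation avoids the question: put `if (++depth > 100) goto error;` before `if ((filename = TransFileName(im, tokenbuf)) == NULL)`. The limit of 100 would also read better as a named constant with a comment on why that depth was chosen.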
@@ -668,17 +697,28 @@ _XimParseStringFile(
FILE *fp,
Xim im)
{
+ parsestringfile(fp, im, 0);
+}
+
+static void
+parsestringfile(
+ FILE *fp,
+ Xim im,
+ int depth)
+{
char tb[8192];
char* tbp;
struct stat st;
if (fstat (fileno (fp), &st) != -1) {
unsigned long size = (unsigned long) st.st_size;
+ if (st.st_size >= INT_MAX)
+ return;
if (size <= sizeof tb) tbp = tb;
else tbp = malloc (size);
if (tbp != NULL) {
- while (parseline(fp, im, tbp) >= 0) {}
+ while (parseline(fp, im, tbp, depth) >= 0) {}
if (tbp != tb) free (tbp);
}
}
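Review bot: The `st.st_size >= INT_MAX` guard in `parsestringfile` runs after `st.st_size` has already been cast to `unsigned long`, and it still lets a file just under 2 GiB reach `malloc (size)`; a negative `st_size` would also pass the guard and become a very large `size`. Because this function is now re-entered from `parseline` up to the depth limit, each level also keeps the 8192-byte `tb` on the stack, roughly 800 KiB at depth 100, which may matter for threads with small stacks. I would test before the cast with `if (st.st_size < 0 || st.st_size >= INT_MAX) return;` and consider a much lower, documented ceiling for compose files. The end of the function lies outside this hunk.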
diff --git a/modules/im/ximcp/imTrX.c b/modules/im/ximcp/imTrX.c
index d85d1d1..d6f4c49 100644
--- a/modules/im/ximcp/imTrX.c
+++ b/modules/im/ximcp/imTrX.c
@@ -372,7 +372,7 @@ _XimXGetReadData(
XFree(prop_ret);
return False;
}
- if (buf_len >= length) {
+ if (buf_len >= (int)nitems) {
(void)memcpy(buf, prop_ret, (int)nitems);
*ret_len = (int)nitems;
if (bytes_after_ret > 0) {
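Review bot: `buf_len >= (int)nitems` compares only after narrowing `nitems` to `int`, so a value above INT_MAX would turn negative, pass the test, and then reach `memcpy(buf, prop_ret, (int)nitems)` as a very large size. The declaration of `nitems` is outside the hunk, but the cast suggests it is wider than `int`. Comparing in the wider type avoids relying on the request length to bound it: `if (buf_len >= 0 && (unsigned long)buf_len >= nitems) {`. The copy also treats `nitems` as a byte count, which presumably holds only for 8-bit-format properties; a comment or a check on the returned format would make that assumption explicit. `_XimXGetReadData` starts and ends outside this hunk.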
diff --git a/modules/om/generic/omXChar.c b/modules/om/generic/omXChar.c
index ff517d5..c9bbb8e 100644
--- a/modules/om/generic/omXChar.c
+++ b/modules/om/generic/omXChar.c
@@ -262,47 +262,6 @@ _XomGetFontSetFromCharSet(
return (FontSet) NULL;
}
-#ifdef MUSTCOPY
-static void
-cs_to_xchar2b(
- register char *from,
- register XChar2b *to,
- register length)
-{
- while (length-- > 0) {
- to->byte1 = *from++;
- to->byte2 = *from++;
- to++;
- }
-}
-
-static void
-cs_to_xchar2b_gl(
- register char *from,
- register XChar2b *to,
- register length)
-{
- while (length-- > 0) {
- to->byte1 = *from++ & 0x7f;
- to->byte2 = *from++ & 0x7f;
- to++;
- }
-}
-
-static void
-cs_to_xchar2b_gr(
- register char *from,
- register XChar2b *to,
- register length)
-{
- while (length-- > 0) {
- to->byte1 = *from++ | 0x80;
- to->byte2 = *from++ | 0x80;
- to++;
- }
-}
-#endif
-
static void
shift_to_gl(
register char *text,
@@ -358,10 +317,6 @@ _XomConvert(
XlcCharSet charset;
int length, cs_left, ret;
FontSet font_set;
-#ifdef MUSTCOPY
- XChar2b *xchar2b;
- char *buf, buf_local[BUFSIZ];
-#endif
cs = *to;
cs_left = *to_left;
@@ -380,46 +335,18 @@ _XomConvert(
length = *to_left - cs_left;
-#ifdef MUSTCOPY
- if (font_set->is_xchar2b) {
- buf = (length > BUFSIZ) ? Xmalloc(length) : buf_local;
- if (buf == NULL)
- return -1;
- memcpy(buf, (char *) *to, length);
-
- xchar2b = (XChar2b *) *to;
- length >>= 1;
-
- if (font_set->side == charset->side)
- cs_to_xchar2b(buf, xchar2b, length);
- else if (font_set->side == XlcGL)
- cs_to_xchar2b_gl(buf, xchar2b, length);
+ if (font_set->side != charset->side) {
+ if (font_set->side == XlcGL)
+ shift_to_gl(*to, length);
else if (font_set->side == XlcGR)
- cs_to_xchar2b_gr(buf, xchar2b, length);
- else
- cs_to_xchar2b(buf, xchar2b, length);
-
- if (buf != buf_local)
- Xfree(buf);
-
- *to = (XPointer) (xchar2b + length);
- *to_left -= length;
- } else
-#endif
- {
- if (font_set->side != charset->side) {
- if (font_set->side == XlcGL)
- shift_to_gl(*to, length);
- else if (font_set->side == XlcGR)
- shift_to_gr(*to, length);
- }
-
- if (font_set->is_xchar2b)
- length >>= 1;
- *to = cs;
- *to_left -= length;
+ shift_to_gr(*to, length);
}
+ if (font_set->is_xchar2b)
+ length >>= 1;
+ *to = cs;
+ *to_left -= length;
+
*((XFontStruct **) args[0]) = font_set->font;
*((Bool *) args[1]) = font_set->is_xchar2b;
if(num_args >= 3){
diff --git a/src/AllCells.c b/src/AllCells.c
index ddd9c22..6e97e11 100644
--- a/src/AllCells.c
+++ b/src/AllCells.c
@@ -53,8 +53,13 @@ Status XAllocColorCells(
status = _XReply(dpy, (xReply *)&rep, 0, xFalse);
if (status) {
- _XRead32 (dpy, (long *) pixels, 4L * (long) (rep.nPixels));
- _XRead32 (dpy, (long *) masks, 4L * (long) (rep.nMasks));
+ if ((rep.nPixels > ncolors) || (rep.nMasks > nplanes)) {
+ _XEatDataWords(dpy, rep.length);
+ status = 0; /* Failure */
+ } else {
+ _XRead32 (dpy, (long *) pixels, 4L * (long) (rep.nPixels));
+ _XRead32 (dpy, (long *) masks, 4L * (long) (rep.nMasks));
+ }
}
UnlockDisplay(dpy);
diff --git a/src/ChWindow.c b/src/ChWindow.c
index fbd6e88..89a81e1 100644
--- a/src/ChWindow.c
+++ b/src/ChWindow.c
@@ -43,20 +43,11 @@ XResizeWindow(
req->window = w;
req->mask = CWWidth | CWHeight;
-#ifdef MUSTCOPY
- {
- unsigned long lwidth = width, lheight = height;
- dpy->bufptr -= 8;
- Data32 (dpy, (long *) &lwidth, 4); /* order dictated by values of */
- Data32 (dpy, (long *) &lheight, 4); /* CWWidth and CWHeight */
- }
-#else
{
CARD32 *valuePtr = (CARD32 *) NEXTPTR(req,xConfigureWindowReq);
*valuePtr++ = width;
*valuePtr = height;
}
-#endif /* MUSTCOPY */
UnlockDisplay(dpy);
SyncHandle();
return 1;
diff --git a/src/Cmap.h b/src/Cmap.h
index 062b538..78cc3ea 100644
--- a/src/Cmap.h
+++ b/src/Cmap.h
@@ -2,6 +2,8 @@
#ifndef _CMAP_H_
#define _CMAP_H_
+#include <X11/Xlib.h>
+
extern void
_XcmsDeleteCmapRec(
Display *dpy,
diff --git a/src/ConfWind.c b/src/ConfWind.c
index dd55b44..eefce4d 100644
--- a/src/ConfWind.c
+++ b/src/ConfWind.c
@@ -44,18 +44,6 @@ XMoveResizeWindow(
GetReqExtra(ConfigureWindow, 16, req);
req->window = w;
req->mask = CWX | CWY | CWWidth | CWHeight;
-#ifdef MUSTCOPY
- {
- long lx = x, ly = y;
- unsigned long lwidth = width, lheight = height;
-
- dpy->bufptr -= 16;
- Data32 (dpy, (long *) &lx, 4); /* order must match values of */
- Data32 (dpy, (long *) &ly, 4); /* CWX, CWY, CWWidth, and CWHeight */
- Data32 (dpy, (long *) &lwidth, 4);
- Data32 (dpy, (long *) &lheight, 4);
- }
-#else
{
register CARD32 *valuePtr =
(CARD32 *) NEXTPTR(req,xConfigureWindowReq);
@@ -64,7 +52,6 @@ XMoveResizeWindow(
*valuePtr++ = width;
*valuePtr = height;
}
-#endif /* MUSTCOPY */
UnlockDisplay(dpy);
SyncHandle();
return 1;
diff --git a/src/Context.c b/src/Context.c
index 79ae7d6..4bb465b 100644
--- a/src/Context.c
+++ b/src/Context.c
@@ -111,7 +111,7 @@ static void ResizeTable(DB db)
otable = db->table;
for (i = INITHASHMASK+1; (i + i) < db->numentries; )
i += i;
- db->table = (TableEntry *) Xcalloc((unsigned)i, sizeof(TableEntry));
+ db->table = Xcalloc(i, sizeof(TableEntry));
if (!db->table) {
db->table = otable;
return;
@@ -180,11 +180,11 @@ int XSaveContext(
UnlockDisplay(display);
}
if (!db) {
- db = (DB) Xmalloc(sizeof(DBRec));
+ db = Xmalloc(sizeof(DBRec));
if (!db)
return XCNOMEM;
db->mask = INITHASHMASK;
- db->table = (TableEntry *)Xcalloc(db->mask + 1, sizeof(TableEntry));
+ db->table = Xcalloc(db->mask + 1, sizeof(TableEntry));
if (!db->table) {
Xfree((char *)db);
return XCNOMEM;
@@ -210,7 +210,7 @@ int XSaveContext(
return 0;
}
}
- entry = (TableEntry) Xmalloc(sizeof(TableEntryRec));
+ entry = Xmalloc(sizeof(TableEntryRec));
if (!entry)
return XCNOMEM;
entry->rid = rid;
diff --git a/src/Cr.h b/src/Cr.h
index 800c9ab..635e9e4 100644
--- a/src/Cr.h
+++ b/src/Cr.h
@@ -2,6 +2,8 @@
#ifndef _CR_H_
#define _CR_H_
+#include <X11/Xlib.h>
+
extern int _XUpdateGCCache(
register GC gc,
register unsigned long mask,
diff --git a/src/CrGC.c b/src/CrGC.c
index 11de94c..2d5f17c 100644
--- a/src/CrGC.c
+++ b/src/CrGC.c
@@ -72,7 +72,7 @@ GC XCreateGC (
register _XExtension *ext;
LockDisplay(dpy);
- if ((gc = (GC)Xmalloc (sizeof(struct _XGC))) == NULL) {
+ if ((gc = Xmalloc (sizeof(struct _XGC))) == NULL) {
UnlockDisplay(dpy);
SyncHandle();
return (NULL);
diff --git a/src/CrWindow.c b/src/CrWindow.c
index 23f7ddc..7b54601 100644
--- a/src/CrWindow.c
+++ b/src/CrWindow.c
@@ -57,20 +57,11 @@ Window XCreateSimpleWindow(
wid = req->wid = XAllocID(dpy);
req->mask = CWBackPixel | CWBorderPixel;
-#ifdef MUSTCOPY
- {
- unsigned long lbackground = background, lborder = border;
- dpy->bufptr -= 8;
- Data32 (dpy, (long *) &lbackground, 4);
- Data32 (dpy, (long *) &lborder, 4);
- }
-#else
{
register CARD32 *valuePtr = (CARD32 *) NEXTPTR(req,xCreateWindowReq);
*valuePtr++ = background;
*valuePtr = border;
}
-#endif /* MUSTCOPY */
UnlockDisplay(dpy);
SyncHandle();
diff --git a/src/Depths.c b/src/Depths.c
index f49655c..a8b719d 100644
--- a/src/Depths.c
+++ b/src/Depths.c
@@ -49,7 +49,7 @@ int *XListDepths (
register Depth *dp;
register int i;
- depths = (int *) Xmalloc (count * sizeof(int));
+ depths = Xmalloc (count * sizeof(int));
if (!depths) return NULL;
for (i = 0, dp = scr->depths; i < count; i++, dp++)
depths[i] = dp->depth;
diff --git a/src/DrArc.c b/src/DrArc.c
index 1dc4a07..d72fac9 100644
--- a/src/DrArc.c
+++ b/src/DrArc.c
@@ -49,12 +49,6 @@ XDrawArc(
{
register xPolyArcReq *req;
register xArc *arc;
-#ifdef MUSTCOPY
- xArc arcdata;
- long len = SIZEOF(xArc);
-
- arc = &arcdata;
-#endif /* MUSTCOPY */
LockDisplay(dpy);
FlushGC(dpy, gc);
@@ -63,9 +57,7 @@ XDrawArc(
req->drawable = d;
req->gc = gc->gid;
-#ifndef MUSTCOPY
arc = (xArc *) NEXTPTR(req,xPolyArcReq);
-#endif /* MUSTCOPY */
arc->x = x;
arc->y = y;
@@ -74,10 +66,6 @@ XDrawArc(
arc->angle1 = angle1;
arc->angle2 = angle2;
-#ifdef MUSTCOPY