forked from pool/xorg-x11-server
- Update to version 21.1
* This release fixes 2 recently reported security vulnerabilities in xkb, several regressions since 1.20.x and a number of miscellaneous bugs. - supersedes the following security patches * U_boo1194181-001-xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch * U_boo1194179-001-xkb-rename-xkb_h-to-xkb-procs_h.patch * U_boo1194179-002-xkb-add-request-length-validation-for-XkbSetGeometry.patch - supersedes U_Fix-build-with-gcc-12.patch OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=829
This commit is contained in:
parent
70daf87975
commit
51271c424a
@ -1,89 +0,0 @@
|
|||||||
From c6b0dcb82d4db07a2f32c09a8c09c85a5f57248e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Olivier Fourdan <ofourdan@redhat.com>
|
|
||||||
Date: Thu, 20 Jan 2022 10:20:38 +0100
|
|
||||||
Subject: [PATCH] render: Fix build with gcc 12
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
The xserver fails to compile with the latest gcc 12:
|
|
||||||
|
|
||||||
render/picture.c: In function ‘CreateSolidPicture’:
|
|
||||||
render/picture.c:874:26: error: array subscript ‘union _SourcePict[0]’ is partly outside array bounds of ‘unsigned char[16]’ [-Werror=array-bounds]
|
|
||||||
874 | pPicture->pSourcePict->type = SourcePictTypeSolidFill;
|
|
||||||
| ^~
|
|
||||||
render/picture.c:868:45: note: object of size 16 allocated by ‘malloc’
|
|
||||||
868 | pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictSolidFill));
|
|
||||||
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
render/picture.c: In function ‘CreateLinearGradientPicture’:
|
|
||||||
render/picture.c:906:26: error: array subscript ‘union _SourcePict[0]’ is partly outside array bounds of ‘unsigned char[32]’ [-Werror=array-bounds]
|
|
||||||
906 | pPicture->pSourcePict->linear.type = SourcePictTypeLinear;
|
|
||||||
| ^~
|
|
||||||
render/picture.c:899:45: note: object of size 32 allocated by ‘malloc’
|
|
||||||
899 | pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictLinearGradient));
|
|
||||||
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
render/picture.c: In function ‘CreateConicalGradientPicture’:
|
|
||||||
render/picture.c:989:26: error: array subscript ‘union _SourcePict[0]’ is partly outside array bounds of ‘unsigned char[32]’ [-Werror=array-bounds]
|
|
||||||
989 | pPicture->pSourcePict->conical.type = SourcePictTypeConical;
|
|
||||||
| ^~
|
|
||||||
render/picture.c:982:45: note: object of size 32 allocated by ‘malloc’
|
|
||||||
982 | pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictConicalGradient));
|
|
||||||
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
cc1: some warnings being treated as errors
|
|
||||||
ninja: build stopped: subcommand failed.
|
|
||||||
|
|
||||||
This is because gcc 12 has become stricter and raises a warning now.
|
|
||||||
|
|
||||||
Fix the warning/error by allocating enough memory to store the union
|
|
||||||
struct.
|
|
||||||
|
|
||||||
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
||||||
Acked-by: Michel Dänzer <mdaenzer@redhat.com>
|
|
||||||
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1256
|
|
||||||
---
|
|
||||||
render/picture.c | 8 ++++----
|
|
||||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/render/picture.c b/render/picture.c
|
|
||||||
index afa0d258f..2be4b1954 100644
|
|
||||||
--- a/render/picture.c
|
|
||||||
+++ b/render/picture.c
|
|
||||||
@@ -865,7 +865,7 @@ CreateSolidPicture(Picture pid, xRenderColor * color, int *error)
|
|
||||||
}
|
|
||||||
|
|
||||||
pPicture->id = pid;
|
|
||||||
- pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictSolidFill));
|
|
||||||
+ pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(SourcePict));
|
|
||||||
if (!pPicture->pSourcePict) {
|
|
||||||
*error = BadAlloc;
|
|
||||||
free(pPicture);
|
|
||||||
@@ -896,7 +896,7 @@ CreateLinearGradientPicture(Picture pid, xPointFixed * p1, xPointFixed * p2,
|
|
||||||
}
|
|
||||||
|
|
||||||
pPicture->id = pid;
|
|
||||||
- pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictLinearGradient));
|
|
||||||
+ pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(SourcePict));
|
|
||||||
if (!pPicture->pSourcePict) {
|
|
||||||
*error = BadAlloc;
|
|
||||||
free(pPicture);
|
|
||||||
@@ -936,7 +936,7 @@ CreateRadialGradientPicture(Picture pid, xPointFixed * inner,
|
|
||||||
}
|
|
||||||
|
|
||||||
pPicture->id = pid;
|
|
||||||
- pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictRadialGradient));
|
|
||||||
+ pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(SourcePict));
|
|
||||||
if (!pPicture->pSourcePict) {
|
|
||||||
*error = BadAlloc;
|
|
||||||
free(pPicture);
|
|
||||||
@@ -979,7 +979,7 @@ CreateConicalGradientPicture(Picture pid, xPointFixed * center, xFixed angle,
|
|
||||||
}
|
|
||||||
|
|
||||||
pPicture->id = pid;
|
|
||||||
- pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictConicalGradient));
|
|
||||||
+ pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(SourcePict));
|
|
||||||
if (!pPicture->pSourcePict) {
|
|
||||||
*error = BadAlloc;
|
|
||||||
free(pPicture);
|
|
||||||
--
|
|
||||||
GitLab
|
|
||||||
|
|
@ -1,155 +0,0 @@
|
|||||||
From 04a2689e96b42330718517b2a3950aa2bb1ca017 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
||||||
Date: Mon, 4 Jul 2022 09:42:53 +1000
|
|
||||||
Subject: [PATCH] xkb: rename xkb.h to xkb-procs.h
|
|
||||||
|
|
||||||
This header merely defines the various protocol request handlers, so
|
|
||||||
let's rename it to something less generic and remove its include from
|
|
||||||
all the files that don't actually need it (which is almost all of them).
|
|
||||||
|
|
||||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
||||||
Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
|
|
||||||
---
|
|
||||||
test/test_xkb.c | 1 -
|
|
||||||
xkb/ddxLoad.c | 1 -
|
|
||||||
xkb/{xkb.h => xkb-procs.h} | 0
|
|
||||||
xkb/xkb.c | 2 +-
|
|
||||||
xkb/xkbActions.c | 1 -
|
|
||||||
xkb/xkbEvents.c | 1 -
|
|
||||||
xkb/xkbInit.c | 1 -
|
|
||||||
xkb/xkbLEDs.c | 1 -
|
|
||||||
xkb/xkbSwap.c | 2 +-
|
|
||||||
xkb/xkbUtils.c | 1 -
|
|
||||||
xkb/xkbfmisc.c | 1 -
|
|
||||||
11 files changed, 2 insertions(+), 10 deletions(-)
|
|
||||||
rename xkb/{xkb.h => xkb-procs.h} (100%)
|
|
||||||
|
|
||||||
diff --git a/test/test_xkb.c b/test/test_xkb.c
|
|
||||||
index f81a7ed65..a13107390 100644
|
|
||||||
--- a/test/test_xkb.c
|
|
||||||
+++ b/test/test_xkb.c
|
|
||||||
@@ -48,7 +48,6 @@
|
|
||||||
#include "../xkb/xkbgeom.h"
|
|
||||||
#include <X11/extensions/XKMformat.h>
|
|
||||||
#include "xkbfile.h"
|
|
||||||
-#include "../xkb/xkb.h"
|
|
||||||
#include <assert.h>
|
|
||||||
|
|
||||||
#include "tests-common.h"
|
|
||||||
diff --git a/xkb/ddxLoad.c b/xkb/ddxLoad.c
|
|
||||||
index f9b7b06d9..2d203ce11 100644
|
|
||||||
--- a/xkb/ddxLoad.c
|
|
||||||
+++ b/xkb/ddxLoad.c
|
|
||||||
@@ -43,7 +43,6 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
||||||
#define XKBSRV_NEED_FILE_FUNCS
|
|
||||||
#include <xkbsrv.h>
|
|
||||||
#include <X11/extensions/XI.h>
|
|
||||||
-#include "xkb.h"
|
|
||||||
|
|
||||||
#define PRE_ERROR_MSG "\"The XKEYBOARD keymap compiler (xkbcomp) reports:\""
|
|
||||||
#define ERROR_PREFIX "\"> \""
|
|
||||||
diff --git a/xkb/xkb.h b/xkb/xkb-procs.h
|
|
||||||
similarity index 100%
|
|
||||||
rename from xkb/xkb.h
|
|
||||||
rename to xkb/xkb-procs.h
|
|
||||||
diff --git a/xkb/xkb.c b/xkb/xkb.c
|
|
||||||
index 820cd7166..21c046913 100644
|
|
||||||
--- a/xkb/xkb.c
|
|
||||||
+++ b/xkb/xkb.c
|
|
||||||
@@ -38,7 +38,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
||||||
#include "extnsionst.h"
|
|
||||||
#include "extinit.h"
|
|
||||||
#include "xace.h"
|
|
||||||
-#include "xkb.h"
|
|
||||||
+#include "xkb-procs.h"
|
|
||||||
#include "protocol-versions.h"
|
|
||||||
|
|
||||||
#include <X11/extensions/XI.h>
|
|
||||||
diff --git a/xkb/xkbActions.c b/xkb/xkbActions.c
|
|
||||||
index db29091e7..5e9a6b6d6 100644
|
|
||||||
--- a/xkb/xkbActions.c
|
|
||||||
+++ b/xkb/xkbActions.c
|
|
||||||
@@ -38,7 +38,6 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
||||||
#include "exevents.h"
|
|
||||||
#include "eventstr.h"
|
|
||||||
#include <xkbsrv.h>
|
|
||||||
-#include "xkb.h"
|
|
||||||
#include <ctype.h>
|
|
||||||
#include "mi.h"
|
|
||||||
#include "mipointer.h"
|
|
||||||
diff --git a/xkb/xkbEvents.c b/xkb/xkbEvents.c
|
|
||||||
index 0bbd66186..f8f65d4a7 100644
|
|
||||||
--- a/xkb/xkbEvents.c
|
|
||||||
+++ b/xkb/xkbEvents.c
|
|
||||||
@@ -39,7 +39,6 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
||||||
#include "exglobals.h"
|
|
||||||
#include "windowstr.h"
|
|
||||||
#include <xkbsrv.h>
|
|
||||||
-#include "xkb.h"
|
|
||||||
|
|
||||||
/***====================================================================***/
|
|
||||||
|
|
||||||
diff --git a/xkb/xkbInit.c b/xkb/xkbInit.c
|
|
||||||
index 4108e1b26..de1dd3fe3 100644
|
|
||||||
--- a/xkb/xkbInit.c
|
|
||||||
+++ b/xkb/xkbInit.c
|
|
||||||
@@ -49,7 +49,6 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
||||||
#include "xkbgeom.h"
|
|
||||||
#include <X11/extensions/XKMformat.h>
|
|
||||||
#include "xkbfile.h"
|
|
||||||
-#include "xkb.h"
|
|
||||||
|
|
||||||
#define CREATE_ATOM(s) MakeAtom(s,sizeof(s)-1,1)
|
|
||||||
|
|
||||||
diff --git a/xkb/xkbLEDs.c b/xkb/xkbLEDs.c
|
|
||||||
index 5792d9fb7..d4690dad9 100644
|
|
||||||
--- a/xkb/xkbLEDs.c
|
|
||||||
+++ b/xkb/xkbLEDs.c
|
|
||||||
@@ -38,7 +38,6 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
||||||
|
|
||||||
#include <X11/extensions/XI.h>
|
|
||||||
#include <xkbsrv.h>
|
|
||||||
-#include "xkb.h"
|
|
||||||
|
|
||||||
/***====================================================================***/
|
|
||||||
|
|
||||||
diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c
|
|
||||||
index 50cabb90e..efbdb81c1 100644
|
|
||||||
--- a/xkb/xkbSwap.c
|
|
||||||
+++ b/xkb/xkbSwap.c
|
|
||||||
@@ -36,7 +36,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
||||||
#include <xkbsrv.h>
|
|
||||||
#include "xkbstr.h"
|
|
||||||
#include "extnsionst.h"
|
|
||||||
-#include "xkb.h"
|
|
||||||
+#include "xkb-procs.h"
|
|
||||||
|
|
||||||
/*
|
|
||||||
* REQUEST SWAPPING
|
|
||||||
diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
|
|
||||||
index 8975ade8d..dd089c204 100644
|
|
||||||
--- a/xkb/xkbUtils.c
|
|
||||||
+++ b/xkb/xkbUtils.c
|
|
||||||
@@ -67,7 +67,6 @@ DEALINGS IN THE SOFTWARE.
|
|
||||||
#define XKBSRV_NEED_FILE_FUNCS
|
|
||||||
#include <xkbsrv.h>
|
|
||||||
#include "xkbgeom.h"
|
|
||||||
-#include "xkb.h"
|
|
||||||
|
|
||||||
/***====================================================================***/
|
|
||||||
|
|
||||||
diff --git a/xkb/xkbfmisc.c b/xkb/xkbfmisc.c
|
|
||||||
index 2ecdcd555..fc9197f2d 100644
|
|
||||||
--- a/xkb/xkbfmisc.c
|
|
||||||
+++ b/xkb/xkbfmisc.c
|
|
||||||
@@ -46,7 +46,6 @@
|
|
||||||
#define XKBSRV_NEED_FILE_FUNCS 1
|
|
||||||
#include <xkbsrv.h>
|
|
||||||
#include "xkbgeom.h"
|
|
||||||
-#include "xkb.h"
|
|
||||||
|
|
||||||
unsigned
|
|
||||||
_XkbKSCheckCase(KeySym ks)
|
|
||||||
--
|
|
||||||
GitLab
|
|
||||||
|
|
@ -1,160 +0,0 @@
|
|||||||
@@ -, +, @@
|
|
||||||
---
|
|
||||||
xkb/xkb.c | 43 ++++++++++++++++++++++++++++++++++++++-----
|
|
||||||
1 file changed, 38 insertions(+), 5 deletions(-)
|
|
||||||
Index: xorg-server-21.1.3/xkb/xkb.c
|
|
||||||
===================================================================
|
|
||||||
--- xorg-server-21.1.3.orig/xkb/xkb.c
|
|
||||||
+++ xorg-server-21.1.3/xkb/xkb.c
|
|
||||||
@@ -5157,7 +5157,7 @@ _GetCountedString(char **wire_inout, Cli
|
|
||||||
}
|
|
||||||
|
|
||||||
static Status
|
|
||||||
-_CheckSetDoodad(char **wire_inout,
|
|
||||||
+_CheckSetDoodad(char **wire_inout, xkbSetGeometryReq *req,
|
|
||||||
XkbGeometryPtr geom, XkbSectionPtr section, ClientPtr client)
|
|
||||||
{
|
|
||||||
char *wire;
|
|
||||||
@@ -5168,6 +5168,9 @@ _CheckSetDoodad(char **wire_inout,
|
|
||||||
Status status;
|
|
||||||
|
|
||||||
dWire = (xkbDoodadWireDesc *) (*wire_inout);
|
|
||||||
+ if (!_XkbCheckRequestBounds(client, req, dWire, dWire + 1))
|
|
||||||
+ return BadLength;
|
|
||||||
+
|
|
||||||
any = dWire->any;
|
|
||||||
wire = (char *) &dWire[1];
|
|
||||||
if (client->swapped) {
|
|
||||||
@@ -5270,7 +5273,7 @@ _CheckSetDoodad(char **wire_inout,
|
|
||||||
}
|
|
||||||
|
|
||||||
static Status
|
|
||||||
-_CheckSetOverlay(char **wire_inout,
|
|
||||||
+_CheckSetOverlay(char **wire_inout, xkbSetGeometryReq *req,
|
|
||||||
XkbGeometryPtr geom, XkbSectionPtr section, ClientPtr client)
|
|
||||||
{
|
|
||||||
register int r;
|
|
||||||
@@ -5281,6 +5284,9 @@ _CheckSetOverlay(char **wire_inout,
|
|
||||||
|
|
||||||
wire = *wire_inout;
|
|
||||||
olWire = (xkbOverlayWireDesc *) wire;
|
|
||||||
+ if (!_XkbCheckRequestBounds(client, req, olWire, olWire + 1))
|
|
||||||
+ return BadLength;
|
|
||||||
+
|
|
||||||
if (client->swapped) {
|
|
||||||
swapl(&olWire->name);
|
|
||||||
}
|
|
||||||
@@ -5292,6 +5298,9 @@ _CheckSetOverlay(char **wire_inout,
|
|
||||||
xkbOverlayKeyWireDesc *kWire;
|
|
||||||
XkbOverlayRowPtr row;
|
|
||||||
|
|
||||||
+ if (!_XkbCheckRequestBounds(client, req, rWire, rWire + 1))
|
|
||||||
+ return BadLength;
|
|
||||||
+
|
|
||||||
if (rWire->rowUnder > section->num_rows) {
|
|
||||||
client->errorValue = _XkbErrCode4(0x20, r, section->num_rows,
|
|
||||||
rWire->rowUnder);
|
|
||||||
@@ -5300,6 +5309,9 @@ _CheckSetOverlay(char **wire_inout,
|
|
||||||
row = XkbAddGeomOverlayRow(ol, rWire->rowUnder, rWire->nKeys);
|
|
||||||
kWire = (xkbOverlayKeyWireDesc *) &rWire[1];
|
|
||||||
for (k = 0; k < rWire->nKeys; k++, kWire++) {
|
|
||||||
+ if (!_XkbCheckRequestBounds(client, req, kWire, kWire + 1))
|
|
||||||
+ return BadLength;
|
|
||||||
+
|
|
||||||
if (XkbAddGeomOverlayKey(ol, row,
|
|
||||||
(char *) kWire->over,
|
|
||||||
(char *) kWire->under) == NULL) {
|
|
||||||
@@ -5333,6 +5345,9 @@ _CheckSetSections(XkbGeometryPtr geom,
|
|
||||||
register int r;
|
|
||||||
xkbRowWireDesc *rWire;
|
|
||||||
|
|
||||||
+ if (!_XkbCheckRequestBounds(client, req, sWire, sWire + 1))
|
|
||||||
+ return BadLength;
|
|
||||||
+
|
|
||||||
if (client->swapped) {
|
|
||||||
swapl(&sWire->name);
|
|
||||||
swaps(&sWire->top);
|
|
||||||
@@ -5358,6 +5373,9 @@ _CheckSetSections(XkbGeometryPtr geom,
|
|
||||||
XkbRowPtr row;
|
|
||||||
xkbKeyWireDesc *kWire;
|
|
||||||
|
|
||||||
+ if (!_XkbCheckRequestBounds(client, req, rWire, rWire + 1))
|
|
||||||
+ return BadLength;
|
|
||||||
+
|
|
||||||
if (client->swapped) {
|
|
||||||
swaps(&rWire->top);
|
|
||||||
swaps(&rWire->left);
|
|
||||||
@@ -5372,6 +5390,9 @@ _CheckSetSections(XkbGeometryPtr geom,
|
|
||||||
for (k = 0; k < rWire->nKeys; k++) {
|
|
||||||
XkbKeyPtr key;
|
|
||||||
|
|
||||||
+ if (!_XkbCheckRequestBounds(client, req, kWire, kWire + 1))
|
|
||||||
+ return BadLength;
|
|
||||||
+
|
|
||||||
key = XkbAddGeomKey(row);
|
|
||||||
if (!key)
|
|
||||||
return BadAlloc;
|
|
||||||
@@ -5397,7 +5418,7 @@ _CheckSetSections(XkbGeometryPtr geom,
|
|
||||||
register int d;
|
|
||||||
|
|
||||||
for (d = 0; d < sWire->nDoodads; d++) {
|
|
||||||
- status = _CheckSetDoodad(&wire, geom, section, client);
|
|
||||||
+ status = _CheckSetDoodad(&wire, req, geom, section, client);
|
|
||||||
if (status != Success)
|
|
||||||
return status;
|
|
||||||
}
|
|
||||||
@@ -5406,7 +5427,7 @@ _CheckSetSections(XkbGeometryPtr geom,
|
|
||||||
register int o;
|
|
||||||
|
|
||||||
for (o = 0; o < sWire->nOverlays; o++) {
|
|
||||||
- status = _CheckSetOverlay(&wire, geom, section, client);
|
|
||||||
+ status = _CheckSetOverlay(&wire, req, geom, section, client);
|
|
||||||
if (status != Success)
|
|
||||||
return status;
|
|
||||||
}
|
|
||||||
@@ -5440,6 +5461,9 @@ _CheckSetShapes(XkbGeometryPtr geom,
|
|
||||||
xkbOutlineWireDesc *olWire;
|
|
||||||
XkbOutlinePtr ol;
|
|
||||||
|
|
||||||
+ if (!_XkbCheckRequestBounds(client, req, shapeWire, shapeWire + 1))
|
|
||||||
+ return BadLength;
|
|
||||||
+
|
|
||||||
shape =
|
|
||||||
XkbAddGeomShape(geom, shapeWire->name, shapeWire->nOutlines);
|
|
||||||
if (!shape)
|
|
||||||
@@ -5450,12 +5474,18 @@ _CheckSetShapes(XkbGeometryPtr geom,
|
|
||||||
XkbPointPtr pt;
|
|
||||||
xkbPointWireDesc *ptWire;
|
|
||||||
|
|
||||||
+ if (!_XkbCheckRequestBounds(client, req, olWire, olWire + 1))
|
|
||||||
+ return BadLength;
|
|
||||||
+
|
|
||||||
ol = XkbAddGeomOutline(shape, olWire->nPoints);
|
|
||||||
if (!ol)
|
|
||||||
return BadAlloc;
|
|
||||||
ol->corner_radius = olWire->cornerRadius;
|
|
||||||
ptWire = (xkbPointWireDesc *) &olWire[1];
|
|
||||||
for (p = 0, pt = ol->points; p < olWire->nPoints; p++, pt++) {
|
|
||||||
+ if (!_XkbCheckRequestBounds(client, req, ptWire, ptWire + 1))
|
|
||||||
+ return BadLength;
|
|
||||||
+
|
|
||||||
pt->x = ptWire[p].x;
|
|
||||||
pt->y = ptWire[p].y;
|
|
||||||
if (client->swapped) {
|
|
||||||
@@ -5561,12 +5591,15 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSe
|
|
||||||
return status;
|
|
||||||
|
|
||||||
for (i = 0; i < req->nDoodads; i++) {
|
|
||||||
- status = _CheckSetDoodad(&wire, geom, NULL, client);
|
|
||||||
+ status = _CheckSetDoodad(&wire, req, geom, NULL, client);
|
|
||||||
if (status != Success)
|
|
||||||
return status;
|
|
||||||
}
|
|
||||||
|
|
||||||
for (i = 0; i < req->nKeyAliases; i++) {
|
|
||||||
+ if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbKeyNameLength))
|
|
||||||
+ return BadLength;
|
|
||||||
+
|
|
||||||
if (XkbAddGeomKeyAlias(geom, &wire[XkbKeyNameLength], wire) == NULL)
|
|
||||||
return BadAlloc;
|
|
||||||
wire += 2 * XkbKeyNameLength;
|
|
@ -1,138 +0,0 @@
|
|||||||
Index: xorg-server-21.1.3/xkb/xkb.c
|
|
||||||
===================================================================
|
|
||||||
--- xorg-server-21.1.3.orig/xkb/xkb.c
|
|
||||||
+++ xorg-server-21.1.3/xkb/xkb.c
|
|
||||||
@@ -6551,7 +6551,8 @@ ProcXkbGetDeviceInfo(ClientPtr client)
|
|
||||||
static char *
|
|
||||||
CheckSetDeviceIndicators(char *wire,
|
|
||||||
DeviceIntPtr dev,
|
|
||||||
- int num, int *status_rtrn, ClientPtr client)
|
|
||||||
+ int num, int *status_rtrn, ClientPtr client,
|
|
||||||
+ xkbSetDeviceInfoReq * stuff)
|
|
||||||
{
|
|
||||||
xkbDeviceLedsWireDesc *ledWire;
|
|
||||||
int i;
|
|
||||||
@@ -6559,6 +6560,11 @@ CheckSetDeviceIndicators(char *wire,
|
|
||||||
|
|
||||||
ledWire = (xkbDeviceLedsWireDesc *) wire;
|
|
||||||
for (i = 0; i < num; i++) {
|
|
||||||
+ if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) {
|
|
||||||
+ *status_rtrn = BadLength;
|
|
||||||
+ return (char *) ledWire;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (client->swapped) {
|
|
||||||
swaps(&ledWire->ledClass);
|
|
||||||
swaps(&ledWire->ledID);
|
|
||||||
@@ -6586,6 +6592,11 @@ CheckSetDeviceIndicators(char *wire,
|
|
||||||
atomWire = (CARD32 *) &ledWire[1];
|
|
||||||
if (nNames > 0) {
|
|
||||||
for (n = 0; n < nNames; n++) {
|
|
||||||
+ if (!_XkbCheckRequestBounds(client, stuff, atomWire, atomWire + 1)) {
|
|
||||||
+ *status_rtrn = BadLength;
|
|
||||||
+ return (char *) atomWire;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (client->swapped) {
|
|
||||||
swapl(atomWire);
|
|
||||||
}
|
|
||||||
@@ -6597,6 +6608,10 @@ CheckSetDeviceIndicators(char *wire,
|
|
||||||
mapWire = (xkbIndicatorMapWireDesc *) atomWire;
|
|
||||||
if (nMaps > 0) {
|
|
||||||
for (n = 0; n < nMaps; n++) {
|
|
||||||
+ if (!_XkbCheckRequestBounds(client, stuff, mapWire, mapWire + 1)) {
|
|
||||||
+ *status_rtrn = BadLength;
|
|
||||||
+ return (char *) mapWire;
|
|
||||||
+ }
|
|
||||||
if (client->swapped) {
|
|
||||||
swaps(&mapWire->virtualMods);
|
|
||||||
swapl(&mapWire->ctrls);
|
|
||||||
@@ -6648,11 +6663,6 @@ SetDeviceIndicators(char *wire,
|
|
||||||
xkbIndicatorMapWireDesc *mapWire;
|
|
||||||
XkbSrvLedInfoPtr sli;
|
|
||||||
|
|
||||||
- if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) {
|
|
||||||
- *status_rtrn = BadLength;
|
|
||||||
- return (char *) ledWire;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
namec = mapc = statec = 0;
|
|
||||||
sli = XkbFindSrvLedInfo(dev, ledWire->ledClass, ledWire->ledID,
|
|
||||||
XkbXI_IndicatorMapsMask);
|
|
||||||
@@ -6671,10 +6681,6 @@ SetDeviceIndicators(char *wire,
|
|
||||||
memset((char *) sli->names, 0, XkbNumIndicators * sizeof(Atom));
|
|
||||||
for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
|
|
||||||
if (ledWire->namesPresent & bit) {
|
|
||||||
- if (!_XkbCheckRequestBounds(client, stuff, atomWire, atomWire + 1)) {
|
|
||||||
- *status_rtrn = BadLength;
|
|
||||||
- return (char *) atomWire;
|
|
||||||
- }
|
|
||||||
sli->names[n] = (Atom) *atomWire;
|
|
||||||
if (sli->names[n] == None)
|
|
||||||
ledWire->namesPresent &= ~bit;
|
|
||||||
@@ -6692,10 +6698,6 @@ SetDeviceIndicators(char *wire,
|
|
||||||
if (ledWire->mapsPresent) {
|
|
||||||
for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
|
|
||||||
if (ledWire->mapsPresent & bit) {
|
|
||||||
- if (!_XkbCheckRequestBounds(client, stuff, mapWire, mapWire + 1)) {
|
|
||||||
- *status_rtrn = BadLength;
|
|
||||||
- return (char *) mapWire;
|
|
||||||
- }
|
|
||||||
sli->maps[n].flags = mapWire->flags;
|
|
||||||
sli->maps[n].which_groups = mapWire->whichGroups;
|
|
||||||
sli->maps[n].groups = mapWire->groups;
|
|
||||||
@@ -6731,13 +6733,17 @@ SetDeviceIndicators(char *wire,
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
|
||||||
-_XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev,
|
|
||||||
+_XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev,
|
|
||||||
xkbSetDeviceInfoReq * stuff)
|
|
||||||
{
|
|
||||||
char *wire;
|
|
||||||
|
|
||||||
wire = (char *) &stuff[1];
|
|
||||||
if (stuff->change & XkbXI_ButtonActionsMask) {
|
|
||||||
+ int sz = stuff->nBtns * SIZEOF(xkbActionWireDesc);
|
|
||||||
+ if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz))
|
|
||||||
+ return BadLength;
|
|
||||||
+
|
|
||||||
if (!dev->button) {
|
|
||||||
client->errorValue = _XkbErrCode2(XkbErr_BadClass, ButtonClass);
|
|
||||||
return XkbKeyboardErrorCode;
|
|
||||||
@@ -6748,13 +6754,13 @@ _XkbSetDeviceInfo(ClientPtr client, Devi
|
|
||||||
dev->button->numButtons);
|
|
||||||
return BadMatch;
|
|
||||||
}
|
|
||||||
- wire += (stuff->nBtns * SIZEOF(xkbActionWireDesc));
|
|
||||||
+ wire += sz;
|
|
||||||
}
|
|
||||||
if (stuff->change & XkbXI_IndicatorsMask) {
|
|
||||||
int status = Success;
|
|
||||||
|
|
||||||
wire = CheckSetDeviceIndicators(wire, dev, stuff->nDeviceLedFBs,
|
|
||||||
- &status, client);
|
|
||||||
+ &status, client, stuff);
|
|
||||||
if (status != Success)
|
|
||||||
return status;
|
|
||||||
}
|
|
||||||
@@ -6765,8 +6771,8 @@ _XkbSetDeviceInfo(ClientPtr client, Devi
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
|
||||||
-_XkbSetDeviceInfoCheck(ClientPtr client, DeviceIntPtr dev,
|
|
||||||
- xkbSetDeviceInfoReq * stuff)
|
|
||||||
+_XkbSetDeviceInfo(ClientPtr client, DeviceIntPtr dev,
|
|
||||||
+ xkbSetDeviceInfoReq * stuff)
|
|
||||||
{
|
|
||||||
char *wire;
|
|
||||||
xkbExtensionDeviceNotify ed;
|
|
||||||
@@ -6790,8 +6796,6 @@ _XkbSetDeviceInfoCheck(ClientPtr client,
|
|
||||||
if (stuff->firstBtn + stuff->nBtns > nBtns)
|
|
||||||
return BadValue;
|
|
||||||
sz = stuff->nBtns * SIZEOF(xkbActionWireDesc);
|
|
||||||
- if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz))
|
|
||||||
- return BadLength;
|
|
||||||
memcpy((char *) &acts[stuff->firstBtn], (char *) wire, sz);
|
|
||||||
wire += sz;
|
|
||||||
ed.reason |= XkbXI_ButtonActionsMask;
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:61d6aad5b6b47a116b960bd7f0cba4ee7e6da95d6bb0b127bde75d7d1acdebe5
|
|
||||||
size 4955948
|
|
3
xorg-server-21.1.4.tar.xz
Normal file
3
xorg-server-21.1.4.tar.xz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:5cc4be8ee47edb58d4a90e603a59d56b40291ad38371b0bd2471fc3cbee1c587
|
||||||
|
size 4940176
|
@ -1,3 +1,16 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jul 13 12:38:05 UTC 2022 - Stefan Dirsch <sndirsch@suse.com>
|
||||||
|
|
||||||
|
- Update to version 21.1
|
||||||
|
* This release fixes 2 recently reported security vulnerabilities
|
||||||
|
in xkb, several regressions since 1.20.x and a number of
|
||||||
|
miscellaneous bugs.
|
||||||
|
- supersedes the following security patches
|
||||||
|
* U_boo1194181-001-xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch
|
||||||
|
* U_boo1194179-001-xkb-rename-xkb_h-to-xkb-procs_h.patch
|
||||||
|
* U_boo1194179-002-xkb-add-request-length-validation-for-XkbSetGeometry.patch
|
||||||
|
- supersedes U_Fix-build-with-gcc-12.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Jul 6 12:21:11 UTC 2022 - Stefan Dirsch <sndirsch@suse.com>
|
Wed Jul 6 12:21:11 UTC 2022 - Stefan Dirsch <sndirsch@suse.com>
|
||||||
|
|
||||||
|
@ -36,7 +36,7 @@
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
Name: xorg-x11-server
|
Name: xorg-x11-server
|
||||||
Version: 21.1.3
|
Version: 21.1.4
|
||||||
Release: 0
|
Release: 0
|
||||||
URL: http://xorg.freedesktop.org/
|
URL: http://xorg.freedesktop.org/
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
@ -245,16 +245,8 @@ Patch1930: u_xfree86-activate-GPU-screens-on-autobind.patch
|
|||||||
|
|
||||||
Patch1940: U_xephyr-Don-t-check-for-SeatId-anymore.patch
|
Patch1940: U_xephyr-Don-t-check-for-SeatId-anymore.patch
|
||||||
|
|
||||||
Patch1950: U_Fix-build-with-gcc-12.patch
|
|
||||||
|
|
||||||
Patch1960: u_sync-pci-ids-with-Mesa-22.0.0.patch
|
Patch1960: u_sync-pci-ids-with-Mesa-22.0.0.patch
|
||||||
|
|
||||||
#CVE-2022-2320, ZDI-CAN-16070, bsc#1194181
|
|
||||||
Patch2001: U_boo1194181-001-xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch
|
|
||||||
#CVE-2022-2319, ZDI-CAN-16062, bsc#1194179
|
|
||||||
Patch2101: U_boo1194179-001-xkb-rename-xkb_h-to-xkb-procs_h.patch
|
|
||||||
Patch2102: U_boo1194179-002-xkb-add-request-length-validation-for-XkbSetGeometry.patch
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
This package contains the X.Org Server.
|
This package contains the X.Org Server.
|
||||||
|
|
||||||
@ -411,11 +403,7 @@ sh %{SOURCE92} --verify . %{SOURCE91}
|
|||||||
%patch1920 -p1
|
%patch1920 -p1
|
||||||
%patch1930 -p1
|
%patch1930 -p1
|
||||||
%patch1940 -p1
|
%patch1940 -p1
|
||||||
%patch1950 -p1
|
|
||||||
%patch1960 -p1
|
%patch1960 -p1
|
||||||
%patch2001 -p1
|
|
||||||
%patch2101 -p1
|
|
||||||
%patch2102 -p1
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# We have some -z now related errors during X default startup (boo#1197994):
|
# We have some -z now related errors during X default startup (boo#1197994):
|
||||||
|
Loading…
Reference in New Issue
Block a user