From a4d9bf1259ad28f54b6d59a480b2009cc89ca623 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Mon, 16 Sep 2013 21:47:16 -0700
Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText()
Save a pointer to the passed-in closure structure before copying it
and overwriting the *c pointer to point to our copy instead of the
original. If we hit an error, once we free(c), reset c to point to
the original structure before jumping to the cleanup code that
references *c.
Since one of the errors being checked for is whether the server was
able to malloc(c->nChars * itemSize), the client can potentially pass
a number of characters chosen to cause the malloc to fail and the
error path to be taken, resulting in the read from freed memory.
Since the memory is accessed almost immediately afterwards, and the
X server is mostly single threaded, the odds of the free memory having
invalid contents are low with most malloc implementations when not using
memory debugging features, but some allocators will definitely overwrite
the memory there, leading to a likely crash.
Reported-by: Pedro Ribeiro <pedrib@gmail.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
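Added example (not the X server's own code) of the save-and-restore pattern the commit describes: the caller's closure is copied, and when the copy is freed on the error path, c is pointed back at the original before the cleanup code dereferences it. The Closure type and the allocation hook are constructed so the malloc-failure path can be driven deterministically.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed closure, loosely modelled on the one doImageText() copies:
 * a character count, a per-item size and an error flag that the cleanup
 * code sets on the caller's structure. Not the X server's real struct. */
typedef struct {
    size_t nChars;
    size_t itemSize;
    int err;          /* set by the cleanup path, like the error sent to the client */
} Closure;

/* Allocation hook so the "malloc(c->nChars * itemSize) fails" path can be
 * exercised deterministically instead of by exhausting memory (hypothetical). */
static int force_alloc_failure = 0;
static void *item_alloc(size_t n) { return force_alloc_failure ? NULL : malloc(n); }

/* Returns 0 on success, -1 when the item buffer could not be allocated.
 * Mirrors the fixed control flow: save the original closure pointer,
 * copy it, and restore c before any cleanup that dereferences *c. */
int do_image_text(Closure *c)
{
    Closure *oc = c;                      /* the fix: remember the caller's closure */
    Closure *copy = malloc(sizeof(*copy));
    char *items;
    if (copy == NULL)
        return -1;
    memcpy(copy, oc, sizeof(*copy));
    c = copy;                             /* c now points at our private copy */

    items = item_alloc(c->nChars * c->itemSize);
    if (items == NULL) {
        free(c);                          /* our copy is gone... */
        c = oc;                           /* ...so point c back at the original before 'bail' */
        goto bail;
    }
    /* normal processing of the copy would happen here */
    free(items);
    free(c);
    return 0;

bail:
    c->err = 1;    /* cleanup dereferences *c; safe only because c == oc again */
    return -1;
}
```

Without the `c = oc;` line, the `c->err = 1` in the cleanup path is exactly the read from freed memory the commit fixes.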
Bump PKGREVISION.
are only a handful of changes in this dot release, and with the pending
release of 1.13 next month, it's likely that this may be the final scheduled
release from the 1.12 branch; we will likely put out additional releases
from this branch, but they will no longer follow the standard 6-week
development cycle.
This version is identical to the previous release candidate except for
version numbers.
== Known Issues ==
Currently open bugs in the 1.12 Tracker:
https://bugs.freedesktop.org/show_bug.cgi?id=xserver-1.12
23938: keys occasionally get stuck with xorg-server 1.6.99.901
http://bugs.freedesktop.org/23938
31501: crash accessing font info with xfs in fontpath
http://bugs.freedesktop.org/31501
39094: WaitFor does not handle EIO (causes 100% cpu load)
http://bugs.freedesktop.org/39094
39383: X server crashes when restarting KDE from Alt+F2
http://bugs.freedesktop.org/39383
39949: RandR panning & scaling don't work
http://bugs.freedesktop.org/39949
43988: crtc->desiredMode.name can point to freed memory.
http://bugs.freedesktop.org/43988
44038: some 3D wine apps no longer work (bisected)
http://bugs.freedesktop.org/44038
45445: Key press crashes the xserver when kdm is running
http://bugs.freedesktop.org/45445
49170: crash when starting or after some time of using psi
http://bugs.freedesktop.org/49170
50641: xorg-server-1.12.0 - When SELinux is enabled the xserver fails
http://bugs.freedesktop.org/50641
== New Issues ==
If you encounter an issue that you think should block a future 1.12
release, please follow the instructions listed in the wiki to raise
this to our attention.
http://www.x.org/wiki/Server112Branch
== Changes since 1.12.3 ==
Aaron Plattner (1):
randr: Fix REQUEST vs. REQUEST_SIZE_MATCH mismatch
Adam Jackson (3):
ephyr: Fix up some bizarre formatting
randr: Fix up yet another corner case in preferred mode selection
sync: Fix logic error from b55bf248581dc66321b24b29f199f6dc8d02db1b
Alan Coopersmith (10):
OtherClientGone: Remove unreachable return statement
Fix some overly indented/poorly line wrapped comments in dix/events.c
Remove obsolete tab stop comments from hw/xfree86/parser/*.c
ProcRRGetScreenInfo: swap configTimestamp as well
xf86dga2.c & xf86vmode.c: Move REQUEST_SIZE_MATCH checks before using stuff
Use calloc to zero fill buffers being allocated for replies & events
Set padding bytes to 0 in WriteToClient
Initialize padding bits to 0 in ErrorConnMax()
Fix up formatting of initializers for arrays of structs
Make indentation of dix/tables.c much more consistent and readable
Daniel Stone (5):
DRI2: Remove prototype for DRI2DestroyDrawable
Don't make failure to -nolisten fatal
Xorg: Link XKB DDX library after core server libs
Xinerama: Fix ExtensionInit prototype
AllocDevicePair: Ensure XKB privates are initialised
Dave Airlie (2):
xf86: cursor code got mangled by indenting
kinput: allocate enough space for null character.
Jaroslav Šmíd (1):
Bug 51375: Xorg doesn't set status for RRGetOutputInfo
Jeremy Huddleston (3):
XQuartz: Silence an unused-variable warning
XQuartz: Fix incorrect PseudoramiXExtensionInit prototype
XQuartz: Call xp_window_bring_all_to_front if available in libXplugin
Jeremy Huddleston Sequoia (7):
XQuartz: Fix xp_window_bring_all_to_front linking on OS versions with older libXplugin
configure.ac: Version bump to 1.12.3.901 (1.12.4 RC1)
XQuartz: console_redirect: Set the correct location for reading into the buffer
XQuartz: console_redirect: Properly zero-out the tail of the array on realloc()
configure.ac: Version bump to 1.12.3.902 (1.12.4 RC2)
XQuartz: Bump version to 2.7.3
configure.ac: Version bump to 1.12.4
Jon TURNEY (1):
hw/xquartz: Various fixes for pseudoramiX.c
Julien Cristau (1):
Bump video ABI version to 12.1
Keith Packard (4):
randr: Clean up compiler warnings about unused and shadowing variables
randr: Catch two more potential unset rrScrPriv uses
Add 'install-headers' target in the top-level Makefile
Only free Render filter names on last screen close
Michal Srb (1):
Look for ModuleData only in appropriate library
Michel Dänzer (2):
dri2: Add DRI2CreateDrawable2.
glx: Free DRI2 drawable reference to destroyed GLX drawable.
Peter Hutterer (4):
xkb: use local variable instead of casting arg
dix: fix dereference before null check
list.h: don't crash when removing an element from a NULL list
dix: make sure the mask is set for emulated scroll events (#52508)
Ricardo Salveti de Araujo (1):
randr: first check pScrPriv before using the pointer at RRFirstOutput
Simon Schubert (1):
fb: reorder Bresenham error correction to avoid overshoot.
Vic Lee (1):
ephyr: Resize screen automatically when parent window is resized
git tag: xorg-server-1.12.4
use O_NOFOLLOW to open the existing lock file, so symbolic links
aren't followed, thus avoiding revealing whether it points to an existing
file.
Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Fix CVE-2011-4029: File permission change vulnerability.
Use fchmod() to change permissions of the lock file instead of
chmod(), thus avoiding the race that can be exploited to set a symbolic
link to any file or directory in the system.
Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
in an arithmetic expression, leading to surprising results when used later
with arithmetic expressions of the same precedence as parameter a.
This is very old X11 code, copy and pasted to several places over the years.
Fixed in 1.9something (which is in mit/external). OK by wiz@.
This seems to be the root cause of CVE-2010-1166.
Changes in 1.6.3 since 1.6.2.901:
Adam Jackson (1):
selinux: Only activate if policy says to be an object manager
Alan Coopersmith (2):
Don't printf NULL pointers on HAL connection error
Remove hardcoded gcc -Wall option from configure.ac
Ben Skeggs (1):
quirk: use first detailed timing as preferred for PEA prod 9003 (rh#492359)
Keith Packard (1):
Bump release number to 1.6.3
Rémi Cardona (1):
config: add HAL error checks
Changes in 1.6.2.901 since 1.6.2:
Adam Jackson (1):
xdmcp: Don't crash on X -query with more than 255 IP addresses. (#20675)
Alan Coopersmith (1):
Fix build of drivers with 1.6.2 when not using --install-libxf86config
Benjamin Defnet (2):
hw/xf86/modes: Set crtc mode/rotation/transform before calling set_mode_major
randr: fix operation order so that rotation+transform works
Dave Airlie (1):
xfree86: move didLock assignment down to where the function pointer is valid.
Julien Cristau (1):
randr: fix server crash in RRGetScreenInfo
Keith Packard (2):
Replace dixLookupResource by dixLookupResourceBy{Type,Class}
Bump to version 1.6.2.901 (1.6.3 RC1)
Kim Woelders (1):
Fix key repeat problem.
Matthias Hopf (1):
randr: Nuke broken set_origin shortcut
Michel Dänzer (1):
EXA: Only pass CT_YXBANDED to RECTS_TO_REGION() if that is really true.
Robert Noland (1):
One = is more than adequate here. Make is sh safe.
Rémi Cardona (1):
configure: libXinerama isn't needed anymore
Lots of changes since last pkgsrc version 1.4.x.
Based on patches provided by Hasso Tepper on pkgsrc-users.
Enable dri by default.
NOTE: You must install new versions of all dependencies, old ones
won't work!
pull in a patch from upstream which fixes wakeup storms in idletime
counter, reducing the system load significantly if a recent
gnome-screensaver is running
bump PKGREVISION
Apply the following patches from NetBSD xsrc/external/mit/xorg-server/dist;
thanks to joerg for providing a list of changes to apply.
2009-02-19 20:02 macallan
* hw/xfree86/xaa/: xaaFillRect.c (1.2), xaaInitAccel.c (1.2),
xaalocal.h (1.2):
Actually use scanline image writes to upload images if available
2009-02-09 09:49 plunky
* hw/xfree86/os-support/bsd/bsd_mouse.c (1.5):
add horizontal mouse-wheel functionality to USB and WSMOUSE drivers
2009-02-02 03:06 christos
* hw/xfree86/os-support/: bsd/bsd_mouse.c (1.4), xf86OSmouse.h
(1.2):
add a SetupMouse proc to condition the fd. Convert NetBSD's
SetupAuto to SetupMouse.
2009-01-19 00:54 christos
* hw/xfree86/os-support/bsd/bsd_mouse.c (1.3):
fix ioctl.
2009-01-13 18:43 christos
* hw/xfree86/os-support/bsd/bsd_mouse.c (1.2):
Set the mouse event protocol version. (untested, but head will be
broken unless I add this).
revision 1.2
date: 2008/11/23 21:58:25; author: mrg; state: Exp; lines: +1 -0
patch from jmcneill@:
add a log message to notify what VT is in use. helps gdm/consolekit.
group but the keyboard has multiple groups defined, the core description of
the key is a duplication of the single group across all symbols. i.e.
G1L1 G1L2 G1L1 G1L2 G1L3 G1L4 G1L3 G1L4
The previous code generated G1L1 G1L2 G1L3 G1L4 G1L3 G1L4, leading to
"invented" groups when the process is reversed.
Note that this creates wrong key types on reconstruction from core to xkb,
i.e. any single-group key with a key type that is not one of the canonical
four (Sec 12.2.3), will get the assigned type on group 1, and a canonical type
for the other groups.
X.Org Bug 14373 <http://bugs.freedesktop.org/show_bug.cgi?id=14373>
Patch taken from the bugtracker entry.
This long-overdue update brings many improvements:
- Many improvements to EXA
- Input Hotplugging via HAL or dbus (not enabled yet)
- Support for RandR 1.2. Users using a dual-head configuration are
encouraged to see <http://www.x.org/wiki/Projects/XRandR> for more
information.
- The server now uses the same version of Mesa we have in pkgsrc;
this likely will result in more reliable OpenGL/DRI operation.
I realize that this server is still not the latest release (1.5.0);
upgrading to that version will require an involved mesa update,
libpciaccess, etc. I hope that by the next quarter, that work will be done.
Please file a problem report and/or contact us via the usual means
(mailing lists, etc.) should you encounter any issues.
hardwire it to 1.1, otherwise we announce more than we can support
-add a "glx" option to build the "glx" extension -- this is work in
progress (might need some CFLAGS, see pkgsrc-wip)
-bump PKGREVISION