1
0
mirror of https://git.FreeBSD.org/ports.git synced 2024-10-30 21:49:25 +00:00
freebsd-ports/x11/XFree86/files/patch-h
2000-09-25 19:00:49 +00:00

559 lines
17 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

diff -u lib/ICE/ICElibint.h:1.1 X11/xc/lib/ICE/ICElibint.h:1.2
--- lib/ICE/ICElibint.h:1.1 Fri Sep 5 02:58:32 1997
+++ lib/ICE/ICElibint.h Mon Jul 10 15:17:09 2000
@@ -288,20 +288,21 @@
}
-#define SKIP_STRING(_pBuf, _swap) \
+#define SKIP_STRING(_pBuf, _swap, _end, _bail) \
{ \
CARD16 _len; \
EXTRACT_CARD16 (_pBuf, _swap, _len); \
- _pBuf += _len; \
- if (PAD32 (2 + _len)) \
- _pBuf += PAD32 (2 + _len); \
-}
+ _pBuf += _len + PAD32(2+_len); \
+ if (_pBuf > _end) { \
+ _bail; \
+ } \
+}
-#define SKIP_LISTOF_STRING(_pBuf, _swap, _count) \
+#define SKIP_LISTOF_STRING(_pBuf, _swap, _count, _end, _bail) \
{ \
int _i; \
for (_i = 0; _i < _count; _i++) \
- SKIP_STRING (_pBuf, _swap); \
+ SKIP_STRING (_pBuf, _swap, _end, _bail); \
}
Index: lib/ICE/process.c
diff -u lib/ICE/process.c:1.1 X11/xc/lib/ICE/process.c:1.2
--- lib/ICE/process.c:1.1 Fri Sep 5 02:58:32 1997
+++ lib/ICE/process.c Mon Jul 10 15:17:10 2000
@@ -63,7 +63,11 @@
return (0); \
}
-
+#define BAIL_STRING(_iceConn, _opcode, _pStart) {\
+ _IceErrorBadLength (_iceConn, 0, _opcode, IceFatalToConnection);\
+ IceDisposeCompleteMessage (_iceConn, _pStart);\
+ return (0);\
+}
/*
* IceProcessMessages:
@@ -819,7 +823,7 @@
int myAuthCount, hisAuthCount;
int found, i, j;
char *myAuthName, **hisAuthNames;
- char *pData, *pStart;
+ char *pData, *pStart, *pEnd;
char *vendor = NULL;
char *release = NULL;
int myAuthIndex = 0;
@@ -843,10 +847,18 @@
}
pData = pStart;
-
- SKIP_STRING (pData, swap); /* vendor */
- SKIP_STRING (pData, swap); /* release */
- SKIP_LISTOF_STRING (pData, swap, (int) message->authCount);/* auth names */
+ pEnd = pStart + (length << 3);
+
+ SKIP_STRING (pData, swap, pEnd,
+ BAIL_STRING(iceConn, ICE_ConnectionSetup,
+ pStart)); /* vendor */
+ SKIP_STRING (pData, swap, pEnd,
+ BAIL_STRING(iceConn, ICE_ConnectionSetup,
+ pStart)); /* release */
+ SKIP_LISTOF_STRING (pData, swap, (int) message->authCount, pEnd,
+ BAIL_STRING(iceConn, ICE_ConnectionSetup,
+ pStart)); /* auth names */
+
pData += (message->versionCount * 4); /* versions */
CHECK_COMPLETE_SIZE (iceConn, ICE_ConnectionSetup,
@@ -1685,7 +1697,7 @@
{
iceConnectionReplyMsg *message;
- char *pData, *pStart;
+ char *pData, *pStart, *pEnd;
Bool replyReady;
CHECK_AT_LEAST_SIZE (iceConn, ICE_ConnectionReply,
@@ -1701,9 +1713,14 @@
}
pData = pStart;
+ pEnd = pStart + (length << 3);
- SKIP_STRING (pData, swap); /* vendor */
- SKIP_STRING (pData, swap); /* release */
+ SKIP_STRING (pData, swap, pEnd,
+ BAIL_STRING (iceConn, ICE_ConnectionReply,
+ pStart)); /* vendor */
+ SKIP_STRING (pData, swap, pEnd,
+ BAIL_STRING (iceConn, ICE_ConnectionReply,
+ pStart)); /* release */
CHECK_COMPLETE_SIZE (iceConn, ICE_ConnectionReply,
length, pData - pStart + SIZEOF (iceConnectionReplyMsg),
@@ -1789,7 +1806,7 @@
int found, i, j;
char *myAuthName, **hisAuthNames;
char *protocolName;
- char *pData, *pStart;
+ char *pData, *pStart, *pEnd;
char *vendor = NULL;
char *release = NULL;
int accept_setup_now = 0;
@@ -1824,11 +1841,20 @@
}
pData = pStart;
+ pEnd = pStart + (length << 3);
- SKIP_STRING (pData, swap); /* proto name */
- SKIP_STRING (pData, swap); /* vendor */
- SKIP_STRING (pData, swap); /* release */
- SKIP_LISTOF_STRING (pData, swap, (int) message->authCount);/* auth names */
+ SKIP_STRING (pData, swap, pEnd,
+ BAIL_STRING(iceConn, ICE_ProtocolSetup,
+ pStart)); /* proto name */
+ SKIP_STRING (pData, swap, pEnd,
+ BAIL_STRING(iceConn, ICE_ProtocolSetup,
+ pStart)); /* vendor */
+ SKIP_STRING (pData, swap, pEnd,
+ BAIL_STRING(iceConn, ICE_ProtocolSetup,
+ pStart)); /* release */
+ SKIP_LISTOF_STRING (pData, swap, (int) message->authCount, pEnd,
+ BAIL_STRING(iceConn, ICE_ProtocolSetup,
+ pStart)); /* auth names */
pData += (message->versionCount * 4); /* versions */
CHECK_COMPLETE_SIZE (iceConn, ICE_ProtocolSetup,
@@ -2170,7 +2196,7 @@
{
iceProtocolReplyMsg *message;
- char *pData, *pStart;
+ char *pData, *pStart, *pEnd;
Bool replyReady;
CHECK_AT_LEAST_SIZE (iceConn, ICE_ProtocolReply,
@@ -2186,9 +2212,14 @@
}
pData = pStart;
+ pEnd = pStart + (length << 3);
- SKIP_STRING (pData, swap); /* vendor */
- SKIP_STRING (pData, swap); /* release */
+ SKIP_STRING (pData, swap, pEnd,
+ BAIL_STRING(iceConn, ICE_ProtocolReply,
+ pStart)); /* vendor */
+ SKIP_STRING (pData, swap, pEnd,
+ BAIL_STRING(iceConn, ICE_ProtocolReply,
+ pStart)); /* release */
CHECK_COMPLETE_SIZE (iceConn, ICE_ProtocolReply,
length, pData - pStart + SIZEOF (iceProtocolReplyMsg),
Index: lib/X11/GetProp.c
diff -u lib/X11/GetProp.c:1.1 X11/xc/lib/X11/GetProp.c:1.2
--- lib/X11/GetProp.c:1.1 Fri Sep 5 02:58:44 1997
+++ lib/X11/GetProp.c Mon Jul 10 15:20:35 2000
@@ -76,21 +76,24 @@
*/
case 8:
nbytes = netbytes = reply.nItems;
- if (*prop = (unsigned char *) Xmalloc ((unsigned)nbytes + 1))
+ if (nbytes + 1 > 0 &&
+ (*prop = (unsigned char *) Xmalloc ((unsigned)nbytes + 1)))
_XReadPad (dpy, (char *) *prop, netbytes);
break;
case 16:
nbytes = reply.nItems * sizeof (short);
netbytes = reply.nItems << 1;
- if (*prop = (unsigned char *) Xmalloc ((unsigned)nbytes + 1))
+ if (nbytes + 1 > 0 &&
+ (*prop = (unsigned char *) Xmalloc ((unsigned)nbytes + 1)))
_XRead16Pad (dpy, (short *) *prop, netbytes);
break;
case 32:
nbytes = reply.nItems * sizeof (long);
netbytes = reply.nItems << 2;
- if (*prop = (unsigned char *) Xmalloc ((unsigned)nbytes + 1))
+ if (nbytes + 1 > 0 &&
+ (*prop = (unsigned char *) Xmalloc ((unsigned)nbytes + 1)))
_XRead32 (dpy, (long *) *prop, netbytes);
break;
Index: lib/X11/OpenDis.c
diff -u lib/X11/OpenDis.c:1.1 X11/xc/lib/X11/OpenDis.c:1.2
--- lib/X11/OpenDis.c:1.1 Fri Sep 5 02:58:48 1997
+++ lib/X11/OpenDis.c Mon Jul 10 15:20:35 2000
@@ -371,6 +371,14 @@
dpy->max_request_size = u.setup->maxRequestSize;
mask = dpy->resource_mask;
dpy->resource_shift = 0;
+ if (!mask)
+ {
+ fprintf (stderr, "Xlib: connection to \"%s\" invalid setup\n",
+ fullname);
+ OutOfMemory(dpy, setup);
+ return (NULL);
+ }
+
while (!(mask & 1)) {
dpy->resource_shift++;
mask = mask >> 1;
@@ -390,6 +398,13 @@
(void) strncpy(dpy->vendor, u.vendor, vendorlen);
dpy->vendor[vendorlen] = '\0';
vendorlen = (vendorlen + 3) & ~3; /* round up */
+/*
+ * validate setup length
+ */
+ if ((int) setuplength - sz_xConnSetup - vendorlen < 0) {
+ OutOfMemory(dpy, setup);
+ return (NULL);
+ }
memmove (setup, u.vendor + vendorlen,
(int) setuplength - sz_xConnSetup - vendorlen);
u.vendor = setup;
@@ -568,6 +583,8 @@
if (_XReply (dpy, (xReply *) &reply, 0, xFalse)) {
if (reply.format == 8 && reply.propertyType == XA_STRING &&
+ (reply.nItems + 1 > 0) &&
+ (reply.nItems <= req->longLength * 4) &&
(dpy->xdefaults = Xmalloc (reply.nItems + 1))) {
_XReadPad (dpy, dpy->xdefaults, reply.nItems);
dpy->xdefaults[reply.nItems] = '\0';
Index: lib/X11/XlibInt.c
diff -u lib/X11/XlibInt.c:1.3 X11/xc/lib/X11/XlibInt.c:1.4
--- lib/X11/XlibInt.c:1.3 Tue Aug 24 12:11:19 1999
+++ lib/X11/XlibInt.c Mon Jul 10 15:20:35 2000
@@ -38,6 +38,8 @@
#define NEED_EVENTS
#define NEED_REPLIES
+#define GENERIC_LENGTH_LIMIT (1 << 29)
+
#include "Xlibint.h"
#include <X11/Xpoll.h>
#include <X11/Xtrans.h>
@@ -1689,6 +1691,17 @@
!= (char *)rep)
continue;
}
+ /*
+ * Don't accept ridiculously large values for
+ * generic.length; doing so could cause stack-scribbling
+ * problems elsewhere.
+ */
+ if (rep->generic.length > GENERIC_LENGTH_LIMIT) {
+ rep->generic.length = GENERIC_LENGTH_LIMIT;
+ (void) fprintf(stderr,
+ "Xlib: suspiciously long reply length %d set to %d",
+ rep->generic.length, GENERIC_LENGTH_LIMIT);
+ }
if (extra <= rep->generic.length) {
if (extra > 0)
/*
@@ -1827,6 +1840,13 @@
#endif
if (len > *lenp)
_XEatData(dpy, len - *lenp);
+ }
+ if (len < SIZEOF(xReply))
+ {
+ _XIOError (dpy);
+ buf += *lenp;
+ *lenp = 0;
+ return buf;
}
if (len >= *lenp) {
buf += *lenp;
Index: programs/Xserver/os/secauth.c
diff -u programs/Xserver/os/secauth.c:1.1 X11/xc/programs/Xserver/os/secauth.c:1.3
--- programs/Xserver/os/secauth.c:1.1 Fri Sep 5 03:15:14 1997
+++ programs/Xserver/os/secauth.c Mon Jul 10 15:23:26 2000
@@ -47,7 +47,7 @@
ClientPtr client;
char **reason;
{
- char *policy = *dataP;
+ CARD8 *policy = *(CARD8 **)dataP;
int length;
Bool permit;
int nPolicies;
@@ -61,13 +61,13 @@
}
permit = (*policy++ == 0);
- nPolicies = *policy++;
+ nPolicies = (CARD8) *policy++;
length -= 2;
sitePolicies = SecurityGetSitePolicyStrings(&nSitePolicies);
- while (nPolicies) {
+ while (nPolicies > 0) {
int strLen, sitePolicy;
if (length == 0) {
@@ -75,7 +75,7 @@
return FALSE;
}
- strLen = *policy++;
+ strLen = (CARD8) *policy++;
if (--length < strLen) {
*reason = InvalidPolicyReason;
return FALSE;
@@ -87,7 +87,7 @@
{
char *testPolicy = sitePolicies[sitePolicy];
if ((strLen == strlen(testPolicy)) &&
- (strncmp(policy, testPolicy, strLen) == 0))
+ (strncmp((char *)policy, testPolicy, strLen) == 0))
{
found = TRUE; /* need to continue parsing the policy... */
break;
@@ -107,7 +107,7 @@
}
*data_lengthP = length;
- *dataP = policy;
+ *dataP = (char *)policy;
return TRUE;
}
Index: programs/Xserver/os/xdmcp.c
diff -u programs/Xserver/os/xdmcp.c:1.1.1.2 X11/xc/programs/Xserver/os/xdmcp.c:1.2
--- programs/Xserver/os/xdmcp.c:1.1.1.2 Fri Jan 8 10:56:48 1999
+++ programs/Xserver/os/xdmcp.c Mon Jul 10 15:26:07 2000
@@ -1,5 +1,5 @@
/* $XConsortium: xdmcp.c /main/34 1996/12/02 10:23:29 lehors $ */
-/* $XFree86: xc/programs/Xserver/os/xdmcp.c,v 3.9.2.1 1998/12/18 11:56:34 dawes Exp $ */
+/* $XFree86: xc/programs/Xserver/os/xdmcp.c,v 3.9.2.2 2000/02/08 20:32:12 dawes Exp $ */
/*
* Copyright 1989 Network Computing Devices, Inc., Mountain View, California.
*
@@ -290,7 +290,10 @@
return (i + 1);
}
if (strcmp(argv[i], "-port") == 0) {
- ++i;
+ if (++i == argc) {
+ ErrorF("Xserver: missing port number in command line\n");
+ exit(1);
+ }
xdm_udp_port = atoi(argv[i]);
return (i + 1);
}
@@ -300,18 +303,28 @@
}
if (strcmp(argv[i], "-class") == 0) {
++i;
+ if (++i == argc) {
+ ErrorF("Xserver: missing class name in command line\n");
+ exit(1);
+ }
defaultDisplayClass = argv[i];
return (i + 1);
}
#ifdef HASXDMAUTH
if (strcmp(argv[i], "-cookie") == 0) {
- ++i;
+ if (++i == argc) {
+ ErrorF("Xserver: missing cookie data in command line\n");
+ exit(1);
+ }
xdmAuthCookie = argv[i];
return (i + 1);
}
#endif
if (strcmp(argv[i], "-displayID") == 0) {
- ++i;
+ if (++i == argc) {
+ ErrorF("Xserver: missing displayID in command line\n");
+ exit(1);
+ }
XdmcpRegisterManufacturerDisplayID (argv[i], strlen (argv[i]));
return (i + 1);
}
Index: programs/Xserver/xkb/ddxLoad.c
diff -u programs/Xserver/xkb/ddxLoad.c:1.1.1.3 X11/xc/programs/Xserver/xkb/ddxLoad.c:1.2
--- programs/Xserver/xkb/ddxLoad.c:1.1.1.3 Sat Nov 28 01:49:13 1998
+++ programs/Xserver/xkb/ddxLoad.c Mon Jul 10 15:28:10 2000
@@ -24,7 +24,7 @@
THE USE OR PERFORMANCE OF THIS SOFTWARE.
********************************************************/
-/* $XFree86: xc/programs/Xserver/xkb/ddxLoad.c,v 3.19.2.3 1998/09/27 12:59:29 hohndel Exp $ */
+/* $XFree86: xc/programs/Xserver/xkb/ddxLoad.c,v 3.19.2.4 2000/06/15 23:24:07 dawes Exp $ */
#include <stdio.h>
#include <ctype.h>
@@ -139,10 +139,8 @@
+strlen(file)+strlen(xkm_output_dir)
+strlen(outFile)+53 > PATH_MAX)
{
-#ifdef DEBUG
ErrorF("compiler command for keymap (%s) exceeds max length\n",
names->keymap);
-#endif
return False;
}
#ifndef __EMX__
@@ -169,10 +167,8 @@
+strlen(file)+strlen(xkm_output_dir)
+strlen(outFile)+49 > PATH_MAX)
{
-#ifdef DEBUG
ErrorF("compiler command for keymap (%s) exceeds max length\n",
names->keymap);
-#endif
return False;
}
sprintf(cmd,"xkbcomp -w %d -xkm %s%s -em1 %s -emp %s -eml %s keymap/%s %s%s.xkm",
@@ -236,6 +232,10 @@
sprintf(keymap,"server-%s",display);
}
else {
+ if (strlen(names->keymap) > PATH_MAX - 1) {
+ ErrorF("name of keymap (%s) exceeds max length\n", names->keymap);
+ return False;
+ }
strcpy(keymap,names->keymap);
}
@@ -254,10 +254,8 @@
+strlen(POST_ERROR_MSG1)+strlen(xkm_output_dir)
+strlen(keymap)+48 > PATH_MAX)
{
-#ifdef DEBUG
ErrorF("compiler command for keymap (%s) exceeds max length\n",
names->keymap);
-#endif
return False;
}
#ifndef WIN32
@@ -294,10 +292,8 @@
+strlen(ERROR_PREFIX)+strlen(POST_ERROR_MSG1)
+strlen(xkm_output_dir)+strlen(keymap)+44 > PATH_MAX)
{
-#ifdef DEBUG
ErrorF("compiler command for keymap (%s) exceeds max length\n",
names->keymap);
-#endif
return False;
}
#ifndef WIN32
Index: programs/Xserver/xkb/xkbInit.c
diff -u programs/Xserver/xkb/xkbInit.c:1.1.1.2 X11/xc/programs/Xserver/xkb/xkbInit.c:1.3
--- programs/Xserver/xkb/xkbInit.c:1.1.1.2 Sat Mar 7 09:21:55 1998
+++ programs/Xserver/xkb/xkbInit.c Mon Jul 10 15:28:10 2000
@@ -24,7 +24,7 @@
THE USE OR PERFORMANCE OF THIS SOFTWARE.
********************************************************/
-/* $XFree86: xc/programs/Xserver/xkb/xkbInit.c,v 3.12.2.2 1998/02/24 13:20:07 dawes Exp $ */
+/* $XFree86: xc/programs/Xserver/xkb/xkbInit.c,v 3.12.2.3 2000/06/15 21:58:34 dawes Exp $ */
#include <stdio.h>
#include <stdlib.h>
@@ -915,8 +915,13 @@
#endif
else if (strncmp(argv[i], "-xkbmap", 7) == 0) {
if(++i < argc) {
- XkbInitialMap= argv[i];
- return 2;
+ if (strlen(argv[i]) < PATH_MAX) {
+ XkbInitialMap= argv[i];
+ return 2;
+ } else {
+ ErrorF("-xkbmap pathname too long\n");
+ return -1;
+ }
}
else {
return -1;
@@ -924,8 +929,13 @@
}
else if (strncmp(argv[i], "-xkbdb", 7) == 0) {
if(++i < argc) {
- XkbDB= argv[i];
- return 2;
+ if (strlen(argv[i]) < PATH_MAX) {
+ XkbDB= argv[i];
+ return 2;
+ } else {
+ ErrorF("-xkbdb pathname too long\n");
+ return -1;
+ }
}
else {
return -1;
Index: programs/xfs/os/waitfor.c
diff -u programs/xfs/os/waitfor.c:1.1 X11/xc/programs/xfs/os/waitfor.c:1.2
--- programs/xfs/os/waitfor.c:1.1 Fri Sep 5 03:16:07 1997
+++ programs/xfs/os/waitfor.c Mon Jul 10 15:32:38 2000
@@ -1,5 +1,5 @@
/* $XConsortium: waitfor.c /main/15 1996/08/30 14:22:34 kaleb $ */
-/* $XFree86: xc/programs/xfs/os/waitfor.c,v 3.5 1997/01/18 07:02:48 dawes Exp $ */
+/* $XFree86: xc/programs/xfs/os/waitfor.c,v 3.5.2.1 2000/06/15 21:58:35 dawes Exp $ */
/*
* waits for input
*/
@@ -212,7 +212,7 @@
while (clientsReadable.fds_bits[i]) {
curclient = ffs(clientsReadable.fds_bits[i]) - 1;
conn = ConnectionTranslation[curclient + (i << 5)];
- FD_CLR (curclient, &clientsReadable);
+ clientsReadable.fds_bits[i] &= ~(((fd_mask)1L) << curclient);
client = clients[conn];
if (!client)
continue;
--- programs/xauth/process.c.orig Fri Jul 23 15:50:50 1999
+++ programs/xauth/process.c Mon Sep 25 20:48:02 2000
@@ -769,21 +769,18 @@
static int write_auth_file (tmp_nam)
char *tmp_nam;
{
- FILE *fp;
+ FILE *fp = NULL;
AuthList *list;
-
+ int fd;
/*
* xdm and auth spec assumes auth file is 12 or fewer characters
*/
strcpy (tmp_nam, xauth_filename);
strcat (tmp_nam, "-n"); /* for new */
(void) unlink (tmp_nam);
- fp = fopen (tmp_nam, "wb"); /* umask is still set to 0077 */
- if (!fp) {
- fprintf (stderr, "%s: unable to open tmp file \"%s\"\n",
- ProgramName, tmp_nam);
- return -1;
- }
+ /* CPhipps 2000/02/12 - fix file unlink/fopen race */
+ fd = open(tmp_nam, O_WRONLY|O_CREAT|O_EXCL, 0600);
+ if (fd != -1) fp = fdopen(fd, "wb");
/*
* Write MIT-MAGIC-COOKIE-1 first, because R4 Xlib knows