This is an automated email from the git hooks/post-receive script. x2go pushed a change to branch CVE-2015-0255 in repository nx-libs. at a1cd16d xkb: Don't swap XkbSetGeometry data in the input buffer This branch includes the following new commits: new dc596f0 Do proper input validation to fix for CVE-2011-2895. new a1cd16d xkb: Don't swap XkbSetGeometry data in the input buffer The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "adds" were already present in the repository and have only been added to this reference. -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch CVE-2015-0255 in repository nx-libs. commit dc596f07319a123dc59e16a4485d9fc1523dbf82 Author: Joerg Sonnenberger <joerg@britannica.bec.de> Date: Sun Aug 21 18:51:53 2011 +0200 Do proper input validation to fix for CVE-2011-2895. It ensures that all valid input can be decompressed, checks that the overflow conditions doesn't happen and generally tightens the validation of the LZW stream and doesn't pessimize the inner loop for no good reason. It's derived from a change in libarchive from 2004. v2: backports to nx-libs 3.6.x (Mihai Moldovan) v3: fix comment lines starting with "+" + whitespace fixes (Mike Gabriel) Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> Reviewed-by: Tomas Hoger <thoger@redhat.com> --- nx-X11/lib/font/fontfile/decompress.c | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/nx-X11/lib/font/fontfile/decompress.c b/nx-X11/lib/font/fontfile/decompress.c index 553b315..c7e649f 100644 --- a/nx-X11/lib/font/fontfile/decompress.c +++ b/nx-X11/lib/font/fontfile/decompress.c @@ -99,7 +99,7 @@ static char_type magic_header[] = { "\037\235" }; /* 1F 9D */ #define FIRST 257 /* first free entry */ #define CLEAR 256 /* table clear output code */ -#define STACK_SIZE 8192 +#define STACK_SIZE 65300 typedef struct _compressedFILE { BufFilePtr file; @@ -180,14 +180,12 @@ BufFilePushCompressed (BufFilePtr f) file->tab_suffix[code] = (char_type) code; } file->free_ent = ((file->block_compress) ? FIRST : 256 ); + file->oldcode = -1; file->clear_flg = 0; file->offset = 0; file->size = 0; file->stackp = file->de_stack; bzero(file->buf, BITS); - file->finchar = file->oldcode = getcode (file); - if (file->oldcode != -1) - *file->stackp++ = file->finchar; return BufFileCreate ((char *) file, BufCompressedFill, 0, 
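Review bot: `STACK_SIZE` is now the bare literal 65300, and its relation to `BITS` is stated only in a comment inside the later `@@ -243,26` hunk, which also removes the `stackp - de_stack >= STACK_SIZE - 1` check from the decode loop. After this commit, writes stay inside `de_stack` only if this number is at least the bound that comment derives, so the constraint belongs next to the define, for example `/* must hold (1 << BITS) - 256 chained bytes plus the KwKwK byte; BufCompressedFill no longer checks stackp */`. Deriving the value from `BITS` (defined outside this hunk) rather than hard-coding it would keep the two from drifting apart.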
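Review bot: `file->finchar` is no longer assigned in the visible part of this initialiser, because the removed `file->finchar = file->oldcode = getcode (file);` was its only assignment here. The new flow in BufCompressedFill appears to set `finchar` before the KwKwK path can read it, but if the structure is not zero-allocated (the allocation is outside the hunk) the field starts with an indeterminate value. Adding `file->finchar = 0;` beside `file->oldcode = -1;` makes the initial decoder state explicit. The start of BufFilePushCompressed and the end of the `BufFileCreate` call lie outside the hunk.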
@@ -232,9 +230,6 @@ BufCompressedFill (BufFilePtr f) if (buf == bufend) break; - if (oldcode == -1) - break; - code = getcode (file); if (code == -1) break; @@ -243,26 +238,34 @@ BufCompressedFill (BufFilePtr f) for ( code = 255; code >= 0; code-- ) file->tab_prefix[code] = 0; file->clear_flg = 1; - file->free_ent = FIRST - 1; - if ( (code = getcode (file)) == -1 ) /* O, untimely death! */ - break; + file->free_ent = FIRST; + oldcode = -1; + continue; } incode = code; /* * Special case for KwKwK string. */ if ( code >= file->free_ent ) { + if ( code > file->free_ent || oldcode == -1 ) { + /* Bad stream. */ + return BUFFILEEOF; + } *stackp++ = finchar; code = oldcode; } - + /* + * The above condition ensures that code < free_ent. + * The construction of tab_prefixof in turn guarantees that + * each iteration decreases code and therefore stack usage is + * bound by 1 << BITS - 256. + */ + /* * Generate output characters in reverse order */ while ( code >= 256 ) { - if (stackp - de_stack >= STACK_SIZE - 1) - return BUFFILEEOF; *stackp++ = file->tab_suffix[code]; code = file->tab_prefix[code]; } @@ -272,7 +275,7 @@ BufCompressedFill (BufFilePtr f) /* * Generate the new entry. */ - if ( (code=file->free_ent) < file->maxmaxcode ) { + if ( (code=file->free_ent) < file->maxmaxcode && oldcode != -1) { file->tab_prefix[code] = (unsigned short)oldcode; file->tab_suffix[code] = finchar; file->free_ent = code+1; -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
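Review bot: The comment added before the output loop in the `@@ -243,26` hunk is imprecise in two places, and it now carries the whole bounds argument because the `stackp - de_stack >= STACK_SIZE - 1` check is removed. Read as C, `1 << BITS - 256` parses as `1 << (BITS - 256)`, so it should be written `(1 << BITS) - 256`. It also names `tab_prefixof`, while the code in this hunk indexes `file->tab_prefix`. The CLEAR branch zeroes only entries 0–255, so the comment should also say that stale entries above `FIRST` stay unreachable only because `code > file->free_ent` is rejected. BufCompressedFill begins and ends outside these hunks, so the `finchar` push after the loop should be checked against the same bound.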
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch CVE-2015-0255 in repository nx-libs. commit a1cd16d6d05b197fff110d26b458d8bd6cf3c560 Author: Olivier Fourdan <ofourdan@redhat.com> Date: Fri Jan 16 20:08:59 2015 +0100 xkb: Don't swap XkbSetGeometry data in the input buffer The XkbSetGeometry request embeds data which needs to be swapped when the server and the client have different endianess. _XkbSetGeometry() invokes functions that swap these data directly in the input buffer. However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once (if there is more than one keyboard), thus causing on swapped clients the same data to be swapped twice in memory, further causing a server crash because the strings lengths on the second time are way off bounds. To allow _XkbSetGeometry() to run reliably more than once with swapped clients, do not swap the data in the buffer, use variables instead. v3: backport to nx-libs 3.6.x (Mike DePaulo) Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd) (cherry picked from commit 29be310c303914090298ddda93a5bd5d00a94945) Signed-off-by: Julien Cristau <jcristau@debian.org> index 2405090..7db0959 100644 --- nx-X11/programs/Xserver/xkb/xkb.c | 35 +++++++++++++++++++---------------- 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/nx-X11/programs/Xserver/xkb/xkb.c b/nx-X11/programs/Xserver/xkb/xkb.c index 2405090..7db0959 100644 --- a/nx-X11/programs/Xserver/xkb/xkb.c +++ b/nx-X11/programs/Xserver/xkb/xkb.c 
@@ -4441,15 +4441,14 @@ static char * _GetCountedString(char **wire_inout,Bool swap) { char * wire,*str; -CARD16 len,*plen; +CARD16 len; wire= *wire_inout; - plen= (CARD16 *)wire; + len= (CARD16 *)wire; if (swap) { register int n; - swaps(plen,n); + swaps(&len, n); } - len= *plen; str= (char *)_XkbAlloc(len+1); if (str) { memcpy(str,&wire[2],len); @@ -4468,26 +4467,29 @@ _CheckSetDoodad( char ** wire_inout, { char * wire; xkbDoodadWireDesc * dWire; +xkbAnyDoodadWireDesc any; +xkbTextDoodadWireDesc text; XkbDoodadPtr doodad; dWire= (xkbDoodadWireDesc *)(*wire_inout); + any = dWire->any; wire= (char *)&dWire[1]; if (client->swapped) { register int n; - swapl(&dWire->any.name,n); - swaps(&dWire->any.top,n); - swaps(&dWire->any.left,n); - swaps(&dWire->any.angle,n); + swapl(&any.name, n); + swaps(&any.top, n); + swaps(&any.left, n); + swaps(&any.angle, n); } CHK_ATOM_ONLY(dWire->any.name); - doodad= XkbAddGeomDoodad(geom,section,dWire->any.name); + doodad = XkbAddGeomDoodad(geom, section, any.name); if (!doodad) return BadAlloc; doodad->any.type= dWire->any.type; doodad->any.priority= dWire->any.priority; - doodad->any.top= dWire->any.top; - doodad->any.left= dWire->any.left; - doodad->any.angle= dWire->any.angle; + doodad->any.top = any.top; + doodad->any.left = any.left; + doodad->any.angle = any.angle; switch (doodad->any.type) { case XkbOutlineDoodad: case XkbSolidDoodad: 
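Review bot: `len= (CARD16 *)wire;` in `_GetCountedString` assigns the pointer itself, converted to `CARD16`, instead of the 16-bit length stored at `wire`; the dereference was lost when `plen` was removed. `_XkbAlloc(len+1)` and `memcpy(str,&wire[2],len)` then work with a value derived from the buffer address, so the copy can run past the request data. The line should read `len = *(CARD16 *)wire;`. Even with that fix, the visible lines do not compare `len` with the bytes remaining in the request. The rest of the function is outside the hunk, so confirm whether a bound is applied there or by the callers; the `@@ -4510,13` hunk calls it twice.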
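Review bot: `CHK_ATOM_ONLY(dWire->any.name);` in `_CheckSetDoodad` still validates the unswapped wire field, while the next line passes the swapped copy `any.name` to `XkbAddGeomDoodad`. Since the swap no longer happens in place, a byte-swapped client has one atom checked and a different one used. The check should become `CHK_ATOM_ONLY(any.name);`. The function begins before this hunk and continues past it.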
@@ -4510,13 +4512,14 @@ XkbDoodadPtr doodad; dWire->text.colorNdx); return BadMatch; } + text = dWire->text; if (client->swapped) { register int n; - swaps(&dWire->text.width,n); - swaps(&dWire->text.height,n); + swaps(&text.width, n); + swaps(&text.height, n); } - doodad->text.width= dWire->text.width; - doodad->text.height= dWire->text.height; + doodad->text.width= text.width; + doodad->text.height= text.height; doodad->text.color_ndx= dWire->text.colorNdx; doodad->text.text= _GetCountedString(&wire,client->swapped); doodad->text.font= _GetCountedString(&wire,client->swapped); -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git