The CVE fix in:
commit 97015a07b9
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Wed Jan 22 22:37:15 2014 -0800
dix: integer overflow in RegionSizeof() [CVE-2014-8092 3/4]
offended the C++ demons:
../../include/regionstr.h:147:45: error: invalid conversion from 'void*' to
'pixman_region16_data_t* {aka pixman_region16_data*}' [-fpermissive]
Normally this isn't a problem, because around here we have the sense and
common decency to not use C++, but this does make tigervnc fail to build,
which is a little rude of us.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
RegionSizeof contains several integer overflows if a large length
value is passed in. Once we fix it to return 0 on overflow, we
also have to fix the callers to handle this error condition
v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
/usr/include/xorg/regionstr.h:130:36: warning: implicit conversion changes
signedness: 'int' to 'unsigned long' [-Wsign-conversion]
return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
^ ~
Really only just pushes the problem to the caller, but maybe that motivates
someone to fix it.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
This allocates a new region structure and copies a source region into
it in a single API rather than forcing the caller to do both steps themselves.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
This is strictly the application of the script 'x-indent-all.sh'
from util/modular. Compared to the patch that Daniel posted in
January, I've added a few indent flags:
-bap
-psl
-T PrivatePtr
-T pmWait
-T _XFUNCPROTOBEGIN
-T _XFUNCPROTOEND
-T _X_EXPORT
The typedefs were needed to make the output of sdksyms.sh match the
previous output, otherwise, the code is formatted badly enough that
sdksyms.sh generates incorrect output.
The generated code was compared with the previous version and found to
be essentially identical -- "assert" line numbers and BUILD_TIME were
the only differences found.
The comparison was done with this script:
dir1=$1
dir2=$2
for dir in $dir1 $dir2; do
(cd $dir && find . -name '*.o' | while read file; do
dir=`dirname $file`
base=`basename $file .o`
dump=$dir/$base.dump
objdump -d $file > $dump
done)
done
find $dir1 -name '*.dump' | while read dump; do
otherdump=`echo $dump | sed "s;$dir1;$dir2;"`
diff -u $dump $otherdump
done
Signed-off-by: Keith Packard <keithp@keithp.com>
Acked-by: Daniel Stone <daniel@fooishbar.org>
Acked-by: Alan Coopersmith <alan.coopersmith@oracle.com>
The interface to RegionInit():
RegionInit (RegionPtr pReg, BoxPtr rect, int size);
is very confusing because it doesn't take a list of boxes, it takes
*one* box, but if that box is NULL, it initializes an empty region
with 'size' rectangles preallocated.
Most callers of this function were correctly passing either NULL or
just one box, but there were three confused cases, where the code
seems to expect a region to be created from a list of boxes.
This patch adds a new function RegionInitBoxes() and fixes those
instances to call that instead.
And yes, the pixman function to initialize a region from a list of
boxes is called init_rects() because pixman is also awesome.
V2: Make RegionInitBoxes() return a Bool indicating whether the call
succeeded, and fix the callers to check this return value.
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Søren Sandmann <ssp@redhat.com>
This makes the region code changes source compatible with existing
code, although none of them are used within the server source itself.
Reviewed-by: Jamey Sharp <jamey@minilop.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
This makes all of the previous macros into inline functions and also
turns all of the direct calls to pixman region code into inline
functions as well.
Reviewed-by: Jamey Sharp <jamey@minilop.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
This is a combination of a huge mechanical patch and a few small
fixups required to finish the job. They were reviewed separately, but
because the server does not build without both pieces, I've merged
them together at this time.
The mechanical changes were performed by running the included
'fix-region' script over the whole tree:
$ git ls-files | grep -v '^fix-' | xargs ./fix-region
And then, the white space errors in the resulting patch were fixed
using the provided fix-patch-whitespace script.
$ sh ./fix-patch-whitespace
Thanks to Jamey Sharp for the mighty fine sed-generating sed script.
The hand-done changes involve removing functions from dix/region.c
that duplicate inline functions in include/regionstr.h, along with
their declarations in regionstr.h, mi.h and mispans.h.
Reviewed-by: Jamey Sharp <jamey@minilop.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
This prepares the file to be moved from mi to dix. This patch
was done mechanically with the included scripts 'fix-miregion' run over
the entire X server and 'fix-miregion-private' run over
include/regionstr.h and mi/miregion.c.
Reviewed-by: Jamey Sharp <jamey@minilop.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
The only remaining X-functions used in server are XNF*, the rest is converted to
plain alloc/calloc/realloc/free/strdup.
X* functions are still exported from server and x* macros are still defined in
header file, so both ABI and API are not affected by this change.
Signed-off-by: Mikhail Gusarov <dottedmag@dottedmag.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Save in a few special cases, _X_EXPORT should not be used in C source
files. Instead, it should be used in headers, and the proper C source
include that header. Some special cases are symbols that need to be
shared between modules, but not expected to be used by external drivers,
and symbols that are accessible via LoaderSymbol/dlopen.
This patch also adds conditionally some new sdk header files, depending
on extensions enabled. These files were added to match pattern for
other extensions/modules, that is, have the headers "deciding" symbol
visibility in the sdk. These headers are:
o Xext/panoramiXsrv.h, Xext/panoramiX.h
o fbpict.h (unconditionally)
o vidmodeproc.h
o mioverlay.h (unconditionally, used only by xaa)
o xfixes.h (unconditionally, symbols required by dri2)
LoaderSymbol and similar functions now don't have different prototypes,
in loaderProcs.h and xf86Module.h, so that both headers can be included,
without the need of defining IN_LOADER.
xf86NewInputDevice() device prototype readded to xf86Xinput.h, but
not exported (and with a comment about it).
Evaluating the address of a BoxRec as a boolean gives this warning:
i830_driver.c:2317: warning: the address of 'ScreenBox' will always
evaluate as 'true'
which is pretty annoying. This patch compares the address to NULL to
avoid the pointer->bool conversion and gets rid of the warning. Seems
like a lame hack, but the warning is worse.
Fix up prototypes for PrintChildren and PrintWindowTree in the dix.
Make miPrintRegion be unconditionally defined, and move the prototype into
regionstr.h.
Change a bunch of ScreenPtr pScreen = foo; to
ScreenPtr pScreen; pScreen = foo; in window.c, so we avoid unused variable
references (as inline REGION_* doesn't reference pScreen).
Add XSERV_t, TRANS_SERVER, TRANS_REOPEN to quash warnings.
Add #include <dix-config.h> or <xorg-config.h>, as appropriate, to all
source files in the xserver/xorg tree, predicated on defines of
HAVE_{DIX,XORG}_CONFIG_H. Change all Xfont includes to
<X11/fonts/foo.h>.
Adam Jackson
Alan Coopersmith
Peter Hutterer
Keith Packard
Søren Sandmann Pedersen
Mikhail Gusarov
Paulo Cesar Pereira de Andrade
Daniel Stone
Kristian Høgsberg
Soren Sandmann Pedersen
Adam Jackson
Adam Jackson
Zack Rusin
Stuart Kreitman
Egbert Eich
Kaleb Keithley