IABSD.fr/xenocara/lib/libXrandr/src/XrrOutput.c

Branch : - branch - master - tag -

• Show log

  Commit

• Author : matthieu
  Date : 2013-05-23 22:42:07
  Hash : 52f6d0ba
  Message : Merge upstream fixes for several X libs vulnerabilities discovered by Ilja van Sprundel. CVE-2013-1981 X.org libX11 1.5.99.901 (1.6 RC1) integer overflows CVE-2013-1982 X.org libXext 1.3.1 integer overflows CVE-2013-1983 X.org libXfixes 5.0 integer overflows CVE-2013-1984 X.org libXi 1.7.1 integer overflows CVE-2013-1985 X.org libXinerama 1.1.2 integer overflows CVE-2013-1986 X.org libXrandr 1.4.0 integer overflows CVE-2013-1987 X.org libXrender 0.9.7 integer overflows CVE-2013-1988 X.org libXRes 1.0.6 integer overflows CVE-2013-1989 X.org libXv 1.0.7 integer overflows CVE-2013-1990 X.org libXvMC 1.0.7 integer overflows CVE-2013-1991 X.org libXxf86dga 1.1.3 integer overflows CVE-2013-1992 X.org libdmx 1.1.2 integer overflows CVE-2013-1994 X.org libchromeXvMC & libchromeXvMCPro in openChrome 0.3.2 integer overflows CVE-2013-1995 X.org libXi 1.7.1 sign extension issues CVE-2013-1996 X.org libFS 1.0.4 sign extension issues CVE-2013-1997 X.org libX11 1.5.99.901 (1.6 RC1) buffer overflows CVE-2013-1998 X.org libXi 1.7.1 buffer overflows CVE-2013-1999 X.org libXvMC 1.0.7 buffer overflows CVE-2013-2000 X.org libXxf86dga 1.1.3 buffer overflows CVE-2013-2001 X.org libXxf86vm 1.1.2 buffer overflows CVE-2013-2002 X.org libXt 1.1.3 buffer overflows CVE-2013-2003 X.org libXcursor 1.1.13 integer overflows CVE-2013-2004 X.org libX11 1.5.99.901 (1.6 RC1) unbounded recursion CVE-2013-2005 X.org libXt 1.1.3 memory corruption CVE-2013-2066 X.org libXv 1.0.7 buffer overflows

• lib/libXrandr/src/XrrOutput.c

• /*
   * Copyright © 2006 Keith Packard
   * Copyright © 2008 Red Hat, Inc.
   *
   * Permission to use, copy, modify, distribute, and sell this software and its
   * documentation for any purpose is hereby granted without fee, provided that
   * the above copyright notice appear in all copies and that both that copyright
   * notice and this permission notice appear in supporting documentation, and
   * that the name of the copyright holders not be used in advertising or
   * publicity pertaining to distribution of the software without specific,
   * written prior permission.  The copyright holders make no representations
   * about the suitability of this software for any purpose.  It is provided "as
   * is" without express or implied warranty.
   *
   * THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
   * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
   * EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR
   * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
   * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
   * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
   * OF THIS SOFTWARE.
   */
  
  #ifdef HAVE_CONFIG_H
  #include <config.h>
  #endif
  
  #include <stdio.h>
  #include <X11/Xlib.h>
  /* we need to be able to manipulate the Display structure on events */
  #include <X11/Xlibint.h>
  #include <X11/extensions/render.h>
  #include <X11/extensions/Xrender.h>
  #include "Xrandrint.h"
  
  #define OutputInfoExtra	(SIZEOF(xRRGetOutputInfoReply) - 32)
  
  XRROutputInfo *
  XRRGetOutputInfo (Display *dpy, XRRScreenResources *resources, RROutput output)
  {
      XExtDisplayInfo		*info = XRRFindDisplay(dpy);
      xRRGetOutputInfoReply	rep;
      xRRGetOutputInfoReq		*req;
      int				nbytes, nbytesRead, rbytes;
      XRROutputInfo		*xoi;
  
      RRCheckExtension (dpy, info, NULL);
  
      LockDisplay (dpy);
      GetReq (RRGetOutputInfo, req);
      req->reqType = info->codes->major_opcode;
      req->randrReqType = X_RRGetOutputInfo;
      req->output = output;
      req->configTimestamp = resources->configTimestamp;
  
      if (!_XReply (dpy, (xReply *) &rep, OutputInfoExtra >> 2, xFalse))
      {
  	UnlockDisplay (dpy);
  	SyncHandle ();
  	return NULL;
      }
  
      nbytes = ((long) (rep.length) << 2) - OutputInfoExtra;
  
      nbytesRead = (long) (rep.nCrtcs * 4 +
  			 rep.nModes * 4 +
  			 rep.nClones * 4 +
  			 ((rep.nameLength + 3) & ~3));
  
      /*
       * first we must compute how much space to allocate for
       * randr library's use; we'll allocate the structures in a single
       * allocation, on cleanlyness grounds.
       */
  
      rbytes = (sizeof (XRROutputInfo) +
  	      rep.nCrtcs * sizeof (RRCrtc) +
  	      rep.nModes * sizeof (RRMode) +
  	      rep.nClones * sizeof (RROutput) +
  	      rep.nameLength + 1);	    /* '\0' terminate name */
  
      xoi = (XRROutputInfo *) Xmalloc(rbytes);
      if (xoi == NULL) {
  	_XEatDataWords (dpy, rep.length - (OutputInfoExtra >> 2));
  	UnlockDisplay (dpy);
  	SyncHandle ();
  	return NULL;
      }
  
      xoi->timestamp = rep.timestamp;
      xoi->crtc = rep.crtc;
      xoi->mm_width = rep.mmWidth;
      xoi->mm_height = rep.mmHeight;
      xoi->connection = rep.connection;
      xoi->subpixel_order = rep.subpixelOrder;
      xoi->ncrtc = rep.nCrtcs;
      xoi->crtcs = (RRCrtc *) (xoi + 1);
      xoi->nmode = rep.nModes;
      xoi->npreferred = rep.nPreferred;
      xoi->modes = (RRMode *) (xoi->crtcs + rep.nCrtcs);
      xoi->nclone = rep.nClones;
      xoi->clones = (RROutput *) (xoi->modes + rep.nModes);
      xoi->name = (char *) (xoi->clones + rep.nClones);
  
      _XRead32 (dpy, xoi->crtcs, rep.nCrtcs << 2);
      _XRead32 (dpy, xoi->modes, rep.nModes << 2);
      _XRead32 (dpy, xoi->clones, rep.nClones << 2);
  
      /*
       * Read name and '\0' terminate
       */
      _XReadPad (dpy, xoi->name, rep.nameLength);
      xoi->name[rep.nameLength] = '\0';
      xoi->nameLen = rep.nameLength;
  
      /*
       * Skip any extra data
       */
      if (nbytes > nbytesRead)
  	_XEatData (dpy, (unsigned long) (nbytes - nbytesRead));
  
      UnlockDisplay (dpy);
      SyncHandle ();
      return (XRROutputInfo *) xoi;
  }
  
  void
  XRRFreeOutputInfo (XRROutputInfo *outputInfo)
  {
      Xfree (outputInfo);
  }
  
  static Bool
  _XRRHasOutputPrimary (int major, int minor)
  {
      return major > 1 || (major == 1 && minor >= 3);
  }
  
  void
  XRRSetOutputPrimary(Display *dpy, Window window, RROutput output)
  {
      XExtDisplayInfo	    *info = XRRFindDisplay(dpy);
      xRRSetOutputPrimaryReq  *req;
      int			    major_version, minor_version;
  
      RRSimpleCheckExtension (dpy, info);
  
      if (!XRRQueryVersion (dpy, &major_version, &minor_version) ||
  	!_XRRHasOutputPrimary (major_version, minor_version))
  	return;
  
      LockDisplay(dpy);
      GetReq (RRSetOutputPrimary, req);
      req->reqType       = info->codes->major_opcode;
      req->randrReqType  = X_RRSetOutputPrimary;
      req->window        = window;
      req->output	       = output;
  
      UnlockDisplay (dpy);
      SyncHandle ();
  }
  
  RROutput
  XRRGetOutputPrimary(Display *dpy, Window window)
  {
      XExtDisplayInfo	    *info = XRRFindDisplay(dpy);
      xRRGetOutputPrimaryReq  *req;
      xRRGetOutputPrimaryReply rep;
      int			    major_version, minor_version;
  
      RRCheckExtension (dpy, info, 0);
  
      if (!XRRQueryVersion (dpy, &major_version, &minor_version) ||
  	!_XRRHasOutputPrimary (major_version, minor_version))
  	return None;
  
      LockDisplay(dpy);
      GetReq (RRGetOutputPrimary, req);
      req->reqType	= info->codes->major_opcode;
      req->randrReqType	= X_RRGetOutputPrimary;
      req->window		= window;
  
      if (!_XReply (dpy, (xReply *) &rep, 0, xFalse))
  	rep.output = None;
  
      UnlockDisplay(dpy);
      SyncHandle();
  
      return rep.output;
  }