Edit

IABSD.fr/xenocara/lib/libXi/src/XIint.h

Branch :

  • Show log

    Commit

  • Author : matthieu
    Date : 2013-05-23 22:42:07
    Hash : 52f6d0ba
    Message : Merge upstream fixes for several X libs vulnerabilities discovered by Ilja van Sprundel. CVE-2013-1981 X.org libX11 1.5.99.901 (1.6 RC1) integer overflows CVE-2013-1982 X.org libXext 1.3.1 integer overflows CVE-2013-1983 X.org libXfixes 5.0 integer overflows CVE-2013-1984 X.org libXi 1.7.1 integer overflows CVE-2013-1985 X.org libXinerama 1.1.2 integer overflows CVE-2013-1986 X.org libXrandr 1.4.0 integer overflows CVE-2013-1987 X.org libXrender 0.9.7 integer overflows CVE-2013-1988 X.org libXRes 1.0.6 integer overflows CVE-2013-1989 X.org libXv 1.0.7 integer overflows CVE-2013-1990 X.org libXvMC 1.0.7 integer overflows CVE-2013-1991 X.org libXxf86dga 1.1.3 integer overflows CVE-2013-1992 X.org libdmx 1.1.2 integer overflows CVE-2013-1994 X.org libchromeXvMC & libchromeXvMCPro in openChrome 0.3.2 integer overflows CVE-2013-1995 X.org libXi 1.7.1 sign extension issues CVE-2013-1996 X.org libFS 1.0.4 sign extension issues CVE-2013-1997 X.org libX11 1.5.99.901 (1.6 RC1) buffer overflows CVE-2013-1998 X.org libXi 1.7.1 buffer overflows CVE-2013-1999 X.org libXvMC 1.0.7 buffer overflows CVE-2013-2000 X.org libXxf86dga 1.1.3 buffer overflows CVE-2013-2001 X.org libXxf86vm 1.1.2 buffer overflows CVE-2013-2002 X.org libXt 1.1.3 buffer overflows CVE-2013-2003 X.org libXcursor 1.1.13 integer overflows CVE-2013-2004 X.org libX11 1.5.99.901 (1.6 RC1) unbounded recursion CVE-2013-2005 X.org libXt 1.1.3 memory corruption CVE-2013-2066 X.org libXv 1.0.7 buffer overflows

  • lib/libXi/src/XIint.h
  • /*
     *	XIint.h - Header definition and support file for the internal
     *	support routines used by the Xi library.
     */
    
    #ifndef _XIINT_H_
    #define _XIINT_H_
    #include <X11/extensions/XI.h>
    
    /* inputproto 2.0 still shipped with these defined in the proto headers */
    #ifndef XInput_Initial_Release
    /* Indices into the versions[] array (XExtInt.c). Used as a index to
     * retrieve the minimum version of XI from _XiCheckExtInit */
    #define Dont_Check			0
    #define XInput_Initial_Release		1
    #define XInput_Add_XDeviceBell		2
    #define XInput_Add_XSetDeviceValuators	3
    #define XInput_Add_XChangeDeviceControl	4
    #define XInput_Add_DevicePresenceNotify	5
    #define XInput_Add_DeviceProperties	6
    #define XInput_2_0			7
    #endif
    #define XInput_2_1			8
    #define XInput_2_2			9
    
    extern XExtDisplayInfo *XInput_find_display(Display *);
    
    extern int _XiCheckExtInit(Display *, int, XExtDisplayInfo *);
    extern int _XiCheckVersion(XExtDisplayInfo *info, int version_index);
    
    extern XExtensionVersion *_XiGetExtensionVersion(Display *, _Xconst char *, XExtDisplayInfo *);
    extern XExtensionVersion* _XiGetExtensionVersionRequest(Display *dpy, _Xconst char *name, int xi_opcode);
    extern Status _xiQueryVersion(Display *dpy, int*, int*, XExtDisplayInfo *);
    
    extern Status _XiEventToWire(
        register Display *		/* dpy */,
        register XEvent *		/* re */,
        register xEvent **		/* event */,
        register int *		/* count */
    );
    
    typedef struct _XInputData
    {
        XEvent data;
        XExtensionVersion *vers;
    } XInputData;
    
    
    /**
     * Returns the next valid memory block of the given size within the block
     * previously allocated.
     * Use letting pointers inside a struct point to bytes after the same
     * struct, e.g. during protocol parsing etc.
     *
     * Caller is responsible for allocating enough memory.
     *
     * Example:
     *    void *ptr;
     *    struct foo {
     *       int num_a;
     *       int num_b;
     *       int *a;
     *       int *b;
     *    } bar;
     *
     *    ptr = malloc(large_enough);
     *    bar = next_block(&ptr, sizeof(struct foo));
     *    bar->num_a = 10;
     *    bar->num_b = 20;
     *    bar->a = next_block(&ptr, bar->num_a);
     *    bar->b = next_block(&ptr, bar->num_b);
     */
    static inline void*
    next_block(void **ptr, int size) {
        void *ret = *ptr;
    
        if (!*ptr)
            return NULL;
    
        *(unsigned char**)ptr += size;
    
        return ret;
    }
    
    #ifndef HAVE__XEATDATAWORDS
    #include <X11/Xmd.h>  /* for LONG64 on 64-bit platforms */
    #include <limits.h>
    
    static inline void _XEatDataWords(Display *dpy, unsigned long n)
    {
    # ifndef LONG64
        if (n >= (ULONG_MAX >> 2))
            _XIOError(dpy);
    # endif
        _XEatData (dpy, n << 2);
    }
    #endif
    
    #endif