- Jul 01, 2019
-
-
Samuel Thibault authored
-
- Jun 26, 2019
-
-
Colomban Wendling authored
-
- Nov 16, 2018
-
-
Samuel Thibault authored
-
Samuel Thibault authored
-
- Oct 31, 2018
-
-
Andreas Boll authored
Fixes various blending issues with kwin and Mesa >= 18.0 (i.e. Mesa from stretch-backports) (Closes: #908601). Thanks to Nicholas D Steeves and Robert Trebula for testing!
-
- Oct 25, 2018
-
-
Julien Cristau authored
-
- Oct 15, 2018
-
-
Julien Cristau authored
-
- Jun 15, 2018
-
-
Samuel Thibault authored
Fixes grab in qemu&virtualbox.
-
Samuel Thibault authored
-
- Oct 16, 2017
-
-
Julien Cristau authored
-
- Oct 13, 2017
-
-
Julien Cristau authored
-
ProcRenderCreateRadialGradient and ProcRenderCreateConicalGradient must be protected against an integer overflow during length check. This is already included in ProcRenderCreateLinearGradient since the fix for CVE-2008-2362. This can only be successfully exploited on a 32 bit system for an out of boundary read later on. Validated by using ASAN. Reviewed-by:
Adam Jackson <ajax@redhat.com> (cherry picked from commit ac15d4ce)
-
Julien Cristau authored
-
Reviewed-by:
Julien Cristau <jcristau@debian.org> Signed-off-by:
Nathan Kidd <nkidd@opentext.com> Signed-off-by:
-
v2: Protect against integer overflow (Alan Coopersmith) Reviewed-by:
Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by:
Jeremy Huddleston Sequoia <jeremyhu@apple.com> Reviewed-by:
-
Reviewed-by:
-
[jcristau: originally this patch fixed the same issue as commit 211e05ac "Xi: Test exact size of XIBarrierReleasePointer", with the addition of these checks] This addresses CVE-2017-12179 Reviewed-by:
-
This addresses: CVE-2017-12180 in XFree86-VidModeExtension CVE-2017-12181 in XFree86-DGA CVE-2017-12182 in XFree86-DRI Reviewed-by:
-
v2: Use before swap (Jeremy Huddleston Sequoia) v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith) Reviewed-by:
-
v2: Add overflow check and remove unnecessary check (Julien Cristau) This addresses: CVE-2017-12184 in XINERAMA CVE-2017-12185 in MIT-SCREEN-SAVER CVE-2017-12186 in X-Resource CVE-2017-12187 in RENDER Reviewed-by:
-
A client can send a big request where the 32B "length" field has value 0. When the big request header is removed and the length corrected, the value will underflow to 0xFFFFFFFF. Functions processing the request later will think that the client sent much more data and may touch memory beyond the receive buffer. Signed-off-by:
Eric Anholt <eric@anholt.net> Reviewed-by:
Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 9c236850)
-
Generating strings for XKB data used a single shared static buffer, which offered several opportunities for errors. Use a ring of resizable buffers instead, to avoid problems when strings end up longer than anticipated. Reviewed-by:
Michal Srb <msrb@suse.com> Signed-off-by:
Keith Packard <keithp@keithp.com> Signed-off-by:
-
XkbStringText escapes non-printable characters using octal numbers. Such escape sequence would be at most 5 characters long ("\0123"), so it reserves 5 bytes in the buffer. Due to char->unsigned int conversion, it would print much longer string for negative numbers. Reviewed-by: -
Otherwise it can belong to a non-existing client and abort X server with FatalError "client not in use", or overwrite existing segment of another existing client. Signed-off-by:
-
Otherwise a client can send any value of num_barriers and cause reading or swapping of values on heap behind the receive buffer. Signed-off-by:
-
Julien Cristau authored
-
- Mar 03, 2017
-
-
Emilio Pozuelo Monfort authored
-
Emilio Pozuelo Monfort authored
-
Emilio Pozuelo Monfort authored
-
Emilio Pozuelo Monfort authored
-
- Mar 02, 2017
-
-
Adam Jackson authored
Signed-off-by: -
Adam Jackson authored
Signed-off-by: -
Adam Jackson authored
timingsafe_memcmp.c:21:1: warning: no previous prototype for ‘timingsafe_memcmp’ [-Wmissing-prototypes] timingsafe_memcmp(const void *b1, const void *b2, size_t len) Signed-off-by:
-
Adam Jackson authored
Apparently I need to fight make distcheck some more, so let's not pretend this is released yet. This reverts commit 0b4112bc.
-
Adam Jackson authored
Signed-off-by: -
Olivier Fourdan authored
keyboard_check_repeat() fetches the XWayland seat from the dev->public.devicePrivate do do its thing. If a key event is sent programmatically through Xtest, our device is the virtual core keyboard and that has a dev->public.devicePrivate of NULL, leading to a segfault in keyboard_check_repeat(). This is the case with "antimicro" which sends key events based on the joystick buttons. Don't set the checkRepeat handler on the VCK since it cannot possibly work anyway and it has no effect on the actual checkRepeat intended functionality. Bugzilla: https://bugzilla.redhat.com/1416244 Signed-off-by:
Olivier Fourdan <ofourdan@redhat.com> Reviewed-by:
-
Olivier Fourdan authored
During the InitInput() phase, the wayland events get dequeued so we can possibly end up calling dispatch_pointer_motion_event(). If this occurs before xwl_seat->focus_window is set, it leads to a NULL pointer derefence and a segfault. Check for xwl_seat->focus_window in both pointer_handle_frame() and relative_pointer_handle_relative_motion() prior to calling dispatch_pointer_motion_event() like it's done in pointer_handle_motion(). Bugzilla: https://bugzilla.redhat.com/1410804 Signed-off-by:
-
- Mar 01, 2017
-
-
Matthieu Herrb authored
- typo in #ifdef check - also need to add AC_CHECK_FUNCS([arc4random_buf]) Reported-by Eric Engestrom. Thanks Reviewed-by:
Matthieu Herrb <matthieu@herrb.eu> (cherry picked from commit 386fbbe4)
-
- Feb 28, 2017
-
-
Matthieu Herrb authored
And the current code for MitToId has a use-after-free() issue. [Also remove the actual implementations - ajax] Signed-off-by:
-
Matthieu Herrb authored
Reviewed-by:
-
