summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2013-05-23integer overflow in XIGetSelectedEvents() [CVE-2013-1984 6/8]Alan Coopersmith1-6/+19
If the number of events or masks reported by the server is large enough that it overflows when multiplied by the size of the appropriate struct, or the sizes overflow as they are totaled up, then memory corruption can occur when more bytes are copied from the X server reply than the size of the buffer we allocated to hold them. v2: check that reply size fits inside the data read from the server, so that we don't read out of bounds either Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-23integer overflow in XIGetProperty() [CVE-2013-1984 5/8]Alan Coopersmith1-4/+7
If the number of items reported by the server is large enough that it overflows when multiplied by the size of the appropriate item type, then memory corruption can occur when more bytes are copied from the X server reply than the size of the buffer we allocated to hold them. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-23integer overflow in XGetDeviceMotionEvents() [CVE-2013-1984 4/8]Alan Coopersmith1-5/+17
If the number of events or axes reported by the server is large enough that it overflows when multiplied by the size of the appropriate struct, then memory corruption can occur when more bytes are copied from the X server reply than the size of the buffer we allocated to hold them. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-23integer overflow in XGetDeviceDontPropagateList() [CVE-2013-1984 3/8]Alan Coopersmith1-3/+5
If the number of event classes reported by the server is large enough that it overflows when multiplied by the size of the appropriate struct, then memory corruption can occur when more bytes are copied from the X server reply than the size of the buffer we allocated to hold them. V2: EatData if count is 0 but length is > 0 to avoid XIOErrors Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-23integer overflow in XGetFeedbackControl() [CVE-2013-1984 2/8]Alan Coopersmith1-5/+19
If the number of feedbacks reported by the server is large enough that it overflows when multiplied by the size of the appropriate struct, or if the total size of all the feedback structures overflows when added together, then memory corruption can occur when more bytes are copied from the X server reply than the size of the buffer we allocated to hold them. v2: check that reply size fits inside the data read from the server, so we don't read out of bounds either Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-23integer overflow in XGetDeviceControl() [CVE-2013-1984 1/8]Alan Coopersmith1-7/+24
If the number of valuators reported by the server is large enough that it overflows when multiplied by the size of the appropriate struct, then memory corruption can occur when more bytes are copied from the X server reply than the size of the buffer we allocated to hold them. v2: check that reply size fits inside the data read from the server, so we don't read out of bounds either Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-23unvalidated lengths in XQueryDeviceState() [CVE-2013-1998 3/3]Alan Coopersmith1-5/+12
If the lengths given for each class state in the reply add up to more than the rep.length, we could read past the end of the buffer allocated to hold the data read from the server. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-23memory corruption in _XIPassiveGrabDevice() [CVE-2013-1998 2/3]Alan Coopersmith1-1/+1
If the server returned more modifiers than the caller asked for, we'd just keep copying past the end of the array provided by the caller, writing over who-knows-what happened to be there. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-23Stack buffer overflow in XGetDeviceButtonMapping() [CVE-2013-1998 1/3]Alan Coopersmith1-8/+13
We copy the entire reply sent by the server into the fixed size mapping[] array on the stack, even if the server says it's a larger size than the mapping array can hold. HULK SMASH STACK! Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-23Use _XEatDataWords to avoid overflow of rep.length bit shiftingAlan Coopersmith15-20/+36
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-05-20Copy the sequence number into the target event too (#64687)Peter Hutterer1-0/+9
X.Org Bug 64687 <http://bugs.freedesktop.org/show_bug.cgi?id=64687> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Jasper St. Pierre <jstpierre@mecheye.net>
2013-04-30Expand comment on the memory vs. reply ordering in XIGetSelectedEvents()Alan Coopersmith1-2/+8
Unpacking from the wire involves un-interleaving the structs & masks, which wasn't obvious to me the first time I read it, so make notes before I forget again. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-04-05libXi 1.7.1libXi-1.7.1Peter Hutterer1-1/+1
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-04-05Require XFixes for PointerBarrier, remove duplicate typedefPeter Hutterer4-2/+5
The PointerBarrier typedef is duplicate if a client includes both Xfixes.h and XInput2.h. gcc 4.6 won't complain about that, but earlier versions do: http://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=ce3765bf44e49ef0568a1ad4a0b7f807591d6412 gcc 4.6 with -pedantic-errors shows: /opt/xorg/include/X11/extensions/XInput2.h:172:13: error: redefinition of typedef ‘PointerBarrier’ [-pedantic] In file included from test.c:1:0: /opt/xorg/include/X11/extensions/Xfixes.h:255:13: note: previous declaration of ‘PointerBarrier’ was here Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Julien Cristau <jcristau@debian.org>
2013-03-07libXi 1.7libXi-1.7Peter Hutterer1-1/+1
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-01-15autogen.sh: Implement GNOME Build APIColin Walters1-1/+3
http://people.gnome.org/~walters/docs/build-api.txt Signed-off-by: Adam Jackson <ajax@redhat.com>
2013-01-15configure: Remove AM_MAINTAINER_MODEAdam Jackson1-1/+0
Signed-off-by: Adam Jackson <ajax@redhat.com>
2013-01-15Add missing XI_RawTouch* in XInputCopyCookieBenjamin Tissoires1-0/+3
Looks like XI_RawTouch* events are missing in the big switch in this function. When running XIT tests for multitouch devices, several following errors appears: XInputCopyCookie: Failed to copy evtype 22 XInputCopyCookie: Failed to copy evtype 23 XInputCopyCookie: Failed to copy evtype 24 Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2012-12-26libXi 1.6.99.1libXi-1.6.99.1Peter Hutterer1-1/+1
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2012-12-17Merge branch 'barriers'Peter Hutterer8-3/+274
2012-12-09man: add man-page for XIBarrierReleasePointerPeter Hutterer2-0/+79
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2012-12-09Add support for pointer barrier eventsJasper St. Pierre6-2/+194
Signed-off-by: Jasper St. Pierre <jstpierre@mecheye.net> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2012-12-09Bump to 1.6.99Peter Hutterer1-1/+1
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2012-12-10Fix const compiler warningsPeter Hutterer1-2/+2
XExtInt.c:80:38: warning: initialization discards 'const' qualifier from pointer target type [enabled by default] XExtInt.c:150:5: warning: initialization discards 'const' qualifier from pointer target type [enabled by default] XExtInt.c:151:5: warning: initialization discards 'const' qualifier from pointer target type [enabled by default] XExtInt.c:152:5: warning: initialization discards 'const' qualifier from pointer target type [enabled by default] XExtInt.c:153:5: warning: initialization discards 'const' qualifier from pointer target type [enabled by default] XExtInt.c:154:5: warning: initialization discards 'const' qualifier from pointer target type [enabled by default] Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Dan Nicholson <dbn.lists@gmail.com>
2012-12-10Fix compiler warningsPeter Hutterer4-41/+15
XIQueryVersion.c: In function '_xiQueryVersion': XIQueryVersion.c:63:26: warning: declaration of 'info' shadows a parameter [-Wshadow] XIQueryVersion.c:53:73: warning: shadowed declaration is here [-Wshadow] XExtInt.c: In function 'XInputWireToEvent': XExtInt.c:823:25: warning: declaration of 'i' shadows a previous local [-Wshadow] XExtInt.c:502:18: warning: shadowed declaration is here [-Wshadow] XExtInt.c:850:25: warning: declaration of 'i' shadows a previous local [-Wshadow] XExtInt.c:502:18: warning: shadowed declaration is here [-Wshadow] In file included from XExtInt.c:64:0: ../include/X11/extensions/XInput.h:166:17: note: previous declaration of '_xidevicebusy' was here XExtInt.c:101:12: warning: redundant redeclaration of '_XiGetDevicePresenceNotifyEvent' [-Wredundant-decls] XExtInt.c:76:13: warning: redundant redeclaration of '_xibaddevice' [-Wredundant-decls] In file included from XExtInt.c:64:0: ../include/X11/extensions/XInput.h:162:17: note: previous declaration of '_xibaddevice' was here XExtInt.c:81:13: warning: redundant redeclaration of '_xibadclass' [-Wredundant-decls] In file included from XExtInt.c:64:0: ../include/X11/extensions/XInput.h:163:17: note: previous declaration of '_xibadclass' was here XExtInt.c:86:13: warning: redundant redeclaration of '_xibadevent' [-Wredundant-decls] In file included from XExtInt.c:64:0: ../include/X11/extensions/XInput.h:164:17: note: previous declaration of '_xibadevent' was here XExtInt.c:91:13: warning: redundant redeclaration of '_xibadmode' [-Wredundant-decls] In file included from XExtInt.c:64:0: ../include/X11/extensions/XInput.h:165:17: note: previous declaration of '_xibadmode' was here XExtInt.c:96:13: warning: redundant redeclaration of '_xidevicebusy' [-Wredundant-decls] In file included from XExtInt.c:64:0: ../include/X11/extensions/XInput.h:166:17: note: previous declaration of '_xidevicebusy' was here XListDev.c: In function 'ParseClassInfo': XListDev.c:116:33: warning: declaration of 'k' shadows a previous local [-Wshadow] XListDev.c:109:12: warning: shadowed declaration is here [-Wshadow] XGetFCtl.c: In function 'XGetFeedbackControl': XGetFCtl.c:184:26: warning: declaration of 'i' shadows a previous local [-Wshadow] XGetFCtl.c:72:17: warning: shadowed declaration is here [-Wshadow] Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Dan Nicholson <dbn.lists@gmail.com>
2012-11-09man: add generation of missing man pages for XIGrabTouchBeginPeter Hutterer2-4/+5
The man page itself already contained the description, but it was missing from NAME so the shadow man pages were not generated. Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Chase Douglas <chase.douglas@ubuntu.com>
2012-10-11man: fix formatting issues in XGetDeviceControl(3)Peter Hutterer1-4/+8
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2012-05-03libXi 1.6.1libXi-1.6.1Peter Hutterer1-1/+1
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2012-04-23man: update XIQueryVersion for current server behaviourPeter Hutterer1-1/+5
XIQueryVersion(v1); XIQueryVersion(v2); is now ok as long as v1 <= v2. Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
2012-04-23Destroy extension record after last display is removedChase Douglas1-1/+10
The extension record is currently leaked and never freed. Signed-off-by: Chase Douglas <chase.douglas@canonical.com> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2012-03-26Set the RawEvent sourceid (#34240)Peter Hutterer1-5/+9
XI 2.2 and later include the sourceid in raw events. X.Org Bug 34240 <http://bugs.freedesktop.org/show_bug.cgi?id=34240> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Chase Douglas <chase.douglas@canonical.com>
2012-03-26Move version comparison into a helper function.Peter Hutterer2-10/+42
No functional changes, this simply introduces a version helper function that returns -1, 0 or 1 depending on the version comparison result. To be used internally only. Needed for fix to #34240 Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Chase Douglas <chase.douglas@canonical.com>
2012-03-15Fix wrong button label and mask copy on OS XPeter Hutterer1-2/+8
Regression introduced in c1a5a70b51f12dedf354102217c7cd4247ed3a4b. If double-padding is applied, the length of the mask on the wire may be smaller than libXi's mask_len. When copying, only the wire length must be copied, with the remainder set to 0. When advancing to the button labels, the wire length matters, not libXi's internal length. Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com> Tested-by: Jeremy Huddleston <jeremyhu@apple.com>
2012-03-08libXi 1.6.0libXi-1.6.0Peter Hutterer1-1/+1
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2012-03-08Fix XIScrollClass increment value on 32-bit machinesChase Douglas1-1/+1
This fixes scroll class increment values on 32-bit machines. Performing 1UL << 32 shifts the bit off the end of a 32-bit unsigned long value. By expanding to 1ULL, we have the full 64-bits of an unsigned long long including on 32-bit machines. Before this change, xinput list --long would output scroll increment values of -nan. Signed-off-by: Chase Douglas <chase.douglas@canonical.com> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2012-02-23Fix bus error on MIPS N32 for bug #38331.Michał Masłowski1-36/+102
XIValuatorClassInfo and XIScrollClassInfo might have an address of 4 bytes modulo 8, while they contain doubles which need 8 byte alignment. This is fixed by adding extra padding after each structure or array in sizeDeviceClassType and adding helper functions to determine sizes and padding only in one place. Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=38331 Signed-off-by: Michał Masłowski <mtjm@mtjm.eu> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2012-02-09libXi 1.5.99.3libXi-1.5.99.3Peter Hutterer1-1/+1
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2012-02-09Handle new XIAllowEvent request sizePeter Hutterer2-10/+15
inputproto 2.1.99.6 restored the previous request for ABI compatibility reasons, and it introduced a new XI 2.2 specific define. Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Keith Packard <keithp@keithp.com>
2012-01-18Force class alignment to a multiple of sizeof(XID).Peter Hutterer1-8/+19
Calculate length field to a multiples of sizeof(XID). XIDs are typedefs to ulong and thus may be 8 bytes on some platforms. This can trigger a SIGBUS if a class ends up not being 8-aligned (e.g. after XAxisInfo). Reported-by: Nicolai Stange <nicolai.stange@zmaw.de> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
2012-01-05man: fix typo Mappiing → MappingPeter Hutterer1-1/+1
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2011-12-24configure.ac: Fix a typo in comments.Cyril Brulebois1-1/+1
Signed-off-by: Cyril Brulebois <kibi@debian.org> Reviewed-by: Chase Douglas <chase.douglas@canonical.com> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2011-12-22libXi 1.5.99.2libXi-1.5.99.2Peter Hutterer1-1/+1
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2011-12-21Merge branch 'multitouch'Peter Hutterer8-29/+287
Conflicts: configure.ac
2011-12-21libXi 1.5.0libXi-1.5.0Peter Hutterer1-1/+1
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2011-12-21Implement support for XI 2.2Peter Hutterer8-28/+286
Adds support for the new TouchClass for multitouch-capable servers/devices. New events: XITouchOwnershipEvent New event types handled: XITouchBegin, XITouchUpdate, XITouchEnd XIRawTouchBegin, XIRawTouchUpdate, XIRawTouchEnd New functions: XIGrabTouchBegin ... passive grabs on touches XIUngrabTouchBegin XIAllowTouchEvents ... Allow/reject touch event sequences New XIQueryDevice classes: XITouchClassInfo Requires libX11 1.5 for GetReqSized Co-authored by: Chase Douglas <chase.douglas@canonical.com> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2011-12-19Bump to 1.5.99.1Peter Hutterer1-1/+1
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2011-12-19man: minor formatting fix in XIGrabButtonPeter Hutterer1-14/+14
2011-11-12Include config.h from source filesPeter Hutterer52-0/+179
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Gaetan Nadon <memsize@videotron.ca> Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
2011-11-12Stop unnecessary calls to size_classesPeter Hutterer1-1/+3
Xmalloc is a macro evaluating its argument twice. Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
2011-11-12Fix duplicate sizeof in copy_classesPeter Hutterer1-2/+2
sizeof(bla * sizeof()) is'nt right. Plus add some () to the next_block call too to emphasise that *nclasses is the multiplicator. Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>