diff --git a/files/Fix-size-calculation-in-_XimAttributeToValue.patch b/files/Fix-size-calculation-in-_XimAttributeToValue.patch
new file mode 100644
--- /dev/null
+++ b/files/Fix-size-calculation-in-_XimAttributeToValue.patch
@@ -0,0 +1,51 @@
+From 93fce3f4e79cbc737d6468a4f68ba3de1b83953b Mon Sep 17 00:00:00 2001
+From: Yichao Yu
+Date: Sun, 2 Aug 2020 13:43:58 -0400
+Subject: [PATCH] Fix size calculation in `_XimAttributeToValue`.
+
+The check here guards the read below.
+For `XimType_XIMStyles`, these are `num` of `CARD32` and for `XimType_XIMHotKeyTriggers`
+these are `num` of `XIMTRIGGERKEY` ref[1] which is defined as 3 x `CARD32`.
+(There are data after the `XIMTRIGGERKEY` according to the spec but they are not read by this
+function and doesn't need to be checked.)
+
+The old code here used the native datatype size instead of the wire protocol size causing
+the check to always fail.
+
+Also fix the size calculation for the header (size). It is 2 x CARD16 for both types
+despite the unused `CARD16` for `XimType_XIMStyles`.
+
+[1] https://www.x.org/releases/X11R7.6/doc/libX11/specs/XIM/xim.html#Input_Method_Styles
+
+This fixes a regression caused by 388b303c62aa35a245f1704211a023440ad2c488 in 1.6.10.
+
+Fix #116
+---
+ modules/im/ximcp/imRmAttr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
+index 2491908e..919c5564 100644
+--- a/modules/im/ximcp/imRmAttr.c
++++ b/modules/im/ximcp/imRmAttr.c
+@@ -265,7 +265,7 @@ _XimAttributeToValue(
+
+ if (num > (USHRT_MAX / sizeof(XIMStyle)))
+ return False;
+- if ((sizeof(num) + (num * sizeof(XIMStyle))) > data_len)
++ if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len)
+ return False;
+ alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;
+ if (alloc_len < sizeof(XIMStyles))
+@@ -379,7 +379,7 @@ _XimAttributeToValue(
+
+ if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))
+ return False;
+- if ((sizeof(num) + (num * sizeof(XIMHotKeyTrigger))) > data_len)
++ if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len)
+ return False;
+ alloc_len = sizeof(XIMHotKeyTriggers)
+ + sizeof(XIMHotKeyTrigger) * num;
+--
+GitLab
+
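Review bot: The two rewritten length checks in the embedded imRmAttr.c hunks encode the XIM wire layout as bare literals (`2 * sizeof(CARD16)`, `num * sizeof(CARD32)`, `num * 3 * sizeof(CARD32)`), while the guard above each one and the `alloc_len` line below still use the native `sizeof(XIMStyle)` / `sizeof(XIMHotKeyTrigger)`. According to the patch description the mix is deliberate, wire sizes for the bound on the read of `data` and native sizes for the allocation, but nothing in the code says so. A comment on each check, for example `/* wire format: 2 x CARD16 header, then num x CARD32 */` and `/* wire format: 2 x CARD16 header, then num x XIMTRIGGERKEY (3 x CARD32) */`, would keep a later cleanup from reverting to native sizes. Both enclosing case blocks of `_XimAttributeToValue` start and end outside the hunks, so the declared type of `num` and the reads these checks protect cannot be confirmed from here.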
diff --git a/package.yml b/package.yml
--- a/package.yml
+++ b/package.yml
@@ -1,8 +1,8 @@
 name : libx11
-version : 1.6.9
-release : 22
+version : 1.6.10
+release : 23
 source :
- - https://www.x.org/releases/individual/lib/libX11-1.6.9.tar.bz2 : 9cc7e8d000d6193fa5af580d50d689380b8287052270f5bb26a5fb6b58b2bed1
+ - https://www.x.org/releases/individual/lib/libX11-1.6.10.tar.bz2 : af48626989b8515c994777896bd7b7ba2bd5b1ef4e1efaee0a55d8852bbe6226
 license : MIT
 component : xorg.library
 summary : Core X11 protocol client library
@@ -22,6 +22,7 @@
 - speed
 - lto
 setup : |
+ %patch -p1 < $pkgfiles/Fix-size-calculation-in-_XimAttributeToValue.patch
 %configure --disable-static
 build : |
 %make
diff --git a/pspec_x86_64.xml b/pspec_x86_64.xml
--- a/pspec_x86_64.xml
+++ b/pspec_x86_64.xml
@@ -2,8 +2,8 @@ libx11 - F. von Gellhorn - flinux@vongellhorn.ch + Pierre-Yves + pyu@riseup.net MIT xorg.library @@ -1188,7 +1188,7 @@ emul32 - libx11 + libx11 /usr/lib32/libX11-xcb.so.1 @@ -1204,8 +1204,8 @@ programming.devel - libx11-devel - libx11-32bit + libx11-devel + libx11-32bit /usr/lib32/libX11-xcb.so @@ -1221,7 +1221,7 @@ programming.devel - libx11 + libx11 /usr/include/X11/ImUtil.h @@ -1244,12 +1244,12 @@ - - 2019-12-03 - 1.6.9 + + 2020-08-03 + 1.6.10 Packaging update - F. von Gellhorn - flinux@vongellhorn.ch + Pierre-Yves + pyu@riseup.net \ No newline at end of file
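Review bot: The `%patch` line added to the `setup` script in the second package.yml hunk carries no note on where the patch comes from or when it can be dropped. The patch header identifies it as upstream commit 93fce3f4e79cbc737d6468a4f68ba3de1b83953b, fixing a regression that 1.6.10 introduced in a length check on input-method data. A shell comment above the line, for example `# upstream 93fce3f4 (Fix #116): regression in 1.6.10, drop once a release contains it`, would let the next version bump decide whether the patch is still needed instead of failing or silently re-applying. The pspec_x86_64.xml section is generated output and is not reviewed here.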