libXtst: Changes to 'master'

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Fri Jul 26 22:34:18 UTC 2024


 src/XRecord.c |   25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

New commits:
commit 4e4eb10495cc0d24b02c4cc82d86f3977f3cc95f
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sun Jul 21 10:05:36 2024 -0700

    parse_reply_call_callback: avoid NULL dereference if reply is missing data
    
    Clears up 7 -Wanalyzer-null-dereference warnings from gcc 14.1
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxtst/-/merge_requests/7>

commit 3f05df5a6c5140dc3d44f35b9fb635cca8b682c1
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Jul 20 17:03:59 2024 -0700

    XRecordFreeState: avoid NULL dereference when called in error path
    
    If the client_info pointer is NULL (for instance, if we decided
    the number of entries would cause an integer overflow), then
    don't attempt to walk it to free the entries.
    
    Found by gcc 14.1:
    
    XRecord.c:513:31: warning: dereference of NULL ‘0’ [CWE-476]
     [-Wanalyzer-null-dereference]
      513 |         if (state->client_info[i]->ranges) {
          |             ~~~~~~~~~~~~~~~~~~^~~
    [...]
        |  452 |         ret->client_info = client_inf;
        |      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        |      |                          |
        |      |                          (10) ‘client_inf’ is NULL
    [...]
        |  457 |            XRecordFreeState(ret);
        |      |            ^~~~~~~~~~~~~~~~~~~~~
        |      |            |
        |      |            (14) ...to here
        |      |            (15) calling ‘XRecordFreeState’ from ‘XRecordGetContext’
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxtst/-/merge_requests/7>

commit eb8370d5e4cf3d68f05b679d3679f695542eddb1
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Jul 20 16:35:48 2024 -0700

    XRecordGetContext: Avoid double free in error path
    
    XRecordFreeState() will handle the free for us, so let it.
    
    Found by gcc 14.1:
    
    XRecord.c:514:31: warning: use after ‘free’ of ‘*state.client_info + i * 8’
     [CWE-416] [-Wanalyzer-use-after-free]
      514 |         if (state->client_info[i]->ranges) {
          |             ~~~~~~~~~~~~~~~~~~^~~
    [...]
        |  455 |            free(client_inf);
        |      |            ~~~~~~~~~~~~~~~~
        |      |            |
        |      |            (18) freed here
    
    Fixes: e7e04b7 ("integer overflow in XRecordGetContext() [CVE-2013-2063]")
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxtst/-/merge_requests/7>
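
The two error-path fixes described in the commit messages above (the double free in XRecordGetContext and the NULL dereference in XRecordFreeState) follow one ownership rule, shown here as an added example that is not libXtst code: a single free routine owns all cleanup and accepts a partially built state. The types, `state_get`, `state_free`, `fail_at` and the allocation counter are hypothetical names constructed for this illustration.

```c
#include <limits.h>
#include <stdlib.h>

/* Hypothetical types for illustration; not libXtst's structures. */
struct client { int *ranges; };
struct state  { unsigned long nclients; struct client **client_info; };

static int live_allocs;   /* constructed bookkeeping so leaks are observable */
static void *xalloc(size_t n, size_t sz) { void *p = calloc(n, sz); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }
int leaked(void) { return live_allocs; }

/* The one place that frees a state; it must accept a partially built one. */
void state_free(struct state *s)
{
    if (s == NULL) return;
    if (s->client_info != NULL) {            /* NULL if the array was never allocated */
        for (unsigned long i = 0; i < s->nclients; i++) {
            if (s->client_info[i] == NULL)   /* slots after a failed allocation */
                continue;
            xfree(s->client_info[i]->ranges);
            xfree(s->client_info[i]);
        }
        xfree(s->client_info);
    }
    xfree(s);
}

/* fail_at simulates an allocation failure at that entry (constructed for the demo). */
struct state *state_get(unsigned long nclients, unsigned long fail_at)
{
    struct state *s = xalloc(1, sizeof(*s));
    if (s == NULL) return NULL;
    s->nclients = nclients;
    if (nclients > 0) {
        if (nclients < INT_MAX / sizeof(struct client *))   /* reject overflowing counts */
            s->client_info = xalloc(nclients, sizeof(struct client *));
        if (s->client_info == NULL) goto fail;
    }
    for (unsigned long i = 0; i < nclients; i++) {
        if (i == fail_at || (s->client_info[i] = xalloc(1, sizeof(struct client))) == NULL)
            goto fail;
        s->client_info[i]->ranges = xalloc(4, sizeof(int));
    }
    return s;
fail:
    state_free(s);   /* sole cleanup call: no separate free(client_info) before it */
    return NULL;
}

int main(void) { state_free(state_get(3, ULONG_MAX)); return leaked(); }
```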


