[libX11] Add upstream patch to fix use-after-free that makes clients crash.

Bill Nottingham notting at fedoraproject.org
Tue Aug 10 15:17:16 UTC 2010


commit 926552e6e9842177f375ac81d83eef99990b0b9c
Author: Bill Nottingham <notting at redhat.com>
Date:   Tue Aug 10 11:15:58 2010 -0400

    Add upstream patch to fix use-after-free that makes clients crash.

 54a963608d23d35cd9233b2223f880ac3671f10b.patch |   33 ++++++++++++++++++++++++
 libX11.spec                                    |    8 ++++-
 2 files changed, 39 insertions(+), 2 deletions(-)
---
diff --git a/54a963608d23d35cd9233b2223f880ac3671f10b.patch b/54a963608d23d35cd9233b2223f880ac3671f10b.patch
new file mode 100644
index 0000000..55330a1
--- /dev/null
+++ b/54a963608d23d35cd9233b2223f880ac3671f10b.patch
@@ -0,0 +1,33 @@
+From 54a963608d23d35cd9233b2223f880ac3671f10b Mon Sep 17 00:00:00 2001
+From: Jamey Sharp <jamey at minilop.net>
+Date: Fri, 06 Aug 2010 22:51:56 +0000
+Subject: Fix use-after-free in _XReply on X errors.
+
+_XReply would always call dequeue_pending_request on errors.  When it
+got an error for the current request, it would call dequeue, then break
+out of the loop; then, if it had an error in the event queue, it would
+compare it with the sequence number of the now-freed pending request.
+_XReply already stored that sequence number in dpy->last_request_read
+before freeing it, so look at that instead.
+
+Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=29412
+
+Signed-off-by: Jamey Sharp <jamey at minilop.net>
+Signed-off-by: Josh Triplett <josh at joshtriplett.org>
+(cherry picked from commit 4b8ff7db39f2fe7ef12968d462aaf3f9054b6c18)
+---
+diff --git a/src/xcb_io.c b/src/xcb_io.c
+index dac7622..72881d8 100644
+--- a/src/xcb_io.c
++++ b/src/xcb_io.c
+@@ -579,7 +579,7 @@ Status _XReply(Display *dpy, xReply *rep, int extra, Bool discard)
+ 		xcb_generic_event_t *event = dpy->xcb->next_event;
+ 		unsigned long event_sequence = dpy->last_request_read;
+ 		widen(&event_sequence, event->full_sequence);
+-		if(event_sequence == current->sequence)
++		if(event_sequence == dpy->last_request_read)
+ 		{
+ 			error = (xcb_generic_error_t *) event;
+ 			dpy->xcb->next_event = NULL;
+--
+cgit v0.8.3-6-g21f6
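Review bot: the replacement test `event_sequence == dpy->last_request_read` in _XReply relies on an invariant that appears only in the commit message: that dpy->last_request_read already holds the sequence number of the request that was just dequeued and freed. A one-line comment above the `if`, saying that `current` may already be freed at this point and must not be dereferenced, would keep a later edit from reintroducing `current->sequence`. Note also that event_sequence is seeded from dpy->last_request_read two lines earlier, so the condition now holds exactly when widen() with event->full_sequence leaves that value unchanged; it is worth stating in the comment that this is the intended meaning of "error belongs to the current request".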
diff --git a/libX11.spec b/libX11.spec
index 31a863b..c9f4ea7 100644
--- a/libX11.spec
+++ b/libX11.spec
@@ -4,7 +4,7 @@
 Summary: Core X11 protocol client library
 Name: libX11
 Version: 1.3.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MIT
 Group: System Environment/Libraries
 URL: http://www.x.org
@@ -16,7 +16,7 @@ Source0: http://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.t
 #Source1:    make-git-snapshot.sh
 
 Patch2: dont-forward-keycode-0.patch
-
+Patch3: 54a963608d23d35cd9233b2223f880ac3671f10b.patch
 BuildRequires: xorg-x11-util-macros
 BuildRequires: pkgconfig(xproto) >= 7.0.15
 BuildRequires: xorg-x11-xtrans-devel >= 1.0.3-4
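Review bot: the `Patch3:` line replaces the blank line that separated the patch list from the `BuildRequires:` block, and the patch file is named only by a commit hash. Keep the blank separator after `Patch3:`, and either give the file a descriptive name in the style of `dont-forward-keycode-0.patch` or add a comment above it pointing to https://bugs.freedesktop.org/show_bug.cgi?id=29412, so the spec says what the patch fixes without a reader having to open it.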
@@ -48,6 +48,7 @@ X.Org X11 libX11 development package
 %setup -q
 #setup -q -n %{tarball}-%{gitdate}
 %patch2 -p1 -b .dont-forward-keycode-0
+%patch3 -p1
 
 %build
 # sodding libtool
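Review bot: `%patch3 -p1` is applied without a `-b` backup suffix, while the line above it uses `%patch2 -p1 -b .dont-forward-keycode-0`. Adding a matching `-b .<suffix>` keeps the two invocations consistent and leaves a backup of src/xcb_io.c in the build tree, which makes it easier to regenerate or drop the patch on the next rebase.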
@@ -114,6 +115,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man5/*.5*
 
 %changelog
+* Tue Aug 10 2010 Bill Nottingham <notting at redhat.com> - 1.3.4-3
+- Merge upstream commit 54a96360, fixes use-after-free (fd.o 29412)
+
 * Mon Jul 19 2010 Matěj Cepl <mcepl at redhat.com> - 1.3.4-2
 - don't own /usr/share/X11, filesystem owns it already (#569395)
 

