[libX11] Add upstream patch to fix use-after-free that makes clients crash.
Bill Nottingham
notting at fedoraproject.org
Tue Aug 10 15:17:16 UTC 2010
commit 926552e6e9842177f375ac81d83eef99990b0b9c
Author: Bill Nottingham <notting at redhat.com>
Date: Tue Aug 10 11:15:58 2010 -0400
Add upstream patch to fix use-after-free that makes clients crash.
54a963608d23d35cd9233b2223f880ac3671f10b.patch | 33 ++++++++++++++++++++++++
libX11.spec | 8 ++++-
2 files changed, 39 insertions(+), 2 deletions(-)
---
diff --git a/54a963608d23d35cd9233b2223f880ac3671f10b.patch b/54a963608d23d35cd9233b2223f880ac3671f10b.patch
new file mode 100644
index 0000000..55330a1
--- /dev/null
+++ b/54a963608d23d35cd9233b2223f880ac3671f10b.patch
@@ -0,0 +1,33 @@
+From 54a963608d23d35cd9233b2223f880ac3671f10b Mon Sep 17 00:00:00 2001
+From: Jamey Sharp <jamey at minilop.net>
+Date: Fri, 06 Aug 2010 22:51:56 +0000
+Subject: Fix use-after-free in _XReply on X errors.
+
+_XReply would always call dequeue_pending_request on errors. When it
+got an error for the current request, it would call dequeue, then break
+out of the loop; then, if it had an error in the event queue, it would
+compare it with the sequence number of the now-freed pending request.
+_XReply already stored that sequence number in dpy->last_request_read
+before freeing it, so look at that instead.
+
+Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=29412
+
+Signed-off-by: Jamey Sharp <jamey at minilop.net>
+Signed-off-by: Josh Triplett <josh at joshtriplett.org>
+(cherry picked from commit 4b8ff7db39f2fe7ef12968d462aaf3f9054b6c18)
+---
+diff --git a/src/xcb_io.c b/src/xcb_io.c
+index dac7622..72881d8 100644
+--- a/src/xcb_io.c
++++ b/src/xcb_io.c
+@@ -579,7 +579,7 @@ Status _XReply(Display *dpy, xReply *rep, int extra, Bool discard)
+ xcb_generic_event_t *event = dpy->xcb->next_event;
+ unsigned long event_sequence = dpy->last_request_read;
+ widen(&event_sequence, event->full_sequence);
+- if(event_sequence == current->sequence)
++ if(event_sequence == dpy->last_request_read)
+ {
+ error = (xcb_generic_error_t *) event;
+ dpy->xcb->next_event = NULL;
+--
+cgit v0.8.3-6-g21f6
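Review bot: the changed test in _XReply, `if(event_sequence == dpy->last_request_read)`, carries no comment saying why `current->sequence` must not be read at this point; the reason (the pending request may already have been dequeued and freed on the error path) exists only in the commit message. A one-line comment above the `if` would keep a later cleanup from switching back to `current->sequence` and reintroducing the use-after-free. Since `event_sequence` is itself initialised from `dpy->last_request_read` before `widen` is applied, the same comment could note that the comparison depends on `widen` producing a different value for events that belong to another request.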
diff --git a/libX11.spec b/libX11.spec
index 31a863b..c9f4ea7 100644
--- a/libX11.spec
+++ b/libX11.spec
@@ -4,7 +4,7 @@
Summary: Core X11 protocol client library
Name: libX11
Version: 1.3.4
-Release: 2%{?dist}
+Release: 3%{?dist}
License: MIT
Group: System Environment/Libraries
URL: http://www.x.org
@@ -16,7 +16,7 @@ Source0: http://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.t
#Source1: make-git-snapshot.sh
Patch2: dont-forward-keycode-0.patch
-
+Patch3: 54a963608d23d35cd9233b2223f880ac3671f10b.patch
BuildRequires: xorg-x11-util-macros
BuildRequires: pkgconfig(xproto) >= 7.0.15
BuildRequires: xorg-x11-xtrans-devel >= 1.0.3-4
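Review bot: the new `Patch3:` line replaces the blank line that separated the patch list from the `BuildRequires:` block, so the two sections now run together; keep the blank line after `Patch3:`. The patch file is also named only by its commit hash, which tells a reader of the spec nothing about what it fixes. A descriptive name that mentions _XReply or the use-after-free, or a comment above `Patch3:` pointing at fd.o bug 29412, would help.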
@@ -48,6 +48,7 @@ X.Org X11 libX11 development package
%setup -q
#setup -q -n %{tarball}-%{gitdate}
%patch2 -p1 -b .dont-forward-keycode-0
+%patch3 -p1
%build
# sodding libtool
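Review bot: `%patch3 -p1` is applied without a backup suffix, while the line above it uses `%patch2 -p1 -b .dont-forward-keycode-0`. For consistency, and so the pre-patch `src/xcb_io.c` is kept for regenerating the diff later, add a `-b` suffix here as well.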
@@ -114,6 +115,9 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man5/*.5*
%changelog
+* Tue Aug 10 2010 Bill Nottingham <notting at redhat.com> - 1.3.4-3
+- Merge upstream commit 54a96360, fixes use-after-free (fd.o 29412)
+
* Mon Jul 19 2010 Matěj Cepl <mcepl at redhat.com> - 1.3.4-2
- don't own /usr/share/X11, filesystem owns it already (#569395)
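Review bot: the new changelog entry cites 54a96360, but the header of the added patch says that commit was cherry picked from 4b8ff7db39f2fe7ef12968d462aaf3f9054b6c18. Mentioning the original commit and the affected function (_XReply) in the entry would make it easier to match this build against upstream history.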