diff options
author | Keith Packard <keithp@keithp.com> | 2022-12-11 10:32:26 -0800 |
---|---|---|
committer | Jeremy Huddleston Sequoia <jeremyhu@apple.com> | 2022-12-11 11:17:48 -0800 |
commit | d6d6cba90215d323567fef13d6565756c9956f60 (patch) | |
tree | 26cce88248e78fafd82e535f0ef6a39e37a2640f /nls/iso8859-7 | |
parent | 496d9bfeedda89a2211ec665f9214c2693c022f4 (diff) | |
download | xorg-lib-libX11-d6d6cba90215d323567fef13d6565756c9956f60.tar.gz |
Update XPutBackEvent() to support clients that put back unpadded events
It seems to be common practice of some X11 clients to pass specific event
types into APIs that take XEvent*. For example, freeglut does:
XConfigureEvent fakeEvent = {0};
...
XPutBackEvent(fgDisplay.Display, (XEvent*)&fakeEvent);
This can result in reads overflowing the input event when libX11 does:
XEvent store = *event;
=================================================================
==75304==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x00016ee4a8e8 at pc 0x000101c54d14 bp 0x00016ee4a0d0 sp 0x00016ee49888
READ of size 192 at 0x00016ee4a8e8 thread T0
#0 0x101c54d10 in __asan_memcpy+0x1a4 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3cd10)
#1 0x102848a18 in _XPutBackEvent PutBEvent.c:41
#2 0x1028490a4 in XPutBackEvent PutBEvent.c:84
#3 0x1013295c8 in fgOpenWindow freeglut_window.c:1178
#4 0x101321984 in fgCreateWindow freeglut_structure.c:108
#5 0x10132b138 in glutCreateWindow freeglut_window.c:1551
#6 0x100fb7d94 in main+0x78 (checkeredTriangles:arm64+0x100003d94)
#7 0x197de3e4c (<unknown module>)
Address 0x00016ee4a8e8 is located in stack of thread T0 at offset 840 in frame
#0 0x1013282f8 in fgOpenWindow freeglut_window.c:1063
This frame has 8 object(s):
[32, 40) 'title.addr'
[64, 176) 'winAttr' (line 1066)
[208, 240) 'textProperty' (line 1067)
[272, 352) 'sizeHints' (line 1068)
[384, 440) 'wmHints' (line 1069)
[480, 672) 'eventReturnBuffer' (line 1070)
[736, 740) 'num_FBConfigs' (line 1072)
[752, 840) 'fakeEvent' (line 1074) <== Memory access at offset 840 overflows this variable
This change allows XPutBackEvent() to support such clients without
risk of memory read overflow.
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Tested-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Diffstat (limited to 'nls/iso8859-7')
0 files changed, 0 insertions, 0 deletions