From 0d227e369cbf400a3d6a490a588409011f9dd69d Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 30 2018 06:01:24 +0000
Subject: import at-spi2-atk-2.26.2-1.el7
---
diff --git a/.at-spi2-atk.metadata b/.at-spi2-atk.metadata
index cd6b6e4..389ed19 100644
--- a/.at-spi2-atk.metadata
+++ b/.at-spi2-atk.metadata
@@ -1 +1 @@
-9896c6d8130ba167eba084fdf1cd47ed774be147 SOURCES/at-spi2-atk-2.22.0.tar.xz
+d4f0710c50223a84ca412be1f385c281054558cc SOURCES/at-spi2-atk-2.26.2.tar.xz
diff --git a/.gitignore b/.gitignore
index b057aea..c6ff5e3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/at-spi2-atk-2.22.0.tar.xz
+SOURCES/at-spi2-atk-2.26.2.tar.xz
diff --git a/SOURCES/0001-Fix-use-after-free-when-returned-objects-hold-only-o.patch b/SOURCES/0001-Fix-use-after-free-when-returned-objects-hold-only-o.patch
deleted file mode 100644
index 6b40c72..0000000
--- a/SOURCES/0001-Fix-use-after-free-when-returned-objects-hold-only-o.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 66dd82116845addb08973d52e518db6e7ce5ff22 Mon Sep 17 00:00:00 2001
-From: Milan Crha
-Date: Mon, 8 May 2017 17:21:58 -0500
-Subject: [PATCH] Fix use after free when returned objects hold only one ref
-
-It seems that not all code expects atk_object_ref_accessible_child()
-returning NULL, neither that it can return an object with only one
-reference, thus the following unref in the code can cause use-after-free
-eventually.
-
-At least the chunk in impl_GetChildAtIndex() avoids runtime warning about
-invalid object being passed to g_object_unref(), which happened, in this
-case, when evolution returned NULL. Evolution returns objects with one
-reference only often, which tries to address the other chunks here.
-
-https://bugzilla.gnome.org/show_bug.cgi?id=781716
----
- atk-adaptor/adaptors/accessible-adaptor.c | 3 ++-
- atk-adaptor/adaptors/collection-adaptor.c | 16 ++++++++++++----
- 2 files changed, 14 insertions(+), 5 deletions(-)
-
-diff --git a/atk-adaptor/adaptors/accessible-adaptor.c b/atk-adaptor/adaptors/accessible-adaptor.c
-index 058b116..572e4f8 100644
---- a/atk-adaptor/adaptors/accessible-adaptor.c
-+++ b/atk-adaptor/adaptors/accessible-adaptor.c
-@@ -182,7 +182,8 @@ impl_GetChildAtIndex (DBusConnection * bus,
- }
- child = atk_object_ref_accessible_child (object, i);
- reply = spi_object_return_reference (message, child);
-- g_object_unref (child);
-+ if (child)
-+ g_object_unref (child);
-
- return reply;
- }
-diff --git a/atk-adaptor/adaptors/collection-adaptor.c b/atk-adaptor/adaptors/collection-adaptor.c
-index 42ea073..b57c5f6 100644
---- a/atk-adaptor/adaptors/collection-adaptor.c
-+++ b/atk-adaptor/adaptors/collection-adaptor.c
-@@ -494,9 +494,12 @@ sort_order_canonical (MatchRulePrivate * mrp, GList * ls,
- {
- AtkObject *child = atk_object_ref_accessible_child (obj, i);
-
-- g_object_unref (child);
-+ if (!child)
-+ continue;
-+
- if (prev && child == pobj)
- {
-+ g_object_unref (child);
- return kount;
- }
-
-@@ -517,6 +520,7 @@ sort_order_canonical (MatchRulePrivate * mrp, GList * ls,
- kount = sort_order_canonical (mrp, ls, kount,
- max, child, 0, TRUE,
- pobj, recurse, traverse);
-+ g_object_unref (child);
- }
- return kount;
- }
-@@ -559,19 +563,23 @@ sort_order_rev_canonical (MatchRulePrivate * mrp, GList * ls,
- and get it's last descendant.
- First, get the previous sibling */
- nextobj = atk_object_ref_accessible_child (parent, indexinparent - 1);
-- g_object_unref (nextobj);
-
- /* Now, drill down the right side to the last descendant */
-- while (atk_object_get_n_accessible_children (nextobj) > 0)
-+ while (nextobj && atk_object_get_n_accessible_children (nextobj) > 0)
- {
-- nextobj = atk_object_ref_accessible_child (nextobj,
-+ AtkObject *follow;
-+
-+ follow = atk_object_ref_accessible_child (nextobj,
- atk_object_get_n_accessible_children
- (nextobj) - 1);
- g_object_unref (nextobj);
-+ nextobj = follow;
- }
- /* recurse with the last descendant */
- kount = sort_order_rev_canonical (mrp, ls, kount, max,
- nextobj, TRUE, pobj);
-+ if (nextobj)
-+ g_object_unref (nextobj);
- }
- else if (max == 0 || kount < max)
- {
---
-2.9.3
-
diff --git a/SOURCES/0001-atk-adaptor-bridge-Fix-GList-handling-resulting-in-m.patch b/SOURCES/0001-atk-adaptor-bridge-Fix-GList-handling-resulting-in-m.patch
deleted file mode 100644
index 456dc2d..0000000
--- a/SOURCES/0001-atk-adaptor-bridge-Fix-GList-handling-resulting-in-m.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 113d9c15ac9d1cc5f120d859d284ffb55f80d54e Mon Sep 17 00:00:00 2001
-From: Rui Matos
-Date: Mon, 24 Apr 2017 14:39:05 +0200
-Subject: [PATCH] atk-adaptor/bridge: Fix GList handling resulting in memory
- corruption
-
-As pointed out by this valgrind log:
-
-==2809== Thread 1:
-==2809== Invalid write of size 8
-==2809== at 0x18FCF001: remove_events (bridge.c:759)
-==2809== by 0x18FCF001: handle_event_listener_deregistered (bridge.c:788)
-==2809== by 0x18FCF001: signal_filter (bridge.c:827)
-==2809== by 0x200ECDFD: dbus_connection_dispatch (dbus-connection.c:4631)
-==2809== by 0x1FEBD0F4: ??? (in /usr/lib64/libatspi.so.0.0.1)
-==2809== by 0xFD8D4C8: g_main_dispatch (gmain.c:3201)
-==2809== by 0xFD8D4C8: g_main_context_dispatch (gmain.c:3854)
-==2809== by 0xFD8D817: g_main_context_iterate.isra.21 (gmain.c:3927)
-==2809== by 0xFD8DAE9: g_main_loop_run (gmain.c:4123)
-==2809== by 0xDFF84B4: gtk_main (in /usr/lib64/libgtk-3.so.0.2200.10)
-==2809== by 0x403DE0: main (in /usr/bin/evolution)
-==2809== Address 0x29f22540 is 16 bytes inside a block of size 24 free'd
-==2809== at 0x4C2ACDD: free (vg_replace_malloc.c:530)
-==2809== by 0xFD92BCD: g_free (gmem.c:189)
-==2809== by 0xFDAA518: g_slice_free1 (gslice.c:1136)
-==2809== by 0xFD89463: g_list_remove (glist.c:521)
-==2809== by 0x18FCF000: remove_events (bridge.c:759)
-==2809== by 0x18FCF000: handle_event_listener_deregistered (bridge.c:788)
-==2809== by 0x18FCF000: signal_filter (bridge.c:827)
-==2809== by 0x200ECDFD: dbus_connection_dispatch (dbus-connection.c:4631)
-==2809== by 0x1FEBD0F4: ??? (in /usr/lib64/libatspi.so.0.0.1)
-==2809== by 0xFD8D4C8: g_main_dispatch (gmain.c:3201)
-==2809== by 0xFD8D4C8: g_main_context_dispatch (gmain.c:3854)
-==2809== by 0xFD8D817: g_main_context_iterate.isra.21 (gmain.c:3927)
-==2809== by 0xFD8DAE9: g_main_loop_run (gmain.c:4123)
-==2809== by 0xDFF84B4: gtk_main (in /usr/lib64/libgtk-3.so.0.2200.10)
-==2809== by 0x403DE0: main (in /usr/bin/evolution)
-==2809== Block was alloc'd at
-==2809== at 0x4C29BE3: malloc (vg_replace_malloc.c:299)
-==2809== by 0xFD92ABD: g_malloc (gmem.c:94)
-==2809== by 0xFDA9EFD: g_slice_alloc (gslice.c:1025)
-==2809== by 0xFD89983: g_list_append (glist.c:261)
-==2809== by 0x18FCE7EE: add_event (bridge.c:80)
-==2809== by 0x18FCE7EE: add_event_from_iter (bridge.c:217)
-==2809== by 0x18FCEEF6: handle_event_listener_registered (bridge.c:721)
-==2809== by 0x18FCEEF6: signal_filter (bridge.c:825)
-==2809== by 0x200ECDFD: dbus_connection_dispatch (dbus-connection.c:4631)
-==2809== by 0x1FEBD0F4: ??? (in /usr/lib64/libatspi.so.0.0.1)
-==2809== by 0xFD8D4C8: g_main_dispatch (gmain.c:3201)
-==2809== by 0xFD8D4C8: g_main_context_dispatch (gmain.c:3854)
-==2809== by 0xFD8D817: g_main_context_iterate.isra.21 (gmain.c:3927)
-==2809== by 0xFD8DAE9: g_main_loop_run (gmain.c:4123)
-==2809== by 0xDFF84B4: gtk_main (in /usr/lib64/libgtk-3.so.0.2200.10)
-
-This line:
-
-list->prev = g_list_remove (list->prev, evdata);
-
-writes over free'd memory since the list link pointed to by the 'list'
-pointer is free'd by g_list_remove(). We can use g_list_delete_link()
-instead to achieve the intended result (and not re-iterate the whole
-list) with less code overall.
-
-Thanks to Milan Crha for investigating and
-providing the valgring log.
-
-https://bugzilla.gnome.org/show_bug.cgi?id=781658
----
- atk-adaptor/bridge.c | 17 ++++++-----------
- 1 file changed, 6 insertions(+), 11 deletions(-)
-
-diff --git a/atk-adaptor/bridge.c b/atk-adaptor/bridge.c
-index 7de84d4..0b2b736 100644
---- a/atk-adaptor/bridge.c
-+++ b/atk-adaptor/bridge.c
-@@ -748,22 +748,17 @@ remove_events (const char *bus_name, const char *event)
- if (!g_strcmp0 (evdata->bus_name, bus_name) &&
- spi_event_is_subtype (evdata->data, remove_data))
- {
-+ GList *next;
- GList *events = spi_global_app_data->events;
-+
- g_strfreev (evdata->data);
- g_free (evdata->bus_name);
- g_slist_free_full (evdata->properties, free_property_definition);
- g_free (evdata);
-- if (list->prev)
-- {
-- GList *next = list->next;
-- list->prev = g_list_remove (list->prev, evdata);
-- list = next;
-- }
-- else
-- {
-- spi_global_app_data->events = g_list_remove (events, evdata);
-- list = spi_global_app_data->events;
-- }
-+
-+ next = list->next;
-+ spi_global_app_data->events = g_list_delete_link (events, list);
-+ list = next;
- }
- else
- {
---
-2.9.3
-
diff --git a/SPECS/at-spi2-atk.spec b/SPECS/at-spi2-atk.spec
index 88ee282..ead1bb3 100644
--- a/SPECS/at-spi2-atk.spec
+++ b/SPECS/at-spi2-atk.spec
@@ -1,17 +1,14 @@
-%global atk_version 2.15.4
-%global at_spi2_core_version 2.17.90
+%global atk_version 2.25.2
+%global at_spi2_core_version 2.25.3
 Name: at-spi2-atk
-Version: 2.22.0
-Release: 2%{?dist}
+Version: 2.26.2
+Release: 1%{?dist}
 Summary: A GTK+ module that bridges ATK to D-Bus at-spi
 License: LGPLv2+
 URL: https://wiki.linuxfoundation.org/en/AT-SPI_on_D-Bus
-Source0: https://download.gnome.org/sources/at-spi2-atk/2.22/%{name}-%{version}.tar.xz
-
-Patch0: 0001-atk-adaptor-bridge-Fix-GList-handling-resulting-in-m.patch
-Patch1: 0001-Fix-use-after-free-when-returned-objects-hold-only-o.patch
+Source0: https://download.gnome.org/sources/at-spi2-atk/2.26/%{name}-%{version}.tar.xz
 BuildRequires: atk-devel >= %{atk_version}
 BuildRequires: at-spi2-core-devel >= %{at_spi2_core_version}
@@ -47,8 +44,6 @@ The %{name}-devel package includes the header files for the %{name} library.
 %prep
 %setup -q
-%patch0 -p1
-%patch1 -p1
 %build
 %configure
@@ -83,6 +78,10 @@ rm $RPM_BUILD_ROOT%{_libdir}/libatk-bridge-2.0.la
 %changelog
+* Tue Mar 13 2018 Kalev Lember - 2.26.2-1
+- Update to 2.26.2
+- Resolves: #1567135
+
 * Mon Apr 24 2017 Rui Matos - 2.22.0-2
 - Add patch to fix a memory corruption issue
 Resolves: #1444490
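Review bot: The commit does not record that the two memory-safety fixes dropped in the first and second hunks of SPECS/at-spi2-atk.spec (`Patch0`/`Patch1` and their `%patch0 -p1`/`%patch1 -p1` lines) are contained in the 2.26.2 tarball. The deleted patches covered the GList handling in `remove_events` and the unref paths after `atk_object_ref_accessible_child`, so a rebase that loses either one would bring back the memory corruption or use-after-free they addressed. The new changelog entry in the third hunk says only `- Update to 2.26.2`; I would add `- Drop downstream GList and use-after-free patches, included in the rebased sources` once that has been confirmed against the new source tree. That both fixes are upstream by 2.26.2 is likely given their 2017 dates, but it is inferred rather than shown on this page.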