CVS commit: [netbsd-6-0] xsrc/xfree/xc/programs/mkfontscale
Module Name:xsrc
Committed By: martin
Date: Sat Jun 30 11:44:32 UTC 2018
Modified Files:
xsrc/xfree/xc/programs/mkfontscale [netbsd-6-0]: ident.c
Log Message:
Apply patch, requested by mrg in ticket #1550:
xsrc/xfree/xc/programs/mkfontscale/ident.c (patch)
Pass gzFile, not gzFile * to gzio functions.
Should fix PR toolchain/53415.
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.28.1 \
xsrc/xfree/xc/programs/mkfontscale/ident.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/xfree/xc/programs/mkfontscale/ident.c
diff -u xsrc/xfree/xc/programs/mkfontscale/ident.c:1.1.1.1 xsrc/xfree/xc/programs/mkfontscale/ident.c:1.1.1.1.28.1
--- xsrc/xfree/xc/programs/mkfontscale/ident.c:1.1.1.1 Fri Mar 5 14:26:48 2004
+++ xsrc/xfree/xc/programs/mkfontscale/ident.c Sat Jun 30 11:44:32 2018
@@ -213,7 +213,7 @@ pcfIdentify(gzFile f, char **name)
#define NKEY 20
static char*
-getKeyword(gzFile *f, int *eol)
+getKeyword(gzFile f, int *eol)
{
static char keyword[NKEY + 1];
int c, i;
@@ -236,7 +236,7 @@ getKeyword(gzFile *f, int *eol)
}
static int
-bdfskip(gzFile *f)
+bdfskip(gzFile f)
{
int c;
do {
@@ -248,7 +248,7 @@ bdfskip(gzFile *f)
}
static char *
-bdfend(gzFile *f)
+bdfend(gzFile f)
{
int c;
char *buf = NULL;
CVS commit: [netbsd-6-0] xsrc
Module Name:xsrc
Committed By: snj
Date: Sat Jan 13 22:29:23 UTC 2018
Modified Files:
xsrc/external/mit/libXcursor/dist/src [netbsd-6-0]: file.c library.c
xsrc/external/mit/libXfont/dist/src/bitmap [netbsd-6-0]: pcfread.c
xsrc/external/mit/libXfont/dist/src/fontfile [netbsd-6-0]: dirfile.c
fileio.c fontdir.c
xsrc/xfree/xc/lib/Xcursor [netbsd-6-0]: file.c library.c
xsrc/xfree/xc/lib/font/bitmap [netbsd-6-0]: pcfread.c
xsrc/xfree/xc/lib/font/fontfile [netbsd-6-0]: dirfile.c fileio.c
fontdir.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1514):
xsrc/external/mit/libXcursor/dist/src/file.c: patch
xsrc/external/mit/libXcursor/dist/src/library.c: patch
xsrc/external/mit/libXfont/dist/src/bitmap/pcfread.c: patch
xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c: patch
xsrc/external/mit/libXfont/dist/src/fontfile/fileio.c: patch
xsrc/external/mit/libXfont/dist/src/fontfile/fontdir.c: patch
xsrc/xfree/xc/lib/Xcursor/file.c: patch
xsrc/xfree/xc/lib/Xcursor/library.c: patch
xsrc/xfree/xc/lib/font/bitmap/pcfread.c: patch
xsrc/xfree/xc/lib/font/fontfile/dirfile.c: patch
xsrc/xfree/xc/lib/font/fontfile/fileio.c: patch
xsrc/xfree/xc/lib/font/fontfile/fontdir.c: patch
Fix CVEs 2017-13722, 2017-13720, 2017-16611, and 2017-16612.
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.3.4.1 -r1.1.1.3.4.2 \
xsrc/external/mit/libXcursor/dist/src/file.c
cvs rdiff -u -r1.1.1.2 -r1.1.1.2.4.1 \
xsrc/external/mit/libXcursor/dist/src/library.c
cvs rdiff -u -r1.1.1.2.2.1 -r1.1.1.2.2.1.2.1 \
xsrc/external/mit/libXfont/dist/src/bitmap/pcfread.c
cvs rdiff -u -r1.1.1.2.4.1 -r1.1.1.2.4.2 \
xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c
cvs rdiff -u -r1.1.1.2 -r1.1.1.2.4.1 \
xsrc/external/mit/libXfont/dist/src/fontfile/fileio.c
cvs rdiff -u -r1.1.1.3 -r1.1.1.3.4.1 \
xsrc/external/mit/libXfont/dist/src/fontfile/fontdir.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.30.1 xsrc/xfree/xc/lib/Xcursor/file.c
cvs rdiff -u -r1.1.1.2 -r1.1.1.2.28.1 xsrc/xfree/xc/lib/Xcursor/library.c
cvs rdiff -u -r1.3 -r1.3.10.1 xsrc/xfree/xc/lib/font/bitmap/pcfread.c
cvs rdiff -u -r1.4.16.1 -r1.4.16.2 xsrc/xfree/xc/lib/font/fontfile/dirfile.c
cvs rdiff -u -r1.1.1.5 -r1.1.1.5.30.1 \
xsrc/xfree/xc/lib/font/fontfile/fileio.c
cvs rdiff -u -r1.2 -r1.2.10.1 xsrc/xfree/xc/lib/font/fontfile/fontdir.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/libXcursor/dist/src/file.c
diff -u xsrc/external/mit/libXcursor/dist/src/file.c:1.1.1.3.4.1 xsrc/external/mit/libXcursor/dist/src/file.c:1.1.1.3.4.2
--- xsrc/external/mit/libXcursor/dist/src/file.c:1.1.1.3.4.1 Thu Jun 6 03:52:04 2013
+++ xsrc/external/mit/libXcursor/dist/src/file.c Sat Jan 13 22:29:23 2018
@@ -29,6 +29,11 @@ XcursorImageCreate (int width, int heigh
{
XcursorImage*image;
+if (width < 0 || height < 0)
+ return NULL;
+if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
+ return NULL;
+
image = malloc (sizeof (XcursorImage) +
width * height * sizeof (XcursorPixel));
if (!image)
@@ -102,7 +107,7 @@ XcursorCommentCreate (XcursorUInt commen
{
XcursorComment *comment;
-if (length > XCURSOR_COMMENT_MAX_LEN)
+if (length < 0 || length > XCURSOR_COMMENT_MAX_LEN)
return NULL;
comment = malloc (sizeof (XcursorComment) + length + 1);
@@ -449,7 +454,8 @@ _XcursorReadImage (XcursorFile *file,
if (!_XcursorReadUInt (file, &head.delay))
return NULL;
/* sanity check data */
-if (head.width >= 0x1 || head.height > 0x1)
+if (head.width > XCURSOR_IMAGE_MAX_SIZE ||
+ head.height > XCURSOR_IMAGE_MAX_SIZE)
return NULL;
if (head.width == 0 || head.height == 0)
return NULL;
@@ -458,6 +464,8 @@ _XcursorReadImage (XcursorFile *file,
/* Create the image and initialize it */
image = XcursorImageCreate (head.width, head.height);
+if (image == NULL)
+ return NULL;
if (chunkHeader.version < image->version)
image->version = chunkHeader.version;
image->size = chunkHeader.subtype;
Index: xsrc/external/mit/libXcursor/dist/src/library.c
diff -u xsrc/external/mit/libXcursor/dist/src/library.c:1.1.1.2 xsrc/external/mit/libXcursor/dist/src/library.c:1.1.1.2.4.1
--- xsrc/external/mit/libXcursor/dist/src/library.c:1.1.1.2 Sun Nov 8 09:42:56 2009
+++ xsrc/external/mit/libXcursor/dist/src/library.c Sat Jan 13 22:29:23 2018
@@ -180,7 +180,7 @@ _XcursorThemeInherits (const char *full)
if (*l != '=') continue;
l++;
while (*l == ' ') l++;
- result = malloc (strlen (l));
+ result = malloc (strlen (l) + 1);
if (result)
{
r = result;
Index: xsrc/external/mit/libXfont/dist/src/bitmap/pcfread.c
diff -u xsrc/external/mit/libXfont/
CVS commit: [netbsd-6-0] xsrc
Module Name:xsrc Committed By: snj Date: Sun Nov 5 20:15:05 UTC 2017 Modified Files: xsrc/external/mit/xorg-server/dist/Xext [netbsd-6-0]: panoramiX.c saver.c xvdisp.c xsrc/external/mit/xorg-server/dist/Xi [netbsd-6-0]: xichangehierarchy.c xsrc/external/mit/xorg-server/dist/dbe [netbsd-6-0]: dbe.c xsrc/external/mit/xorg-server/dist/dix [netbsd-6-0]: dispatch.c xsrc/external/mit/xorg-server/dist/hw/dmx [netbsd-6-0]: dmxpict.c xsrc/external/mit/xorg-server/dist/hw/xfree86/dixmods/extmod [netbsd-6-0]: xf86dga2.c xsrc/external/mit/xorg-server/dist/hw/xfree86/dri [netbsd-6-0]: xf86dri.c xsrc/external/mit/xorg-server/dist/render [netbsd-6-0]: render.c xsrc/external/mit/xorg-server/dist/xfixes [netbsd-6-0]: cursor.c region.c saveset.c xfixes.c xsrc/xfree/xc/programs/Xserver/Xext [netbsd-6-0]: panoramiX.c saver.c xf86dga2.c xvdisp.c xsrc/xfree/xc/programs/Xserver/dbe [netbsd-6-0]: dbe.c xsrc/xfree/xc/programs/Xserver/dix [netbsd-6-0]: dispatch.c xsrc/xfree/xc/programs/Xserver/hw/dmx [netbsd-6-0]: dmxpict.c xsrc/xfree/xc/programs/Xserver/render [netbsd-6-0]: render.c Log Message: Apply patch (requested by mrg in ticket #1511): apply fixes for CVEs 2017-12176 to 2017-12187 To generate a diff of this commit: cvs rdiff -u -r1.1.1.5 -r1.1.1.5.4.1 \ xsrc/external/mit/xorg-server/dist/Xext/panoramiX.c \ xsrc/external/mit/xorg-server/dist/Xext/saver.c cvs rdiff -u -r1.3.4.1 -r1.3.4.2 \ xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c cvs rdiff -u -r1.1.1.2.4.1 -r1.1.1.2.4.2 \ xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c cvs rdiff -u -r1.1.1.4.4.1 -r1.1.1.4.4.2 \ xsrc/external/mit/xorg-server/dist/dbe/dbe.c cvs rdiff -u -r1.1.1.6.4.1 -r1.1.1.6.4.2 \ xsrc/external/mit/xorg-server/dist/dix/dispatch.c cvs rdiff -u -r1.1.1.4 -r1.1.1.4.4.1 \ xsrc/external/mit/xorg-server/dist/hw/dmx/dmxpict.c cvs rdiff -u -r1.1.1.5 -r1.1.1.5.4.1 \ xsrc/external/mit/xorg-server/dist/hw/xfree86/dixmods/extmod/xf86dga2.c cvs rdiff -u -r1.1.1.4 -r1.1.1.4.4.1 \ xsrc/external/mit/xorg-server/dist/hw/xfree86/dri/xf86dri.c cvs rdiff -u -r1.1.1.7.4.1 -r1.1.1.7.4.2 \ xsrc/external/mit/xorg-server/dist/render/render.c cvs rdiff -u -r1.1.1.5 -r1.1.1.5.4.1 \ xsrc/external/mit/xorg-server/dist/xfixes/cursor.c \ xsrc/external/mit/xorg-server/dist/xfixes/region.c cvs rdiff -u -r1.1.1.3 -r1.1.1.3.4.1 \ xsrc/external/mit/xorg-server/dist/xfixes/saveset.c cvs rdiff -u -r1.1.1.4 -r1.1.1.4.4.1 \ xsrc/external/mit/xorg-server/dist/xfixes/xfixes.c cvs rdiff -u -r1.1.1.7 -r1.1.1.7.16.1 \ xsrc/xfree/xc/programs/Xserver/Xext/panoramiX.c cvs rdiff -u -r1.1.1.6 -r1.1.1.6.16.1 \ xsrc/xfree/xc/programs/Xserver/Xext/saver.c \ xsrc/xfree/xc/programs/Xserver/Xext/xf86dga2.c cvs rdiff -u -r1.1.1.5.28.1 -r1.1.1.5.28.2 \ xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c cvs rdiff -u -r1.2.10.1 -r1.2.10.2 xsrc/xfree/xc/programs/Xserver/dbe/dbe.c cvs rdiff -u -r1.1.1.7.16.1 -r1.1.1.7.16.2 \ xsrc/xfree/xc/programs/Xserver/dix/dispatch.c cvs rdiff -u -r1.1.1.1 -r1.1.1.1.18.1 \ xsrc/xfree/xc/programs/Xserver/hw/dmx/dmxpict.c cvs rdiff -u -r1.3.10.1 -r1.3.10.2 \ xsrc/xfree/xc/programs/Xserver/render/render.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/xorg-server/dist/Xext/panoramiX.c diff -u xsrc/external/mit/xorg-server/dist/Xext/panoramiX.c:1.1.1.5 xsrc/external/mit/xorg-server/dist/Xext/panoramiX.c:1.1.1.5.4.1 --- xsrc/external/mit/xorg-server/dist/Xext/panoramiX.c:1.1.1.5 Tue Aug 2 06:57:05 2011 +++ xsrc/external/mit/xorg-server/dist/Xext/panoramiX.c Sun Nov 5 20:15:04 2017 @@ -990,10 +990,11 @@ ProcPanoramiXGetScreenSize(ClientPtr cli xPanoramiXGetScreenSizeReply rep; int n, rc; + REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq); + if (stuff->screen >= PanoramiXNumScreens) return BadMatch; - REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq); rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess); if (rc != Success) return rc; Index: xsrc/external/mit/xorg-server/dist/Xext/saver.c diff -u xsrc/external/mit/xorg-server/dist/Xext/saver.c:1.1.1.5 xsrc/external/mit/xorg-server/dist/Xext/saver.c:1.1.1.5.4.1 --- xsrc/external/mit/xorg-server/dist/Xext/saver.c:1.1.1.5 Tue Aug 2 06:57:05 2011 +++ xsrc/external/mit/xorg-server/dist/Xext/saver.c Sun Nov 5 20:15:04 2017 @@ -1283,6 +1283,8 @@ ProcScreenSaverUnsetAttributes (ClientPt PanoramiXRes *draw; int rc, i; + REQUEST_SIZE_MATCH(xScreenSaverUnsetAttributesReq); + rc = dixLookupResourceByClass((pointer *)&draw, stuff->drawable, XRC_DRAWABLE, client, DixWriteAccess); if (rc != Success) Index: xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c diff -u xsrc/exter
CVS commit: [netbsd-6-0] xsrc
Module Name:xsrc
Committed By: snj
Date: Tue Jul 11 21:24:02 UTC 2017
Modified Files:
xsrc/external/mit/xorg-server/dist/Xi [netbsd-6-0]: sendexev.c
xsrc/external/mit/xorg-server/dist/dix [netbsd-6-0]: events.c swapreq.c
xsrc/xfree/xc/programs/Xserver/Xi [netbsd-6-0]: sendexev.c
Log Message:
Apply patch (requested by mrg in ticket #1459):
Fix CVE-2017-10971 and CVE-2017-10972.
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.3.4.1 -r1.1.1.3.4.2 \
xsrc/external/mit/xorg-server/dist/Xi/sendexev.c
cvs rdiff -u -r1.1.1.7 -r1.1.1.7.4.1 \
xsrc/external/mit/xorg-server/dist/dix/events.c
cvs rdiff -u -r1.1.1.2 -r1.1.1.2.4.1 \
xsrc/external/mit/xorg-server/dist/dix/swapreq.c
cvs rdiff -u -r1.1.1.4.30.1 -r1.1.1.4.30.2 \
xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/xorg-server/dist/Xi/sendexev.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/sendexev.c:1.1.1.3.4.1 xsrc/external/mit/xorg-server/dist/Xi/sendexev.c:1.1.1.3.4.2
--- xsrc/external/mit/xorg-server/dist/Xi/sendexev.c:1.1.1.3.4.1 Tue Dec 9 19:44:40 2014
+++ xsrc/external/mit/xorg-server/dist/Xi/sendexev.c Tue Jul 11 21:24:01 2017
@@ -79,7 +79,7 @@ SProcXSendExtensionEvent(ClientPtr clien
char n;
CARD32 *p;
int i;
-xEvent eventT;
+xEvent eventT = { .u.u.type = 0 };
xEvent *eventP;
EventSwapPtr proc;
@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr clien
eventP = (xEvent *) & stuff[1];
for (i = 0; i < stuff->num_events; i++, eventP++) {
+if (eventP->u.u.type == GenericEvent) {
+client->errorValue = eventP->u.u.type;
+return BadValue;
+}
+
proc = EventSwapVector[eventP->u.u.type & 0177];
- if (proc == NotImplemented) /* no swapping proc; invalid event type? */
+/* no swapping proc; invalid event type? */
+if (proc == NotImplemented) {
+client->errorValue = eventP->u.u.type;
return BadValue;
+}
(*proc) (eventP, &eventT);
*eventP = eventT;
}
@@ -117,7 +125,7 @@ SProcXSendExtensionEvent(ClientPtr clien
int
ProcXSendExtensionEvent(ClientPtr client)
{
-int ret;
+int ret, i;
DeviceIntPtr dev;
xEvent *first;
XEventClass *list;
@@ -140,10 +148,12 @@ ProcXSendExtensionEvent(ClientPtr client
/* The client's event type must be one defined by an extension. */
first = ((xEvent *) & stuff[1]);
-if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
- (first->u.u.type < lastEvent))) {
- client->errorValue = first->u.u.type;
- return BadValue;
+for (i = 0; i < stuff->num_events; i++) {
+if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
+(first[i].u.u.type < lastEvent))) {
+client->errorValue = first[i].u.u.type;
+return BadValue;
+}
}
list = (XEventClass *) (first + stuff->num_events);
Index: xsrc/external/mit/xorg-server/dist/dix/events.c
diff -u xsrc/external/mit/xorg-server/dist/dix/events.c:1.1.1.7 xsrc/external/mit/xorg-server/dist/dix/events.c:1.1.1.7.4.1
--- xsrc/external/mit/xorg-server/dist/dix/events.c:1.1.1.7 Tue Aug 2 06:56:45 2011
+++ xsrc/external/mit/xorg-server/dist/dix/events.c Tue Jul 11 21:24:02 2017
@@ -5009,6 +5009,12 @@ ProcSendEvent(ClientPtr client)
client->errorValue = stuff->event.u.u.type;
return BadValue;
}
+/* Generic events can have variable size, but SendEvent request holds
+ exactly 32B of event data. */
+if (stuff->event.u.u.type == GenericEvent) {
+client->errorValue = stuff->event.u.u.type;
+return BadValue;
+}
if (stuff->event.u.u.type == ClientMessage &&
stuff->event.u.u.detail != 8 &&
stuff->event.u.u.detail != 16 &&
Index: xsrc/external/mit/xorg-server/dist/dix/swapreq.c
diff -u xsrc/external/mit/xorg-server/dist/dix/swapreq.c:1.1.1.2 xsrc/external/mit/xorg-server/dist/dix/swapreq.c:1.1.1.2.4.1
--- xsrc/external/mit/xorg-server/dist/dix/swapreq.c:1.1.1.2 Tue Nov 23 05:21:00 2010
+++ xsrc/external/mit/xorg-server/dist/dix/swapreq.c Tue Jul 11 21:24:02 2017
@@ -315,6 +315,13 @@ SProcSendEvent(ClientPtr client)
swapl(&stuff->destination, n);
swapl(&stuff->eventMask, n);
+/* Generic events can have variable size, but SendEvent request holds
+ exactly 32B of event data. */
+if (stuff->event.u.u.type == GenericEvent) {
+client->errorValue = stuff->event.u.u.type;
+return BadValue;
+}
+
/* Swap event */
proc = EventSwapVector[stuff->event.u.u.type & 0177];
if (!proc || proc == NotImplemented)/* no swapping proc; invalid event type? */
Index: xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c
diff -u xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c:1.1.1.4.30.1 xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c:1.1.1.4.30.2
--- xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c:1.
CVS commit: [netbsd-6-0] xsrc
Module Name:xsrc Committed By: martin Date: Wed Mar 8 14:56:16 UTC 2017 Modified Files: xsrc/external/mit/xorg-server/dist [netbsd-6-0]: configure.ac xsrc/external/mit/xorg-server/dist/include [netbsd-6-0]: dix-config.h.in os.h xsrc/external/mit/xorg-server/dist/os [netbsd-6-0]: auth.c mitauth.c osdep.h rpcauth.c xdmauth.c xsrc/external/mit/xorg-server/include [netbsd-6-0]: dix-config.h xsrc/xfree/xc/programs/Xserver/include [netbsd-6-0]: os.h xsrc/xfree/xc/programs/Xserver/os [netbsd-6-0]: auth.c mitauth.c osdep.h rpcauth.c xdmauth.c Added Files: xsrc/external/mit/xorg-server/dist/os [netbsd-6-0]: timingsafe_memcmp.c xsrc/xfree/xc/programs/Xserver/os [netbsd-6-0]: timingsafe_memcmp.c Log Message: xsrc/external/mit/xorg-server.old/dist/configure.ac 1.2 (patch) xsrc/external/mit/xorg-server.old/dist/include/dix-config.h.in 1.2 (patch) xsrc/external/mit/xorg-server.old/dist/include/dix-config.h.in 1.3 (patch) xsrc/external/mit/xorg-server.old/dist/include/os.h 1.2 (patch) xsrc/external/mit/xorg-server.old/dist/os/auth.c1.2 (patch) xsrc/external/mit/xorg-server.old/dist/os/auth.c1.3 (patch) xsrc/external/mit/xorg-server.old/dist/os/mitauth.c 1.2 (patch) xsrc/external/mit/xorg-server.old/dist/os/mitauth.c 1.3 (patch) xsrc/external/mit/xorg-server.old/dist/os/osdep.h 1.2 (patch) xsrc/external/mit/xorg-server.old/dist/os/rpcauth.c 1.2 (patch) xsrc/external/mit/xorg-server.old/dist/os/timingsafe_memcmp.c 1.1 (patch) xsrc/external/mit/xorg-server.old/dist/os/xdmauth.c 1.2 (patch) xsrc/external/mit/xorg-server.old/include/dix-config.h 1.3 (patch) xsrc/external/mit/xorg-server.old/include/dix-config.h 1.4 (patch) xsrc/external/mit/xorg-server/dist/configure.ac 1.4 (patch) xsrc/external/mit/xorg-server/dist/configure.ac 1.5 (patch) xsrc/external/mit/xorg-server/dist/include/dix-config.h.in 1.2 (patch) xsrc/external/mit/xorg-server/dist/include/dix-config.h.in 1.3 (patch) xsrc/external/mit/xorg-server/dist/include/os.h 1.8 (patch) xsrc/external/mit/xorg-server/dist/os/auth.c1.2 (patch) xsrc/external/mit/xorg-server/dist/os/auth.c1.3 (patch) xsrc/external/mit/xorg-server/dist/os/mitauth.c 1.2 (patch) xsrc/external/mit/xorg-server/dist/os/mitauth.c 1.3 (patch) xsrc/external/mit/xorg-server/dist/os/osdep.h 1.2 (patch) xsrc/external/mit/xorg-server/dist/os/rpcauth.c 1.4 (patch) xsrc/external/mit/xorg-server/dist/os/timingsafe_memcmp.c 1.1 (patch) xsrc/external/mit/xorg-server/dist/os/xdmauth.c 1.2 (patch) xsrc/external/mit/xorg-server/include/dix-config.h 1.26 (patch) xsrc/external/mit/xorg-server/include/dix-config.h 1.27 (patch) Apply upstream fixes for generation and comparision of MIT-MAGIC-COOKIES, fixing CVE-2017-2624 [mrg, ticket #1443] To generate a diff of this commit: cvs rdiff -u -r1.1.1.8.4.1 -r1.1.1.8.4.2 \ xsrc/external/mit/xorg-server/dist/configure.ac cvs rdiff -u -r1.1.1.4 -r1.1.1.4.4.1 \ xsrc/external/mit/xorg-server/dist/include/dix-config.h.in cvs rdiff -u -r1.6 -r1.6.4.1 xsrc/external/mit/xorg-server/dist/include/os.h cvs rdiff -u -r1.1.1.3 -r1.1.1.3.4.1 \ xsrc/external/mit/xorg-server/dist/os/auth.c \ xsrc/external/mit/xorg-server/dist/os/xdmauth.c cvs rdiff -u -r1.1.1.2 -r1.1.1.2.4.1 \ xsrc/external/mit/xorg-server/dist/os/mitauth.c cvs rdiff -u -r1.1.1.4 -r1.1.1.4.4.1 \ xsrc/external/mit/xorg-server/dist/os/osdep.h cvs rdiff -u -r1.1.1.3.4.1 -r1.1.1.3.4.2 \ xsrc/external/mit/xorg-server/dist/os/rpcauth.c cvs rdiff -u -r0 -r1.1.10.2 \ xsrc/external/mit/xorg-server/dist/os/timingsafe_memcmp.c cvs rdiff -u -r1.19 -r1.19.4.1 \ xsrc/external/mit/xorg-server/include/dix-config.h cvs rdiff -u -r1.5 -r1.5.16.1 xsrc/xfree/xc/programs/Xserver/include/os.h cvs rdiff -u -r1.4 -r1.4.28.1 xsrc/xfree/xc/programs/Xserver/os/auth.c cvs rdiff -u -r1.1.1.4 -r1.1.1.4.30.1 \ xsrc/xfree/xc/programs/Xserver/os/mitauth.c cvs rdiff -u -r1.1.1.7 -r1.1.1.7.16.1 \ xsrc/xfree/xc/programs/Xserver/os/osdep.h cvs rdiff -u -r1.1.1.5.28.1 -r1.1.1.5.28.2 \ xsrc/xfree/xc/programs/Xserver/os/rpcauth.c cvs rdiff -u -r0 -r1.1.10.2 \ xsrc/xfree/xc/programs/Xserver/os/timingsafe_memcmp.c cvs rdiff -u -r1.1.1.6 -r1.1.1.6.16.1 \ xsrc/xfree/xc/programs/Xserver/os/xdmauth.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/xorg-server/dist/configure.ac diff -u xsrc/external/mit/xorg-server/dist/configure.ac:1.1.1.8.4.1 xsrc/external/mit/xorg-server/dist/configure.ac:1.1.1.8.4.2 --- xsrc/external/mit/xorg-server/dist/configure.ac:1.1.1.8.4.1 Tue Dec 9 19:44:40 2014 +++ xsrc/external/mit/xorg-server/dist/configure.ac Wed Mar 8 14:56:15 2017 @@ -220,6 +220,8 @@ AC_CHECK_FUNC([strlcpy], AC_DEFINE(HAS_S AM_CONDITIONAL(NEED_VSNPRINTF, [test x$HAVE_VSNPRINTF = xn
CVS commit: [netbsd-6-0] xsrc
Module Name:xsrc
Committed By: snj
Date: Tue Mar 7 20:54:15 UTC 2017
Modified Files:
xsrc/external/mit/libICE/dist/src [netbsd-6-0]: iceauth.c
xsrc/xfree/xc/lib/ICE [netbsd-6-0]: iceauth.c
Log Message:
Apply patch (requested by mrg in ticket #1442):
Use arc4random when available to produce the auth cookie.
(80f62c54fbd50a3bbdf9c37258525098c9117830 upstream)
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.3 -r1.1.1.3.4.1 \
xsrc/external/mit/libICE/dist/src/iceauth.c
cvs rdiff -u -r1.1.1.5 -r1.1.1.5.30.1 xsrc/xfree/xc/lib/ICE/iceauth.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/libICE/dist/src/iceauth.c
diff -u xsrc/external/mit/libICE/dist/src/iceauth.c:1.1.1.3 xsrc/external/mit/libICE/dist/src/iceauth.c:1.1.1.3.4.1
--- xsrc/external/mit/libICE/dist/src/iceauth.c:1.1.1.3 Sun Nov 21 05:47:12 2010
+++ xsrc/external/mit/libICE/dist/src/iceauth.c Tue Mar 7 20:54:15 2017
@@ -36,6 +36,10 @@ Author: Ralph Mor, X Consortium
#include
#define Time_t time_t
+#ifdef HAVE_LIBBSD
+#include /* for arc4random_buf() */
+#endif
+
static int was_called_state;
/*
@@ -50,14 +54,19 @@ IceGenerateMagicCookie (
)
{
char*auth;
+#ifndef HAVE_ARC4RANDOM_BUF
longldata[2];
int seed;
int value;
int i;
+#endif
if ((auth = (char *) malloc (len + 1)) == NULL)
return (NULL);
+#ifdef HAVE_ARC4RANDOM_BUF
+arc4random_buf(auth, len);
+#else
#ifdef ITIMER_REAL
{
struct timeval now;
@@ -81,8 +90,8 @@ IceGenerateMagicCookie (
value = rand ();
auth[i] = value & 0xff;
}
+#endif
auth[len] = '\0';
-
return (auth);
}
Index: xsrc/xfree/xc/lib/ICE/iceauth.c
diff -u xsrc/xfree/xc/lib/ICE/iceauth.c:1.1.1.5 xsrc/xfree/xc/lib/ICE/iceauth.c:1.1.1.5.30.1
--- xsrc/xfree/xc/lib/ICE/iceauth.c:1.1.1.5 Fri Feb 28 13:18:45 2003
+++ xsrc/xfree/xc/lib/ICE/iceauth.c Tue Mar 7 20:54:15 2017
@@ -37,6 +37,10 @@ Author: Ralph Mor, X Consortium
static int binaryEqual ();
+#ifdef HAVE_LIBBSD
+#include /* for arc4random_buf() */
+#endif
+
static int was_called_state;
/*
@@ -52,14 +56,19 @@ int len;
{
char*auth;
+#ifndef HAVE_ARC4RANDOM_BUF
longldata[2];
int seed;
int value;
int i;
+#endif
if ((auth = (char *) malloc (len + 1)) == NULL)
return (NULL);
+#ifdef HAVE_ARC4RANDOM_BUF
+arc4random_buf(auth, len);
+#else
#ifdef ITIMER_REAL
{
struct timeval now;
@@ -83,8 +92,8 @@ int len;
value = rand ();
auth[i] = value & 0xff;
}
+#endif
auth[len] = '\0';
-
return (auth);
}
CVS commit: [netbsd-6-0] xsrc/xfree/xc
Module Name:xsrc Committed By: bouyer Date: Wed Oct 5 10:49:31 UTC 2016 Modified Files: xsrc/xfree/xc/lib/X11 [netbsd-6-0]: FontNames.c GetImage.c ListExt.c ModMap.c Xlibint.h xsrc/xfree/xc/lib/Xi [netbsd-6-0]: XGMotion.c XGetBMap.c XGetDCtl.c XGetFCtl.c XGetKMap.c XGetMMap.c XOpenDev.c XQueryDv.c xsrc/xfree/xc/lib/Xrender [netbsd-6-0]: Filter.c Xrender.c xsrc/xfree/xc/lib/Xtst [netbsd-6-0]: XRecord.c xsrc/xfree/xc/lib/Xv [netbsd-6-0]: Xv.c xsrc/xfree/xc/programs/Xserver/include [netbsd-6-0]: dix.h Log Message: Apply patch, requested my mrg in ticket 1411: xsrc/xfree/xc/lib/X11/FontNames.c patch xsrc/xfree/xc/lib/X11/GetImage.cpatch xsrc/xfree/xc/lib/X11/ListExt.c patch xsrc/xfree/xc/lib/X11/ModMap.c patch xsrc/xfree/xc/lib/X11/Xlibint.h patch xsrc/xfree/xc/lib/Xi/XGMotion.c patch xsrc/xfree/xc/lib/Xi/XGetBMap.c patch xsrc/xfree/xc/lib/Xi/XGetDCtl.c patch xsrc/xfree/xc/lib/Xi/XGetFCtl.c patch xsrc/xfree/xc/lib/Xi/XGetKMap.c patch xsrc/xfree/xc/lib/Xi/XGetMMap.c patch xsrc/xfree/xc/lib/Xi/XOpenDev.c patch xsrc/xfree/xc/lib/Xi/XQueryDv.c patch xsrc/xfree/xc/lib/Xrender/Filter.c patch xsrc/xfree/xc/lib/Xrender/Xrender.c patch xsrc/xfree/xc/lib/Xtst/XRecord.cpatch xsrc/xfree/xc/lib/Xv/Xv.c patch xsrc/xfree/xc/programs/Xserver/include/dix.hpatch Fix (backported from upstream) the following issues in X client libraries: libX11 - insufficient validation of data from the X server can cause out of boundary memory read (XGetImage()) or write (XListFonts()). Affected versions libX11 <= 1.6.3 libXfixes - insufficient validation of data from the X server can cause an integer overflow on 32 bit architectures. Affected versions : libXfixes <= 5.0.2 libXi - insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service). Affected versions libXi <= 1.7.6 libXrandr - insufficient validation of data from the X server can cause out of boundary memory writes. Affected versions: libXrandr <= 1.5.0 libXrender - insufficient validation of data from the X server can cause out of boundary memory writes. Affected version: libXrender <= 0.9.9 XRecord - insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service). Affected version libXtst <= 1.2.2 libXv - insufficient validation of data from the X server can cause out of boundary memory and memory corruption. CVE-2016-5407 affected versions libXv <= 1.0.10 libXvMC - insufficient validation of data from the X server can cause a one byte buffer read underrun. Affected versions: libXvMC <= 1.0.9 To generate a diff of this commit: cvs rdiff -u -r1.1.1.5 -r1.1.1.5.28.1 xsrc/xfree/xc/lib/X11/FontNames.c \ xsrc/xfree/xc/lib/X11/GetImage.c xsrc/xfree/xc/lib/X11/ModMap.c cvs rdiff -u -r1.1.1.4 -r1.1.1.4.30.1 xsrc/xfree/xc/lib/X11/ListExt.c cvs rdiff -u -r1.1.1.7.16.1 -r1.1.1.7.16.2 xsrc/xfree/xc/lib/X11/Xlibint.h cvs rdiff -u -r1.1.1.5 -r1.1.1.5.30.1 xsrc/xfree/xc/lib/Xi/XGMotion.c \ xsrc/xfree/xc/lib/Xi/XGetBMap.c xsrc/xfree/xc/lib/Xi/XGetDCtl.c \ xsrc/xfree/xc/lib/Xi/XGetFCtl.c xsrc/xfree/xc/lib/Xi/XGetMMap.c \ xsrc/xfree/xc/lib/Xi/XOpenDev.c xsrc/xfree/xc/lib/Xi/XQueryDv.c cvs rdiff -u -r1.1.1.6 -r1.1.1.6.28.1 xsrc/xfree/xc/lib/Xi/XGetKMap.c cvs rdiff -u -r1.1.1.1 -r1.1.1.1.30.1 xsrc/xfree/xc/lib/Xrender/Filter.c cvs rdiff -u -r1.1.1.5 -r1.1.1.5.30.1 xsrc/xfree/xc/lib/Xrender/Xrender.c cvs rdiff -u -r1.1.1.6 -r1.1.1.6.16.1 xsrc/xfree/xc/lib/Xtst/XRecord.c cvs rdiff -u -r1.1.1.6 -r1.1.1.6.16.1 xsrc/xfree/xc/lib/Xv/Xv.c cvs rdiff -u -r1.1.1.6.28.1 -r1.1.1.6.28.2 \ xsrc/xfree/xc/programs/Xserver/include/dix.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/xfree/xc/lib/X11/FontNames.c diff -u xsrc/xfree/xc/lib/X11/FontNames.c:1.1.1.5 xsrc/xfree/xc/lib/X11/FontNames.c:1.1.1.5.28.1 --- xsrc/xfree/xc/lib/X11/FontNames.c:1.1.1.5 Fri Mar 5 14:24:07 2004 +++ xsrc/xfree/xc/lib/X11/FontNames.c Wed Oct 5 10:49:30 2016 @@ -29,6 +29,7 @@ in this Software without prior written a #define NEED_REPLIES #include "Xlibint.h" +#include char ** XListFonts( @@ -41,7 +42,9 @@ int *actualCount) /* RETURN */ register unsigned i; register int length; char **flist; -char *ch; +
CVS commit: [netbsd-6-0] xsrc/external/mit
Module Name:xsrc Committed By: bouyer Date: Wed Oct 5 10:47:45 UTC 2016 Modified Files: xsrc/external/mit/libX11/dist/include/X11 [netbsd-6-0]: Xlibint.h xsrc/external/mit/libX11/dist/src [netbsd-6-0]: FontNames.c GetImage.c ListExt.c ModMap.c xsrc/external/mit/libXfixes/dist/src [netbsd-6-0]: Region.c xsrc/external/mit/libXi/dist/src [netbsd-6-0]: XGMotion.c XGetBMap.c XGetDCtl.c XGetFCtl.c XGetKMap.c XGetMMap.c XIQueryDevice.c XListDev.c XOpenDev.c XQueryDv.c xsrc/external/mit/libXrandr/dist/src [netbsd-6-0]: XrrConfig.c XrrCrtc.c XrrOutput.c XrrScreen.c xsrc/external/mit/libXrender/dist/src [netbsd-6-0]: Filter.c Xrender.c xsrc/external/mit/libXtst/dist/src [netbsd-6-0]: XRecord.c xsrc/external/mit/libXv/dist/src [netbsd-6-0]: Xv.c xsrc/external/mit/libXvMC/dist/src [netbsd-6-0]: XvMC.c Log Message: Apply patch, requested my mrg in ticket 1410: xsrc/external/mit/libX11/dist/include/X11/Xlibint.h patch xsrc/external/mit/libX11/dist/src/FontNames.c patch xsrc/external/mit/libX11/dist/src/GetImage.cpatch xsrc/external/mit/libX11/dist/src/ListExt.c patch xsrc/external/mit/libX11/dist/src/ModMap.c patch xsrc/external/mit/libXfixes/dist/src/Region.c patch xsrc/external/mit/libXi/dist/src/XGMotion.c patch xsrc/external/mit/libXi/dist/src/XGetBMap.c patch xsrc/external/mit/libXi/dist/src/XGetDCtl.c patch xsrc/external/mit/libXi/dist/src/XGetFCtl.c patch xsrc/external/mit/libXi/dist/src/XGetKMap.c patch xsrc/external/mit/libXi/dist/src/XGetMMap.c patch xsrc/external/mit/libXi/dist/src/XIQueryDevice.cpatch xsrc/external/mit/libXi/dist/src/XListDev.c patch xsrc/external/mit/libXi/dist/src/XOpenDev.c patch xsrc/external/mit/libXi/dist/src/XQueryDv.c patch xsrc/external/mit/libXrandr/dist/src/XrrConfig.cpatch xsrc/external/mit/libXrandr/dist/src/XrrCrtc.c patch xsrc/external/mit/libXrandr/dist/src/XrrOutput.cpatch xsrc/external/mit/libXrandr/dist/src/XrrProvider.c patch xsrc/external/mit/libXrandr/dist/src/XrrScreen.cpatch xsrc/external/mit/libXrender/dist/src/Filter.c patch xsrc/external/mit/libXrender/dist/src/Xrender.c patch xsrc/external/mit/libXtst/dist/src/XRecord.cpatch xsrc/external/mit/libXv/dist/src/Xv.c patch xsrc/external/mit/libXvMC/dist/src/XvMC.c patch Fix (backported from upstream) the following issues in X client libraries: libX11 - insufficient validation of data from the X server can cause out of boundary memory read (XGetImage()) or write (XListFonts()). Affected versions libX11 <= 1.6.3 libXfixes - insufficient validation of data from the X server can cause an integer overflow on 32 bit architectures. Affected versions : libXfixes <= 5.0.2 libXi - insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service). Affected versions libXi <= 1.7.6 libXrandr - insufficient validation of data from the X server can cause out of boundary memory writes. Affected versions: libXrandr <= 1.5.0 libXrender - insufficient validation of data from the X server can cause out of boundary memory writes. Affected version: libXrender <= 0.9.9 XRecord - insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service). Affected version libXtst <= 1.2.2 libXv - insufficient validation of data from the X server can cause out of boundary memory and memory corruption. CVE-2016-5407 affected versions libXv <= 1.0.10 libXvMC - insufficient validation of data from the X server can cause a one byte buffer read underrun. Affected versions: libXvMC <= 1.0.9 To generate a diff of this commit: cvs rdiff -u -r1.1.1.7.4.1 -r1.1.1.7.4.2 \ xsrc/external/mit/libX11/dist/include/X11/Xlibint.h cvs rdiff -u -r1.1.1.4.4.1 -r1.1.1.4.4.2 \ xsrc/external/mit/libX11/dist/src/FontNames.c \ xsrc/external/mit/libX11/dist/src/GetImage.c \ xsrc/external/mit/libX11/dist/src/ModMap.c cvs rdiff -u -r1.1.1.3.4.1 -r1.1.1.3.4.2 \ xsrc/external/mit/libX11/dist/src/ListExt.c cvs rdiff -u -r1.1.1.2 -r1.1.1.2.4.1 \ xsrc/external/mit/libXfixes/dist/src/Region.c cvs rdiff -u -r1.1.1.3.4.1 -r1.1.1.3.4.2 \ xsrc/external/mit/libXi/dist/src/XGMotion.c \ xsrc/external/mit/libXi/dist/src/XGetFCtl.c \ xsrc/external/mit/libXi/di
CVS commit: [netbsd-6-0] xsrc
Module Name:xsrc
Committed By: msaitoh
Date: Sun Apr 19 05:56:13 UTC 2015
Modified Files:
xsrc/external/mit/libX11/dist/include/X11 [netbsd-6-0]: Xlibint.h
xsrc/xfree/xc/lib/X11 [netbsd-6-0]: Xlibint.h
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1290):
xsrc/external/mit/libX11/dist/include/X11/Xlibint.h patch
xsrc/xfree/xc/lib/X11/Xlibint.h 1.2
Fix CVE-2013-7439: Buffer overflow in MakeBigReq macro in libX11.
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.7 -r1.1.1.7.4.1 \
xsrc/external/mit/libX11/dist/include/X11/Xlibint.h
cvs rdiff -u -r1.1.1.7 -r1.1.1.7.16.1 xsrc/xfree/xc/lib/X11/Xlibint.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/libX11/dist/include/X11/Xlibint.h
diff -u xsrc/external/mit/libX11/dist/include/X11/Xlibint.h:1.1.1.7 xsrc/external/mit/libX11/dist/include/X11/Xlibint.h:1.1.1.7.4.1
--- xsrc/external/mit/libX11/dist/include/X11/Xlibint.h:1.1.1.7 Wed Aug 3 03:01:44 2011
+++ xsrc/external/mit/libX11/dist/include/X11/Xlibint.h Sun Apr 19 05:56:13 2015
@@ -536,6 +536,14 @@ extern LockInfoPtr _Xglobal_lock;
#endif
#ifdef WORD64
+/*
+ * MakeBigReq sets the CARD16 "req->length" to 0 and inserts a new CARD32
+ * length, after req->length, before the data in the request. The new length
+ * includes the "n" extra 32-bit words.
+ *
+ * Do not use MakeBigReq if there is no data already in the request.
+ * req->length must already be >= 2.
+ */
#define MakeBigReq(req,n) \
{ \
char _BRdat[4]; \
@@ -554,7 +562,7 @@ extern LockInfoPtr _Xglobal_lock;
CARD32 _BRlen = req->length - 1; \
req->length = 0; \
_BRdat = ((CARD32 *)req)[_BRlen]; \
-memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
+memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
((CARD32 *)req)[1] = _BRlen + n + 2; \
Data32(dpy, &_BRdat, 4); \
}
@@ -565,13 +573,20 @@ extern LockInfoPtr _Xglobal_lock;
CARD32 _BRlen = req->length - 1; \
req->length = 0; \
_BRdat = ((CARD32 *)req)[_BRlen]; \
-memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
+memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
((CARD32 *)req)[1] = _BRlen + n + 2; \
Data32(dpy, &_BRdat, 4); \
}
#endif
#endif
+/*
+ * SetReqLen increases the count of 32-bit words in the request by "n",
+ * or by "badlen" if "n" is too large.
+ *
+ * Do not use SetReqLen if "req" does not already have data after the
+ * xReq header. req->length must already be >= 2.
+ */
#ifndef __clang_analyzer__
#define SetReqLen(req,n,badlen) \
if ((req->length + n) > (unsigned)65535) { \
Index: xsrc/xfree/xc/lib/X11/Xlibint.h
diff -u xsrc/xfree/xc/lib/X11/Xlibint.h:1.1.1.7 xsrc/xfree/xc/lib/X11/Xlibint.h:1.1.1.7.16.1
--- xsrc/xfree/xc/lib/X11/Xlibint.h:1.1.1.7 Fri Mar 18 13:04:29 2005
+++ xsrc/xfree/xc/lib/X11/Xlibint.h Sun Apr 19 05:56:13 2015
@@ -528,6 +528,14 @@ extern LockInfoPtr _Xglobal_lock;
#endif
#ifdef WORD64
+/*
+ * MakeBigReq sets the CARD16 "req->length" to 0 and inserts a new CARD32
+ * length, after req->length, before the data in the request. The new length
+ * includes the "n" extra 32-bit words.
+ *
+ * Do not use MakeBigReq if there is no data already in the request.
+ * req->length must already be >= 2.
+ */
#define MakeBigReq(req,n) \
{ \
char _BRdat[4]; \
@@ -546,7 +554,7 @@ extern LockInfoPtr _Xglobal_lock;
CARD32 _BRlen = req->length - 1; \
req->length = 0; \
_BRdat = ((CARD32 *)req)[_BRlen]; \
-memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
+memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
((CARD32 *)req)[1] = _BRlen + n + 2; \
Data32(dpy, &_BRdat, 4); \
}
@@ -557,13 +565,20 @@ extern LockInfoPtr _Xglobal_lock;
CARD32 _BRlen = req->length - 1; \
req->length = 0; \
_BRdat = ((CARD32 *)req)[_BRlen]; \
-memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
+memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
((CARD32 *)req)[1] = _BRlen + n + 2; \
Data32(dpy, &_BRdat, 4); \
}
#endif
#endif
+/*
+ * SetReqLen increases the count of 32-bit words in the request by "n",
+ * or by "badlen" if "n" is too large.
+ *
+ * Do not use SetReqLen if "req" does not already have data after the
+ * xReq header. req->length must already be >= 2.
+ */
#define SetReqLen(req,n,badlen) \
if ((req->length + n) > (unsigned)65535) { \
if (dpy->bigreq_size) { \
CVS commit: [netbsd-6-0] xsrc
Module Name:xsrc
Committed By: snj
Date: Tue Mar 17 18:35:35 UTC 2015
Modified Files:
xsrc/external/mit/libXfont/dist/src/bitmap [netbsd-6-0]: bdfread.c
xsrc/xfree/xc/lib/font/bitmap [netbsd-6-0]: bdfread.c
Log Message:
Apply patch (requested by mrg in ticket #1280):
Fix the following security issues:
CVE-2015-1802: bdfReadProperties: property count needs range check
The bdf parser reads a count for the number of properties defined in
a font from the font file, and allocates arrays with entries for each
property based on that count. It never checked to see if that count
was negative, or large enough to overflow when multiplied by the size
of the structures being allocated, and could thus allocate the wrong
buffer size, leading to out of bounds writes.
CVE-2015-1803: bdfReadCharacters: bailout if a char's bitmap cannot be read
If the bdf parser failed to parse the data for the bitmap for any
character, it would proceed with an invalid pointer to the bitmap
data and later crash when trying to read the bitmap from that pointer.
CVE-2015-1804: bdfReadCharacters: ensure metrics fit into xCharInfo struct
The bdf parser read metrics values as 32-bit integers, but stored
them into 16-bit integers. Overflows could occur in various operations
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.2.4.1 -r1.1.1.2.4.2 \
xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c
cvs rdiff -u -r1.2.10.1 -r1.2.10.2 xsrc/xfree/xc/lib/font/bitmap/bdfread.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c
diff -u xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c:1.1.1.2.4.1 xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c:1.1.1.2.4.2
--- xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c:1.1.1.2.4.1 Tue Jan 7 18:02:37 2014
+++ xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c Tue Mar 17 18:35:35 2015
@@ -65,8 +65,16 @@ from The Open Group.
#if HAVE_STDINT_H
#include
-#elif !defined(INT32_MAX)
-#define INT32_MAX 0x7fff
+#else
+# ifndef INT32_MAX
+# define INT32_MAX 0x7fff
+# endif
+# ifndef INT16_MAX
+# define INT16_MAX 0x7fff
+# endif
+# ifndef INT16_MIN
+# define INT16_MIN (0 - 0x8000)
+# endif
#endif
#define INDICES 256
@@ -420,6 +428,12 @@ bdfReadCharacters(FontFilePtr file, Font
bdfError("DWIDTH y value must be zero\n");
goto BAILOUT;
}
+ /* xCharInfo metrics are stored as INT16 */
+ if ((wx < 0) || (wx > INT16_MAX)) {
+ bdfError("character '%s' has out of range width, %d\n",
+ charName, wx);
+ goto BAILOUT;
+ }
line = bdfGetLine(file, lineBuf, BDFLINELEN);
if ((!line) || (sscanf((char *) line, "BBX %d %d %d %d", &bw, &bh, &bl, &bb) != 4)) {
bdfError("bad 'BBX'\n");
@@ -430,6 +444,14 @@ bdfReadCharacters(FontFilePtr file, Font
charName, bw, bh);
goto BAILOUT;
}
+ /* xCharInfo metrics are read as int, but stored as INT16 */
+ if ((bl > INT16_MAX) || (bl < INT16_MIN) ||
+ (bb > INT16_MAX) || (bb < INT16_MIN) ||
+ (bw > (INT16_MAX - bl)) || (bh > (INT16_MAX - bb))) {
+ bdfError("character '%s' has out of range metrics, %d %d %d %d\n",
+ charName, bl, (bl+bw), (bh+bb), -bb);
+ goto BAILOUT;
+ }
line = bdfGetLine(file, lineBuf, BDFLINELEN);
if ((line) && (bdfIsPrefix(line, "ATTRIBUTES"))) {
for (p = line + strlen("ATTRIBUTES ");
@@ -461,7 +483,10 @@ bdfReadCharacters(FontFilePtr file, Font
ci->metrics.descent = -bb;
ci->metrics.characterWidth = wx;
ci->bits = NULL;
- bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes);
+ if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) {
+ bdfError("could not read bitmap for character '%s'\n", charName);
+ goto BAILOUT;
+ }
ci++;
ndx++;
} else
@@ -607,7 +632,9 @@ bdfReadProperties(FontFilePtr file, Font
bdfError("missing 'STARTPROPERTIES'\n");
return (FALSE);
}
-if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) {
+if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) ||
+ (nProps <= 0) ||
+ (nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) {
bdfError("bad 'STARTPROPERTIES'\n");
return (FALSE);
}
Index: xsrc/xfree/xc/lib/font/bitmap/bdfread.c
diff -u xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.2.10.1 xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.2.10.2
--- xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.2.10.1 Tue Jan 7 18:02:38 2014
+++ xsrc/xfree/xc/lib/font/bitmap/bdfread.c Tue Mar 17 18:35:35 2015
@@ -63,8 +63,16 @@ from The Open Group.
#if HAVE_STDINT_H
#include
-#elif !defined(INT32_MAX)
-#define INT32_MAX 0x7fff
+#else
+# ifndef INT32_MAX
+# define INT32_MAX 0x7fff
+# endif
+# ifndef INT16_MAX
+# define INT16_MAX 0x7fff
+# endif
+# ifndef INT16_MIN
+# define INT16_MIN (0 - 0x8000)
+# endif
#endif
#defi
CVS commit: [netbsd-6-0] xsrc
Module Name:xsrc
Committed By: martin
Date: Wed Feb 11 14:54:21 UTC 2015
Modified Files:
xsrc/external/mit/xorg-server/dist/xkb [netbsd-6-0]: xkb.c
xsrc/xfree/xc/programs/Xserver/xkb [netbsd-6-0]: xkb.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1253):
external/mit/xorg-server/dist/xkb/xkb.c: revision 1.2
xfree/xc/programs/Xserver/xkb/xkb.c: revision 1.2
apply fixes for CVE-2015-0255:
Information leak in the XkbSetGeometry request of X servers
http://www.x.org/wiki/Development/Security/Advisory-2015-02-10/
ported to xorg-server 1.10 and xfree myself.
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.6 -r1.1.1.6.4.1 \
xsrc/external/mit/xorg-server/dist/xkb/xkb.c
cvs rdiff -u -r1.1.1.6 -r1.1.1.6.28.1 \
xsrc/xfree/xc/programs/Xserver/xkb/xkb.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/xorg-server/dist/xkb/xkb.c
diff -u xsrc/external/mit/xorg-server/dist/xkb/xkb.c:1.1.1.6 xsrc/external/mit/xorg-server/dist/xkb/xkb.c:1.1.1.6.4.1
--- xsrc/external/mit/xorg-server/dist/xkb/xkb.c:1.1.1.6 Tue Aug 2 06:57:06 2011
+++ xsrc/external/mit/xorg-server/dist/xkb/xkb.c Wed Feb 11 14:54:21 2015
@@ -4839,27 +4839,30 @@ ProcXkbGetGeometry(ClientPtr client)
/******/
-static char *
-_GetCountedString(char **wire_inout,Bool swap)
+static Status
+_GetCountedString(char **wire_inout, ClientPtr client, char **str)
{
-char * wire,*str;
-CARD16 len,*plen;
+char *wire, *next;
+CARD16 len;
-wire= *wire_inout;
-plen= (CARD16 *)wire;
-if (swap) {
- register int n;
- swaps(plen,n);
-}
-len= *plen;
-str= malloc(len+1);
-if (str) {
- memcpy(str,&wire[2],len);
- str[len]= '\0';
+wire = *wire_inout;
+len = *(CARD16 *) wire;
+if (client->swapped) {
+ int n;
+swaps(&len, n);
}
-wire+= XkbPaddedSize(len+2);
-*wire_inout= wire;
-return str;
+next = wire + XkbPaddedSize(len + 2);
+/* Check we're still within the size of the request */
+if (client->req_len <
+bytes_to_int32(next - (char *) client->requestBuffer))
+return BadValue;
+*str = malloc(len + 1);
+if (!*str)
+return BadAlloc;
+memcpy(*str, &wire[2], len);
+*(*str + len) = '\0';
+*wire_inout = next;
+return Success;
}
static Status
@@ -4871,6 +4874,7 @@ _CheckSetDoodad( char ** wire_inout,
char * wire;
xkbDoodadWireDesc * dWire;
XkbDoodadPtr doodad;
+Status status;
dWire= (xkbDoodadWireDesc *)(*wire_inout);
wire= (char *)&dWire[1];
@@ -4920,8 +4924,14 @@ XkbDoodadPtr doodad;
doodad->text.width= dWire->text.width;
doodad->text.height= dWire->text.height;
doodad->text.color_ndx= dWire->text.colorNdx;
- doodad->text.text= _GetCountedString(&wire,client->swapped);
- doodad->text.font= _GetCountedString(&wire,client->swapped);
+status = _GetCountedString(&wire, client, &doodad->text.text);
+if (status != Success)
+return status;
+status = _GetCountedString(&wire, client, &doodad->text.font);
+if (status != Success) {
+free (doodad->text.text);
+return status;
+}
break;
case XkbIndicatorDoodad:
if (dWire->indicator.onColorNdx>=geom->num_colors) {
@@ -4956,7 +4966,9 @@ XkbDoodadPtr doodad;
}
doodad->logo.color_ndx= dWire->logo.colorNdx;
doodad->logo.shape_ndx= dWire->logo.shapeNdx;
- doodad->logo.logo_name= _GetCountedString(&wire,client->swapped);
+status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
+if (status != Success)
+return status;
break;
default:
client->errorValue= _XkbErrCode2(0x4F,dWire->any.type);
@@ -5191,17 +5203,20 @@ Status status;
char * wire;
wire= (char *)&req[1];
-geom->label_font= _GetCountedString(&wire,client->swapped);
+status = _GetCountedString(&wire, client, &geom->label_font);
+if (status != Success)
+return status;
+
+for (i = 0; i < req->nProperties; i++) {
+ char *name, *val;
-for (i=0;inProperties;i++) {
- char *name,*val;
- name= _GetCountedString(&wire,client->swapped);
-if (!name)
-return BadAlloc;
- val= _GetCountedString(&wire,client->swapped);
-if (!val) {
+status = _GetCountedString(&wire, client, &name);
+if (status != Success)
+return status;
+status = _GetCountedString(&wire, client, &val);
+if (status != Success) {
free(name);
-return BadAlloc;
+return status;
}
if (XkbAddGeomProperty(geom,name,val)==NULL) {
free(name);
@@ -5230,11 +5245,11 @@ char * wire;
return BadMatch;
}
-for (i=0;inColors;i++)
CVS commit: [netbsd-6-0] xsrc/external/mit/xorg-server/dist
Module Name:xsrc
Committed By: msaitoh
Date: Mon Dec 22 10:38:25 UTC 2014
Modified Files:
xsrc/external/mit/xorg-server/dist/exa [netbsd-6-0]: exa_render.c
xsrc/external/mit/xorg-server/dist/render [netbsd-6-0]: picture.h
Log Message:
Pullup additional patches requested by mrg in ticket #1208:
xsrc/external/mit/xorg-server/dist/exa/exa_render.c 1.2
xsrc/external/mit/xorg-server/dist/render/picture.h 1.2
fixes for CVE CVE-2013-6424:
If t->bottom is close to MIN_INT, removing top can wraparound, so do
the check properly.
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.4 -r1.1.1.4.4.1 \
xsrc/external/mit/xorg-server/dist/exa/exa_render.c
cvs rdiff -u -r1.1.1.3 -r1.1.1.3.4.1 \
xsrc/external/mit/xorg-server/dist/render/picture.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/xorg-server/dist/exa/exa_render.c
diff -u xsrc/external/mit/xorg-server/dist/exa/exa_render.c:1.1.1.4 xsrc/external/mit/xorg-server/dist/exa/exa_render.c:1.1.1.4.4.1
--- xsrc/external/mit/xorg-server/dist/exa/exa_render.c:1.1.1.4 Tue Nov 23 05:21:03 2010
+++ xsrc/external/mit/xorg-server/dist/exa/exa_render.c Mon Dec 22 10:38:25 2014
@@ -1172,6 +1172,7 @@ exaTrapezoids (CARD8 op, PicturePtr pSrc
exaPrepareAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
for (; ntrap; ntrap--, traps++)
+ if (xTrapezoidValid(traps))
(*ps->RasterizeTrapezoid) (pPicture, traps,
-bounds.x1, -bounds.y1);
exaFinishAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
Index: xsrc/external/mit/xorg-server/dist/render/picture.h
diff -u xsrc/external/mit/xorg-server/dist/render/picture.h:1.1.1.3 xsrc/external/mit/xorg-server/dist/render/picture.h:1.1.1.3.4.1
--- xsrc/external/mit/xorg-server/dist/render/picture.h:1.1.1.3 Tue Nov 23 05:22:13 2010
+++ xsrc/external/mit/xorg-server/dist/render/picture.h Mon Dec 22 10:38:25 2014
@@ -210,7 +210,7 @@ typedef pixman_fixed_t xFixed;
/* whether 't' is a well defined not obviously empty trapezoid */
#define xTrapezoidValid(t) ((t)->left.p1.y != (t)->left.p2.y && \
(t)->right.p1.y != (t)->right.p2.y && \
- (int) ((t)->bottom - (t)->top) > 0)
+ ((t)->bottom > (t)->top))
/*
* Standard NTSC luminance conversions:
CVS commit: [netbsd-6-0] xsrc/xfree/xc/programs/Xserver
Module Name:xsrc Committed By: snj Date: Fri Dec 12 07:25:34 UTC 2014 Modified Files: xsrc/xfree/xc/programs/Xserver/GL/glx [netbsd-6-0]: glxcmds.c glxcmdsswap.c glxserver.h rensize.c single2.c single2swap.c singlepix.c singlepixswap.c unpack.h xsrc/xfree/xc/programs/Xserver/Xext [netbsd-6-0]: xcmisc.c xvdisp.c xsrc/xfree/xc/programs/Xserver/Xi [netbsd-6-0]: chgdctl.c chgfctl.c sendexev.c xsrc/xfree/xc/programs/Xserver/dbe [netbsd-6-0]: dbe.c xsrc/xfree/xc/programs/Xserver/dix [netbsd-6-0]: dispatch.c xsrc/xfree/xc/programs/Xserver/include [netbsd-6-0]: dix.h misc.h xsrc/xfree/xc/programs/Xserver/os [netbsd-6-0]: access.c rpcauth.c xsrc/xfree/xc/programs/Xserver/randr [netbsd-6-0]: randr.c xsrc/xfree/xc/programs/Xserver/render [netbsd-6-0]: render.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1208): xfree/xc/programs/Xserver/dix/dispatch.c: revision 1.2 xfree/xc/programs/Xserver/Xext/xvdisp.c: revision 1.2 xfree/xc/programs/Xserver/include/misc.h: revision 1.2 xfree/xc/programs/Xserver/render/render.c: revision 1.4 xfree/xc/programs/Xserver/GL/glx/singlepixswap.c: revision 1.2 xfree/xc/programs/Xserver/Xi/sendexev.c: revision 1.2 xfree/xc/programs/Xserver/include/dix.h: revision 1.2 xfree/xc/programs/Xserver/os/access.c: revision 1.7 xfree/xc/programs/Xserver/GL/glx/glxserver.h: revision 1.2 xfree/xc/programs/Xserver/GL/glx/rensize.c: revision 1.2 xfree/xc/programs/Xserver/GL/glx/unpack.h: revision 1.2 xfree/xc/programs/Xserver/GL/glx/singlepix.c: revision 1.2 xfree/xc/programs/Xserver/Xi/chgfctl.c: revision 1.2 xfree/xc/programs/Xserver/Xi/chgdctl.c: revision 1.2 xfree/xc/programs/Xserver/GL/glx/glxcmds.c: revision 1.2 xfree/xc/programs/Xserver/Xext/xcmisc.c: revision 1.3 xfree/xc/programs/Xserver/randr/randr.c: revision 1.2 xfree/xc/programs/Xserver/GL/glx/glxcmdsswap.c: revision 1.2 xfree/xc/programs/Xserver/os/rpcauth.c: revision 1.2 xfree/xc/programs/Xserver/dbe/dbe.c: revision 1.3 xfree/xc/programs/Xserver/GL/glx/single2.c: revision 1.2 xfree/xc/programs/Xserver/GL/glx/single2swap.c: revision 1.2 pull over from xorg-server, porting as necessary. - -- apply fixes for: X.Org Security Advisory: Dec. 9, 2014 Protocol handling issues in X Window System servers backported to 1.10.x by myself. included are fixes for: denial of service due to unchecked malloc in client authentication CVE-2014-8091 integer overflows calculating memory needs for requests CVE-2014-8092 CVE-2014-8093 CVE-2014-8094 out of bounds access due to not validating length or offset values in requests CVE-2014-8095 CVE-2014-8096 CVE-2014-8097 CVE-2014-8098 CVE-2014-8099 CVE-2014-8100 CVE-2014-8101 CVE-2014-8102 CVE-2014-8103 - -- apply two more parts of CVE-2014-8092: Missing parens in REQUEST_FIXED_SIZE macro [CVE-2014-8092 pt. 5] dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6] - -- To generate a diff of this commit: cvs rdiff -u -r1.1.1.6 -r1.1.1.6.16.1 \ xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmds.c \ xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmdsswap.c \ xsrc/xfree/xc/programs/Xserver/GL/glx/glxserver.h \ xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c \ xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c \ xsrc/xfree/xc/programs/Xserver/GL/glx/unpack.h cvs rdiff -u -r1.1.1.7 -r1.1.1.7.16.1 \ xsrc/xfree/xc/programs/Xserver/GL/glx/rensize.c cvs rdiff -u -r1.1.1.3 -r1.1.1.3.30.1 \ xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c cvs rdiff -u -r1.1.1.4 -r1.1.1.4.30.1 \ xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c cvs rdiff -u -r1.2 -r1.2.10.1 xsrc/xfree/xc/programs/Xserver/Xext/xcmisc.c cvs rdiff -u -r1.1.1.5 -r1.1.1.5.28.1 \ xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c cvs rdiff -u -r1.1.1.4 -r1.1.1.4.30.1 \ xsrc/xfree/xc/programs/Xserver/Xi/chgdctl.c \ xsrc/xfree/xc/programs/Xserver/Xi/chgfctl.c \ xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c cvs rdiff -u -r1.2 -r1.2.10.1 xsrc/xfree/xc/programs/Xserver/dbe/dbe.c cvs rdiff -u -r1.1.1.7 -r1.1.1.7.16.1 \ xsrc/xfree/xc/programs/Xserver/dix/dispatch.c cvs rdiff -u -r1.1.1.6 -r1.1.1.6.28.1 \ xsrc/xfree/xc/programs/Xserver/include/dix.h cvs rdiff -u -r1.1.1.6 -r1.1.1.6.16.1 \ xsrc/xfree/xc/programs/Xserver/include/misc.h cvs rdiff -u -r1.6 -r1.6.16.1 xsrc/xfree/xc/programs/Xserver/os/access.c cvs rdiff -u -r1.1.1.5 -r1.1.1.5.28.1 \ xsrc/xfree/xc/programs/Xserver/os/rpcauth.c cvs rdiff -u -r1.1.1.3 -r1.1.1.3.28.1 \ xsrc/xfree/xc/programs/Xserver/randr/randr.c cvs rdiff -u -r1.3 -r1.3.10.1 xsrc/xfree/xc/programs/Xserver/render/render.c Please note that d
CVS commit: [netbsd-6-0] xsrc/external/mit/xorg-server/dist
Module Name:xsrc
Committed By: snj
Date: Wed Dec 10 22:47:26 UTC 2014
Modified Files:
xsrc/external/mit/xorg-server/dist/include [netbsd-6-0]: dix.h
xsrc/external/mit/xorg-server/dist/os [netbsd-6-0]: access.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1208):
external/mit/xorg-server/dist/include/dix.h: revision 1.3
external/mit/xorg-server/dist/os/access.c: revision 1.3
apply two more parts of CVE-2014-8092:
Missing parens in REQUEST_FIXED_SIZE macro [CVE-2014-8092 pt. 5]
dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6]
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.5.4.1 -r1.1.1.5.4.2 \
xsrc/external/mit/xorg-server/dist/include/dix.h
cvs rdiff -u -r1.1.1.5.4.1 -r1.1.1.5.4.2 \
xsrc/external/mit/xorg-server/dist/os/access.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/xorg-server/dist/include/dix.h
diff -u xsrc/external/mit/xorg-server/dist/include/dix.h:1.1.1.5.4.1 xsrc/external/mit/xorg-server/dist/include/dix.h:1.1.1.5.4.2
--- xsrc/external/mit/xorg-server/dist/include/dix.h:1.1.1.5.4.1 Tue Dec 9 19:44:41 2014
+++ xsrc/external/mit/xorg-server/dist/include/dix.h Wed Dec 10 22:47:26 2014
@@ -80,7 +80,7 @@ SOFTWARE.
#define REQUEST_FIXED_SIZE(req, n)\
if (((sizeof(req) >> 2) > client->req_len) || \
-((n >> 2) >= client->req_len) || \
+(((n) >> 2) >= client->req_len) || \
uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \
return(BadLength)
Index: xsrc/external/mit/xorg-server/dist/os/access.c
diff -u xsrc/external/mit/xorg-server/dist/os/access.c:1.1.1.5.4.1 xsrc/external/mit/xorg-server/dist/os/access.c:1.1.1.5.4.2
--- xsrc/external/mit/xorg-server/dist/os/access.c:1.1.1.5.4.1 Tue Dec 9 19:44:41 2014
+++ xsrc/external/mit/xorg-server/dist/os/access.c Wed Dec 10 22:47:26 2014
@@ -1420,7 +1420,7 @@ GetHosts (
for (host = validhosts; host; host = host->next)
{
len = host->len;
-if ((ptr + sizeof(xHostEntry) + len) > (data + n))
+if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
break;
((xHostEntry *)ptr)->family = host->family;
((xHostEntry *)ptr)->length = len;
CVS commit: [netbsd-6-0] xsrc/external/mit/xorg-server/dist
Module Name:xsrc Committed By: snj Date: Tue Dec 9 19:44:42 UTC 2014 Modified Files: xsrc/external/mit/xorg-server/dist [netbsd-6-0]: configure configure.ac xsrc/external/mit/xorg-server/dist/Xext [netbsd-6-0]: xcmisc.c xvdisp.c xsrc/external/mit/xorg-server/dist/Xi [netbsd-6-0]: chgdctl.c chgfctl.c sendexev.c xiallowev.c xichangecursor.c xichangehierarchy.c xigetclientpointer.c xigrabdev.c xipassivegrab.c xiproperty.c xiquerydevice.c xiquerypointer.c xiselectev.c xisetclientpointer.c xisetdevfocus.c xiwarppointer.c xsrc/external/mit/xorg-server/dist/dbe [netbsd-6-0]: dbe.c xsrc/external/mit/xorg-server/dist/dix [netbsd-6-0]: dispatch.c region.c xsrc/external/mit/xorg-server/dist/glx [netbsd-6-0]: glxcmds.c glxcmdsswap.c glxserver.h indirect_program.c indirect_reqsize.c indirect_reqsize.h indirect_texture_compression.c indirect_util.c rensize.c single2.c single2swap.c singlepix.c singlepixswap.c swap_interval.c unpack.h xsrc/external/mit/xorg-server/dist/hw/xfree86/dri2 [netbsd-6-0]: dri2ext.c xsrc/external/mit/xorg-server/dist/include [netbsd-6-0]: dix.h regionstr.h xsrc/external/mit/xorg-server/dist/os [netbsd-6-0]: access.c rpcauth.c xsrc/external/mit/xorg-server/dist/randr [netbsd-6-0]: rrsdispatch.c xsrc/external/mit/xorg-server/dist/render [netbsd-6-0]: render.c xsrc/external/mit/xorg-server/dist/test [netbsd-6-0]: Makefile.am xsrc/external/mit/xorg-server/dist/test/xi2 [netbsd-6-0]: protocol-xigetclientpointer.c protocol-xiquerypointer.c protocol-xiwarppointer.c xsrc/external/mit/xorg-server/dist/xfixes [netbsd-6-0]: select.c Added Files: xsrc/external/mit/xorg-server/dist/test/xi1 [netbsd-6-0]: Makefile.am protocol-xchangedevicecontrol.c Log Message: Apply patch (requested by mrg in ticket #1208): apply fixes for X.Org Security Advisory: Dec. 9, 2014 Protocol handling issues in X Window System servers included are fixes for: denial of service due to unchecked malloc in client authentication CVE-2014-8091 integer overflows calculating memory needs for requests CVE-2014-8092 CVE-2014-8093 CVE-2014-8094 out of bounds access due to not validating length or offset values in requests CVE-2014-8095 CVE-2014-8096 CVE-2014-8097 CVE-2014-8098 CVE-2014-8099 CVE-2014-8100 CVE-2014-8101 CVE-2014-8102 CVE-2014-8103 To generate a diff of this commit: cvs rdiff -u -r1.1.1.8 -r1.1.1.8.4.1 \ xsrc/external/mit/xorg-server/dist/configure \ xsrc/external/mit/xorg-server/dist/configure.ac cvs rdiff -u -r1.1.1.4 -r1.1.1.4.4.1 \ xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c cvs rdiff -u -r1.3 -r1.3.4.1 xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c cvs rdiff -u -r1.1.1.3 -r1.1.1.3.4.1 \ xsrc/external/mit/xorg-server/dist/Xi/chgdctl.c \ xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c \ xsrc/external/mit/xorg-server/dist/Xi/sendexev.c cvs rdiff -u -r1.1.1.1 -r1.1.1.1.4.1 \ xsrc/external/mit/xorg-server/dist/Xi/xiallowev.c \ xsrc/external/mit/xorg-server/dist/Xi/xichangecursor.c \ xsrc/external/mit/xorg-server/dist/Xi/xigetclientpointer.c \ xsrc/external/mit/xorg-server/dist/Xi/xisetclientpointer.c \ xsrc/external/mit/xorg-server/dist/Xi/xisetdevfocus.c cvs rdiff -u -r1.1.1.2 -r1.1.1.2.4.1 \ xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c \ xsrc/external/mit/xorg-server/dist/Xi/xigrabdev.c \ xsrc/external/mit/xorg-server/dist/Xi/xipassivegrab.c \ xsrc/external/mit/xorg-server/dist/Xi/xiquerydevice.c \ xsrc/external/mit/xorg-server/dist/Xi/xiquerypointer.c \ xsrc/external/mit/xorg-server/dist/Xi/xiselectev.c \ xsrc/external/mit/xorg-server/dist/Xi/xiwarppointer.c cvs rdiff -u -r1.1.1.4 -r1.1.1.4.4.1 \ xsrc/external/mit/xorg-server/dist/Xi/xiproperty.c cvs rdiff -u -r1.1.1.4 -r1.1.1.4.4.1 \ xsrc/external/mit/xorg-server/dist/dbe/dbe.c cvs rdiff -u -r1.1.1.6 -r1.1.1.6.4.1 \ xsrc/external/mit/xorg-server/dist/dix/dispatch.c cvs rdiff -u -r1.1.1.1 -r1.1.1.1.4.1 \ xsrc/external/mit/xorg-server/dist/dix/region.c cvs rdiff -u -r1.6 -r1.6.4.1 xsrc/external/mit/xorg-server/dist/glx/glxcmds.c cvs rdiff -u -r1.1.1.3 -r1.1.1.3.4.1 \ xsrc/external/mit/xorg-server/dist/glx/glxcmdsswap.c \ xsrc/external/mit/xorg-server/dist/glx/glxserver.h \ xsrc/external/mit/xorg-server/dist/glx/single2.c \ xsrc/external/mit/xorg-server/dist/glx/unpack.h cvs rdiff -u -r1.1.1.2 -r1.1.1.2.4.1 \ xsrc/external/mit/xorg-server/dist/glx/indirect_program.c \ xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.c \ xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.h \ xsrc/external/mit/xorg-server/dist/glx/indirect_texture_comp
CVS commit: [netbsd-6-0] xsrc/external/mit/libXt/dist/src
Module Name:xsrc Committed By: msaitoh Date: Sun Nov 9 07:19:01 UTC 2014 Modified Files: xsrc/external/mit/libXt/dist/src [netbsd-6-0]: ResConfig.c Log Message: Pull up following revision(s) (requested by snj in ticket #1181): xsrc/external/mit/libXt/dist/src/ResConfig.cpatch Fix DEBUG build of libXt. From Sandro Millien in PR xsrc/48863. To generate a diff of this commit: cvs rdiff -u -r1.1.1.4.4.1 -r1.1.1.4.4.2 \ xsrc/external/mit/libXt/dist/src/ResConfig.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/libXt/dist/src/ResConfig.c diff -u xsrc/external/mit/libXt/dist/src/ResConfig.c:1.1.1.4.4.1 xsrc/external/mit/libXt/dist/src/ResConfig.c:1.1.1.4.4.2 --- xsrc/external/mit/libXt/dist/src/ResConfig.c:1.1.1.4.4.1 Thu Jun 6 03:52:05 2013 +++ xsrc/external/mit/libXt/dist/src/ResConfig.c Sun Nov 9 07:19:01 2014 @@ -988,7 +988,7 @@ _XtResourceConfigurationEH ( resource = XtNewString (data_ptr); value = XtNewString (data_value); #ifdef DEBUG -fprintf (stderr, "resource_len=%d\n" +fprintf (stderr, "resource_len=%d\n", resource_len); fprintf (stderr, "resource = %s\t value = %s\n", resource, value);
CVS commit: [netbsd-6-0] xsrc/external/mit/xf86-video-wsfb/dist/src
Module Name:xsrc
Committed By: msaitoh
Date: Thu Aug 7 09:12:36 UTC 2014
Modified Files:
xsrc/external/mit/xf86-video-wsfb/dist/src [netbsd-6-0]: wsfb_driver.c
Log Message:
Pull up following revision(s) (requested by tsutsui in ticket #1101):
xsrc/external/mit/xf86-video-wsfb/dist/src/wsfb_driver.c: revision 1.17
Call removeShadow only when shadowFB has been initialized.
To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.13.4.1 \
xsrc/external/mit/xf86-video-wsfb/dist/src/wsfb_driver.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/xf86-video-wsfb/dist/src/wsfb_driver.c
diff -u xsrc/external/mit/xf86-video-wsfb/dist/src/wsfb_driver.c:1.13 xsrc/external/mit/xf86-video-wsfb/dist/src/wsfb_driver.c:1.13.4.1
--- xsrc/external/mit/xf86-video-wsfb/dist/src/wsfb_driver.c:1.13 Fri Jul 22 15:12:01 2011
+++ xsrc/external/mit/xf86-video-wsfb/dist/src/wsfb_driver.c Thu Aug 7 09:12:36 2014
@@ -989,7 +989,8 @@ WsfbCloseScreen(int scrnIndex, ScreenPtr
TRACE_ENTER("WsfbCloseScreen");
pPixmap = pScreen->GetScreenPixmap(pScreen);
- shadowRemove(pScreen, pPixmap);
+ if (fPtr->shadowFB)
+ shadowRemove(pScreen, pPixmap);
if (pScrn->vtSema) {
WsfbRestore(pScrn);
CVS commit: [netbsd-6-0] xsrc
Module Name:xsrc
Committed By: msaitoh
Date: Wed May 14 03:55:40 UTC 2014
Modified Files:
xsrc/external/mit/libXfont/dist/src/fc [netbsd-6-0]: fsconvert.c
fserve.c
xsrc/external/mit/libXfont/dist/src/fontfile [netbsd-6-0]: dirfile.c
xsrc/xfree/xc/lib/font/fc [netbsd-6-0]: fsconvert.c fserve.c
xsrc/xfree/xc/lib/font/fontfile [netbsd-6-0]: dirfile.c
Log Message:
Pull up following revision(s) (requested by spz in ticket #1063):
xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c 1.2
xsrc/external/mit/libXfont/dist/src/fc/fserve.c 1.2
xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c 1.2
xsrc/xfree/xc/lib/font/fc/fsconvert.c 1.5
xsrc/xfree/xc/lib/font/fc/fserve.c 1.5
xsrc/xfree/xc/lib/font/fontfile/dirfile.c 1.5
Fix multiple vulnerabilities in libXfont:
- CVE-2014-0209: integer overflow of allocations in font metadata file parsing
When a local user who is already authenticated to the X server adds
a new directory to the font path, the X server calls libXfont to open
the fonts.dir and fonts.alias files in that directory and add entries
to the font tables for every line in it. A large file (~2-4 gb) could
cause the allocations to overflow, and allow the remaining data read
from the file to overwrite other memory in the heap.
Affected functions: FontFileAddEntry(), lexAlias()
- CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies
When parsing replies received from the font server, these calls do not
check that the lengths and/or indexes returned by the font server are
within the size of the reply or the bounds of the memory allocated to
store the data, so could write past the bounds of allocated memory when
storing the returned data.
Affected functions: _fs_recv_conn_setup(), fs_read_open_font(),
fs_read_query_info(), fs_read_extent_info(), fs_read_glyphs(),
fs_read_list(), fs_read_list_info()
- CVE-2014-0211: integer overflows calculating memory needs for xfs replies
These calls do not check that their calculations for how much memory
is needed to handle the returned data have not overflowed, so can
result in allocating too little memory and then writing the returned
data past the end of the allocated buffer.
Affected functions: fs_get_reply(), fs_alloc_glyphs(),
fs_read_extent_info()
See also: http://lists.x.org/archives/xorg-announce/2014-May/002431.html
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.2 -r1.1.1.2.4.1 \
xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c \
xsrc/external/mit/libXfont/dist/src/fc/fserve.c
cvs rdiff -u -r1.1.1.2 -r1.1.1.2.4.1 \
xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c
cvs rdiff -u -r1.4 -r1.4.28.1 xsrc/xfree/xc/lib/font/fc/fsconvert.c \
xsrc/xfree/xc/lib/font/fc/fserve.c
cvs rdiff -u -r1.4 -r1.4.16.1 xsrc/xfree/xc/lib/font/fontfile/dirfile.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c
diff -u xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.2 xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.2.4.1
--- xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.2 Wed Jun 10 07:33:40 2009
+++ xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c Wed May 14 03:55:40 2014
@@ -120,6 +120,10 @@ _fs_convert_props(fsPropInfo *pi, fsProp
for (i = 0; i < nprops; i++, dprop++, is_str++)
{
memcpy(&local_off, off_adr, SIZEOF(fsPropOffset));
+ if ((local_off.name.position >= pi->data_len) ||
+ (local_off.name.length >
+ (pi->data_len - local_off.name.position)))
+ goto bail;
dprop->name = MakeAtom(&pdc[local_off.name.position],
local_off.name.length, 1);
if (local_off.type != PropTypeString) {
@@ -127,10 +131,15 @@ _fs_convert_props(fsPropInfo *pi, fsProp
dprop->value = local_off.value.position;
} else {
*is_str = TRUE;
+ if ((local_off.name.position >= pi->data_len) ||
+ (local_off.name.length >
+ (pi->data_len - local_off.name.position)))
+ goto bail;
dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position],
local_off.value.length, 1);
if (dprop->value == BAD_RESOURCE)
{
+ bail:
free (pfi->props);
pfi->nprops = 0;
pfi->props = 0;
@@ -714,7 +723,12 @@ fs_alloc_glyphs (FontPtr pFont, int size
FSGlyphPtr glyphs;
FSFontPtr fsfont = (FSFontPtr) pFont->fontPrivate;
-glyphs = malloc (sizeof (FSGlyphRec) + size);
+if (size < (INT_MAX - sizeof (FSGlyphRec)))
+ glyphs = malloc (sizeof (FSGlyphRec) + size);
+else
+glyphs = NULL;
+if (glyphs == NULL)
+return NULL;
glyphs->next = fsfont->glyphs;
fsfont->glyphs = glyphs;
return (poin
CVS commit: [netbsd-6-0] xsrc
Module Name:xsrc
Committed By: bouyer
Date: Tue Jan 7 18:02:38 UTC 2014
Modified Files:
xsrc/external/mit/libXfont/dist/src/bitmap [netbsd-6-0]: bdfread.c
xsrc/xfree/xc/lib/font/bitmap [netbsd-6-0]: bdfread.c
Log Message:
xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.cpatch
xsrc/xfree/xc/lib/font/bitmap/bdfread.c patch
Fix CVE-2013-6462: scanf without field width limits can crash
with huge input data.
[wiz, ticket #1011]
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.2 -r1.1.1.2.4.1 \
xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c
cvs rdiff -u -r1.2 -r1.2.10.1 xsrc/xfree/xc/lib/font/bitmap/bdfread.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c
diff -u xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c:1.1.1.2 xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c:1.1.1.2.4.1
--- xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c:1.1.1.2 Wed Jun 10 07:33:40 2009
+++ xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c Tue Jan 7 18:02:37 2014
@@ -72,6 +72,7 @@ from The Open Group.
#define INDICES 256
#define MAXENCODING 0x
#define BDFLINELEN 1024
+#define BDFLINESTR "%1023s" /* scanf specifier to read a BDFLINELEN string */
static Bool bdfPadToTerminal(FontPtr pFont);
extern int bdfFileLineNum;
@@ -341,7 +342,7 @@ bdfReadCharacters(FontFilePtr file, Font
charcharName[100];
int ignore;
- if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
+ if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) {
bdfError("bad character name in BDF file\n");
goto BAILOUT; /* bottom of function, free and return error */
}
@@ -547,13 +548,18 @@ bdfReadHeader(FontFilePtr file, bdfFileS
unsigned charlineBuf[BDFLINELEN];
line = bdfGetLine(file, lineBuf, BDFLINELEN);
-if (!line || sscanf((char *) line, "STARTFONT %s", namebuf) != 1 ||
+if (!line ||
+ sscanf((char *) line, "STARTFONT " BDFLINESTR, namebuf) != 1 ||
!bdfStrEqual(namebuf, "2.1")) {
bdfError("bad 'STARTFONT'\n");
return (FALSE);
}
line = bdfGetLine(file, lineBuf, BDFLINELEN);
-if (!line || sscanf((char *) line, "FONT %[^\n]", pState->fontName) != 1) {
+#if MAXFONTNAMELEN != 1024
+# error "need to adjust sscanf length limit to be MAXFONTNAMELEN - 1"
+#endif
+if (!line ||
+ sscanf((char *) line, "FONT %1023[^\n]", pState->fontName) != 1) {
bdfError("bad 'FONT'\n");
return (FALSE);
}
@@ -636,7 +642,9 @@ bdfReadProperties(FontFilePtr file, Font
while (*line && isspace(*line))
line++;
- switch (sscanf((char *) line, "%s%s%s", namebuf, secondbuf, thirdbuf)) {
+ switch (sscanf((char *) line,
+BDFLINESTR BDFLINESTR BDFLINESTR,
+namebuf, secondbuf, thirdbuf)) {
default:
bdfError("missing '%s' parameter value\n", namebuf);
goto BAILOUT;
Index: xsrc/xfree/xc/lib/font/bitmap/bdfread.c
diff -u xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.2 xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.2.10.1
--- xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.2 Tue Apr 3 20:10:34 2007
+++ xsrc/xfree/xc/lib/font/bitmap/bdfread.c Tue Jan 7 18:02:38 2014
@@ -70,6 +70,7 @@ from The Open Group.
#define INDICES 256
#define MAXENCODING 0x
#define BDFLINELEN 1024
+#define BDFLINESTR "%1023s" /* scanf specifier to read a BDFLINELEN string */
static Bool bdfPadToTerminal(FontPtr pFont);
extern int bdfFileLineNum;
@@ -340,7 +341,7 @@ bdfReadCharacters(FontFilePtr file, Font
charcharName[100];
int ignore;
- if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
+ if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) {
bdfError("bad character name in BDF file\n");
goto BAILOUT; /* bottom of function, free and return error */
}
@@ -549,13 +550,18 @@ bdfReadHeader(FontFilePtr file, bdfFileS
unsigned charlineBuf[BDFLINELEN];
line = bdfGetLine(file, lineBuf, BDFLINELEN);
-if (!line || sscanf((char *) line, "STARTFONT %s", namebuf) != 1 ||
+if (!line ||
+ sscanf((char *) line, "STARTFONT " BDFLINESTR, namebuf) != 1 ||
!bdfStrEqual(namebuf, "2.1")) {
bdfError("bad 'STARTFONT'\n");
return (FALSE);
}
line = bdfGetLine(file, lineBuf, BDFLINELEN);
-if (!line || sscanf((char *) line, "FONT %[^\n]", pState->fontName) != 1) {
+#if MAXFONTNAMELEN != 1024
+# error "need to adjust sscanf length limit to be MAXFONTNAMELEN - 1"
+#endif
+if (!line ||
+ sscanf((char *) line, "FONT %1023[^\n]", pState->fontName) != 1) {
bdfError("bad 'FONT'\n");
return (FALSE);
}
@@ -639,7 +645,9 @@ bdfReadProperties(FontFilePtr file, Font
while (*line && isspace(*line))
line++;
- switch (sscanf((char *) line, "%s%s%s", namebuf, secondbuf, thirdbuf)) {
+ switch (sscanf((char *) line,
+ BDFLINESTR BDFLINESTR BDFLIN
CVS commit: [netbsd-6-0] xsrc
Module Name:xsrc
Committed By: jdc
Date: Sat Oct 12 18:58:59 UTC 2013
Modified Files:
xsrc/external/mit/xorg-server/dist/dix [netbsd-6-0]: dixfonts.c
xsrc/xfree/xc/programs/Xserver/dix [netbsd-6-0]: dixfonts.c
Log Message:
Pull up revisions:
xsrc/external/mit/xorg-server/dist/dix/dixfonts.c revision 1.2
xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c revision 1.4
(requested by spz in ticket #966).
Fix CVE-2013-4396 using a patch from:
--- snip ---
>From a4d9bf1259ad28f54b6d59a480b2009cc89ca623 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Mon, 16 Sep 2013 21:47:16 -0700
Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText()
Save a pointer to the passed in closure structure before copying it
and overwriting the *c pointer to point to our copy instead of the
original. If we hit an error, once we free(c), reset c to point to
the original structure before jumping to the cleanup code that
references *c.
Since one of the errors being checked for is whether the server was
able to malloc(c->nChars * itemSize), the client can potentially pass
a number of characters chosen to cause the malloc to fail and the
error path to be taken, resulting in the read from freed memory.
Since the memory is accessed almost immediately afterwards, and the
X server is mostly single threaded, the odds of the free memory having
invalid contents are low with most malloc implementations when not using
memory debugging features, but some allocators will definitely overwrite
the memory there, leading to a likely crash.
Reported-by: Pedro Ribeiro
Signed-off-by: Alan Coopersmith
Reviewed-by: Julien Cristau
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.5 -r1.1.1.5.4.1 \
xsrc/external/mit/xorg-server/dist/dix/dixfonts.c
cvs rdiff -u -r1.3 -r1.3.4.1 xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/xorg-server/dist/dix/dixfonts.c
diff -u xsrc/external/mit/xorg-server/dist/dix/dixfonts.c:1.1.1.5 xsrc/external/mit/xorg-server/dist/dix/dixfonts.c:1.1.1.5.4.1
--- xsrc/external/mit/xorg-server/dist/dix/dixfonts.c:1.1.1.5 Tue Aug 2 06:56:45 2011
+++ xsrc/external/mit/xorg-server/dist/dix/dixfonts.c Sat Oct 12 18:58:59 2013
@@ -1479,6 +1479,7 @@ doImageText(ClientPtr client, ITclosureP
GC *pGC;
unsigned char *data;
ITclosurePtr new_closure;
+ITclosurePtr old_closure;
/* We're putting the client to sleep. We need to
save some state. Similar problem to that handled
@@ -1491,6 +1492,7 @@ doImageText(ClientPtr client, ITclosureP
err = BadAlloc;
goto bail;
}
+old_closure = c;
*new_closure = *c;
c = new_closure;
@@ -1498,6 +1500,7 @@ doImageText(ClientPtr client, ITclosureP
if (!data)
{
free(c);
+c = old_closure;
err = BadAlloc;
goto bail;
}
@@ -1509,6 +1512,7 @@ doImageText(ClientPtr client, ITclosureP
{
free(c->data);
free(c);
+c = old_closure;
err = BadAlloc;
goto bail;
}
@@ -1522,6 +1526,7 @@ doImageText(ClientPtr client, ITclosureP
FreeScratchGC(pGC);
free(c->data);
free(c);
+c = old_closure;
err = BadAlloc;
goto bail;
}
Index: xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c
diff -u xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c:1.3 xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c:1.3.4.1
--- xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c:1.3 Fri May 27 21:29:26 2011
+++ xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c Sat Oct 12 18:58:59 2013
@@ -1544,6 +1544,7 @@ doImageText(client, c)
GC *pGC;
unsigned char *data;
ITclosurePtr new_closure;
+ ITclosurePtr old_closure;
/* We're putting the client to sleep. We need to
save some state. Similar problem to that handled
@@ -1556,6 +1557,7 @@ doImageText(client, c)
err = BadAlloc;
goto bail;
}
+old_closure = c;
*new_closure = *c;
c = new_closure;
@@ -1563,6 +1565,7 @@ doImageText(client, c)
if (!data)
{
xfree(c);
+c = old_closure;
err = BadAlloc;
goto bail;
}
@@ -1574,6 +1577,7 @@ doImageText(client, c)
{
xfree(c->data);
xfree(c);
+c = old_closure;
err = BadAlloc;
goto bail;
}
@@ -1587,6 +1591,7 @@ doImageText(client, c)
FreeScratchGC(pGC);
xfree(c->data);
xfree(c);
+c = old_closure;
err = BadAlloc;
goto bail;
}
CVS commit: [netbsd-6-0] xsrc/external/mit/libX11/dist/src/xkb
Module Name:xsrc
Committed By: bouyer
Date: Wed Sep 18 19:53:43 UTC 2013
Modified Files:
xsrc/external/mit/libX11/dist/src/xkb [netbsd-6-0]: XKBGetMap.c
XKBNames.c
Log Message:
Apply patch, requested by riz in ticket #945
xsrc/external/mit/libX11/dist/src/xkb/XKBNames.cpatch
xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c patch
The size of the arrays is max_key_code + 1. This makes these functions
consistent with the other checks added for CVE-2013-1997.
Check the XkbGetNames reply when names->keys was just allocated
Should fix PR lib/48170.
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.4.4.1 -r1.1.1.4.4.2 \
xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c \
xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c
diff -u xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c:1.1.1.4.4.1 xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c:1.1.1.4.4.2
--- xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c:1.1.1.4.4.1 Thu Jun 6 03:52:04 2013
+++ xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c Wed Sep 18 19:53:43 2013
@@ -426,7 +426,7 @@ XkbServerMapPtr srv;
if ( rep->totalVModMapKeys>0 ) {
if (((int) rep->firstVModMapKey + rep->nVModMapKeys)
- > xkb->max_key_code)
+ > xkb->max_key_code + 1)
return BadLength;
if (((xkb->server==NULL)||(xkb->server->vmodmap==NULL))&&
(XkbAllocServerMap(xkb,XkbVirtualModMapMask,0)!=Success)) {
Index: xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c
diff -u xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c:1.1.1.4.4.1 xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c:1.1.1.4.4.2
--- xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c:1.1.1.4.4.1 Thu Jun 6 03:52:04 2013
+++ xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c Wed Sep 18 19:53:43 2013
@@ -180,7 +180,7 @@ _XkbReadGetNamesReply( Display * dpy,
nKeys= xkb->max_key_code+1;
names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec);
}
- else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code)
+ if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code + 1)
goto BAILOUT;
if (names->keys!=NULL) {
if (!_XkbCopyFromReadBuffer(&buf,
CVS commit: [netbsd-6-0] xsrc/external/mit/xorg-server/dist/exa
Module Name:xsrc
Committed By: riz
Date: Tue Nov 20 22:50:02 UTC 2012
Modified Files:
xsrc/external/mit/xorg-server/dist/exa [netbsd-6-0]: exa_priv.h
exa_unaccel.c
Log Message:
Pull up following revision(s) (requested by abs in ticket #673):
external/mit/xorg-server/dist/exa/exa_unaccel.c: revision 1.2
external/mit/xorg-server/dist/exa/exa_priv.h: revision 1.2
Apply patch https://bugs.freedesktop.org/attachment.cgi?id=68718
(with whitespace tweaks) from
https://bugs.freedesktop.org/show_bug.cgi?id=47266
to address graphics corruption using recent Cairo, manifested most
commonly by certain rendered text sections appearing as solid rectangular
blocks of colour.
Should be pulled up to netbsd-6 (and probably -5)
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.4 -r1.1.1.4.4.1 \
xsrc/external/mit/xorg-server/dist/exa/exa_priv.h
cvs rdiff -u -r1.1.1.6 -r1.1.1.6.4.1 \
xsrc/external/mit/xorg-server/dist/exa/exa_unaccel.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/xorg-server/dist/exa/exa_priv.h
diff -u xsrc/external/mit/xorg-server/dist/exa/exa_priv.h:1.1.1.4 xsrc/external/mit/xorg-server/dist/exa/exa_priv.h:1.1.1.4.4.1
--- xsrc/external/mit/xorg-server/dist/exa/exa_priv.h:1.1.1.4 Tue Nov 23 05:21:03 2010
+++ xsrc/external/mit/xorg-server/dist/exa/exa_priv.h Tue Nov 20 22:50:02 2012
@@ -206,6 +206,7 @@ typedef struct {
RegionRec srcReg;
RegionRec maskReg;
PixmapPtr srcPix;
+PixmapPtr maskPix;
} ExaScreenPrivRec, *ExaScreenPrivPtr;
Index: xsrc/external/mit/xorg-server/dist/exa/exa_unaccel.c
diff -u xsrc/external/mit/xorg-server/dist/exa/exa_unaccel.c:1.1.1.6 xsrc/external/mit/xorg-server/dist/exa/exa_unaccel.c:1.1.1.6.4.1
--- xsrc/external/mit/xorg-server/dist/exa/exa_unaccel.c:1.1.1.6 Tue Aug 2 06:56:46 2011
+++ xsrc/external/mit/xorg-server/dist/exa/exa_unaccel.c Tue Nov 20 22:50:02 2012
@@ -449,6 +449,13 @@ ExaSrcValidate(DrawablePtr pDrawable,
RegionPtr dst;
int xoff, yoff;
+if (pExaScr->srcPix == pPix)
+dst = &pExaScr->srcReg;
+else if (pExaScr->maskPix == pPix)
+dst = &pExaScr->maskReg;
+else
+return;
+
exaGetDrawableDeltas(pDrawable, pPix, &xoff, &yoff);
box.x1 = x + xoff;
@@ -456,9 +463,6 @@ ExaSrcValidate(DrawablePtr pDrawable,
box.x2 = box.x1 + width;
box.y2 = box.y1 + height;
-dst = (pExaScr->srcPix == pPix) ? &pExaScr->srcReg :
- &pExaScr->maskReg;
-
RegionInit(®, &box, 1);
RegionUnion(dst, dst, ®);
RegionUninit(®);
@@ -507,17 +511,20 @@ ExaPrepareCompositeReg(ScreenPtr pScree
RegionTranslate(pSrc->pCompositeClip,
-pSrc->pDrawable->x,
-pSrc->pDrawable->y);
-}
+} else
+pExaScr->srcPix = NULL;
if (pMask && pMask->pDrawable) {
pMaskPix = exaGetDrawablePixmap(pMask->pDrawable);
RegionNull(&pExaScr->maskReg);
maskReg = &pExaScr->maskReg;
+pExaScr->maskPix = pMaskPix;
if (pMask != pDst && pMask != pSrc)
RegionTranslate(pMask->pCompositeClip,
-pMask->pDrawable->x,
-pMask->pDrawable->y);
-}
+} else
+pExaScr->maskPix = NULL;
RegionTranslate(pDst->pCompositeClip,
-pDst->pDrawable->x,
