CVS commit: [netbsd-8] xsrc/external/mit/libX11/dist/src
Module Name:xsrc Committed By: martin Date: Wed May 19 17:19:20 UTC 2021 Modified Files: xsrc/external/mit/libX11/dist/src [netbsd-8]: Font.c FontInfo.c FontNames.c GetColor.c LoadFont.c LookupCol.c ParseCol.c QuExt.c SetFPath.c SetHints.c StNColor.c StName.c xsrc/external/mit/libX11/dist/src/xlibi18n [netbsd-8]: imKStoUCS.c Log Message: Apply patch, requested by mrg in ticket #1679: xsrc/external/mit/libX11/dist/src/Font.c(apply patch) xsrc/external/mit/libX11/dist/src/FontInfo.c(apply patch) xsrc/external/mit/libX11/dist/src/FontNames.c (apply patch) xsrc/external/mit/libX11/dist/src/GetColor.c(apply patch) xsrc/external/mit/libX11/dist/src/LoadFont.c(apply patch) xsrc/external/mit/libX11/dist/src/LookupCol.c (apply patch) xsrc/external/mit/libX11/dist/src/ParseCol.c(apply patch) xsrc/external/mit/libX11/dist/src/QuExt.c (apply patch) xsrc/external/mit/libX11/dist/src/SetFPath.c(apply patch) xsrc/external/mit/libX11/dist/src/SetHints.c(apply patch) xsrc/external/mit/libX11/dist/src/StNColor.c(apply patch) xsrc/external/mit/libX11/dist/src/StName.c (apply patch) xsrc/external/mit/libX11/dist/src/xlibi18n/imKStoUCS.c (apply patch) Apply upstream fixes for CVE-2021-31535 (and one other bug). Reject string longer than USHRT_MAX before sending them on the wire. Fix out-of-bound access in KeySymToUcs4(). To generate a diff of this commit: cvs rdiff -u -r1.5.2.1 -r1.5.2.2 xsrc/external/mit/libX11/dist/src/Font.c cvs rdiff -u -r1.1.1.7.2.1 -r1.1.1.7.2.2 \ xsrc/external/mit/libX11/dist/src/FontInfo.c cvs rdiff -u -r1.6.2.2 -r1.6.2.3 \ xsrc/external/mit/libX11/dist/src/FontNames.c cvs rdiff -u -r1.1.1.3.16.1 -r1.1.1.3.16.2 \ xsrc/external/mit/libX11/dist/src/GetColor.c \ xsrc/external/mit/libX11/dist/src/LoadFont.c \ xsrc/external/mit/libX11/dist/src/LookupCol.c \ xsrc/external/mit/libX11/dist/src/ParseCol.c cvs rdiff -u -r1.1.1.4.16.1 -r1.1.1.4.16.2 \ xsrc/external/mit/libX11/dist/src/QuExt.c cvs rdiff -u -r1.1.1.4.8.1 -r1.1.1.4.8.2 \ xsrc/external/mit/libX11/dist/src/SetFPath.c cvs rdiff -u -r1.1.1.5.8.1 -r1.1.1.5.8.2 \ xsrc/external/mit/libX11/dist/src/SetHints.c cvs rdiff -u -r1.1.1.2.16.1 -r1.1.1.2.16.2 \ xsrc/external/mit/libX11/dist/src/StNColor.c cvs rdiff -u -r1.1.1.4.10.1 -r1.1.1.4.10.2 \ xsrc/external/mit/libX11/dist/src/StName.c cvs rdiff -u -r1.1.1.4.10.1 -r1.1.1.4.10.2 \ xsrc/external/mit/libX11/dist/src/xlibi18n/imKStoUCS.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/libX11/dist/src/Font.c diff -u xsrc/external/mit/libX11/dist/src/Font.c:1.5.2.1 xsrc/external/mit/libX11/dist/src/Font.c:1.5.2.2 --- xsrc/external/mit/libX11/dist/src/Font.c:1.5.2.1 Wed Aug 5 14:10:19 2020 +++ xsrc/external/mit/libX11/dist/src/Font.c Wed May 19 17:19:20 2021 @@ -102,6 +102,8 @@ XFontStruct *XLoadQueryFont( XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy); #endif +if (strlen(name) >= USHRT_MAX) +return NULL; if (_XF86LoadQueryLocaleFont(dpy, name, _result, (Font *)0)) return font_result; LockDisplay(dpy); @@ -663,7 +665,7 @@ int _XF86LoadQueryLocaleFont( if (!name) return 0; l = (int) strlen(name); -if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-') +if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX) return 0; charset = NULL; /* next three lines stolen from _XkbGetCharset() */ Index: xsrc/external/mit/libX11/dist/src/FontInfo.c diff -u xsrc/external/mit/libX11/dist/src/FontInfo.c:1.1.1.7.2.1 xsrc/external/mit/libX11/dist/src/FontInfo.c:1.1.1.7.2.2 --- xsrc/external/mit/libX11/dist/src/FontInfo.c:1.1.1.7.2.1 Wed Aug 5 14:10:19 2020 +++ xsrc/external/mit/libX11/dist/src/FontInfo.c Wed May 19 17:19:20 2021 @@ -58,6 +58,9 @@ XFontStruct **info) /* RETURN */ register xListFontsReq *req; int j; +if (strlen(pattern) >= USHRT_MAX) +return NULL; + LockDisplay(dpy); GetReq(ListFontsWithInfo, req); req->maxNames = maxNames; Index: xsrc/external/mit/libX11/dist/src/FontNames.c diff -u xsrc/external/mit/libX11/dist/src/FontNames.c:1.6.2.2 xsrc/external/mit/libX11/dist/src/FontNames.c:1.6.2.3 --- xsrc/external/mit/libX11/dist/src/FontNames.c:1.6.2.2 Wed Aug 5 14:10:19 2020 +++ xsrc/external/mit/libX11/dist/src/FontNames.c Wed May 19 17:19:20 2021 @@ -51,6 +51,9 @@ int *actualCount) /* RETURN */ register xListFontsReq *req; unsigned long rlen = 0; +if (strlen(pattern) >= USHRT_MAX) +return NULL; + LockDisplay(dpy); GetReq(ListFonts, req); req->maxNames = maxNames; Index:
CVS commit: [netbsd-8] xsrc/external/mit
Module Name:xsrc Committed By: martin Date: Tue Apr 27 19:02:05 UTC 2021 Modified Files: xsrc/external/mit/xorg-server.old/dist/Xi [netbsd-8]: chgfctl.c xsrc/external/mit/xorg-server/dist/Xi [netbsd-8]: chgfctl.c Log Message: Apply patch, requested by mrg in ticket #1673: external/mit/xorg-server/dist/Xi/chgfctl.c (apply patch) external/mit/xorg-server.old/dist/Xi/chgfctl.c (apply patch) Fix for CVE-2021-3472 (local privilege escalation). To generate a diff of this commit: cvs rdiff -u -r1.1.1.1 -r1.1.1.1.2.1 \ xsrc/external/mit/xorg-server.old/dist/Xi/chgfctl.c cvs rdiff -u -r1.3 -r1.3.2.1 xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/xorg-server.old/dist/Xi/chgfctl.c diff -u xsrc/external/mit/xorg-server.old/dist/Xi/chgfctl.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/Xi/chgfctl.c:1.1.1.1.2.1 --- xsrc/external/mit/xorg-server.old/dist/Xi/chgfctl.c:1.1.1.1 Thu Jun 9 09:07:56 2016 +++ xsrc/external/mit/xorg-server.old/dist/Xi/chgfctl.c Tue Apr 27 19:02:04 2021 @@ -468,8 +468,11 @@ ProcXChangeFeedbackControl(ClientPtr cli case StringFeedbackClass: { char n; - xStringFeedbackCtl *f = ((xStringFeedbackCtl *) & stuff[1]); +xStringFeedbackCtl *f; +REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq, +sizeof(xStringFeedbackCtl)); +f = ((xStringFeedbackCtl *) [1]); if (client->swapped) { if (len < bytes_to_int32(sizeof(xStringFeedbackCtl))) return BadLength; Index: xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c diff -u xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c:1.3 xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c:1.3.2.1 --- xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c:1.3 Thu Aug 11 00:04:26 2016 +++ xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c Tue Apr 27 19:02:05 2021 @@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr cli break; case StringFeedbackClass: { -xStringFeedbackCtl *f = ((xStringFeedbackCtl *) [1]); +xStringFeedbackCtl *f; +REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq, +sizeof(xStringFeedbackCtl)); +f = ((xStringFeedbackCtl *) [1]); if (client->swapped) { if (len < bytes_to_int32(sizeof(xStringFeedbackCtl))) return BadLength;
CVS commit: [netbsd-8] xsrc/external/mit/xterm
Module Name:xsrc Committed By: martin Date: Wed Feb 17 09:48:40 UTC 2021 Modified Files: xsrc/external/mit/xterm/dist [netbsd-8]: INSTALL Imakefile MANIFEST Makefile.in NEWS THANKS TekPrsTbl.c Tekproc.c UXTerm.ad VTPrsTbl.c VTparse.def VTparse.h XTerm.ad aclocal.m4 button.c cachedGCs.c charclass.c charclass.h charproc.c charsets.c config.guess config.sub configure configure.in ctlseqs.ms ctlseqs.txt cursor.c data.c data.h df-install.in doublechr.c error.h fontutils.c fontutils.h graphics.c graphics_regis.c graphics_sixel.c html.c input.c keysym2ucs.c koi8rxterm koi8rxterm.man linedata.c main.c main.h menu.c menu.h minstall.in misc.c plink.sh print.c ptydata.c ptyx.h resize.c resize.man run-tic.sh screen.c scrollback.c scrollbar.c svg.c tabs.c termcap terminfo testxmc.c trace.c trace.h util.c uxterm uxterm.desktop uxterm.man version.c version.h vms.c wcwidth.c wcwidth.h xcharmouse.h xstrings.c xstrings.h xterm.appdata.xml xterm.dat xterm.h xterm.log.html xterm.man xterm_io.h xtermcap.c xtermcfg.hin xutf8.c xsrc/external/mit/xterm/dist/icons [netbsd-8]: filled-xterm.svg mini.xterm.svg terminal_48x48.svg xterm-color.svg xterm.svg xsrc/external/mit/xterm/dist/package [netbsd-8]: xterm.spec xsrc/external/mit/xterm/dist/package/debian [netbsd-8]: changelog compat control copyright rules watch xterm-dev.docs xterm-dev.menu xsrc/external/mit/xterm/dist/package/freebsd [netbsd-8]: Makefile pkg-descr xsrc/external/mit/xterm/dist/unicode [netbsd-8]: convmap.pl keysym.map xsrc/external/mit/xterm/dist/vttests [netbsd-8]: 256colors.pl 256colors2.pl 88colors.pl 88colors2.pl dynamic.pl paste64.pl query-color.pl query-fonts.pl resize.pl tcapquery.pl xsrc/external/mit/xterm/include [netbsd-8]: xtermcfg.h Added Files: xsrc/external/mit/xterm/dist [netbsd-8]: COPYING gen-charsets.pl xsrc/external/mit/xterm/dist/package/debian [netbsd-8]: xterm-dev.lintian-overrides xsrc/external/mit/xterm/dist/package/freebsd [netbsd-8]: distinfo pkg-message.wchar xsrc/external/mit/xterm/dist/package/pkgsrc [netbsd-8]: DESCR Makefile PLIST distinfo options.mk xsrc/external/mit/xterm/dist/vttests [netbsd-8]: closest-rgb.pl modify-keys.pl mouse-codes other-sgr.sh print-vt-chars.pl query-dynamic.pl query-status.pl query-xres.pl report-sgr.pl sgrPushPop.pl sgrPushPop2.pl Removed Files: xsrc/external/mit/xterm/include [netbsd-8]: Tekparse.hin VTparse.hin Log Message: Pull up the following xsrc/external/mit/xterm/dist/package/debian/xterm-dev.lintian-overrides up to 1.1.1.1 xsrc/external/mit/xterm/dist/package/freebsd/distinfo up to 1.1.1.1 xsrc/external/mit/xterm/dist/package/freebsd/pkg-message.wchar up to 1.1.1.1 xsrc/external/mit/xterm/dist/package/pkgsrc/Makefile up to 1.1.1.1 xsrc/external/mit/xterm/dist/package/pkgsrc/DESCRup to 1.1.1.1 xsrc/external/mit/xterm/dist/package/pkgsrc/distinfo up to 1.1.1.1 xsrc/external/mit/xterm/dist/package/pkgsrc/PLISTup to 1.1.1.1 xsrc/external/mit/xterm/dist/package/pkgsrc/options.mk up to 1.1.1.1 xsrc/external/mit/xterm/dist/vttests/closest-rgb.pl up to 1.1.1.2 xsrc/external/mit/xterm/dist/vttests/query-status.pl up to 1.1.1.2 xsrc/external/mit/xterm/dist/vttests/modify-keys.pl up to 1.1.1.1 xsrc/external/mit/xterm/dist/vttests/mouse-codes up to 1.1.1.1 xsrc/external/mit/xterm/dist/vttests/other-sgr.shup to 1.1.1.1 xsrc/external/mit/xterm/dist/vttests/print-vt-chars.pl up to 1.1.1.1 xsrc/external/mit/xterm/dist/vttests/query-dynamic.pl up to 1.1.1.1 xsrc/external/mit/xterm/dist/vttests/query-xres.pl up to 1.1.1.1 xsrc/external/mit/xterm/dist/vttests/report-sgr.pl up to 1.1.1.1 xsrc/external/mit/xterm/dist/vttests/sgrPushPop.pl up to 1.1.1.1 xsrc/external/mit/xterm/dist/vttests/sgrPushPop2.pl up to 1.1.1.1 xsrc/external/mit/xterm/dist/COPYING up to 1.1.1.1 xsrc/external/mit/xterm/dist/gen-charsets.pl up to 1.1.1.1 xsrc/external/mit/xterm/include/Tekparse.hin delete xsrc/external/mit/xterm/include/VTparse.hin delete xsrc/external/mit/xterm/dist/INSTALL up to 1.1.1.12 xsrc/external/mit/xterm/dist/Imakefile up to 1.1.1.10 xsrc/external/mit/xterm/dist/MANIFESTup to 1.1.1.16 xsrc/external/mit/xterm/dist/Makefile.in up to 1.1.1.13 xsrc/external/mit/xterm/dist/NEWSup to 1.1.1.3 xsrc/external/mit/xterm/dist/THANKS
CVS commit: [netbsd-8] xsrc/external/mit/libX11/dist/modules/im/ximcp
Module Name:xsrc Committed By: martin Date: Mon Dec 7 20:20:15 UTC 2020 Modified Files: xsrc/external/mit/libX11/dist/modules/im/ximcp [netbsd-8]: imRmAttr.c Log Message: Apply patch, requested by maya in ticket #1634: external/mit/libX11/dist/modules/im/ximcp/imRmAttr.c(patch) PR 55640: fix off by one in X Input Method. To generate a diff of this commit: cvs rdiff -u -r1.1.1.8.2.1 -r1.1.1.8.2.2 \ xsrc/external/mit/libX11/dist/modules/im/ximcp/imRmAttr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/libX11/dist/modules/im/ximcp/imRmAttr.c diff -u xsrc/external/mit/libX11/dist/modules/im/ximcp/imRmAttr.c:1.1.1.8.2.1 xsrc/external/mit/libX11/dist/modules/im/ximcp/imRmAttr.c:1.1.1.8.2.2 --- xsrc/external/mit/libX11/dist/modules/im/ximcp/imRmAttr.c:1.1.1.8.2.1 Wed Aug 5 14:10:16 2020 +++ xsrc/external/mit/libX11/dist/modules/im/ximcp/imRmAttr.c Mon Dec 7 20:20:15 2020 @@ -1407,7 +1407,7 @@ _XimCountNumberOfAttr( *names_len = 0; while (total > min_len) { len = attr[2]; - if (len >= (total - min_len)) { + if (len > (total - min_len)) { return 0; } *names_len += (len + 1);
CVS commit: [netbsd-8] xsrc/external/mit/xorg-server.old/dist/xkb
Module Name:xsrc Committed By: martin Date: Mon Dec 7 19:29:26 UTC 2020 Modified Files: xsrc/external/mit/xorg-server.old/dist/xkb [netbsd-8]: xkb.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1628): external/mit/xorg-server.old/dist/xkb/xkb.c: revision 1.2 merge security fixes for xkb, as found in these xserver gitlab commits: 270e439739e023463e7e0719a4eede69d45f7a3f - xkb: only swap once in XkbSetMap 446ff2d3177087b8173fa779fa5b77a2a128988b - Check SetMap request length carefully 87c64fc5b0db9f62f4e361444f4b60501ebf67b9 - Fix XkbSetDeviceInfo() and SetDeviceIndicators() heap overflows de940e06f8733d87bbb857aef85d830053442cfe - xkb: fix key type index check in _XkbSetMapChecks f7cd1276bbd4fe3a9700096dec33b52b8440788d - Correct bounds checking in XkbSetNames() i haven't tested these run OK, and it was a 33 out of 34 hunks did not apply cleanly, but they merge was still largely the same (patch failed due to whitespace changes mostly), and i am able to build-test successfully. To generate a diff of this commit: cvs rdiff -u -r1.1.1.1 -r1.1.1.1.2.1 \ xsrc/external/mit/xorg-server.old/dist/xkb/xkb.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/xorg-server.old/dist/xkb/xkb.c diff -u xsrc/external/mit/xorg-server.old/dist/xkb/xkb.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/xkb/xkb.c:1.1.1.1.2.1 --- xsrc/external/mit/xorg-server.old/dist/xkb/xkb.c:1.1.1.1 Thu Jun 9 09:08:01 2016 +++ xsrc/external/mit/xorg-server.old/dist/xkb/xkb.c Mon Dec 7 19:29:26 2020 @@ -151,6 +151,19 @@ static RESTYPE RT_XKBCLIENT; #define CHK_REQ_KEY_RANGE(err,first,num,r) \ CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue) +static Bool +_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) { +char *cstuff = (char *)stuff; +char *cfrom = (char *)from; +char *cto = (char *)to; + +return cfrom < cto && + cfrom >= cstuff && + cfrom < cstuff + ((size_t)client->req_len << 2) && + cto >= cstuff && + cto <= cstuff + ((size_t)client->req_len << 2); +} + /******/ int @@ -1550,7 +1563,8 @@ CheckKeyTypes( ClientPtr client, xkbSetMapReq * req, xkbKeyTypeWireDesc **wireRtrn, int * nMapsRtrn, - CARD8 * mapWidthRtrn) + CARD8 * mapWidthRtrn, + Bool doswap) { unsigned nMaps; register unsigned i,n; @@ -1588,7 +1602,7 @@ register xkbKeyTypeWireDesc *wire = *wir } for (i=0;inTypes;i++) { unsigned width; - if (client->swapped) { +if (client->swapped && doswap) { register int s; swaps(>virtualMods,s); } @@ -1615,7 +1629,7 @@ register xkbKeyTypeWireDesc *wire = *wir mapWire= (xkbKTSetMapEntryWireDesc *)[1]; preWire= (xkbModsWireDesc *)[wire->nMapEntries]; for (n=0;nnMapEntries;n++) { - if (client->swapped) { +if (client->swapped && doswap) { register int s; swaps([n].virtualMods,s); } @@ -1634,7 +1648,7 @@ register xkbKeyTypeWireDesc *wire = *wir return 0; } if (wire->preserve) { - if (client->swapped) { + if (client->swapped && doswap) { register int s; swaps([n].virtualMods,s); } @@ -1673,7 +1687,8 @@ CheckKeySyms( ClientPtr client, CARD8 * mapWidths, CARD16 * symsPerKey, xkbSymMapWireDesc ** wireRtrn, - int * errorRtrn) + int * errorRtrn, + Bool doswap) { register unsigned i; XkbSymMapPtr map; @@ -1685,7 +1700,7 @@ xkbSymMapWireDesc* wire = *wireRtrn; for (i=0;inKeySyms;i++) { KeySym *pSyms; register unsigned nG; - if (client->swapped) { + if (client->swapped && doswap) { swaps(>nSyms,nG); } nG = XkbNumGroups(wire->groupInfo); @@ -2322,13 +2337,99 @@ XkbServerMapPtr srv = xkbi->desc->serve } return (char *)wire; } + +#define _add_check_len(new) \ +if (len > UINT32_MAX - (new) || len > req_len - (new)) goto bad; \ +else len += new + +/** + * Check the length of the SetMap request + */ +static int +_XkbSetMapCheckLength(xkbSetMapReq *req) +{ +size_t len = sz_xkbSetMapReq, req_len = req->length << 2; +xkbKeyTypeWireDesc *keytype; +xkbSymMapWireDesc *symmap; +BOOL preserve; +int i, map_count, nSyms; + +if (req_len < len) +goto bad; +/* types */ +if (req->present & XkbKeyTypesMask) { +keytype = (xkbKeyTypeWireDesc *)(req + 1); +for (i = 0; i < req->nTypes; i++) { +_add_check_len(XkbPaddedSize(sz_xkbKeyTypeWireDesc)); +if (req->flags & XkbSetMapResizeTypes) { +_add_check_len(keytype->nMapEntries + * sz_xkbKTSetMapEntryWireDesc); +preserve = keytype->preserve; +map_count = keytype->nMapEntries; +if (preserve) { +
CVS commit: [netbsd-8] xsrc/external/mit/xorg-server/dist/xkb
Module Name:xsrc Committed By: martin Date: Sun Dec 6 10:24:47 UTC 2020 Modified Files: xsrc/external/mit/xorg-server/dist/xkb [netbsd-8]: xkb.c Log Message: Apply patch, requested by mrg in ticket #1627: external/mit/xorg-server/dist/xkb/xkb.c apply patch Apply upstream patches for: * CVE-2020-14360 / ZDI CAN 11572 XkbSetMap Out-Of-Bounds Access * CVE-2020-25712 / ZDI-CAN-11839 XkbSetDeviceInfo Heap-based Buffer Overflow To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.3.2.1 xsrc/external/mit/xorg-server/dist/xkb/xkb.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/xorg-server/dist/xkb/xkb.c diff -u xsrc/external/mit/xorg-server/dist/xkb/xkb.c:1.3 xsrc/external/mit/xorg-server/dist/xkb/xkb.c:1.3.2.1 --- xsrc/external/mit/xorg-server/dist/xkb/xkb.c:1.3 Thu Aug 11 00:04:36 2016 +++ xsrc/external/mit/xorg-server/dist/xkb/xkb.c Sun Dec 6 10:24:47 2020 @@ -152,6 +152,19 @@ static RESTYPE RT_XKBCLIENT; #define CHK_REQ_KEY_RANGE(err,first,num,r) \ CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue) +static Bool +_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) { +char *cstuff = (char *)stuff; +char *cfrom = (char *)from; +char *cto = (char *)to; + +return cfrom < cto && + cfrom >= cstuff && + cfrom < cstuff + ((size_t)client->req_len << 2) && + cto >= cstuff && + cto <= cstuff + ((size_t)client->req_len << 2); +} + /******/ int @@ -1587,7 +1600,7 @@ CheckKeyTypes(ClientPtr client, XkbDescPtr xkb, xkbSetMapReq * req, xkbKeyTypeWireDesc ** wireRtrn, - int *nMapsRtrn, CARD8 *mapWidthRtrn) + int *nMapsRtrn, CARD8 *mapWidthRtrn, Bool doswap) { unsigned nMaps; register unsigned i, n; @@ -1626,7 +1639,7 @@ CheckKeyTypes(ClientPtr client, for (i = 0; i < req->nTypes; i++) { unsigned width; -if (client->swapped) { +if (client->swapped && doswap) { swaps(>virtualMods); } n = i + req->firstType; @@ -1653,7 +1666,7 @@ CheckKeyTypes(ClientPtr client, mapWire = (xkbKTSetMapEntryWireDesc *) [1]; preWire = (xkbModsWireDesc *) [wire->nMapEntries]; for (n = 0; n < wire->nMapEntries; n++) { -if (client->swapped) { +if (client->swapped && doswap) { swaps([n].virtualMods); } if (mapWire[n].realMods & (~wire->realMods)) { @@ -1671,7 +1684,7 @@ CheckKeyTypes(ClientPtr client, return 0; } if (wire->preserve) { -if (client->swapped) { +if (client->swapped && doswap) { swaps([n].virtualMods); } if (preWire[n].realMods & (~mapWire[n].realMods)) { @@ -1710,7 +1723,7 @@ CheckKeySyms(ClientPtr client, xkbSetMapReq * req, int nTypes, CARD8 *mapWidths, - CARD16 *symsPerKey, xkbSymMapWireDesc ** wireRtrn, int *errorRtrn) + CARD16 *symsPerKey, xkbSymMapWireDesc ** wireRtrn, int *errorRtrn, Bool doswap) { register unsigned i; XkbSymMapPtr map; @@ -1724,7 +1737,7 @@ CheckKeySyms(ClientPtr client, KeySym *pSyms; register unsigned nG; -if (client->swapped) { +if (client->swapped && doswap) { swaps(>nSyms); } nG = XkbNumGroups(wire->groupInfo); @@ -2366,13 +2379,100 @@ SetVirtualModMap(XkbSrvInfoPtr xkbi, return (char *) wire; } +#define _add_check_len(new) \ +if (len > UINT32_MAX - (new) || len > req_len - (new)) goto bad; \ +else len += new + +/** + * Check the length of the SetMap request + */ +static int +_XkbSetMapCheckLength(xkbSetMapReq *req) +{ +size_t len = sz_xkbSetMapReq, req_len = req->length << 2; +xkbKeyTypeWireDesc *keytype; +xkbSymMapWireDesc *symmap; +BOOL preserve; +int i, map_count, nSyms; + +if (req_len < len) +goto bad; +/* types */ +if (req->present & XkbKeyTypesMask) { +keytype = (xkbKeyTypeWireDesc *)(req + 1); +for (i = 0; i < req->nTypes; i++) { +_add_check_len(XkbPaddedSize(sz_xkbKeyTypeWireDesc)); +if (req->flags & XkbSetMapResizeTypes) { +_add_check_len(keytype->nMapEntries + * sz_xkbKTSetMapEntryWireDesc); +preserve = keytype->preserve; +map_count = keytype->nMapEntries; +if (preserve) { +_add_check_len(map_count * sz_xkbModsWireDesc); +} +keytype += 1; +keytype =
CVS commit: [netbsd-8] xsrc/external/mit/freetype/dist/src/sfnt
Module Name:xsrc Committed By: martin Date: Thu Oct 22 11:31:16 UTC 2020 Modified Files: xsrc/external/mit/freetype/dist/src/sfnt [netbsd-8]: pngshim.c Log Message: Apply patch, requested by maya and mrg in ticket #1618: xsrc/external/mit/freetype/dist/src/sfnt/pngshim.c (apply patch) Fix for CVE-2020-15999. To generate a diff of this commit: cvs rdiff -u -r1.1.1.4 -r1.1.1.4.2.1 \ xsrc/external/mit/freetype/dist/src/sfnt/pngshim.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/freetype/dist/src/sfnt/pngshim.c diff -u xsrc/external/mit/freetype/dist/src/sfnt/pngshim.c:1.1.1.4 xsrc/external/mit/freetype/dist/src/sfnt/pngshim.c:1.1.1.4.2.1 --- xsrc/external/mit/freetype/dist/src/sfnt/pngshim.c:1.1.1.4 Sun May 15 22:35:30 2016 +++ xsrc/external/mit/freetype/dist/src/sfnt/pngshim.c Thu Oct 22 11:31:16 2020 @@ -260,6 +260,12 @@ { FT_ULong size; + /* reject too large bitmaps similarly to the rasterizer */ + if ( map->rows > 0x7FFF || map->width > 0x7FFF ) + { +error = FT_THROW( Array_Too_Large ); +goto DestroyExit; + } metrics->width = (FT_UShort)imgWidth; metrics->height = (FT_UShort)imgHeight; @@ -270,13 +276,6 @@ map->pitch = (int)( map->width * 4 ); map->num_grays = 256; - /* reject too large bitmaps similarly to the rasterizer */ - if ( map->rows > 0x7FFF || map->width > 0x7FFF ) - { -error = FT_THROW( Array_Too_Large ); -goto DestroyExit; - } - /* this doesn't overflow: 0x7FFF * 0x7FFF * 4 < 2^32 */ size = map->rows * (FT_ULong)map->pitch;
CVS commit: [netbsd-8] xsrc/external/mit/libX11/dist
Module Name:xsrc Committed By: martin Date: Wed Aug 5 14:10:20 UTC 2020 Modified Files: xsrc/external/mit/libX11/dist [netbsd-8]: ChangeLog Makefile.am Makefile.in aclocal.m4 config.guess config.sub configure configure.ac depcomp install-sh ltmain.sh xsrc/external/mit/libX11/dist/include [netbsd-8]: Makefile.am Makefile.in xsrc/external/mit/libX11/dist/include/X11 [netbsd-8]: Xlib.h Xlibint.h xsrc/external/mit/libX11/dist/m4 [netbsd-8]: libtool.m4 xsrc/external/mit/libX11/dist/man [netbsd-8]: AllPlanes.man BlackPixelOfScreen.man Compose.man DisplayOfCCC.man ImageByteOrder.man IsCursorKey.man Makefile.in XAddConnectionWatch.man XAddHost.man XAllocClassHint.man XAllocColor.man XAllocIconSize.man XAllocSizeHints.man XAllocStandardColormap.man XAllocWMHints.man XAllowEvents.man XAnyEvent.man XButtonEvent.man XChangeKeyboardControl.man XChangeKeyboardMapping.man XChangePointerControl.man XChangeSaveSet.man XChangeWindowAttributes.man XCirculateEvent.man XCirculateRequestEvent.man XClearArea.man XClientMessageEvent.man XColormapEvent.man XConfigureEvent.man XConfigureRequestEvent.man XConfigureWindow.man XCopyArea.man XCreateColormap.man XCreateFontCursor.man XCreateFontSet.man XCreateGC.man XCreateIC.man XCreateOC.man XCreatePixmap.man XCreateRegion.man XCreateWindow.man XCreateWindowEvent.man XCrossingEvent.man XDefineCursor.man XDestroyWindow.man XDestroyWindowEvent.man XDrawArc.man XDrawImageString.man XDrawLine.man XDrawPoint.man XDrawRectangle.man XDrawString.man XDrawText.man XEmptyRegion.man XErrorEvent.man XExposeEvent.man XExtentsOfFontSet.man XFillRectangle.man XFilterEvent.man XFlush.man XFocusChangeEvent.man XFontSetExtents.man XFontsOfFontSet.man XFree.man XGetEventData.man XGetVisualInfo.man XGetWindowAttributes.man XGetWindowProperty.man XGetXCBConnection.man XGrabButton.man XGrabKey.man XGrabKeyboard.man XGrabPointer.man XGrabServer.man XGraphicsExposeEvent.man XGravityEvent.man XIconifyWindow.man XIfEvent.man XInitImage.man XInitThreads.man XInstallColormap.man XInternAtom.man XIntersectRegion.man XKeymapEvent.man XListFonts.man XLoadFont.man XLookupKeysym.man XMapEvent.man XMapRequestEvent.man XMapWindow.man XNextEvent.man XNoOp.man XOpenDisplay.man XOpenIM.man XOpenOM.man XParseGeometry.man XPolygonRegion.man XPropertyEvent.man XPutBackEvent.man XPutImage.man XQueryBestSize.man XQueryColor.man XQueryExtension.man XQueryPointer.man XQueryTree.man XRaiseWindow.man XReadBitmapFile.man XRecolorCursor.man XReparentEvent.man XReparentWindow.man XResizeRequestEvent.man XResourceManagerString.man XSaveContext.man XSelectInput.man XSelectionClearEvent.man XSelectionEvent.man XSelectionRequestEvent.man XSendEvent.man XSetArcMode.man XSetClipOrigin.man XSetCloseDownMode.man XSetCommand.man XSetErrorHandler.man XSetEventQueueOwner.man XSetFillStyle.man XSetFont.man XSetFontPath.man XSetICFocus.man XSetICValues.man XSetInputFocus.man XSetLineAttributes.man XSetPointerMapping.man XSetScreenSaver.man XSetSelectionOwner.man XSetState.man XSetTextProperty.man XSetTile.man XSetTransientForHint.man XSetWMClientMachine.man XSetWMColormapWindows.man XSetWMIconName.man XSetWMName.man XSetWMProperties.man XSetWMProtocols.man XStoreBytes.man XStoreColors.man XStringListToTextProperty.man XStringToKeysym.man XSupportsLocale.man XSynchronize.man XTextExtents.man XTextWidth.man XTranslateCoordinates.man XUnmapEvent.man XUnmapWindow.man XVaCreateNestedList.man XVisibilityEvent.man XWarpPointer.man XcmsAllocColor.man XcmsCCCOfColormap.man XcmsCIELabQueryMaxC.man XcmsCIELuvQueryMaxC.man XcmsColor.man XcmsConvertColors.man XcmsCreateCCC.man XcmsDefaultCCC.man XcmsQueryBlack.man XcmsQueryColor.man XcmsSetWhitePoint.man XcmsStoreColor.man XcmsTekHVCQueryMaxC.man XmbDrawImageString.man XmbDrawString.man XmbDrawText.man XmbLookupString.man XmbResetIC.man XmbTextEscapement.man XmbTextExtents.man XmbTextListToTextProperty.man XmbTextPerCharExtents.man XrmEnumerateDatabase.man XrmGetFileDatabase.man XrmGetResource.man XrmInitialize.man XrmMergeDatabases.man XrmPutResource.man XrmUniqueQuark.man xsrc/external/mit/libX11/dist/man/xkb [netbsd-8]: Makefile.am Makefile.in
CVS commit: [netbsd-8] xsrc/external/mit
Module Name:xsrc Committed By: martin Date: Sun Aug 2 09:09:39 UTC 2020 Modified Files: xsrc/external/mit/xorg-server.old/dist/dix [netbsd-8]: pixmap.c xsrc/external/mit/xorg-server/dist/dix [netbsd-8]: pixmap.c Log Message: Pull up following revision(s) (requested by maya in ticket #1582): xsrc/external/mit/xorg-server/dist/dix/pixmap.c: revision 1.2 xsrc/external/mit/xorg-server.old/dist/dix/pixmap.c: revision 1.2 Backport the only patch from xorg-server 1.20.9 as I can't find a tarball. >From aac28e162e5108510065ad4c323affd6deffd816 Mon Sep 17 00:00:00 2001 From: Matthieu Herrb Date: Sat, 25 Jul 2020 19:33:50 +0200 Subject: [PATCH] fix for ZDI-11426 Avoid leaking un-initalized memory to clients by zeroing the whole pixmap on initial allocation. This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative Signed-off-by: Matthieu Herrb Reviewed-by: Alan Coopersmith To generate a diff of this commit: cvs rdiff -u -r1.1.1.1 -r1.1.1.1.2.1 \ xsrc/external/mit/xorg-server.old/dist/dix/pixmap.c cvs rdiff -u -r1.1.1.4 -r1.1.1.4.2.1 \ xsrc/external/mit/xorg-server/dist/dix/pixmap.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/xorg-server.old/dist/dix/pixmap.c diff -u xsrc/external/mit/xorg-server.old/dist/dix/pixmap.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/dix/pixmap.c:1.1.1.1.2.1 --- xsrc/external/mit/xorg-server.old/dist/dix/pixmap.c:1.1.1.1 Thu Jun 9 09:07:56 2016 +++ xsrc/external/mit/xorg-server.old/dist/dix/pixmap.c Sun Aug 2 09:09:39 2020 @@ -120,7 +120,7 @@ AllocatePixmap(ScreenPtr pScreen, int pi if (pScreen->totalPixmapSize > ((size_t)-1) - pixDataSize) return NullPixmap; -pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize); +pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize); if (!pPixmap) return NullPixmap; Index: xsrc/external/mit/xorg-server/dist/dix/pixmap.c diff -u xsrc/external/mit/xorg-server/dist/dix/pixmap.c:1.1.1.4 xsrc/external/mit/xorg-server/dist/dix/pixmap.c:1.1.1.4.2.1 --- xsrc/external/mit/xorg-server/dist/dix/pixmap.c:1.1.1.4 Wed Aug 10 07:44:31 2016 +++ xsrc/external/mit/xorg-server/dist/dix/pixmap.c Sun Aug 2 09:09:39 2020 @@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pi if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize) return NullPixmap; -pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize); +pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize); if (!pPixmap) return NullPixmap;
CVS commit: [netbsd-8] xsrc/external/mit/xf86-video-wsfb/dist/src
Module Name:xsrc Committed By: martin Date: Sun Dec 29 09:20:15 UTC 2019 Modified Files: xsrc/external/mit/xf86-video-wsfb/dist/src [netbsd-8]: wsfb_driver.c Log Message: Pull up following revision(s) (requested by tsutsui in ticket #1479): external/mit/xf86-video-wsfb/dist/src/wsfb_driver.c: revision 1.36 Fix Xorg wsfb server "Rotate" corruption problem. PR xsrc/54167 Confirmed on zaurus SL-C1000, SL-C3000 (CW) and hpcarm WS003SH (CCW). Should be pulled up to netbsd-8 and netbsd-9. To generate a diff of this commit: cvs rdiff -u -r1.29 -r1.29.2.1 \ xsrc/external/mit/xf86-video-wsfb/dist/src/wsfb_driver.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/xf86-video-wsfb/dist/src/wsfb_driver.c diff -u xsrc/external/mit/xf86-video-wsfb/dist/src/wsfb_driver.c:1.29 xsrc/external/mit/xf86-video-wsfb/dist/src/wsfb_driver.c:1.29.2.1 --- xsrc/external/mit/xf86-video-wsfb/dist/src/wsfb_driver.c:1.29 Fri Mar 24 00:57:33 2017 +++ xsrc/external/mit/xf86-video-wsfb/dist/src/wsfb_driver.c Sun Dec 29 09:20:15 2019 @@ -858,6 +858,7 @@ WsfbScreenInit(SCREEN_INIT_ARGS_DECL) int ret, flags, ncolors; int wsmode = WSDISPLAYIO_MODE_DUMBFB; int wstype; + int width; size_t len; TRACE_ENTER("WsfbScreenInit"); @@ -972,7 +973,17 @@ WsfbScreenInit(SCREEN_INIT_ARGS_DECL) #endif if (fPtr->shadowFB) { - fPtr->shadow = calloc(1, fPtr->fbi.fbi_stride * pScrn->virtualY); + if (fPtr->rotate) { + /* + * Note Rotate and Shadow FB options are valid + * only on depth >= 8. + */ + len = pScrn->virtualX * pScrn->virtualY * + (pScrn->bitsPerPixel >> 3); + } else { + len = fPtr->fbi.fbi_stride * pScrn->virtualY; + } + fPtr->shadow = calloc(1, len); if (!fPtr->shadow) { xf86DrvMsg(pScrn->scrnIndex, X_ERROR, @@ -981,13 +992,29 @@ WsfbScreenInit(SCREEN_INIT_ARGS_DECL) } } + /* + * fbScreenInit() seems to require "pixel width of frame buffer" + * but it is actually "stride in pixel" of frame buffer, + * per xorg/xserver/tree/fb/fbscreen.c. + */ + if (fPtr->rotate) { + width = pScrn->displayWidth; + } else { + if (pScrn->bitsPerPixel > 8) { + width = + fPtr->fbi.fbi_stride / (pScrn->bitsPerPixel >> 3); + } else { + width = + fPtr->fbi.fbi_stride * (8 / pScrn->bitsPerPixel); + } + } switch (pScrn->bitsPerPixel) { case 1: ret = fbScreenInit(pScreen, fPtr->fbstart, pScrn->virtualX, pScrn->virtualY, pScrn->xDpi, pScrn->yDpi, - fPtr->fbi.fbi_stride * 8, pScrn->bitsPerPixel); + width, pScrn->bitsPerPixel); break; case 4: case 8: @@ -998,8 +1025,7 @@ WsfbScreenInit(SCREEN_INIT_ARGS_DECL) fPtr->shadowFB ? fPtr->shadow : fPtr->fbstart, pScrn->virtualX, pScrn->virtualY, pScrn->xDpi, pScrn->yDpi, - /* apparently fb wants stride in pixels, not bytes */ - fPtr->fbi.fbi_stride / (pScrn->bitsPerPixel >> 3), + width, pScrn->bitsPerPixel); break; default:
CVS commit: [netbsd-8] xsrc/external/mit/libX11/dist/src
Module Name:xsrc Committed By: martin Date: Tue Aug 28 13:27:24 UTC 2018 Modified Files: xsrc/external/mit/libX11/dist/src [netbsd-8]: FontNames.c GetFPath.c LiHosts.c ListExt.c Log Message: Apply patch, requested by mrg in ticket #995: xsrc/external/mit/libX11/dist/src/FontNames.c xsrc/external/mit/libX11/dist/src/GetFPath.c xsrc/external/mit/libX11/dist/src/LiHosts.c xsrc/external/mit/libX11/dist/src/ListExt.c Apply fixes from libX11 1.6.5 for the following vulnerabilities: Fixed off-by-one writes (CVE-2018-14599) Validation of server response in XListHosts Fixed out of boundary write (CVE-2018-14600) Fixed crash on invalid reply (CVE-2018-14598) (Backport of upstream git commits b469da1430cdcee06e31c6251b83aede072a1ff0, d81da209fd4d0c2c9ad0596a8078e58864479d0d, dbf72805fd9d7b1846fe9a11b46f3994bfc27fea, e83722768fd5c467ef61fa159e8c6278770b45c2 resp) To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.6.2.1 xsrc/external/mit/libX11/dist/src/FontNames.c cvs rdiff -u -r1.5 -r1.5.2.1 xsrc/external/mit/libX11/dist/src/GetFPath.c \ xsrc/external/mit/libX11/dist/src/ListExt.c cvs rdiff -u -r1.1.1.5 -r1.1.1.5.10.1 \ xsrc/external/mit/libX11/dist/src/LiHosts.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/libX11/dist/src/FontNames.c diff -u xsrc/external/mit/libX11/dist/src/FontNames.c:1.6 xsrc/external/mit/libX11/dist/src/FontNames.c:1.6.2.1 --- xsrc/external/mit/libX11/dist/src/FontNames.c:1.6 Sat Mar 4 22:00:21 2017 +++ xsrc/external/mit/libX11/dist/src/FontNames.c Tue Aug 28 13:27:24 2018 @@ -88,24 +88,16 @@ int *actualCount) /* RETURN */ * unpack into null terminated strings. */ chstart = ch; - chend = ch + (rlen + 1); + chend = ch + rlen; length = *(unsigned char *)ch; *ch = 1; /* make sure it is non-zero for XFreeFontNames */ for (i = 0; i < rep.nFonts; i++) { if (ch + length < chend) { flist[i] = ch + 1; /* skip over length */ ch += length + 1; /* find next length ... */ - if (ch <= chend) { - length = *(unsigned char *)ch; - *ch = '\0'; /* and replace with null-termination */ - count++; - } else { -Xfree(chstart); -Xfree(flist); -flist = NULL; -count = 0; -break; - } + length = *(unsigned char *)ch; + *ch = '\0'; /* and replace with null-termination */ + count++; } else { Xfree(chstart); Xfree(flist); Index: xsrc/external/mit/libX11/dist/src/GetFPath.c diff -u xsrc/external/mit/libX11/dist/src/GetFPath.c:1.5 xsrc/external/mit/libX11/dist/src/GetFPath.c:1.5.2.1 --- xsrc/external/mit/libX11/dist/src/GetFPath.c:1.5 Tue Oct 4 22:04:39 2016 +++ xsrc/external/mit/libX11/dist/src/GetFPath.c Tue Aug 28 13:27:24 2018 @@ -69,15 +69,20 @@ char **XGetFontPath( /* * unpack into null terminated strings. */ - chend = ch + (nbytes + 1); - length = *ch; + chend = ch + nbytes; + length = *(unsigned char *)ch; for (i = 0; i < rep.nPaths; i++) { if (ch + length < chend) { flist[i] = ch+1; /* skip over length */ ch += length + 1; /* find next length ... */ - length = *ch; + length = *(unsigned char *)ch; *ch = '\0'; /* and replace with null-termination */ count++; + } else if (i == 0) { + Xfree(flist); + Xfree(ch); + flist = NULL; + break; } else flist[i] = NULL; } Index: xsrc/external/mit/libX11/dist/src/ListExt.c diff -u xsrc/external/mit/libX11/dist/src/ListExt.c:1.5 xsrc/external/mit/libX11/dist/src/ListExt.c:1.5.2.1 --- xsrc/external/mit/libX11/dist/src/ListExt.c:1.5 Tue Oct 4 22:04:39 2016 +++ xsrc/external/mit/libX11/dist/src/ListExt.c Tue Aug 28 13:27:24 2018 @@ -74,19 +74,20 @@ char **XListExtensions( /* * unpack into null terminated strings. */ - chend = ch + (rlen + 1); - length = *ch; + chend = ch + rlen; + length = *(unsigned char *)ch; for (i = 0; i < rep.nExtensions; i++) { if (ch + length < chend) { list[i] = ch+1; /* skip over length */ ch += length + 1; /* find next length ... */ - if (ch <= chend) { - length = *ch; - *ch = '\0'; /* and replace with null-termination */ - count++; - } else { - list[i] = NULL; - } + length = *(unsigned char *)ch; + *ch = '\0'; /* and replace with null-termination */ + count++; + } else if (i == 0) { + Xfree(list); + Xfree(ch); + list = NULL; + break; } else list[i] = NULL; } Index: xsrc/external/mit/libX11/dist/src/LiHosts.c diff -u xsrc/external/mit/libX11/dist/src/LiHosts.c:1.1.1.5 xsrc/external/mit/libX11/dist/src/LiHosts.c:1.1.1.5.10.1 --- xsrc/external/mit/libX11/dist/src/LiHosts.c:1.1.1.5 Thu May 30 23:04:40 2013 +++
CVS commit: [netbsd-8] xsrc/external/mit
Module Name:xsrc Committed By: martin Date: Fri Dec 1 09:47:57 UTC 2017 Modified Files: xsrc/external/mit/libXcursor/dist [netbsd-8]: ChangeLog INSTALL Makefile.in aclocal.m4 config.guess config.h.in config.sub configure configure.ac depcomp install-sh ltmain.sh missing xsrc/external/mit/libXcursor/dist/include/X11/Xcursor [netbsd-8]: Xcursor.h xsrc/external/mit/libXcursor/dist/man [netbsd-8]: Makefile.in xsrc/external/mit/libXcursor/dist/src [netbsd-8]: Makefile.in cursor.c display.c file.c library.c xsrc/external/mit/libXcursor/include [netbsd-8]: config.h xsrc/external/mit/libXfont/dist [netbsd-8]: ChangeLog Makefile.in aclocal.m4 config.guess config.sub configure configure.ac install-sh ltmain.sh xsrc/external/mit/libXfont/dist/doc [netbsd-8]: Makefile.in xsrc/external/mit/libXfont/dist/src [netbsd-8]: Makefile.in xsrc/external/mit/libXfont/dist/src/FreeType [netbsd-8]: Makefile.in xsrc/external/mit/libXfont/dist/src/bitmap [netbsd-8]: Makefile.in pcfread.c xsrc/external/mit/libXfont/dist/src/builtins [netbsd-8]: Makefile.in xsrc/external/mit/libXfont/dist/src/fc [netbsd-8]: Makefile.in xsrc/external/mit/libXfont/dist/src/fontfile [netbsd-8]: Makefile.in dirfile.c fileio.c fontdir.c xsrc/external/mit/libXfont/dist/src/stubs [netbsd-8]: Makefile.in xsrc/external/mit/libXfont/dist/src/util [netbsd-8]: Makefile.in xsrc/external/mit/libXfont/include [netbsd-8]: config.h Added Files: xsrc/external/mit/libXcursor/dist [netbsd-8]: compile Log Message: Sync xsrc/external/mit/libXfont and xsrc/external/mit/libXcursor with HEAD: Fixes for CVEs 2017-13722, 2017-13720, 2017-16611, and 2017-16612. Requested by mrg in #414. xsrc/external/mit/libXfont/dist/ChangeLog 1.1.1.11 xsrc/external/mit/libXfont/dist/Makefile.in 1.1.1.10 xsrc/external/mit/libXfont/dist/aclocal.m4 1.1.1.11 xsrc/external/mit/libXfont/dist/config.guess 1.1.1.9 xsrc/external/mit/libXfont/dist/config.sub 1.1.1.9 xsrc/external/mit/libXfont/dist/configure 1.1.1.11 xsrc/external/mit/libXfont/dist/configure.ac 1.1.1.11 xsrc/external/mit/libXfont/dist/install-sh 1.1.1.7 xsrc/external/mit/libXfont/dist/ltmain.sh 1.1.1.8 xsrc/external/mit/libXfont/dist/doc/Makefile.in 1.1.1.6 xsrc/external/mit/libXfont/dist/src/Makefile.in 1.1.1.10 xsrc/external/mit/libXfont/dist/src/FreeType/Makefile.in 1.1.1.10 xsrc/external/mit/libXfont/dist/src/bitmap/Makefile.in 1.1.1.10 xsrc/external/mit/libXfont/dist/src/bitmap/pcfread.c 1.5 xsrc/external/mit/libXfont/dist/src/builtins/Makefile.in 1.1.1.10 xsrc/external/mit/libXfont/dist/src/fc/Makefile.in 1.1.1.10 xsrc/external/mit/libXfont/dist/src/fontfile/Makefile.in 1.1.1.10 xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c 1.5 xsrc/external/mit/libXfont/dist/src/fontfile/fileio.c 1.3 xsrc/external/mit/libXfont/dist/src/fontfile/fontdir.c 1.1.1.7 xsrc/external/mit/libXfont/dist/src/stubs/Makefile.in 1.1.1.10 xsrc/external/mit/libXfont/dist/src/util/Makefile.in 1.1.1.10 xsrc/external/mit/libXfont/include/config.h 1.9 xsrc/external/mit/libXcursor/dist/compile 1.1.1.1 xsrc/external/mit/libXcursor/dist/ChangeLog 1.1.1.6 xsrc/external/mit/libXcursor/dist/INSTALL 1.1.1.3 xsrc/external/mit/libXcursor/dist/Makefile.in 1.1.1.6 xsrc/external/mit/libXcursor/dist/aclocal.m4 1.1.1.6 xsrc/external/mit/libXcursor/dist/config.guess 1.1.1.5 xsrc/external/mit/libXcursor/dist/config.h.in 1.1.1.5 xsrc/external/mit/libXcursor/dist/config.sub 1.1.1.5 xsrc/external/mit/libXcursor/dist/configure 1.1.1.6 xsrc/external/mit/libXcursor/dist/configure.ac 1.1.1.6 xsrc/external/mit/libXcursor/dist/depcomp 1.1.1.5 xsrc/external/mit/libXcursor/dist/install-sh 1.1.1.5 xsrc/external/mit/libXcursor/dist/ltmain.sh 1.1.1.6 xsrc/external/mit/libXcursor/dist/missing 1.1.1.4 xsrc/external/mit/libXcursor/dist/include/X11/Xcursor/Xcursor.h 1.1.1.3 xsrc/external/mit/libXcursor/dist/man/Makefile.in 1.1.1.6 xsrc/external/mit/libXcursor/dist/src/Makefile.in 1.1.1.6 xsrc/external/mit/libXcursor/dist/src/cursor.c 1.1.1.5 xsrc/external/mit/libXcursor/dist/src/display.c 1.1.1.5 xsrc/external/mit/libXcursor/dist/src/file.c 1.1.1.5 xsrc/external/mit/libXcursor/dist/src/library.c 1.1.1.4 xsrc/external/mit/libXcursor/include/config.h 1.4 To generate a diff of this commit: cvs rdiff -u -r1.1.1.5 -r1.1.1.5.10.1 \ xsrc/external/mit/libXcursor/dist/ChangeLog \ xsrc/external/mit/libXcursor/dist/Makefile.in \ xsrc/external/mit/libXcursor/dist/aclocal.m4 \ xsrc/external/mit/libXcursor/dist/configure \ xsrc/external/mit/libXcursor/dist/configure.ac \ xsrc/external/mit/libXcursor/dist/ltmain.sh cvs rdiff -u -r1.1.1.2 -r1.1.1.2.16.1 \ xsrc/external/mit/libXcursor/dist/INSTALL cvs rdiff -u -r0 -r1.1.1.1.2.2 xsrc/external/mit/libXcursor/dist/compile cvs rdiff -u -r1.1.1.4 -r1.1.1.4.10.1 \
CVS commit: [netbsd-8] xsrc/external/mit
Module Name:xsrc Committed By: snj Date: Mon Nov 6 09:43:03 UTC 2017 Modified Files: xsrc/external/mit/xorg-server.old/dist/Xext [netbsd-8]: panoramiX.c saver.c xvdisp.c xsrc/external/mit/xorg-server.old/dist/Xi [netbsd-8]: xichangehierarchy.c xsrc/external/mit/xorg-server.old/dist/dbe [netbsd-8]: dbe.c xsrc/external/mit/xorg-server.old/dist/dix [netbsd-8]: dispatch.c xsrc/external/mit/xorg-server.old/dist/hw/dmx [netbsd-8]: dmxpict.c xsrc/external/mit/xorg-server.old/dist/hw/xfree86/dixmods/extmod [netbsd-8]: xf86dga2.c xsrc/external/mit/xorg-server.old/dist/hw/xfree86/dri [netbsd-8]: xf86dri.c xsrc/external/mit/xorg-server.old/dist/render [netbsd-8]: render.c xsrc/external/mit/xorg-server.old/dist/xfixes [netbsd-8]: cursor.c region.c saveset.c xfixes.c xsrc/external/mit/xorg-server/dist/Xext [netbsd-8]: panoramiX.c saver.c vidmode.c xres.c xvdisp.c xsrc/external/mit/xorg-server/dist/Xi [netbsd-8]: xibarriers.c xichangehierarchy.c xsrc/external/mit/xorg-server/dist/dbe [netbsd-8]: dbe.c xsrc/external/mit/xorg-server/dist/dix [netbsd-8]: dispatch.c xsrc/external/mit/xorg-server/dist/hw/dmx [netbsd-8]: dmxpict.c xsrc/external/mit/xorg-server/dist/hw/xfree86/common [netbsd-8]: xf86DGA.c xsrc/external/mit/xorg-server/dist/hw/xfree86/dri [netbsd-8]: xf86dri.c xsrc/external/mit/xorg-server/dist/pseudoramiX [netbsd-8]: pseudoramiX.c xsrc/external/mit/xorg-server/dist/render [netbsd-8]: render.c xsrc/external/mit/xorg-server/dist/xfixes [netbsd-8]: cursor.c region.c saveset.c xfixes.c Log Message: Pull up following revision(s) (requested by mrg in ticket #346): external/mit/xorg-server.old/dist/Xext/panoramiX.c: 1.2 external/mit/xorg-server.old/dist/Xext/saver.c: 1.2 external/mit/xorg-server.old/dist/Xext/xvdisp.c: 1.2 external/mit/xorg-server.old/dist/Xi/xichangehierarchy.c: 1.2 external/mit/xorg-server.old/dist/dbe/dbe.c: 1.2 external/mit/xorg-server.old/dist/dix/dispatch.c: 1.2 external/mit/xorg-server.old/dist/hw/dmx/dmxpict.c: 1.2 external/mit/xorg-server.old/dist/hw/xfree86/dixmods/extmod/xf86dga2.c: 1.2 external/mit/xorg-server.old/dist/hw/xfree86/dri/xf86dri.c: 1.2 external/mit/xorg-server.old/dist/render/render.c: 1.2 external/mit/xorg-server.old/dist/xfixes/cursor.c: 1.2 external/mit/xorg-server.old/dist/xfixes/region.c: 1.2 external/mit/xorg-server.old/dist/xfixes/saveset.c: 1.2 external/mit/xorg-server.old/dist/xfixes/xfixes.c: 1.2 external/mit/xorg-server/dist/Xext/panoramiX.c: 1.2 external/mit/xorg-server/dist/Xext/saver.c: 1.2 external/mit/xorg-server/dist/Xext/vidmode.c: 1.2 external/mit/xorg-server/dist/Xext/xres.c: 1.2 external/mit/xorg-server/dist/Xext/xvdisp.c: 1.7 external/mit/xorg-server/dist/Xi/xibarriers.c: 1.2 external/mit/xorg-server/dist/Xi/xichangehierarchy.c: 1.4 external/mit/xorg-server/dist/dbe/dbe.c: 1.4 external/mit/xorg-server/dist/dix/dispatch.c: 1.4 external/mit/xorg-server/dist/hw/dmx/dmxpict.c: 1.2 external/mit/xorg-server/dist/hw/xfree86/common/xf86DGA.c: 1.2 external/mit/xorg-server/dist/hw/xfree86/dri/xf86dri.c: 1.2 external/mit/xorg-server/dist/pseudoramiX/pseudoramiX.c: 1.2 external/mit/xorg-server/dist/render/render.c: 1.4 external/mit/xorg-server/dist/xfixes/cursor.c: 1.2 external/mit/xorg-server/dist/xfixes/region.c: 1.2 external/mit/xorg-server/dist/xfixes/saveset.c: 1.2 external/mit/xorg-server/dist/xfixes/xfixes.c: 1.2 apply fixes for CVEs 2017-12176 to 2017-12187. -- >From 1b1d4c04695dced2463404174b50b3581dbd857b Mon Sep 17 00:00:00 2001 From: Nathan KiddDate: Sun, 21 Dec 2014 01:10:03 -0500 Subject: hw/xfree86: unvalidated lengths This addresses: CVE-2017-12180 in XFree86-VidModeExtension CVE-2017-12181 in XFree86-DGA CVE-2017-12182 in XFree86-DRI -- >From 211e05ac85a294ef361b9f80d689047fa52b9076 Mon Sep 17 00:00:00 2001 From: Michal Srb Date: Fri, 7 Jul 2017 17:21:46 +0200 Subject: Xi: Test exact size of XIBarrierReleasePointer Otherwise a client can send any value of num_barriers and cause reading or swapping of values on heap behind the receive buffer. -- >From 4ca68b878e851e2136c234f40a25008297d8d831 Mon Sep 17 00:00:00 2001 From: Nathan Kidd Date: Fri, 9 Jan 2015 10:09:14 -0500 Subject: dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo (CVE-2017-12177) v2: Protect against integer overflow (Alan Coopersmith) -- >From 55caa8b08c84af2b50fbc936cf334a5a93dd7db5 Mon Sep 17 00:00:00 2001 From: Nathan Kidd
CVS commit: [netbsd-8] xsrc/external/mit
Module Name:xsrc Committed By: martin Date: Fri Jul 7 14:10:25 UTC 2017 Modified Files: xsrc/external/mit/xorg-server.old/dist/Xi [netbsd-8]: sendexev.c xsrc/external/mit/xorg-server.old/dist/dix [netbsd-8]: events.c swapreq.c xsrc/external/mit/xorg-server/dist/Xi [netbsd-8]: sendexev.c xsrc/external/mit/xorg-server/dist/dix [netbsd-8]: events.c swapreq.c Log Message: Pull up following revision(s) (requested by mrg in ticket #109): external/mit/xorg-server.old/dist/Xi/sendexev.c: revision 1.2 external/mit/xorg-server.old/dist/Xi/sendexev.c: revision 1.3 external/mit/xorg-server/dist/dix/events.c: revision 1.2 external/mit/xorg-server.old/dist/dix/events.c: revision 1.2 external/mit/xorg-server/dist/dix/swapreq.c: revision 1.2 external/mit/xorg-server/dist/Xi/sendexev.c: revision 1.4 external/mit/xorg-server.old/dist/dix/swapreq.c: revision 1.2 CVE-2017-10971 and CVE-2017-10972: apply fixes to the event loop from https://cgit.freedesktop.org/xorg/xserver/commit/?id=3Dba336b24052122b136486961c82deac76bbde455 https://cgit.freedesktop.org/xorg/xserver/commit/?id=3D8caed4df36b1f802b4992edcfd282cbeeec35d9d https://cgit.freedesktop.org/xorg/xserver/commit/?id=3D215f894965df5fb0bb45b107d84524e700d2073c https://cgit.freedesktop.org/xorg/xserver/commit/?id=3D05442de962d3dc624f79fc1a00eca3ffc5489ced add missing } from the previous. apparently i mis-tested and it didn't compile. To generate a diff of this commit: cvs rdiff -u -r1.1.1.1 -r1.1.1.1.2.1 \ xsrc/external/mit/xorg-server.old/dist/Xi/sendexev.c cvs rdiff -u -r1.1.1.1 -r1.1.1.1.2.1 \ xsrc/external/mit/xorg-server.old/dist/dix/events.c \ xsrc/external/mit/xorg-server.old/dist/dix/swapreq.c cvs rdiff -u -r1.3 -r1.3.2.1 xsrc/external/mit/xorg-server/dist/Xi/sendexev.c cvs rdiff -u -r1.1.1.9 -r1.1.1.9.2.1 \ xsrc/external/mit/xorg-server/dist/dix/events.c cvs rdiff -u -r1.1.1.3 -r1.1.1.3.2.1 \ xsrc/external/mit/xorg-server/dist/dix/swapreq.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/xorg-server.old/dist/Xi/sendexev.c diff -u xsrc/external/mit/xorg-server.old/dist/Xi/sendexev.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/Xi/sendexev.c:1.1.1.1.2.1 --- xsrc/external/mit/xorg-server.old/dist/Xi/sendexev.c:1.1.1.1 Thu Jun 9 09:07:56 2016 +++ xsrc/external/mit/xorg-server.old/dist/Xi/sendexev.c Fri Jul 7 14:10:24 2017 @@ -79,7 +79,7 @@ SProcXSendExtensionEvent(ClientPtr clien char n; CARD32 *p; int i; -xEvent eventT; +xEvent eventT = { .u.u.type = 0 }; xEvent *eventP; EventSwapPtr proc; @@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr clien eventP = (xEvent *) & stuff[1]; for (i = 0; i < stuff->num_events; i++, eventP++) { +if (eventP->u.u.type == GenericEvent) { +client->errorValue = eventP->u.u.type; +return BadValue; +} + proc = EventSwapVector[eventP->u.u.type & 0177]; - if (proc == NotImplemented) /* no swapping proc; invalid event type? */ +/* no swapping proc; invalid event type? */ +if (proc == NotImplemented) { +client->errorValue = eventP->u.u.type; return BadValue; +} (*proc) (eventP, ); *eventP = eventT; } @@ -117,7 +125,7 @@ SProcXSendExtensionEvent(ClientPtr clien int ProcXSendExtensionEvent(ClientPtr client) { -int ret; +int ret, i; DeviceIntPtr dev; xEvent *first; XEventClass *list; @@ -140,10 +148,12 @@ ProcXSendExtensionEvent(ClientPtr client /* The client's event type must be one defined by an extension. */ first = ((xEvent *) & stuff[1]); -if (!((EXTENSION_EVENT_BASE <= first->u.u.type) && - (first->u.u.type < lastEvent))) { - client->errorValue = first->u.u.type; - return BadValue; +for (i = 0; i < stuff->num_events; i++) { +if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) && +(first[i].u.u.type < lastEvent))) { +client->errorValue = first[i].u.u.type; +return BadValue; +} } list = (XEventClass *) (first + stuff->num_events); Index: xsrc/external/mit/xorg-server.old/dist/dix/events.c diff -u xsrc/external/mit/xorg-server.old/dist/dix/events.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/dix/events.c:1.1.1.1.2.1 --- xsrc/external/mit/xorg-server.old/dist/dix/events.c:1.1.1.1 Thu Jun 9 09:07:56 2016 +++ xsrc/external/mit/xorg-server.old/dist/dix/events.c Fri Jul 7 14:10:24 2017 @@ -5021,6 +5021,12 @@ ProcSendEvent(ClientPtr client) client->errorValue = stuff->event.u.u.type; return BadValue; } +/* Generic events can have variable size, but SendEvent request holds + exactly 32B of event data. */ +if (stuff->event.u.u.type == GenericEvent) { +client->errorValue = stuff->event.u.u.type; +