subject:"CVS commit\: \[netbsd\-8\] xsrc\/external\/mit"

CVS commit: [netbsd-8] xsrc/external/mit/libX11/dist/src

2021-05-19 Thread Martin Husemann

Module Name:xsrc
Committed By:   martin
Date:   Wed May 19 17:19:20 UTC 2021

Modified Files:
xsrc/external/mit/libX11/dist/src [netbsd-8]: Font.c FontInfo.c
FontNames.c GetColor.c LoadFont.c LookupCol.c ParseCol.c QuExt.c
SetFPath.c SetHints.c StNColor.c StName.c
xsrc/external/mit/libX11/dist/src/xlibi18n [netbsd-8]: imKStoUCS.c

Log Message:
Apply patch, requested by mrg in ticket #1679:

xsrc/external/mit/libX11/dist/src/Font.c(apply patch)
xsrc/external/mit/libX11/dist/src/FontInfo.c(apply patch)
xsrc/external/mit/libX11/dist/src/FontNames.c   (apply patch)
xsrc/external/mit/libX11/dist/src/GetColor.c(apply patch)
xsrc/external/mit/libX11/dist/src/LoadFont.c(apply patch)
xsrc/external/mit/libX11/dist/src/LookupCol.c   (apply patch)
xsrc/external/mit/libX11/dist/src/ParseCol.c(apply patch)
xsrc/external/mit/libX11/dist/src/QuExt.c   (apply patch)
xsrc/external/mit/libX11/dist/src/SetFPath.c(apply patch)
xsrc/external/mit/libX11/dist/src/SetHints.c(apply patch)
xsrc/external/mit/libX11/dist/src/StNColor.c(apply patch)
xsrc/external/mit/libX11/dist/src/StName.c  (apply patch)
xsrc/external/mit/libX11/dist/src/xlibi18n/imKStoUCS.c  (apply patch)

Apply upstream fixes for CVE-2021-31535 (and one other bug).
Reject string longer than USHRT_MAX before sending them on the wire.
Fix out-of-bound access in KeySymToUcs4().


To generate a diff of this commit:
cvs rdiff -u -r1.5.2.1 -r1.5.2.2 xsrc/external/mit/libX11/dist/src/Font.c
cvs rdiff -u -r1.1.1.7.2.1 -r1.1.1.7.2.2 \
xsrc/external/mit/libX11/dist/src/FontInfo.c
cvs rdiff -u -r1.6.2.2 -r1.6.2.3 \
xsrc/external/mit/libX11/dist/src/FontNames.c
cvs rdiff -u -r1.1.1.3.16.1 -r1.1.1.3.16.2 \
xsrc/external/mit/libX11/dist/src/GetColor.c \
xsrc/external/mit/libX11/dist/src/LoadFont.c \
xsrc/external/mit/libX11/dist/src/LookupCol.c \
xsrc/external/mit/libX11/dist/src/ParseCol.c
cvs rdiff -u -r1.1.1.4.16.1 -r1.1.1.4.16.2 \
xsrc/external/mit/libX11/dist/src/QuExt.c
cvs rdiff -u -r1.1.1.4.8.1 -r1.1.1.4.8.2 \
xsrc/external/mit/libX11/dist/src/SetFPath.c
cvs rdiff -u -r1.1.1.5.8.1 -r1.1.1.5.8.2 \
xsrc/external/mit/libX11/dist/src/SetHints.c
cvs rdiff -u -r1.1.1.2.16.1 -r1.1.1.2.16.2 \
xsrc/external/mit/libX11/dist/src/StNColor.c
cvs rdiff -u -r1.1.1.4.10.1 -r1.1.1.4.10.2 \
xsrc/external/mit/libX11/dist/src/StName.c
cvs rdiff -u -r1.1.1.4.10.1 -r1.1.1.4.10.2 \
xsrc/external/mit/libX11/dist/src/xlibi18n/imKStoUCS.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/libX11/dist/src/Font.c
diff -u xsrc/external/mit/libX11/dist/src/Font.c:1.5.2.1 xsrc/external/mit/libX11/dist/src/Font.c:1.5.2.2
--- xsrc/external/mit/libX11/dist/src/Font.c:1.5.2.1	Wed Aug  5 14:10:19 2020
+++ xsrc/external/mit/libX11/dist/src/Font.c	Wed May 19 17:19:20 2021
@@ -102,6 +102,8 @@ XFontStruct *XLoadQueryFont(
 XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy);
 #endif
 
+if (strlen(name) >= USHRT_MAX)
+return NULL;
 if (_XF86LoadQueryLocaleFont(dpy, name, _result, (Font *)0))
   return font_result;
 LockDisplay(dpy);
@@ -663,7 +665,7 @@ int _XF86LoadQueryLocaleFont(
 if (!name)
 	return 0;
 l = (int) strlen(name);
-if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-')
+if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX)
 	return 0;
 charset = NULL;
 /* next three lines stolen from _XkbGetCharset() */

Index: xsrc/external/mit/libX11/dist/src/FontInfo.c
diff -u xsrc/external/mit/libX11/dist/src/FontInfo.c:1.1.1.7.2.1 xsrc/external/mit/libX11/dist/src/FontInfo.c:1.1.1.7.2.2
--- xsrc/external/mit/libX11/dist/src/FontInfo.c:1.1.1.7.2.1	Wed Aug  5 14:10:19 2020
+++ xsrc/external/mit/libX11/dist/src/FontInfo.c	Wed May 19 17:19:20 2021
@@ -58,6 +58,9 @@ XFontStruct **info)	/* RETURN */
 register xListFontsReq *req;
 int j;
 
+if (strlen(pattern) >= USHRT_MAX)
+return NULL;
+
 LockDisplay(dpy);
 GetReq(ListFontsWithInfo, req);
 req->maxNames = maxNames;

Index: xsrc/external/mit/libX11/dist/src/FontNames.c
diff -u xsrc/external/mit/libX11/dist/src/FontNames.c:1.6.2.2 xsrc/external/mit/libX11/dist/src/FontNames.c:1.6.2.3
--- xsrc/external/mit/libX11/dist/src/FontNames.c:1.6.2.2	Wed Aug  5 14:10:19 2020
+++ xsrc/external/mit/libX11/dist/src/FontNames.c	Wed May 19 17:19:20 2021
@@ -51,6 +51,9 @@ int *actualCount)	/* RETURN */
 register xListFontsReq *req;
 unsigned long rlen = 0;
 
+if (strlen(pattern) >= USHRT_MAX)
+return NULL;
+
 LockDisplay(dpy);
 GetReq(ListFonts, req);
 req->maxNames = maxNames;

Index:

CVS commit: [netbsd-8] xsrc/external/mit

2021-04-27 Thread Martin Husemann

Module Name:xsrc
Committed By:   martin
Date:   Tue Apr 27 19:02:05 UTC 2021

Modified Files:
xsrc/external/mit/xorg-server.old/dist/Xi [netbsd-8]: chgfctl.c
xsrc/external/mit/xorg-server/dist/Xi [netbsd-8]: chgfctl.c

Log Message:
Apply patch, requested by mrg in ticket #1673:

external/mit/xorg-server/dist/Xi/chgfctl.c  (apply patch)
external/mit/xorg-server.old/dist/Xi/chgfctl.c  (apply patch)

Fix for CVE-2021-3472 (local privilege escalation).


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.2.1 \
xsrc/external/mit/xorg-server.old/dist/Xi/chgfctl.c
cvs rdiff -u -r1.3 -r1.3.2.1 xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/xorg-server.old/dist/Xi/chgfctl.c
diff -u xsrc/external/mit/xorg-server.old/dist/Xi/chgfctl.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/Xi/chgfctl.c:1.1.1.1.2.1
--- xsrc/external/mit/xorg-server.old/dist/Xi/chgfctl.c:1.1.1.1	Thu Jun  9 09:07:56 2016
+++ xsrc/external/mit/xorg-server.old/dist/Xi/chgfctl.c	Tue Apr 27 19:02:04 2021
@@ -468,8 +468,11 @@ ProcXChangeFeedbackControl(ClientPtr cli
 case StringFeedbackClass:
 {
 	char n;
-	xStringFeedbackCtl *f = ((xStringFeedbackCtl *) & stuff[1]);
+xStringFeedbackCtl *f;
 
+REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq,
+sizeof(xStringFeedbackCtl));
+f = ((xStringFeedbackCtl *) [1]);
 	if (client->swapped) {
 if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
 return BadLength;

Index: xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c
diff -u xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c:1.3 xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c:1.3.2.1
--- xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c:1.3	Thu Aug 11 00:04:26 2016
+++ xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c	Tue Apr 27 19:02:05 2021
@@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr cli
 break;
 case StringFeedbackClass:
 {
-xStringFeedbackCtl *f = ((xStringFeedbackCtl *) [1]);
+xStringFeedbackCtl *f;
 
+REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq,
+sizeof(xStringFeedbackCtl));
+f = ((xStringFeedbackCtl *) [1]);
 if (client->swapped) {
 if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
 return BadLength;

CVS commit: [netbsd-8] xsrc/external/mit/xterm

2021-02-17 Thread Martin Husemann

Module Name:xsrc
Committed By:   martin
Date:   Wed Feb 17 09:48:40 UTC 2021

Modified Files:
xsrc/external/mit/xterm/dist [netbsd-8]: INSTALL Imakefile MANIFEST
Makefile.in NEWS THANKS TekPrsTbl.c Tekproc.c UXTerm.ad VTPrsTbl.c
VTparse.def VTparse.h XTerm.ad aclocal.m4 button.c cachedGCs.c
charclass.c charclass.h charproc.c charsets.c config.guess
config.sub configure configure.in ctlseqs.ms ctlseqs.txt cursor.c
data.c data.h df-install.in doublechr.c error.h fontutils.c
fontutils.h graphics.c graphics_regis.c graphics_sixel.c html.c
input.c keysym2ucs.c koi8rxterm koi8rxterm.man linedata.c main.c
main.h menu.c menu.h minstall.in misc.c plink.sh print.c ptydata.c
ptyx.h resize.c resize.man run-tic.sh screen.c scrollback.c
scrollbar.c svg.c tabs.c termcap terminfo testxmc.c trace.c trace.h
util.c uxterm uxterm.desktop uxterm.man version.c version.h vms.c
wcwidth.c wcwidth.h xcharmouse.h xstrings.c xstrings.h
xterm.appdata.xml xterm.dat xterm.h xterm.log.html xterm.man
xterm_io.h xtermcap.c xtermcfg.hin xutf8.c
xsrc/external/mit/xterm/dist/icons [netbsd-8]: filled-xterm.svg
mini.xterm.svg terminal_48x48.svg xterm-color.svg xterm.svg
xsrc/external/mit/xterm/dist/package [netbsd-8]: xterm.spec
xsrc/external/mit/xterm/dist/package/debian [netbsd-8]: changelog
compat control copyright rules watch xterm-dev.docs xterm-dev.menu
xsrc/external/mit/xterm/dist/package/freebsd [netbsd-8]: Makefile
pkg-descr
xsrc/external/mit/xterm/dist/unicode [netbsd-8]: convmap.pl keysym.map
xsrc/external/mit/xterm/dist/vttests [netbsd-8]: 256colors.pl
256colors2.pl 88colors.pl 88colors2.pl dynamic.pl paste64.pl
query-color.pl query-fonts.pl resize.pl tcapquery.pl
xsrc/external/mit/xterm/include [netbsd-8]: xtermcfg.h
Added Files:
xsrc/external/mit/xterm/dist [netbsd-8]: COPYING gen-charsets.pl
xsrc/external/mit/xterm/dist/package/debian [netbsd-8]:
xterm-dev.lintian-overrides
xsrc/external/mit/xterm/dist/package/freebsd [netbsd-8]: distinfo
pkg-message.wchar
xsrc/external/mit/xterm/dist/package/pkgsrc [netbsd-8]: DESCR Makefile
PLIST distinfo options.mk
xsrc/external/mit/xterm/dist/vttests [netbsd-8]: closest-rgb.pl
modify-keys.pl mouse-codes other-sgr.sh print-vt-chars.pl
query-dynamic.pl query-status.pl query-xres.pl report-sgr.pl
sgrPushPop.pl sgrPushPop2.pl
Removed Files:
xsrc/external/mit/xterm/include [netbsd-8]: Tekparse.hin VTparse.hin

Log Message:
Pull up the following

xsrc/external/mit/xterm/dist/package/debian/xterm-dev.lintian-overrides 
up to 1.1.1.1
xsrc/external/mit/xterm/dist/package/freebsd/distinfo up to 1.1.1.1
xsrc/external/mit/xterm/dist/package/freebsd/pkg-message.wchar up to 
1.1.1.1
xsrc/external/mit/xterm/dist/package/pkgsrc/Makefile up to 1.1.1.1
xsrc/external/mit/xterm/dist/package/pkgsrc/DESCRup to 1.1.1.1
xsrc/external/mit/xterm/dist/package/pkgsrc/distinfo up to 1.1.1.1
xsrc/external/mit/xterm/dist/package/pkgsrc/PLISTup to 1.1.1.1
xsrc/external/mit/xterm/dist/package/pkgsrc/options.mk up to 1.1.1.1
xsrc/external/mit/xterm/dist/vttests/closest-rgb.pl  up to 1.1.1.2
xsrc/external/mit/xterm/dist/vttests/query-status.pl up to 1.1.1.2
xsrc/external/mit/xterm/dist/vttests/modify-keys.pl  up to 1.1.1.1
xsrc/external/mit/xterm/dist/vttests/mouse-codes up to 1.1.1.1
xsrc/external/mit/xterm/dist/vttests/other-sgr.shup to 1.1.1.1
xsrc/external/mit/xterm/dist/vttests/print-vt-chars.pl up to 1.1.1.1
xsrc/external/mit/xterm/dist/vttests/query-dynamic.pl up to 1.1.1.1
xsrc/external/mit/xterm/dist/vttests/query-xres.pl   up to 1.1.1.1
xsrc/external/mit/xterm/dist/vttests/report-sgr.pl   up to 1.1.1.1
xsrc/external/mit/xterm/dist/vttests/sgrPushPop.pl   up to 1.1.1.1
xsrc/external/mit/xterm/dist/vttests/sgrPushPop2.pl  up to 1.1.1.1
xsrc/external/mit/xterm/dist/COPYING up to 1.1.1.1
xsrc/external/mit/xterm/dist/gen-charsets.pl up to 1.1.1.1
xsrc/external/mit/xterm/include/Tekparse.hin delete
xsrc/external/mit/xterm/include/VTparse.hin  delete
xsrc/external/mit/xterm/dist/INSTALL up to 1.1.1.12
xsrc/external/mit/xterm/dist/Imakefile   up to 1.1.1.10
xsrc/external/mit/xterm/dist/MANIFESTup to 1.1.1.16
xsrc/external/mit/xterm/dist/Makefile.in up to 1.1.1.13
xsrc/external/mit/xterm/dist/NEWSup to 1.1.1.3
xsrc/external/mit/xterm/dist/THANKS

CVS commit: [netbsd-8] xsrc/external/mit/libX11/dist/modules/im/ximcp

2020-12-07 Thread Martin Husemann

Module Name:xsrc
Committed By:   martin
Date:   Mon Dec  7 20:20:15 UTC 2020

Modified Files:
xsrc/external/mit/libX11/dist/modules/im/ximcp [netbsd-8]: imRmAttr.c

Log Message:
Apply patch, requested by maya in ticket #1634:

external/mit/libX11/dist/modules/im/ximcp/imRmAttr.c(patch)

PR 55640: fix off by one in X Input Method.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.8.2.1 -r1.1.1.8.2.2 \
xsrc/external/mit/libX11/dist/modules/im/ximcp/imRmAttr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/libX11/dist/modules/im/ximcp/imRmAttr.c
diff -u xsrc/external/mit/libX11/dist/modules/im/ximcp/imRmAttr.c:1.1.1.8.2.1 xsrc/external/mit/libX11/dist/modules/im/ximcp/imRmAttr.c:1.1.1.8.2.2
--- xsrc/external/mit/libX11/dist/modules/im/ximcp/imRmAttr.c:1.1.1.8.2.1	Wed Aug  5 14:10:16 2020
+++ xsrc/external/mit/libX11/dist/modules/im/ximcp/imRmAttr.c	Mon Dec  7 20:20:15 2020
@@ -1407,7 +1407,7 @@ _XimCountNumberOfAttr(
 *names_len = 0;
 while (total > min_len) {
 	len = attr[2];
-	if (len >= (total - min_len)) {
+	if (len > (total - min_len)) {
 	return 0;
 	}
 	*names_len += (len + 1);

CVS commit: [netbsd-8] xsrc/external/mit/xorg-server.old/dist/xkb

2020-12-07 Thread Martin Husemann

Module Name:xsrc
Committed By:   martin
Date:   Mon Dec  7 19:29:26 UTC 2020

Modified Files:
xsrc/external/mit/xorg-server.old/dist/xkb [netbsd-8]: xkb.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1628):

external/mit/xorg-server.old/dist/xkb/xkb.c: revision 1.2

merge security fixes for xkb, as found in these xserver gitlab
commits:

270e439739e023463e7e0719a4eede69d45f7a3f - xkb: only swap once in XkbSetMap
446ff2d3177087b8173fa779fa5b77a2a128988b - Check SetMap request length carefully
87c64fc5b0db9f62f4e361444f4b60501ebf67b9 - Fix XkbSetDeviceInfo() and 
SetDeviceIndicators() heap overflows
de940e06f8733d87bbb857aef85d830053442cfe - xkb: fix key type index check in 
_XkbSetMapChecks
f7cd1276bbd4fe3a9700096dec33b52b8440788d - Correct bounds checking in 
XkbSetNames()

i haven't tested these run OK, and it was a 33 out of 34 hunks
did not apply cleanly, but they merge was still largely the
same (patch failed due to whitespace changes mostly), and i am
able to build-test successfully.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.2.1 \
xsrc/external/mit/xorg-server.old/dist/xkb/xkb.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/xorg-server.old/dist/xkb/xkb.c
diff -u xsrc/external/mit/xorg-server.old/dist/xkb/xkb.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/xkb/xkb.c:1.1.1.1.2.1
--- xsrc/external/mit/xorg-server.old/dist/xkb/xkb.c:1.1.1.1	Thu Jun  9 09:08:01 2016
+++ xsrc/external/mit/xorg-server.old/dist/xkb/xkb.c	Mon Dec  7 19:29:26 2020
@@ -151,6 +151,19 @@ static RESTYPE	RT_XKBCLIENT;
 #define	CHK_REQ_KEY_RANGE(err,first,num,r)  \
 	CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue)
 
+static Bool
+_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) {
+char *cstuff = (char *)stuff;
+char *cfrom = (char *)from;
+char *cto = (char *)to;
+
+return cfrom < cto &&
+   cfrom >= cstuff &&
+   cfrom < cstuff + ((size_t)client->req_len << 2) &&
+   cto >= cstuff &&
+   cto <= cstuff + ((size_t)client->req_len << 2);
+}
+
 /******/
 
 int
@@ -1550,7 +1563,8 @@ CheckKeyTypes(	ClientPtr	client,
 		xkbSetMapReq *	req,
 		xkbKeyTypeWireDesc **wireRtrn,
 		int	 *	nMapsRtrn,
-		CARD8 *		mapWidthRtrn)
+		CARD8 *		mapWidthRtrn,
+		Bool doswap)
 {
 unsigned		nMaps;
 register unsigned	i,n;
@@ -1588,7 +1602,7 @@ register xkbKeyTypeWireDesc	*wire = *wir
 }
 for (i=0;inTypes;i++) {
 	unsigned	width;
-	if (client->swapped) {
+if (client->swapped && doswap) {
 	register int s;
 	swaps(>virtualMods,s);
 	}
@@ -1615,7 +1629,7 @@ register xkbKeyTypeWireDesc	*wire = *wir
 	mapWire= (xkbKTSetMapEntryWireDesc *)[1];
 	preWire= (xkbModsWireDesc *)[wire->nMapEntries];
 	for (n=0;nnMapEntries;n++) {
-		if (client->swapped) {
+if (client->swapped && doswap) {
 		register int s;
 		swaps([n].virtualMods,s);
 		}
@@ -1634,7 +1648,7 @@ register xkbKeyTypeWireDesc	*wire = *wir
 		return 0;
 		}
 		if (wire->preserve) {
-		if (client->swapped) {
+		if (client->swapped && doswap) {
 			register int s;
 			swaps([n].virtualMods,s);
 		}
@@ -1673,7 +1687,8 @@ CheckKeySyms(	ClientPtr		client,
 		CARD8 *	 		mapWidths,
 		CARD16 *	 	symsPerKey,
 		xkbSymMapWireDesc **	wireRtrn,
-		int *			errorRtrn)
+		int *			errorRtrn,
+		Bool			doswap)
 {
 register unsigned	i;
 XkbSymMapPtr		map;
@@ -1685,7 +1700,7 @@ xkbSymMapWireDesc*	wire = *wireRtrn;
 for (i=0;inKeySyms;i++) {
 	KeySym *pSyms;
 	register unsigned nG;
-	if (client->swapped) {
+	if (client->swapped && doswap) {
 	swaps(>nSyms,nG);
 	}
 	nG = XkbNumGroups(wire->groupInfo);
@@ -2322,13 +2337,99 @@ XkbServerMapPtr		srv = xkbi->desc->serve
 }
 return (char *)wire;
 }
+ 
+#define _add_check_len(new) \
+if (len > UINT32_MAX - (new) || len > req_len - (new)) goto bad; \
+else len += new
+
+/**
+ * Check the length of the SetMap request
+ */
+static int
+_XkbSetMapCheckLength(xkbSetMapReq *req)
+{
+size_t len = sz_xkbSetMapReq, req_len = req->length << 2;
+xkbKeyTypeWireDesc *keytype;
+xkbSymMapWireDesc *symmap;
+BOOL preserve;
+int i, map_count, nSyms;
+
+if (req_len < len)
+goto bad;
+/* types */
+if (req->present & XkbKeyTypesMask) {
+keytype = (xkbKeyTypeWireDesc *)(req + 1);
+for (i = 0; i < req->nTypes; i++) {
+_add_check_len(XkbPaddedSize(sz_xkbKeyTypeWireDesc));
+if (req->flags & XkbSetMapResizeTypes) {
+_add_check_len(keytype->nMapEntries
+   * sz_xkbKTSetMapEntryWireDesc);
+preserve = keytype->preserve;
+map_count = keytype->nMapEntries;
+if (preserve) {
+

CVS commit: [netbsd-8] xsrc/external/mit/xorg-server/dist/xkb

2020-12-06 Thread Martin Husemann

Module Name:xsrc
Committed By:   martin
Date:   Sun Dec  6 10:24:47 UTC 2020

Modified Files:
xsrc/external/mit/xorg-server/dist/xkb [netbsd-8]: xkb.c

Log Message:
Apply patch, requested by mrg in ticket #1627:

external/mit/xorg-server/dist/xkb/xkb.c apply patch

Apply upstream patches for:
 * CVE-2020-14360 / ZDI CAN 11572 XkbSetMap Out-Of-Bounds Access
 * CVE-2020-25712 / ZDI-CAN-11839 XkbSetDeviceInfo Heap-based Buffer Overflow


To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.3.2.1 xsrc/external/mit/xorg-server/dist/xkb/xkb.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/xorg-server/dist/xkb/xkb.c
diff -u xsrc/external/mit/xorg-server/dist/xkb/xkb.c:1.3 xsrc/external/mit/xorg-server/dist/xkb/xkb.c:1.3.2.1
--- xsrc/external/mit/xorg-server/dist/xkb/xkb.c:1.3	Thu Aug 11 00:04:36 2016
+++ xsrc/external/mit/xorg-server/dist/xkb/xkb.c	Sun Dec  6 10:24:47 2020
@@ -152,6 +152,19 @@ static RESTYPE RT_XKBCLIENT;
 #define	CHK_REQ_KEY_RANGE(err,first,num,r)  \
 	CHK_REQ_KEY_RANGE2(err,first,num,r,client->errorValue,BadValue)
 
+static Bool
+_XkbCheckRequestBounds(ClientPtr client, void *stuff, void *from, void *to) {
+char *cstuff = (char *)stuff;
+char *cfrom = (char *)from;
+char *cto = (char *)to;
+
+return cfrom < cto &&
+   cfrom >= cstuff &&
+   cfrom < cstuff + ((size_t)client->req_len << 2) &&
+   cto >= cstuff &&
+   cto <= cstuff + ((size_t)client->req_len << 2);
+}
+
 /******/
 
 int
@@ -1587,7 +1600,7 @@ CheckKeyTypes(ClientPtr client,
   XkbDescPtr xkb,
   xkbSetMapReq * req,
   xkbKeyTypeWireDesc ** wireRtrn,
-  int *nMapsRtrn, CARD8 *mapWidthRtrn)
+  int *nMapsRtrn, CARD8 *mapWidthRtrn, Bool doswap)
 {
 unsigned nMaps;
 register unsigned i, n;
@@ -1626,7 +1639,7 @@ CheckKeyTypes(ClientPtr client,
 for (i = 0; i < req->nTypes; i++) {
 unsigned width;
 
-if (client->swapped) {
+if (client->swapped && doswap) {
 swaps(>virtualMods);
 }
 n = i + req->firstType;
@@ -1653,7 +1666,7 @@ CheckKeyTypes(ClientPtr client,
 mapWire = (xkbKTSetMapEntryWireDesc *) [1];
 preWire = (xkbModsWireDesc *) [wire->nMapEntries];
 for (n = 0; n < wire->nMapEntries; n++) {
-if (client->swapped) {
+if (client->swapped && doswap) {
 swaps([n].virtualMods);
 }
 if (mapWire[n].realMods & (~wire->realMods)) {
@@ -1671,7 +1684,7 @@ CheckKeyTypes(ClientPtr client,
 return 0;
 }
 if (wire->preserve) {
-if (client->swapped) {
+if (client->swapped && doswap) {
 swaps([n].virtualMods);
 }
 if (preWire[n].realMods & (~mapWire[n].realMods)) {
@@ -1710,7 +1723,7 @@ CheckKeySyms(ClientPtr client,
  xkbSetMapReq * req,
  int nTypes,
  CARD8 *mapWidths,
- CARD16 *symsPerKey, xkbSymMapWireDesc ** wireRtrn, int *errorRtrn)
+ CARD16 *symsPerKey, xkbSymMapWireDesc ** wireRtrn, int *errorRtrn, Bool doswap)
 {
 register unsigned i;
 XkbSymMapPtr map;
@@ -1724,7 +1737,7 @@ CheckKeySyms(ClientPtr client,
 KeySym *pSyms;
 register unsigned nG;
 
-if (client->swapped) {
+if (client->swapped && doswap) {
 swaps(>nSyms);
 }
 nG = XkbNumGroups(wire->groupInfo);
@@ -2366,13 +2379,100 @@ SetVirtualModMap(XkbSrvInfoPtr xkbi,
 return (char *) wire;
 }
 
+#define _add_check_len(new) \
+if (len > UINT32_MAX - (new) || len > req_len - (new)) goto bad; \
+else len += new
+
+/**
+ * Check the length of the SetMap request
+ */
+static int
+_XkbSetMapCheckLength(xkbSetMapReq *req)
+{
+size_t len = sz_xkbSetMapReq, req_len = req->length << 2;
+xkbKeyTypeWireDesc *keytype;
+xkbSymMapWireDesc *symmap;
+BOOL preserve;
+int i, map_count, nSyms;
+
+if (req_len < len)
+goto bad;
+/* types */
+if (req->present & XkbKeyTypesMask) {
+keytype = (xkbKeyTypeWireDesc *)(req + 1);
+for (i = 0; i < req->nTypes; i++) {
+_add_check_len(XkbPaddedSize(sz_xkbKeyTypeWireDesc));
+if (req->flags & XkbSetMapResizeTypes) {
+_add_check_len(keytype->nMapEntries
+   * sz_xkbKTSetMapEntryWireDesc);
+preserve = keytype->preserve;
+map_count = keytype->nMapEntries;
+if (preserve) {
+_add_check_len(map_count * sz_xkbModsWireDesc);
+}
+keytype += 1;
+keytype =

CVS commit: [netbsd-8] xsrc/external/mit/freetype/dist/src/sfnt

2020-10-22 Thread Martin Husemann

Module Name:xsrc
Committed By:   martin
Date:   Thu Oct 22 11:31:16 UTC 2020

Modified Files:
xsrc/external/mit/freetype/dist/src/sfnt [netbsd-8]: pngshim.c

Log Message:
Apply patch, requested by maya and mrg in ticket #1618:

xsrc/external/mit/freetype/dist/src/sfnt/pngshim.c  (apply patch)

Fix for CVE-2020-15999.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.4 -r1.1.1.4.2.1 \
xsrc/external/mit/freetype/dist/src/sfnt/pngshim.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/freetype/dist/src/sfnt/pngshim.c
diff -u xsrc/external/mit/freetype/dist/src/sfnt/pngshim.c:1.1.1.4 xsrc/external/mit/freetype/dist/src/sfnt/pngshim.c:1.1.1.4.2.1
--- xsrc/external/mit/freetype/dist/src/sfnt/pngshim.c:1.1.1.4	Sun May 15 22:35:30 2016
+++ xsrc/external/mit/freetype/dist/src/sfnt/pngshim.c	Thu Oct 22 11:31:16 2020
@@ -260,6 +260,12 @@
 {
   FT_ULong  size;
 
+  /* reject too large bitmaps similarly to the rasterizer */
+  if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+  {
+error = FT_THROW( Array_Too_Large );
+goto DestroyExit;
+  }
 
   metrics->width  = (FT_UShort)imgWidth;
   metrics->height = (FT_UShort)imgHeight;
@@ -270,13 +276,6 @@
   map->pitch  = (int)( map->width * 4 );
   map->num_grays  = 256;
 
-  /* reject too large bitmaps similarly to the rasterizer */
-  if ( map->rows > 0x7FFF || map->width > 0x7FFF )
-  {
-error = FT_THROW( Array_Too_Large );
-goto DestroyExit;
-  }
-
   /* this doesn't overflow: 0x7FFF * 0x7FFF * 4 < 2^32 */
   size = map->rows * (FT_ULong)map->pitch;

CVS commit: [netbsd-8] xsrc/external/mit/libX11/dist

2020-08-05 Thread Martin Husemann

Module Name:xsrc
Committed By:   martin
Date:   Wed Aug  5 14:10:20 UTC 2020

Modified Files:
xsrc/external/mit/libX11/dist [netbsd-8]: ChangeLog Makefile.am
Makefile.in aclocal.m4 config.guess config.sub configure
configure.ac depcomp install-sh ltmain.sh
xsrc/external/mit/libX11/dist/include [netbsd-8]: Makefile.am
Makefile.in
xsrc/external/mit/libX11/dist/include/X11 [netbsd-8]: Xlib.h Xlibint.h
xsrc/external/mit/libX11/dist/m4 [netbsd-8]: libtool.m4
xsrc/external/mit/libX11/dist/man [netbsd-8]: AllPlanes.man
BlackPixelOfScreen.man Compose.man DisplayOfCCC.man
ImageByteOrder.man IsCursorKey.man Makefile.in
XAddConnectionWatch.man XAddHost.man XAllocClassHint.man
XAllocColor.man XAllocIconSize.man XAllocSizeHints.man
XAllocStandardColormap.man XAllocWMHints.man XAllowEvents.man
XAnyEvent.man XButtonEvent.man XChangeKeyboardControl.man
XChangeKeyboardMapping.man XChangePointerControl.man
XChangeSaveSet.man XChangeWindowAttributes.man XCirculateEvent.man
XCirculateRequestEvent.man XClearArea.man XClientMessageEvent.man
XColormapEvent.man XConfigureEvent.man XConfigureRequestEvent.man
XConfigureWindow.man XCopyArea.man XCreateColormap.man
XCreateFontCursor.man XCreateFontSet.man XCreateGC.man
XCreateIC.man XCreateOC.man XCreatePixmap.man XCreateRegion.man
XCreateWindow.man XCreateWindowEvent.man XCrossingEvent.man
XDefineCursor.man XDestroyWindow.man XDestroyWindowEvent.man
XDrawArc.man XDrawImageString.man XDrawLine.man XDrawPoint.man
XDrawRectangle.man XDrawString.man XDrawText.man XEmptyRegion.man
XErrorEvent.man XExposeEvent.man XExtentsOfFontSet.man
XFillRectangle.man XFilterEvent.man XFlush.man
XFocusChangeEvent.man XFontSetExtents.man XFontsOfFontSet.man
XFree.man XGetEventData.man XGetVisualInfo.man
XGetWindowAttributes.man XGetWindowProperty.man
XGetXCBConnection.man XGrabButton.man XGrabKey.man
XGrabKeyboard.man XGrabPointer.man XGrabServer.man
XGraphicsExposeEvent.man XGravityEvent.man XIconifyWindow.man
XIfEvent.man XInitImage.man XInitThreads.man XInstallColormap.man
XInternAtom.man XIntersectRegion.man XKeymapEvent.man
XListFonts.man XLoadFont.man XLookupKeysym.man XMapEvent.man
XMapRequestEvent.man XMapWindow.man XNextEvent.man XNoOp.man
XOpenDisplay.man XOpenIM.man XOpenOM.man XParseGeometry.man
XPolygonRegion.man XPropertyEvent.man XPutBackEvent.man
XPutImage.man XQueryBestSize.man XQueryColor.man
XQueryExtension.man XQueryPointer.man XQueryTree.man
XRaiseWindow.man XReadBitmapFile.man XRecolorCursor.man
XReparentEvent.man XReparentWindow.man XResizeRequestEvent.man
XResourceManagerString.man XSaveContext.man XSelectInput.man
XSelectionClearEvent.man XSelectionEvent.man
XSelectionRequestEvent.man XSendEvent.man XSetArcMode.man
XSetClipOrigin.man XSetCloseDownMode.man XSetCommand.man
XSetErrorHandler.man XSetEventQueueOwner.man XSetFillStyle.man
XSetFont.man XSetFontPath.man XSetICFocus.man XSetICValues.man
XSetInputFocus.man XSetLineAttributes.man XSetPointerMapping.man
XSetScreenSaver.man XSetSelectionOwner.man XSetState.man
XSetTextProperty.man XSetTile.man XSetTransientForHint.man
XSetWMClientMachine.man XSetWMColormapWindows.man
XSetWMIconName.man XSetWMName.man XSetWMProperties.man
XSetWMProtocols.man XStoreBytes.man XStoreColors.man
XStringListToTextProperty.man XStringToKeysym.man
XSupportsLocale.man XSynchronize.man XTextExtents.man
XTextWidth.man XTranslateCoordinates.man XUnmapEvent.man
XUnmapWindow.man XVaCreateNestedList.man XVisibilityEvent.man
XWarpPointer.man XcmsAllocColor.man XcmsCCCOfColormap.man
XcmsCIELabQueryMaxC.man XcmsCIELuvQueryMaxC.man XcmsColor.man
XcmsConvertColors.man XcmsCreateCCC.man XcmsDefaultCCC.man
XcmsQueryBlack.man XcmsQueryColor.man XcmsSetWhitePoint.man
XcmsStoreColor.man XcmsTekHVCQueryMaxC.man XmbDrawImageString.man
XmbDrawString.man XmbDrawText.man XmbLookupString.man
XmbResetIC.man XmbTextEscapement.man XmbTextExtents.man
XmbTextListToTextProperty.man XmbTextPerCharExtents.man
XrmEnumerateDatabase.man XrmGetFileDatabase.man XrmGetResource.man
XrmInitialize.man XrmMergeDatabases.man XrmPutResource.man
XrmUniqueQuark.man
xsrc/external/mit/libX11/dist/man/xkb [netbsd-8]: Makefile.am
Makefile.in

CVS commit: [netbsd-8] xsrc/external/mit

2020-08-02 Thread Martin Husemann

Module Name:xsrc
Committed By:   martin
Date:   Sun Aug  2 09:09:39 UTC 2020

Modified Files:
xsrc/external/mit/xorg-server.old/dist/dix [netbsd-8]: pixmap.c
xsrc/external/mit/xorg-server/dist/dix [netbsd-8]: pixmap.c

Log Message:
Pull up following revision(s) (requested by maya in ticket #1582):

xsrc/external/mit/xorg-server/dist/dix/pixmap.c: revision 1.2
xsrc/external/mit/xorg-server.old/dist/dix/pixmap.c: revision 1.2

Backport the only patch from xorg-server 1.20.9 as I can't find a tarball.

>From aac28e162e5108510065ad4c323affd6deffd816 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb 
Date: Sat, 25 Jul 2020 19:33:50 +0200
Subject: [PATCH] fix for ZDI-11426

Avoid leaking un-initalized memory to clients by zeroing the
whole pixmap on initial allocation.

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Matthieu Herrb 
Reviewed-by: Alan Coopersmith 


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.2.1 \
xsrc/external/mit/xorg-server.old/dist/dix/pixmap.c
cvs rdiff -u -r1.1.1.4 -r1.1.1.4.2.1 \
xsrc/external/mit/xorg-server/dist/dix/pixmap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/xorg-server.old/dist/dix/pixmap.c
diff -u xsrc/external/mit/xorg-server.old/dist/dix/pixmap.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/dix/pixmap.c:1.1.1.1.2.1
--- xsrc/external/mit/xorg-server.old/dist/dix/pixmap.c:1.1.1.1	Thu Jun  9 09:07:56 2016
+++ xsrc/external/mit/xorg-server.old/dist/dix/pixmap.c	Sun Aug  2 09:09:39 2020
@@ -120,7 +120,7 @@ AllocatePixmap(ScreenPtr pScreen, int pi
 if (pScreen->totalPixmapSize > ((size_t)-1) - pixDataSize)
 	return NullPixmap;
 
-pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
+pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
 if (!pPixmap)
 	return NullPixmap;
 

Index: xsrc/external/mit/xorg-server/dist/dix/pixmap.c
diff -u xsrc/external/mit/xorg-server/dist/dix/pixmap.c:1.1.1.4 xsrc/external/mit/xorg-server/dist/dix/pixmap.c:1.1.1.4.2.1
--- xsrc/external/mit/xorg-server/dist/dix/pixmap.c:1.1.1.4	Wed Aug 10 07:44:31 2016
+++ xsrc/external/mit/xorg-server/dist/dix/pixmap.c	Sun Aug  2 09:09:39 2020
@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pi
 if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)
 return NullPixmap;
 
-pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
+pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
 if (!pPixmap)
 return NullPixmap;

CVS commit: [netbsd-8] xsrc/external/mit/xf86-video-wsfb/dist/src

2019-12-29 Thread Martin Husemann

Module Name:xsrc
Committed By:   martin
Date:   Sun Dec 29 09:20:15 UTC 2019

Modified Files:
xsrc/external/mit/xf86-video-wsfb/dist/src [netbsd-8]: wsfb_driver.c

Log Message:
Pull up following revision(s) (requested by tsutsui in ticket #1479):

external/mit/xf86-video-wsfb/dist/src/wsfb_driver.c: revision 1.36

Fix Xorg wsfb server "Rotate" corruption problem.  PR xsrc/54167
Confirmed on zaurus SL-C1000, SL-C3000 (CW) and hpcarm WS003SH (CCW).
Should be pulled up to netbsd-8 and netbsd-9.


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.29.2.1 \
xsrc/external/mit/xf86-video-wsfb/dist/src/wsfb_driver.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/xf86-video-wsfb/dist/src/wsfb_driver.c
diff -u xsrc/external/mit/xf86-video-wsfb/dist/src/wsfb_driver.c:1.29 xsrc/external/mit/xf86-video-wsfb/dist/src/wsfb_driver.c:1.29.2.1
--- xsrc/external/mit/xf86-video-wsfb/dist/src/wsfb_driver.c:1.29	Fri Mar 24 00:57:33 2017
+++ xsrc/external/mit/xf86-video-wsfb/dist/src/wsfb_driver.c	Sun Dec 29 09:20:15 2019
@@ -858,6 +858,7 @@ WsfbScreenInit(SCREEN_INIT_ARGS_DECL)
 	int ret, flags, ncolors;
 	int wsmode = WSDISPLAYIO_MODE_DUMBFB;
 	int wstype;
+	int width;
 	size_t len;
 
 	TRACE_ENTER("WsfbScreenInit");
@@ -972,7 +973,17 @@ WsfbScreenInit(SCREEN_INIT_ARGS_DECL)
 #endif
 
 	if (fPtr->shadowFB) {
-		fPtr->shadow = calloc(1, fPtr->fbi.fbi_stride * pScrn->virtualY);
+		if (fPtr->rotate) {
+			/*
+			 * Note Rotate and Shadow FB options are valid
+			 * only on depth >= 8.
+			 */
+			len = pScrn->virtualX * pScrn->virtualY *
+			(pScrn->bitsPerPixel >> 3);
+		} else {
+			len = fPtr->fbi.fbi_stride * pScrn->virtualY;
+		}
+		fPtr->shadow = calloc(1, len);
 
 		if (!fPtr->shadow) {
 			xf86DrvMsg(pScrn->scrnIndex, X_ERROR,
@@ -981,13 +992,29 @@ WsfbScreenInit(SCREEN_INIT_ARGS_DECL)
 		}
 	}
 
+	/*
+	 * fbScreenInit() seems to require "pixel width of frame buffer"
+	 * but it is actually "stride in pixel" of frame buffer,
+	 * per xorg/xserver/tree/fb/fbscreen.c.
+	 */
+	if (fPtr->rotate) {
+		width = pScrn->displayWidth;
+	} else {
+		if (pScrn->bitsPerPixel > 8) {
+			width =
+			fPtr->fbi.fbi_stride / (pScrn->bitsPerPixel >> 3);
+		} else {
+			width =
+			fPtr->fbi.fbi_stride * (8 / pScrn->bitsPerPixel);
+		}
+	}
 	switch (pScrn->bitsPerPixel) {
 	case 1:
 		ret = fbScreenInit(pScreen,
 		fPtr->fbstart,
 		pScrn->virtualX, pScrn->virtualY,
 		pScrn->xDpi, pScrn->yDpi,
-		fPtr->fbi.fbi_stride * 8, pScrn->bitsPerPixel);
+		width, pScrn->bitsPerPixel);
 		break;
 	case 4:
 	case 8:
@@ -998,8 +1025,7 @@ WsfbScreenInit(SCREEN_INIT_ARGS_DECL)
 		fPtr->shadowFB ? fPtr->shadow : fPtr->fbstart,
 		pScrn->virtualX, pScrn->virtualY,
 		pScrn->xDpi, pScrn->yDpi,
-		/* apparently fb wants stride in pixels, not bytes */
-		fPtr->fbi.fbi_stride / (pScrn->bitsPerPixel >> 3),
+		width,
 		pScrn->bitsPerPixel);
 		break;
 	default:

CVS commit: [netbsd-8] xsrc/external/mit/libX11/dist/src

2018-08-28 Thread Martin Husemann

Module Name:xsrc
Committed By:   martin
Date:   Tue Aug 28 13:27:24 UTC 2018

Modified Files:
xsrc/external/mit/libX11/dist/src [netbsd-8]: FontNames.c GetFPath.c
LiHosts.c ListExt.c

Log Message:
Apply patch, requested by mrg in ticket #995:

xsrc/external/mit/libX11/dist/src/FontNames.c
xsrc/external/mit/libX11/dist/src/GetFPath.c
xsrc/external/mit/libX11/dist/src/LiHosts.c
xsrc/external/mit/libX11/dist/src/ListExt.c

Apply fixes from libX11 1.6.5 for the following vulnerabilities:
Fixed off-by-one writes (CVE-2018-14599)
Validation of server response in XListHosts
Fixed out of boundary write (CVE-2018-14600)
Fixed crash on invalid reply (CVE-2018-14598)
(Backport of upstream git commits b469da1430cdcee06e31c6251b83aede072a1ff0,
 d81da209fd4d0c2c9ad0596a8078e58864479d0d,
 dbf72805fd9d7b1846fe9a11b46f3994bfc27fea,
 e83722768fd5c467ef61fa159e8c6278770b45c2 resp)


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.6.2.1 xsrc/external/mit/libX11/dist/src/FontNames.c
cvs rdiff -u -r1.5 -r1.5.2.1 xsrc/external/mit/libX11/dist/src/GetFPath.c \
xsrc/external/mit/libX11/dist/src/ListExt.c
cvs rdiff -u -r1.1.1.5 -r1.1.1.5.10.1 \
xsrc/external/mit/libX11/dist/src/LiHosts.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/libX11/dist/src/FontNames.c
diff -u xsrc/external/mit/libX11/dist/src/FontNames.c:1.6 xsrc/external/mit/libX11/dist/src/FontNames.c:1.6.2.1
--- xsrc/external/mit/libX11/dist/src/FontNames.c:1.6	Sat Mar  4 22:00:21 2017
+++ xsrc/external/mit/libX11/dist/src/FontNames.c	Tue Aug 28 13:27:24 2018
@@ -88,24 +88,16 @@ int *actualCount)	/* RETURN */
 	 * unpack into null terminated strings.
 	 */
 	chstart = ch;
-	chend = ch + (rlen + 1);
+	chend = ch + rlen;
 	length = *(unsigned char *)ch;
 	*ch = 1; /* make sure it is non-zero for XFreeFontNames */
 	for (i = 0; i < rep.nFonts; i++) {
 	if (ch + length < chend) {
 		flist[i] = ch + 1;  /* skip over length */
 		ch += length + 1;  /* find next length ... */
-		if (ch <= chend) {
-		length = *(unsigned char *)ch;
-		*ch = '\0';  /* and replace with null-termination */
-		count++;
-		} else {
-Xfree(chstart);
-Xfree(flist);
-flist = NULL;
-count = 0;
-break;
-		}
+		length = *(unsigned char *)ch;
+		*ch = '\0';  /* and replace with null-termination */
+		count++;
 	} else {
 Xfree(chstart);
 Xfree(flist);

Index: xsrc/external/mit/libX11/dist/src/GetFPath.c
diff -u xsrc/external/mit/libX11/dist/src/GetFPath.c:1.5 xsrc/external/mit/libX11/dist/src/GetFPath.c:1.5.2.1
--- xsrc/external/mit/libX11/dist/src/GetFPath.c:1.5	Tue Oct  4 22:04:39 2016
+++ xsrc/external/mit/libX11/dist/src/GetFPath.c	Tue Aug 28 13:27:24 2018
@@ -69,15 +69,20 @@ char **XGetFontPath(
 	/*
 	 * unpack into null terminated strings.
 	 */
-	chend = ch + (nbytes + 1);
-	length = *ch;
+	chend = ch + nbytes;
+	length = *(unsigned char *)ch;
 	for (i = 0; i < rep.nPaths; i++) {
 		if (ch + length < chend) {
 		flist[i] = ch+1;  /* skip over length */
 		ch += length + 1; /* find next length ... */
-		length = *ch;
+		length = *(unsigned char *)ch;
 		*ch = '\0'; /* and replace with null-termination */
 		count++;
+		} else if (i == 0) {
+		Xfree(flist);
+		Xfree(ch);
+		flist = NULL;
+		break;
 		} else
 		flist[i] = NULL;
 	}
Index: xsrc/external/mit/libX11/dist/src/ListExt.c
diff -u xsrc/external/mit/libX11/dist/src/ListExt.c:1.5 xsrc/external/mit/libX11/dist/src/ListExt.c:1.5.2.1
--- xsrc/external/mit/libX11/dist/src/ListExt.c:1.5	Tue Oct  4 22:04:39 2016
+++ xsrc/external/mit/libX11/dist/src/ListExt.c	Tue Aug 28 13:27:24 2018
@@ -74,19 +74,20 @@ char **XListExtensions(
 	/*
 	 * unpack into null terminated strings.
 	 */
-	chend = ch + (rlen + 1);
-	length = *ch;
+	chend = ch + rlen;
+	length = *(unsigned char *)ch;
 	for (i = 0; i < rep.nExtensions; i++) {
 		if (ch + length < chend) {
 		list[i] = ch+1;  /* skip over length */
 		ch += length + 1; /* find next length ... */
-		if (ch <= chend) {
-			length = *ch;
-			*ch = '\0'; /* and replace with null-termination */
-			count++;
-		} else {
-			list[i] = NULL;
-		}
+		length = *(unsigned char *)ch;
+		*ch = '\0'; /* and replace with null-termination */
+		count++;
+		} else if (i == 0) {
+		Xfree(list);
+		Xfree(ch);
+		list = NULL;
+		break;
 		} else
 		list[i] = NULL;
 	}

Index: xsrc/external/mit/libX11/dist/src/LiHosts.c
diff -u xsrc/external/mit/libX11/dist/src/LiHosts.c:1.1.1.5 xsrc/external/mit/libX11/dist/src/LiHosts.c:1.1.1.5.10.1
--- xsrc/external/mit/libX11/dist/src/LiHosts.c:1.1.1.5	Thu May 30 23:04:40 2013
+++

CVS commit: [netbsd-8] xsrc/external/mit

2017-12-01 Thread Martin Husemann

Module Name:xsrc
Committed By:   martin
Date:   Fri Dec  1 09:47:57 UTC 2017

Modified Files:
xsrc/external/mit/libXcursor/dist [netbsd-8]: ChangeLog INSTALL
Makefile.in aclocal.m4 config.guess config.h.in config.sub
configure configure.ac depcomp install-sh ltmain.sh missing
xsrc/external/mit/libXcursor/dist/include/X11/Xcursor [netbsd-8]:
Xcursor.h
xsrc/external/mit/libXcursor/dist/man [netbsd-8]: Makefile.in
xsrc/external/mit/libXcursor/dist/src [netbsd-8]: Makefile.in cursor.c
display.c file.c library.c
xsrc/external/mit/libXcursor/include [netbsd-8]: config.h
xsrc/external/mit/libXfont/dist [netbsd-8]: ChangeLog Makefile.in
aclocal.m4 config.guess config.sub configure configure.ac
install-sh ltmain.sh
xsrc/external/mit/libXfont/dist/doc [netbsd-8]: Makefile.in
xsrc/external/mit/libXfont/dist/src [netbsd-8]: Makefile.in
xsrc/external/mit/libXfont/dist/src/FreeType [netbsd-8]: Makefile.in
xsrc/external/mit/libXfont/dist/src/bitmap [netbsd-8]: Makefile.in
pcfread.c
xsrc/external/mit/libXfont/dist/src/builtins [netbsd-8]: Makefile.in
xsrc/external/mit/libXfont/dist/src/fc [netbsd-8]: Makefile.in
xsrc/external/mit/libXfont/dist/src/fontfile [netbsd-8]: Makefile.in
dirfile.c fileio.c fontdir.c
xsrc/external/mit/libXfont/dist/src/stubs [netbsd-8]: Makefile.in
xsrc/external/mit/libXfont/dist/src/util [netbsd-8]: Makefile.in
xsrc/external/mit/libXfont/include [netbsd-8]: config.h
Added Files:
xsrc/external/mit/libXcursor/dist [netbsd-8]: compile

Log Message:
Sync xsrc/external/mit/libXfont and xsrc/external/mit/libXcursor with
HEAD: Fixes for CVEs 2017-13722, 2017-13720, 2017-16611, and 2017-16612.

Requested by mrg in #414.

xsrc/external/mit/libXfont/dist/ChangeLog 1.1.1.11
xsrc/external/mit/libXfont/dist/Makefile.in 1.1.1.10
xsrc/external/mit/libXfont/dist/aclocal.m4 1.1.1.11
xsrc/external/mit/libXfont/dist/config.guess 1.1.1.9
xsrc/external/mit/libXfont/dist/config.sub 1.1.1.9
xsrc/external/mit/libXfont/dist/configure 1.1.1.11
xsrc/external/mit/libXfont/dist/configure.ac 1.1.1.11
xsrc/external/mit/libXfont/dist/install-sh 1.1.1.7
xsrc/external/mit/libXfont/dist/ltmain.sh 1.1.1.8
xsrc/external/mit/libXfont/dist/doc/Makefile.in 1.1.1.6
xsrc/external/mit/libXfont/dist/src/Makefile.in 1.1.1.10
xsrc/external/mit/libXfont/dist/src/FreeType/Makefile.in 1.1.1.10
xsrc/external/mit/libXfont/dist/src/bitmap/Makefile.in 1.1.1.10
xsrc/external/mit/libXfont/dist/src/bitmap/pcfread.c 1.5
xsrc/external/mit/libXfont/dist/src/builtins/Makefile.in 1.1.1.10
xsrc/external/mit/libXfont/dist/src/fc/Makefile.in 1.1.1.10
xsrc/external/mit/libXfont/dist/src/fontfile/Makefile.in 1.1.1.10
xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c 1.5
xsrc/external/mit/libXfont/dist/src/fontfile/fileio.c 1.3
xsrc/external/mit/libXfont/dist/src/fontfile/fontdir.c 1.1.1.7
xsrc/external/mit/libXfont/dist/src/stubs/Makefile.in 1.1.1.10
xsrc/external/mit/libXfont/dist/src/util/Makefile.in 1.1.1.10
xsrc/external/mit/libXfont/include/config.h 1.9
xsrc/external/mit/libXcursor/dist/compile 1.1.1.1
xsrc/external/mit/libXcursor/dist/ChangeLog 1.1.1.6
xsrc/external/mit/libXcursor/dist/INSTALL 1.1.1.3
xsrc/external/mit/libXcursor/dist/Makefile.in 1.1.1.6
xsrc/external/mit/libXcursor/dist/aclocal.m4 1.1.1.6
xsrc/external/mit/libXcursor/dist/config.guess 1.1.1.5
xsrc/external/mit/libXcursor/dist/config.h.in 1.1.1.5
xsrc/external/mit/libXcursor/dist/config.sub 1.1.1.5
xsrc/external/mit/libXcursor/dist/configure 1.1.1.6
xsrc/external/mit/libXcursor/dist/configure.ac 1.1.1.6
xsrc/external/mit/libXcursor/dist/depcomp 1.1.1.5
xsrc/external/mit/libXcursor/dist/install-sh 1.1.1.5
xsrc/external/mit/libXcursor/dist/ltmain.sh 1.1.1.6
xsrc/external/mit/libXcursor/dist/missing 1.1.1.4
xsrc/external/mit/libXcursor/dist/include/X11/Xcursor/Xcursor.h 1.1.1.3
xsrc/external/mit/libXcursor/dist/man/Makefile.in 1.1.1.6
xsrc/external/mit/libXcursor/dist/src/Makefile.in 1.1.1.6
xsrc/external/mit/libXcursor/dist/src/cursor.c 1.1.1.5
xsrc/external/mit/libXcursor/dist/src/display.c 1.1.1.5
xsrc/external/mit/libXcursor/dist/src/file.c 1.1.1.5
xsrc/external/mit/libXcursor/dist/src/library.c 1.1.1.4
xsrc/external/mit/libXcursor/include/config.h 1.4


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.5 -r1.1.1.5.10.1 \
xsrc/external/mit/libXcursor/dist/ChangeLog \
xsrc/external/mit/libXcursor/dist/Makefile.in \
xsrc/external/mit/libXcursor/dist/aclocal.m4 \
xsrc/external/mit/libXcursor/dist/configure \
xsrc/external/mit/libXcursor/dist/configure.ac \
xsrc/external/mit/libXcursor/dist/ltmain.sh
cvs rdiff -u -r1.1.1.2 -r1.1.1.2.16.1 \
xsrc/external/mit/libXcursor/dist/INSTALL
cvs rdiff -u -r0 -r1.1.1.1.2.2 xsrc/external/mit/libXcursor/dist/compile
cvs rdiff -u -r1.1.1.4 -r1.1.1.4.10.1 \

CVS commit: [netbsd-8] xsrc/external/mit

2017-11-06 Thread Soren Jacobsen

Module Name:xsrc
Committed By:   snj
Date:   Mon Nov  6 09:43:03 UTC 2017

Modified Files:
xsrc/external/mit/xorg-server.old/dist/Xext [netbsd-8]: panoramiX.c
saver.c xvdisp.c
xsrc/external/mit/xorg-server.old/dist/Xi [netbsd-8]:
xichangehierarchy.c
xsrc/external/mit/xorg-server.old/dist/dbe [netbsd-8]: dbe.c
xsrc/external/mit/xorg-server.old/dist/dix [netbsd-8]: dispatch.c
xsrc/external/mit/xorg-server.old/dist/hw/dmx [netbsd-8]: dmxpict.c
xsrc/external/mit/xorg-server.old/dist/hw/xfree86/dixmods/extmod 
[netbsd-8]:
xf86dga2.c
xsrc/external/mit/xorg-server.old/dist/hw/xfree86/dri [netbsd-8]:
xf86dri.c
xsrc/external/mit/xorg-server.old/dist/render [netbsd-8]: render.c
xsrc/external/mit/xorg-server.old/dist/xfixes [netbsd-8]: cursor.c
region.c saveset.c xfixes.c
xsrc/external/mit/xorg-server/dist/Xext [netbsd-8]: panoramiX.c saver.c
vidmode.c xres.c xvdisp.c
xsrc/external/mit/xorg-server/dist/Xi [netbsd-8]: xibarriers.c
xichangehierarchy.c
xsrc/external/mit/xorg-server/dist/dbe [netbsd-8]: dbe.c
xsrc/external/mit/xorg-server/dist/dix [netbsd-8]: dispatch.c
xsrc/external/mit/xorg-server/dist/hw/dmx [netbsd-8]: dmxpict.c
xsrc/external/mit/xorg-server/dist/hw/xfree86/common [netbsd-8]:
xf86DGA.c
xsrc/external/mit/xorg-server/dist/hw/xfree86/dri [netbsd-8]: xf86dri.c
xsrc/external/mit/xorg-server/dist/pseudoramiX [netbsd-8]:
pseudoramiX.c
xsrc/external/mit/xorg-server/dist/render [netbsd-8]: render.c
xsrc/external/mit/xorg-server/dist/xfixes [netbsd-8]: cursor.c region.c
saveset.c xfixes.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #346):
external/mit/xorg-server.old/dist/Xext/panoramiX.c: 1.2
external/mit/xorg-server.old/dist/Xext/saver.c: 1.2
external/mit/xorg-server.old/dist/Xext/xvdisp.c: 1.2
external/mit/xorg-server.old/dist/Xi/xichangehierarchy.c: 1.2
external/mit/xorg-server.old/dist/dbe/dbe.c: 1.2
external/mit/xorg-server.old/dist/dix/dispatch.c: 1.2
external/mit/xorg-server.old/dist/hw/dmx/dmxpict.c: 1.2
external/mit/xorg-server.old/dist/hw/xfree86/dixmods/extmod/xf86dga2.c: 
1.2
external/mit/xorg-server.old/dist/hw/xfree86/dri/xf86dri.c: 1.2
external/mit/xorg-server.old/dist/render/render.c: 1.2
external/mit/xorg-server.old/dist/xfixes/cursor.c: 1.2
external/mit/xorg-server.old/dist/xfixes/region.c: 1.2
external/mit/xorg-server.old/dist/xfixes/saveset.c: 1.2
external/mit/xorg-server.old/dist/xfixes/xfixes.c: 1.2
external/mit/xorg-server/dist/Xext/panoramiX.c: 1.2
external/mit/xorg-server/dist/Xext/saver.c: 1.2
external/mit/xorg-server/dist/Xext/vidmode.c: 1.2
external/mit/xorg-server/dist/Xext/xres.c: 1.2
external/mit/xorg-server/dist/Xext/xvdisp.c: 1.7
external/mit/xorg-server/dist/Xi/xibarriers.c: 1.2
external/mit/xorg-server/dist/Xi/xichangehierarchy.c: 1.4
external/mit/xorg-server/dist/dbe/dbe.c: 1.4
external/mit/xorg-server/dist/dix/dispatch.c: 1.4
external/mit/xorg-server/dist/hw/dmx/dmxpict.c: 1.2
external/mit/xorg-server/dist/hw/xfree86/common/xf86DGA.c: 1.2
external/mit/xorg-server/dist/hw/xfree86/dri/xf86dri.c: 1.2
external/mit/xorg-server/dist/pseudoramiX/pseudoramiX.c: 1.2
external/mit/xorg-server/dist/render/render.c: 1.4
external/mit/xorg-server/dist/xfixes/cursor.c: 1.2
external/mit/xorg-server/dist/xfixes/region.c: 1.2
external/mit/xorg-server/dist/xfixes/saveset.c: 1.2
external/mit/xorg-server/dist/xfixes/xfixes.c: 1.2
apply fixes for CVEs 2017-12176 to 2017-12187.
--
>From 1b1d4c04695dced2463404174b50b3581dbd857b Mon Sep 17 00:00:00 2001
From: Nathan Kidd 
Date: Sun, 21 Dec 2014 01:10:03 -0500
Subject: hw/xfree86: unvalidated lengths
This addresses:
CVE-2017-12180 in XFree86-VidModeExtension
CVE-2017-12181 in XFree86-DGA
CVE-2017-12182 in XFree86-DRI
--
>From 211e05ac85a294ef361b9f80d689047fa52b9076 Mon Sep 17 00:00:00 2001
From: Michal Srb 
Date: Fri, 7 Jul 2017 17:21:46 +0200
Subject: Xi: Test exact size of XIBarrierReleasePointer
Otherwise a client can send any value of num_barriers and cause reading or 
swapping of values on heap behind the receive buffer.
--
>From 4ca68b878e851e2136c234f40a25008297d8d831 Mon Sep 17 00:00:00 2001
From: Nathan Kidd 
Date: Fri, 9 Jan 2015 10:09:14 -0500
Subject: dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo
 (CVE-2017-12177)
v2: Protect against integer overflow (Alan Coopersmith)
--
>From 55caa8b08c84af2b50fbc936cf334a5a93dd7db5 Mon Sep 17 00:00:00 2001
From: Nathan Kidd

CVS commit: [netbsd-8] xsrc/external/mit

2017-07-07 Thread Martin Husemann

Module Name:xsrc
Committed By:   martin
Date:   Fri Jul  7 14:10:25 UTC 2017

Modified Files:
xsrc/external/mit/xorg-server.old/dist/Xi [netbsd-8]: sendexev.c
xsrc/external/mit/xorg-server.old/dist/dix [netbsd-8]: events.c
swapreq.c
xsrc/external/mit/xorg-server/dist/Xi [netbsd-8]: sendexev.c
xsrc/external/mit/xorg-server/dist/dix [netbsd-8]: events.c swapreq.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #109):
external/mit/xorg-server.old/dist/Xi/sendexev.c: revision 1.2
external/mit/xorg-server.old/dist/Xi/sendexev.c: revision 1.3
external/mit/xorg-server/dist/dix/events.c: revision 1.2
external/mit/xorg-server.old/dist/dix/events.c: revision 1.2
external/mit/xorg-server/dist/dix/swapreq.c: revision 1.2
external/mit/xorg-server/dist/Xi/sendexev.c: revision 1.4
external/mit/xorg-server.old/dist/dix/swapreq.c: revision 1.2
CVE-2017-10971 and CVE-2017-10972: apply fixes to the event loop from
   
https://cgit.freedesktop.org/xorg/xserver/commit/?id=3Dba336b24052122b136486961c82deac76bbde455
   
https://cgit.freedesktop.org/xorg/xserver/commit/?id=3D8caed4df36b1f802b4992edcfd282cbeeec35d9d
   
https://cgit.freedesktop.org/xorg/xserver/commit/?id=3D215f894965df5fb0bb45b107d84524e700d2073c
   
https://cgit.freedesktop.org/xorg/xserver/commit/?id=3D05442de962d3dc624f79fc1a00eca3ffc5489ced
add missing } from the previous. apparently i mis-tested and it didn't compile.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.2.1 \
xsrc/external/mit/xorg-server.old/dist/Xi/sendexev.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.2.1 \
xsrc/external/mit/xorg-server.old/dist/dix/events.c \
xsrc/external/mit/xorg-server.old/dist/dix/swapreq.c
cvs rdiff -u -r1.3 -r1.3.2.1 xsrc/external/mit/xorg-server/dist/Xi/sendexev.c
cvs rdiff -u -r1.1.1.9 -r1.1.1.9.2.1 \
xsrc/external/mit/xorg-server/dist/dix/events.c
cvs rdiff -u -r1.1.1.3 -r1.1.1.3.2.1 \
xsrc/external/mit/xorg-server/dist/dix/swapreq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/xorg-server.old/dist/Xi/sendexev.c
diff -u xsrc/external/mit/xorg-server.old/dist/Xi/sendexev.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/Xi/sendexev.c:1.1.1.1.2.1
--- xsrc/external/mit/xorg-server.old/dist/Xi/sendexev.c:1.1.1.1	Thu Jun  9 09:07:56 2016
+++ xsrc/external/mit/xorg-server.old/dist/Xi/sendexev.c	Fri Jul  7 14:10:24 2017
@@ -79,7 +79,7 @@ SProcXSendExtensionEvent(ClientPtr clien
 char n;
 CARD32 *p;
 int i;
-xEvent eventT;
+xEvent eventT = { .u.u.type = 0 };
 xEvent *eventP;
 EventSwapPtr proc;
 
@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr clien
 
 eventP = (xEvent *) & stuff[1];
 for (i = 0; i < stuff->num_events; i++, eventP++) {
+if (eventP->u.u.type == GenericEvent) {
+client->errorValue = eventP->u.u.type;
+return BadValue;
+}
+
 	proc = EventSwapVector[eventP->u.u.type & 0177];
-	if (proc == NotImplemented)	/* no swapping proc; invalid event type? */
+/* no swapping proc; invalid event type? */
+if (proc == NotImplemented) {
+client->errorValue = eventP->u.u.type;
 	return BadValue;
+}
 	(*proc) (eventP, );
 	*eventP = eventT;
 }
@@ -117,7 +125,7 @@ SProcXSendExtensionEvent(ClientPtr clien
 int
 ProcXSendExtensionEvent(ClientPtr client)
 {
-int ret;
+int ret, i;
 DeviceIntPtr dev;
 xEvent *first;
 XEventClass *list;
@@ -140,10 +148,12 @@ ProcXSendExtensionEvent(ClientPtr client
 /* The client's event type must be one defined by an extension. */
 
 first = ((xEvent *) & stuff[1]);
-if (!((EXTENSION_EVENT_BASE <= first->u.u.type) &&
-	  (first->u.u.type < lastEvent))) {
-	client->errorValue = first->u.u.type;
-	return BadValue;
+for (i = 0; i < stuff->num_events; i++) {
+if (!((EXTENSION_EVENT_BASE <= first[i].u.u.type) &&
+(first[i].u.u.type < lastEvent))) {
+client->errorValue = first[i].u.u.type;
+return BadValue;
+}
 }
 
 list = (XEventClass *) (first + stuff->num_events);

Index: xsrc/external/mit/xorg-server.old/dist/dix/events.c
diff -u xsrc/external/mit/xorg-server.old/dist/dix/events.c:1.1.1.1 xsrc/external/mit/xorg-server.old/dist/dix/events.c:1.1.1.1.2.1
--- xsrc/external/mit/xorg-server.old/dist/dix/events.c:1.1.1.1	Thu Jun  9 09:07:56 2016
+++ xsrc/external/mit/xorg-server.old/dist/dix/events.c	Fri Jul  7 14:10:24 2017
@@ -5021,6 +5021,12 @@ ProcSendEvent(ClientPtr client)
 	client->errorValue = stuff->event.u.u.type;
 	return BadValue;
 }
+/* Generic events can have variable size, but SendEvent request holds
+   exactly 32B of event data. */
+if (stuff->event.u.u.type == GenericEvent) {
+client->errorValue = stuff->event.u.u.type;
+

CVS commit: [netbsd-8] xsrc/external/mit/libX11/dist/src

CVS commit: [netbsd-8] xsrc/external/mit

CVS commit: [netbsd-8] xsrc/external/mit/xterm

CVS commit: [netbsd-8] xsrc/external/mit/libX11/dist/modules/im/ximcp

CVS commit: [netbsd-8] xsrc/external/mit/xorg-server.old/dist/xkb

CVS commit: [netbsd-8] xsrc/external/mit/xorg-server/dist/xkb

CVS commit: [netbsd-8] xsrc/external/mit/freetype/dist/src/sfnt

CVS commit: [netbsd-8] xsrc/external/mit/libX11/dist

CVS commit: [netbsd-8] xsrc/external/mit

CVS commit: [netbsd-8] xsrc/external/mit/xf86-video-wsfb/dist/src

CVS commit: [netbsd-8] xsrc/external/mit/libX11/dist/src

CVS commit: [netbsd-8] xsrc/external/mit

CVS commit: [netbsd-8] xsrc/external/mit

CVS commit: [netbsd-8] xsrc/external/mit

14 matches

Site Navigation

Mail list logo

Footer information