Module Name: xsrc Committed By: martin Date: Mon Jan 23 13:33:05 UTC 2023
Modified Files: xsrc/external/mit/libX11/dist/modules/om/generic [netbsd-8]: omGeneric.c xsrc/external/mit/libXpm/dist/src [netbsd-8]: RdFToI.c WrFFrI.c create.c data.c parse.c xsrc/external/mit/xorg-server/dist/Xext [netbsd-8]: saver.c xtest.c xvmain.c xsrc/external/mit/xorg-server/dist/Xi [netbsd-8]: xipassivegrab.c xiproperty.c xsrc/external/mit/xorg-server/dist/dix [netbsd-8]: property.c xsrc/external/mit/xorg-server/dist/xkb [netbsd-8]: xkbUtils.c Log Message: Apply patch, requested by mrg in ticket #1794: Apply upstream security fixes for the following CVEs: CVE-2022-46285, CVE-2022-44617, CVE-2022-4883, CVE-2020-14363, CVE-2022-46340, CVE-2022-46341, CVE-2022-46342 CVE-2022-46343, CVE-2022-46344, CVE-2022-46283, CVE-2021-4008, CVE-2021-4009, CVE-2021-4010, CVE-2021-4011 To generate a diff of this commit: cvs rdiff -u -r1.1.1.8.2.1 -r1.1.1.8.2.2 \ xsrc/external/mit/libX11/dist/modules/om/generic/omGeneric.c cvs rdiff -u -r1.1.1.4 -r1.1.1.4.8.1 \ xsrc/external/mit/libXpm/dist/src/RdFToI.c cvs rdiff -u -r1.1.1.5 -r1.1.1.5.8.1 \ xsrc/external/mit/libXpm/dist/src/WrFFrI.c cvs rdiff -u -r1.3 -r1.3.2.1 xsrc/external/mit/libXpm/dist/src/create.c cvs rdiff -u -r1.1.1.4 -r1.1.1.4.10.1 \ xsrc/external/mit/libXpm/dist/src/data.c cvs rdiff -u -r1.1.1.5 -r1.1.1.5.2.1 \ xsrc/external/mit/libXpm/dist/src/parse.c cvs rdiff -u -r1.1.1.7.2.1 -r1.1.1.7.2.2 \ xsrc/external/mit/xorg-server/dist/Xext/saver.c cvs rdiff -u -r1.5 -r1.5.2.1 xsrc/external/mit/xorg-server/dist/Xext/xtest.c cvs rdiff -u -r1.1.1.4 -r1.1.1.4.2.1 \ xsrc/external/mit/xorg-server/dist/Xext/xvmain.c cvs rdiff -u -r1.3 -r1.3.2.1 \ xsrc/external/mit/xorg-server/dist/Xi/xipassivegrab.c \ xsrc/external/mit/xorg-server/dist/Xi/xiproperty.c cvs rdiff -u -r1.1.1.5 -r1.1.1.5.2.1 \ xsrc/external/mit/xorg-server/dist/dix/property.c cvs rdiff -u -r1.1.1.5 -r1.1.1.5.2.1 \ xsrc/external/mit/xorg-server/dist/xkb/xkbUtils.c Please note that diffs are not public domain; they are subject to the copyright notices on the 
relevant files.
Modified files: Index: xsrc/external/mit/libX11/dist/modules/om/generic/omGeneric.c diff -u xsrc/external/mit/libX11/dist/modules/om/generic/omGeneric.c:1.1.1.8.2.1 xsrc/external/mit/libX11/dist/modules/om/generic/omGeneric.c:1.1.1.8.2.2 --- xsrc/external/mit/libX11/dist/modules/om/generic/omGeneric.c:1.1.1.8.2.1 Wed Aug 5 14:10:17 2020 +++ xsrc/external/mit/libX11/dist/modules/om/generic/omGeneric.c Mon Jan 23 13:33:04 2023 @@ -1908,7 +1908,8 @@ init_om( char **required_list; XOrientation *orientation; char **value, buf[BUFSIZ], *bufptr; - int count = 0, num = 0, length = 0; + int count = 0, num = 0; + unsigned int length = 0; _XlcGetResource(lcd, "XLC_FONTSET", "on_demand_loading", &value, &count); if (count > 0 && _XlcCompareISOLatin1(*value, "True") == 0) Index: xsrc/external/mit/libXpm/dist/src/RdFToI.c diff -u xsrc/external/mit/libXpm/dist/src/RdFToI.c:1.1.1.4 xsrc/external/mit/libXpm/dist/src/RdFToI.c:1.1.1.4.8.1 --- xsrc/external/mit/libXpm/dist/src/RdFToI.c:1.1.1.4 Sun Mar 16 22:20:04 2014 +++ xsrc/external/mit/libXpm/dist/src/RdFToI.c Mon Jan 23 13:33:04 2023 @@ -43,6 +43,7 @@ #include <errno.h> #include <sys/types.h> #include <sys/wait.h> +#include <unistd.h> #else #ifdef FOR_MSW #include <fcntl.h> @@ -161,7 +162,17 @@ xpmPipeThrough( goto err; if ( 0 == pid ) { - execlp(cmd, cmd, arg1, (char *)NULL); +#ifdef HAVE_CLOSEFROM + closefrom(3); +#elif defined(HAVE_CLOSE_RANGE) +# ifdef CLOSE_RANGE_UNSHARE +# define close_range_flags CLOSE_RANGE_UNSHARE +# else +# define close_range_flags 0 +#endif + close_range(3, ~0U, close_range_flags); +#endif + execl(cmd, cmd, arg1, (char *)NULL); perror(cmd); goto err; } 
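Review bot: In the child branch of xpmPipeThrough (RdFToI.c, `@@ -161,7 +162,17 @@`) nothing closes inherited descriptors when neither HAVE_CLOSEFROM nor HAVE_CLOSE_RANGE is defined, so on such a build the helper is still exec'd with every descriptor the calling application had open. An `#else` arm that closes descriptors from 3 upward by hand, or an `#error`, would stop the hardening from being silently compiled out. The return value of `close_range()` is also ignored, and `close_range_flags` is defined inside the function body and never undefined; `#undef close_range_flags` after the call would keep it local. The function starts and ends outside this hunk.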
@@ -235,12 +246,12 @@ OpenReadFile( if ( ext && !strcmp(ext, ".Z") ) { mdata->type = XPMPIPE; - mdata->stream.file = xpmPipeThrough(fd, "uncompress", "-c", "r"); + mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_UNCOMPRESS, "-c", "r"); } else if ( ext && !strcmp(ext, ".gz") ) { mdata->type = XPMPIPE; - mdata->stream.file = xpmPipeThrough(fd, "gunzip", "-qc", "r"); + mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-dqc", "r"); } else #endif /* z-files */ Index: xsrc/external/mit/libXpm/dist/src/WrFFrI.c diff -u xsrc/external/mit/libXpm/dist/src/WrFFrI.c:1.1.1.5 xsrc/external/mit/libXpm/dist/src/WrFFrI.c:1.1.1.5.8.1 --- xsrc/external/mit/libXpm/dist/src/WrFFrI.c:1.1.1.5 Sun Mar 16 22:20:04 2014 +++ xsrc/external/mit/libXpm/dist/src/WrFFrI.c Mon Jan 23 13:33:04 2023 @@ -336,10 +336,10 @@ OpenWriteFile( #ifndef NO_ZPIPE len = strlen(filename); if (len > 2 && !strcmp(".Z", filename + (len - 2))) { - mdata->stream.file = xpmPipeThrough(fd, "compress", NULL, "w"); + mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_COMPRESS, NULL, "w"); mdata->type = XPMPIPE; } else if (len > 3 && !strcmp(".gz", filename + (len - 3))) { - mdata->stream.file = xpmPipeThrough(fd, "gzip", "-q", "w"); + mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-q", "w"); mdata->type = XPMPIPE; } else #endif Index: xsrc/external/mit/libXpm/dist/src/create.c diff -u xsrc/external/mit/libXpm/dist/src/create.c:1.3 xsrc/external/mit/libXpm/dist/src/create.c:1.3.2.1 --- xsrc/external/mit/libXpm/dist/src/create.c:1.3 Sat Mar 4 21:48:03 2017 +++ xsrc/external/mit/libXpm/dist/src/create.c Mon Jan 23 13:33:04 2023 
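Review bot: XPM_PATH_UNCOMPRESS and XPM_PATH_GZIP here in OpenReadFile, and XPM_PATH_COMPRESS in the OpenWriteFile hunk of WrFFrI.c, are not defined by any file in this patch, and because xpmPipeThrough now calls `execl()` instead of `execlp()` each one must expand to an absolute path or the helper will never start. Presumably the build supplies them; a guard such as `#ifndef XPM_PATH_GZIP` / `#error XPM_PATH_GZIP must be an absolute path` would turn a missing definition into a build failure rather than a runtime one. A comment at the call sites would record the intent, e.g. `/* absolute helper path on purpose: never resolve the (de)compressor through $PATH */`.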
@@ -994,11 +994,15 @@ CreateXImage( #if !defined(FOR_MSW) && !defined(AMIGA) if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) { XDestroyImage(*image_return); + *image_return = NULL; return XpmNoMemory; } /* now that bytes_per_line must have been set properly alloc data */ - if((*image_return)->bytes_per_line == 0 || height == 0) + if((*image_return)->bytes_per_line == 0 || height == 0) { + XDestroyImage(*image_return); + *image_return = NULL; return XpmNoMemory; + } (*image_return)->data = (char *) XpmMalloc((*image_return)->bytes_per_line * height); Index: xsrc/external/mit/libXpm/dist/src/data.c diff -u xsrc/external/mit/libXpm/dist/src/data.c:1.1.1.4 xsrc/external/mit/libXpm/dist/src/data.c:1.1.1.4.10.1 --- xsrc/external/mit/libXpm/dist/src/data.c:1.1.1.4 Fri May 31 01:09:03 2013 +++ xsrc/external/mit/libXpm/dist/src/data.c Mon Jan 23 13:33:04 2023 @@ -174,6 +174,10 @@ ParseComment(xpmData *data) notend = 0; Ungetc(data, *s, file); } + else if (c == EOF) { + /* hit end of file before the end of the comment */ + return XpmFileInvalid; + } } return 0; } @@ -191,19 +195,23 @@ xpmNextString(xpmData *data) register char c; /* get to the end of the current string */ - if (data->Eos) - while ((c = *data->cptr++) && c != data->Eos); + if (data->Eos) { + while ((c = *data->cptr++) && c != data->Eos && c != '\0'); + + if (c == '\0') + return XpmFileInvalid; + } /* * then get to the beginning of the next string looking for possible * comment */ if (data->Bos) { - while ((c = *data->cptr++) && c != data->Bos) + while ((c = *data->cptr++) && c != data->Bos && c != '\0') if (data->Bcmt && c == data->Bcmt[0]) ParseComment(data); } else if (data->Bcmt) { /* XPM2 natural */ - while ((c = *data->cptr++) == data->Bcmt[0]) + while (((c = *data->cptr++) == data->Bcmt[0]) && c != '\0') ParseComment(data); data->cptr--; } 
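Review bot: In the buffer branch of xpmNextString (data.c, `@@ -191,19 +195,23 @@`) only the Eos loop turns a terminating NUL into XpmFileInvalid; the Bos loop also stops on NUL but falls through, and because `*data->cptr++` post-increments, cptr is by then one byte past the terminator (the XPM2 arm steps back with `data->cptr--`, the Bos arm does not). Adding `if (c == '\0') return XpmFileInvalid;` after the Bos loop, as the Eos arm does, would keep a later read from starting beyond the end of the buffer. The added `c != '\0'` tests in the first two loops repeat what `(c = *data->cptr++)` already checks and can be dropped. Both `ParseComment(data);` calls here still discard the return value, which matters if ParseComment can fail on buffer input the way it now does on EOF in the previous hunk; the rest of both functions is outside the hunks.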
@@ -212,9 +220,13 @@ xpmNextString(xpmData *data) FILE *file = data->stream.file; /* get to the end of the current string */ - if (data->Eos) + if (data->Eos) { while ((c = Getc(data, file)) != data->Eos && c != EOF); + if (c == EOF) + return XpmFileInvalid; + } + /* * then get to the beginning of the next string looking for possible * comment @@ -230,7 +242,7 @@ xpmNextString(xpmData *data) Ungetc(data, c, file); } } - return 0; + return XpmSuccess; } Index: xsrc/external/mit/libXpm/dist/src/parse.c diff -u xsrc/external/mit/libXpm/dist/src/parse.c:1.1.1.5 xsrc/external/mit/libXpm/dist/src/parse.c:1.1.1.5.2.1 --- xsrc/external/mit/libXpm/dist/src/parse.c:1.1.1.5 Sat Mar 4 21:43:45 2017 +++ xsrc/external/mit/libXpm/dist/src/parse.c Mon Jan 23 13:33:04 2023 @@ -391,6 +391,13 @@ ParsePixels( { unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */ unsigned int a, x, y; + int ErrorStatus; + + if ((width == 0) && (height != 0)) + return (XpmFileInvalid); + + if ((height == 0) && (width != 0)) + return (XpmFileInvalid); if ((height > 0 && width >= UINT_MAX / height) || width * height >= UINT_MAX / sizeof(unsigned int)) @@ -428,7 +435,11 @@ ParsePixels( colidx[(unsigned char)colorTable[a].string[0]] = a + 1; for (y = 0; y < height; y++) { - xpmNextString(data); + ErrorStatus = xpmNextString(data); + if (ErrorStatus != XpmSuccess) { + XpmFree(iptr2); + return (ErrorStatus); + } for (x = 0; x < width; x++, iptr++) { int c = xpmGetC(data); @@ -475,7 +486,11 @@ do \ } for (y = 0; y < height; y++) { - xpmNextString(data); + ErrorStatus = xpmNextString(data); + if (ErrorStatus != XpmSuccess) { + XpmFree(iptr2); + return (ErrorStatus); + } for (x = 0; x < width; x++, iptr++) { int cc1 = xpmGetC(data); if (cc1 > 0 && cc1 < 256) { 
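Review bot: The early return added in the parse.c hunk `@@ -475,7 +486,11 @@` frees iptr2 only, but its hunk header shows the loop sitting right after a `do \` macro, which in ParsePixels looks like the two-characters-per-pixel branch with its per-character cidx lookup tables and the FREE_CIDX cleanup macro. If that is the case, those tables leak every time xpmNextString fails on a truncated file, and the error path should read `FREE_CIDX; XpmFree(iptr2); return (ErrorStatus);`. The branch's setup code is outside the hunk, so this needs confirming against the full function. The same check at `@@ -428,7` and in the two later loops has nothing else to release as far as the hunks show.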
@@ -515,7 +530,11 @@ do \ xpmHashAtom *slot; for (y = 0; y < height; y++) { - xpmNextString(data); + ErrorStatus = xpmNextString(data); + if (ErrorStatus != XpmSuccess) { + XpmFree(iptr2); + return (ErrorStatus); + } for (x = 0; x < width; x++, iptr++) { for (a = 0, s = buf; a < cpp; a++, s++) { int c = xpmGetC(data); @@ -535,7 +554,11 @@ do \ } } else { for (y = 0; y < height; y++) { - xpmNextString(data); + ErrorStatus = xpmNextString(data); + if (ErrorStatus != XpmSuccess) { + XpmFree(iptr2); + return (ErrorStatus); + } for (x = 0; x < width; x++, iptr++) { for (a = 0, s = buf; a < cpp; a++, s++) { int c = xpmGetC(data); Index: xsrc/external/mit/xorg-server/dist/Xext/saver.c diff -u xsrc/external/mit/xorg-server/dist/Xext/saver.c:1.1.1.7.2.1 xsrc/external/mit/xorg-server/dist/Xext/saver.c:1.1.1.7.2.2 --- xsrc/external/mit/xorg-server/dist/Xext/saver.c:1.1.1.7.2.1 Mon Nov 6 09:43:02 2017 +++ xsrc/external/mit/xorg-server/dist/Xext/saver.c Mon Jan 23 13:33:04 2023 @@ -1050,7 +1050,7 @@ ScreenSaverSetAttributes(ClientPtr clien pVlist++; } if (pPriv->attr) - FreeScreenAttr(pPriv->attr); + FreeResource(pPriv->attr->resource, AttrType); pPriv->attr = pAttr; pAttr->resource = FakeClientID(client->index); if (!AddResource(pAttr->resource, AttrType, (void *) pAttr)) Index: xsrc/external/mit/xorg-server/dist/Xext/xtest.c diff -u xsrc/external/mit/xorg-server/dist/Xext/xtest.c:1.5 xsrc/external/mit/xorg-server/dist/Xext/xtest.c:1.5.2.1 --- xsrc/external/mit/xorg-server/dist/Xext/xtest.c:1.5 Thu Aug 11 00:04:26 2016 +++ xsrc/external/mit/xorg-server/dist/Xext/xtest.c Mon Jan 23 13:33:04 2023 
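Review bot: The switch from `FreeScreenAttr(pPriv->attr)` to `FreeResource(pPriv->attr->resource, AttrType)` in ScreenSaverSetAttributes (saver.c) has no comment, and the next line, `pPriv->attr = pAttr;`, writes through pPriv right after a call that presumably runs the AttrType delete callback. That callback is outside the hunk; if it can clear or release the screen-private structure, this assignment would operate on stale state, so it is worth confirming and recording. Suggested comment above the call: `/* release through the resource table so no AttrType entry keeps pointing at the old attr; the delete callback must leave pPriv valid */`.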
@@ -501,10 +501,11 @@ XTestSwapFakeInput(ClientPtr client, xRe nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent); for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) { + int evtype = ev->u.u.type & 0x177; /* Swap event */ - proc = EventSwapVector[ev->u.u.type & 0177]; + proc = EventSwapVector[evtype]; /* no swapping proc; invalid event type? */ - if (!proc || proc == NotImplemented) { + if (!proc || proc == NotImplemented || evtype == GenericEvent) { client->errorValue = ev->u.u.type; return BadValue; } Index: xsrc/external/mit/xorg-server/dist/Xext/xvmain.c diff -u xsrc/external/mit/xorg-server/dist/Xext/xvmain.c:1.1.1.4 xsrc/external/mit/xorg-server/dist/Xext/xvmain.c:1.1.1.4.2.1 --- xsrc/external/mit/xorg-server/dist/Xext/xvmain.c:1.1.1.4 Wed Aug 10 07:44:31 2016 +++ xsrc/external/mit/xorg-server/dist/Xext/xvmain.c Mon Jan 23 13:33:04 2023 @@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, tpn = pn; while (tpn) { if (tpn->client == client) { - if (!onoff) + if (!onoff) { tpn->client = NULL; + FreeResource(tpn->id, XvRTVideoNotify); + } return Success; } if (!tpn->client) Index: xsrc/external/mit/xorg-server/dist/Xi/xipassivegrab.c diff -u xsrc/external/mit/xorg-server/dist/Xi/xipassivegrab.c:1.3 xsrc/external/mit/xorg-server/dist/Xi/xipassivegrab.c:1.3.2.1 --- xsrc/external/mit/xorg-server/dist/Xi/xipassivegrab.c:1.3 Thu Aug 11 00:04:26 2016 +++ xsrc/external/mit/xorg-server/dist/Xi/xipassivegrab.c Mon Jan 23 13:33:04 2023 @@ -133,6 +133,12 @@ ProcXIPassiveGrabDevice(ClientPtr client return BadValue; } + /* XI2 allows 32-bit keycodes but thanks to XKB we can never + * implement this. Just return an error for all keycodes that + * cannot work anyway, same for buttons > 255. */ + if (stuff->detail > 255) + return XIAlreadyGrabbed; + if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1], stuff->mask_len * 4) != Success) return BadValue; 
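Review bot: The mask in `int evtype = ev->u.u.type & 0x177;` (xtest.c, XTestSwapFakeInput) is hexadecimal where the line it replaces used octal `0177`; 0x177 clears bit 3 and keeps bit 8, so for an 8-bit event type it acts like 0x77 rather than 0x7f. Event types with bit 3 set therefore select the wrong EventSwapVector entry (the index is at most 0x77, but the wrong swap routine runs), and a type such as 43 masks down to 35 and would hit the new `evtype == GenericEvent` rejection if GenericEvent has its usual value. The line should be `int evtype = ev->u.u.type & 0177;` (or `0x7f`). The function continues outside the hunk.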
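Review bot: The new bounds check in ProcXIPassiveGrabDevice (xipassivegrab.c, `@@ -133,6 +133,12 @@`) returns `XIAlreadyGrabbed`, which is a grab status rather than an X error code, while the matching check in ProcXIPassiveUngrabDevice in the next hunk sets `client->errorValue` and returns BadValue. Returned from a request handler, the status value will presumably reach the client as whichever core error shares its number. If rejecting the request is the intent, mirror the ungrab path with `client->errorValue = stuff->detail; return BadValue;`. If the status is returned deliberately for compatibility, the comment above the check should say so.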
@@ -313,6 +319,12 @@ ProcXIPassiveUngrabDevice(ClientPtr clie return BadValue; } + /* We don't allow passive grabs for details > 255 anyway */ + if (stuff->detail > 255) { + client->errorValue = stuff->detail; + return BadValue; + } + rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess); if (rc != Success) return rc; Index: xsrc/external/mit/xorg-server/dist/Xi/xiproperty.c diff -u xsrc/external/mit/xorg-server/dist/Xi/xiproperty.c:1.3 xsrc/external/mit/xorg-server/dist/Xi/xiproperty.c:1.3.2.1 --- xsrc/external/mit/xorg-server/dist/Xi/xiproperty.c:1.3 Thu Aug 11 00:04:26 2016 +++ xsrc/external/mit/xorg-server/dist/Xi/xiproperty.c Mon Jan 23 13:33:04 2023 @@ -886,7 +886,7 @@ ProcXChangeDeviceProperty(ClientPtr clie REQUEST(xChangeDevicePropertyReq); DeviceIntPtr dev; unsigned long len; - int totalSize; + uint64_t totalSize; int rc; REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq); @@ -898,6 +898,8 @@ ProcXChangeDeviceProperty(ClientPtr clie rc = check_change_property(client, stuff->property, stuff->type, stuff->format, stuff->mode, stuff->nUnits); + if (rc != Success) + return rc; len = stuff->nUnits; if (len > (bytes_to_int32(0xffffffff - sizeof(xChangeDevicePropertyReq)))) @@ -1124,7 +1126,7 @@ ProcXIChangeProperty(ClientPtr client) { int rc; DeviceIntPtr dev; - int totalSize; + uint64_t totalSize; unsigned long len; REQUEST(xXIChangePropertyReq); 
@@ -1137,6 +1139,9 @@ ProcXIChangeProperty(ClientPtr client) rc = check_change_property(client, stuff->property, stuff->type, stuff->format, stuff->mode, stuff->num_items); + if (rc != Success) + return rc; + len = stuff->num_items; if (len > bytes_to_int32(0xffffffff - sizeof(xXIChangePropertyReq))) return BadLength; Index: xsrc/external/mit/xorg-server/dist/dix/property.c diff -u xsrc/external/mit/xorg-server/dist/dix/property.c:1.1.1.5 xsrc/external/mit/xorg-server/dist/dix/property.c:1.1.1.5.2.1 --- xsrc/external/mit/xorg-server/dist/dix/property.c:1.1.1.5 Wed Aug 10 07:44:31 2016 +++ xsrc/external/mit/xorg-server/dist/dix/property.c Mon Jan 23 13:33:05 2023 @@ -194,7 +194,8 @@ ProcChangeProperty(ClientPtr client) WindowPtr pWin; char format, mode; unsigned long len; - int sizeInBytes, totalSize, err; + int sizeInBytes, err; + uint64_t totalSize; REQUEST(xChangePropertyReq); Index: xsrc/external/mit/xorg-server/dist/xkb/xkbUtils.c diff -u xsrc/external/mit/xorg-server/dist/xkb/xkbUtils.c:1.1.1.5 xsrc/external/mit/xorg-server/dist/xkb/xkbUtils.c:1.1.1.5.2.1 --- xsrc/external/mit/xorg-server/dist/xkb/xkbUtils.c:1.1.1.5 Wed Aug 10 07:44:35 2016 +++ xsrc/external/mit/xorg-server/dist/xkb/xkbUtils.c Mon Jan 23 13:33:05 2023 @@ -1327,6 +1327,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr } else { free(dst->names->radio_groups); + dst->names->radio_groups = NULL; } dst->names->num_rg = src->names->num_rg;