Pullup ticket #6295 - requested by maya

x11/libX11: bugfix

Revisions pulled up:
- x11/libX11/Makefile                                           1.53
- x11/libX11/distinfo                                           1.32
- x11/libX11/patches/patch-regression                           1.1

---
   Module Name:	pkgsrc
   Committed By:	maya
   Date:		Tue Aug  4 15:50:19 UTC 2020

   Modified Files:
   	pkgsrc/x11/libX11: Makefile distinfo
   Added Files:
   	pkgsrc/x11/libX11/patches: patch-regression

   Log Message:
   libX11: backport patch fixing regression from upstream. bump PKGREVISION

3 files changed, 49 insertions, 2 deletions

diff --git a/x11/libX11/Makefile b/x11/libX11/Makefile
index a691feb34b9..430b593c679 100644
--- a/x11/libX11/Makefile
+++ b/x11/libX11/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.51.4.1 2020/08/01 06:47:52 bsiegert Exp $
+# $NetBSD: Makefile,v 1.51.4.2 2020/08/14 17:11:16 bsiegert Exp $
 
 DISTNAME=		libX11-1.6.10
+PKGREVISION=		1
 CATEGORIES=		x11 devel
 MASTER_SITES=		${MASTER_SITE_XORG:=lib/}
 EXTRACT_SUFX=		.tar.bz2
diff --git a/x11/libX11/distinfo b/x11/libX11/distinfo
index 6d7c3836e41..eae5faf559f 100644
--- a/x11/libX11/distinfo
+++ b/x11/libX11/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.30.6.1 2020/08/01 06:47:52 bsiegert Exp $
+$NetBSD: distinfo,v 1.30.6.2 2020/08/14 17:11:16 bsiegert Exp $
 
 SHA1 (libX11-1.6.10.tar.bz2) = e28f6bc0a33ca512b1aeb973a1dd8b3a3c48cd9f
 RMD160 (libX11-1.6.10.tar.bz2) = 3d7ecf53bf8d87347857a0a810ce772f97c4b352
@@ -7,3 +7,4 @@ Size (libX11-1.6.10.tar.bz2) = 2294095 bytes
 SHA1 (patch-Makefile.in) = 93d3b8d9882babf70788e984884a9db46a5367ef
 SHA1 (patch-aa) = 4f502264e7200fd2f9409d8684c53de3bc6f0649
 SHA1 (patch-ac) = 565aa2a636b5c50f67cbd11e7c2adcac8d55418e
+SHA1 (patch-regression) = 55d611dacaa9b64e4275f83bb76843323bc38234
diff --git a/x11/libX11/patches/patch-regression b/x11/libX11/patches/patch-regression
new file mode 100644
index 00000000000..b917641ca21
--- /dev/null
+++ b/x11/libX11/patches/patch-regression
@@ -0,0 +1,45 @@
+$NetBSD: patch-regression,v 1.2.2.2 2020/08/14 17:11:16 bsiegert Exp $
+
+From 93fce3f4e79cbc737d6468a4f68ba3de1b83953b Mon Sep 17 00:00:00 2001
+From: Yichao Yu <yyc1992@gmail.com>
+Date: Sun, 2 Aug 2020 13:43:58 -0400
+Subject: [PATCH] Fix size calculation in `_XimAttributeToValue`.
+
+The check here guards the read below.
+For `XimType_XIMStyles`, these are `num` of `CARD32` and for `XimType_XIMHotKeyTriggers`
+these are `num` of `XIMTRIGGERKEY` ref[1] which is defined as 3 x `CARD32`.
+(There are data after the `XIMTRIGGERKEY` according to the spec but they are not read by this
+function and doesn't need to be checked.)
+
+The old code here used the native datatype size instead of the wire protocol size causing
+the check to always fail.
+
+Also fix the size calculation for the header (size). It is 2 x CARD16 for both types
+despite the unused `CARD16` for `XimType_XIMStyles`.
+
+[1] https://www.x.org/releases/X11R7.6/doc/libX11/specs/XIM/xim.html#Input_Method_Styles
+
+This fixes a regression caused by 388b303c62aa35a245f1704211a023440ad2c488 in 1.6.10.
+
+Fix #116
+
+--- modules/im/ximcp/imRmAttr.c.orig
++++ modules/im/ximcp/imRmAttr.c
+@@ -265,7 +265,7 @@ _XimAttributeToValue(
+ 
+ 	    if (num > (USHRT_MAX / sizeof(XIMStyle)))
+ 		return False;
+-	    if ((sizeof(num) + (num * sizeof(XIMStyle))) > data_len)
++	    if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len)
+ 		return False;
+ 	    alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;
+ 	    if (alloc_len < sizeof(XIMStyles))
+@@ -379,7 +379,7 @@ _XimAttributeToValue(
+ 
+ 	    if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))
+ 		return False;
+-	    if ((sizeof(num) + (num * sizeof(XIMHotKeyTrigger))) > data_len)
++	    if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len)
+ 		return False;
+ 	    alloc_len = sizeof(XIMHotKeyTriggers)
+ 		      + sizeof(XIMHotKeyTrigger) * num;