diff options
| author | wiz <wiz@pkgsrc.org> | 2014-12-21 16:03:17 +0000 |
|---|---|---|
| committer | wiz <wiz@pkgsrc.org> | 2014-12-21 16:03:17 +0000 |
| commit | 4dcc90eaae006863cba1ee04040ef7df27c83819 (patch) | |
| tree | 5c6cea11b39b06e0f5df570405d36ffbc090cc69 /x11/modular-xorg-server | |
| parent | 17d8a90cfe9b0ba0070f24507217b7bfd7664ea9 (diff) | |
| download | pkgsrc-4dcc90eaae006863cba1ee04040ef7df27c83819.tar.gz | |
Fix
X.Org Security Advisory: Dec. 9, 2014
Protocol handling issues in X Window System servers
using the 1.16.x patches, backported to 1.12 by myself.
Review welcome.
Bump PKGREVISION.
Diffstat (limited to 'x11/modular-xorg-server')
55 files changed, 3250 insertions, 4 deletions
diff --git a/x11/modular-xorg-server/Makefile b/x11/modular-xorg-server/Makefile index 3be0d179c40..bb1f772fa03 100644 --- a/x11/modular-xorg-server/Makefile +++ b/x11/modular-xorg-server/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.83 2014/05/05 00:48:31 ryoon Exp $ +# $NetBSD: Makefile,v 1.84 2014/12/21 16:03:17 wiz Exp $ DISTNAME= xorg-server-1.12.4 PKGNAME= modular-${DISTNAME} -PKGREVISION= 5 +PKGREVISION= 6 CATEGORIES= x11 MASTER_SITES= ${MASTER_SITE_XORG:=xserver/} EXTRACT_SUFX= .tar.bz2 diff --git a/x11/modular-xorg-server/distinfo b/x11/modular-xorg-server/distinfo index dc4e5d6ad73..3310bae31b8 100644 --- a/x11/modular-xorg-server/distinfo +++ b/x11/modular-xorg-server/distinfo @@ -1,9 +1,62 @@ -$NetBSD: distinfo,v 1.52 2013/10/08 20:33:54 wiz Exp $ +$NetBSD: distinfo,v 1.53 2014/12/21 16:03:17 wiz Exp $ SHA1 (xorg-server-1.12.4.tar.bz2) = 6d616874f9c7677bda08dc073c03f83e78fbc585 RMD160 (xorg-server-1.12.4.tar.bz2) = 4907b5dc42efd6b3fb6bf9d64f1441080a6a6983 Size (xorg-server-1.12.4.tar.bz2) = 5444761 bytes +SHA1 (patch-Xext_xcmisc.c) = 8bf7ff8c928b14f6e98d2f1240ea5736bcf43021 +SHA1 (patch-Xext_xvdisp.c) = 5c85a221d11f9893bc68d223cf75e63c00586a9f +SHA1 (patch-Xi_chgdctl.c) = 0bba99d4fe90832d9f364aa4d2eef4ba7f18ff24 +SHA1 (patch-Xi_chgfctl.c) = 1fb0fb890fc28e5374a00cc29aeee8ae1401f41c +SHA1 (patch-Xi_sendexev.c) = 387d7382ad31b85530cdfb068831b29cf2f15755 +SHA1 (patch-Xi_xiallowev.c) = 4d10addbd669bd3b867b6e209e876806c402f3e2 +SHA1 (patch-Xi_xichangecursor.c) = f123415ca0b481bca7f43731992d8ce3ef842aac +SHA1 (patch-Xi_xichangehierarchy.c) = 35ac279d2f7c4ed57bc583df2067a13c1dbee1bf +SHA1 (patch-Xi_xigetclientpointer.c) = 7bac39459d98cf13fcd33582a594f67c53936881 +SHA1 (patch-Xi_xigrabdev.c) = 882474440142ffd1874b018d2cb3bceeff3c12ce +SHA1 (patch-Xi_xipassivegrab.c) = 2a8c97b5e963ae48711db4e9e6c1e7fc6d49d645 +SHA1 (patch-Xi_xiproperty.c) = ba3fd9f9305f95ecf616cea5b221aa2a5de03096 +SHA1 (patch-Xi_xiquerydevice.c) = 33d70ace5b969521e573eb4ce416185b910374db +SHA1 (patch-Xi_xiquerypointer.c) = e9dc180b4697d7a519d470e4f879a61dd64be2f2 +SHA1 (patch-Xi_xiselectev.c) = a17d893af3855f8676f4747defcb2b6866db0ec6 +SHA1 (patch-Xi_xisetclientpointer.c) = 3e1c4c7087383474f39362f9b53bc449d35b28ee +SHA1 (patch-Xi_xisetdevfocus.c) = add3a8f096fa90c9966128f8641e447c570a8a11 +SHA1 (patch-Xi_xiwarppointer.c) = 0567dcc1ff2f8de4fa5caf865edd084611ff8c5c SHA1 (patch-configure) = 031bc0accf1dd71ed687e7aac3fcc9498cb06784 +SHA1 (patch-configure.ac) = c7dc061377e3bb25425ad3f418c40a45a0e55440 +SHA1 (patch-dbe_dbe.c) = 7c31812b30613b42e509677b6a430d261046a77a +SHA1 (patch-dix_dispatch.c) = 454ce12b27d3906b22f32d7d4c1a3a6a6fb549e3 SHA1 (patch-dix_dixfonts.c) = 2f1fd51c538eab12c06b85c4ddab18af25338174 -SHA1 (patch-hw_xfree86_common_compiler.h) = 88de747715b80b22f448869ab32dce1641bcb6db +SHA1 (patch-dix_region.c) = 0a7fe6f67c4780c003f1e662be20e2294a7562f2 +SHA1 (patch-glx_glxcmds.c) = 2566885001178f47eb151a2ef84450b60137f3c1 +SHA1 (patch-glx_glxcmdsswap.c) = b9a0d5386ba928d2db95885f0b68414ffbae71ef +SHA1 (patch-glx_glxserver.h) = 47bd1cc49dbf761c042f00adc6db8cec2a038501 +SHA1 (patch-glx_indirect__program.c) = fb49f91690ff3488e11f4708f23aaa358f98d40c +SHA1 (patch-glx_indirect__reqsize.c) = 0b0305bb8b6a215f0e7548bf85ea571bed8df00b +SHA1 (patch-glx_indirect__reqsize.h) = fa963a97083dc5b0cf6f80b76905ce1f21ea0d5e +SHA1 (patch-glx_indirect__texture__compression.c) = b2af15e99e65c7f43a0218f6813b5bd4407618ea +SHA1 (patch-glx_indirect__util.c) = 182c3c5768e87118ace979304a350c137a1119db +SHA1 (patch-glx_rensize.c) = 574c5bf883ba9046e5cab52c0bd2919440ad1460 +SHA1 (patch-glx_single2.c) = 05cd1c9ba051561d68a28e23af7a5e7aaa942b82 +SHA1 (patch-glx_single2swap.c) = 900787c9b5e5f842141ea146f1b06740cfa7aa81 +SHA1 (patch-glx_singlepix.c) = 72ac42939b37ae0d57fc06453344ca76cdf2c856 +SHA1 (patch-glx_singlepixswap.c) = 1e3d54d3082a59d21edd81276980b953efc39ebb +SHA1 (patch-glx_swap__interval.c) = 2ff4e2e7d2793dd8558b04c1f72abfa81998f2c6 +SHA1 (patch-glx_unpack.h) = 5ae5c10c93835cb51c08f5dae05c5a5e2afaad98 +SHA1 (patch-hw_xfree86_common_compiler.h) = 55d8b82a77a27cb2c7c2ccaff784c8721afe2951 +SHA1 (patch-hw_xfree86_dri2_dri2ext.c) = bc2b57e4bef5ae386d1d3a015c01d243f8880ab4 SHA1 (patch-hw_xfree86_os-support_xf86__OSlib.h) = 7c2760509610b44915da077b22899bef9c338cc1 +SHA1 (patch-include_dix.h) = ab0dc2debd87f29c0ac7f971a3cad4850b239c3a +SHA1 (patch-include_regionstr.h) = c6f3e3b263593b622e7087d3ebe2b470cf9526e3 +SHA1 (patch-os_access.c) = 94ee087d68bc9ba713dbe42102f971a1b8e6a3c4 +SHA1 (patch-os_rpcauth.c) = 6617d5ef0e3cc5e9e10cd8db74f87e347e52ebe3 +SHA1 (patch-randr_rrsdispatch.c) = 13a2e819fea3ab8fa4caee7f9450a518ac41e517 +SHA1 (patch-render_render.c) = f86496fc392681d2fba3c50bbd37b24b78bed682 +SHA1 (patch-test_Makefile.am) = 77caa0c25103307d5bd30178f72e552dbae9555a +SHA1 (patch-test_misc.c) = 1615c03ceb595fa976a571455723665025c14aa0 +SHA1 (patch-test_xi1_Makefile.am) = c5b7a86f6b4e8381c3063fa840de5e238a5877a4 +SHA1 (patch-test_xi1_protocol-xchangedevicecontrol.c) = e3efd2a5e8f93f6acf2f561451ca3d26a70ad826 +SHA1 (patch-test_xi2_protocol-xigetclientpointer.c) = e2eb3995d0bae797ba86d81165930dcd7365c74d +SHA1 (patch-test_xi2_protocol-xipassivegrabdevice.c) = 503566a73fe797a98f637fb9dd497d55e7e7db1d +SHA1 (patch-test_xi2_protocol-xiquerypointer.c) = 6594dff2bccac46aa4b8aec7c517d122517407ad +SHA1 (patch-test_xi2_protocol-xiwarppointer.c) = fda57d72b963890478e8e78dfbe2864eb51971d2 +SHA1 (patch-xfixes_select.c) = 0f0dac08732a54112a2f0a7b3f1393a28fbfd8bc diff --git a/x11/modular-xorg-server/patches/patch-Xext_xcmisc.c b/x11/modular-xorg-server/patches/patch-Xext_xcmisc.c new file mode 100644 index 00000000000..ec3cf0f9fab --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-Xext_xcmisc.c @@ -0,0 +1,15 @@ +$NetBSD: patch-Xext_xcmisc.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xext/xcmisc.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xext/xcmisc.c +@@ -161,6 +161,7 @@ static int + SProcXCMiscGetXIDList(ClientPtr client) + { + REQUEST(xXCMiscGetXIDListReq); ++ REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq); + + swaps(&stuff->length); + swapl(&stuff->count); diff --git a/x11/modular-xorg-server/patches/patch-Xext_xvdisp.c b/x11/modular-xorg-server/patches/patch-Xext_xvdisp.c new file mode 100644 index 00000000000..3b256648c2b --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-Xext_xvdisp.c @@ -0,0 +1,167 @@ +$NetBSD: patch-Xext_xvdisp.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xext/xvdisp.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xext/xvdisp.c +@@ -1202,6 +1202,7 @@ static int + SProcXvQueryExtension(ClientPtr client) + { + REQUEST(xvQueryExtensionReq); ++ REQUEST_SIZE_MATCH(xvQueryExtensionReq); + swaps(&stuff->length); + return XvProcVector[xv_QueryExtension] (client); + } +@@ -1210,6 +1211,7 @@ static int + SProcXvQueryAdaptors(ClientPtr client) + { + REQUEST(xvQueryAdaptorsReq); ++ REQUEST_SIZE_MATCH(xvQueryAdaptorsReq); + swaps(&stuff->length); + swapl(&stuff->window); + return XvProcVector[xv_QueryAdaptors] (client); +@@ -1219,6 +1221,7 @@ static int + SProcXvQueryEncodings(ClientPtr client) + { + REQUEST(xvQueryEncodingsReq); ++ REQUEST_SIZE_MATCH(xvQueryEncodingsReq); + swaps(&stuff->length); + swapl(&stuff->port); + return XvProcVector[xv_QueryEncodings] (client); +@@ -1228,6 +1231,7 @@ static int + SProcXvGrabPort(ClientPtr client) + { + REQUEST(xvGrabPortReq); ++ REQUEST_SIZE_MATCH(xvGrabPortReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->time); +@@ -1238,6 +1242,7 @@ static int + SProcXvUngrabPort(ClientPtr client) + { + REQUEST(xvUngrabPortReq); ++ REQUEST_SIZE_MATCH(xvUngrabPortReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->time); +@@ -1248,6 +1253,7 @@ static int + SProcXvPutVideo(ClientPtr client) + { + REQUEST(xvPutVideoReq); ++ REQUEST_SIZE_MATCH(xvPutVideoReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->drawable); +@@ -1267,6 +1273,7 @@ static int + SProcXvPutStill(ClientPtr client) + { + REQUEST(xvPutStillReq); ++ REQUEST_SIZE_MATCH(xvPutStillReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->drawable); +@@ -1286,6 +1293,7 @@ static int + SProcXvGetVideo(ClientPtr client) + { + REQUEST(xvGetVideoReq); ++ REQUEST_SIZE_MATCH(xvGetVideoReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->drawable); +@@ -1305,6 +1313,7 @@ static int + SProcXvGetStill(ClientPtr client) + { + REQUEST(xvGetStillReq); ++ REQUEST_SIZE_MATCH(xvGetStillReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->drawable); +@@ -1324,6 +1333,7 @@ static int + SProcXvPutImage(ClientPtr client) + { + REQUEST(xvPutImageReq); ++ REQUEST_AT_LEAST_SIZE(xvPutImageReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->drawable); +@@ -1347,6 +1357,7 @@ static int + SProcXvShmPutImage(ClientPtr client) + { + REQUEST(xvShmPutImageReq); ++ REQUEST_SIZE_MATCH(xvShmPutImageReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->drawable); +@@ -1374,6 +1385,7 @@ static int + SProcXvSelectVideoNotify(ClientPtr client) + { + REQUEST(xvSelectVideoNotifyReq); ++ REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq); + swaps(&stuff->length); + swapl(&stuff->drawable); + return XvProcVector[xv_SelectVideoNotify] (client); +@@ -1383,6 +1395,7 @@ static int + SProcXvSelectPortNotify(ClientPtr client) + { + REQUEST(xvSelectPortNotifyReq); ++ REQUEST_SIZE_MATCH(xvSelectPortNotifyReq); + swaps(&stuff->length); + swapl(&stuff->port); + return XvProcVector[xv_SelectPortNotify] (client); +@@ -1392,6 +1405,7 @@ static int + SProcXvStopVideo(ClientPtr client) + { + REQUEST(xvStopVideoReq); ++ REQUEST_SIZE_MATCH(xvStopVideoReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->drawable); +@@ -1402,6 +1416,7 @@ static int + SProcXvSetPortAttribute(ClientPtr client) + { + REQUEST(xvSetPortAttributeReq); ++ REQUEST_SIZE_MATCH(xvSetPortAttributeReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->attribute); +@@ -1413,6 +1428,7 @@ static int + SProcXvGetPortAttribute(ClientPtr client) + { + REQUEST(xvGetPortAttributeReq); ++ REQUEST_SIZE_MATCH(xvGetPortAttributeReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->attribute); +@@ -1423,6 +1439,7 @@ static int + SProcXvQueryBestSize(ClientPtr client) + { + REQUEST(xvQueryBestSizeReq); ++ REQUEST_SIZE_MATCH(xvQueryBestSizeReq); + swaps(&stuff->length); + swapl(&stuff->port); + swaps(&stuff->vid_w); +@@ -1436,6 +1453,7 @@ static int + SProcXvQueryPortAttributes(ClientPtr client) + { + REQUEST(xvQueryPortAttributesReq); ++ REQUEST_SIZE_MATCH(xvQueryPortAttributesReq); + swaps(&stuff->length); + swapl(&stuff->port); + return XvProcVector[xv_QueryPortAttributes] (client); +@@ -1445,6 +1463,7 @@ static int + SProcXvQueryImageAttributes(ClientPtr client) + { + REQUEST(xvQueryImageAttributesReq); ++ REQUEST_SIZE_MATCH(xvQueryImageAttributesReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->id); +@@ -1457,6 +1476,7 @@ static int + SProcXvListImageFormats(ClientPtr client) + { + REQUEST(xvListImageFormatsReq); ++ REQUEST_SIZE_MATCH(xvListImageFormatsReq); + swaps(&stuff->length); + swapl(&stuff->port); + return XvProcVector[xv_ListImageFormats] (client); diff --git a/x11/modular-xorg-server/patches/patch-Xi_chgdctl.c b/x11/modular-xorg-server/patches/patch-Xi_chgdctl.c new file mode 100644 index 00000000000..c96716550d4 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-Xi_chgdctl.c @@ -0,0 +1,36 @@ +$NetBSD: patch-Xi_chgdctl.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/chgdctl.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/chgdctl.c +@@ -78,7 +78,7 @@ SProcXChangeDeviceControl(ClientPtr clie + + REQUEST(xChangeDeviceControlReq); + swaps(&stuff->length); +- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq); ++ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl)); + swaps(&stuff->control); + ctl = (xDeviceCtl *) &stuff[1]; + swaps(&ctl->control); +@@ -116,7 +116,7 @@ ProcXChangeDeviceControl(ClientPtr clien + devicePresenceNotify dpn; + + REQUEST(xChangeDeviceControlReq); +- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq); ++ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl)); + + len = stuff->length - bytes_to_int32(sizeof(xChangeDeviceControlReq)); + ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess); +@@ -184,6 +184,10 @@ ProcXChangeDeviceControl(ClientPtr clien + break; + case DEVICE_ENABLE: + e = (xDeviceEnableCtl *) &stuff[1]; ++ if ((len != bytes_to_int32(sizeof(xDeviceEnableCtl)))) { ++ ret = BadLength; ++ goto out; ++ } + + status = ChangeDeviceControl(client, dev, (xDeviceCtl *) e); + diff --git a/x11/modular-xorg-server/patches/patch-Xi_chgfctl.c b/x11/modular-xorg-server/patches/patch-Xi_chgfctl.c new file mode 100644 index 00000000000..7b0cc5fce39 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-Xi_chgfctl.c @@ -0,0 +1,16 @@ +$NetBSD: patch-Xi_chgfctl.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/chgfctl.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/chgfctl.c +@@ -467,6 +467,8 @@ ProcXChangeFeedbackControl(ClientPtr cli + xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]); + + if (client->swapped) { ++ if (len < bytes_to_int32(sizeof(xStringFeedbackCtl))) ++ return BadLength; + swaps(&f->num_keysyms); + } + if (len != diff --git a/x11/modular-xorg-server/patches/patch-Xi_sendexev.c b/x11/modular-xorg-server/patches/patch-Xi_sendexev.c new file mode 100644 index 00000000000..01c72287c0a --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-Xi_sendexev.c @@ -0,0 +1,17 @@ +$NetBSD: patch-Xi_sendexev.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/sendexev.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/sendexev.c +@@ -135,6 +135,9 @@ ProcXSendExtensionEvent(ClientPtr client + if (ret != Success) + return ret; + ++ if (stuff->num_events == 0) ++ return ret; ++ + /* The client's event type must be one defined by an extension. */ + + first = ((xEvent *) &stuff[1]); diff --git a/x11/modular-xorg-server/patches/patch-Xi_xiallowev.c b/x11/modular-xorg-server/patches/patch-Xi_xiallowev.c new file mode 100644 index 00000000000..e567a577ca2 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-Xi_xiallowev.c @@ -0,0 +1,23 @@ +$NetBSD: patch-Xi_xiallowev.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xiallowev.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/xiallowev.c +@@ -48,6 +48,7 @@ int + SProcXIAllowEvents(ClientPtr client) + { + REQUEST(xXIAllowEventsReq); ++ REQUEST_AT_LEAST_SIZE(xXIAllowEventsReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); +@@ -55,6 +56,7 @@ SProcXIAllowEvents(ClientPtr client) + if (stuff->length > 3) { + xXI2_2AllowEventsReq *req_xi22 = (xXI2_2AllowEventsReq *) stuff; + ++ REQUEST_AT_LEAST_SIZE(xXI2_2AllowEventsReq); + swapl(&req_xi22->touchid); + swapl(&req_xi22->grab_window); + } diff --git a/x11/modular-xorg-server/patches/patch-Xi_xichangecursor.c b/x11/modular-xorg-server/patches/patch-Xi_xichangecursor.c new file mode 100644 index 00000000000..3653bfbba7a --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-Xi_xichangecursor.c @@ -0,0 +1,20 @@ +$NetBSD: patch-Xi_xichangecursor.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xichangecursor.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/xichangecursor.c +@@ -57,11 +57,11 @@ int + SProcXIChangeCursor(ClientPtr client) + { + REQUEST(xXIChangeCursorReq); ++ REQUEST_SIZE_MATCH(xXIChangeCursorReq); + swaps(&stuff->length); + swapl(&stuff->win); + swapl(&stuff->cursor); + swaps(&stuff->deviceid); +- REQUEST_SIZE_MATCH(xXIChangeCursorReq); + return (ProcXIChangeCursor(client)); + } + diff --git a/x11/modular-xorg-server/patches/patch-Xi_xichangehierarchy.c b/x11/modular-xorg-server/patches/patch-Xi_xichangehierarchy.c new file mode 100644 index 00000000000..469a007772b --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-Xi_xichangehierarchy.c @@ -0,0 +1,97 @@ +$NetBSD: patch-Xi_xichangehierarchy.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xichangehierarchy.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/xichangehierarchy.c +@@ -407,7 +407,7 @@ int + ProcXIChangeHierarchy(ClientPtr client) + { + xXIAnyHierarchyChangeInfo *any; +- int required_len = sizeof(xXIChangeHierarchyReq); ++ size_t len; /* length of data remaining in request */ + int rc = Success; + int flags[MAXDEVICES] = { 0 }; + +@@ -417,21 +417,46 @@ ProcXIChangeHierarchy(ClientPtr client) + if (!stuff->num_changes) + return rc; + ++ if (stuff->length > (INT_MAX >> 2)) ++ return BadAlloc; ++ len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo); ++ + any = (xXIAnyHierarchyChangeInfo *) &stuff[1]; + while (stuff->num_changes--) { ++ if (len < sizeof(xXIAnyHierarchyChangeInfo)) { ++ rc = BadLength; ++ goto unwind; ++ } ++ + SWAPIF(swaps(&any->type)); + SWAPIF(swaps(&any->length)); + +- required_len += any->length; +- if ((stuff->length * 4) < required_len) ++ if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2))) + return BadLength; + ++#define CHANGE_SIZE_MATCH(type) \ ++ do { \ ++ if ((len < sizeof(type)) || (any->length != (sizeof(type) >> 2))) { \ ++ rc = BadLength; \ ++ goto unwind; \ ++ } \ ++ } while(0) ++ + switch (any->type) { + case XIAddMaster: + { + xXIAddMasterInfo *c = (xXIAddMasterInfo *) any; + ++ /* Variable length, due to appended name string */ ++ if (len < sizeof(xXIAddMasterInfo)) { ++ rc = BadLength; ++ goto unwind; ++ } + SWAPIF(swaps(&c->name_len)); ++ if (c->name_len > (len - sizeof(xXIAddMasterInfo))) { ++ rc = BadLength; ++ goto unwind; ++ } + + rc = add_master(client, c, flags); + if (rc != Success) +@@ -442,6 +467,7 @@ ProcXIChangeHierarchy(ClientPtr client) + { + xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any; + ++ CHANGE_SIZE_MATCH(xXIRemoveMasterInfo); + rc = remove_master(client, r, flags); + if (rc != Success) + goto unwind; +@@ -451,6 +477,7 @@ ProcXIChangeHierarchy(ClientPtr client) + { + xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any; + ++ CHANGE_SIZE_MATCH(xXIDetachSlaveInfo); + rc = detach_slave(client, c, flags); + if (rc != Success) + goto unwind; +@@ -460,6 +487,7 @@ ProcXIChangeHierarchy(ClientPtr client) + { + xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any; + ++ CHANGE_SIZE_MATCH(xXIAttachSlaveInfo); + rc = attach_slave(client, c, flags); + if (rc != Success) + goto unwind; +@@ -467,6 +495,7 @@ ProcXIChangeHierarchy(ClientPtr client) + break; + } + ++ len -= any->length * 4; + any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4); + } + diff --git a/x11/modular-xorg-server/patches/patch-Xi_xigetclientpointer.c b/x11/modular-xorg-server/patches/patch-Xi_xigetclientpointer.c new file mode 100644 index 00000000000..2e74986a1dd --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-Xi_xigetclientpointer.c @@ -0,0 +1,15 @@ +$NetBSD: patch-Xi_xigetclientpointer.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xigetclientpointer.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/xigetclientpointer.c +@@ -50,6 +50,7 @@ int + SProcXIGetClientPointer(ClientPtr client) + { + REQUEST(xXIGetClientPointerReq); ++ REQUEST_SIZE_MATCH(xXIGetClientPointerReq); + + swaps(&stuff->length); + swapl(&stuff->win); diff --git a/x11/modular-xorg-server/patches/patch-Xi_xigrabdev.c b/x11/modular-xorg-server/patches/patch-Xi_xigrabdev.c new file mode 100644 index 00000000000..b3c1bd1f7f2 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-Xi_xigrabdev.c @@ -0,0 +1,44 @@ +$NetBSD: patch-Xi_xigrabdev.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xigrabdev.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/xigrabdev.c +@@ -47,6 +47,11 @@ int + SProcXIGrabDevice(ClientPtr client) + { + REQUEST(xXIGrabDeviceReq); ++ /* ++ * Check here for at least the length of the struct we swap, then ++ * let ProcXIGrabDevice check the full size after we swap mask_len. ++ */ ++ REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); +@@ -69,7 +74,7 @@ ProcXIGrabDevice(ClientPtr client) + int mask_len; + + REQUEST(xXIGrabDeviceReq); +- REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq); ++ REQUEST_FIXED_SIZE(xXIGrabDeviceReq, ((size_t) stuff->mask_len) * 4); + + ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess); + if (ret != Success) +@@ -118,6 +123,7 @@ int + SProcXIUngrabDevice(ClientPtr client) + { + REQUEST(xXIUngrabDeviceReq); ++ REQUEST_SIZE_MATCH(xXIUngrabDeviceReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); +@@ -135,6 +141,7 @@ ProcXIUngrabDevice(ClientPtr client) + TimeStamp time; + + REQUEST(xXIUngrabDeviceReq); ++ REQUEST_SIZE_MATCH(xXIUngrabDeviceReq); + + ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGetAttrAccess); + if (ret != Success) diff --git a/x11/modular-xorg-server/patches/patch-Xi_xipassivegrab.c b/x11/modular-xorg-server/patches/patch-Xi_xipassivegrab.c new file mode 100644 index 00000000000..d62bd119f29 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-Xi_xipassivegrab.c @@ -0,0 +1,61 @@ +$NetBSD: patch-Xi_xipassivegrab.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xipassivegrab.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/xipassivegrab.c +@@ -53,6 +53,7 @@ SProcXIPassiveGrabDevice(ClientPtr clien + xXIModifierInfo *mods; + + REQUEST(xXIPassiveGrabDeviceReq); ++ REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); +@@ -63,6 +64,8 @@ SProcXIPassiveGrabDevice(ClientPtr clien + swaps(&stuff->mask_len); + swaps(&stuff->num_modifiers); + ++ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq, ++ ((uint32_t) stuff->mask_len + stuff->num_modifiers) *4); + mods = (xXIModifierInfo *) &stuff[1]; + + for (i = 0; i < stuff->num_modifiers; i++, mods++) { +@@ -88,7 +91,8 @@ ProcXIPassiveGrabDevice(ClientPtr client + int mask_len; + + REQUEST(xXIPassiveGrabDeviceReq); +- REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq); ++ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq, ++ ((uint32_t) stuff->mask_len + stuff->num_modifiers) * 4); + + if (stuff->deviceid == XIAllDevices) + dev = inputInfo.all_devices; +@@ -250,6 +254,7 @@ SProcXIPassiveUngrabDevice(ClientPtr cli + uint32_t *modifiers; + + REQUEST(xXIPassiveUngrabDeviceReq); ++ REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq); + + swaps(&stuff->length); + swapl(&stuff->grab_window); +@@ -257,6 +262,8 @@ SProcXIPassiveUngrabDevice(ClientPtr cli + swapl(&stuff->detail); + swaps(&stuff->num_modifiers); + ++ REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq, ++ ((uint32_t) stuff->num_modifiers) << 2); + modifiers = (uint32_t *) &stuff[1]; + + for (i = 0; i < stuff->num_modifiers; i++, modifiers++) +@@ -275,7 +282,8 @@ ProcXIPassiveUngrabDevice(ClientPtr clie + int i, rc; + + REQUEST(xXIPassiveUngrabDeviceReq); +- REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq); ++ REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq, ++ ((uint32_t) stuff->num_modifiers) << 2); + + if (stuff->deviceid == XIAllDevices) + dev = inputInfo.all_devices; diff --git a/x11/modular-xorg-server/patches/patch-Xi_xiproperty.c b/x11/modular-xorg-server/patches/patch-Xi_xiproperty.c new file mode 100644 index 00000000000..6e5c1faf1a9 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-Xi_xiproperty.c @@ -0,0 +1,88 @@ +$NetBSD: patch-Xi_xiproperty.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xiproperty.c.orig 2012-08-19 15:45:55.000000000 +0000 ++++ Xi/xiproperty.c +@@ -1007,10 +1007,9 @@ int + SProcXListDeviceProperties(ClientPtr client) + { + REQUEST(xListDevicePropertiesReq); ++ REQUEST_SIZE_MATCH(xListDevicePropertiesReq); + + swaps(&stuff->length); +- +- REQUEST_SIZE_MATCH(xListDevicePropertiesReq); + return (ProcXListDeviceProperties(client)); + } + +@@ -1031,10 +1030,10 @@ int + SProcXDeleteDeviceProperty(ClientPtr client) + { + REQUEST(xDeleteDevicePropertyReq); ++ REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq); + + swaps(&stuff->length); + swapl(&stuff->property); +- REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq); + return (ProcXDeleteDeviceProperty(client)); + } + +@@ -1042,13 +1041,13 @@ int + SProcXGetDeviceProperty(ClientPtr client) + { + REQUEST(xGetDevicePropertyReq); ++ REQUEST_SIZE_MATCH(xGetDevicePropertyReq); + + swaps(&stuff->length); + swapl(&stuff->property); + swapl(&stuff->type); + swapl(&stuff->longOffset); + swapl(&stuff->longLength); +- REQUEST_SIZE_MATCH(xGetDevicePropertyReq); + return (ProcXGetDeviceProperty(client)); + } + +@@ -1243,11 +1242,10 @@ int + SProcXIListProperties(ClientPtr client) + { + REQUEST(xXIListPropertiesReq); ++ REQUEST_SIZE_MATCH(xXIListPropertiesReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); +- +- REQUEST_SIZE_MATCH(xXIListPropertiesReq); + return (ProcXIListProperties(client)); + } + +@@ -1269,11 +1267,11 @@ int + SProcXIDeleteProperty(ClientPtr client) + { + REQUEST(xXIDeletePropertyReq); ++ REQUEST_SIZE_MATCH(xXIDeletePropertyReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); + swapl(&stuff->property); +- REQUEST_SIZE_MATCH(xXIDeletePropertyReq); + return (ProcXIDeleteProperty(client)); + } + +@@ -1281,6 +1279,7 @@ int + SProcXIGetProperty(ClientPtr client) + { + REQUEST(xXIGetPropertyReq); ++ REQUEST_SIZE_MATCH(xXIGetPropertyReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); +@@ -1288,7 +1287,6 @@ SProcXIGetProperty(ClientPtr client) + swapl(&stuff->type); + swapl(&stuff->offset); + swapl(&stuff->len); +- REQUEST_SIZE_MATCH(xXIGetPropertyReq); + return (ProcXIGetProperty(client)); + } + diff --git a/x11/modular-xorg-server/patches/patch-Xi_xiquerydevice.c b/x11/modular-xorg-server/patches/patch-Xi_xiquerydevice.c new file mode 100644 index 00000000000..d3744402e4c --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-Xi_xiquerydevice.c @@ -0,0 +1,15 @@ +$NetBSD: patch-Xi_xiquerydevice.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xiquerydevice.c.orig 2012-07-24 04:36:54.000000000 +0000 ++++ Xi/xiquerydevice.c +@@ -54,6 +54,7 @@ int + SProcXIQueryDevice(ClientPtr client) + { + REQUEST(xXIQueryDeviceReq); ++ REQUEST_SIZE_MATCH(xXIQueryDeviceReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); diff --git a/x11/modular-xorg-server/patches/patch-Xi_xiquerypointer.c b/x11/modular-xorg-server/patches/patch-Xi_xiquerypointer.c new file mode 100644 index 00000000000..0743eb65d0f --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-Xi_xiquerypointer.c @@ -0,0 +1,16 @@ +$NetBSD: patch-Xi_xiquerypointer.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xiquerypointer.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/xiquerypointer.c +@@ -62,6 +62,8 @@ int + SProcXIQueryPointer(ClientPtr client) + { + REQUEST(xXIQueryPointerReq); ++ REQUEST_SIZE_MATCH(xXIQueryPointerReq); ++ + swaps(&stuff->length); + swaps(&stuff->deviceid); + swapl(&stuff->win); diff --git a/x11/modular-xorg-server/patches/patch-Xi_xiselectev.c b/x11/modular-xorg-server/patches/patch-Xi_xiselectev.c new file mode 100644 index 00000000000..c35dc0e421b --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-Xi_xiselectev.c @@ -0,0 +1,33 @@ +$NetBSD: patch-Xi_xiselectev.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xiselectev.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/xiselectev.c +@@ -63,6 +63,7 @@ int + SProcXISelectEvents(ClientPtr client) + { + int i; ++ int len; + xXIEventMask *evmask; + + REQUEST(xXISelectEventsReq); +@@ -71,10 +72,17 @@ SProcXISelectEvents(ClientPtr client) + swapl(&stuff->win); + swaps(&stuff->num_masks); + ++ len = stuff->length - bytes_to_int32(sizeof(xXISelectEventsReq)); + evmask = (xXIEventMask *) &stuff[1]; + for (i = 0; i < stuff->num_masks; i++) { ++ if (len < bytes_to_int32(sizeof(xXIEventMask))) ++ return BadLength; ++ len -= bytes_to_int32(sizeof(xXIEventMask)); + swaps(&evmask->deviceid); + swaps(&evmask->mask_len); ++ if (len < evmask->mask_len) ++ return BadLength; ++ len -= evmask->mask_len; + evmask = + (xXIEventMask *) (((char *) &evmask[1]) + evmask->mask_len * 4); + } diff --git a/x11/modular-xorg-server/patches/patch-Xi_xisetclientpointer.c b/x11/modular-xorg-server/patches/patch-Xi_xisetclientpointer.c new file mode 100644 index 00000000000..e474e6b1d2b --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-Xi_xisetclientpointer.c @@ -0,0 +1,20 @@ +$NetBSD: patch-Xi_xisetclientpointer.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xisetclientpointer.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/xisetclientpointer.c +@@ -51,10 +51,11 @@ int + SProcXISetClientPointer(ClientPtr client) + { + REQUEST(xXISetClientPointerReq); ++ REQUEST_SIZE_MATCH(xXISetClientPointerReq); ++ + swaps(&stuff->length); + swapl(&stuff->win); + swaps(&stuff->deviceid); +- REQUEST_SIZE_MATCH(xXISetClientPointerReq); + return (ProcXISetClientPointer(client)); + } + diff --git a/x11/modular-xorg-server/patches/patch-Xi_xisetdevfocus.c b/x11/modular-xorg-server/patches/patch-Xi_xisetdevfocus.c new file mode 100644 index 00000000000..1afbff2d5ba --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-Xi_xisetdevfocus.c @@ -0,0 +1,25 @@ +$NetBSD: patch-Xi_xisetdevfocus.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xisetdevfocus.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/xisetdevfocus.c +@@ -44,6 +44,8 @@ int + SProcXISetFocus(ClientPtr client) + { + REQUEST(xXISetFocusReq); ++ REQUEST_AT_LEAST_SIZE(xXISetFocusReq); ++ + swaps(&stuff->length); + swaps(&stuff->deviceid); + swapl(&stuff->focus); +@@ -56,6 +58,8 @@ int + SProcXIGetFocus(ClientPtr client) + { + REQUEST(xXIGetFocusReq); ++ REQUEST_AT_LEAST_SIZE(xXIGetFocusReq); ++ + swaps(&stuff->length); + swaps(&stuff->deviceid); + diff --git a/x11/modular-xorg-server/patches/patch-Xi_xiwarppointer.c b/x11/modular-xorg-server/patches/patch-Xi_xiwarppointer.c new file mode 100644 index 00000000000..cc9a6a200e7 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-Xi_xiwarppointer.c @@ -0,0 +1,16 @@ +$NetBSD: patch-Xi_xiwarppointer.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xiwarppointer.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/xiwarppointer.c +@@ -56,6 +56,8 @@ int + SProcXIWarpPointer(ClientPtr client) + { + REQUEST(xXIWarpPointerReq); ++ REQUEST_SIZE_MATCH(xXIWarpPointerReq); ++ + swaps(&stuff->length); + swapl(&stuff->src_win); + swapl(&stuff->dst_win); diff --git a/x11/modular-xorg-server/patches/patch-configure.ac b/x11/modular-xorg-server/patches/patch-configure.ac new file mode 100644 index 00000000000..09cf16f3cfa --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-configure.ac @@ -0,0 +1,15 @@ +$NetBSD: patch-configure.ac,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- configure.ac.orig 2012-08-27 05:10:47.000000000 +0000 ++++ configure.ac +@@ -2229,6 +2229,7 @@ hw/kdrive/fbdev/Makefile + hw/kdrive/linux/Makefile + hw/kdrive/src/Makefile + test/Makefile ++test/xi1/Makefile + test/xi2/Makefile + xserver.ent + xorg-server.pc diff --git a/x11/modular-xorg-server/patches/patch-dbe_dbe.c b/x11/modular-xorg-server/patches/patch-dbe_dbe.c new file mode 100644 index 00000000000..f13df89db60 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-dbe_dbe.c @@ -0,0 +1,48 @@ +$NetBSD: patch-dbe_dbe.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- dbe/dbe.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ dbe/dbe.c +@@ -453,18 +453,20 @@ ProcDbeSwapBuffers(ClientPtr client) + DbeSwapInfoPtr swapInfo; + xDbeSwapInfo *dbeSwapInfo; + int error; +- register int i, j; +- int nStuff; ++ unsigned int i, j; ++ unsigned int nStuff; + + REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); + nStuff = stuff->n; /* use local variable for performance. */ + + if (nStuff == 0) { ++ REQUEST_SIZE_MATCH(xDbeSwapBuffersReq); + return Success; + } + + if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec)) + return BadAlloc; ++ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo)); + + /* Get to the swap info appended to the end of the request. */ + dbeSwapInfo = (xDbeSwapInfo *) &stuff[1]; +@@ -955,13 +957,16 @@ static int + SProcDbeSwapBuffers(ClientPtr client) + { + REQUEST(xDbeSwapBuffersReq); +- register int i; ++ unsigned int i; + xDbeSwapInfo *pSwapInfo; + + swaps(&stuff->length); + REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); + + swapl(&stuff->n); ++ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec)) ++ return BadAlloc; ++ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo)); + + if (stuff->n != 0) { + pSwapInfo = (xDbeSwapInfo *) stuff + 1; diff --git a/x11/modular-xorg-server/patches/patch-dix_dispatch.c b/x11/modular-xorg-server/patches/patch-dix_dispatch.c new file mode 100644 index 00000000000..13212920e54 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-dix_dispatch.c @@ -0,0 +1,17 @@ +$NetBSD: patch-dix_dispatch.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- dix/dispatch.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ dix/dispatch.c +@@ -1952,6 +1952,9 @@ ProcPutImage(ClientPtr client) + tmpImage = (char *) &stuff[1]; + lengthProto = length; + ++ if (lengthProto >= (INT32_MAX / stuff->height)) ++ return BadLength; ++ + if ((bytes_to_int32(lengthProto * stuff->height) + + bytes_to_int32(sizeof(xPutImageReq))) != client->req_len) + return BadLength; diff --git a/x11/modular-xorg-server/patches/patch-dix_region.c b/x11/modular-xorg-server/patches/patch-dix_region.c new file mode 100644 index 00000000000..0d744f15134 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-dix_region.c @@ -0,0 +1,78 @@ +$NetBSD: patch-dix_region.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- dix/region.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ dix/region.c +@@ -169,7 +169,6 @@ Equipment Corporation. + ((r1)->y1 <= (r2)->y1) && \ + ((r1)->y2 >= (r2)->y2) ) + +-#define xallocData(n) malloc(RegionSizeof(n)) + #define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data) + + #define RECTALLOC_BAIL(pReg,n,bail) \ +@@ -205,8 +204,9 @@ if (!(pReg)->data || (((pReg)->data->num + #define DOWNSIZE(reg,numRects) \ + if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \ + { \ +- RegDataPtr NewData; \ +- NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects)); \ ++ size_t NewSize = RegionSizeof(numRects); \ ++ RegDataPtr NewData = \ ++ (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ; \ + if (NewData) \ + { \ + NewData->size = (numRects); \ +@@ -330,17 +330,20 @@ Bool + RegionRectAlloc(RegionPtr pRgn, int n) + { + RegDataPtr data; ++ size_t rgnSize; + + if (!pRgn->data) { + n++; +- pRgn->data = xallocData(n); ++ rgnSize = RegionSizeof(n); ++ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL; + if (!pRgn->data) + return RegionBreak(pRgn); + pRgn->data->numRects = 1; + *RegionBoxptr(pRgn) = pRgn->extents; + } + else if (!pRgn->data->size) { +- pRgn->data = xallocData(n); ++ rgnSize = RegionSizeof(n); ++ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL; + if (!pRgn->data) + return RegionBreak(pRgn); + pRgn->data->numRects = 0; +@@ -352,7 +355,8 @@ RegionRectAlloc(RegionPtr pRgn, int n) + n = 250; + } + n += pRgn->data->numRects; +- data = (RegDataPtr) realloc(pRgn->data, RegionSizeof(n)); ++ rgnSize = RegionSizeof(n); ++ data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL; + if (!data) + return RegionBreak(pRgn); + pRgn->data = data; +@@ -1297,6 +1301,7 @@ RegionFromRects(int nrects, xRectangle * + { + + RegionPtr pRgn; ++ size_t rgnSize; + RegDataPtr pData; + BoxPtr pBox; + int i; +@@ -1323,7 +1328,8 @@ RegionFromRects(int nrects, xRectangle * + } + return pRgn; + } +- pData = xallocData(nrects); ++ rgnSize = RegionSizeof(nrects); ++ pData = (rgnSize > 0) ? malloc(rgnSize) : NULL; + if (!pData) { + RegionBreak(pRgn); + return pRgn; diff --git a/x11/modular-xorg-server/patches/patch-glx_glxcmds.c b/x11/modular-xorg-server/patches/patch-glx_glxcmds.c new file mode 100644 index 00000000000..f4b953fc785 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-glx_glxcmds.c @@ -0,0 +1,62 @@ +$NetBSD: patch-glx_glxcmds.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/glxcmds.c.orig 2012-08-02 00:59:23.000000000 +0000 ++++ glx/glxcmds.c +@@ -1983,7 +1983,8 @@ __glXDisp_Render(__GLXclientState * cl, + if (entry.varsize) { + /* variable size command */ + extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE, +- client->swapped); ++ client->swapped, ++ left - __GLX_RENDER_HDR_SIZE); + if (extra < 0) { + extra = 0; + } +@@ -2060,6 +2061,7 @@ __glXDisp_RenderLarge(__GLXclientState * + return BadLength; + } + pc += sz_xGLXRenderLargeReq; ++ int left = (req->length << 2) - sz_xGLXRenderLargeReq; + + if (cl->largeCmdRequestsSoFar == 0) { + __GLXrenderSizeData entry; +@@ -2100,7 +2102,8 @@ __glXDisp_RenderLarge(__GLXclientState * + ** will be in the 1st request, so it's okay to do this. + */ + extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE, +- client->swapped); ++ client->swapped, ++ left - __GLX_RENDER_LARGE_HDR_SIZE); + if (extra < 0) { + extra = 0; + } +@@ -2178,17 +2181,16 @@ __glXDisp_RenderLarge(__GLXclientState * + ** This is the last request; it must have enough bytes to complete + ** the command. + */ +- /* NOTE: the two pad macros have been added below; they are needed +- ** because the client library pads the total byte count, but not +- ** the per-request byte counts. The Protocol Encoding says the +- ** total byte count should not be padded, so a proposal will be +- ** made to the ARB to relax the padding constraint on the total +- ** byte count, thus preserving backward compatibility. Meanwhile, +- ** the padding done below fixes a bug that did not allow +- ** large commands of odd sizes to be accepted by the server. ++ /* NOTE: the pad macro below is needed because the client library ++ ** pads the total byte count, but not the per-request byte counts. ++ ** The Protocol Encoding says the total byte count should not be ++ ** padded, so a proposal will be made to the ARB to relax the ++ ** padding constraint on the total byte count, thus preserving ++ ** backward compatibility. Meanwhile, the padding done below ++ ** fixes a bug that did not allow large commands of odd sizes to ++ ** be accepted by the server. + */ +- if (__GLX_PAD(cl->largeCmdBytesSoFar) != +- __GLX_PAD(cl->largeCmdBytesTotal)) { ++ if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) { + client->errorValue = dataBytes; + __glXResetLargeCommandStatus(cl); + return __glXError(GLXBadLargeRequest); diff --git a/x11/modular-xorg-server/patches/patch-glx_glxcmdsswap.c b/x11/modular-xorg-server/patches/patch-glx_glxcmdsswap.c new file mode 100644 index 00000000000..dfc9f6243d2 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-glx_glxcmdsswap.c @@ -0,0 +1,35 @@ +$NetBSD: patch-glx_glxcmdsswap.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/glxcmdsswap.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/glxcmdsswap.c +@@ -962,11 +962,13 @@ __glXDispSwap_RenderLarge(__GLXclientSta + int + __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + xGLXVendorPrivateReq *req; + GLint vendorcode; + __GLXdispatchVendorPrivProcPtr proc; + + __GLX_DECLARE_SWAP_VARIABLES; ++ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq); + + req = (xGLXVendorPrivateReq *) pc; + __GLX_SWAP_SHORT(&req->length); +@@ -989,11 +991,13 @@ __glXDispSwap_VendorPrivate(__GLXclientS + int + __glXDispSwap_VendorPrivateWithReply(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + xGLXVendorPrivateWithReplyReq *req; + GLint vendorcode; + __GLXdispatchVendorPrivProcPtr proc; + + __GLX_DECLARE_SWAP_VARIABLES; ++ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq); + + req = (xGLXVendorPrivateWithReplyReq *) pc; + __GLX_SWAP_SHORT(&req->length); diff --git a/x11/modular-xorg-server/patches/patch-glx_glxserver.h b/x11/modular-xorg-server/patches/patch-glx_glxserver.h new file mode 100644 index 00000000000..82de6cf4a6d --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-glx_glxserver.h @@ -0,0 +1,64 @@ +$NetBSD: patch-glx_glxserver.h,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/glxserver.h.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/glxserver.h +@@ -167,7 +167,7 @@ typedef int (*__GLXprocPtr) (__GLXclient + /* + * Tables for computing the size of each rendering command. + */ +-typedef int (*gl_proto_size_func) (const GLbyte *, Bool); ++typedef int (*gl_proto_size_func) (const GLbyte *, Bool, int); + + typedef struct { + int bytes; +@@ -218,6 +218,47 @@ extern void glxSwapQueryServerStringRepl + * Routines for computing the size of variably-sized rendering commands. + */ + ++static _X_INLINE int ++safe_add(int a, int b) ++{ ++ if (a < 0 || b < 0) ++ return -1; ++ ++ if (INT_MAX - a < b) ++ return -1; ++ ++ return a + b; ++} ++ ++static _X_INLINE int ++safe_mul(int a, int b) ++{ ++ if (a < 0 || b < 0) ++ return -1; ++ ++ if (a == 0 || b == 0) ++ return 0; ++ ++ if (a > INT_MAX / b) ++ return -1; ++ ++ return a * b; ++} ++ ++static _X_INLINE int ++safe_pad(int a) ++{ ++ int ret; ++ ++ if (a < 0) ++ return -1; ++ ++ if ((ret = safe_add(a, 3)) < 0) ++ return -1; ++ ++ return ret & (GLuint)~3; ++} ++ + extern int __glXTypeSize(GLenum enm); + extern int __glXImageSize(GLenum format, GLenum type, + GLenum target, GLsizei w, GLsizei h, GLsizei d, diff --git a/x11/modular-xorg-server/patches/patch-glx_indirect__program.c b/x11/modular-xorg-server/patches/patch-glx_indirect__program.c new file mode 100644 index 00000000000..4f0ecca77fa --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-glx_indirect__program.c @@ -0,0 +1,16 @@ +$NetBSD: patch-glx_indirect__program.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/indirect_program.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/indirect_program.c +@@ -69,6 +69,8 @@ DoGetProgramString(struct __GLXclientSta + __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error); + ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateWithReplyReq, 8); ++ + pc += __GLX_VENDPRIV_HDR_SIZE; + if (cx != NULL) { + GLenum target; diff --git a/x11/modular-xorg-server/patches/patch-glx_indirect__reqsize.c b/x11/modular-xorg-server/patches/patch-glx_indirect__reqsize.c new file mode 100644 index 00000000000..f3af165811a --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-glx_indirect__reqsize.c @@ -0,0 +1,568 @@ +$NetBSD: patch-glx_indirect__reqsize.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/indirect_reqsize.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/indirect_reqsize.c +@@ -31,24 +31,22 @@ + #include "indirect_size.h" + #include "indirect_reqsize.h" + +-#define __GLX_PAD(x) (((x) + 3) & ~3) +- + #if defined(__CYGWIN__) || defined(__MINGW32__) + #undef HAVE_ALIAS + #endif + #ifdef HAVE_ALIAS + #define ALIAS2(from,to) \ +- GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \ ++ GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \ + __attribute__ ((alias( # to ))); + #define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize ) + #else + #define ALIAS(from,to) \ +- GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \ +- { return __glX ## to ## ReqSize( pc, swap ); } ++ GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \ ++ { return __glX ## to ## ReqSize( pc, swap, reqlen ); } + #endif + + int +-__glXCallListsReqSize(const GLbyte * pc, Bool swap) ++__glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 0); + GLenum type = *(GLenum *) (pc + 4); +@@ -60,11 +58,11 @@ __glXCallListsReqSize(const GLbyte * pc, + } + + compsize = __glCallLists_size(type); +- return __GLX_PAD((compsize * n)); ++ return safe_pad(safe_mul(compsize, n)); + } + + int +-__glXBitmapReqSize(const GLbyte * pc, Bool swap) ++__glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -88,7 +86,7 @@ __glXBitmapReqSize(const GLbyte * pc, Bo + } + + int +-__glXFogfvReqSize(const GLbyte * pc, Bool swap) ++__glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 0); + GLsizei compsize; +@@ -98,11 +96,11 @@ __glXFogfvReqSize(const GLbyte * pc, Boo + } + + compsize = __glFogfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXLightfvReqSize(const GLbyte * pc, Bool swap) ++__glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -112,11 +110,11 @@ __glXLightfvReqSize(const GLbyte * pc, B + } + + compsize = __glLightfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXLightModelfvReqSize(const GLbyte * pc, Bool swap) ++__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 0); + GLsizei compsize; +@@ -126,11 +124,11 @@ __glXLightModelfvReqSize(const GLbyte * + } + + compsize = __glLightModelfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXMaterialfvReqSize(const GLbyte * pc, Bool swap) ++__glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -140,11 +138,11 @@ __glXMaterialfvReqSize(const GLbyte * pc + } + + compsize = __glMaterialfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap) ++__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -164,7 +162,7 @@ __glXPolygonStippleReqSize(const GLbyte + } + + int +-__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap) ++__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -174,11 +172,11 @@ __glXTexParameterfvReqSize(const GLbyte + } + + compsize = __glTexParameterfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXTexImage1DReqSize(const GLbyte * pc, Bool swap) ++__glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -206,7 +204,7 @@ __glXTexImage1DReqSize(const GLbyte * pc + } + + int +-__glXTexImage2DReqSize(const GLbyte * pc, Bool swap) ++__glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -236,7 +234,7 @@ __glXTexImage2DReqSize(const GLbyte * pc + } + + int +-__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap) ++__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -246,11 +244,11 @@ __glXTexEnvfvReqSize(const GLbyte * pc, + } + + compsize = __glTexEnvfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXTexGendvReqSize(const GLbyte * pc, Bool swap) ++__glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -260,11 +258,11 @@ __glXTexGendvReqSize(const GLbyte * pc, + } + + compsize = __glTexGendv_size(pname); +- return __GLX_PAD((compsize * 8)); ++ return safe_pad(safe_mul(compsize, 8)); + } + + int +-__glXTexGenfvReqSize(const GLbyte * pc, Bool swap) ++__glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -274,11 +272,11 @@ __glXTexGenfvReqSize(const GLbyte * pc, + } + + compsize = __glTexGenfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap) ++__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei mapsize = *(GLsizei *) (pc + 4); + +@@ -286,11 +284,11 @@ __glXPixelMapfvReqSize(const GLbyte * pc + mapsize = bswap_32(mapsize); + } + +- return __GLX_PAD((mapsize * 4)); ++ return safe_pad(safe_mul(mapsize, 4)); + } + + int +-__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap) ++__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei mapsize = *(GLsizei *) (pc + 4); + +@@ -298,11 +296,11 @@ __glXPixelMapusvReqSize(const GLbyte * p + mapsize = bswap_32(mapsize); + } + +- return __GLX_PAD((mapsize * 2)); ++ return safe_pad(safe_mul(mapsize, 2)); + } + + int +-__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap) ++__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -330,7 +328,7 @@ __glXDrawPixelsReqSize(const GLbyte * pc + } + + int +-__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap) ++__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 0); + +@@ -338,11 +336,11 @@ __glXPrioritizeTexturesReqSize(const GLb + n = bswap_32(n); + } + +- return __GLX_PAD((n * 4) + (n * 4)); ++ return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4))); + } + + int +-__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap) ++__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -370,7 +368,7 @@ __glXTexSubImage1DReqSize(const GLbyte * + } + + int +-__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap) ++__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -400,7 +398,7 @@ __glXTexSubImage2DReqSize(const GLbyte * + } + + int +-__glXColorTableReqSize(const GLbyte * pc, Bool swap) ++__glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -428,7 +426,7 @@ __glXColorTableReqSize(const GLbyte * pc + } + + int +-__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap) ++__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -438,11 +436,11 @@ __glXColorTableParameterfvReqSize(const + } + + compsize = __glColorTableParameterfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXColorSubTableReqSize(const GLbyte * pc, Bool swap) ++__glXColorSubTableReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -470,7 +468,7 @@ __glXColorSubTableReqSize(const GLbyte * + } + + int +-__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap) ++__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -498,7 +496,7 @@ __glXConvolutionFilter1DReqSize(const GL + } + + int +-__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap) ++__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -528,7 +526,7 @@ __glXConvolutionFilter2DReqSize(const GL + } + + int +-__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap) ++__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -538,11 +536,11 @@ __glXConvolutionParameterfvReqSize(const + } + + compsize = __glConvolutionParameterfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXTexImage3DReqSize(const GLbyte * pc, Bool swap) ++__glXTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = *(GLint *) (pc + 8); +@@ -579,7 +577,7 @@ __glXTexImage3DReqSize(const GLbyte * pc + } + + int +-__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap) ++__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = *(GLint *) (pc + 8); +@@ -613,7 +611,7 @@ __glXTexSubImage3DReqSize(const GLbyte * + } + + int +-__glXCompressedTexImage1DARBReqSize(const GLbyte * pc, Bool swap) ++__glXCompressedTexImage1DARBReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei imageSize = *(GLsizei *) (pc + 20); + +@@ -621,11 +619,11 @@ __glXCompressedTexImage1DARBReqSize(cons + imageSize = bswap_32(imageSize); + } + +- return __GLX_PAD(imageSize); ++ return safe_pad(imageSize); + } + + int +-__glXCompressedTexImage2DARBReqSize(const GLbyte * pc, Bool swap) ++__glXCompressedTexImage2DARBReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei imageSize = *(GLsizei *) (pc + 24); + +@@ -633,11 +631,11 @@ __glXCompressedTexImage2DARBReqSize(cons + imageSize = bswap_32(imageSize); + } + +- return __GLX_PAD(imageSize); ++ return safe_pad(imageSize); + } + + int +-__glXCompressedTexImage3DARBReqSize(const GLbyte * pc, Bool swap) ++__glXCompressedTexImage3DARBReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei imageSize = *(GLsizei *) (pc + 28); + +@@ -645,11 +643,11 @@ __glXCompressedTexImage3DARBReqSize(cons + imageSize = bswap_32(imageSize); + } + +- return __GLX_PAD(imageSize); ++ return safe_pad(imageSize); + } + + int +-__glXCompressedTexSubImage3DARBReqSize(const GLbyte * pc, Bool swap) ++__glXCompressedTexSubImage3DARBReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei imageSize = *(GLsizei *) (pc + 36); + +@@ -657,11 +655,11 @@ __glXCompressedTexSubImage3DARBReqSize(c + imageSize = bswap_32(imageSize); + } + +- return __GLX_PAD(imageSize); ++ return safe_pad(imageSize); + } + + int +-__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap) ++__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei len = *(GLsizei *) (pc + 8); + +@@ -669,11 +667,11 @@ __glXProgramStringARBReqSize(const GLbyt + len = bswap_32(len); + } + +- return __GLX_PAD(len); ++ return safe_pad(len); + } + + int +-__glXDrawBuffersARBReqSize(const GLbyte * pc, Bool swap) ++__glXDrawBuffersARBReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 0); + +@@ -681,11 +679,11 @@ __glXDrawBuffersARBReqSize(const GLbyte + n = bswap_32(n); + } + +- return __GLX_PAD((n * 4)); ++ return safe_pad((n * 4)); + } + + int +-__glXPointParameterfvEXTReqSize(const GLbyte * pc, Bool swap) ++__glXPointParameterfvEXTReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 0); + GLsizei compsize; +@@ -695,11 +693,11 @@ __glXPointParameterfvEXTReqSize(const GL + } + + compsize = __glPointParameterfvEXT_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad((compsize * 4)); + } + + int +-__glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap) ++__glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei num = *(GLsizei *) (pc + 8); + +@@ -707,11 +705,11 @@ __glXProgramParameters4dvNVReqSize(const + num = bswap_32(num); + } + +- return __GLX_PAD((num * 32)); ++ return safe_pad((num * 32)); + } + + int +-__glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap) ++__glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei num = *(GLsizei *) (pc + 8); + +@@ -719,11 +717,11 @@ __glXProgramParameters4fvNVReqSize(const + num = bswap_32(num); + } + +- return __GLX_PAD((num * 16)); ++ return safe_pad((num * 16)); + } + + int +-__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap) ++__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 4); + +@@ -731,11 +729,11 @@ __glXVertexAttribs1dvNVReqSize(const GLb + n = bswap_32(n); + } + +- return __GLX_PAD((n * 8)); ++ return safe_pad(safe_mul(n, 8)); + } + + int +-__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap) ++__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 4); + +@@ -743,11 +741,11 @@ __glXVertexAttribs2dvNVReqSize(const GLb + n = bswap_32(n); + } + +- return __GLX_PAD((n * 16)); ++ return safe_pad(safe_mul(n, 16)); + } + + int +-__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap) ++__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 4); + +@@ -755,11 +753,11 @@ __glXVertexAttribs3dvNVReqSize(const GLb + n = bswap_32(n); + } + +- return __GLX_PAD((n * 24)); ++ return safe_pad(safe_mul(n, 24)); + } + + int +-__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap) ++__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 4); + +@@ -767,11 +765,11 @@ __glXVertexAttribs3fvNVReqSize(const GLb + n = bswap_32(n); + } + +- return __GLX_PAD((n * 12)); ++ return safe_pad(safe_mul(n, 12)); + } + + int +-__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap) ++__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 4); + +@@ -779,11 +777,11 @@ __glXVertexAttribs3svNVReqSize(const GLb + n = bswap_32(n); + } + +- return __GLX_PAD((n * 6)); ++ return safe_pad(safe_mul(n, 6)); + } + + int +-__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap) ++__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 4); + +@@ -791,11 +789,11 @@ __glXVertexAttribs4dvNVReqSize(const GLb + n = bswap_32(n); + } + +- return __GLX_PAD((n * 32)); ++ return safe_pad(safe_mul(n, 32)); + } + + int +-__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap) ++__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei len = *(GLsizei *) (pc + 4); + +@@ -803,7 +801,7 @@ __glXProgramNamedParameter4fvNVReqSize(c + len = bswap_32(len); + } + +- return __GLX_PAD(len); ++ return safe_pad(len); + } + + ALIAS(Fogiv, Fogfv) diff --git a/x11/modular-xorg-server/patches/patch-glx_indirect__reqsize.h b/x11/modular-xorg-server/patches/patch-glx_indirect__reqsize.h new file mode 100644 index 00000000000..ed519e0fab5 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-glx_indirect__reqsize.h @@ -0,0 +1,210 @@ +$NetBSD: patch-glx_indirect__reqsize.h,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/indirect_reqsize.h.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/indirect_reqsize.h +@@ -36,128 +36,128 @@ + #define PURE + #endif + +-extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap); ++extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc, +- Bool swap); +-extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap); ++ Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXPolygonStippleReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXTexParameterfvReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXTexParameterivReqSize(const GLbyte * pc, +- Bool swap); +-extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap); ++ Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXTexSubImage1DReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXTexSubImage2DReqSize(const GLbyte * pc, +- Bool swap); +-extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap); ++ Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXColorTableParameterivReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXColorSubTableReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte * pc, +- Bool swap); +-extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap); ++ Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXTexSubImage3DReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXCompressedTexImage1DARBReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXCompressedTexImage2DARBReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXCompressedTexImage3DARBReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXCompressedTexSubImage1DARBReqSize(const GLbyte * +- pc, Bool swap); ++ pc, Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXCompressedTexSubImage2DARBReqSize(const GLbyte * +- pc, Bool swap); ++ pc, Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXCompressedTexSubImage3DARBReqSize(const GLbyte * +- pc, Bool swap); ++ pc, Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXProgramStringARBReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXDrawBuffersARBReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXPointParameterfvEXTReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXLoadProgramNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXProgramParameters4dvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXProgramParameters4fvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXRequestResidentProgramsNVReqSize(const GLbyte * +- pc, Bool swap); ++ pc, Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXPointParameterivNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXProgramNamedParameter4dvNVReqSize(const GLbyte * +- pc, Bool swap); ++ pc, Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXProgramNamedParameter4fvNVReqSize(const GLbyte * +- pc, Bool swap); ++ pc, Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXDeleteFramebuffersEXTReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXDeleteRenderbuffersEXTReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + + #undef PURE + diff --git a/x11/modular-xorg-server/patches/patch-glx_indirect__texture__compression.c b/x11/modular-xorg-server/patches/patch-glx_indirect__texture__compression.c new file mode 100644 index 00000000000..44f58b46169 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-glx_indirect__texture__compression.c @@ -0,0 +1,25 @@ +$NetBSD: patch-glx_indirect__texture__compression.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/indirect_texture_compression.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/indirect_texture_compression.c +@@ -47,6 +47,8 @@ __glXDisp_GetCompressedTexImageARB(struc + __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error); + ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 8); ++ + pc += __GLX_SINGLE_HDR_SIZE; + if (cx != NULL) { + const GLenum target = *(GLenum *) (pc + 0); +@@ -93,6 +95,8 @@ __glXDispSwap_GetCompressedTexImageARB(s + __glXForceCurrent(cl, bswap_32(req->contextTag), &error); + ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 8); ++ + pc += __GLX_SINGLE_HDR_SIZE; + if (cx != NULL) { + const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0)); diff --git a/x11/modular-xorg-server/patches/patch-glx_indirect__util.c b/x11/modular-xorg-server/patches/patch-glx_indirect__util.c new file mode 100644 index 00000000000..7154837c365 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-glx_indirect__util.c @@ -0,0 +1,16 @@ +$NetBSD: patch-glx_indirect__util.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/indirect_util.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/indirect_util.c +@@ -78,7 +78,7 @@ __glXGetAnswerBuffer(__GLXclientState * + void *local_buffer, size_t local_size, unsigned alignment) + { + void *buffer = local_buffer; +- const unsigned mask = alignment - 1; ++ const intptr_t mask = alignment - 1; + + if (local_size < required_size) { + const size_t worst_case_size = required_size + alignment; diff --git a/x11/modular-xorg-server/patches/patch-glx_rensize.c b/x11/modular-xorg-server/patches/patch-glx_rensize.c new file mode 100644 index 00000000000..655b16f1158 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-glx_rensize.c @@ -0,0 +1,96 @@ +$NetBSD: patch-glx_rensize.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/rensize.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/rensize.c +@@ -52,7 +52,7 @@ Map1Size(GLint k, GLint order) + } + + int +-__glXMap1dReqSize(const GLbyte * pc, Bool swap) ++__glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum target; + GLint order, k; +@@ -68,7 +68,7 @@ __glXMap1dReqSize(const GLbyte * pc, Boo + } + + int +-__glXMap1fReqSize(const GLbyte * pc, Bool swap) ++__glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum target; + GLint order, k; +@@ -92,7 +92,7 @@ Map2Size(int k, int majorOrder, int mino + } + + int +-__glXMap2dReqSize(const GLbyte * pc, Bool swap) ++__glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum target; + GLint uorder, vorder, k; +@@ -110,7 +110,7 @@ __glXMap2dReqSize(const GLbyte * pc, Boo + } + + int +-__glXMap2fReqSize(const GLbyte * pc, Bool swap) ++__glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum target; + GLint uorder, vorder, k; +@@ -342,13 +342,14 @@ __glXTypeSize(GLenum enm) + } + + int +-__glXDrawArraysReqSize(const GLbyte * pc, Bool swap) ++__glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc; + __GLXdispatchDrawArraysComponentHeader *compHeader; + GLint numVertexes = hdr->numVertexes; + GLint numComponents = hdr->numComponents; + GLint arrayElementSize = 0; ++ GLint x, size; + int i; + + if (swap) { +@@ -357,6 +358,13 @@ __glXDrawArraysReqSize(const GLbyte * pc + } + + pc += sizeof(__GLXdispatchDrawArraysHeader); ++ reqlen -= sizeof(__GLXdispatchDrawArraysHeader); ++ ++ size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader), ++ numComponents); ++ if (size < 0 || reqlen < 0 || reqlen < size) ++ return -1; ++ + compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc; + + for (i = 0; i < numComponents; i++) { +@@ -400,17 +408,18 @@ __glXDrawArraysReqSize(const GLbyte * pc + return -1; + } + +- arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype)); ++ x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype))); ++ if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0) ++ return -1; + + pc += sizeof(__GLXdispatchDrawArraysComponentHeader); + } + +- return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) + +- (numVertexes * arrayElementSize)); ++ return safe_add(size, safe_mul(numVertexes, arrayElementSize)); + } + + int +-__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap) ++__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + __GLXdispatchConvolutionFilterHeader *hdr = + (__GLXdispatchConvolutionFilterHeader *) pc; diff --git a/x11/modular-xorg-server/patches/patch-glx_single2.c b/x11/modular-xorg-server/patches/patch-glx_single2.c new file mode 100644 index 00000000000..6987707a396 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-glx_single2.c @@ -0,0 +1,115 @@ +$NetBSD: patch-glx_single2.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/single2.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/single2.c +@@ -49,11 +49,14 @@ + int + __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + GLsizei size; + GLenum type; + __GLXcontext *cx; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 8); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -80,10 +83,13 @@ __glXDisp_FeedbackBuffer(__GLXclientStat + int + __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; + GLsizei size; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -108,7 +114,7 @@ __glXDisp_SelectBuffer(__GLXclientState + int + __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc) + { +- ClientPtr client; ++ ClientPtr client = cl->client; + xGLXRenderModeReply reply; + __GLXcontext *cx; + GLint nitems = 0, retBytes = 0, retval, newModeCheck; +@@ -116,6 +122,8 @@ __glXDisp_RenderMode(__GLXclientState * + GLenum newMode; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -192,7 +200,6 @@ __glXDisp_RenderMode(__GLXclientState * + ** selection array, as per the API for glRenderMode itself. + */ + noChangeAllowed:; +- client = cl->client; + reply.length = nitems; + reply.type = X_Reply; + reply.sequenceNumber = client->sequence; +@@ -209,9 +216,12 @@ __glXDisp_RenderMode(__GLXclientState * + int + __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; + int error; + ++ REQUEST_SIZE_MATCH(xGLXSingleReq); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -225,10 +235,12 @@ __glXDisp_Flush(__GLXclientState * cl, G + int + __glXDisp_Finish(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; +- ClientPtr client; + int error; + ++ REQUEST_SIZE_MATCH(xGLXSingleReq); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -319,7 +331,7 @@ __glXcombine_strings(const char *cext_st + int + DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap) + { +- ClientPtr client; ++ ClientPtr client = cl->client; + __GLXcontext *cx; + GLenum name; + const char *string; +@@ -329,6 +341,8 @@ DoGetString(__GLXclientState * cl, GLbyt + char *buf = NULL, *buf1 = NULL; + GLint length = 0; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + /* If the client has the opposite byte order, swap the contextTag and + * the name. + */ +@@ -345,7 +359,6 @@ DoGetString(__GLXclientState * cl, GLbyt + pc += __GLX_SINGLE_HDR_SIZE; + name = *(GLenum *) (pc + 0); + string = (const char *) CALL_GetString(GET_DISPATCH(), (name)); +- client = cl->client; + + if (string == NULL) + string = ""; diff --git a/x11/modular-xorg-server/patches/patch-glx_single2swap.c b/x11/modular-xorg-server/patches/patch-glx_single2swap.c new file mode 100644 index 00000000000..4c4e98d3b3c --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-glx_single2swap.c @@ -0,0 +1,105 @@ +$NetBSD: patch-glx_single2swap.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/single2swap.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/single2swap.c +@@ -45,6 +45,7 @@ + int + __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + GLsizei size; + GLenum type; + +@@ -52,6 +53,8 @@ __glXDispSwap_FeedbackBuffer(__GLXclient + __GLXcontext *cx; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 8); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -81,12 +84,15 @@ __glXDispSwap_FeedbackBuffer(__GLXclient + int + __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; + GLsizei size; + + __GLX_DECLARE_SWAP_VARIABLES; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -113,7 +119,7 @@ __glXDispSwap_SelectBuffer(__GLXclientSt + int + __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc) + { +- ClientPtr client; ++ ClientPtr client = cl->client; + __GLXcontext *cx; + xGLXRenderModeReply reply; + GLint nitems = 0, retBytes = 0, retval, newModeCheck; +@@ -124,6 +130,8 @@ __glXDispSwap_RenderMode(__GLXclientStat + __GLX_DECLARE_SWAP_ARRAY_VARIABLES; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -204,7 +212,6 @@ __glXDispSwap_RenderMode(__GLXclientStat + ** selection array, as per the API for glRenderMode itself. + */ + noChangeAllowed:; +- client = cl->client; + reply.length = nitems; + reply.type = X_Reply; + reply.sequenceNumber = client->sequence; +@@ -226,11 +233,14 @@ __glXDispSwap_RenderMode(__GLXclientStat + int + __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; + int error; + + __GLX_DECLARE_SWAP_VARIABLES; + ++ REQUEST_SIZE_MATCH(xGLXSingleReq); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -245,12 +255,14 @@ __glXDispSwap_Flush(__GLXclientState * c + int + __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; +- ClientPtr client; + int error; + + __GLX_DECLARE_SWAP_VARIABLES; + ++ REQUEST_SIZE_MATCH(xGLXSingleReq); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -262,7 +274,6 @@ __glXDispSwap_Finish(__GLXclientState * + cx->hasUnflushedCommands = GL_FALSE; + + /* Send empty reply packet to indicate finish is finished */ +- client = cl->client; + __GLX_BEGIN_REPLY(0); + __GLX_PUT_RETVAL(0); + __GLX_SWAP_REPLY_HEADER(); diff --git a/x11/modular-xorg-server/patches/patch-glx_singlepix.c b/x11/modular-xorg-server/patches/patch-glx_singlepix.c new file mode 100644 index 00000000000..9131b92171c --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-glx_singlepix.c @@ -0,0 +1,170 @@ +$NetBSD: patch-glx_singlepix.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/singlepix.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/singlepix.c +@@ -55,6 +55,8 @@ __glXDisp_ReadPixels(__GLXclientState * + int error; + char *answer, answerBuffer[200]; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 28); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -68,7 +70,7 @@ __glXDisp_ReadPixels(__GLXclientState * + swapBytes = *(GLboolean *) (pc + 24); + lsbFirst = *(GLboolean *) (pc + 25); + compsize = __glReadPixels_size(format, type, width, height); +- if (compsize < 0) ++ if ((compsize = safe_pad(compsize)) < 0) + compsize = 0; + + CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes)); +@@ -107,6 +109,8 @@ __glXDisp_GetTexImage(__GLXclientState * + char *answer, answerBuffer[200]; + GLint width = 0, height = 0, depth = 1; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 20); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -133,7 +137,7 @@ __glXDisp_GetTexImage(__GLXclientState * + */ + compsize = + __glGetTexImage_size(target, level, format, type, width, height, depth); +- if (compsize < 0) ++ if ((compsize = safe_pad(compsize)) < 0) + compsize = 0; + + CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes)); +@@ -169,6 +173,8 @@ __glXDisp_GetPolygonStipple(__GLXclientS + GLubyte answerBuffer[200]; + char *answer; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -231,15 +237,13 @@ GetSeparableFilter(__GLXclientState * cl + compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); + compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1); + +- if (compsize < 0) ++ if ((compsize = safe_pad(compsize)) < 0) + compsize = 0; +- if (compsize2 < 0) ++ if ((compsize2 = safe_pad(compsize2)) < 0) + compsize2 = 0; +- compsize = __GLX_PAD(compsize); +- compsize2 = __GLX_PAD(compsize2); + + CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes)); +- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1); ++ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1); + __glXClearErrorOccured(); + CALL_GetSeparableFilter(GET_DISPATCH(), (*(GLenum *) (pc + 0), + *(GLenum *) (pc + 4), +@@ -265,7 +269,8 @@ int + __glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -273,7 +278,8 @@ int + __glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -343,7 +349,8 @@ int + __glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -351,7 +358,8 @@ int + __glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -411,7 +419,8 @@ int + __glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -419,7 +428,8 @@ int + __glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -471,7 +481,8 @@ int + __glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -479,7 +490,8 @@ int + __glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -540,7 +552,8 @@ int + __glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -548,6 +561,7 @@ int + __glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } diff --git a/x11/modular-xorg-server/patches/patch-glx_singlepixswap.c b/x11/modular-xorg-server/patches/patch-glx_singlepixswap.c new file mode 100644 index 00000000000..99da7a319a1 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-glx_singlepixswap.c @@ -0,0 +1,152 @@ +$NetBSD: patch-glx_singlepixswap.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/singlepixswap.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/singlepixswap.c +@@ -57,6 +57,8 @@ __glXDispSwap_ReadPixels(__GLXclientStat + int error; + char *answer, answerBuffer[200]; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 28); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -122,6 +124,8 @@ __glXDispSwap_GetTexImage(__GLXclientSta + char *answer, answerBuffer[200]; + GLint width = 0, height = 0, depth = 1; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 20); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -197,6 +201,8 @@ __glXDispSwap_GetPolygonStipple(__GLXcli + + __GLX_DECLARE_SWAP_VARIABLES; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -266,15 +272,13 @@ GetSeparableFilter(__GLXclientState * cl + compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); + compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1); + +- if (compsize < 0) ++ if ((compsize = safe_pad(compsize)) < 0) + compsize = 0; +- if (compsize2 < 0) ++ if ((compsize2 = safe_pad(compsize2)) < 0) + compsize2 = 0; +- compsize = __GLX_PAD(compsize); +- compsize2 = __GLX_PAD(compsize2); + + CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes)); +- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1); ++ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1); + __glXClearErrorOccured(); + CALL_GetSeparableFilter(GET_DISPATCH(), (*(GLenum *) (pc + 0), + *(GLenum *) (pc + 4), +@@ -302,7 +306,9 @@ int + __glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -310,7 +316,9 @@ int + __glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -388,7 +396,9 @@ int + __glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -396,7 +406,9 @@ int + __glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -463,7 +475,9 @@ int + __glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -471,7 +485,9 @@ int + __glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -529,7 +545,9 @@ int + __glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -537,7 +555,9 @@ int + __glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -605,7 +625,9 @@ int + __glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -613,6 +635,8 @@ int + __glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } diff --git a/x11/modular-xorg-server/patches/patch-glx_swap__interval.c b/x11/modular-xorg-server/patches/patch-glx_swap__interval.c new file mode 100644 index 00000000000..8acaa016d80 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-glx_swap__interval.c @@ -0,0 +1,16 @@ +$NetBSD: patch-glx_swap__interval.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/swap_interval.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/swap_interval.c +@@ -50,6 +50,8 @@ DoSwapInterval(__GLXclientState * cl, GL + __GLXcontext *cx; + GLint interval; + ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 4); ++ + cx = __glXLookupContextByTag(cl, tag); + + if ((cx == NULL) || (cx->pGlxScreen == NULL)) { diff --git a/x11/modular-xorg-server/patches/patch-glx_unpack.h b/x11/modular-xorg-server/patches/patch-glx_unpack.h new file mode 100644 index 00000000000..1c22887a8d8 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-glx_unpack.h @@ -0,0 +1,17 @@ +$NetBSD: patch-glx_unpack.h,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/unpack.h.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/unpack.h +@@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply; + ** pointer. + */ + #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \ +- if ((size) > sizeof(answerBuffer)) { \ ++ if (size < 0) return BadLength; \ ++ else if ((size) > sizeof(answerBuffer)) { \ + int bump; \ + if ((cl)->returnBufSize < (size)+(align)) { \ + (cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf, \ diff --git a/x11/modular-xorg-server/patches/patch-hw_xfree86_dri2_dri2ext.c b/x11/modular-xorg-server/patches/patch-hw_xfree86_dri2_dri2ext.c new file mode 100644 index 00000000000..81fd51eda18 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-hw_xfree86_dri2_dri2ext.c @@ -0,0 +1,17 @@ +$NetBSD: patch-hw_xfree86_dri2_dri2ext.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- hw/xfree86/dri2/dri2ext.c.orig 2012-05-17 17:09:03.000000000 +0000 ++++ hw/xfree86/dri2/dri2ext.c +@@ -263,6 +263,9 @@ ProcDRI2GetBuffers(ClientPtr client) + unsigned int *attachments; + + REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4); ++ if (stuff->count > (INT_MAX / 4)) ++ return BadLength; ++ + if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess, + &pDrawable, &status)) + return status; diff --git a/x11/modular-xorg-server/patches/patch-include_dix.h b/x11/modular-xorg-server/patches/patch-include_dix.h new file mode 100644 index 00000000000..6c6a387559c --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-include_dix.h @@ -0,0 +1,21 @@ +$NetBSD: patch-include_dix.h,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- include/dix.h.orig 2012-05-17 17:09:04.000000000 +0000 ++++ include/dix.h +@@ -72,8 +72,13 @@ SOFTWARE. + if ((sizeof(req) >> 2) > client->req_len )\ + return(BadLength) + ++#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra) \ ++ if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \ ++ return(BadLength) ++ + #define REQUEST_FIXED_SIZE(req, n)\ + if (((sizeof(req) >> 2) > client->req_len) || \ ++ (((n) >> 2) >= client->req_len) || \ + (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \ + return(BadLength) + diff --git a/x11/modular-xorg-server/patches/patch-include_regionstr.h b/x11/modular-xorg-server/patches/patch-include_regionstr.h new file mode 100644 index 00000000000..d92f8cc2dfa --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-include_regionstr.h @@ -0,0 +1,32 @@ +$NetBSD: patch-include_regionstr.h,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- include/regionstr.h.orig 2012-05-17 17:09:04.000000000 +0000 ++++ include/regionstr.h +@@ -127,7 +127,10 @@ RegionEnd(RegionPtr reg) + static inline size_t + RegionSizeof(int n) + { +- return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec))); ++ if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec))) ++ return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec))); ++ else ++ return 0; + } + + static inline void +@@ -138,9 +141,10 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect + (_pReg)->data = (RegDataPtr) NULL; + } + else { ++ size_t rgnSize; + (_pReg)->extents = RegionEmptyBox; +- if (((_size) > 1) && ((_pReg)->data = +- (RegDataPtr) malloc(RegionSizeof(_size)))) { ++ if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) && ++ (((_pReg)->data = malloc(rgnSize)) != NULL)) { + (_pReg)->data->size = (_size); + (_pReg)->data->numRects = 0; + } diff --git a/x11/modular-xorg-server/patches/patch-os_access.c b/x11/modular-xorg-server/patches/patch-os_access.c new file mode 100644 index 00000000000..4e434e0aeac --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-os_access.c @@ -0,0 +1,27 @@ +$NetBSD: patch-os_access.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- os/access.c.orig 2012-05-17 17:09:04.000000000 +0000 ++++ os/access.c +@@ -1331,6 +1331,10 @@ GetHosts(pointer *data, int *pnHosts, in + for (host = validhosts; host; host = host->next) { + nHosts++; + n += pad_to_int32(host->len) + sizeof(xHostEntry); ++ /* Could check for INT_MAX, but in reality having more than 1mb of ++ hostnames in the access list is ridiculous */ ++ if (n >= 1048576) ++ break; + } + if (n) { + *data = ptr = malloc(n); +@@ -1339,6 +1343,8 @@ GetHosts(pointer *data, int *pnHosts, in + } + for (host = validhosts; host; host = host->next) { + len = host->len; ++ if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n)) ++ break; + ((xHostEntry *) ptr)->family = host->family; + ((xHostEntry *) ptr)->length = len; + ptr += sizeof(xHostEntry); diff --git a/x11/modular-xorg-server/patches/patch-os_rpcauth.c b/x11/modular-xorg-server/patches/patch-os_rpcauth.c new file mode 100644 index 00000000000..128f6d9cd8e --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-os_rpcauth.c @@ -0,0 +1,18 @@ +$NetBSD: patch-os_rpcauth.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- os/rpcauth.c.orig 2012-05-17 17:09:04.000000000 +0000 ++++ os/rpcauth.c +@@ -66,6 +66,10 @@ authdes_ezdecode(const char *inmsg, int + SVCXPRT xprt; + + temp_inmsg = malloc(len); ++ if (temp_inmsg == NULL) { ++ why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */ ++ return NULL; ++ } + memmove(temp_inmsg, inmsg, len); + + memset((char *) &msg, 0, sizeof(msg)); diff --git a/x11/modular-xorg-server/patches/patch-randr_rrsdispatch.c b/x11/modular-xorg-server/patches/patch-randr_rrsdispatch.c new file mode 100644 index 00000000000..3e947c7f737 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-randr_rrsdispatch.c @@ -0,0 +1,39 @@ +$NetBSD: patch-randr_rrsdispatch.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- randr/rrsdispatch.c.orig 2012-05-17 17:09:05.000000000 +0000 ++++ randr/rrsdispatch.c +@@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client) + { + REQUEST(xRRQueryVersionReq); + ++ REQUEST_SIZE_MATCH(xRRQueryVersionReq); + swaps(&stuff->length); + swapl(&stuff->majorVersion); + swapl(&stuff->minorVersion); +@@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client) + { + REQUEST(xRRGetScreenInfoReq); + ++ REQUEST_SIZE_MATCH(xRRGetScreenInfoReq); + swaps(&stuff->length); + swapl(&stuff->window); + return (*ProcRandrVector[stuff->randrReqType]) (client); +@@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client) + { + REQUEST(xRRSelectInputReq); + ++ REQUEST_SIZE_MATCH(xRRSelectInputReq); + swaps(&stuff->length); + swapl(&stuff->window); + swaps(&stuff->enable); +@@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr + { + REQUEST(xRRConfigureOutputPropertyReq); + ++ REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq); + swaps(&stuff->length); + swapl(&stuff->output); + swapl(&stuff->property); diff --git a/x11/modular-xorg-server/patches/patch-render_render.c b/x11/modular-xorg-server/patches/patch-render_render.c new file mode 100644 index 00000000000..d1e6a95efe3 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-render_render.c @@ -0,0 +1,141 @@ +$NetBSD: patch-render_render.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- render/render.c.orig 2014-12-21 14:51:52.000000000 +0000 ++++ render/render.c +@@ -271,10 +271,11 @@ ProcRenderQueryVersion(ClientPtr client) + + REQUEST(xRenderQueryVersionReq); + ++ REQUEST_SIZE_MATCH(xRenderQueryVersionReq); ++ + pRenderClient->major_version = stuff->majorVersion; + pRenderClient->minor_version = stuff->minorVersion; + +- REQUEST_SIZE_MATCH(xRenderQueryVersionReq); + memset(&rep, 0, sizeof(xRenderQueryVersionReply)); + rep.type = X_Reply; + rep.length = 0; +@@ -1994,7 +1995,7 @@ static int + SProcRenderQueryVersion(ClientPtr client) + { + REQUEST(xRenderQueryVersionReq); +- ++ REQUEST_SIZE_MATCH(xRenderQueryVersionReq); + swaps(&stuff->length); + swapl(&stuff->majorVersion); + swapl(&stuff->minorVersion); +@@ -2005,6 +2006,7 @@ static int + SProcRenderQueryPictFormats(ClientPtr client) + { + REQUEST(xRenderQueryPictFormatsReq); ++ REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq); + swaps(&stuff->length); + return (*ProcRenderVector[stuff->renderReqType]) (client); + } +@@ -2013,6 +2015,7 @@ static int + SProcRenderQueryPictIndexValues(ClientPtr client) + { + REQUEST(xRenderQueryPictIndexValuesReq); ++ REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq); + swaps(&stuff->length); + swapl(&stuff->format); + return (*ProcRenderVector[stuff->renderReqType]) (client); +@@ -2028,6 +2031,7 @@ static int + SProcRenderCreatePicture(ClientPtr client) + { + REQUEST(xRenderCreatePictureReq); ++ REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq); + swaps(&stuff->length); + swapl(&stuff->pid); + swapl(&stuff->drawable); +@@ -2041,6 +2045,7 @@ static int + SProcRenderChangePicture(ClientPtr client) + { + REQUEST(xRenderChangePictureReq); ++ REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq); + swaps(&stuff->length); + swapl(&stuff->picture); + swapl(&stuff->mask); +@@ -2052,6 +2057,7 @@ static int + SProcRenderSetPictureClipRectangles(ClientPtr client) + { + REQUEST(xRenderSetPictureClipRectanglesReq); ++ REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq); + swaps(&stuff->length); + swapl(&stuff->picture); + swaps(&stuff->xOrigin); +@@ -2064,6 +2070,7 @@ static int + SProcRenderFreePicture(ClientPtr client) + { + REQUEST(xRenderFreePictureReq); ++ REQUEST_SIZE_MATCH(xRenderFreePictureReq); + swaps(&stuff->length); + swapl(&stuff->picture); + return (*ProcRenderVector[stuff->renderReqType]) (client); +@@ -2073,6 +2080,7 @@ static int + SProcRenderComposite(ClientPtr client) + { + REQUEST(xRenderCompositeReq); ++ REQUEST_SIZE_MATCH(xRenderCompositeReq); + swaps(&stuff->length); + swapl(&stuff->src); + swapl(&stuff->mask); +@@ -2092,6 +2100,7 @@ static int + SProcRenderScale(ClientPtr client) + { + REQUEST(xRenderScaleReq); ++ REQUEST_SIZE_MATCH(xRenderScaleReq); + swaps(&stuff->length); + swapl(&stuff->src); + swapl(&stuff->dst); +@@ -2192,6 +2201,7 @@ static int + SProcRenderCreateGlyphSet(ClientPtr client) + { + REQUEST(xRenderCreateGlyphSetReq); ++ REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq); + swaps(&stuff->length); + swapl(&stuff->gsid); + swapl(&stuff->format); +@@ -2202,6 +2212,7 @@ static int + SProcRenderReferenceGlyphSet(ClientPtr client) + { + REQUEST(xRenderReferenceGlyphSetReq); ++ REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq); + swaps(&stuff->length); + swapl(&stuff->gsid); + swapl(&stuff->existing); +@@ -2212,6 +2223,7 @@ static int + SProcRenderFreeGlyphSet(ClientPtr client) + { + REQUEST(xRenderFreeGlyphSetReq); ++ REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq); + swaps(&stuff->length); + swapl(&stuff->glyphset); + return (*ProcRenderVector[stuff->renderReqType]) (client); +@@ -2226,6 +2238,7 @@ SProcRenderAddGlyphs(ClientPtr client) + xGlyphInfo *gi; + + REQUEST(xRenderAddGlyphsReq); ++ REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq); + swaps(&stuff->length); + swapl(&stuff->glyphset); + swapl(&stuff->nglyphs); +@@ -2260,6 +2273,7 @@ static int + SProcRenderFreeGlyphs(ClientPtr client) + { + REQUEST(xRenderFreeGlyphsReq); ++ REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq); + swaps(&stuff->length); + swapl(&stuff->glyphset); + SwapRestL(stuff); +@@ -2277,6 +2291,7 @@ SProcRenderCompositeGlyphs(ClientPtr cli + int size; + + REQUEST(xRenderCompositeGlyphsReq); ++ REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq); + + switch (stuff->renderReqType) { + default: diff --git a/x11/modular-xorg-server/patches/patch-test_Makefile.am b/x11/modular-xorg-server/patches/patch-test_Makefile.am new file mode 100644 index 00000000000..bb6c7154d21 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-test_Makefile.am @@ -0,0 +1,16 @@ +$NetBSD: patch-test_Makefile.am,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- test/Makefile.am.orig 2012-05-17 17:09:05.000000000 +0000 ++++ test/Makefile.am +@@ -4,7 +4,7 @@ noinst_PROGRAMS = list string touch + if XORG + # Tests that require at least some DDX functions in order to fully link + # For now, requires xf86 ddx, could be adjusted to use another +-SUBDIRS += xi2 ++SUBDIRS += xi1 xi2 + noinst_PROGRAMS += xkb input xtest misc fixes xfree86 + endif + check_LTLIBRARIES = libxservertest.la diff --git a/x11/modular-xorg-server/patches/patch-test_misc.c b/x11/modular-xorg-server/patches/patch-test_misc.c new file mode 100644 index 00000000000..ee54214a637 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-test_misc.c @@ -0,0 +1,63 @@ +$NetBSD: patch-test_misc.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- test/misc.c.orig 2012-05-17 17:09:05.000000000 +0000 ++++ test/misc.c +@@ -28,6 +28,8 @@ + #include <stdint.h> + #include "misc.h" + #include "scrnintstr.h" ++#include "dix.h" ++#include "dixstruct.h" + + ScreenInfo screenInfo; + +@@ -155,11 +157,46 @@ dix_update_desktop_dimensions(void) + assert_dimensions(-w2, -h2, w2, h2); + } + ++static int ++dix_request_fixed_size_overflow(ClientRec *client) ++{ ++ xReq req = { 0 }; ++ ++ client->req_len = req.length = 1; ++ REQUEST_FIXED_SIZE(req, SIZE_MAX); ++ return Success; ++} ++ ++static int ++dix_request_fixed_size_match(ClientRec *client) ++{ ++ xReq req = { 0 }; ++ ++ client->req_len = req.length = 9; ++ REQUEST_FIXED_SIZE(req, 30); ++ return Success; ++} ++ ++static void ++dix_request_size_checks(void) ++{ ++ ClientRec client = { 0 }; ++ int rc; ++ ++ rc = dix_request_fixed_size_overflow(&client); ++ assert(rc == BadLength); ++ ++ rc = dix_request_fixed_size_match(&client); ++ assert(rc == Success); ++} ++ ++ + int + main(int argc, char **argv) + { + dix_version_compare(); + dix_update_desktop_dimensions(); ++ dix_request_size_checks(); + + return 0; + } diff --git a/x11/modular-xorg-server/patches/patch-test_xi1_Makefile.am b/x11/modular-xorg-server/patches/patch-test_xi1_Makefile.am new file mode 100644 index 00000000000..80216b95023 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-test_xi1_Makefile.am @@ -0,0 +1,42 @@ +$NetBSD: patch-test_xi1_Makefile.am,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- test/xi1/Makefile.am.orig 2014-12-21 14:51:52.000000000 +0000 ++++ test/xi1/Makefile.am +@@ -0,0 +1,34 @@ ++if ENABLE_UNIT_TESTS ++if HAVE_LD_WRAP ++noinst_PROGRAMS = \ ++ protocol-xchangedevicecontrol ++ ++TESTS=$(noinst_PROGRAMS) ++TESTS_ENVIRONMENT = $(XORG_MALLOC_DEBUG_ENV) ++ ++AM_CFLAGS = $(DIX_CFLAGS) @XORG_CFLAGS@ ++AM_CPPFLAGS = @XORG_INCS@ -I$(srcdir)/../xi2 ++TEST_LDADD=../libxservertest.la $(XORG_SYS_LIBS) $(XSERVER_SYS_LIBS) $(GLX_SYS_LIBS) ++COMMON_SOURCES=$(srcdir)/../xi2/protocol-common.c ++ ++if SPECIAL_DTRACE_OBJECTS ++TEST_LDADD += $(OS_LIB) $(DIX_LIB) ++endif ++ ++protocol_xchangedevicecontrol_LDADD=$(TEST_LDADD) ++ ++protocol_xchangedevicecontrol_LDFLAGS=$(AM_LDFLAGS) -Wl,-wrap,WriteToClient ++ ++protocol_xchangedevicecontrol_SOURCES=$(COMMON_SOURCES) protocol-xchangedevicecontrol.c ++ ++else ++# Print that xi1-tests were skipped (exit code 77 for automake test harness) ++TESTS = xi1-tests ++CLEANFILES = $(TESTS) ++ ++xi1-tests: ++ @echo 'echo "ld -wrap support required for xi1 unit tests, skipping"' > $@ ++ @echo 'exit 77' >> $@ ++ $(AM_V_GEN)chmod +x $@ ++endif ++endif diff --git a/x11/modular-xorg-server/patches/patch-test_xi1_protocol-xchangedevicecontrol.c b/x11/modular-xorg-server/patches/patch-test_xi1_protocol-xchangedevicecontrol.c new file mode 100644 index 00000000000..257235d2021 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-test_xi1_protocol-xchangedevicecontrol.c @@ -0,0 +1,130 @@ +$NetBSD: patch-test_xi1_protocol-xchangedevicecontrol.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- test/xi1/protocol-xchangedevicecontrol.c.orig 2014-12-21 14:51:52.000000000 +0000 ++++ test/xi1/protocol-xchangedevicecontrol.c +@@ -0,0 +1,122 @@ ++/** ++ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved. ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a ++ * copy of this software and associated documentation files (the "Software"), ++ * to deal in the Software without restriction, including without limitation ++ * the rights to use, copy, modify, merge, publish, distribute, sublicense, ++ * and/or sell copies of the Software, and to permit persons to whom the ++ * Software is furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice (including the next ++ * paragraph) shall be included in all copies or substantial portions of the ++ * Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL ++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING ++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER ++ * DEALINGS IN THE SOFTWARE. ++ */ ++ ++#ifdef HAVE_DIX_CONFIG_H ++#include <dix-config.h> ++#endif ++ ++/* ++ * Protocol testing for ChangeDeviceControl request. ++ */ ++#include <stdint.h> ++#include <X11/X.h> ++#include <X11/Xproto.h> ++#include <X11/extensions/XIproto.h> ++#include "inputstr.h" ++#include "chgdctl.h" ++ ++#include "protocol-common.h" ++ ++static ClientRec client_request; ++ ++static void ++reply_ChangeDeviceControl(ClientPtr client, int len, char *data, void *userdata) ++{ ++ xChangeDeviceControlReply *rep = (xChangeDeviceControlReply *) data; ++ ++ if (client->swapped) { ++ swapl(&rep->length); ++ swaps(&rep->sequenceNumber); ++ } ++ ++ reply_check_defaults(rep, len, ChangeDeviceControl); ++ ++ /* XXX: check status code in reply */ ++} ++ ++static void ++request_ChangeDeviceControl(ClientPtr client, xChangeDeviceControlReq * req, ++ xDeviceCtl *ctl, int error) ++{ ++ int rc; ++ ++ client_request.req_len = req->length; ++ rc = ProcXChangeDeviceControl(&client_request); ++ assert(rc == error); ++ ++ /* XXX: ChangeDeviceControl doesn't seem to fill in errorValue to check */ ++ ++ client_request.swapped = TRUE; ++ swaps(&req->length); ++ swaps(&req->control); ++ swaps(&ctl->length); ++ swaps(&ctl->control); ++ /* XXX: swap other contents of ctl, depending on type */ ++ rc = SProcXChangeDeviceControl(&client_request); ++ assert(rc == error); ++} ++ ++static unsigned char *data[4096]; /* the request buffer */ ++ ++static void ++test_ChangeDeviceControl(void) ++{ ++ xChangeDeviceControlReq *request = (xChangeDeviceControlReq *) data; ++ xDeviceCtl *control = (xDeviceCtl *) (&request[1]); ++ ++ request_init(request, ChangeDeviceControl); ++ ++ reply_handler = reply_ChangeDeviceControl; ++ ++ client_request = init_client(request->length, request); ++ ++ printf("Testing invalid lengths:\n"); ++ printf(" -- no control struct\n"); ++ request_ChangeDeviceControl(&client_request, request, control, BadLength); ++ ++ printf(" -- xDeviceResolutionCtl\n"); ++ request_init(request, ChangeDeviceControl); ++ request->control = DEVICE_RESOLUTION; ++ control->length = (sizeof(xDeviceResolutionCtl) >> 2); ++ request->length += control->length - 2; ++ request_ChangeDeviceControl(&client_request, request, control, BadLength); ++ ++ printf(" -- xDeviceEnableCtl\n"); ++ request_init(request, ChangeDeviceControl); ++ request->control = DEVICE_ENABLE; ++ control->length = (sizeof(xDeviceEnableCtl) >> 2); ++ request->length += control->length - 2; ++ request_ChangeDeviceControl(&client_request, request, control, BadLength); ++ ++ /* XXX: Test functionality! */ ++} ++ ++int ++main(int argc, char **argv) ++{ ++ init_simple(); ++ ++ test_ChangeDeviceControl(); ++ ++ return 0; ++} diff --git a/x11/modular-xorg-server/patches/patch-test_xi2_protocol-xigetclientpointer.c b/x11/modular-xorg-server/patches/patch-test_xi2_protocol-xigetclientpointer.c new file mode 100644 index 00000000000..7d5718d8541 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-test_xi2_protocol-xigetclientpointer.c @@ -0,0 +1,19 @@ +$NetBSD: patch-test_xi2_protocol-xigetclientpointer.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- test/xi2/protocol-xigetclientpointer.c.orig 2012-05-17 17:09:05.000000000 +0000 ++++ test/xi2/protocol-xigetclientpointer.c +@@ -124,6 +124,11 @@ test_XIGetClientPointer(void) + request.win = INVALID_WINDOW_ID; + request_XIGetClientPointer(&client_request, &request, BadWindow); + ++ printf("Testing invalid length\n"); ++ client_request.req_len -= 4; ++ request_XIGetClientPointer(&client_request, &request, BadLength); ++ client_request.req_len += 4; ++ + test_data.cp_is_set = FALSE; + + printf("Testing window None, unset ClientPointer.\n"); diff --git a/x11/modular-xorg-server/patches/patch-test_xi2_protocol-xipassivegrabdevice.c b/x11/modular-xorg-server/patches/patch-test_xi2_protocol-xipassivegrabdevice.c new file mode 100644 index 00000000000..84f5ddc5941 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-test_xi2_protocol-xipassivegrabdevice.c @@ -0,0 +1,29 @@ +$NetBSD: patch-test_xi2_protocol-xipassivegrabdevice.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- test/xi2/protocol-xipassivegrabdevice.c.orig 2012-05-17 17:09:05.000000000 +0000 ++++ test/xi2/protocol-xipassivegrabdevice.c +@@ -137,6 +137,7 @@ request_XIPassiveGrabDevice(ClientPtr cl + int rc; + int modifiers; + ++ client_request.req_len = req->length; + rc = ProcXIPassiveGrabDevice(&client_request); + assert(rc == error); + +@@ -187,6 +188,13 @@ test_XIPassiveGrabDevice(void) + request_XIPassiveGrabDevice(&client_request, request, BadDevice, + request->deviceid); + ++ printf("Testing invalid length\n"); ++ request->length -= 2; ++ request_XIPassiveGrabDevice(&client_request, request, BadLength, ++ client_request.errorValue); ++ /* re-init request since swapped length test leaves some values swapped */ ++ request_init(request, XIPassiveGrabDevice); ++ request->grab_window = CLIENT_WINDOW_ID; + request->deviceid = XIAllMasterDevices; + + printf("Testing invalid grab types\n"); diff --git a/x11/modular-xorg-server/patches/patch-test_xi2_protocol-xiquerypointer.c b/x11/modular-xorg-server/patches/patch-test_xi2_protocol-xiquerypointer.c new file mode 100644 index 00000000000..d1e0f11a357 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-test_xi2_protocol-xiquerypointer.c @@ -0,0 +1,18 @@ +$NetBSD: patch-test_xi2_protocol-xiquerypointer.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- test/xi2/protocol-xiquerypointer.c.orig 2012-05-17 17:09:05.000000000 +0000 ++++ test/xi2/protocol-xiquerypointer.c +@@ -200,6 +200,10 @@ test_XIQueryPointer(void) + test_data.dev = devices.mouse; + request.deviceid = devices.mouse->id; + request_XIQueryPointer(&client_request, &request, Success); ++ ++ /* test REQUEST_SIZE_MATCH */ ++ client_request.req_len -= 4; ++ request_XIQueryPointer(&client_request, &request, BadLength); + } + + int diff --git a/x11/modular-xorg-server/patches/patch-test_xi2_protocol-xiwarppointer.c b/x11/modular-xorg-server/patches/patch-test_xi2_protocol-xiwarppointer.c new file mode 100644 index 00000000000..90c813ecdc4 --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-test_xi2_protocol-xiwarppointer.c @@ -0,0 +1,17 @@ +$NetBSD: patch-test_xi2_protocol-xiwarppointer.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- test/xi2/protocol-xiwarppointer.c.orig 2012-05-17 17:09:05.000000000 +0000 ++++ test/xi2/protocol-xiwarppointer.c +@@ -197,6 +197,9 @@ test_XIWarpPointer(void) + request_XIWarpPointer(&client_request, &request, Success); + + /* FIXME: src_x/y checks */ ++ ++ client_request.req_len -= 2; /* invalid length */ ++ request_XIWarpPointer(&client_request, &request, BadLength); + } + + int diff --git a/x11/modular-xorg-server/patches/patch-xfixes_select.c b/x11/modular-xorg-server/patches/patch-xfixes_select.c new file mode 100644 index 00000000000..0ccd301977c --- /dev/null +++ b/x11/modular-xorg-server/patches/patch-xfixes_select.c @@ -0,0 +1,15 @@ +$NetBSD: patch-xfixes_select.c,v 1.1 2014/12/21 16:03:17 wiz Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- xfixes/select.c.orig 2012-05-17 17:09:05.000000000 +0000 ++++ xfixes/select.c +@@ -204,6 +204,7 @@ SProcXFixesSelectSelectionInput(ClientPt + { + REQUEST(xXFixesSelectSelectionInputReq); + ++ REQUEST_SIZE_MATCH(xXFixesSelectSelectionInputReq); + swaps(&stuff->length); + swapl(&stuff->window); + swapl(&stuff->selection); |