modular-xorg-server-1.3.0nb5:

Fix a number of buffer-overflows, privacy-leaks and memory corruptions.

17 files changed, 530 insertions, 3 deletions

diff --git a/x11/modular-xorg-server/Makefile b/x11/modular-xorg-server/Makefile
index 59c986289aa..f0709c3f7d9 100644
--- a/x11/modular-xorg-server/Makefile
+++ b/x11/modular-xorg-server/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.24 2008/01/16 00:28:36 joerg Exp $
+# $NetBSD: Makefile,v 1.25 2008/02/25 15:39:16 joerg Exp $
 
 DISTNAME=	xorg-server-1.3.0.0
 PKGNAME=	modular-${DISTNAME}
-PKGREVISION=	4
+PKGREVISION=	5
 CATEGORIES=	x11
 MASTER_SITES=	http://xorg.freedesktop.org/releases/individual/xserver/
 EXTRACT_SUFX=	.tar.bz2
diff --git a/x11/modular-xorg-server/distinfo b/x11/modular-xorg-server/distinfo
index 34ed0383ee4..6a8b92191e6 100644
--- a/x11/modular-xorg-server/distinfo
+++ b/x11/modular-xorg-server/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.19 2008/01/23 03:19:33 tnn Exp $
+$NetBSD: distinfo,v 1.20 2008/02/25 15:39:16 joerg Exp $
 
 SHA1 (MesaLib-6.5.2.tar.bz2) = ba860bb6ee57c02202342dfd5927464a068ea18f
 RMD160 (MesaLib-6.5.2.tar.bz2) = 9a92d69110c066ae6734bcaafb78f222ac2df6d3
@@ -18,6 +18,21 @@ SHA1 (patch-db) = 28913a094c8499536a71c8d4d7ca57a5efb25b39
 SHA1 (patch-dc) = 75df6f37b1cbc9574adb5ee66cb84d0f5ebac853
 SHA1 (patch-dd) = cfb7c9d470098b0fcfcddbe9a1363a14f762fe19
 SHA1 (patch-de) = f887f3fd09406006b6165779b74be780b7fddd18
+SHA1 (patch-ea) = 435ac0e1795c68fa6e125deceb4624564f7ce0dd
+SHA1 (patch-eb) = 925a8a7e7880e545feac439850372548d04e8f87
+SHA1 (patch-ec) = 86959d152174cbc8a03dbe6bde32545b824bfd74
+SHA1 (patch-ed) = dfe8f08c0e061c572e0299cba020da20519b87c2
+SHA1 (patch-ef) = 94cd889105a416f9d72adbc247d00b568207a02f
+SHA1 (patch-eg) = 6953b53d41af088b855d22c6459aa1eefd0d25eb
+SHA1 (patch-eh) = 5e1dbbf82c01bc340d1ef4029cd5352b9fcf775e
+SHA1 (patch-ei) = 893b23b9e67ad640d984c962b93b5db639a780b3
+SHA1 (patch-ej) = 0719d0fa6fb55739a58b157e31f0ae442d57c211
+SHA1 (patch-ek) = de8ee96433a65b9f59804c4e78d6b04496e30d37
+SHA1 (patch-el) = cc7f39c82d017657bb72ff332b65f797bdbdd6fc
+SHA1 (patch-em) = 25ec7e56ceb87ea5bfc53f5734dab84ad15b88ca
+SHA1 (patch-en) = 447e7f996ab7e0179227676a9f7f2c4b51a69d62
+SHA1 (patch-eo) = 499b6d47db383acb0e7fcb90faebf4ede1ccd2a9
+SHA1 (patch-ep) = 0beae9b5cbc5e87c757e22796aed82c1c4436f0e
 SHA1 (patch-sa) = 5586e998e2239b6851291b5f79b2e6009c78b174
 SHA1 (patch-sb) = b769780b446e4f10bc99ccd3373d666daf44f863
 SHA1 (patch-sc) = 33c4d4731e3732032f84946fc17e28d0cba389a6
diff --git a/x11/modular-xorg-server/patches/patch-ea b/x11/modular-xorg-server/patches/patch-ea
new file mode 100644
index 00000000000..73b3491e84c
--- /dev/null
+++ b/x11/modular-xorg-server/patches/patch-ea
@@ -0,0 +1,36 @@
+$NetBSD: patch-ea,v 1.1 2008/02/25 15:39:16 joerg Exp $
+
+--- Xext/EVI.c.orig	2006-09-18 08:04:17.000000000 +0200
++++ Xext/EVI.c
+@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ #include <X11/extensions/XEVIstr.h>
+ #include "EVIstruct.h"
+ #include "modinit.h"
++#include "scrnintstr.h"
+ 
+ #if 0
+ static unsigned char XEVIReqCode = 0;
+@@ -87,10 +88,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
+ {
+     REQUEST(xEVIGetVisualInfoReq);
+     xEVIGetVisualInfoReply rep;
+-    int n, n_conflict, n_info, sz_info, sz_conflict;
++    int i, n, n_conflict, n_info, sz_info, sz_conflict;
+     VisualID32 *conflict;
++    unsigned int total_visuals = 0;
+     xExtendedVisualInfo *eviInfo;
+     int status;
++
++    /*
++     * do this first, otherwise REQUEST_FIXED_SIZE can overflow.  we assume
++     * here that you don't have more than 2^32 visuals over all your screens;
++     * this seems like a safe assumption.
++     */
++    for (i = 0; i < screenInfo.numScreens; i++)
++	total_visuals += screenInfo.screens[i]->numVisuals;
++    if (stuff->n_visual > total_visuals)
++	return BadValue;
++
+     REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
+     status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
+ 		&eviInfo, &n_info, &conflict, &n_conflict);
diff --git a/x11/modular-xorg-server/patches/patch-eb b/x11/modular-xorg-server/patches/patch-eb
new file mode 100644
index 00000000000..ffed16daf0c
--- /dev/null
+++ b/x11/modular-xorg-server/patches/patch-eb
@@ -0,0 +1,14 @@
+$NetBSD: patch-eb,v 1.1 2008/02/25 15:39:16 joerg Exp $
+
+--- Xext/cup.c.orig	2006-09-18 08:04:17.000000000 +0200
++++ Xext/cup.c
+@@ -196,6 +196,9 @@ int ProcGetReservedColormapEntries(
+ 
+     REQUEST_SIZE_MATCH (xXcupGetReservedColormapEntriesReq);
+ 
++    if (stuff->screen >= screenInfo.numScreens)
++	return BadValue;
++
+ #ifndef HAVE_SPECIAL_DESKTOP_COLORS
+     citems[CUP_BLACK_PIXEL].pixel = 
+ 	screenInfo.screens[stuff->screen]->blackPixel;
diff --git a/x11/modular-xorg-server/patches/patch-ec b/x11/modular-xorg-server/patches/patch-ec
new file mode 100644
index 00000000000..0ae3bf77dc7
--- /dev/null
+++ b/x11/modular-xorg-server/patches/patch-ec
@@ -0,0 +1,60 @@
+$NetBSD: patch-ec,v 1.1 2008/02/25 15:39:16 joerg Exp $
+
+--- Xext/sampleEVI.c.orig	2006-09-18 08:04:17.000000000 +0200
++++ Xext/sampleEVI.c
+@@ -35,6 +35,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ #include <X11/extensions/XEVIstr.h>
+ #include "EVIstruct.h"
+ #include "scrnintstr.h"
++
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ static int sampleGetVisualInfo(
+     VisualID32 *visual,
+     int n_visual,
+@@ -43,24 +50,36 @@ static int sampleGetVisualInfo(
+     VisualID32 **conflict_rn,
+     int *n_conflict_rn)
+ {
+-    int max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
++    unsigned int max_sz_evi;
+     VisualID32 *temp_conflict;
+     xExtendedVisualInfo *evi;
+-    int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
++    unsigned int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
+     register int visualI, scrI, sz_evi = 0, conflictI, n_conflict;
+-    *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
+-    if (!*evi_rn)
+-         return BadAlloc;
++
++    if (n_visual > UINT32_MAX/(sz_xExtendedVisualInfo * screenInfo.numScreens))
++	return BadAlloc;
++    max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
++    
+     for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
+         if (screenInfo.screens[scrI]->numVisuals > max_visuals)
+             max_visuals = screenInfo.screens[scrI]->numVisuals;
+     }
++
++    if (n_visual > UINT32_MAX/(sz_VisualID32 * screenInfo.numScreens 
++			       * max_visuals)) 
++	return BadAlloc;
+     max_sz_conflict = n_visual * sz_VisualID32 * screenInfo.numScreens * max_visuals;
++
++    *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
++    if (!*evi_rn)
++         return BadAlloc;
++
+     temp_conflict = (VisualID32 *)xalloc(max_sz_conflict);
+     if (!temp_conflict) {
+         xfree(*evi_rn);
+         return BadAlloc;
+     }
++
+     for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
+         for (visualI = 0; visualI < n_visual; visualI++) {
+ 	    evi[sz_evi].core_visual_id = visual[visualI];
diff --git a/x11/modular-xorg-server/patches/patch-ed b/x11/modular-xorg-server/patches/patch-ed
new file mode 100644
index 00000000000..3063b0c39b1
--- /dev/null
+++ b/x11/modular-xorg-server/patches/patch-ed
@@ -0,0 +1,25 @@
+$NetBSD: patch-ed,v 1.1 2008/02/25 15:39:16 joerg Exp $
+
+--- Xext/security.c.orig	2006-11-16 18:39:03.000000000 +0100
++++ Xext/security.c
+@@ -1567,9 +1567,9 @@ SecurityLoadPropertyAccessList(void)
+ 	return;
+ 
+ #ifndef __UNIXOS2__
+-    f = fopen(SecurityPolicyFile, "r");
++    f = Fopen(SecurityPolicyFile, "r");
+ #else
+-    f = fopen((char*)__XOS2RedirRoot(SecurityPolicyFile), "r");
++    f = Fopen((char*)__XOS2RedirRoot(SecurityPolicyFile), "r");
+ #endif    
+     if (!f)
+     {
+@@ -1653,7 +1653,7 @@ SecurityLoadPropertyAccessList(void)
+     }
+ #endif /* PROPDEBUG */
+ 
+-    fclose(f);
++    Fclose(f);
+ } /* SecurityLoadPropertyAccessList */
+ 
+ 
diff --git a/x11/modular-xorg-server/patches/patch-ef b/x11/modular-xorg-server/patches/patch-ef
new file mode 100644
index 00000000000..ba2d29e4492
--- /dev/null
+++ b/x11/modular-xorg-server/patches/patch-ef
@@ -0,0 +1,100 @@
+$NetBSD: patch-ef,v 1.1 2008/02/25 15:39:16 joerg Exp $
+
+--- Xext/shm.c.orig	2008-02-25 15:43:05.000000000 +0100
++++ Xext/shm.c
+@@ -723,6 +723,8 @@ ProcPanoramiXShmCreatePixmap(
+     int i, j, result;
+     ShmDescPtr shmdesc;
+     REQUEST(xShmCreatePixmapReq);
++    unsigned int width, height, depth;
++    unsigned long size;
+     PanoramiXRes *newPix;
+ 
+     REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
+@@ -732,11 +734,26 @@ ProcPanoramiXShmCreatePixmap(
+     LEGAL_NEW_RESOURCE(stuff->pid, client);
+     VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
+     VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
+-    if (!stuff->width || !stuff->height)
++
++    width = stuff->width;
++    height = stuff->height;
++    depth = stuff->depth;
++    if (!width || !height || !depth)
+     {
+ 	client->errorValue = 0;
+         return BadValue;
+     }
++    if (width > 32767 || height > 32767)
++        return BadAlloc;
++    size = PixmapBytePad(width, depth) * height;
++    if (sizeof(size) == 4) {
++        if (size < width * height)
++            return BadAlloc;
++        /* thankfully, offset is unsigned */
++        if (stuff->offset + size < size)
++            return BadAlloc;
++    }
++
+     if (stuff->depth != 1)
+     {
+         pDepth = pDraw->pScreen->allowedDepths;
+@@ -747,9 +764,7 @@ ProcPanoramiXShmCreatePixmap(
+         return BadValue;
+     }
+ CreatePmap:
+-    VERIFY_SHMSIZE(shmdesc, stuff->offset,
+-		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
+-		   client);
++    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
+ 
+     if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
+ 	return BadAlloc;
+@@ -1047,6 +1062,8 @@ ProcShmCreatePixmap(client)
+     register int i;
+     ShmDescPtr shmdesc;
+     REQUEST(xShmCreatePixmapReq);
++    unsigned int width, height, depth;
++    unsigned long size;
+ 
+     REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
+     client->errorValue = stuff->pid;
+@@ -1055,11 +1072,26 @@ ProcShmCreatePixmap(client)
+     LEGAL_NEW_RESOURCE(stuff->pid, client);
+     VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
+     VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
+-    if (!stuff->width || !stuff->height)
++    
++    width = stuff->width;
++    height = stuff->height;
++    depth = stuff->depth;
++    if (!width || !height || !depth)
+     {
+ 	client->errorValue = 0;
+         return BadValue;
+     }
++    if (width > 32767 || height > 32767)
++	return BadAlloc;
++    size = PixmapBytePad(width, depth) * height;
++    if (sizeof(size) == 4) {
++	if (size < width * height)
++	    return BadAlloc;
++	/* thankfully, offset is unsigned */
++	if (stuff->offset + size < size)
++	    return BadAlloc;
++    }
++
+     if (stuff->depth != 1)
+     {
+         pDepth = pDraw->pScreen->allowedDepths;
+@@ -1070,9 +1102,7 @@ ProcShmCreatePixmap(client)
+         return BadValue;
+     }
+ CreatePmap:
+-    VERIFY_SHMSIZE(shmdesc, stuff->offset,
+-		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
+-		   client);
++    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
+     pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
+ 			    pDraw->pScreen, stuff->width,
+ 			    stuff->height, stuff->depth,
diff --git a/x11/modular-xorg-server/patches/patch-eg b/x11/modular-xorg-server/patches/patch-eg
new file mode 100644
index 00000000000..c957a9f9013
--- /dev/null
+++ b/x11/modular-xorg-server/patches/patch-eg
@@ -0,0 +1,24 @@
+$NetBSD: patch-eg,v 1.1 2008/02/25 15:39:16 joerg Exp $
+
+--- Xi/chgfctl.c.orig	2006-06-06 19:13:52.000000000 +0200
++++ Xi/chgfctl.c
+@@ -451,18 +451,13 @@ ChangeStringFeedback(ClientPtr client, D
+ 		     xStringFeedbackCtl * f)
+ {
+     register char n;
+-    register long *p;
+     int i, j;
+     KeySym *syms, *sup_syms;
+ 
+     syms = (KeySym *) (f + 1);
+     if (client->swapped) {
+ 	swaps(&f->length, n);	/* swapped num_keysyms in calling proc */
+-	p = (long *)(syms);
+-	for (i = 0; i < f->num_keysyms; i++) {
+-	    swapl(p, n);
+-	    p++;
+-	}
++	SwapLongs((CARD32 *) syms, f->num_keysyms);
+     }
+ 
+     if (f->num_keysyms > s->ctrl.max_symbols) {
diff --git a/x11/modular-xorg-server/patches/patch-eh b/x11/modular-xorg-server/patches/patch-eh
new file mode 100644
index 00000000000..ee6b2fecdda
--- /dev/null
+++ b/x11/modular-xorg-server/patches/patch-eh
@@ -0,0 +1,41 @@
+$NetBSD: patch-eh,v 1.1 2008/02/25 15:39:16 joerg Exp $
+
+--- Xi/chgkmap.c.orig	2006-06-06 19:13:52.000000000 +0200
++++ Xi/chgkmap.c
+@@ -79,18 +79,14 @@ int
+ SProcXChangeDeviceKeyMapping(register ClientPtr client)
+ {
+     register char n;
+-    register long *p;
+-    register int i, count;
++    unsigned int count;
+ 
+     REQUEST(xChangeDeviceKeyMappingReq);
+     swaps(&stuff->length, n);
+     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
+-    p = (long *)&stuff[1];
+     count = stuff->keyCodes * stuff->keySymsPerKeyCode;
+-    for (i = 0; i < count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++    REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
++    SwapLongs((CARD32 *) (&stuff[1]), count);
+     return (ProcXChangeDeviceKeyMapping(client));
+ }
+ 
+@@ -106,10 +102,14 @@ ProcXChangeDeviceKeyMapping(register Cli
+     int ret;
+     unsigned len;
+     DeviceIntPtr dev;
++    unsigned int count;
+ 
+     REQUEST(xChangeDeviceKeyMappingReq);
+     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
+ 
++    count = stuff->keyCodes * stuff->keySymsPerKeyCode;
++    REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
++
+     dev = LookupDeviceIntRec(stuff->deviceid);
+     if (dev == NULL) {
+ 	SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0,
diff --git a/x11/modular-xorg-server/patches/patch-ei b/x11/modular-xorg-server/patches/patch-ei
new file mode 100644
index 00000000000..ccdb225a1c5
--- /dev/null
+++ b/x11/modular-xorg-server/patches/patch-ei
@@ -0,0 +1,27 @@
+$NetBSD: patch-ei,v 1.1 2008/02/25 15:39:16 joerg Exp $
+
+--- Xi/chgprop.c.orig	2006-06-06 19:13:52.000000000 +0200
++++ Xi/chgprop.c
+@@ -81,19 +81,15 @@ int
+ SProcXChangeDeviceDontPropagateList(register ClientPtr client)
+ {
+     register char n;
+-    register long *p;
+-    register int i;
+ 
+     REQUEST(xChangeDeviceDontPropagateListReq);
+     swaps(&stuff->length, n);
+     REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
+     swapl(&stuff->window, n);
+     swaps(&stuff->count, n);
+-    p = (long *)&stuff[1];
+-    for (i = 0; i < stuff->count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++    REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
++                      stuff->count * sizeof(CARD32));
++    SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
+     return (ProcXChangeDeviceDontPropagateList(client));
+ }
+ 
diff --git a/x11/modular-xorg-server/patches/patch-ej b/x11/modular-xorg-server/patches/patch-ej
new file mode 100644
index 00000000000..bb63e69a2ce
--- /dev/null
+++ b/x11/modular-xorg-server/patches/patch-ej
@@ -0,0 +1,30 @@
+$NetBSD: patch-ej,v 1.1 2008/02/25 15:39:16 joerg Exp $
+
+--- Xi/grabdev.c.orig	2006-06-06 19:13:52.000000000 +0200
++++ Xi/grabdev.c
+@@ -82,8 +82,6 @@ int
+ SProcXGrabDevice(register ClientPtr client)
+ {
+     register char n;
+-    register long *p;
+-    register int i;
+ 
+     REQUEST(xGrabDeviceReq);
+     swaps(&stuff->length, n);
+@@ -91,11 +89,11 @@ SProcXGrabDevice(register ClientPtr clie
+     swapl(&stuff->grabWindow, n);
+     swapl(&stuff->time, n);
+     swaps(&stuff->event_count, n);
+-    p = (long *)&stuff[1];
+-    for (i = 0; i < stuff->event_count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++
++    if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
++       return BadLength;
++    
++    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
+ 
+     return (ProcXGrabDevice(client));
+ }
diff --git a/x11/modular-xorg-server/patches/patch-ek b/x11/modular-xorg-server/patches/patch-ek
new file mode 100644
index 00000000000..e50f933a9a2
--- /dev/null
+++ b/x11/modular-xorg-server/patches/patch-ek
@@ -0,0 +1,28 @@
+$NetBSD: patch-ek,v 1.1 2008/02/25 15:39:16 joerg Exp $
+
+--- Xi/grabdevb.c.orig	2006-06-06 19:13:52.000000000 +0200
++++ Xi/grabdevb.c
+@@ -80,8 +80,6 @@ int
+ SProcXGrabDeviceButton(register ClientPtr client)
+ {
+     register char n;
+-    register long *p;
+-    register int i;
+ 
+     REQUEST(xGrabDeviceButtonReq);
+     swaps(&stuff->length, n);
+@@ -89,11 +87,9 @@ SProcXGrabDeviceButton(register ClientPt
+     swapl(&stuff->grabWindow, n);
+     swaps(&stuff->modifiers, n);
+     swaps(&stuff->event_count, n);
+-    p = (long *)&stuff[1];
+-    for (i = 0; i < stuff->event_count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++    REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
++                      stuff->event_count * sizeof(CARD32));
++    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
+ 
+     return (ProcXGrabDeviceButton(client));
+ }
diff --git a/x11/modular-xorg-server/patches/patch-el b/x11/modular-xorg-server/patches/patch-el
new file mode 100644
index 00000000000..f038a8f1dad
--- /dev/null
+++ b/x11/modular-xorg-server/patches/patch-el
@@ -0,0 +1,27 @@
+$NetBSD: patch-el,v 1.1 2008/02/25 15:39:16 joerg Exp $
+
+--- Xi/grabdevk.c.orig	2006-06-06 19:13:52.000000000 +0200
++++ Xi/grabdevk.c
+@@ -80,8 +80,6 @@ int
+ SProcXGrabDeviceKey(register ClientPtr client)
+ {
+     register char n;
+-    register long *p;
+-    register int i;
+ 
+     REQUEST(xGrabDeviceKeyReq);
+     swaps(&stuff->length, n);
+@@ -89,11 +87,8 @@ SProcXGrabDeviceKey(register ClientPtr c
+     swapl(&stuff->grabWindow, n);
+     swaps(&stuff->modifiers, n);
+     swaps(&stuff->event_count, n);
+-    p = (long *)&stuff[1];
+-    for (i = 0; i < stuff->event_count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++    REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
++    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
+     return (ProcXGrabDeviceKey(client));
+ }
+ 
diff --git a/x11/modular-xorg-server/patches/patch-em b/x11/modular-xorg-server/patches/patch-em
new file mode 100644
index 00000000000..ce7a5eb7f65
--- /dev/null
+++ b/x11/modular-xorg-server/patches/patch-em
@@ -0,0 +1,28 @@
+$NetBSD: patch-em,v 1.1 2008/02/25 15:39:16 joerg Exp $
+
+--- Xi/selectev.c.orig	2006-11-16 19:01:22.000000000 +0100
++++ Xi/selectev.c
+@@ -84,19 +84,16 @@ int
+ SProcXSelectExtensionEvent(register ClientPtr client)
+ {
+     register char n;
+-    register long *p;
+-    register int i;
+ 
+     REQUEST(xSelectExtensionEventReq);
+     swaps(&stuff->length, n);
+     REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
+     swapl(&stuff->window, n);
+     swaps(&stuff->count, n);
+-    p = (long *)&stuff[1];
+-    for (i = 0; i < stuff->count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++    REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
++                      stuff->count * sizeof(CARD32));
++    SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
++
+     return (ProcXSelectExtensionEvent(client));
+ }
+ 
diff --git a/x11/modular-xorg-server/patches/patch-en b/x11/modular-xorg-server/patches/patch-en
new file mode 100644
index 00000000000..8649ba46562
--- /dev/null
+++ b/x11/modular-xorg-server/patches/patch-en
@@ -0,0 +1,39 @@
+$NetBSD: patch-en,v 1.1 2008/02/25 15:39:16 joerg Exp $
+
+--- Xi/sendexev.c.orig	2006-06-06 19:13:52.000000000 +0200
++++ Xi/sendexev.c
+@@ -83,7 +83,7 @@ int
+ SProcXSendExtensionEvent(register ClientPtr client)
+ {
+     register char n;
+-    register long *p;
++    register CARD32 *p;
+     register int i;
+     xEvent eventT;
+     xEvent *eventP;
+@@ -94,6 +94,11 @@ SProcXSendExtensionEvent(register Client
+     REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
+     swapl(&stuff->destination, n);
+     swaps(&stuff->count, n);
++
++    if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
++       (stuff->num_events * (sizeof(xEvent) >> 2)))
++       return BadLength;
++
+     eventP = (xEvent *) & stuff[1];
+     for (i = 0; i < stuff->num_events; i++, eventP++) {
+ 	proc = EventSwapVector[eventP->u.u.type & 0177];
+@@ -103,11 +108,8 @@ SProcXSendExtensionEvent(register Client
+ 	*eventP = eventT;
+     }
+ 
+-    p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
+-    for (i = 0; i < stuff->count; i++) {
+-	swapl(p, n);
+-	p++;
+-    }
++    p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
++    SwapLongs(p, stuff->count);
+     return (ProcXSendExtensionEvent(client));
+ }
+ 
diff --git a/x11/modular-xorg-server/patches/patch-eo b/x11/modular-xorg-server/patches/patch-eo
new file mode 100644
index 00000000000..ad68e196d85
--- /dev/null
+++ b/x11/modular-xorg-server/patches/patch-eo
@@ -0,0 +1,18 @@
+$NetBSD: patch-eo,v 1.1 2008/02/25 15:39:16 joerg Exp $
+
+--- dix/dixfonts.c.orig	2006-11-16 19:01:22.000000000 +0100
++++ dix/dixfonts.c
+@@ -329,6 +329,13 @@ doOpenFont(ClientPtr client, OFclosurePt
+ 	err = BadFontName;
+ 	goto bail;
+     }
++    /* check values for firstCol, lastCol, firstRow, and lastRow */
++    if (pfont->info.firstCol > pfont->info.lastCol ||
++       pfont->info.firstRow > pfont->info.lastRow ||
++       pfont->info.lastCol - pfont->info.firstCol > 255) {
++       err = AllocError;
++       goto bail;
++    }
+     if (!pfont->fpe)
+ 	pfont->fpe = fpe;
+     pfont->refcnt++;
diff --git a/x11/modular-xorg-server/patches/patch-ep b/x11/modular-xorg-server/patches/patch-ep
new file mode 100644
index 00000000000..8e1d2aa67cb
--- /dev/null
+++ b/x11/modular-xorg-server/patches/patch-ep
@@ -0,0 +1,15 @@
+$NetBSD: patch-ep,v 1.1 2008/02/25 15:39:16 joerg Exp $
+
+--- hw/xfree86/common/xf86MiscExt.c.orig	2006-11-16 19:01:24.000000000 +0100
++++ hw/xfree86/common/xf86MiscExt.c
+@@ -640,6 +640,10 @@ MiscExtPassMessage(int scrnIndex, const 
+ 
+     DEBUG_P("MiscExtPassMessage");
+ 
++    /* should check this in the protocol, but xf86NumScreens isn't exported */
++    if (scrnIndex >= xf86NumScreens)
++	return BadValue;
++
+     if (*pScr->HandleMessage == NULL)
+ 	    return BadImplementation;
+     return (*pScr->HandleMessage)(scrnIndex, msgtype, msgval, retstr);