diff options
Diffstat (limited to 'x11')
69 files changed, 4122 insertions, 0 deletions
diff --git a/x11/modular-xorg-server112/DESCR b/x11/modular-xorg-server112/DESCR new file mode 100644 index 00000000000..232af8063fd --- /dev/null +++ b/x11/modular-xorg-server112/DESCR @@ -0,0 +1,2 @@ +The X.org X11 Server from the modularized source tree of +X.org X11. diff --git a/x11/modular-xorg-server112/MESSAGE b/x11/modular-xorg-server112/MESSAGE new file mode 100644 index 00000000000..53aaae65cbd --- /dev/null +++ b/x11/modular-xorg-server112/MESSAGE @@ -0,0 +1,16 @@ +=========================================================================== +$NetBSD: MESSAGE,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +For the X server to run you need at least some fonts installed. The +recommended approach is to install the entire modular-xorg-fonts +meta-package, but failing that the minimum set required is: + + fonts/font-alias + fonts/font-misc-misc + fonts/font-cursor-misc + +This package does *not* depend on these font packages directly as +in some circumstances installing extra copies from pkgsrc would be +redundant or possibly harmful. + +=========================================================================== diff --git a/x11/modular-xorg-server112/Makefile b/x11/modular-xorg-server112/Makefile new file mode 100644 index 00000000000..3bd9267d541 --- /dev/null +++ b/x11/modular-xorg-server112/Makefile @@ -0,0 +1,183 @@ +# $NetBSD: Makefile,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +DISTNAME= xorg-server-1.12.4 +PKGNAME= modular-${DISTNAME} +PKGREVISION= 12 +CATEGORIES= x11 +MASTER_SITES= ${MASTER_SITE_XORG:=xserver/} +EXTRACT_SUFX= .tar.bz2 + +MAINTAINER= pkgsrc-users@NetBSD.org +HOMEPAGE= http://xorg.freedesktop.org/ +COMMENT= Modular X11 server from modular X.org + +SPECIAL_PERMS+= bin/Xorg ${SETUID_ROOT_PERMS} + +GNU_CONFIGURE= yes +USE_LIBTOOL= yes +USE_TOOLS+= gmake pkg-config +USE_LANGUAGES+= c99 + +PKGCONFIG_OVERRIDE+= xorg-server.pc.in +SHLIBTOOL_OVERRIDE= # empty + +BUILD_DEFS+= VARBASE +BUILD_DEFS_EFFECTS+= XKB_OUTPUT_DIR + +OWN_DIRS+= ${VARBASE}/log +OWN_DIRS+= ${XKB_OUTPUT_DIR} +XKB_OUTPUT_DIR?= ${VARBASE}/db/xkb # XXX sync with xkeyboard-config + +CONFIGURE_ARGS+= --localstatedir=${VARBASE:Q} +CONFIGURE_ARGS+= --with-xkb-output=${XKB_OUTPUT_DIR:Q} + +.if !empty(USE_TOOLS:Mauto*) +TOOLS_DEPENDS+= xorg-util-macros>=1.1.5:../../devel/xorg-util-macros +.endif + +DEPENDS+= xkbcomp-[0-9]*:../../x11/xkbcomp +DEPENDS+= xkeyboard-config-[0-9]*:../../x11/xkeyboard-config + +.include "../../mk/bsd.prefs.mk" + +.if ${OPSYS} == "NetBSD" +CONFIGURE_ARGS+= --with-builder-addr="tech-x11@NetBSD.org" +CONFIGURE_ARGS+= --with-os-vendor="The NetBSD Foundation" +# TLS is not supported by NetBSD<6 +. if !empty(OS_VERSION:M[0-5].*) +CONFIGURE_ENV+= ac_cv_tls=no +CONFIGURE_ARGS+= --disable-glx-tls +. endif +.endif +CONFIGURE_ARGS+= --with-os-name=${MACHINE_PLATFORM:Q} + +CONFIGURE_ARGS+= --enable-xorg + +CONFIGURE_ARGS+= --with-fontrootdir=${PREFIX}/share/fonts/X11 + +LEGACY_FONT_PATHS= +DEFAULT_FONT_PATHS= +.for f in misc TTF OTF Type1 100dpi 75dpi cyrillic +DEFAULT_FONT_PATHS+= ${PREFIX}/share/fonts/X11/${f} +LEGACY_FONT_PATHS+= ${PREFIX}/lib/X11/fonts/${f} +.endfor +FONT_PATHS= ${DEFAULT_FONT_PATHS} ${LEGACY_FONT_PATHS} + +CONFIGURE_ARGS+= --with-default-font-path=${FONT_PATHS:ts,:Q} + +CONFIGURE_ARGS+= --disable-config-hal +CONFIGURE_ARGS+= --disable-dmx +CONFIGURE_ARGS+= --disable-xwin +CONFIGURE_ARGS+= --disable-xephyr +CONFIGURE_ARGS+= --disable-kdrive +#CONFIGURE_ARGS+= --disable-kdrive-vesa +CONFIGURE_ARGS+= --disable-xfake +CONFIGURE_ARGS+= --disable-xfbdev + +CONFIGURE_ARGS+= --with-int10=x86emu + +CONFIGURE_ENV+= APP_MAN_SUFFIX=1 FILE_MAN_SUFFIX=5 +CONFIGURE_ENV+= DRIVER_MAN_SUFFIX=4 + +PLIST_VARS+= sunos +PLIST_SUBST+= SUNOS_ARCH=${SUNOS_ARCH} + +.if ${OPSYS} == "SunOS" +PLIST.sunos= yes +. if ${MACHINE_ARCH} == "i386" +SUNOS_ARCH= ia32 +. elif ${MACHINE_ARCH} == "amd64" || ${MACHINE_ARCH} == "x86_64" +SUNOS_ARCH= amd64 +. elif ${MACHINE_ARCH} == "sparc" || ${MACHINE_ARCH} == "sparc64" +SUNOS_ARCH= sparcv8plus +. endif +.endif + +# Workaround for PR#41556. +# Avoid to use bsd_kqueue_apm, force to use bsd_apm instead. +.if ${OPSYS} == "NetBSD" +CONFIGURE_ENV+= ac_cv_header_sys_event_h=no +.endif + +INSTALLATION_DIRS+= lib/xorg/modules/drivers lib/xorg/modules/input + +BUILDLINK_API_DEPENDS.MesaLib+= MesaLib>=7.8.0<10 +BUILDLINK_API_DEPENDS.compositeproto+= compositeproto>=0.4 +BUILDLINK_API_DEPENDS.fixesproto+= fixesproto>=5.0 +BUILDLINK_API_DEPENDS.damageproto+= damageproto>=1.1 +BUILDLINK_API_DEPENDS.xcmiscproto+= xcmiscproto>=1.2.0 +BUILDLINK_API_DEPENDS.xtrans+= xtrans>=1.2.2 +BUILDLINK_API_DEPENDS.bigreqsproto+= bigreqsproto>=1.1.0 +BUILDLINK_API_DEPENDS.xproto+= xproto>=7.0.22 +BUILDLINK_API_DEPENDS.xextproto+= xextproto>=7.1.99 +BUILDLINK_API_DEPENDS.recordproto+= recordproto>=1.13.99.1 +BUILDLINK_API_DEPENDS.scrnsaverproto+= scrnsaverproto>=1.1 +BUILDLINK_API_DEPENDS.resourceproto+= resourceproto>=1.2.0 +BUILDLINK_API_DEPENDS.dri+= dri>=7.8 +BUILDLINK_API_DEPENDS.xfont+= xfont>=1.4.2 +BUILDLINK_API_DEPENDS.glproto+= glproto>=1.4.16 +BUILDLINK_API_DEPENDS.inputproto+= inputproto>=2.1.99.6 +BUILDLINK_API_DEPENDS.kbproto+= kbproto>=1.0.3 +BUILDLINK_API_DEPENDS.pixman+= pixman>=0.21.8 +BUILDLINK_API_DEPENDS.randrproto+= randrproto>=1.4.0 +BUILDLINK_API_DEPENDS.renderproto+= renderproto>=0.11 +BUILDLINK_API_DEPENDS.xf86dgaproto+= xf86dgaproto>=2.0.3 +BUILDLINK_API_DEPENDS.xf86driproto+= xf86driproto>=2.1.0 + +BUILD_DEPENDS+= tradcpp-[0-9]*:../../devel/tradcpp +CONFIGURE_ENV+= ac_cv_path_RAWCPP="${PREFIX}/bin/tradcpp -Uunix" + +.include "options.mk" + +.include "../../devel/ncurses/buildlink3.mk" +.include "../../devel/zlib/buildlink3.mk" +.include "../../fonts/libfontenc/buildlink3.mk" +.include "../../graphics/MesaLib/buildlink3.mk" +.include "../../security/openssl/buildlink3.mk" +BUILDLINK_API_DEPENDS.libpciaccess+= libpciaccess>=0.11.0 +BUILDLINK_DEPMETHOD.libpciaccess= full +.include "../../sysutils/libpciaccess/buildlink3.mk" +.include "../../x11/bigreqsproto/buildlink3.mk" +.include "../../x11/compositeproto/buildlink3.mk" +.include "../../x11/damageproto/buildlink3.mk" +.include "../../x11/dri2proto/buildlink3.mk" +.include "../../x11/evieext/buildlink3.mk" +.include "../../x11/fixesproto/buildlink3.mk" +.include "../../x11/fontsproto/buildlink3.mk" +.include "../../x11/glproto/buildlink3.mk" +.include "../../x11/inputproto/buildlink3.mk" +.include "../../x11/libX11/buildlink3.mk" +.include "../../x11/libXau/buildlink3.mk" +.include "../../x11/libXaw/buildlink3.mk" +BUILDLINK_API_DEPENDS.libXext+= libXext>=1.1.1 +.include "../../x11/libXext/buildlink3.mk" +.include "../../x11/libXfixes/buildlink3.mk" +.include "../../x11/libXfont/buildlink3.mk" +.include "../../x11/libXt/buildlink3.mk" +.include "../../x11/libXxf86misc/buildlink3.mk" +.include "../../x11/libXxf86vm/buildlink3.mk" +.include "../../x11/libXinerama/buildlink3.mk" +.include "../../x11/libdrm/buildlink3.mk" +.include "../../x11/libxkbfile/buildlink3.mk" +.include "../../x11/libxkbui/buildlink3.mk" +.include "../../x11/pixman/buildlink3.mk" +.include "../../x11/randrproto/buildlink3.mk" +.include "../../x11/recordproto/buildlink3.mk" +.include "../../x11/renderproto/buildlink3.mk" +.include "../../x11/resourceproto/buildlink3.mk" +.include "../../x11/scrnsaverproto/buildlink3.mk" +.include "../../x11/trapproto/buildlink3.mk" +.include "../../x11/videoproto/buildlink3.mk" +.include "../../x11/xcmiscproto/buildlink3.mk" +.include "../../x11/xextproto/buildlink3.mk" +.include "../../x11/kbproto/buildlink3.mk" +.include "../../x11/xf86bigfontproto/buildlink3.mk" +.include "../../x11/xf86dgaproto/buildlink3.mk" +.include "../../x11/xf86driproto/buildlink3.mk" +.include "../../x11/xf86miscproto/buildlink3.mk" +.include "../../x11/xf86vidmodeproto/buildlink3.mk" +.include "../../x11/xineramaproto/buildlink3.mk" +.include "../../x11/xproto/buildlink3.mk" +.include "../../x11/xtrans/buildlink3.mk" + +.include "../../mk/bsd.pkg.mk" diff --git a/x11/modular-xorg-server112/PLIST b/x11/modular-xorg-server112/PLIST new file mode 100644 index 00000000000..1faf5cfc1df --- /dev/null +++ b/x11/modular-xorg-server112/PLIST @@ -0,0 +1,213 @@ +@comment $NetBSD: PLIST,v 1.1 2015/04/03 09:46:18 tnn Exp $ +bin/X +bin/Xnest +bin/Xorg +bin/Xvfb +bin/cvt +bin/gtf +include/xorg/BT.h +include/xorg/IBM.h +include/xorg/TI.h +include/xorg/XIstubs.h +include/xorg/Xprintf.h +include/xorg/bt829.h +include/xorg/callback.h +include/xorg/client.h +include/xorg/closestr.h +include/xorg/closure.h +include/xorg/colormap.h +include/xorg/colormapst.h +include/xorg/compiler.h +include/xorg/compositeext.h +include/xorg/cursor.h +include/xorg/cursorstr.h +include/xorg/damage.h +include/xorg/damagestr.h +include/xorg/dbestruct.h +include/xorg/dgaproc.h +include/xorg/dix.h +include/xorg/dixaccess.h +include/xorg/dixevents.h +include/xorg/dixfont.h +include/xorg/dixfontstr.h +include/xorg/dixgrabs.h +include/xorg/dixstruct.h +${PLIST.dri}include/xorg/dri.h +include/xorg/dri2.h +${PLIST.dri}include/xorg/dristruct.h +include/xorg/edid.h +include/xorg/events.h +include/xorg/exa.h +include/xorg/exevents.h +include/xorg/extension.h +include/xorg/extinit.h +include/xorg/extnsionst.h +include/xorg/fb.h +include/xorg/fbdevhw.h +include/xorg/fboverlay.h +include/xorg/fbpict.h +include/xorg/fbrop.h +include/xorg/fi1236.h +include/xorg/fourcc.h +include/xorg/gc.h +include/xorg/gcstruct.h +include/xorg/geext.h +include/xorg/geint.h +include/xorg/globals.h +include/xorg/glyphstr.h +include/xorg/hotplug.h +include/xorg/i2c_def.h +include/xorg/input.h +include/xorg/inputstr.h +include/xorg/list.h +include/xorg/mi.h +include/xorg/mibstore.h +include/xorg/micmap.h +include/xorg/micoord.h +include/xorg/mifillarc.h +include/xorg/mifpoly.h +include/xorg/migc.h +include/xorg/miline.h +include/xorg/mioverlay.h +include/xorg/mipict.h +include/xorg/mipointer.h +include/xorg/mipointrst.h +include/xorg/misc.h +include/xorg/miscstruct.h +include/xorg/mispans.h +include/xorg/mistruct.h +include/xorg/misync.h +include/xorg/misyncstr.h +include/xorg/miwideline.h +include/xorg/mizerarc.h +include/xorg/msp3430.h +include/xorg/opaque.h +include/xorg/optionstr.h +include/xorg/os.h +include/xorg/panoramiX.h +include/xorg/panoramiXsrv.h +include/xorg/picture.h +include/xorg/picturestr.h +include/xorg/pixmap.h +include/xorg/pixmapstr.h +include/xorg/privates.h +include/xorg/property.h +include/xorg/propertyst.h +include/xorg/ptrveloc.h +include/xorg/randrstr.h +include/xorg/region.h +include/xorg/regionstr.h +include/xorg/registry.h +include/xorg/resource.h +include/xorg/rgb.h +include/xorg/rrtransform.h +${PLIST.dri}include/xorg/sarea.h +include/xorg/screenint.h +include/xorg/scrnintstr.h +include/xorg/selection.h +include/xorg/servermd.h +include/xorg/shadow.h +include/xorg/shadowfb.h +include/xorg/shmint.h +include/xorg/site.h +${PLIST.sunos}include/xorg/solaris-${SUNOS_ARCH}.il +include/xorg/swaprep.h +include/xorg/swapreq.h +include/xorg/syncsdk.h +include/xorg/tda8425.h +include/xorg/tda9850.h +include/xorg/tda9885.h +include/xorg/uda1380.h +include/xorg/validate.h +include/xorg/vbe.h +include/xorg/vbeModes.h +include/xorg/vgaHW.h +include/xorg/vidmodeproc.h +include/xorg/wfbrename.h +include/xorg/window.h +include/xorg/windowstr.h +include/xorg/xaarop.h +include/xorg/xaa.h +include/xorg/xaalocal.h +include/xorg/xace.h +include/xorg/xacestr.h +include/xorg/xf86.h +include/xorg/xf86Crtc.h +include/xorg/xf86Cursor.h +include/xorg/xf86DDC.h +include/xorg/xf86Modes.h +include/xorg/xf86Module.h +include/xorg/xf86Opt.h +include/xorg/xf86Optionstr.h +include/xorg/xf86Optrec.h +include/xorg/xf86Parser.h +include/xorg/xf86Pci.h +include/xorg/xf86PciInfo.h +include/xorg/xf86Priv.h +include/xorg/xf86Privstr.h +include/xorg/xf86RamDac.h +include/xorg/xf86RandR12.h +include/xorg/xf86Rename.h +include/xorg/xf86VGAarbiter.h +include/xorg/xf86Xinput.h +include/xorg/xf86_OSlib.h +include/xorg/xf86_OSproc.h +include/xorg/xf86cmap.h +include/xorg/xf86fbman.h +include/xorg/xf86i2c.h +include/xorg/xf86int10.h +include/xorg/xf86sbusBus.h +include/xorg/xf86str.h +include/xorg/xf86xv.h +include/xorg/xf86xvmc.h +include/xorg/xf86xvpriv.h +include/xorg/xfixes.h +include/xorg/xisb.h +include/xorg/xkbfile.h +include/xorg/xkbrules.h +include/xorg/xkbsrv.h +include/xorg/xkbstr.h +include/xorg/xorg-server.h +include/xorg/xorgVersion.h +include/xorg/xserver-properties.h +include/xorg/xvdix.h +include/xorg/xvmcext.h +lib/pkgconfig/xorg-server.pc +${PLIST.dri}lib/xorg/modules/extensions/libdbe.la +${PLIST.dri}lib/xorg/modules/extensions/libdri.la +${PLIST.dri}lib/xorg/modules/extensions/libdri2.la +${PLIST.dri}lib/xorg/modules/extensions/libextmod.la +${PLIST.dri}lib/xorg/modules/extensions/libglx.la +${PLIST.dri}lib/xorg/modules/extensions/librecord.la +lib/xorg/modules/libexa.la +lib/xorg/modules/libfb.la +lib/xorg/modules/libfbdevhw.la +lib/xorg/modules/libint10.la +lib/xorg/modules/libshadow.la +lib/xorg/modules/libshadowfb.la +lib/xorg/modules/libvbe.la +lib/xorg/modules/libvgahw.la +lib/xorg/modules/libwfb.la +lib/xorg/modules/libxaa.la +lib/xorg/modules/multimedia/bt829_drv.la +lib/xorg/modules/multimedia/fi1236_drv.la +lib/xorg/modules/multimedia/msp3430_drv.la +lib/xorg/modules/multimedia/tda8425_drv.la +lib/xorg/modules/multimedia/tda9850_drv.la +lib/xorg/modules/multimedia/tda9885_drv.la +lib/xorg/modules/multimedia/uda1380_drv.la +lib/xorg/protocol.txt +man/man1/Xnest.1 +man/man1/Xorg.1 +man/man1/Xserver.1 +man/man1/Xvfb.1 +man/man1/cvt.1 +man/man1/gtf.1 +man/man4/exa.4 +man/man4/fbdevhw.4 +man/man5/xorg.conf.5 +man/man5/xorg.conf.d.5 +share/aclocal/xorg-server.m4 +${PLIST.dtrace}share/doc/xorg-server/Xserver-DTrace.xml +@pkgdir lib/xorg/modules/input +@pkgdir lib/xorg/modules/drivers diff --git a/x11/modular-xorg-server112/distinfo b/x11/modular-xorg-server112/distinfo new file mode 100644 index 00000000000..794710321f8 --- /dev/null +++ b/x11/modular-xorg-server112/distinfo @@ -0,0 +1,68 @@ +$NetBSD: distinfo,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +SHA1 (xorg-server-1.12.4.tar.bz2) = 6d616874f9c7677bda08dc073c03f83e78fbc585 +RMD160 (xorg-server-1.12.4.tar.bz2) = 4907b5dc42efd6b3fb6bf9d64f1441080a6a6983 +Size (xorg-server-1.12.4.tar.bz2) = 5444761 bytes +SHA1 (patch-Xext_xcmisc.c) = 8bf7ff8c928b14f6e98d2f1240ea5736bcf43021 +SHA1 (patch-Xext_xvdisp.c) = 5c85a221d11f9893bc68d223cf75e63c00586a9f +SHA1 (patch-Xi_chgdctl.c) = 0bba99d4fe90832d9f364aa4d2eef4ba7f18ff24 +SHA1 (patch-Xi_chgfctl.c) = 1fb0fb890fc28e5374a00cc29aeee8ae1401f41c +SHA1 (patch-Xi_sendexev.c) = 387d7382ad31b85530cdfb068831b29cf2f15755 +SHA1 (patch-Xi_xiallowev.c) = 4d10addbd669bd3b867b6e209e876806c402f3e2 +SHA1 (patch-Xi_xichangecursor.c) = f123415ca0b481bca7f43731992d8ce3ef842aac +SHA1 (patch-Xi_xichangehierarchy.c) = 35ac279d2f7c4ed57bc583df2067a13c1dbee1bf +SHA1 (patch-Xi_xigetclientpointer.c) = 7bac39459d98cf13fcd33582a594f67c53936881 +SHA1 (patch-Xi_xigrabdev.c) = 882474440142ffd1874b018d2cb3bceeff3c12ce +SHA1 (patch-Xi_xipassivegrab.c) = 2a8c97b5e963ae48711db4e9e6c1e7fc6d49d645 +SHA1 (patch-Xi_xiproperty.c) = ba3fd9f9305f95ecf616cea5b221aa2a5de03096 +SHA1 (patch-Xi_xiquerydevice.c) = 33d70ace5b969521e573eb4ce416185b910374db +SHA1 (patch-Xi_xiquerypointer.c) = e9dc180b4697d7a519d470e4f879a61dd64be2f2 +SHA1 (patch-Xi_xiselectev.c) = a17d893af3855f8676f4747defcb2b6866db0ec6 +SHA1 (patch-Xi_xisetclientpointer.c) = 3e1c4c7087383474f39362f9b53bc449d35b28ee +SHA1 (patch-Xi_xisetdevfocus.c) = add3a8f096fa90c9966128f8641e447c570a8a11 +SHA1 (patch-Xi_xiwarppointer.c) = 0567dcc1ff2f8de4fa5caf865edd084611ff8c5c +SHA1 (patch-configure) = 031bc0accf1dd71ed687e7aac3fcc9498cb06784 +SHA1 (patch-configure.ac) = c7dc061377e3bb25425ad3f418c40a45a0e55440 +SHA1 (patch-dbe_dbe.c) = 7c31812b30613b42e509677b6a430d261046a77a +SHA1 (patch-dix_dispatch.c) = 454ce12b27d3906b22f32d7d4c1a3a6a6fb549e3 +SHA1 (patch-dix_dixfonts.c) = 2f1fd51c538eab12c06b85c4ddab18af25338174 +SHA1 (patch-dix_region.c) = 0a7fe6f67c4780c003f1e662be20e2294a7562f2 +SHA1 (patch-exa_exa__render.c) = e20fd4a8d30162d3d7b084ed2dbd46779387f25a +SHA1 (patch-glx_glxcmds.c) = 2566885001178f47eb151a2ef84450b60137f3c1 +SHA1 (patch-glx_glxcmdsswap.c) = b9a0d5386ba928d2db95885f0b68414ffbae71ef +SHA1 (patch-glx_glxserver.h) = 47bd1cc49dbf761c042f00adc6db8cec2a038501 +SHA1 (patch-glx_indirect__program.c) = fb49f91690ff3488e11f4708f23aaa358f98d40c +SHA1 (patch-glx_indirect__reqsize.c) = 0b0305bb8b6a215f0e7548bf85ea571bed8df00b +SHA1 (patch-glx_indirect__reqsize.h) = fa963a97083dc5b0cf6f80b76905ce1f21ea0d5e +SHA1 (patch-glx_indirect__texture__compression.c) = b2af15e99e65c7f43a0218f6813b5bd4407618ea +SHA1 (patch-glx_indirect__util.c) = 182c3c5768e87118ace979304a350c137a1119db +SHA1 (patch-glx_rensize.c) = 574c5bf883ba9046e5cab52c0bd2919440ad1460 +SHA1 (patch-glx_single2.c) = 05cd1c9ba051561d68a28e23af7a5e7aaa942b82 +SHA1 (patch-glx_single2swap.c) = 900787c9b5e5f842141ea146f1b06740cfa7aa81 +SHA1 (patch-glx_singlepix.c) = 72ac42939b37ae0d57fc06453344ca76cdf2c856 +SHA1 (patch-glx_singlepixswap.c) = 1e3d54d3082a59d21edd81276980b953efc39ebb +SHA1 (patch-glx_swap__interval.c) = 2ff4e2e7d2793dd8558b04c1f72abfa81998f2c6 +SHA1 (patch-glx_unpack.h) = 5ae5c10c93835cb51c08f5dae05c5a5e2afaad98 +SHA1 (patch-hw_xfree86_common_compiler.h) = 88de747715b80b22f448869ab32dce1641bcb6db +SHA1 (patch-hw_xfree86_dri2_dri2.c) = 32a8c309f9ae417c99fe81b6a9c3b1f402880981 +SHA1 (patch-hw_xfree86_dri2_dri2ext.c) = bc2b57e4bef5ae386d1d3a015c01d243f8880ab4 +SHA1 (patch-hw_xfree86_os-support_xf86__OSlib.h) = 7c2760509610b44915da077b22899bef9c338cc1 +SHA1 (patch-include_dix.h) = ab0dc2debd87f29c0ac7f971a3cad4850b239c3a +SHA1 (patch-include_regionstr.h) = c6f3e3b263593b622e7087d3ebe2b470cf9526e3 +SHA1 (patch-os_access.c) = 94ee087d68bc9ba713dbe42102f971a1b8e6a3c4 +SHA1 (patch-os_rpcauth.c) = 6617d5ef0e3cc5e9e10cd8db74f87e347e52ebe3 +SHA1 (patch-randr_randr.c) = e8d2b72f8230a2a8a6ade47f5459ec9b0849ed0b +SHA1 (patch-randr_randrstr.h) = f634438dda61111b3bf3b77580951a638fbdea10 +SHA1 (patch-randr_rrsdispatch.c) = 13a2e819fea3ab8fa4caee7f9450a518ac41e517 +SHA1 (patch-render_picture.h) = ec7085022e2c896daaa91378632003aabd957f5e +SHA1 (patch-render_render.c) = f86496fc392681d2fba3c50bbd37b24b78bed682 +SHA1 (patch-test_Makefile.am) = 77caa0c25103307d5bd30178f72e552dbae9555a +SHA1 (patch-test_misc.c) = 1615c03ceb595fa976a571455723665025c14aa0 +SHA1 (patch-test_xi1_Makefile.am) = c5b7a86f6b4e8381c3063fa840de5e238a5877a4 +SHA1 (patch-test_xi1_protocol-xchangedevicecontrol.c) = e3efd2a5e8f93f6acf2f561451ca3d26a70ad826 +SHA1 (patch-test_xi2_protocol-xigetclientpointer.c) = e2eb3995d0bae797ba86d81165930dcd7365c74d +SHA1 (patch-test_xi2_protocol-xipassivegrabdevice.c) = 503566a73fe797a98f637fb9dd497d55e7e7db1d +SHA1 (patch-test_xi2_protocol-xiquerypointer.c) = 6594dff2bccac46aa4b8aec7c517d122517407ad +SHA1 (patch-test_xi2_protocol-xiwarppointer.c) = fda57d72b963890478e8e78dfbe2864eb51971d2 +SHA1 (patch-xfixes_select.c) = 0f0dac08732a54112a2f0a7b3f1393a28fbfd8bc +SHA1 (patch-xkb_xkb.c) = 95861e071546428ab5ada2365e2b8201f238577c diff --git a/x11/modular-xorg-server112/options.mk b/x11/modular-xorg-server112/options.mk new file mode 100644 index 00000000000..018df660ae7 --- /dev/null +++ b/x11/modular-xorg-server112/options.mk @@ -0,0 +1,41 @@ +# $NetBSD: options.mk,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +PKG_OPTIONS_VAR= PKG_OPTIONS.modular-xorg-server +PKG_SUPPORTED_OPTIONS= dri inet6 debug dtrace +PKG_SUGGESTED_OPTIONS= dri inet6 + +.include "../../mk/bsd.options.mk" + +PLIST_VARS+= dri dtrace + +.if !empty(PKG_OPTIONS:Mdri) +PLIST.dri= yes +CONFIGURE_ARGS+= --enable-dri +CONFIGURE_ARGS+= --enable-glx +CONFIGURE_ARGS+= --enable-aiglx +.else +### +### XXX Perhaps we should allow for a built-in glx without dri enabled? +### +CONFIGURE_ARGS+= --disable-dri +CONFIGURE_ARGS+= --disable-glx +.endif + +.if !empty(PKG_OPTIONS:Minet6) +CONFIGURE_ARGS+= --enable-ipv6 +.else +CONFIGURE_ARGS+= --disable-ipv6 +.endif + +.if !empty(PKG_OPTIONS:Mdebug) +CONFIGURE_ARGS+= --enable-debug +CFLAGS+= -ggdb +.endif + + +.if !empty(PKG_OPTIONS:Mdtrace) +PLIST.dtrace= yes +CONFIGURE_ARGS+= --with-dtrace +.else +CONFIGURE_ARGS+= --without-dtrace +.endif diff --git a/x11/modular-xorg-server112/patches/patch-Xext_xcmisc.c b/x11/modular-xorg-server112/patches/patch-Xext_xcmisc.c new file mode 100644 index 00000000000..106e5592786 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-Xext_xcmisc.c @@ -0,0 +1,15 @@ +$NetBSD: patch-Xext_xcmisc.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xext/xcmisc.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xext/xcmisc.c +@@ -161,6 +161,7 @@ static int + SProcXCMiscGetXIDList(ClientPtr client) + { + REQUEST(xXCMiscGetXIDListReq); ++ REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq); + + swaps(&stuff->length); + swapl(&stuff->count); diff --git a/x11/modular-xorg-server112/patches/patch-Xext_xvdisp.c b/x11/modular-xorg-server112/patches/patch-Xext_xvdisp.c new file mode 100644 index 00000000000..547e99675bb --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-Xext_xvdisp.c @@ -0,0 +1,167 @@ +$NetBSD: patch-Xext_xvdisp.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xext/xvdisp.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xext/xvdisp.c +@@ -1202,6 +1202,7 @@ static int + SProcXvQueryExtension(ClientPtr client) + { + REQUEST(xvQueryExtensionReq); ++ REQUEST_SIZE_MATCH(xvQueryExtensionReq); + swaps(&stuff->length); + return XvProcVector[xv_QueryExtension] (client); + } +@@ -1210,6 +1211,7 @@ static int + SProcXvQueryAdaptors(ClientPtr client) + { + REQUEST(xvQueryAdaptorsReq); ++ REQUEST_SIZE_MATCH(xvQueryAdaptorsReq); + swaps(&stuff->length); + swapl(&stuff->window); + return XvProcVector[xv_QueryAdaptors] (client); +@@ -1219,6 +1221,7 @@ static int + SProcXvQueryEncodings(ClientPtr client) + { + REQUEST(xvQueryEncodingsReq); ++ REQUEST_SIZE_MATCH(xvQueryEncodingsReq); + swaps(&stuff->length); + swapl(&stuff->port); + return XvProcVector[xv_QueryEncodings] (client); +@@ -1228,6 +1231,7 @@ static int + SProcXvGrabPort(ClientPtr client) + { + REQUEST(xvGrabPortReq); ++ REQUEST_SIZE_MATCH(xvGrabPortReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->time); +@@ -1238,6 +1242,7 @@ static int + SProcXvUngrabPort(ClientPtr client) + { + REQUEST(xvUngrabPortReq); ++ REQUEST_SIZE_MATCH(xvUngrabPortReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->time); +@@ -1248,6 +1253,7 @@ static int + SProcXvPutVideo(ClientPtr client) + { + REQUEST(xvPutVideoReq); ++ REQUEST_SIZE_MATCH(xvPutVideoReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->drawable); +@@ -1267,6 +1273,7 @@ static int + SProcXvPutStill(ClientPtr client) + { + REQUEST(xvPutStillReq); ++ REQUEST_SIZE_MATCH(xvPutStillReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->drawable); +@@ -1286,6 +1293,7 @@ static int + SProcXvGetVideo(ClientPtr client) + { + REQUEST(xvGetVideoReq); ++ REQUEST_SIZE_MATCH(xvGetVideoReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->drawable); +@@ -1305,6 +1313,7 @@ static int + SProcXvGetStill(ClientPtr client) + { + REQUEST(xvGetStillReq); ++ REQUEST_SIZE_MATCH(xvGetStillReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->drawable); +@@ -1324,6 +1333,7 @@ static int + SProcXvPutImage(ClientPtr client) + { + REQUEST(xvPutImageReq); ++ REQUEST_AT_LEAST_SIZE(xvPutImageReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->drawable); +@@ -1347,6 +1357,7 @@ static int + SProcXvShmPutImage(ClientPtr client) + { + REQUEST(xvShmPutImageReq); ++ REQUEST_SIZE_MATCH(xvShmPutImageReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->drawable); +@@ -1374,6 +1385,7 @@ static int + SProcXvSelectVideoNotify(ClientPtr client) + { + REQUEST(xvSelectVideoNotifyReq); ++ REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq); + swaps(&stuff->length); + swapl(&stuff->drawable); + return XvProcVector[xv_SelectVideoNotify] (client); +@@ -1383,6 +1395,7 @@ static int + SProcXvSelectPortNotify(ClientPtr client) + { + REQUEST(xvSelectPortNotifyReq); ++ REQUEST_SIZE_MATCH(xvSelectPortNotifyReq); + swaps(&stuff->length); + swapl(&stuff->port); + return XvProcVector[xv_SelectPortNotify] (client); +@@ -1392,6 +1405,7 @@ static int + SProcXvStopVideo(ClientPtr client) + { + REQUEST(xvStopVideoReq); ++ REQUEST_SIZE_MATCH(xvStopVideoReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->drawable); +@@ -1402,6 +1416,7 @@ static int + SProcXvSetPortAttribute(ClientPtr client) + { + REQUEST(xvSetPortAttributeReq); ++ REQUEST_SIZE_MATCH(xvSetPortAttributeReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->attribute); +@@ -1413,6 +1428,7 @@ static int + SProcXvGetPortAttribute(ClientPtr client) + { + REQUEST(xvGetPortAttributeReq); ++ REQUEST_SIZE_MATCH(xvGetPortAttributeReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->attribute); +@@ -1423,6 +1439,7 @@ static int + SProcXvQueryBestSize(ClientPtr client) + { + REQUEST(xvQueryBestSizeReq); ++ REQUEST_SIZE_MATCH(xvQueryBestSizeReq); + swaps(&stuff->length); + swapl(&stuff->port); + swaps(&stuff->vid_w); +@@ -1436,6 +1453,7 @@ static int + SProcXvQueryPortAttributes(ClientPtr client) + { + REQUEST(xvQueryPortAttributesReq); ++ REQUEST_SIZE_MATCH(xvQueryPortAttributesReq); + swaps(&stuff->length); + swapl(&stuff->port); + return XvProcVector[xv_QueryPortAttributes] (client); +@@ -1445,6 +1463,7 @@ static int + SProcXvQueryImageAttributes(ClientPtr client) + { + REQUEST(xvQueryImageAttributesReq); ++ REQUEST_SIZE_MATCH(xvQueryImageAttributesReq); + swaps(&stuff->length); + swapl(&stuff->port); + swapl(&stuff->id); +@@ -1457,6 +1476,7 @@ static int + SProcXvListImageFormats(ClientPtr client) + { + REQUEST(xvListImageFormatsReq); ++ REQUEST_SIZE_MATCH(xvListImageFormatsReq); + swaps(&stuff->length); + swapl(&stuff->port); + return XvProcVector[xv_ListImageFormats] (client); diff --git a/x11/modular-xorg-server112/patches/patch-Xi_chgdctl.c b/x11/modular-xorg-server112/patches/patch-Xi_chgdctl.c new file mode 100644 index 00000000000..5603ef6749a --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-Xi_chgdctl.c @@ -0,0 +1,36 @@ +$NetBSD: patch-Xi_chgdctl.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/chgdctl.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/chgdctl.c +@@ -78,7 +78,7 @@ SProcXChangeDeviceControl(ClientPtr clie + + REQUEST(xChangeDeviceControlReq); + swaps(&stuff->length); +- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq); ++ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl)); + swaps(&stuff->control); + ctl = (xDeviceCtl *) &stuff[1]; + swaps(&ctl->control); +@@ -116,7 +116,7 @@ ProcXChangeDeviceControl(ClientPtr clien + devicePresenceNotify dpn; + + REQUEST(xChangeDeviceControlReq); +- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq); ++ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl)); + + len = stuff->length - bytes_to_int32(sizeof(xChangeDeviceControlReq)); + ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess); +@@ -184,6 +184,10 @@ ProcXChangeDeviceControl(ClientPtr clien + break; + case DEVICE_ENABLE: + e = (xDeviceEnableCtl *) &stuff[1]; ++ if ((len != bytes_to_int32(sizeof(xDeviceEnableCtl)))) { ++ ret = BadLength; ++ goto out; ++ } + + status = ChangeDeviceControl(client, dev, (xDeviceCtl *) e); + diff --git a/x11/modular-xorg-server112/patches/patch-Xi_chgfctl.c b/x11/modular-xorg-server112/patches/patch-Xi_chgfctl.c new file mode 100644 index 00000000000..5a6da54bab0 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-Xi_chgfctl.c @@ -0,0 +1,16 @@ +$NetBSD: patch-Xi_chgfctl.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/chgfctl.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/chgfctl.c +@@ -467,6 +467,8 @@ ProcXChangeFeedbackControl(ClientPtr cli + xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]); + + if (client->swapped) { ++ if (len < bytes_to_int32(sizeof(xStringFeedbackCtl))) ++ return BadLength; + swaps(&f->num_keysyms); + } + if (len != diff --git a/x11/modular-xorg-server112/patches/patch-Xi_sendexev.c b/x11/modular-xorg-server112/patches/patch-Xi_sendexev.c new file mode 100644 index 00000000000..a830433013d --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-Xi_sendexev.c @@ -0,0 +1,17 @@ +$NetBSD: patch-Xi_sendexev.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/sendexev.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/sendexev.c +@@ -135,6 +135,9 @@ ProcXSendExtensionEvent(ClientPtr client + if (ret != Success) + return ret; + ++ if (stuff->num_events == 0) ++ return ret; ++ + /* The client's event type must be one defined by an extension. */ + + first = ((xEvent *) &stuff[1]); diff --git a/x11/modular-xorg-server112/patches/patch-Xi_xiallowev.c b/x11/modular-xorg-server112/patches/patch-Xi_xiallowev.c new file mode 100644 index 00000000000..478aaf465c4 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-Xi_xiallowev.c @@ -0,0 +1,23 @@ +$NetBSD: patch-Xi_xiallowev.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xiallowev.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/xiallowev.c +@@ -48,6 +48,7 @@ int + SProcXIAllowEvents(ClientPtr client) + { + REQUEST(xXIAllowEventsReq); ++ REQUEST_AT_LEAST_SIZE(xXIAllowEventsReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); +@@ -55,6 +56,7 @@ SProcXIAllowEvents(ClientPtr client) + if (stuff->length > 3) { + xXI2_2AllowEventsReq *req_xi22 = (xXI2_2AllowEventsReq *) stuff; + ++ REQUEST_AT_LEAST_SIZE(xXI2_2AllowEventsReq); + swapl(&req_xi22->touchid); + swapl(&req_xi22->grab_window); + } diff --git a/x11/modular-xorg-server112/patches/patch-Xi_xichangecursor.c b/x11/modular-xorg-server112/patches/patch-Xi_xichangecursor.c new file mode 100644 index 00000000000..5034269b9e3 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-Xi_xichangecursor.c @@ -0,0 +1,20 @@ +$NetBSD: patch-Xi_xichangecursor.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xichangecursor.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/xichangecursor.c +@@ -57,11 +57,11 @@ int + SProcXIChangeCursor(ClientPtr client) + { + REQUEST(xXIChangeCursorReq); ++ REQUEST_SIZE_MATCH(xXIChangeCursorReq); + swaps(&stuff->length); + swapl(&stuff->win); + swapl(&stuff->cursor); + swaps(&stuff->deviceid); +- REQUEST_SIZE_MATCH(xXIChangeCursorReq); + return (ProcXIChangeCursor(client)); + } + diff --git a/x11/modular-xorg-server112/patches/patch-Xi_xichangehierarchy.c b/x11/modular-xorg-server112/patches/patch-Xi_xichangehierarchy.c new file mode 100644 index 00000000000..00e6d168231 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-Xi_xichangehierarchy.c @@ -0,0 +1,97 @@ +$NetBSD: patch-Xi_xichangehierarchy.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xichangehierarchy.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/xichangehierarchy.c +@@ -407,7 +407,7 @@ int + ProcXIChangeHierarchy(ClientPtr client) + { + xXIAnyHierarchyChangeInfo *any; +- int required_len = sizeof(xXIChangeHierarchyReq); ++ size_t len; /* length of data remaining in request */ + int rc = Success; + int flags[MAXDEVICES] = { 0 }; + +@@ -417,21 +417,46 @@ ProcXIChangeHierarchy(ClientPtr client) + if (!stuff->num_changes) + return rc; + ++ if (stuff->length > (INT_MAX >> 2)) ++ return BadAlloc; ++ len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo); ++ + any = (xXIAnyHierarchyChangeInfo *) &stuff[1]; + while (stuff->num_changes--) { ++ if (len < sizeof(xXIAnyHierarchyChangeInfo)) { ++ rc = BadLength; ++ goto unwind; ++ } ++ + SWAPIF(swaps(&any->type)); + SWAPIF(swaps(&any->length)); + +- required_len += any->length; +- if ((stuff->length * 4) < required_len) ++ if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2))) + return BadLength; + ++#define CHANGE_SIZE_MATCH(type) \ ++ do { \ ++ if ((len < sizeof(type)) || (any->length != (sizeof(type) >> 2))) { \ ++ rc = BadLength; \ ++ goto unwind; \ ++ } \ ++ } while(0) ++ + switch (any->type) { + case XIAddMaster: + { + xXIAddMasterInfo *c = (xXIAddMasterInfo *) any; + ++ /* Variable length, due to appended name string */ ++ if (len < sizeof(xXIAddMasterInfo)) { ++ rc = BadLength; ++ goto unwind; ++ } + SWAPIF(swaps(&c->name_len)); ++ if (c->name_len > (len - sizeof(xXIAddMasterInfo))) { ++ rc = BadLength; ++ goto unwind; ++ } + + rc = add_master(client, c, flags); + if (rc != Success) +@@ -442,6 +467,7 @@ ProcXIChangeHierarchy(ClientPtr client) + { + xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any; + ++ CHANGE_SIZE_MATCH(xXIRemoveMasterInfo); + rc = remove_master(client, r, flags); + if (rc != Success) + goto unwind; +@@ -451,6 +477,7 @@ ProcXIChangeHierarchy(ClientPtr client) + { + xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any; + ++ CHANGE_SIZE_MATCH(xXIDetachSlaveInfo); + rc = detach_slave(client, c, flags); + if (rc != Success) + goto unwind; +@@ -460,6 +487,7 @@ ProcXIChangeHierarchy(ClientPtr client) + { + xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any; + ++ CHANGE_SIZE_MATCH(xXIAttachSlaveInfo); + rc = attach_slave(client, c, flags); + if (rc != Success) + goto unwind; +@@ -467,6 +495,7 @@ ProcXIChangeHierarchy(ClientPtr client) + break; + } + ++ len -= any->length * 4; + any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4); + } + diff --git a/x11/modular-xorg-server112/patches/patch-Xi_xigetclientpointer.c b/x11/modular-xorg-server112/patches/patch-Xi_xigetclientpointer.c new file mode 100644 index 00000000000..4da6b035835 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-Xi_xigetclientpointer.c @@ -0,0 +1,15 @@ +$NetBSD: patch-Xi_xigetclientpointer.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xigetclientpointer.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/xigetclientpointer.c +@@ -50,6 +50,7 @@ int + SProcXIGetClientPointer(ClientPtr client) + { + REQUEST(xXIGetClientPointerReq); ++ REQUEST_SIZE_MATCH(xXIGetClientPointerReq); + + swaps(&stuff->length); + swapl(&stuff->win); diff --git a/x11/modular-xorg-server112/patches/patch-Xi_xigrabdev.c b/x11/modular-xorg-server112/patches/patch-Xi_xigrabdev.c new file mode 100644 index 00000000000..612fa06678d --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-Xi_xigrabdev.c @@ -0,0 +1,44 @@ +$NetBSD: patch-Xi_xigrabdev.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xigrabdev.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/xigrabdev.c +@@ -47,6 +47,11 @@ int + SProcXIGrabDevice(ClientPtr client) + { + REQUEST(xXIGrabDeviceReq); ++ /* ++ * Check here for at least the length of the struct we swap, then ++ * let ProcXIGrabDevice check the full size after we swap mask_len. ++ */ ++ REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); +@@ -69,7 +74,7 @@ ProcXIGrabDevice(ClientPtr client) + int mask_len; + + REQUEST(xXIGrabDeviceReq); +- REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq); ++ REQUEST_FIXED_SIZE(xXIGrabDeviceReq, ((size_t) stuff->mask_len) * 4); + + ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess); + if (ret != Success) +@@ -118,6 +123,7 @@ int + SProcXIUngrabDevice(ClientPtr client) + { + REQUEST(xXIUngrabDeviceReq); ++ REQUEST_SIZE_MATCH(xXIUngrabDeviceReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); +@@ -135,6 +141,7 @@ ProcXIUngrabDevice(ClientPtr client) + TimeStamp time; + + REQUEST(xXIUngrabDeviceReq); ++ REQUEST_SIZE_MATCH(xXIUngrabDeviceReq); + + ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGetAttrAccess); + if (ret != Success) diff --git a/x11/modular-xorg-server112/patches/patch-Xi_xipassivegrab.c b/x11/modular-xorg-server112/patches/patch-Xi_xipassivegrab.c new file mode 100644 index 00000000000..faec485c002 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-Xi_xipassivegrab.c @@ -0,0 +1,61 @@ +$NetBSD: patch-Xi_xipassivegrab.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xipassivegrab.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/xipassivegrab.c +@@ -53,6 +53,7 @@ SProcXIPassiveGrabDevice(ClientPtr clien + xXIModifierInfo *mods; + + REQUEST(xXIPassiveGrabDeviceReq); ++ REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); +@@ -63,6 +64,8 @@ SProcXIPassiveGrabDevice(ClientPtr clien + swaps(&stuff->mask_len); + swaps(&stuff->num_modifiers); + ++ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq, ++ ((uint32_t) stuff->mask_len + stuff->num_modifiers) *4); + mods = (xXIModifierInfo *) &stuff[1]; + + for (i = 0; i < stuff->num_modifiers; i++, mods++) { +@@ -88,7 +91,8 @@ ProcXIPassiveGrabDevice(ClientPtr client + int mask_len; + + REQUEST(xXIPassiveGrabDeviceReq); +- REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq); ++ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq, ++ ((uint32_t) stuff->mask_len + stuff->num_modifiers) * 4); + + if (stuff->deviceid == XIAllDevices) + dev = inputInfo.all_devices; +@@ -250,6 +254,7 @@ SProcXIPassiveUngrabDevice(ClientPtr cli + uint32_t *modifiers; + + REQUEST(xXIPassiveUngrabDeviceReq); ++ REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq); + + swaps(&stuff->length); + swapl(&stuff->grab_window); +@@ -257,6 +262,8 @@ SProcXIPassiveUngrabDevice(ClientPtr cli + swapl(&stuff->detail); + swaps(&stuff->num_modifiers); + ++ REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq, ++ ((uint32_t) stuff->num_modifiers) << 2); + modifiers = (uint32_t *) &stuff[1]; + + for (i = 0; i < stuff->num_modifiers; i++, modifiers++) +@@ -275,7 +282,8 @@ ProcXIPassiveUngrabDevice(ClientPtr clie + int i, rc; + + REQUEST(xXIPassiveUngrabDeviceReq); +- REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq); ++ REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq, ++ ((uint32_t) stuff->num_modifiers) << 2); + + if (stuff->deviceid == XIAllDevices) + dev = inputInfo.all_devices; diff --git a/x11/modular-xorg-server112/patches/patch-Xi_xiproperty.c b/x11/modular-xorg-server112/patches/patch-Xi_xiproperty.c new file mode 100644 index 00000000000..414ced82515 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-Xi_xiproperty.c @@ -0,0 +1,88 @@ +$NetBSD: patch-Xi_xiproperty.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xiproperty.c.orig 2012-08-19 15:45:55.000000000 +0000 ++++ Xi/xiproperty.c +@@ -1007,10 +1007,9 @@ int + SProcXListDeviceProperties(ClientPtr client) + { + REQUEST(xListDevicePropertiesReq); ++ REQUEST_SIZE_MATCH(xListDevicePropertiesReq); + + swaps(&stuff->length); +- +- REQUEST_SIZE_MATCH(xListDevicePropertiesReq); + return (ProcXListDeviceProperties(client)); + } + +@@ -1031,10 +1030,10 @@ int + SProcXDeleteDeviceProperty(ClientPtr client) + { + REQUEST(xDeleteDevicePropertyReq); ++ REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq); + + swaps(&stuff->length); + swapl(&stuff->property); +- REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq); + return (ProcXDeleteDeviceProperty(client)); + } + +@@ -1042,13 +1041,13 @@ int + SProcXGetDeviceProperty(ClientPtr client) + { + REQUEST(xGetDevicePropertyReq); ++ REQUEST_SIZE_MATCH(xGetDevicePropertyReq); + + swaps(&stuff->length); + swapl(&stuff->property); + swapl(&stuff->type); + swapl(&stuff->longOffset); + swapl(&stuff->longLength); +- REQUEST_SIZE_MATCH(xGetDevicePropertyReq); + return (ProcXGetDeviceProperty(client)); + } + +@@ -1243,11 +1242,10 @@ int + SProcXIListProperties(ClientPtr client) + { + REQUEST(xXIListPropertiesReq); ++ REQUEST_SIZE_MATCH(xXIListPropertiesReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); +- +- REQUEST_SIZE_MATCH(xXIListPropertiesReq); + return (ProcXIListProperties(client)); + } + +@@ -1269,11 +1267,11 @@ int + SProcXIDeleteProperty(ClientPtr client) + { + REQUEST(xXIDeletePropertyReq); ++ REQUEST_SIZE_MATCH(xXIDeletePropertyReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); + swapl(&stuff->property); +- REQUEST_SIZE_MATCH(xXIDeletePropertyReq); + return (ProcXIDeleteProperty(client)); + } + +@@ -1281,6 +1279,7 @@ int + SProcXIGetProperty(ClientPtr client) + { + REQUEST(xXIGetPropertyReq); ++ REQUEST_SIZE_MATCH(xXIGetPropertyReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); +@@ -1288,7 +1287,6 @@ SProcXIGetProperty(ClientPtr client) + swapl(&stuff->type); + swapl(&stuff->offset); + swapl(&stuff->len); +- REQUEST_SIZE_MATCH(xXIGetPropertyReq); + return (ProcXIGetProperty(client)); + } + diff --git a/x11/modular-xorg-server112/patches/patch-Xi_xiquerydevice.c b/x11/modular-xorg-server112/patches/patch-Xi_xiquerydevice.c new file mode 100644 index 00000000000..c936a789b89 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-Xi_xiquerydevice.c @@ -0,0 +1,15 @@ +$NetBSD: patch-Xi_xiquerydevice.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xiquerydevice.c.orig 2012-07-24 04:36:54.000000000 +0000 ++++ Xi/xiquerydevice.c +@@ -54,6 +54,7 @@ int + SProcXIQueryDevice(ClientPtr client) + { + REQUEST(xXIQueryDeviceReq); ++ REQUEST_SIZE_MATCH(xXIQueryDeviceReq); + + swaps(&stuff->length); + swaps(&stuff->deviceid); diff --git a/x11/modular-xorg-server112/patches/patch-Xi_xiquerypointer.c b/x11/modular-xorg-server112/patches/patch-Xi_xiquerypointer.c new file mode 100644 index 00000000000..b683ed1cbe9 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-Xi_xiquerypointer.c @@ -0,0 +1,16 @@ +$NetBSD: patch-Xi_xiquerypointer.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xiquerypointer.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/xiquerypointer.c +@@ -62,6 +62,8 @@ int + SProcXIQueryPointer(ClientPtr client) + { + REQUEST(xXIQueryPointerReq); ++ REQUEST_SIZE_MATCH(xXIQueryPointerReq); ++ + swaps(&stuff->length); + swaps(&stuff->deviceid); + swapl(&stuff->win); diff --git a/x11/modular-xorg-server112/patches/patch-Xi_xiselectev.c b/x11/modular-xorg-server112/patches/patch-Xi_xiselectev.c new file mode 100644 index 00000000000..01330f7062e --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-Xi_xiselectev.c @@ -0,0 +1,33 @@ +$NetBSD: patch-Xi_xiselectev.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xiselectev.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/xiselectev.c +@@ -63,6 +63,7 @@ int + SProcXISelectEvents(ClientPtr client) + { + int i; ++ int len; + xXIEventMask *evmask; + + REQUEST(xXISelectEventsReq); +@@ -71,10 +72,17 @@ SProcXISelectEvents(ClientPtr client) + swapl(&stuff->win); + swaps(&stuff->num_masks); + ++ len = stuff->length - bytes_to_int32(sizeof(xXISelectEventsReq)); + evmask = (xXIEventMask *) &stuff[1]; + for (i = 0; i < stuff->num_masks; i++) { ++ if (len < bytes_to_int32(sizeof(xXIEventMask))) ++ return BadLength; ++ len -= bytes_to_int32(sizeof(xXIEventMask)); + swaps(&evmask->deviceid); + swaps(&evmask->mask_len); ++ if (len < evmask->mask_len) ++ return BadLength; ++ len -= evmask->mask_len; + evmask = + (xXIEventMask *) (((char *) &evmask[1]) + evmask->mask_len * 4); + } diff --git a/x11/modular-xorg-server112/patches/patch-Xi_xisetclientpointer.c b/x11/modular-xorg-server112/patches/patch-Xi_xisetclientpointer.c new file mode 100644 index 00000000000..d1859ce9c9a --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-Xi_xisetclientpointer.c @@ -0,0 +1,20 @@ +$NetBSD: patch-Xi_xisetclientpointer.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xisetclientpointer.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/xisetclientpointer.c +@@ -51,10 +51,11 @@ int + SProcXISetClientPointer(ClientPtr client) + { + REQUEST(xXISetClientPointerReq); ++ REQUEST_SIZE_MATCH(xXISetClientPointerReq); ++ + swaps(&stuff->length); + swapl(&stuff->win); + swaps(&stuff->deviceid); +- REQUEST_SIZE_MATCH(xXISetClientPointerReq); + return (ProcXISetClientPointer(client)); + } + diff --git a/x11/modular-xorg-server112/patches/patch-Xi_xisetdevfocus.c b/x11/modular-xorg-server112/patches/patch-Xi_xisetdevfocus.c new file mode 100644 index 00000000000..efcf633b45e --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-Xi_xisetdevfocus.c @@ -0,0 +1,25 @@ +$NetBSD: patch-Xi_xisetdevfocus.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xisetdevfocus.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/xisetdevfocus.c +@@ -44,6 +44,8 @@ int + SProcXISetFocus(ClientPtr client) + { + REQUEST(xXISetFocusReq); ++ REQUEST_AT_LEAST_SIZE(xXISetFocusReq); ++ + swaps(&stuff->length); + swaps(&stuff->deviceid); + swapl(&stuff->focus); +@@ -56,6 +58,8 @@ int + SProcXIGetFocus(ClientPtr client) + { + REQUEST(xXIGetFocusReq); ++ REQUEST_AT_LEAST_SIZE(xXIGetFocusReq); ++ + swaps(&stuff->length); + swaps(&stuff->deviceid); + diff --git a/x11/modular-xorg-server112/patches/patch-Xi_xiwarppointer.c b/x11/modular-xorg-server112/patches/patch-Xi_xiwarppointer.c new file mode 100644 index 00000000000..03af61c70d3 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-Xi_xiwarppointer.c @@ -0,0 +1,16 @@ +$NetBSD: patch-Xi_xiwarppointer.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- Xi/xiwarppointer.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ Xi/xiwarppointer.c +@@ -56,6 +56,8 @@ int + SProcXIWarpPointer(ClientPtr client) + { + REQUEST(xXIWarpPointerReq); ++ REQUEST_SIZE_MATCH(xXIWarpPointerReq); ++ + swaps(&stuff->length); + swapl(&stuff->src_win); + swapl(&stuff->dst_win); diff --git a/x11/modular-xorg-server112/patches/patch-configure b/x11/modular-xorg-server112/patches/patch-configure new file mode 100644 index 00000000000..24cf9775650 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-configure @@ -0,0 +1,14 @@ +$NetBSD: patch-configure,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +Allow x86_64 as a SunOS arch. +--- configure.orig 2009-10-12 05:04:15.000000000 +0000 ++++ configure +@@ -18293,7 +18293,7 @@ fi + sparc*) + SOLARIS_INOUT_ARCH="sparcv8plus" + ;; +- i*86) ++ i*86|x86_64) + if test x$SOLARIS_64 = xyes ; then + SOLARIS_INOUT_ARCH="amd64" + else diff --git a/x11/modular-xorg-server112/patches/patch-configure.ac b/x11/modular-xorg-server112/patches/patch-configure.ac new file mode 100644 index 00000000000..21645b55852 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-configure.ac @@ -0,0 +1,15 @@ +$NetBSD: patch-configure.ac,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- configure.ac.orig 2012-08-27 05:10:47.000000000 +0000 ++++ configure.ac +@@ -2229,6 +2229,7 @@ hw/kdrive/fbdev/Makefile + hw/kdrive/linux/Makefile + hw/kdrive/src/Makefile + test/Makefile ++test/xi1/Makefile + test/xi2/Makefile + xserver.ent + xorg-server.pc diff --git a/x11/modular-xorg-server112/patches/patch-dbe_dbe.c b/x11/modular-xorg-server112/patches/patch-dbe_dbe.c new file mode 100644 index 00000000000..a1750fe7892 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-dbe_dbe.c @@ -0,0 +1,48 @@ +$NetBSD: patch-dbe_dbe.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- dbe/dbe.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ dbe/dbe.c +@@ -453,18 +453,20 @@ ProcDbeSwapBuffers(ClientPtr client) + DbeSwapInfoPtr swapInfo; + xDbeSwapInfo *dbeSwapInfo; + int error; +- register int i, j; +- int nStuff; ++ unsigned int i, j; ++ unsigned int nStuff; + + REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); + nStuff = stuff->n; /* use local variable for performance. */ + + if (nStuff == 0) { ++ REQUEST_SIZE_MATCH(xDbeSwapBuffersReq); + return Success; + } + + if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec)) + return BadAlloc; ++ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo)); + + /* Get to the swap info appended to the end of the request. */ + dbeSwapInfo = (xDbeSwapInfo *) &stuff[1]; +@@ -955,13 +957,16 @@ static int + SProcDbeSwapBuffers(ClientPtr client) + { + REQUEST(xDbeSwapBuffersReq); +- register int i; ++ unsigned int i; + xDbeSwapInfo *pSwapInfo; + + swaps(&stuff->length); + REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); + + swapl(&stuff->n); ++ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec)) ++ return BadAlloc; ++ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo)); + + if (stuff->n != 0) { + pSwapInfo = (xDbeSwapInfo *) stuff + 1; diff --git a/x11/modular-xorg-server112/patches/patch-dix_dispatch.c b/x11/modular-xorg-server112/patches/patch-dix_dispatch.c new file mode 100644 index 00000000000..3f6f14b5b05 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-dix_dispatch.c @@ -0,0 +1,17 @@ +$NetBSD: patch-dix_dispatch.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- dix/dispatch.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ dix/dispatch.c +@@ -1952,6 +1952,9 @@ ProcPutImage(ClientPtr client) + tmpImage = (char *) &stuff[1]; + lengthProto = length; + ++ if (lengthProto >= (INT32_MAX / stuff->height)) ++ return BadLength; ++ + if ((bytes_to_int32(lengthProto * stuff->height) + + bytes_to_int32(sizeof(xPutImageReq))) != client->req_len) + return BadLength; diff --git a/x11/modular-xorg-server112/patches/patch-dix_dixfonts.c b/x11/modular-xorg-server112/patches/patch-dix_dixfonts.c new file mode 100644 index 00000000000..73b029c5f8b --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-dix_dixfonts.c @@ -0,0 +1,74 @@ +$NetBSD: patch-dix_dixfonts.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +Fix CVE-2013-4396. + +From a4d9bf1259ad28f54b6d59a480b2009cc89ca623 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Mon, 16 Sep 2013 21:47:16 -0700 +Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText() + +Save a pointer to the passed in closure structure before copying it +and overwriting the *c pointer to point to our copy instead of the +original. If we hit an error, once we free(c), reset c to point to +the original structure before jumping to the cleanup code that +references *c. + +Since one of the errors being checked for is whether the server was +able to malloc(c->nChars * itemSize), the client can potentially pass +a number of characters chosen to cause the malloc to fail and the +error path to be taken, resulting in the read from freed memory. + +Since the memory is accessed almost immediately afterwards, and the +X server is mostly single threaded, the odds of the free memory having +invalid contents are low with most malloc implementations when not using +memory debugging features, but some allocators will definitely overwrite +the memory there, leading to a likely crash. + +Reported-by: Pedro Ribeiro <pedrib@gmail.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Julien Cristau <jcristau@debian.org> +--- + dix/dixfonts.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- dix/dixfonts.c.orig 2012-05-17 17:09:01.000000000 +0000 ++++ dix/dixfonts.c +@@ -1414,6 +1414,7 @@ doImageText(ClientPtr client, ITclosureP + GC *pGC; + unsigned char *data; + ITclosurePtr new_closure; ++ ITclosurePtr old_closure; + + /* We're putting the client to sleep. We need to + save some state. Similar problem to that handled +@@ -1425,12 +1426,14 @@ doImageText(ClientPtr client, ITclosureP + err = BadAlloc; + goto bail; + } ++ old_closure = c; + *new_closure = *c; + c = new_closure; + + data = malloc(c->nChars * itemSize); + if (!data) { + free(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1441,6 +1444,7 @@ doImageText(ClientPtr client, ITclosureP + if (!pGC) { + free(c->data); + free(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1453,6 +1457,7 @@ doImageText(ClientPtr client, ITclosureP + FreeScratchGC(pGC); + free(c->data); + free(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } diff --git a/x11/modular-xorg-server112/patches/patch-dix_region.c b/x11/modular-xorg-server112/patches/patch-dix_region.c new file mode 100644 index 00000000000..3cd451a0484 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-dix_region.c @@ -0,0 +1,78 @@ +$NetBSD: patch-dix_region.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- dix/region.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ dix/region.c +@@ -169,7 +169,6 @@ Equipment Corporation. + ((r1)->y1 <= (r2)->y1) && \ + ((r1)->y2 >= (r2)->y2) ) + +-#define xallocData(n) malloc(RegionSizeof(n)) + #define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data) + + #define RECTALLOC_BAIL(pReg,n,bail) \ +@@ -205,8 +204,9 @@ if (!(pReg)->data || (((pReg)->data->num + #define DOWNSIZE(reg,numRects) \ + if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \ + { \ +- RegDataPtr NewData; \ +- NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects)); \ ++ size_t NewSize = RegionSizeof(numRects); \ ++ RegDataPtr NewData = \ ++ (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ; \ + if (NewData) \ + { \ + NewData->size = (numRects); \ +@@ -330,17 +330,20 @@ Bool + RegionRectAlloc(RegionPtr pRgn, int n) + { + RegDataPtr data; ++ size_t rgnSize; + + if (!pRgn->data) { + n++; +- pRgn->data = xallocData(n); ++ rgnSize = RegionSizeof(n); ++ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL; + if (!pRgn->data) + return RegionBreak(pRgn); + pRgn->data->numRects = 1; + *RegionBoxptr(pRgn) = pRgn->extents; + } + else if (!pRgn->data->size) { +- pRgn->data = xallocData(n); ++ rgnSize = RegionSizeof(n); ++ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL; + if (!pRgn->data) + return RegionBreak(pRgn); + pRgn->data->numRects = 0; +@@ -352,7 +355,8 @@ RegionRectAlloc(RegionPtr pRgn, int n) + n = 250; + } + n += pRgn->data->numRects; +- data = (RegDataPtr) realloc(pRgn->data, RegionSizeof(n)); ++ rgnSize = RegionSizeof(n); ++ data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL; + if (!data) + return RegionBreak(pRgn); + pRgn->data = data; +@@ -1297,6 +1301,7 @@ RegionFromRects(int nrects, xRectangle * + { + + RegionPtr pRgn; ++ size_t rgnSize; + RegDataPtr pData; + BoxPtr pBox; + int i; +@@ -1323,7 +1328,8 @@ RegionFromRects(int nrects, xRectangle * + } + return pRgn; + } +- pData = xallocData(nrects); ++ rgnSize = RegionSizeof(nrects); ++ pData = (rgnSize > 0) ? malloc(rgnSize) : NULL; + if (!pData) { + RegionBreak(pRgn); + return pRgn; diff --git a/x11/modular-xorg-server112/patches/patch-exa_exa__render.c b/x11/modular-xorg-server112/patches/patch-exa_exa__render.c new file mode 100644 index 00000000000..120f1bbcd34 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-exa_exa__render.c @@ -0,0 +1,17 @@ +$NetBSD: patch-exa_exa__render.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +Fix CVE-2013-6424 using +http://lists.x.org/archives/xorg-devel/2013-October/037996.html + +--- exa/exa_render.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ exa/exa_render.c +@@ -1141,7 +1141,8 @@ exaTrapezoids(CARD8 op, PicturePtr pSrc, + + exaPrepareAccess(pPicture->pDrawable, EXA_PREPARE_DEST); + for (; ntrap; ntrap--, traps++) +- (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1); ++ if (xTrapezoidValid(traps)) ++ (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1); + exaFinishAccess(pPicture->pDrawable, EXA_PREPARE_DEST); + + xRel = bounds.x1 + xSrc - xDst; diff --git a/x11/modular-xorg-server112/patches/patch-glx_glxcmds.c b/x11/modular-xorg-server112/patches/patch-glx_glxcmds.c new file mode 100644 index 00000000000..9f2adfa9422 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-glx_glxcmds.c @@ -0,0 +1,62 @@ +$NetBSD: patch-glx_glxcmds.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/glxcmds.c.orig 2012-08-02 00:59:23.000000000 +0000 ++++ glx/glxcmds.c +@@ -1983,7 +1983,8 @@ __glXDisp_Render(__GLXclientState * cl, + if (entry.varsize) { + /* variable size command */ + extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE, +- client->swapped); ++ client->swapped, ++ left - __GLX_RENDER_HDR_SIZE); + if (extra < 0) { + extra = 0; + } +@@ -2060,6 +2061,7 @@ __glXDisp_RenderLarge(__GLXclientState * + return BadLength; + } + pc += sz_xGLXRenderLargeReq; ++ int left = (req->length << 2) - sz_xGLXRenderLargeReq; + + if (cl->largeCmdRequestsSoFar == 0) { + __GLXrenderSizeData entry; +@@ -2100,7 +2102,8 @@ __glXDisp_RenderLarge(__GLXclientState * + ** will be in the 1st request, so it's okay to do this. + */ + extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE, +- client->swapped); ++ client->swapped, ++ left - __GLX_RENDER_LARGE_HDR_SIZE); + if (extra < 0) { + extra = 0; + } +@@ -2178,17 +2181,16 @@ __glXDisp_RenderLarge(__GLXclientState * + ** This is the last request; it must have enough bytes to complete + ** the command. + */ +- /* NOTE: the two pad macros have been added below; they are needed +- ** because the client library pads the total byte count, but not +- ** the per-request byte counts. The Protocol Encoding says the +- ** total byte count should not be padded, so a proposal will be +- ** made to the ARB to relax the padding constraint on the total +- ** byte count, thus preserving backward compatibility. Meanwhile, +- ** the padding done below fixes a bug that did not allow +- ** large commands of odd sizes to be accepted by the server. ++ /* NOTE: the pad macro below is needed because the client library ++ ** pads the total byte count, but not the per-request byte counts. ++ ** The Protocol Encoding says the total byte count should not be ++ ** padded, so a proposal will be made to the ARB to relax the ++ ** padding constraint on the total byte count, thus preserving ++ ** backward compatibility. Meanwhile, the padding done below ++ ** fixes a bug that did not allow large commands of odd sizes to ++ ** be accepted by the server. + */ +- if (__GLX_PAD(cl->largeCmdBytesSoFar) != +- __GLX_PAD(cl->largeCmdBytesTotal)) { ++ if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) { + client->errorValue = dataBytes; + __glXResetLargeCommandStatus(cl); + return __glXError(GLXBadLargeRequest); diff --git a/x11/modular-xorg-server112/patches/patch-glx_glxcmdsswap.c b/x11/modular-xorg-server112/patches/patch-glx_glxcmdsswap.c new file mode 100644 index 00000000000..9a8fb7f0761 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-glx_glxcmdsswap.c @@ -0,0 +1,35 @@ +$NetBSD: patch-glx_glxcmdsswap.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/glxcmdsswap.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/glxcmdsswap.c +@@ -962,11 +962,13 @@ __glXDispSwap_RenderLarge(__GLXclientSta + int + __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + xGLXVendorPrivateReq *req; + GLint vendorcode; + __GLXdispatchVendorPrivProcPtr proc; + + __GLX_DECLARE_SWAP_VARIABLES; ++ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq); + + req = (xGLXVendorPrivateReq *) pc; + __GLX_SWAP_SHORT(&req->length); +@@ -989,11 +991,13 @@ __glXDispSwap_VendorPrivate(__GLXclientS + int + __glXDispSwap_VendorPrivateWithReply(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + xGLXVendorPrivateWithReplyReq *req; + GLint vendorcode; + __GLXdispatchVendorPrivProcPtr proc; + + __GLX_DECLARE_SWAP_VARIABLES; ++ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq); + + req = (xGLXVendorPrivateWithReplyReq *) pc; + __GLX_SWAP_SHORT(&req->length); diff --git a/x11/modular-xorg-server112/patches/patch-glx_glxserver.h b/x11/modular-xorg-server112/patches/patch-glx_glxserver.h new file mode 100644 index 00000000000..dbc42be2e5d --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-glx_glxserver.h @@ -0,0 +1,64 @@ +$NetBSD: patch-glx_glxserver.h,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/glxserver.h.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/glxserver.h +@@ -167,7 +167,7 @@ typedef int (*__GLXprocPtr) (__GLXclient + /* + * Tables for computing the size of each rendering command. + */ +-typedef int (*gl_proto_size_func) (const GLbyte *, Bool); ++typedef int (*gl_proto_size_func) (const GLbyte *, Bool, int); + + typedef struct { + int bytes; +@@ -218,6 +218,47 @@ extern void glxSwapQueryServerStringRepl + * Routines for computing the size of variably-sized rendering commands. + */ + ++static _X_INLINE int ++safe_add(int a, int b) ++{ ++ if (a < 0 || b < 0) ++ return -1; ++ ++ if (INT_MAX - a < b) ++ return -1; ++ ++ return a + b; ++} ++ ++static _X_INLINE int ++safe_mul(int a, int b) ++{ ++ if (a < 0 || b < 0) ++ return -1; ++ ++ if (a == 0 || b == 0) ++ return 0; ++ ++ if (a > INT_MAX / b) ++ return -1; ++ ++ return a * b; ++} ++ ++static _X_INLINE int ++safe_pad(int a) ++{ ++ int ret; ++ ++ if (a < 0) ++ return -1; ++ ++ if ((ret = safe_add(a, 3)) < 0) ++ return -1; ++ ++ return ret & (GLuint)~3; ++} ++ + extern int __glXTypeSize(GLenum enm); + extern int __glXImageSize(GLenum format, GLenum type, + GLenum target, GLsizei w, GLsizei h, GLsizei d, diff --git a/x11/modular-xorg-server112/patches/patch-glx_indirect__program.c b/x11/modular-xorg-server112/patches/patch-glx_indirect__program.c new file mode 100644 index 00000000000..f23e799bcbe --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-glx_indirect__program.c @@ -0,0 +1,16 @@ +$NetBSD: patch-glx_indirect__program.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/indirect_program.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/indirect_program.c +@@ -69,6 +69,8 @@ DoGetProgramString(struct __GLXclientSta + __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error); + ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateWithReplyReq, 8); ++ + pc += __GLX_VENDPRIV_HDR_SIZE; + if (cx != NULL) { + GLenum target; diff --git a/x11/modular-xorg-server112/patches/patch-glx_indirect__reqsize.c b/x11/modular-xorg-server112/patches/patch-glx_indirect__reqsize.c new file mode 100644 index 00000000000..c562d6080df --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-glx_indirect__reqsize.c @@ -0,0 +1,568 @@ +$NetBSD: patch-glx_indirect__reqsize.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/indirect_reqsize.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/indirect_reqsize.c +@@ -31,24 +31,22 @@ + #include "indirect_size.h" + #include "indirect_reqsize.h" + +-#define __GLX_PAD(x) (((x) + 3) & ~3) +- + #if defined(__CYGWIN__) || defined(__MINGW32__) + #undef HAVE_ALIAS + #endif + #ifdef HAVE_ALIAS + #define ALIAS2(from,to) \ +- GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \ ++ GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \ + __attribute__ ((alias( # to ))); + #define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize ) + #else + #define ALIAS(from,to) \ +- GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \ +- { return __glX ## to ## ReqSize( pc, swap ); } ++ GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \ ++ { return __glX ## to ## ReqSize( pc, swap, reqlen ); } + #endif + + int +-__glXCallListsReqSize(const GLbyte * pc, Bool swap) ++__glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 0); + GLenum type = *(GLenum *) (pc + 4); +@@ -60,11 +58,11 @@ __glXCallListsReqSize(const GLbyte * pc, + } + + compsize = __glCallLists_size(type); +- return __GLX_PAD((compsize * n)); ++ return safe_pad(safe_mul(compsize, n)); + } + + int +-__glXBitmapReqSize(const GLbyte * pc, Bool swap) ++__glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -88,7 +86,7 @@ __glXBitmapReqSize(const GLbyte * pc, Bo + } + + int +-__glXFogfvReqSize(const GLbyte * pc, Bool swap) ++__glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 0); + GLsizei compsize; +@@ -98,11 +96,11 @@ __glXFogfvReqSize(const GLbyte * pc, Boo + } + + compsize = __glFogfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXLightfvReqSize(const GLbyte * pc, Bool swap) ++__glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -112,11 +110,11 @@ __glXLightfvReqSize(const GLbyte * pc, B + } + + compsize = __glLightfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXLightModelfvReqSize(const GLbyte * pc, Bool swap) ++__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 0); + GLsizei compsize; +@@ -126,11 +124,11 @@ __glXLightModelfvReqSize(const GLbyte * + } + + compsize = __glLightModelfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXMaterialfvReqSize(const GLbyte * pc, Bool swap) ++__glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -140,11 +138,11 @@ __glXMaterialfvReqSize(const GLbyte * pc + } + + compsize = __glMaterialfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap) ++__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -164,7 +162,7 @@ __glXPolygonStippleReqSize(const GLbyte + } + + int +-__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap) ++__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -174,11 +172,11 @@ __glXTexParameterfvReqSize(const GLbyte + } + + compsize = __glTexParameterfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXTexImage1DReqSize(const GLbyte * pc, Bool swap) ++__glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -206,7 +204,7 @@ __glXTexImage1DReqSize(const GLbyte * pc + } + + int +-__glXTexImage2DReqSize(const GLbyte * pc, Bool swap) ++__glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -236,7 +234,7 @@ __glXTexImage2DReqSize(const GLbyte * pc + } + + int +-__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap) ++__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -246,11 +244,11 @@ __glXTexEnvfvReqSize(const GLbyte * pc, + } + + compsize = __glTexEnvfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXTexGendvReqSize(const GLbyte * pc, Bool swap) ++__glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -260,11 +258,11 @@ __glXTexGendvReqSize(const GLbyte * pc, + } + + compsize = __glTexGendv_size(pname); +- return __GLX_PAD((compsize * 8)); ++ return safe_pad(safe_mul(compsize, 8)); + } + + int +-__glXTexGenfvReqSize(const GLbyte * pc, Bool swap) ++__glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -274,11 +272,11 @@ __glXTexGenfvReqSize(const GLbyte * pc, + } + + compsize = __glTexGenfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap) ++__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei mapsize = *(GLsizei *) (pc + 4); + +@@ -286,11 +284,11 @@ __glXPixelMapfvReqSize(const GLbyte * pc + mapsize = bswap_32(mapsize); + } + +- return __GLX_PAD((mapsize * 4)); ++ return safe_pad(safe_mul(mapsize, 4)); + } + + int +-__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap) ++__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei mapsize = *(GLsizei *) (pc + 4); + +@@ -298,11 +296,11 @@ __glXPixelMapusvReqSize(const GLbyte * p + mapsize = bswap_32(mapsize); + } + +- return __GLX_PAD((mapsize * 2)); ++ return safe_pad(safe_mul(mapsize, 2)); + } + + int +-__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap) ++__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -330,7 +328,7 @@ __glXDrawPixelsReqSize(const GLbyte * pc + } + + int +-__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap) ++__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 0); + +@@ -338,11 +336,11 @@ __glXPrioritizeTexturesReqSize(const GLb + n = bswap_32(n); + } + +- return __GLX_PAD((n * 4) + (n * 4)); ++ return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4))); + } + + int +-__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap) ++__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -370,7 +368,7 @@ __glXTexSubImage1DReqSize(const GLbyte * + } + + int +-__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap) ++__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -400,7 +398,7 @@ __glXTexSubImage2DReqSize(const GLbyte * + } + + int +-__glXColorTableReqSize(const GLbyte * pc, Bool swap) ++__glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -428,7 +426,7 @@ __glXColorTableReqSize(const GLbyte * pc + } + + int +-__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap) ++__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -438,11 +436,11 @@ __glXColorTableParameterfvReqSize(const + } + + compsize = __glColorTableParameterfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXColorSubTableReqSize(const GLbyte * pc, Bool swap) ++__glXColorSubTableReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -470,7 +468,7 @@ __glXColorSubTableReqSize(const GLbyte * + } + + int +-__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap) ++__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -498,7 +496,7 @@ __glXConvolutionFilter1DReqSize(const GL + } + + int +-__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap) ++__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = 0; +@@ -528,7 +526,7 @@ __glXConvolutionFilter2DReqSize(const GL + } + + int +-__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap) ++__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 4); + GLsizei compsize; +@@ -538,11 +536,11 @@ __glXConvolutionParameterfvReqSize(const + } + + compsize = __glConvolutionParameterfv_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad(safe_mul(compsize, 4)); + } + + int +-__glXTexImage3DReqSize(const GLbyte * pc, Bool swap) ++__glXTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = *(GLint *) (pc + 8); +@@ -579,7 +577,7 @@ __glXTexImage3DReqSize(const GLbyte * pc + } + + int +-__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap) ++__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLint row_length = *(GLint *) (pc + 4); + GLint image_height = *(GLint *) (pc + 8); +@@ -613,7 +611,7 @@ __glXTexSubImage3DReqSize(const GLbyte * + } + + int +-__glXCompressedTexImage1DARBReqSize(const GLbyte * pc, Bool swap) ++__glXCompressedTexImage1DARBReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei imageSize = *(GLsizei *) (pc + 20); + +@@ -621,11 +619,11 @@ __glXCompressedTexImage1DARBReqSize(cons + imageSize = bswap_32(imageSize); + } + +- return __GLX_PAD(imageSize); ++ return safe_pad(imageSize); + } + + int +-__glXCompressedTexImage2DARBReqSize(const GLbyte * pc, Bool swap) ++__glXCompressedTexImage2DARBReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei imageSize = *(GLsizei *) (pc + 24); + +@@ -633,11 +631,11 @@ __glXCompressedTexImage2DARBReqSize(cons + imageSize = bswap_32(imageSize); + } + +- return __GLX_PAD(imageSize); ++ return safe_pad(imageSize); + } + + int +-__glXCompressedTexImage3DARBReqSize(const GLbyte * pc, Bool swap) ++__glXCompressedTexImage3DARBReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei imageSize = *(GLsizei *) (pc + 28); + +@@ -645,11 +643,11 @@ __glXCompressedTexImage3DARBReqSize(cons + imageSize = bswap_32(imageSize); + } + +- return __GLX_PAD(imageSize); ++ return safe_pad(imageSize); + } + + int +-__glXCompressedTexSubImage3DARBReqSize(const GLbyte * pc, Bool swap) ++__glXCompressedTexSubImage3DARBReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei imageSize = *(GLsizei *) (pc + 36); + +@@ -657,11 +655,11 @@ __glXCompressedTexSubImage3DARBReqSize(c + imageSize = bswap_32(imageSize); + } + +- return __GLX_PAD(imageSize); ++ return safe_pad(imageSize); + } + + int +-__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap) ++__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei len = *(GLsizei *) (pc + 8); + +@@ -669,11 +667,11 @@ __glXProgramStringARBReqSize(const GLbyt + len = bswap_32(len); + } + +- return __GLX_PAD(len); ++ return safe_pad(len); + } + + int +-__glXDrawBuffersARBReqSize(const GLbyte * pc, Bool swap) ++__glXDrawBuffersARBReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 0); + +@@ -681,11 +679,11 @@ __glXDrawBuffersARBReqSize(const GLbyte + n = bswap_32(n); + } + +- return __GLX_PAD((n * 4)); ++ return safe_pad((n * 4)); + } + + int +-__glXPointParameterfvEXTReqSize(const GLbyte * pc, Bool swap) ++__glXPointParameterfvEXTReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum pname = *(GLenum *) (pc + 0); + GLsizei compsize; +@@ -695,11 +693,11 @@ __glXPointParameterfvEXTReqSize(const GL + } + + compsize = __glPointParameterfvEXT_size(pname); +- return __GLX_PAD((compsize * 4)); ++ return safe_pad((compsize * 4)); + } + + int +-__glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap) ++__glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei num = *(GLsizei *) (pc + 8); + +@@ -707,11 +705,11 @@ __glXProgramParameters4dvNVReqSize(const + num = bswap_32(num); + } + +- return __GLX_PAD((num * 32)); ++ return safe_pad((num * 32)); + } + + int +-__glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap) ++__glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei num = *(GLsizei *) (pc + 8); + +@@ -719,11 +717,11 @@ __glXProgramParameters4fvNVReqSize(const + num = bswap_32(num); + } + +- return __GLX_PAD((num * 16)); ++ return safe_pad((num * 16)); + } + + int +-__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap) ++__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 4); + +@@ -731,11 +729,11 @@ __glXVertexAttribs1dvNVReqSize(const GLb + n = bswap_32(n); + } + +- return __GLX_PAD((n * 8)); ++ return safe_pad(safe_mul(n, 8)); + } + + int +-__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap) ++__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 4); + +@@ -743,11 +741,11 @@ __glXVertexAttribs2dvNVReqSize(const GLb + n = bswap_32(n); + } + +- return __GLX_PAD((n * 16)); ++ return safe_pad(safe_mul(n, 16)); + } + + int +-__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap) ++__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 4); + +@@ -755,11 +753,11 @@ __glXVertexAttribs3dvNVReqSize(const GLb + n = bswap_32(n); + } + +- return __GLX_PAD((n * 24)); ++ return safe_pad(safe_mul(n, 24)); + } + + int +-__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap) ++__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 4); + +@@ -767,11 +765,11 @@ __glXVertexAttribs3fvNVReqSize(const GLb + n = bswap_32(n); + } + +- return __GLX_PAD((n * 12)); ++ return safe_pad(safe_mul(n, 12)); + } + + int +-__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap) ++__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 4); + +@@ -779,11 +777,11 @@ __glXVertexAttribs3svNVReqSize(const GLb + n = bswap_32(n); + } + +- return __GLX_PAD((n * 6)); ++ return safe_pad(safe_mul(n, 6)); + } + + int +-__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap) ++__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei n = *(GLsizei *) (pc + 4); + +@@ -791,11 +789,11 @@ __glXVertexAttribs4dvNVReqSize(const GLb + n = bswap_32(n); + } + +- return __GLX_PAD((n * 32)); ++ return safe_pad(safe_mul(n, 32)); + } + + int +-__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap) ++__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLsizei len = *(GLsizei *) (pc + 4); + +@@ -803,7 +801,7 @@ __glXProgramNamedParameter4fvNVReqSize(c + len = bswap_32(len); + } + +- return __GLX_PAD(len); ++ return safe_pad(len); + } + + ALIAS(Fogiv, Fogfv) diff --git a/x11/modular-xorg-server112/patches/patch-glx_indirect__reqsize.h b/x11/modular-xorg-server112/patches/patch-glx_indirect__reqsize.h new file mode 100644 index 00000000000..0bc8c5324ad --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-glx_indirect__reqsize.h @@ -0,0 +1,210 @@ +$NetBSD: patch-glx_indirect__reqsize.h,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/indirect_reqsize.h.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/indirect_reqsize.h +@@ -36,128 +36,128 @@ + #define PURE + #endif + +-extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap); ++extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc, +- Bool swap); +-extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap); ++ Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXPolygonStippleReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXTexParameterfvReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXTexParameterivReqSize(const GLbyte * pc, +- Bool swap); +-extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap); +-extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap); ++ Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXTexSubImage1DReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXTexSubImage2DReqSize(const GLbyte * pc, +- Bool swap); +-extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap); ++ Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXColorTableParameterivReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXColorSubTableReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte * pc, +- Bool swap); +-extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap); ++ Bool swap, int reqlen); ++extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXTexSubImage3DReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXCompressedTexImage1DARBReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXCompressedTexImage2DARBReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXCompressedTexImage3DARBReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXCompressedTexSubImage1DARBReqSize(const GLbyte * +- pc, Bool swap); ++ pc, Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXCompressedTexSubImage2DARBReqSize(const GLbyte * +- pc, Bool swap); ++ pc, Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXCompressedTexSubImage3DARBReqSize(const GLbyte * +- pc, Bool swap); ++ pc, Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXProgramStringARBReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXDrawBuffersARBReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXPointParameterfvEXTReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXLoadProgramNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXProgramParameters4dvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXProgramParameters4fvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXRequestResidentProgramsNVReqSize(const GLbyte * +- pc, Bool swap); ++ pc, Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXPointParameterivNVReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXProgramNamedParameter4dvNVReqSize(const GLbyte * +- pc, Bool swap); ++ pc, Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXProgramNamedParameter4fvNVReqSize(const GLbyte * +- pc, Bool swap); ++ pc, Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXDeleteFramebuffersEXTReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + extern PURE _X_HIDDEN int __glXDeleteRenderbuffersEXTReqSize(const GLbyte * pc, +- Bool swap); ++ Bool swap, int reqlen); + + #undef PURE + diff --git a/x11/modular-xorg-server112/patches/patch-glx_indirect__texture__compression.c b/x11/modular-xorg-server112/patches/patch-glx_indirect__texture__compression.c new file mode 100644 index 00000000000..fe900bf8456 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-glx_indirect__texture__compression.c @@ -0,0 +1,25 @@ +$NetBSD: patch-glx_indirect__texture__compression.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/indirect_texture_compression.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/indirect_texture_compression.c +@@ -47,6 +47,8 @@ __glXDisp_GetCompressedTexImageARB(struc + __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error); + ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 8); ++ + pc += __GLX_SINGLE_HDR_SIZE; + if (cx != NULL) { + const GLenum target = *(GLenum *) (pc + 0); +@@ -93,6 +95,8 @@ __glXDispSwap_GetCompressedTexImageARB(s + __glXForceCurrent(cl, bswap_32(req->contextTag), &error); + ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 8); ++ + pc += __GLX_SINGLE_HDR_SIZE; + if (cx != NULL) { + const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0)); diff --git a/x11/modular-xorg-server112/patches/patch-glx_indirect__util.c b/x11/modular-xorg-server112/patches/patch-glx_indirect__util.c new file mode 100644 index 00000000000..ee446fa1765 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-glx_indirect__util.c @@ -0,0 +1,16 @@ +$NetBSD: patch-glx_indirect__util.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/indirect_util.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/indirect_util.c +@@ -78,7 +78,7 @@ __glXGetAnswerBuffer(__GLXclientState * + void *local_buffer, size_t local_size, unsigned alignment) + { + void *buffer = local_buffer; +- const unsigned mask = alignment - 1; ++ const intptr_t mask = alignment - 1; + + if (local_size < required_size) { + const size_t worst_case_size = required_size + alignment; diff --git a/x11/modular-xorg-server112/patches/patch-glx_rensize.c b/x11/modular-xorg-server112/patches/patch-glx_rensize.c new file mode 100644 index 00000000000..b14f242cd11 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-glx_rensize.c @@ -0,0 +1,96 @@ +$NetBSD: patch-glx_rensize.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/rensize.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/rensize.c +@@ -52,7 +52,7 @@ Map1Size(GLint k, GLint order) + } + + int +-__glXMap1dReqSize(const GLbyte * pc, Bool swap) ++__glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum target; + GLint order, k; +@@ -68,7 +68,7 @@ __glXMap1dReqSize(const GLbyte * pc, Boo + } + + int +-__glXMap1fReqSize(const GLbyte * pc, Bool swap) ++__glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum target; + GLint order, k; +@@ -92,7 +92,7 @@ Map2Size(int k, int majorOrder, int mino + } + + int +-__glXMap2dReqSize(const GLbyte * pc, Bool swap) ++__glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum target; + GLint uorder, vorder, k; +@@ -110,7 +110,7 @@ __glXMap2dReqSize(const GLbyte * pc, Boo + } + + int +-__glXMap2fReqSize(const GLbyte * pc, Bool swap) ++__glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + GLenum target; + GLint uorder, vorder, k; +@@ -342,13 +342,14 @@ __glXTypeSize(GLenum enm) + } + + int +-__glXDrawArraysReqSize(const GLbyte * pc, Bool swap) ++__glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc; + __GLXdispatchDrawArraysComponentHeader *compHeader; + GLint numVertexes = hdr->numVertexes; + GLint numComponents = hdr->numComponents; + GLint arrayElementSize = 0; ++ GLint x, size; + int i; + + if (swap) { +@@ -357,6 +358,13 @@ __glXDrawArraysReqSize(const GLbyte * pc + } + + pc += sizeof(__GLXdispatchDrawArraysHeader); ++ reqlen -= sizeof(__GLXdispatchDrawArraysHeader); ++ ++ size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader), ++ numComponents); ++ if (size < 0 || reqlen < 0 || reqlen < size) ++ return -1; ++ + compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc; + + for (i = 0; i < numComponents; i++) { +@@ -400,17 +408,18 @@ __glXDrawArraysReqSize(const GLbyte * pc + return -1; + } + +- arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype)); ++ x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype))); ++ if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0) ++ return -1; + + pc += sizeof(__GLXdispatchDrawArraysComponentHeader); + } + +- return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) + +- (numVertexes * arrayElementSize)); ++ return safe_add(size, safe_mul(numVertexes, arrayElementSize)); + } + + int +-__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap) ++__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen) + { + __GLXdispatchConvolutionFilterHeader *hdr = + (__GLXdispatchConvolutionFilterHeader *) pc; diff --git a/x11/modular-xorg-server112/patches/patch-glx_single2.c b/x11/modular-xorg-server112/patches/patch-glx_single2.c new file mode 100644 index 00000000000..24f0c1dc336 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-glx_single2.c @@ -0,0 +1,115 @@ +$NetBSD: patch-glx_single2.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/single2.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/single2.c +@@ -49,11 +49,14 @@ + int + __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + GLsizei size; + GLenum type; + __GLXcontext *cx; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 8); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -80,10 +83,13 @@ __glXDisp_FeedbackBuffer(__GLXclientStat + int + __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; + GLsizei size; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -108,7 +114,7 @@ __glXDisp_SelectBuffer(__GLXclientState + int + __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc) + { +- ClientPtr client; ++ ClientPtr client = cl->client; + xGLXRenderModeReply reply; + __GLXcontext *cx; + GLint nitems = 0, retBytes = 0, retval, newModeCheck; +@@ -116,6 +122,8 @@ __glXDisp_RenderMode(__GLXclientState * + GLenum newMode; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -192,7 +200,6 @@ __glXDisp_RenderMode(__GLXclientState * + ** selection array, as per the API for glRenderMode itself. + */ + noChangeAllowed:; +- client = cl->client; + reply.length = nitems; + reply.type = X_Reply; + reply.sequenceNumber = client->sequence; +@@ -209,9 +216,12 @@ __glXDisp_RenderMode(__GLXclientState * + int + __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; + int error; + ++ REQUEST_SIZE_MATCH(xGLXSingleReq); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -225,10 +235,12 @@ __glXDisp_Flush(__GLXclientState * cl, G + int + __glXDisp_Finish(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; +- ClientPtr client; + int error; + ++ REQUEST_SIZE_MATCH(xGLXSingleReq); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -319,7 +331,7 @@ __glXcombine_strings(const char *cext_st + int + DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap) + { +- ClientPtr client; ++ ClientPtr client = cl->client; + __GLXcontext *cx; + GLenum name; + const char *string; +@@ -329,6 +341,8 @@ DoGetString(__GLXclientState * cl, GLbyt + char *buf = NULL, *buf1 = NULL; + GLint length = 0; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + /* If the client has the opposite byte order, swap the contextTag and + * the name. + */ +@@ -345,7 +359,6 @@ DoGetString(__GLXclientState * cl, GLbyt + pc += __GLX_SINGLE_HDR_SIZE; + name = *(GLenum *) (pc + 0); + string = (const char *) CALL_GetString(GET_DISPATCH(), (name)); +- client = cl->client; + + if (string == NULL) + string = ""; diff --git a/x11/modular-xorg-server112/patches/patch-glx_single2swap.c b/x11/modular-xorg-server112/patches/patch-glx_single2swap.c new file mode 100644 index 00000000000..1487c83dfb0 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-glx_single2swap.c @@ -0,0 +1,105 @@ +$NetBSD: patch-glx_single2swap.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/single2swap.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/single2swap.c +@@ -45,6 +45,7 @@ + int + __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + GLsizei size; + GLenum type; + +@@ -52,6 +53,8 @@ __glXDispSwap_FeedbackBuffer(__GLXclient + __GLXcontext *cx; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 8); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -81,12 +84,15 @@ __glXDispSwap_FeedbackBuffer(__GLXclient + int + __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; + GLsizei size; + + __GLX_DECLARE_SWAP_VARIABLES; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -113,7 +119,7 @@ __glXDispSwap_SelectBuffer(__GLXclientSt + int + __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc) + { +- ClientPtr client; ++ ClientPtr client = cl->client; + __GLXcontext *cx; + xGLXRenderModeReply reply; + GLint nitems = 0, retBytes = 0, retval, newModeCheck; +@@ -124,6 +130,8 @@ __glXDispSwap_RenderMode(__GLXclientStat + __GLX_DECLARE_SWAP_ARRAY_VARIABLES; + int error; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -204,7 +212,6 @@ __glXDispSwap_RenderMode(__GLXclientStat + ** selection array, as per the API for glRenderMode itself. + */ + noChangeAllowed:; +- client = cl->client; + reply.length = nitems; + reply.type = X_Reply; + reply.sequenceNumber = client->sequence; +@@ -226,11 +233,14 @@ __glXDispSwap_RenderMode(__GLXclientStat + int + __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; + int error; + + __GLX_DECLARE_SWAP_VARIABLES; + ++ REQUEST_SIZE_MATCH(xGLXSingleReq); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -245,12 +255,14 @@ __glXDispSwap_Flush(__GLXclientState * c + int + __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc) + { ++ ClientPtr client = cl->client; + __GLXcontext *cx; +- ClientPtr client; + int error; + + __GLX_DECLARE_SWAP_VARIABLES; + ++ REQUEST_SIZE_MATCH(xGLXSingleReq); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -262,7 +274,6 @@ __glXDispSwap_Finish(__GLXclientState * + cx->hasUnflushedCommands = GL_FALSE; + + /* Send empty reply packet to indicate finish is finished */ +- client = cl->client; + __GLX_BEGIN_REPLY(0); + __GLX_PUT_RETVAL(0); + __GLX_SWAP_REPLY_HEADER(); diff --git a/x11/modular-xorg-server112/patches/patch-glx_singlepix.c b/x11/modular-xorg-server112/patches/patch-glx_singlepix.c new file mode 100644 index 00000000000..f894327ef87 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-glx_singlepix.c @@ -0,0 +1,170 @@ +$NetBSD: patch-glx_singlepix.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/singlepix.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/singlepix.c +@@ -55,6 +55,8 @@ __glXDisp_ReadPixels(__GLXclientState * + int error; + char *answer, answerBuffer[200]; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 28); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -68,7 +70,7 @@ __glXDisp_ReadPixels(__GLXclientState * + swapBytes = *(GLboolean *) (pc + 24); + lsbFirst = *(GLboolean *) (pc + 25); + compsize = __glReadPixels_size(format, type, width, height); +- if (compsize < 0) ++ if ((compsize = safe_pad(compsize)) < 0) + compsize = 0; + + CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes)); +@@ -107,6 +109,8 @@ __glXDisp_GetTexImage(__GLXclientState * + char *answer, answerBuffer[200]; + GLint width = 0, height = 0, depth = 1; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 20); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -133,7 +137,7 @@ __glXDisp_GetTexImage(__GLXclientState * + */ + compsize = + __glGetTexImage_size(target, level, format, type, width, height, depth); +- if (compsize < 0) ++ if ((compsize = safe_pad(compsize)) < 0) + compsize = 0; + + CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes)); +@@ -169,6 +173,8 @@ __glXDisp_GetPolygonStipple(__GLXclientS + GLubyte answerBuffer[200]; + char *answer; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { + return error; +@@ -231,15 +237,13 @@ GetSeparableFilter(__GLXclientState * cl + compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); + compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1); + +- if (compsize < 0) ++ if ((compsize = safe_pad(compsize)) < 0) + compsize = 0; +- if (compsize2 < 0) ++ if ((compsize2 = safe_pad(compsize2)) < 0) + compsize2 = 0; +- compsize = __GLX_PAD(compsize); +- compsize2 = __GLX_PAD(compsize2); + + CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes)); +- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1); ++ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1); + __glXClearErrorOccured(); + CALL_GetSeparableFilter(GET_DISPATCH(), (*(GLenum *) (pc + 0), + *(GLenum *) (pc + 4), +@@ -265,7 +269,8 @@ int + __glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -273,7 +278,8 @@ int + __glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -343,7 +349,8 @@ int + __glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -351,7 +358,8 @@ int + __glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -411,7 +419,8 @@ int + __glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -419,7 +428,8 @@ int + __glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -471,7 +481,8 @@ int + __glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -479,7 +490,8 @@ int + __glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -540,7 +552,8 @@ int + __glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -548,6 +561,7 @@ int + __glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); +- ++ ClientPtr client = cl->client; ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } diff --git a/x11/modular-xorg-server112/patches/patch-glx_singlepixswap.c b/x11/modular-xorg-server112/patches/patch-glx_singlepixswap.c new file mode 100644 index 00000000000..3060fb460c2 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-glx_singlepixswap.c @@ -0,0 +1,152 @@ +$NetBSD: patch-glx_singlepixswap.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/singlepixswap.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/singlepixswap.c +@@ -57,6 +57,8 @@ __glXDispSwap_ReadPixels(__GLXclientStat + int error; + char *answer, answerBuffer[200]; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 28); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -122,6 +124,8 @@ __glXDispSwap_GetTexImage(__GLXclientSta + char *answer, answerBuffer[200]; + GLint width = 0, height = 0, depth = 1; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 20); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -197,6 +201,8 @@ __glXDispSwap_GetPolygonStipple(__GLXcli + + __GLX_DECLARE_SWAP_VARIABLES; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4); ++ + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); + if (!cx) { +@@ -266,15 +272,13 @@ GetSeparableFilter(__GLXclientState * cl + compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); + compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1); + +- if (compsize < 0) ++ if ((compsize = safe_pad(compsize)) < 0) + compsize = 0; +- if (compsize2 < 0) ++ if ((compsize2 = safe_pad(compsize2)) < 0) + compsize2 = 0; +- compsize = __GLX_PAD(compsize); +- compsize2 = __GLX_PAD(compsize2); + + CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes)); +- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1); ++ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1); + __glXClearErrorOccured(); + CALL_GetSeparableFilter(GET_DISPATCH(), (*(GLenum *) (pc + 0), + *(GLenum *) (pc + 4), +@@ -302,7 +306,9 @@ int + __glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -310,7 +316,9 @@ int + __glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -388,7 +396,9 @@ int + __glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -396,7 +406,9 @@ int + __glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -463,7 +475,9 @@ int + __glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -471,7 +485,9 @@ int + __glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -529,7 +545,9 @@ int + __glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -537,7 +555,9 @@ int + __glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } + +@@ -605,7 +625,9 @@ int + __glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16); + return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); + } + +@@ -613,6 +635,8 @@ int + __glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc) + { + const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); ++ ClientPtr client = cl->client; + ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); + return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); + } diff --git a/x11/modular-xorg-server112/patches/patch-glx_swap__interval.c b/x11/modular-xorg-server112/patches/patch-glx_swap__interval.c new file mode 100644 index 00000000000..a7c2cecae90 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-glx_swap__interval.c @@ -0,0 +1,16 @@ +$NetBSD: patch-glx_swap__interval.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/swap_interval.c.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/swap_interval.c +@@ -50,6 +50,8 @@ DoSwapInterval(__GLXclientState * cl, GL + __GLXcontext *cx; + GLint interval; + ++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 4); ++ + cx = __glXLookupContextByTag(cl, tag); + + if ((cx == NULL) || (cx->pGlxScreen == NULL)) { diff --git a/x11/modular-xorg-server112/patches/patch-glx_unpack.h b/x11/modular-xorg-server112/patches/patch-glx_unpack.h new file mode 100644 index 00000000000..18c1a6d10d1 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-glx_unpack.h @@ -0,0 +1,17 @@ +$NetBSD: patch-glx_unpack.h,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- glx/unpack.h.orig 2012-05-17 17:09:02.000000000 +0000 ++++ glx/unpack.h +@@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply; + ** pointer. + */ + #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \ +- if ((size) > sizeof(answerBuffer)) { \ ++ if (size < 0) return BadLength; \ ++ else if ((size) > sizeof(answerBuffer)) { \ + int bump; \ + if ((cl)->returnBufSize < (size)+(align)) { \ + (cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf, \ diff --git a/x11/modular-xorg-server112/patches/patch-hw_xfree86_common_compiler.h b/x11/modular-xorg-server112/patches/patch-hw_xfree86_common_compiler.h new file mode 100644 index 00000000000..bad74c05208 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-hw_xfree86_common_compiler.h @@ -0,0 +1,53 @@ +$NetBSD: patch-hw_xfree86_common_compiler.h,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +--- hw/xfree86/common/compiler.h.orig 2013-05-21 17:33:57.000000000 +0000 ++++ hw/xfree86/common/compiler.h +@@ -1392,26 +1392,26 @@ inl(unsigned short port) + static __inline__ void + outb(unsigned short port, unsigned char val) + { +- __asm__ __volatile__("out%B0 (%1)"::"a"(val), "d"(port)); ++ __asm__ __volatile__("outb %0, %1"::"a"(val), "d"(port)); + } + + static __inline__ void + outw(unsigned short port, unsigned short val) + { +- __asm__ __volatile__("out%W0 (%1)"::"a"(val), "d"(port)); ++ __asm__ __volatile__("outw %0, %1"::"a"(val), "d"(port)); + } + + static __inline__ void + outl(unsigned short port, unsigned int val) + { +- __asm__ __volatile__("out%L0 (%1)"::"a"(val), "d"(port)); ++ __asm__ __volatile__("outl %0, %1"::"a"(val), "d"(port)); + } + + static __inline__ unsigned int + inb(unsigned short port) + { + unsigned char ret; +- __asm__ __volatile__("in%B0 (%1)":"=a"(ret):"d"(port)); ++ __asm__ __volatile__("inb %1, %0":"=a"(ret):"d"(port)); + + return ret; + } +@@ -1420,7 +1420,7 @@ static __inline__ unsigned int + inw(unsigned short port) + { + unsigned short ret; +- __asm__ __volatile__("in%W0 (%1)":"=a"(ret):"d"(port)); ++ __asm__ __volatile__("inw %1, %0":"=a"(ret):"d"(port)); + + return ret; + } +@@ -1429,7 +1429,7 @@ static __inline__ unsigned int + inl(unsigned short port) + { + unsigned int ret; +- __asm__ __volatile__("in%L0 (%1)":"=a"(ret):"d"(port)); ++ __asm__ __volatile__("inl %1, %0":"=a"(ret):"d"(port)); + + return ret; + } diff --git a/x11/modular-xorg-server112/patches/patch-hw_xfree86_dri2_dri2.c b/x11/modular-xorg-server112/patches/patch-hw_xfree86_dri2_dri2.c new file mode 100644 index 00000000000..d1e1541aa98 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-hw_xfree86_dri2_dri2.c @@ -0,0 +1,40 @@ +$NetBSD: patch-hw_xfree86_dri2_dri2.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +Fix uninitialized variables warning from clang (X crashes without this) + +dri2.c:242:27: note: initialize the variable 'ref' to silence this warning + DRI2DrawableRefPtr ref; +dri2.c:320:27: note: initialize the variable 'ref' to silence this warning + DRI2DrawableRefPtr ref, next; +dri2.c:601:27: note: initialize the variable 'ref' to silence this warning + DRI2DrawableRefPtr ref; + +--- hw/xfree86/dri2/dri2.c.orig 2012-08-02 00:05:32.000000000 +0000 ++++ hw/xfree86/dri2/dri2.c +@@ -239,7 +239,7 @@ typedef struct DRI2DrawableRefRec { + static DRI2DrawableRefPtr + DRI2LookupDrawableRef(DRI2DrawablePtr pPriv, XID id) + { +- DRI2DrawableRefPtr ref; ++ DRI2DrawableRefPtr ref = NULL; + + xorg_list_for_each_entry(ref, &pPriv->reference_list, link) { + if (ref->id == id) +@@ -317,7 +317,7 @@ DRI2DrawableGone(pointer p, XID id) + { + DRI2DrawablePtr pPriv = p; + DRI2ScreenPtr ds = pPriv->dri2_screen; +- DRI2DrawableRefPtr ref, next; ++ DRI2DrawableRefPtr ref = NULL, next; + WindowPtr pWin; + PixmapPtr pPixmap; + DrawablePtr pDraw; +@@ -598,7 +598,7 @@ static void + DRI2InvalidateDrawable(DrawablePtr pDraw) + { + DRI2DrawablePtr pPriv = DRI2GetDrawable(pDraw); +- DRI2DrawableRefPtr ref; ++ DRI2DrawableRefPtr ref = NULL; + + if (!pPriv || !pPriv->needInvalidate) + return; diff --git a/x11/modular-xorg-server112/patches/patch-hw_xfree86_dri2_dri2ext.c b/x11/modular-xorg-server112/patches/patch-hw_xfree86_dri2_dri2ext.c new file mode 100644 index 00000000000..84e51782bb0 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-hw_xfree86_dri2_dri2ext.c @@ -0,0 +1,17 @@ +$NetBSD: patch-hw_xfree86_dri2_dri2ext.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- hw/xfree86/dri2/dri2ext.c.orig 2012-05-17 17:09:03.000000000 +0000 ++++ hw/xfree86/dri2/dri2ext.c +@@ -263,6 +263,9 @@ ProcDRI2GetBuffers(ClientPtr client) + unsigned int *attachments; + + REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4); ++ if (stuff->count > (INT_MAX / 4)) ++ return BadLength; ++ + if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess, + &pDrawable, &status)) + return status; diff --git a/x11/modular-xorg-server112/patches/patch-hw_xfree86_os-support_xf86__OSlib.h b/x11/modular-xorg-server112/patches/patch-hw_xfree86_os-support_xf86__OSlib.h new file mode 100644 index 00000000000..d2961aef5ef --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-hw_xfree86_os-support_xf86__OSlib.h @@ -0,0 +1,15 @@ +$NetBSD: patch-hw_xfree86_os-support_xf86__OSlib.h,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +* treat DragonFly same as newer FreeBSD. + +--- hw/xfree86/os-support/xf86_OSlib.h.orig 2012-05-17 17:09:03.000000000 +0000 ++++ hw/xfree86/os-support/xf86_OSlib.h +@@ -277,7 +277,7 @@ struct pcvtid { + #include <dev/wscons/wsdisplay_usl_io.h> + #endif /* WSCONS_SUPPORT */ + #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__) || defined(__DragonFly__) +-#if defined(__FreeBSD_kernel_version) && (__FreeBSD_kernel_version >= 500013) ++#if defined(__FreeBSD_kernel_version) && (__FreeBSD_kernel_version >= 500013) || defined(__DragonFly__) + #include <sys/mouse.h> + #else + #undef MOUSE_GETINFO diff --git a/x11/modular-xorg-server112/patches/patch-include_dix.h b/x11/modular-xorg-server112/patches/patch-include_dix.h new file mode 100644 index 00000000000..eb34262266a --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-include_dix.h @@ -0,0 +1,21 @@ +$NetBSD: patch-include_dix.h,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- include/dix.h.orig 2012-05-17 17:09:04.000000000 +0000 ++++ include/dix.h +@@ -72,8 +72,13 @@ SOFTWARE. + if ((sizeof(req) >> 2) > client->req_len )\ + return(BadLength) + ++#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra) \ ++ if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \ ++ return(BadLength) ++ + #define REQUEST_FIXED_SIZE(req, n)\ + if (((sizeof(req) >> 2) > client->req_len) || \ ++ (((n) >> 2) >= client->req_len) || \ + (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \ + return(BadLength) + diff --git a/x11/modular-xorg-server112/patches/patch-include_regionstr.h b/x11/modular-xorg-server112/patches/patch-include_regionstr.h new file mode 100644 index 00000000000..2b591c15699 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-include_regionstr.h @@ -0,0 +1,32 @@ +$NetBSD: patch-include_regionstr.h,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- include/regionstr.h.orig 2012-05-17 17:09:04.000000000 +0000 ++++ include/regionstr.h +@@ -127,7 +127,10 @@ RegionEnd(RegionPtr reg) + static inline size_t + RegionSizeof(int n) + { +- return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec))); ++ if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec))) ++ return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec))); ++ else ++ return 0; + } + + static inline void +@@ -138,9 +141,10 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect + (_pReg)->data = (RegDataPtr) NULL; + } + else { ++ size_t rgnSize; + (_pReg)->extents = RegionEmptyBox; +- if (((_size) > 1) && ((_pReg)->data = +- (RegDataPtr) malloc(RegionSizeof(_size)))) { ++ if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) && ++ (((_pReg)->data = malloc(rgnSize)) != NULL)) { + (_pReg)->data->size = (_size); + (_pReg)->data->numRects = 0; + } diff --git a/x11/modular-xorg-server112/patches/patch-os_access.c b/x11/modular-xorg-server112/patches/patch-os_access.c new file mode 100644 index 00000000000..eab38558e7d --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-os_access.c @@ -0,0 +1,27 @@ +$NetBSD: patch-os_access.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- os/access.c.orig 2012-05-17 17:09:04.000000000 +0000 ++++ os/access.c +@@ -1331,6 +1331,10 @@ GetHosts(pointer *data, int *pnHosts, in + for (host = validhosts; host; host = host->next) { + nHosts++; + n += pad_to_int32(host->len) + sizeof(xHostEntry); ++ /* Could check for INT_MAX, but in reality having more than 1mb of ++ hostnames in the access list is ridiculous */ ++ if (n >= 1048576) ++ break; + } + if (n) { + *data = ptr = malloc(n); +@@ -1339,6 +1343,8 @@ GetHosts(pointer *data, int *pnHosts, in + } + for (host = validhosts; host; host = host->next) { + len = host->len; ++ if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n)) ++ break; + ((xHostEntry *) ptr)->family = host->family; + ((xHostEntry *) ptr)->length = len; + ptr += sizeof(xHostEntry); diff --git a/x11/modular-xorg-server112/patches/patch-os_rpcauth.c b/x11/modular-xorg-server112/patches/patch-os_rpcauth.c new file mode 100644 index 00000000000..ce25e854dea --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-os_rpcauth.c @@ -0,0 +1,18 @@ +$NetBSD: patch-os_rpcauth.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- os/rpcauth.c.orig 2012-05-17 17:09:04.000000000 +0000 ++++ os/rpcauth.c +@@ -66,6 +66,10 @@ authdes_ezdecode(const char *inmsg, int + SVCXPRT xprt; + + temp_inmsg = malloc(len); ++ if (temp_inmsg == NULL) { ++ why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */ ++ return NULL; ++ } + memmove(temp_inmsg, inmsg, len); + + memset((char *) &msg, 0, sizeof(msg)); diff --git a/x11/modular-xorg-server112/patches/patch-randr_randr.c b/x11/modular-xorg-server112/patches/patch-randr_randr.c new file mode 100644 index 00000000000..efffc7dd6ee --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-randr_randr.c @@ -0,0 +1,21 @@ +$NetBSD: patch-randr_randr.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +Implements RRSetChanged() + +--- randr/randr.c.orig 2012-08-02 00:30:15.000000000 +0000 ++++ randr/randr.c +@@ -435,6 +435,14 @@ RRTellChanged(ScreenPtr pScreen) + } + } + ++void ++RRSetChanged(ScreenPtr pScreen) ++{ ++ rrScrPriv(pScreen); ++ ++ pScrPriv->changed = TRUE; ++} ++ + /* + * Return the first output which is connected to an active CRTC + * Used in emulating 1.0 behaviour diff --git a/x11/modular-xorg-server112/patches/patch-randr_randrstr.h b/x11/modular-xorg-server112/patches/patch-randr_randrstr.h new file mode 100644 index 00000000000..9cf508a090b --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-randr_randrstr.h @@ -0,0 +1,16 @@ +$NetBSD: patch-randr_randrstr.h,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +Implements RRSetChanged() + +--- randr/randrstr.h.orig 2012-05-17 17:09:05.000000000 +0000 ++++ randr/randrstr.h +@@ -438,6 +438,9 @@ extern _X_EXPORT void + extern _X_EXPORT void + RRTellChanged(ScreenPtr pScreen); + ++extern _X_EXPORT void ++ RRSetChanged(ScreenPtr pScreen); ++ + /* + * Poll the driver for changed information + */ diff --git a/x11/modular-xorg-server112/patches/patch-randr_rrsdispatch.c b/x11/modular-xorg-server112/patches/patch-randr_rrsdispatch.c new file mode 100644 index 00000000000..c2f9573f4e5 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-randr_rrsdispatch.c @@ -0,0 +1,39 @@ +$NetBSD: patch-randr_rrsdispatch.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- randr/rrsdispatch.c.orig 2012-05-17 17:09:05.000000000 +0000 ++++ randr/rrsdispatch.c +@@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client) + { + REQUEST(xRRQueryVersionReq); + ++ REQUEST_SIZE_MATCH(xRRQueryVersionReq); + swaps(&stuff->length); + swapl(&stuff->majorVersion); + swapl(&stuff->minorVersion); +@@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client) + { + REQUEST(xRRGetScreenInfoReq); + ++ REQUEST_SIZE_MATCH(xRRGetScreenInfoReq); + swaps(&stuff->length); + swapl(&stuff->window); + return (*ProcRandrVector[stuff->randrReqType]) (client); +@@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client) + { + REQUEST(xRRSelectInputReq); + ++ REQUEST_SIZE_MATCH(xRRSelectInputReq); + swaps(&stuff->length); + swapl(&stuff->window); + swaps(&stuff->enable); +@@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr + { + REQUEST(xRRConfigureOutputPropertyReq); + ++ REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq); + swaps(&stuff->length); + swapl(&stuff->output); + swapl(&stuff->property); diff --git a/x11/modular-xorg-server112/patches/patch-render_picture.h b/x11/modular-xorg-server112/patches/patch-render_picture.h new file mode 100644 index 00000000000..3796e216321 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-render_picture.h @@ -0,0 +1,16 @@ +$NetBSD: patch-render_picture.h,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +Fix CVE-2013-6424 using +http://lists.x.org/archives/xorg-devel/2013-October/037996.html + +--- render/picture.h.orig 2012-05-17 17:09:05.000000000 +0000 ++++ render/picture.h +@@ -211,7 +211,7 @@ typedef pixman_fixed_t xFixed; + /* whether 't' is a well defined not obviously empty trapezoid */ + #define xTrapezoidValid(t) ((t)->left.p1.y != (t)->left.p2.y && \ + (t)->right.p1.y != (t)->right.p2.y && \ +- (int) ((t)->bottom - (t)->top) > 0) ++ ((t)->bottom > (t)->top)) + + /* + * Standard NTSC luminance conversions: diff --git a/x11/modular-xorg-server112/patches/patch-render_render.c b/x11/modular-xorg-server112/patches/patch-render_render.c new file mode 100644 index 00000000000..76e9aad8d7f --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-render_render.c @@ -0,0 +1,141 @@ +$NetBSD: patch-render_render.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- render/render.c.orig 2014-12-21 14:51:52.000000000 +0000 ++++ render/render.c +@@ -271,10 +271,11 @@ ProcRenderQueryVersion(ClientPtr client) + + REQUEST(xRenderQueryVersionReq); + ++ REQUEST_SIZE_MATCH(xRenderQueryVersionReq); ++ + pRenderClient->major_version = stuff->majorVersion; + pRenderClient->minor_version = stuff->minorVersion; + +- REQUEST_SIZE_MATCH(xRenderQueryVersionReq); + memset(&rep, 0, sizeof(xRenderQueryVersionReply)); + rep.type = X_Reply; + rep.length = 0; +@@ -1994,7 +1995,7 @@ static int + SProcRenderQueryVersion(ClientPtr client) + { + REQUEST(xRenderQueryVersionReq); +- ++ REQUEST_SIZE_MATCH(xRenderQueryVersionReq); + swaps(&stuff->length); + swapl(&stuff->majorVersion); + swapl(&stuff->minorVersion); +@@ -2005,6 +2006,7 @@ static int + SProcRenderQueryPictFormats(ClientPtr client) + { + REQUEST(xRenderQueryPictFormatsReq); ++ REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq); + swaps(&stuff->length); + return (*ProcRenderVector[stuff->renderReqType]) (client); + } +@@ -2013,6 +2015,7 @@ static int + SProcRenderQueryPictIndexValues(ClientPtr client) + { + REQUEST(xRenderQueryPictIndexValuesReq); ++ REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq); + swaps(&stuff->length); + swapl(&stuff->format); + return (*ProcRenderVector[stuff->renderReqType]) (client); +@@ -2028,6 +2031,7 @@ static int + SProcRenderCreatePicture(ClientPtr client) + { + REQUEST(xRenderCreatePictureReq); ++ REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq); + swaps(&stuff->length); + swapl(&stuff->pid); + swapl(&stuff->drawable); +@@ -2041,6 +2045,7 @@ static int + SProcRenderChangePicture(ClientPtr client) + { + REQUEST(xRenderChangePictureReq); ++ REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq); + swaps(&stuff->length); + swapl(&stuff->picture); + swapl(&stuff->mask); +@@ -2052,6 +2057,7 @@ static int + SProcRenderSetPictureClipRectangles(ClientPtr client) + { + REQUEST(xRenderSetPictureClipRectanglesReq); ++ REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq); + swaps(&stuff->length); + swapl(&stuff->picture); + swaps(&stuff->xOrigin); +@@ -2064,6 +2070,7 @@ static int + SProcRenderFreePicture(ClientPtr client) + { + REQUEST(xRenderFreePictureReq); ++ REQUEST_SIZE_MATCH(xRenderFreePictureReq); + swaps(&stuff->length); + swapl(&stuff->picture); + return (*ProcRenderVector[stuff->renderReqType]) (client); +@@ -2073,6 +2080,7 @@ static int + SProcRenderComposite(ClientPtr client) + { + REQUEST(xRenderCompositeReq); ++ REQUEST_SIZE_MATCH(xRenderCompositeReq); + swaps(&stuff->length); + swapl(&stuff->src); + swapl(&stuff->mask); +@@ -2092,6 +2100,7 @@ static int + SProcRenderScale(ClientPtr client) + { + REQUEST(xRenderScaleReq); ++ REQUEST_SIZE_MATCH(xRenderScaleReq); + swaps(&stuff->length); + swapl(&stuff->src); + swapl(&stuff->dst); +@@ -2192,6 +2201,7 @@ static int + SProcRenderCreateGlyphSet(ClientPtr client) + { + REQUEST(xRenderCreateGlyphSetReq); ++ REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq); + swaps(&stuff->length); + swapl(&stuff->gsid); + swapl(&stuff->format); +@@ -2202,6 +2212,7 @@ static int + SProcRenderReferenceGlyphSet(ClientPtr client) + { + REQUEST(xRenderReferenceGlyphSetReq); ++ REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq); + swaps(&stuff->length); + swapl(&stuff->gsid); + swapl(&stuff->existing); +@@ -2212,6 +2223,7 @@ static int + SProcRenderFreeGlyphSet(ClientPtr client) + { + REQUEST(xRenderFreeGlyphSetReq); ++ REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq); + swaps(&stuff->length); + swapl(&stuff->glyphset); + return (*ProcRenderVector[stuff->renderReqType]) (client); +@@ -2226,6 +2238,7 @@ SProcRenderAddGlyphs(ClientPtr client) + xGlyphInfo *gi; + + REQUEST(xRenderAddGlyphsReq); ++ REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq); + swaps(&stuff->length); + swapl(&stuff->glyphset); + swapl(&stuff->nglyphs); +@@ -2260,6 +2273,7 @@ static int + SProcRenderFreeGlyphs(ClientPtr client) + { + REQUEST(xRenderFreeGlyphsReq); ++ REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq); + swaps(&stuff->length); + swapl(&stuff->glyphset); + SwapRestL(stuff); +@@ -2277,6 +2291,7 @@ SProcRenderCompositeGlyphs(ClientPtr cli + int size; + + REQUEST(xRenderCompositeGlyphsReq); ++ REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq); + + switch (stuff->renderReqType) { + default: diff --git a/x11/modular-xorg-server112/patches/patch-test_Makefile.am b/x11/modular-xorg-server112/patches/patch-test_Makefile.am new file mode 100644 index 00000000000..fa70a698ae4 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-test_Makefile.am @@ -0,0 +1,16 @@ +$NetBSD: patch-test_Makefile.am,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- test/Makefile.am.orig 2012-05-17 17:09:05.000000000 +0000 ++++ test/Makefile.am +@@ -4,7 +4,7 @@ noinst_PROGRAMS = list string touch + if XORG + # Tests that require at least some DDX functions in order to fully link + # For now, requires xf86 ddx, could be adjusted to use another +-SUBDIRS += xi2 ++SUBDIRS += xi1 xi2 + noinst_PROGRAMS += xkb input xtest misc fixes xfree86 + endif + check_LTLIBRARIES = libxservertest.la diff --git a/x11/modular-xorg-server112/patches/patch-test_misc.c b/x11/modular-xorg-server112/patches/patch-test_misc.c new file mode 100644 index 00000000000..158198055b0 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-test_misc.c @@ -0,0 +1,63 @@ +$NetBSD: patch-test_misc.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- test/misc.c.orig 2012-05-17 17:09:05.000000000 +0000 ++++ test/misc.c +@@ -28,6 +28,8 @@ + #include <stdint.h> + #include "misc.h" + #include "scrnintstr.h" ++#include "dix.h" ++#include "dixstruct.h" + + ScreenInfo screenInfo; + +@@ -155,11 +157,46 @@ dix_update_desktop_dimensions(void) + assert_dimensions(-w2, -h2, w2, h2); + } + ++static int ++dix_request_fixed_size_overflow(ClientRec *client) ++{ ++ xReq req = { 0 }; ++ ++ client->req_len = req.length = 1; ++ REQUEST_FIXED_SIZE(req, SIZE_MAX); ++ return Success; ++} ++ ++static int ++dix_request_fixed_size_match(ClientRec *client) ++{ ++ xReq req = { 0 }; ++ ++ client->req_len = req.length = 9; ++ REQUEST_FIXED_SIZE(req, 30); ++ return Success; ++} ++ ++static void ++dix_request_size_checks(void) ++{ ++ ClientRec client = { 0 }; ++ int rc; ++ ++ rc = dix_request_fixed_size_overflow(&client); ++ assert(rc == BadLength); ++ ++ rc = dix_request_fixed_size_match(&client); ++ assert(rc == Success); ++} ++ ++ + int + main(int argc, char **argv) + { + dix_version_compare(); + dix_update_desktop_dimensions(); ++ dix_request_size_checks(); + + return 0; + } diff --git a/x11/modular-xorg-server112/patches/patch-test_xi1_Makefile.am b/x11/modular-xorg-server112/patches/patch-test_xi1_Makefile.am new file mode 100644 index 00000000000..ba76991721a --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-test_xi1_Makefile.am @@ -0,0 +1,42 @@ +$NetBSD: patch-test_xi1_Makefile.am,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- test/xi1/Makefile.am.orig 2014-12-21 14:51:52.000000000 +0000 ++++ test/xi1/Makefile.am +@@ -0,0 +1,34 @@ ++if ENABLE_UNIT_TESTS ++if HAVE_LD_WRAP ++noinst_PROGRAMS = \ ++ protocol-xchangedevicecontrol ++ ++TESTS=$(noinst_PROGRAMS) ++TESTS_ENVIRONMENT = $(XORG_MALLOC_DEBUG_ENV) ++ ++AM_CFLAGS = $(DIX_CFLAGS) @XORG_CFLAGS@ ++AM_CPPFLAGS = @XORG_INCS@ -I$(srcdir)/../xi2 ++TEST_LDADD=../libxservertest.la $(XORG_SYS_LIBS) $(XSERVER_SYS_LIBS) $(GLX_SYS_LIBS) ++COMMON_SOURCES=$(srcdir)/../xi2/protocol-common.c ++ ++if SPECIAL_DTRACE_OBJECTS ++TEST_LDADD += $(OS_LIB) $(DIX_LIB) ++endif ++ ++protocol_xchangedevicecontrol_LDADD=$(TEST_LDADD) ++ ++protocol_xchangedevicecontrol_LDFLAGS=$(AM_LDFLAGS) -Wl,-wrap,WriteToClient ++ ++protocol_xchangedevicecontrol_SOURCES=$(COMMON_SOURCES) protocol-xchangedevicecontrol.c ++ ++else ++# Print that xi1-tests were skipped (exit code 77 for automake test harness) ++TESTS = xi1-tests ++CLEANFILES = $(TESTS) ++ ++xi1-tests: ++ @echo 'echo "ld -wrap support required for xi1 unit tests, skipping"' > $@ ++ @echo 'exit 77' >> $@ ++ $(AM_V_GEN)chmod +x $@ ++endif ++endif diff --git a/x11/modular-xorg-server112/patches/patch-test_xi1_protocol-xchangedevicecontrol.c b/x11/modular-xorg-server112/patches/patch-test_xi1_protocol-xchangedevicecontrol.c new file mode 100644 index 00000000000..f94a560cdb7 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-test_xi1_protocol-xchangedevicecontrol.c @@ -0,0 +1,130 @@ +$NetBSD: patch-test_xi1_protocol-xchangedevicecontrol.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- test/xi1/protocol-xchangedevicecontrol.c.orig 2014-12-21 14:51:52.000000000 +0000 ++++ test/xi1/protocol-xchangedevicecontrol.c +@@ -0,0 +1,122 @@ ++/** ++ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved. ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a ++ * copy of this software and associated documentation files (the "Software"), ++ * to deal in the Software without restriction, including without limitation ++ * the rights to use, copy, modify, merge, publish, distribute, sublicense, ++ * and/or sell copies of the Software, and to permit persons to whom the ++ * Software is furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice (including the next ++ * paragraph) shall be included in all copies or substantial portions of the ++ * Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL ++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING ++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER ++ * DEALINGS IN THE SOFTWARE. ++ */ ++ ++#ifdef HAVE_DIX_CONFIG_H ++#include <dix-config.h> ++#endif ++ ++/* ++ * Protocol testing for ChangeDeviceControl request. ++ */ ++#include <stdint.h> ++#include <X11/X.h> ++#include <X11/Xproto.h> ++#include <X11/extensions/XIproto.h> ++#include "inputstr.h" ++#include "chgdctl.h" ++ ++#include "protocol-common.h" ++ ++static ClientRec client_request; ++ ++static void ++reply_ChangeDeviceControl(ClientPtr client, int len, char *data, void *userdata) ++{ ++ xChangeDeviceControlReply *rep = (xChangeDeviceControlReply *) data; ++ ++ if (client->swapped) { ++ swapl(&rep->length); ++ swaps(&rep->sequenceNumber); ++ } ++ ++ reply_check_defaults(rep, len, ChangeDeviceControl); ++ ++ /* XXX: check status code in reply */ ++} ++ ++static void ++request_ChangeDeviceControl(ClientPtr client, xChangeDeviceControlReq * req, ++ xDeviceCtl *ctl, int error) ++{ ++ int rc; ++ ++ client_request.req_len = req->length; ++ rc = ProcXChangeDeviceControl(&client_request); ++ assert(rc == error); ++ ++ /* XXX: ChangeDeviceControl doesn't seem to fill in errorValue to check */ ++ ++ client_request.swapped = TRUE; ++ swaps(&req->length); ++ swaps(&req->control); ++ swaps(&ctl->length); ++ swaps(&ctl->control); ++ /* XXX: swap other contents of ctl, depending on type */ ++ rc = SProcXChangeDeviceControl(&client_request); ++ assert(rc == error); ++} ++ ++static unsigned char *data[4096]; /* the request buffer */ ++ ++static void ++test_ChangeDeviceControl(void) ++{ ++ xChangeDeviceControlReq *request = (xChangeDeviceControlReq *) data; ++ xDeviceCtl *control = (xDeviceCtl *) (&request[1]); ++ ++ request_init(request, ChangeDeviceControl); ++ ++ reply_handler = reply_ChangeDeviceControl; ++ ++ client_request = init_client(request->length, request); ++ ++ printf("Testing invalid lengths:\n"); ++ printf(" -- no control struct\n"); ++ request_ChangeDeviceControl(&client_request, request, control, BadLength); ++ ++ printf(" -- xDeviceResolutionCtl\n"); ++ request_init(request, ChangeDeviceControl); ++ request->control = DEVICE_RESOLUTION; ++ control->length = (sizeof(xDeviceResolutionCtl) >> 2); ++ request->length += control->length - 2; ++ request_ChangeDeviceControl(&client_request, request, control, BadLength); ++ ++ printf(" -- xDeviceEnableCtl\n"); ++ request_init(request, ChangeDeviceControl); ++ request->control = DEVICE_ENABLE; ++ control->length = (sizeof(xDeviceEnableCtl) >> 2); ++ request->length += control->length - 2; ++ request_ChangeDeviceControl(&client_request, request, control, BadLength); ++ ++ /* XXX: Test functionality! */ ++} ++ ++int ++main(int argc, char **argv) ++{ ++ init_simple(); ++ ++ test_ChangeDeviceControl(); ++ ++ return 0; ++} diff --git a/x11/modular-xorg-server112/patches/patch-test_xi2_protocol-xigetclientpointer.c b/x11/modular-xorg-server112/patches/patch-test_xi2_protocol-xigetclientpointer.c new file mode 100644 index 00000000000..674174bd670 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-test_xi2_protocol-xigetclientpointer.c @@ -0,0 +1,19 @@ +$NetBSD: patch-test_xi2_protocol-xigetclientpointer.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- test/xi2/protocol-xigetclientpointer.c.orig 2012-05-17 17:09:05.000000000 +0000 ++++ test/xi2/protocol-xigetclientpointer.c +@@ -124,6 +124,11 @@ test_XIGetClientPointer(void) + request.win = INVALID_WINDOW_ID; + request_XIGetClientPointer(&client_request, &request, BadWindow); + ++ printf("Testing invalid length\n"); ++ client_request.req_len -= 4; ++ request_XIGetClientPointer(&client_request, &request, BadLength); ++ client_request.req_len += 4; ++ + test_data.cp_is_set = FALSE; + + printf("Testing window None, unset ClientPointer.\n"); diff --git a/x11/modular-xorg-server112/patches/patch-test_xi2_protocol-xipassivegrabdevice.c b/x11/modular-xorg-server112/patches/patch-test_xi2_protocol-xipassivegrabdevice.c new file mode 100644 index 00000000000..faee68c1896 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-test_xi2_protocol-xipassivegrabdevice.c @@ -0,0 +1,29 @@ +$NetBSD: patch-test_xi2_protocol-xipassivegrabdevice.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- test/xi2/protocol-xipassivegrabdevice.c.orig 2012-05-17 17:09:05.000000000 +0000 ++++ test/xi2/protocol-xipassivegrabdevice.c +@@ -137,6 +137,7 @@ request_XIPassiveGrabDevice(ClientPtr cl + int rc; + int modifiers; + ++ client_request.req_len = req->length; + rc = ProcXIPassiveGrabDevice(&client_request); + assert(rc == error); + +@@ -187,6 +188,13 @@ test_XIPassiveGrabDevice(void) + request_XIPassiveGrabDevice(&client_request, request, BadDevice, + request->deviceid); + ++ printf("Testing invalid length\n"); ++ request->length -= 2; ++ request_XIPassiveGrabDevice(&client_request, request, BadLength, ++ client_request.errorValue); ++ /* re-init request since swapped length test leaves some values swapped */ ++ request_init(request, XIPassiveGrabDevice); ++ request->grab_window = CLIENT_WINDOW_ID; + request->deviceid = XIAllMasterDevices; + + printf("Testing invalid grab types\n"); diff --git a/x11/modular-xorg-server112/patches/patch-test_xi2_protocol-xiquerypointer.c b/x11/modular-xorg-server112/patches/patch-test_xi2_protocol-xiquerypointer.c new file mode 100644 index 00000000000..e9b3e06a0ad --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-test_xi2_protocol-xiquerypointer.c @@ -0,0 +1,18 @@ +$NetBSD: patch-test_xi2_protocol-xiquerypointer.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- test/xi2/protocol-xiquerypointer.c.orig 2012-05-17 17:09:05.000000000 +0000 ++++ test/xi2/protocol-xiquerypointer.c +@@ -200,6 +200,10 @@ test_XIQueryPointer(void) + test_data.dev = devices.mouse; + request.deviceid = devices.mouse->id; + request_XIQueryPointer(&client_request, &request, Success); ++ ++ /* test REQUEST_SIZE_MATCH */ ++ client_request.req_len -= 4; ++ request_XIQueryPointer(&client_request, &request, BadLength); + } + + int diff --git a/x11/modular-xorg-server112/patches/patch-test_xi2_protocol-xiwarppointer.c b/x11/modular-xorg-server112/patches/patch-test_xi2_protocol-xiwarppointer.c new file mode 100644 index 00000000000..63b63966924 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-test_xi2_protocol-xiwarppointer.c @@ -0,0 +1,17 @@ +$NetBSD: patch-test_xi2_protocol-xiwarppointer.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- test/xi2/protocol-xiwarppointer.c.orig 2012-05-17 17:09:05.000000000 +0000 ++++ test/xi2/protocol-xiwarppointer.c +@@ -197,6 +197,9 @@ test_XIWarpPointer(void) + request_XIWarpPointer(&client_request, &request, Success); + + /* FIXME: src_x/y checks */ ++ ++ client_request.req_len -= 2; /* invalid length */ ++ request_XIWarpPointer(&client_request, &request, BadLength); + } + + int diff --git a/x11/modular-xorg-server112/patches/patch-xfixes_select.c b/x11/modular-xorg-server112/patches/patch-xfixes_select.c new file mode 100644 index 00000000000..026d8f80ded --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-xfixes_select.c @@ -0,0 +1,15 @@ +$NetBSD: patch-xfixes_select.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +X.Org Security Advisory: Dec. 9, 2014 +Protocol handling issues in X Window System servers + +--- xfixes/select.c.orig 2012-05-17 17:09:05.000000000 +0000 ++++ xfixes/select.c +@@ -204,6 +204,7 @@ SProcXFixesSelectSelectionInput(ClientPt + { + REQUEST(xXFixesSelectSelectionInputReq); + ++ REQUEST_SIZE_MATCH(xXFixesSelectSelectionInputReq); + swaps(&stuff->length); + swapl(&stuff->window); + swapl(&stuff->selection); diff --git a/x11/modular-xorg-server112/patches/patch-xkb_xkb.c b/x11/modular-xorg-server112/patches/patch-xkb_xkb.c new file mode 100644 index 00000000000..0aad269cc74 --- /dev/null +++ b/x11/modular-xorg-server112/patches/patch-xkb_xkb.c @@ -0,0 +1,140 @@ +$NetBSD: patch-xkb_xkb.c,v 1.1 2015/04/03 09:46:18 tnn Exp $ + +From cc830bd3a5b44796f1e8721f336dca4f565a8130 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan <ofourdan@redhat.com> +Date: Fri, 16 Jan 2015 08:44:45 +0100 +Subject: [PATCH] xkb: Check strings length against request size + +Ensure that the given strings length in an XkbSetGeometry request remain +within the limits of the size of the request. + +Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> +--- + xkb/xkb.c | 65 +++++++++++++++++++++++++++++++++++++++------------------------ + 1 file changed, 40 insertions(+), 25 deletions(-) + +--- xkb/xkb.c.orig 2012-05-17 17:09:05.000000000 +0000 ++++ xkb/xkb.c +@@ -4946,26 +4946,29 @@ ProcXkbGetGeometry(ClientPtr client) + + /***====================================================================***/ + +-static char * +-_GetCountedString(char **wire_inout, Bool swap) ++static Status ++_GetCountedString(char **wire_inout, ClientPtr client, char **str) + { +- char *wire, *str; +- CARD16 len, *plen; ++ char *wire, *next; ++ CARD16 len; + + wire = *wire_inout; +- plen = (CARD16 *) wire; +- if (swap) { +- swaps(plen); +- } +- len = *plen; +- str = malloc(len + 1); +- if (str) { +- memcpy(str, &wire[2], len); +- str[len] = '\0'; ++ len = *(CARD16 *) wire; ++ if (client->swapped) { ++ swaps(&len); + } +- wire += XkbPaddedSize(len + 2); +- *wire_inout = wire; +- return str; ++ next = wire + XkbPaddedSize(len + 2); ++ /* Check we're still within the size of the request */ ++ if (client->req_len < ++ bytes_to_int32(next - (char *) client->requestBuffer)) ++ return BadValue; ++ *str = malloc(len + 1); ++ if (!*str) ++ return BadAlloc; ++ memcpy(*str, &wire[2], len); ++ *(*str + len) = '\0'; ++ *wire_inout = next; ++ return Success; + } + + static Status +@@ -4975,6 +4978,7 @@ _CheckSetDoodad(char **wire_inout, + char *wire; + xkbDoodadWireDesc *dWire; + XkbDoodadPtr doodad; ++ Status status; + + dWire = (xkbDoodadWireDesc *) (*wire_inout); + wire = (char *) &dWire[1]; +@@ -5022,8 +5026,14 @@ _CheckSetDoodad(char **wire_inout, + doodad->text.width = dWire->text.width; + doodad->text.height = dWire->text.height; + doodad->text.color_ndx = dWire->text.colorNdx; +- doodad->text.text = _GetCountedString(&wire, client->swapped); +- doodad->text.font = _GetCountedString(&wire, client->swapped); ++ status = _GetCountedString(&wire, client, &doodad->text.text); ++ if (status != Success) ++ return status; ++ status = _GetCountedString(&wire, client, &doodad->text.font); ++ if (status != Success) { ++ free (doodad->text.text); ++ return status; ++ } + break; + case XkbIndicatorDoodad: + if (dWire->indicator.onColorNdx >= geom->num_colors) { +@@ -5058,7 +5068,9 @@ _CheckSetDoodad(char **wire_inout, + } + doodad->logo.color_ndx = dWire->logo.colorNdx; + doodad->logo.shape_ndx = dWire->logo.shapeNdx; +- doodad->logo.logo_name = _GetCountedString(&wire, client->swapped); ++ status = _GetCountedString(&wire, client, &doodad->logo.logo_name); ++ if (status != Success) ++ return status; + break; + default: + client->errorValue = _XkbErrCode2(0x4F, dWire->any.type); +@@ -5290,18 +5302,20 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSe + char *wire; + + wire = (char *) &req[1]; +- geom->label_font = _GetCountedString(&wire, client->swapped); ++ status = _GetCountedString(&wire, client, &geom->label_font); ++ if (status != Success) ++ return status; + + for (i = 0; i < req->nProperties; i++) { + char *name, *val; + +- name = _GetCountedString(&wire, client->swapped); +- if (!name) +- return BadAlloc; +- val = _GetCountedString(&wire, client->swapped); +- if (!val) { ++ status = _GetCountedString(&wire, client, &name); ++ if (status != Success) ++ return status; ++ status = _GetCountedString(&wire, client, &val); ++ if (status != Success) { + free(name); +- return BadAlloc; ++ return status; + } + if (XkbAddGeomProperty(geom, name, val) == NULL) { + free(name); +@@ -5335,9 +5349,9 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSe + for (i = 0; i < req->nColors; i++) { + char *name; + +- name = _GetCountedString(&wire, client->swapped); +- if (!name) +- return BadAlloc; ++ status = _GetCountedString(&wire, client, &name); ++ if (status != Success) ++ return status; + if (!XkbAddGeomColor(geom, name, geom->num_colors)) { + free(name); + return BadAlloc; |