[Midnightbsd-cvs] mports [24080] trunk/x11-servers/xorg-server/files: add more patches
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Sun Sep 2 17:39:52 EDT 2018
Revision: 24080
http://svnweb.midnightbsd.org/mports/?rev=24080
Author: laffer1
Date: 2018-09-02 17:39:52 -0400 (Sun, 02 Sep 2018)
Log Message:
-----------
add more patches
Modified Paths:
--------------
trunk/x11-servers/xorg-server/files/patch-config_config.c
trunk/x11-servers/xorg-server/files/patch-hw_xfree86_common_xf86Xinput.c
Added Paths:
-----------
trunk/x11-servers/xorg-server/files/patch-glamor_glamor__dash.c
trunk/x11-servers/xorg-server/files/patch-hw_xfree86_common_xf86AutoConfig.c
trunk/x11-servers/xorg-server/files/patch-os_io.c
Removed Paths:
-------------
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8092-3-4
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt5
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt6
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-1-6
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-2-6
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-3-6
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-4-6
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-5-6
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-6-6
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8094
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8095
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8096
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8097
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8097-pt2
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-1-8
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-2-8
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-3-8
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-4-8
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-6-8
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-7-8
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-8-8
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8099
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8100-1-2
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8100-2-2
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8101
trunk/x11-servers/xorg-server/files/patch-CVE-2014-8102
trunk/x11-servers/xorg-server/files/patch-CVE-2015-0255
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8092-3-4
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8092-3-4 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8092-3-4 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,128 +0,0 @@
-From 97015a07b9e15d8ec5608b95d95ec0eb51202acb Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Wed, 22 Jan 2014 22:37:15 -0800
-Subject: [PATCH 03/40] dix: integer overflow in RegionSizeof() [CVE-2014-8092
- 3/4]
-
-RegionSizeof contains several integer overflows if a large length
-value is passed in. Once we fix it to return 0 on overflow, we
-also have to fix the callers to handle this error condition
-
-v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.
-
-Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
-Reviewed-by: Julien Cristau <jcristau at debian.org>
----
- dix/region.c | 20 +++++++++++++-------
- include/regionstr.h | 10 +++++++---
- 2 files changed, 20 insertions(+), 10 deletions(-)
-
-diff --git a/dix/region.c b/dix/region.c
-index ce1014e..04e5901 100644
---- dix/region.c
-+++ dix/region.c
-@@ -169,7 +169,6 @@ Equipment Corporation.
- ((r1)->y1 <= (r2)->y1) && \
- ((r1)->y2 >= (r2)->y2) )
-
--#define xallocData(n) malloc(RegionSizeof(n))
- #define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data)
-
- #define RECTALLOC_BAIL(pReg,n,bail) \
-@@ -205,8 +204,9 @@ if (!(pReg)->data || (((pReg)->data->numRects + (n)) > (pReg)->data->size)) \
- #define DOWNSIZE(reg,numRects) \
- if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \
- { \
-- RegDataPtr NewData; \
-- NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects)); \
-+ size_t NewSize = RegionSizeof(numRects); \
-+ RegDataPtr NewData = \
-+ (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ; \
- if (NewData) \
- { \
- NewData->size = (numRects); \
-@@ -345,17 +345,20 @@ Bool
- RegionRectAlloc(RegionPtr pRgn, int n)
- {
- RegDataPtr data;
-+ size_t rgnSize;
-
- if (!pRgn->data) {
- n++;
-- pRgn->data = xallocData(n);
-+ rgnSize = RegionSizeof(n);
-+ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
- if (!pRgn->data)
- return RegionBreak(pRgn);
- pRgn->data->numRects = 1;
- *RegionBoxptr(pRgn) = pRgn->extents;
- }
- else if (!pRgn->data->size) {
-- pRgn->data = xallocData(n);
-+ rgnSize = RegionSizeof(n);
-+ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
- if (!pRgn->data)
- return RegionBreak(pRgn);
- pRgn->data->numRects = 0;
-@@ -367,7 +370,8 @@ RegionRectAlloc(RegionPtr pRgn, int n)
- n = 250;
- }
- n += pRgn->data->numRects;
-- data = (RegDataPtr) realloc(pRgn->data, RegionSizeof(n));
-+ rgnSize = RegionSizeof(n);
-+ data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL;
- if (!data)
- return RegionBreak(pRgn);
- pRgn->data = data;
-@@ -1312,6 +1316,7 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype)
- {
-
- RegionPtr pRgn;
-+ size_t rgnSize;
- RegDataPtr pData;
- BoxPtr pBox;
- int i;
-@@ -1338,7 +1343,8 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype)
- }
- return pRgn;
- }
-- pData = xallocData(nrects);
-+ rgnSize = RegionSizeof(nrects);
-+ pData = (rgnSize > 0) ? malloc(rgnSize) : NULL;
- if (!pData) {
- RegionBreak(pRgn);
- return pRgn;
-diff --git a/include/regionstr.h b/include/regionstr.h
-index 515e93f..079375d 100644
---- include/regionstr.h
-+++ include/regionstr.h
-@@ -127,7 +127,10 @@ RegionEnd(RegionPtr reg)
- static inline size_t
- RegionSizeof(size_t n)
- {
-- return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
-+ if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)))
-+ return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
-+ else
-+ return 0;
- }
-
- static inline void
-@@ -138,9 +141,10 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect, int _size)
- (_pReg)->data = (RegDataPtr) NULL;
- }
- else {
-+ size_t rgnSize;
- (_pReg)->extents = RegionEmptyBox;
-- if (((_size) > 1) && ((_pReg)->data =
-- (RegDataPtr) malloc(RegionSizeof(_size)))) {
-+ if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) &&
-+ (((_pReg)->data = (RegDataPtr) malloc(rgnSize)) != NULL)) {
- (_pReg)->data->size = (_size);
- (_pReg)->data->numRects = 0;
- }
---
-2.1.2
-
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt5
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt5 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt5 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,32 +0,0 @@
-From 9802a0162f738de03585ca3f3b8a8266494f7d45 Mon Sep 17 00:00:00 2001
-From: Keith Packard <keithp at keithp.com>
-Date: Tue, 9 Dec 2014 09:30:59 -0800
-Subject: [PATCH 38/40] Missing parens in REQUEST_FIXED_SIZE macro
- [CVE-2014-8092 pt. 5]
-
-The 'n' parameter must be surrounded by parens in both places to
-prevent precedence from mis-computing things.
-
-Signed-off-by: Keith Packard <keithp at keithp.com>
-Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
----
- include/dix.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/dix.h b/include/dix.h
-index 21176a8..921156b 100644
---- include/dix.h
-+++ include/dix.h
-@@ -80,7 +80,7 @@ SOFTWARE.
-
- #define REQUEST_FIXED_SIZE(req, n)\
- if (((sizeof(req) >> 2) > client->req_len) || \
-- ((n >> 2) >= client->req_len) || \
-+ (((n) >> 2) >= client->req_len) || \
- ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \
- return(BadLength)
-
---
-2.1.2
-
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt6
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt6 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt6 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,35 +0,0 @@
-From 1559a94395258fd73e369f1a2c98a44bfe21a486 Mon Sep 17 00:00:00 2001
-From: Keith Packard <keithp at keithp.com>
-Date: Tue, 9 Dec 2014 09:31:00 -0800
-Subject: [PATCH 39/40] dix: GetHosts bounds check using wrong pointer value
- [CVE-2014-8092 pt. 6]
-
-GetHosts saves the pointer to allocated memory in *data, and then
-wants to bounds-check writes to that region, but was mistakenly using
-a bare 'data' instead of '*data'. Also, data is declared as void **,
-so we need a cast to turn it into a byte pointer so we can actually do
-pointer comparisons.
-
-Signed-off-by: Keith Packard <keithp at keithp.com>
-Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
----
- os/access.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/os/access.c b/os/access.c
-index f393c8d..28f2d32 100644
---- os/access.c
-+++ os/access.c
-@@ -1308,7 +1308,7 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
- }
- for (host = validhosts; host; host = host->next) {
- len = host->len;
-- if ((ptr + sizeof(xHostEntry) + len) > (data + n))
-+ if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
- break;
- ((xHostEntry *) ptr)->family = host->family;
- ((xHostEntry *) ptr)->length = len;
---
-2.1.2
-
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-1-6
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-1-6 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-1-6 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,47 +0,0 @@
-From 23fe7718bb171e71db2d1a30505c2ca2988799d9 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax at redhat.com>
-Date: Mon, 10 Nov 2014 12:13:36 -0500
-Subject: [PATCH 19/40] glx: Be more paranoid about variable-length requests
- [CVE-2014-8093 1/6]
-
-If the size computation routine returns -1 we should just reject the
-request outright. Clamping it to zero could give an attacker the
-opportunity to also mangle cmdlen in such a way that the subsequent
-length check passes, and the request would get executed, thus passing
-data we wanted to reject to the renderer.
-
-Reviewed-by: Keith Packard <keithp at keithp.com>
-Reviewed-by: Julien Cristau <jcristau at debian.org>
-Reviewed-by: Michal Srb <msrb at suse.com>
-Reviewed-by: Andy Ritger <aritger at nvidia.com>
-Signed-off-by: Adam Jackson <ajax at redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
----
- glx/glxcmds.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/glx/glxcmds.c b/glx/glxcmds.c
-index 009fd9b..ea42e2a 100644
---- glx/glxcmds.c
-+++ glx/glxcmds.c
-@@ -2062,7 +2062,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
- extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
- client->swapped);
- if (extra < 0) {
-- extra = 0;
-+ return BadLength;
- }
- if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
- return BadLength;
-@@ -2179,7 +2179,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
- extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
- client->swapped);
- if (extra < 0) {
-- extra = 0;
-+ return BadLength;
- }
- /* large command's header is 4 bytes longer, so add 4 */
- if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
---
-2.1.2
-
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-2-6
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-2-6 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-2-6 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,165 +0,0 @@
-From ab2ba9338aa5e85b4487bc7fbe69985c76483e01 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax at redhat.com>
-Date: Mon, 10 Nov 2014 12:13:37 -0500
-Subject: [PATCH 20/40] glx: Be more strict about rejecting invalid image sizes
- [CVE-2014-8093 2/6]
-
-Before this we'd just clamp the image size to 0, which was just
-hideously stupid; if the parameters were such that they'd overflow an
-integer, you'd allocate a small buffer, then pass huge values into (say)
-ReadPixels, and now you're scribbling over arbitrary server memory.
-
-Reviewed-by: Keith Packard <keithp at keithp.com>
-Reviewed-by: Julien Cristau <jcristau at debian.org>
-Reviewed-by: Michal Srb <msrb at suse.com>
-Reviewed-by: Andy Ritger <aritger at nvidia.com>
-Signed-off-by: Adam Jackson <ajax at redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
----
- glx/singlepix.c | 16 ++++++++--------
- glx/singlepixswap.c | 16 ++++++++--------
- 2 files changed, 16 insertions(+), 16 deletions(-)
-
-diff --git a/glx/singlepix.c b/glx/singlepix.c
-index 506fdaa..8b6c261 100644
---- glx/singlepix.c
-+++ glx/singlepix.c
-@@ -65,7 +65,7 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc)
- lsbFirst = *(GLboolean *) (pc + 25);
- compsize = __glReadPixels_size(format, type, width, height);
- if (compsize < 0)
-- compsize = 0;
-+ return BadLength;
-
- glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
- glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
-@@ -124,7 +124,7 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc)
- compsize =
- __glGetTexImage_size(target, level, format, type, width, height, depth);
- if (compsize < 0)
-- compsize = 0;
-+ return BadLength;
-
- glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -218,9 +218,9 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
- compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
-
- if (compsize < 0)
-- compsize = 0;
-+ return BadLength;
- if (compsize2 < 0)
-- compsize2 = 0;
-+ return BadLength;
- compsize = __GLX_PAD(compsize);
- compsize2 = __GLX_PAD(compsize2);
-
-@@ -296,7 +296,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
- */
- compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
- if (compsize < 0)
-- compsize = 0;
-+ return BadLength;
-
- glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -365,7 +365,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
- */
- compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
- if (compsize < 0)
-- compsize = 0;
-+ return BadLength;
-
- glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -426,7 +426,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
-
- compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
- if (compsize < 0)
-- compsize = 0;
-+ return BadLength;
-
- glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -491,7 +491,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
- */
- compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
- if (compsize < 0)
-- compsize = 0;
-+ return BadLength;
-
- glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-diff --git a/glx/singlepixswap.c b/glx/singlepixswap.c
-index 8469101..8dc304f 100644
---- glx/singlepixswap.c
-+++ glx/singlepixswap.c
-@@ -75,7 +75,7 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc)
- lsbFirst = *(GLboolean *) (pc + 25);
- compsize = __glReadPixels_size(format, type, width, height);
- if (compsize < 0)
-- compsize = 0;
-+ return BadLength;
-
- glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
- glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
-@@ -144,7 +144,7 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc)
- compsize =
- __glGetTexImage_size(target, level, format, type, width, height, depth);
- if (compsize < 0)
-- compsize = 0;
-+ return BadLength;
-
- glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -252,9 +252,9 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
- compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
-
- if (compsize < 0)
-- compsize = 0;
-+ return BadLength;
- if (compsize2 < 0)
-- compsize2 = 0;
-+ return BadLength;
- compsize = __GLX_PAD(compsize);
- compsize2 = __GLX_PAD(compsize2);
-
-@@ -338,7 +338,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
- */
- compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
- if (compsize < 0)
-- compsize = 0;
-+ return BadLength;
-
- glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -415,7 +415,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
- */
- compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
- if (compsize < 0)
-- compsize = 0;
-+ return BadLength;
-
- glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -483,7 +483,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
-
- compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
- if (compsize < 0)
-- compsize = 0;
-+ return BadLength;
-
- glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -554,7 +554,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
- */
- compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
- if (compsize < 0)
-- compsize = 0;
-+ return BadLength;
-
- glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
---
-2.1.2
-
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-3-6
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-3-6 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-3-6 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,59 +0,0 @@
-From 717a1b37767b41e14859e5022ae9e679152821a9 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax at redhat.com>
-Date: Mon, 10 Nov 2014 12:13:38 -0500
-Subject: [PATCH 21/40] glx: Additional paranoia in __glXGetAnswerBuffer /
- __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
-
-If the computed reply size is negative, something went wrong, treat it
-as an error.
-
-v2: Be more careful about size_t being unsigned (Matthieu Herrb)
-v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
-
-Reviewed-by: Julien Cristau <jcristau at debian.org>
-Reviewed-by: Michal Srb <msrb at suse.com>
-Reviewed-by: Andy Ritger <aritger at nvidia.com>
-Signed-off-by: Adam Jackson <ajax at redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
----
- glx/indirect_util.c | 7 ++++++-
- glx/unpack.h | 3 ++-
- 2 files changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/glx/indirect_util.c b/glx/indirect_util.c
-index 926e57c..de81491 100644
---- glx/indirect_util.c
-+++ glx/indirect_util.c
-@@ -76,9 +76,14 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
- const unsigned mask = alignment - 1;
-
- if (local_size < required_size) {
-- const size_t worst_case_size = required_size + alignment;
-+ size_t worst_case_size;
- intptr_t temp_buf;
-
-+ if (required_size < SIZE_MAX - alignment)
-+ worst_case_size = required_size + alignment;
-+ else
-+ return NULL;
-+
- if (cl->returnBufSize < worst_case_size) {
- void *temp = realloc(cl->returnBuf, worst_case_size);
-
-diff --git a/glx/unpack.h b/glx/unpack.h
-index 52fba74..2b1ebcf 100644
---- glx/unpack.h
-+++ glx/unpack.h
-@@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply;
- ** pointer.
- */
- #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \
-- if ((size) > sizeof(answerBuffer)) { \
-+ if (size < 0) return BadLength; \
-+ else if ((size) > sizeof(answerBuffer)) { \
- int bump; \
- if ((cl)->returnBufSize < (size)+(align)) { \
- (cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf, \
---
-2.1.2
-
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-4-6
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-4-6 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-4-6 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,82 +0,0 @@
-From 2a5cbc17fc72185bf0fa06fef26d1f782de72595 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax at redhat.com>
-Date: Mon, 10 Nov 2014 12:13:40 -0500
-Subject: [PATCH 23/40] glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6]
-
-These are paranoid about integer overflow, and will return -1 if their
-operation would overflow a (signed) integer or if either argument is
-negative.
-
-Note that RenderLarge requests are sized with a uint32_t so in principle
-this could be sketchy there, but dix limits bigreqs to 128M so you
-shouldn't ever notice, and honestly if you're sending more than 2G of
-rendering commands you're already doing something very wrong.
-
-v2: Use INT_MAX for consistency with the rest of the server (jcristau)
-v3: Reject negative arguments (anholt)
-
-Reviewed-by: Keith Packard <keithp at keithp.com>
-Reviewed-by: Julien Cristau <jcristau at debian.org>
-Reviewed-by: Michal Srb <msrb at suse.com>
-Reviewed-by: Andy Ritger <aritger at nvidia.com>
-Signed-off-by: Adam Jackson <ajax at redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
----
- glx/glxserver.h | 41 +++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 41 insertions(+)
-
-diff --git a/glx/glxserver.h b/glx/glxserver.h
-index a324b29..9482601 100644
---- glx/glxserver.h
-+++ glx/glxserver.h
-@@ -228,6 +228,47 @@ extern void glxSwapQueryServerStringReply(ClientPtr client,
- * Routines for computing the size of variably-sized rendering commands.
- */
-
-+static _X_INLINE int
-+safe_add(int a, int b)
-+{
-+ if (a < 0 || b < 0)
-+ return -1;
-+
-+ if (INT_MAX - a < b)
-+ return -1;
-+
-+ return a + b;
-+}
-+
-+static _X_INLINE int
-+safe_mul(int a, int b)
-+{
-+ if (a < 0 || b < 0)
-+ return -1;
-+
-+ if (a == 0 || b == 0)
-+ return 0;
-+
-+ if (a > INT_MAX / b)
-+ return -1;
-+
-+ return a * b;
-+}
-+
-+static _X_INLINE int
-+safe_pad(int a)
-+{
-+ int ret;
-+
-+ if (a < 0)
-+ return -1;
-+
-+ if ((ret = safe_add(a, 3)) < 0)
-+ return -1;
-+
-+ return ret & (GLuint)~3;
-+}
-+
- extern int __glXTypeSize(GLenum enm);
- extern int __glXImageSize(GLenum format, GLenum type,
- GLenum target, GLsizei w, GLsizei h, GLsizei d,
---
-2.1.2
-
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-5-6
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-5-6 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-5-6 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,225 +0,0 @@
-From 698888e6671d54c7ae41e9d456f7f5483a3459d2 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax at redhat.com>
-Date: Mon, 10 Nov 2014 12:13:42 -0500
-Subject: [PATCH 25/40] glx: Integer overflow protection for non-generated
- render requests (v3) [CVE-2014-8093 5/6]
-
-v2:
-Fix constants in __glXMap2fReqSize (Michal Srb)
-Validate w/h/d for proxy targets too (Keith Packard)
-
-v3:
-Fix Map[12]Size to correctly reject order == 0 (Julien Cristau)
-
-Reviewed-by: Keith Packard <keithp at keithp.com>
-Reviewed-by: Michal Srb <msrb at suse.com>
-Reviewed-by: Andy Ritger <aritger at nvidia.com>
-Signed-off-by: Adam Jackson <ajax at redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
----
- glx/rensize.c | 77 +++++++++++++++++++++++++++++++----------------------------
- 1 file changed, 41 insertions(+), 36 deletions(-)
-
-diff --git a/glx/rensize.c b/glx/rensize.c
-index 9ff73c7..d46334a 100644
---- glx/rensize.c
-+++ glx/rensize.c
-@@ -43,19 +43,11 @@
- (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \
- ((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
-
--static int
--Map1Size(GLint k, GLint order)
--{
-- if (order <= 0 || k < 0)
-- return -1;
-- return k * order;
--}
--
- int
- __glXMap1dReqSize(const GLbyte * pc, Bool swap)
- {
- GLenum target;
-- GLint order, k;
-+ GLint order;
-
- target = *(GLenum *) (pc + 16);
- order = *(GLint *) (pc + 20);
-@@ -63,15 +55,16 @@ __glXMap1dReqSize(const GLbyte * pc, Bool swap)
- target = SWAPL(target);
- order = SWAPL(order);
- }
-- k = __glMap1d_size(target);
-- return 8 * Map1Size(k, order);
-+ if (order < 1)
-+ return -1;
-+ return safe_mul(8, safe_mul(__glMap1d_size(target), order));
- }
-
- int
- __glXMap1fReqSize(const GLbyte * pc, Bool swap)
- {
- GLenum target;
-- GLint order, k;
-+ GLint order;
-
- target = *(GLenum *) (pc + 0);
- order = *(GLint *) (pc + 12);
-@@ -79,23 +72,24 @@ __glXMap1fReqSize(const GLbyte * pc, Bool swap)
- target = SWAPL(target);
- order = SWAPL(order);
- }
-- k = __glMap1f_size(target);
-- return 4 * Map1Size(k, order);
-+ if (order < 1)
-+ return -1;
-+ return safe_mul(4, safe_mul(__glMap1f_size(target), order));
- }
-
- static int
- Map2Size(int k, int majorOrder, int minorOrder)
- {
-- if (majorOrder <= 0 || minorOrder <= 0 || k < 0)
-+ if (majorOrder < 1 || minorOrder < 1)
- return -1;
-- return k * majorOrder * minorOrder;
-+ return safe_mul(k, safe_mul(majorOrder, minorOrder));
- }
-
- int
- __glXMap2dReqSize(const GLbyte * pc, Bool swap)
- {
- GLenum target;
-- GLint uorder, vorder, k;
-+ GLint uorder, vorder;
-
- target = *(GLenum *) (pc + 32);
- uorder = *(GLint *) (pc + 36);
-@@ -105,15 +99,14 @@ __glXMap2dReqSize(const GLbyte * pc, Bool swap)
- uorder = SWAPL(uorder);
- vorder = SWAPL(vorder);
- }
-- k = __glMap2d_size(target);
-- return 8 * Map2Size(k, uorder, vorder);
-+ return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
- }
-
- int
- __glXMap2fReqSize(const GLbyte * pc, Bool swap)
- {
- GLenum target;
-- GLint uorder, vorder, k;
-+ GLint uorder, vorder;
-
- target = *(GLenum *) (pc + 0);
- uorder = *(GLint *) (pc + 12);
-@@ -123,8 +116,7 @@ __glXMap2fReqSize(const GLbyte * pc, Bool swap)
- uorder = SWAPL(uorder);
- vorder = SWAPL(vorder);
- }
-- k = __glMap2f_size(target);
-- return 4 * Map2Size(k, uorder, vorder);
-+ return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
- }
-
- /**
-@@ -175,14 +167,16 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
- GLint bytesPerElement, elementsPerGroup, groupsPerRow;
- GLint groupSize, rowSize, padding, imageSize;
-
-+ if (w == 0 || h == 0 || d == 0)
-+ return 0;
-+
- if (w < 0 || h < 0 || d < 0 ||
- (type == GL_BITMAP &&
- (format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) {
- return -1;
- }
-- if (w == 0 || h == 0 || d == 0)
-- return 0;
-
-+ /* proxy targets have no data */
- switch (target) {
- case GL_PROXY_TEXTURE_1D:
- case GL_PROXY_TEXTURE_2D:
-@@ -199,6 +193,12 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
- return 0;
- }
-
-+ /* real data has to have real sizes */
-+ if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0)
-+ return -1;
-+ if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8)
-+ return -1;
-+
- if (type == GL_BITMAP) {
- if (rowLength > 0) {
- groupsPerRow = rowLength;
-@@ -207,11 +207,14 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
- groupsPerRow = w;
- }
- rowSize = bits_to_bytes(groupsPerRow);
-+ if (rowSize < 0)
-+ return -1;
- padding = (rowSize % alignment);
- if (padding) {
- rowSize += alignment - padding;
- }
-- return ((h + skipRows) * rowSize);
-+
-+ return safe_mul(safe_add(h, skipRows), rowSize);
- }
- else {
- switch (format) {
-@@ -303,6 +306,7 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
- default:
- return -1;
- }
-+ /* known safe by the switches above, not checked */
- groupSize = bytesPerElement * elementsPerGroup;
- if (rowLength > 0) {
- groupsPerRow = rowLength;
-@@ -310,18 +314,21 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
- else {
- groupsPerRow = w;
- }
-- rowSize = groupsPerRow * groupSize;
-+
-+ if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0)
-+ return -1;
- padding = (rowSize % alignment);
- if (padding) {
- rowSize += alignment - padding;
- }
-- if (imageHeight > 0) {
-- imageSize = (imageHeight + skipRows) * rowSize;
-- }
-- else {
-- imageSize = (h + skipRows) * rowSize;
-- }
-- return ((d + skipImages) * imageSize);
-+
-+ if (imageHeight > 0)
-+ h = imageHeight;
-+ h = safe_add(h, skipRows);
-+
-+ imageSize = safe_mul(h, rowSize);
-+
-+ return safe_mul(safe_add(d, skipImages), imageSize);
- }
- }
-
-@@ -445,9 +452,7 @@ __glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
- /* XXX Should rowLength be used for either or both image? */
- image1size = __glXImageSize(format, type, 0, w, 1, 1,
- 0, rowLength, 0, 0, alignment);
-- image1size = __GLX_PAD(image1size);
- image2size = __glXImageSize(format, type, 0, h, 1, 1,
- 0, rowLength, 0, 0, alignment);
-- return image1size + image2size;
--
-+ return safe_add(safe_pad(image1size), image2size);
- }
---
-2.1.2
-
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-6-6
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-6-6 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8093-6-6 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,34 +0,0 @@
-From 7e7630bbb775573eea2a2335adb9d190c3e1e971 Mon Sep 17 00:00:00 2001
-From: Robert Morell <rmorell at nvidia.com>
-Date: Wed, 12 Nov 2014 18:51:43 -0800
-Subject: [PATCH 32/40] glx: Fix mask truncation in __glXGetAnswerBuffer
- [CVE-2014-8093 6/6]
-
-On a system where sizeof(unsigned) != sizeof(intptr_t), the unary
-bitwise not operation will result in a mask that clears all high bits
-from temp_buf in the expression:
- temp_buf = (temp_buf + mask) & ~mask;
-
-Signed-off-by: Robert Morell <rmorell at nvidia.com>
-Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
----
- glx/indirect_util.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/glx/indirect_util.c b/glx/indirect_util.c
-index de81491..9ba2815 100644
---- glx/indirect_util.c
-+++ glx/indirect_util.c
-@@ -73,7 +73,7 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
- void *local_buffer, size_t local_size, unsigned alignment)
- {
- void *buffer = local_buffer;
-- const unsigned mask = alignment - 1;
-+ const intptr_t mask = alignment - 1;
-
- if (local_size < required_size) {
- size_t worst_case_size;
---
-2.1.2
-
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8094
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8094 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8094 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,35 +0,0 @@
-From 6692670fde081bbfe9313f17d84037ae9116702a Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Wed, 22 Jan 2014 23:40:18 -0800
-Subject: [PATCH 05/40] dri2: integer overflow in ProcDRI2GetBuffers()
- [CVE-2014-8094]
-
-ProcDRI2GetBuffers() tries to validate a length field (count).
-There is an integer overflow in the validation. This can cause
-out of bound reads and memory corruption later on.
-
-Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
-Reviewed-by: Julien Cristau <jcristau at debian.org>
----
- hw/xfree86/dri2/dri2ext.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/xfree86/dri2/dri2ext.c b/hw/xfree86/dri2/dri2ext.c
-index ffd66fa..221ec53 100644
---- hw/xfree86/dri2/dri2ext.c
-+++ hw/xfree86/dri2/dri2ext.c
-@@ -270,6 +270,9 @@ ProcDRI2GetBuffers(ClientPtr client)
- unsigned int *attachments;
-
- REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
-+ if (stuff->count > (INT_MAX / 4))
-+ return BadLength;
-+
- if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
- &pDrawable, &status))
- return status;
---
-2.1.2
-
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8095
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8095 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8095 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,551 +0,0 @@
-From 73c63afb93c0af1bfd1969bf6e71c9edca586c77 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Sun, 26 Jan 2014 10:54:41 -0800
-Subject: [PATCH 07/40] Xi: unvalidated lengths in Xinput extension
- [CVE-2014-8095]
-
-Multiple functions in the Xinput extension handling of requests from
-clients failed to check that the length of the request sent by the
-client was large enough to perform all the required operations and
-thus could read or write to memory outside the bounds of the request
-buffer.
-
-This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE
-macro in include/dix.h for the common case of needing to ensure a
-request is large enough to include both the request itself and a
-minimum amount of extra data following the request header.
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
----
- Xi/chgdctl.c | 8 ++++++--
- Xi/chgfctl.c | 2 ++
- Xi/sendexev.c | 3 +++
- Xi/xiallowev.c | 2 ++
- Xi/xichangecursor.c | 2 +-
- Xi/xichangehierarchy.c | 35 ++++++++++++++++++++++++++++++++---
- Xi/xigetclientpointer.c | 1 +
- Xi/xigrabdev.c | 9 ++++++++-
- Xi/xipassivegrab.c | 12 ++++++++++--
- Xi/xiproperty.c | 14 ++++++--------
- Xi/xiquerydevice.c | 1 +
- Xi/xiquerypointer.c | 2 ++
- Xi/xiselectev.c | 8 ++++++++
- Xi/xisetclientpointer.c | 3 ++-
- Xi/xisetdevfocus.c | 4 ++++
- Xi/xiwarppointer.c | 2 ++
- include/dix.h | 4 ++++
- 17 files changed, 94 insertions(+), 18 deletions(-)
-
-diff --git a/Xi/chgdctl.c b/Xi/chgdctl.c
-index d078aa2..b3ee867 100644
---- Xi/chgdctl.c
-+++ Xi/chgdctl.c
-@@ -78,7 +78,7 @@ SProcXChangeDeviceControl(ClientPtr client)
-
- REQUEST(xChangeDeviceControlReq);
- swaps(&stuff->length);
-- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
-+ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
- swaps(&stuff->control);
- ctl = (xDeviceCtl *) &stuff[1];
- swaps(&ctl->control);
-@@ -115,7 +115,7 @@ ProcXChangeDeviceControl(ClientPtr client)
- xDeviceEnableCtl *e;
-
- REQUEST(xChangeDeviceControlReq);
-- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
-+ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
-
- len = stuff->length - bytes_to_int32(sizeof(xChangeDeviceControlReq));
- ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
-@@ -192,6 +192,10 @@ ProcXChangeDeviceControl(ClientPtr client)
- break;
- case DEVICE_ENABLE:
- e = (xDeviceEnableCtl *) &stuff[1];
-+ if ((len != bytes_to_int32(sizeof(xDeviceEnableCtl)))) {
-+ ret = BadLength;
-+ goto out;
-+ }
-
- if (IsXTestDevice(dev, NULL))
- status = !Success;
-diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
-index 6dcf60c..224c2ba 100644
---- Xi/chgfctl.c
-+++ Xi/chgfctl.c
-@@ -467,6 +467,8 @@ ProcXChangeFeedbackControl(ClientPtr client)
- xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
-
- if (client->swapped) {
-+ if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
-+ return BadLength;
- swaps(&f->num_keysyms);
- }
- if (len !=
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index 3c21386..183f88d 100644
---- Xi/sendexev.c
-+++ Xi/sendexev.c
-@@ -135,6 +135,9 @@ ProcXSendExtensionEvent(ClientPtr client)
- if (ret != Success)
- return ret;
-
-+ if (stuff->num_events == 0)
-+ return ret;
-+
- /* The client's event type must be one defined by an extension. */
-
- first = ((xEvent *) &stuff[1]);
-diff --git a/Xi/xiallowev.c b/Xi/xiallowev.c
-index ebef233..ca263ef 100644
---- Xi/xiallowev.c
-+++ Xi/xiallowev.c
-@@ -48,6 +48,7 @@ int
- SProcXIAllowEvents(ClientPtr client)
- {
- REQUEST(xXIAllowEventsReq);
-+ REQUEST_AT_LEAST_SIZE(xXIAllowEventsReq);
-
- swaps(&stuff->length);
- swaps(&stuff->deviceid);
-@@ -55,6 +56,7 @@ SProcXIAllowEvents(ClientPtr client)
- if (stuff->length > 3) {
- xXI2_2AllowEventsReq *req_xi22 = (xXI2_2AllowEventsReq *) stuff;
-
-+ REQUEST_AT_LEAST_SIZE(xXI2_2AllowEventsReq);
- swapl(&req_xi22->touchid);
- swapl(&req_xi22->grab_window);
- }
-diff --git a/Xi/xichangecursor.c b/Xi/xichangecursor.c
-index 7a1bb7a..8e6255b 100644
---- Xi/xichangecursor.c
-+++ Xi/xichangecursor.c
-@@ -57,11 +57,11 @@ int
- SProcXIChangeCursor(ClientPtr client)
- {
- REQUEST(xXIChangeCursorReq);
-+ REQUEST_SIZE_MATCH(xXIChangeCursorReq);
- swaps(&stuff->length);
- swapl(&stuff->win);
- swapl(&stuff->cursor);
- swaps(&stuff->deviceid);
-- REQUEST_SIZE_MATCH(xXIChangeCursorReq);
- return (ProcXIChangeCursor(client));
- }
-
-diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
-index 9e36354..2732445 100644
---- Xi/xichangehierarchy.c
-+++ Xi/xichangehierarchy.c
-@@ -411,7 +411,7 @@ int
- ProcXIChangeHierarchy(ClientPtr client)
- {
- xXIAnyHierarchyChangeInfo *any;
-- int required_len = sizeof(xXIChangeHierarchyReq);
-+ size_t len; /* length of data remaining in request */
- int rc = Success;
- int flags[MAXDEVICES] = { 0 };
-
-@@ -421,21 +421,46 @@ ProcXIChangeHierarchy(ClientPtr client)
- if (!stuff->num_changes)
- return rc;
-
-+ if (stuff->length > (INT_MAX >> 2))
-+ return BadAlloc;
-+ len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
-+
- any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
- while (stuff->num_changes--) {
-+ if (len < sizeof(xXIAnyHierarchyChangeInfo)) {
-+ rc = BadLength;
-+ goto unwind;
-+ }
-+
- SWAPIF(swaps(&any->type));
- SWAPIF(swaps(&any->length));
-
-- required_len += any->length;
-- if ((stuff->length * 4) < required_len)
-+ if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2)))
- return BadLength;
-
-+#define CHANGE_SIZE_MATCH(type) \
-+ do { \
-+ if ((len < sizeof(type)) || (any->length != (sizeof(type) >> 2))) { \
-+ rc = BadLength; \
-+ goto unwind; \
-+ } \
-+ } while(0)
-+
- switch (any->type) {
- case XIAddMaster:
- {
- xXIAddMasterInfo *c = (xXIAddMasterInfo *) any;
-
-+ /* Variable length, due to appended name string */
-+ if (len < sizeof(xXIAddMasterInfo)) {
-+ rc = BadLength;
-+ goto unwind;
-+ }
- SWAPIF(swaps(&c->name_len));
-+ if (c->name_len > (len - sizeof(xXIAddMasterInfo))) {
-+ rc = BadLength;
-+ goto unwind;
-+ }
-
- rc = add_master(client, c, flags);
- if (rc != Success)
-@@ -446,6 +471,7 @@ ProcXIChangeHierarchy(ClientPtr client)
- {
- xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
-
-+ CHANGE_SIZE_MATCH(xXIRemoveMasterInfo);
- rc = remove_master(client, r, flags);
- if (rc != Success)
- goto unwind;
-@@ -455,6 +481,7 @@ ProcXIChangeHierarchy(ClientPtr client)
- {
- xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
-
-+ CHANGE_SIZE_MATCH(xXIDetachSlaveInfo);
- rc = detach_slave(client, c, flags);
- if (rc != Success)
- goto unwind;
-@@ -464,6 +491,7 @@ ProcXIChangeHierarchy(ClientPtr client)
- {
- xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
-
-+ CHANGE_SIZE_MATCH(xXIAttachSlaveInfo);
- rc = attach_slave(client, c, flags);
- if (rc != Success)
- goto unwind;
-@@ -471,6 +499,7 @@ ProcXIChangeHierarchy(ClientPtr client)
- break;
- }
-
-+ len -= any->length * 4;
- any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
- }
-
-diff --git a/Xi/xigetclientpointer.c b/Xi/xigetclientpointer.c
-index 3c90d58..306dd39 100644
---- Xi/xigetclientpointer.c
-+++ Xi/xigetclientpointer.c
-@@ -50,6 +50,7 @@ int
- SProcXIGetClientPointer(ClientPtr client)
- {
- REQUEST(xXIGetClientPointerReq);
-+ REQUEST_SIZE_MATCH(xXIGetClientPointerReq);
-
- swaps(&stuff->length);
- swapl(&stuff->win);
-diff --git a/Xi/xigrabdev.c b/Xi/xigrabdev.c
-index 63d95bc..e2a2ae3 100644
---- Xi/xigrabdev.c
-+++ Xi/xigrabdev.c
-@@ -47,6 +47,11 @@ int
- SProcXIGrabDevice(ClientPtr client)
- {
- REQUEST(xXIGrabDeviceReq);
-+ /*
-+ * Check here for at least the length of the struct we swap, then
-+ * let ProcXIGrabDevice check the full size after we swap mask_len.
-+ */
-+ REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
-
- swaps(&stuff->length);
- swaps(&stuff->deviceid);
-@@ -71,7 +76,7 @@ ProcXIGrabDevice(ClientPtr client)
- unsigned int pointer_mode;
-
- REQUEST(xXIGrabDeviceReq);
-- REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
-+ REQUEST_FIXED_SIZE(xXIGrabDeviceReq, ((size_t) stuff->mask_len) * 4);
-
- ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess);
- if (ret != Success)
-@@ -131,6 +136,7 @@ int
- SProcXIUngrabDevice(ClientPtr client)
- {
- REQUEST(xXIUngrabDeviceReq);
-+ REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
-
- swaps(&stuff->length);
- swaps(&stuff->deviceid);
-@@ -148,6 +154,7 @@ ProcXIUngrabDevice(ClientPtr client)
- TimeStamp time;
-
- REQUEST(xXIUngrabDeviceReq);
-+ REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
-
- ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGetAttrAccess);
- if (ret != Success)
---- Xi/xipassivegrab.c.orig 2014-04-15 03:01:56.000000000 +0200
-+++ Xi/xipassivegrab.c 2014-12-11 09:00:53.965074134 +0100
-@@ -53,6 +53,7 @@
- uint32_t *mods;
-
- REQUEST(xXIPassiveGrabDeviceReq);
-+ REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
-
- swaps(&stuff->length);
- swaps(&stuff->deviceid);
-@@ -63,7 +64,9 @@
- swaps(&stuff->mask_len);
- swaps(&stuff->num_modifiers);
-
-- mods = (uint32_t *) &stuff[1];
-+ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
-+ ((uint32_t) stuff->mask_len + stuff->num_modifiers) *4);
-+ mods = (uint32_t *) &stuff[1] + stuff->mask_len;
-
- for (i = 0; i < stuff->num_modifiers; i++, mods++) {
- swapl(mods);
-@@ -92,7 +95,8 @@
- int mask_len;
-
- REQUEST(xXIPassiveGrabDeviceReq);
-- REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
-+ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
-+ ((uint32_t) stuff->mask_len + stuff->num_modifiers) * 4);
-
- if (stuff->deviceid == XIAllDevices)
- dev = inputInfo.all_devices;
-@@ -248,6 +252,7 @@
- uint32_t *modifiers;
-
- REQUEST(xXIPassiveUngrabDeviceReq);
-+ REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
-
- swaps(&stuff->length);
- swapl(&stuff->grab_window);
-@@ -255,6 +260,8 @@
- swapl(&stuff->detail);
- swaps(&stuff->num_modifiers);
-
-+ REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
-+ ((uint32_t) stuff->num_modifiers) << 2);
- modifiers = (uint32_t *) &stuff[1];
-
- for (i = 0; i < stuff->num_modifiers; i++, modifiers++)
-@@ -273,7 +280,8 @@
- int i, rc;
-
- REQUEST(xXIPassiveUngrabDeviceReq);
-- REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
-+ REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
-+ ((uint32_t) stuff->num_modifiers) << 2);
-
- if (stuff->deviceid == XIAllDevices)
- dev = inputInfo.all_devices;
-diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
-index 463607d..8e8e4b0 100644
---- Xi/xiproperty.c
-+++ Xi/xiproperty.c
-@@ -1013,10 +1013,9 @@ int
- SProcXListDeviceProperties(ClientPtr client)
- {
- REQUEST(xListDevicePropertiesReq);
-+ REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
-
- swaps(&stuff->length);
--
-- REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
- return (ProcXListDeviceProperties(client));
- }
-
-@@ -1037,10 +1036,10 @@ int
- SProcXDeleteDeviceProperty(ClientPtr client)
- {
- REQUEST(xDeleteDevicePropertyReq);
-+ REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
-
- swaps(&stuff->length);
- swapl(&stuff->property);
-- REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
- return (ProcXDeleteDeviceProperty(client));
- }
-
-@@ -1048,13 +1047,13 @@ int
- SProcXGetDeviceProperty(ClientPtr client)
- {
- REQUEST(xGetDevicePropertyReq);
-+ REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
-
- swaps(&stuff->length);
- swapl(&stuff->property);
- swapl(&stuff->type);
- swapl(&stuff->longOffset);
- swapl(&stuff->longLength);
-- REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
- return (ProcXGetDeviceProperty(client));
- }
-
-@@ -1253,11 +1252,10 @@ int
- SProcXIListProperties(ClientPtr client)
- {
- REQUEST(xXIListPropertiesReq);
-+ REQUEST_SIZE_MATCH(xXIListPropertiesReq);
-
- swaps(&stuff->length);
- swaps(&stuff->deviceid);
--
-- REQUEST_SIZE_MATCH(xXIListPropertiesReq);
- return (ProcXIListProperties(client));
- }
-
-@@ -1279,11 +1277,11 @@ int
- SProcXIDeleteProperty(ClientPtr client)
- {
- REQUEST(xXIDeletePropertyReq);
-+ REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
-
- swaps(&stuff->length);
- swaps(&stuff->deviceid);
- swapl(&stuff->property);
-- REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
- return (ProcXIDeleteProperty(client));
- }
-
-@@ -1291,6 +1289,7 @@ int
- SProcXIGetProperty(ClientPtr client)
- {
- REQUEST(xXIGetPropertyReq);
-+ REQUEST_SIZE_MATCH(xXIGetPropertyReq);
-
- swaps(&stuff->length);
- swaps(&stuff->deviceid);
-@@ -1298,7 +1297,6 @@ SProcXIGetProperty(ClientPtr client)
- swapl(&stuff->type);
- swapl(&stuff->offset);
- swapl(&stuff->len);
-- REQUEST_SIZE_MATCH(xXIGetPropertyReq);
- return (ProcXIGetProperty(client));
- }
-
-diff --git a/Xi/xiquerydevice.c b/Xi/xiquerydevice.c
-index 4e544f0..67a9a4f 100644
---- Xi/xiquerydevice.c
-+++ Xi/xiquerydevice.c
-@@ -54,6 +54,7 @@ int
- SProcXIQueryDevice(ClientPtr client)
- {
- REQUEST(xXIQueryDeviceReq);
-+ REQUEST_SIZE_MATCH(xXIQueryDeviceReq);
-
- swaps(&stuff->length);
- swaps(&stuff->deviceid);
-diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
-index e9bdd42..7ec0c85 100644
---- Xi/xiquerypointer.c
-+++ Xi/xiquerypointer.c
-@@ -63,6 +63,8 @@ int
- SProcXIQueryPointer(ClientPtr client)
- {
- REQUEST(xXIQueryPointerReq);
-+ REQUEST_SIZE_MATCH(xXIQueryPointerReq);
-+
- swaps(&stuff->length);
- swaps(&stuff->deviceid);
- swapl(&stuff->win);
-diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
-index 45a996e..168579f 100644
---- Xi/xiselectev.c
-+++ Xi/xiselectev.c
-@@ -114,6 +114,7 @@ int
- SProcXISelectEvents(ClientPtr client)
- {
- int i;
-+ int len;
- xXIEventMask *evmask;
-
- REQUEST(xXISelectEventsReq);
-@@ -122,10 +123,17 @@ SProcXISelectEvents(ClientPtr client)
- swapl(&stuff->win);
- swaps(&stuff->num_masks);
-
-+ len = stuff->length - bytes_to_int32(sizeof(xXISelectEventsReq));
- evmask = (xXIEventMask *) &stuff[1];
- for (i = 0; i < stuff->num_masks; i++) {
-+ if (len < bytes_to_int32(sizeof(xXIEventMask)))
-+ return BadLength;
-+ len -= bytes_to_int32(sizeof(xXIEventMask));
- swaps(&evmask->deviceid);
- swaps(&evmask->mask_len);
-+ if (len < evmask->mask_len)
-+ return BadLength;
-+ len -= evmask->mask_len;
- evmask =
- (xXIEventMask *) (((char *) &evmask[1]) + evmask->mask_len * 4);
- }
-diff --git a/Xi/xisetclientpointer.c b/Xi/xisetclientpointer.c
-index 38ff51e..24d4a53 100644
---- Xi/xisetclientpointer.c
-+++ Xi/xisetclientpointer.c
-@@ -51,10 +51,11 @@ int
- SProcXISetClientPointer(ClientPtr client)
- {
- REQUEST(xXISetClientPointerReq);
-+ REQUEST_SIZE_MATCH(xXISetClientPointerReq);
-+
- swaps(&stuff->length);
- swapl(&stuff->win);
- swaps(&stuff->deviceid);
-- REQUEST_SIZE_MATCH(xXISetClientPointerReq);
- return (ProcXISetClientPointer(client));
- }
-
-diff --git a/Xi/xisetdevfocus.c b/Xi/xisetdevfocus.c
-index 372ec24..96a9a16 100644
---- Xi/xisetdevfocus.c
-+++ Xi/xisetdevfocus.c
-@@ -44,6 +44,8 @@ int
- SProcXISetFocus(ClientPtr client)
- {
- REQUEST(xXISetFocusReq);
-+ REQUEST_AT_LEAST_SIZE(xXISetFocusReq);
-+
- swaps(&stuff->length);
- swaps(&stuff->deviceid);
- swapl(&stuff->focus);
-@@ -56,6 +58,8 @@ int
- SProcXIGetFocus(ClientPtr client)
- {
- REQUEST(xXIGetFocusReq);
-+ REQUEST_AT_LEAST_SIZE(xXIGetFocusReq);
-+
- swaps(&stuff->length);
- swaps(&stuff->deviceid);
-
-diff --git a/Xi/xiwarppointer.c b/Xi/xiwarppointer.c
-index 3f051f7..780758a 100644
---- Xi/xiwarppointer.c
-+++ Xi/xiwarppointer.c
-@@ -56,6 +56,8 @@ int
- SProcXIWarpPointer(ClientPtr client)
- {
- REQUEST(xXIWarpPointerReq);
-+ REQUEST_SIZE_MATCH(xXIWarpPointerReq);
-+
- swaps(&stuff->length);
- swapl(&stuff->src_win);
- swapl(&stuff->dst_win);
-diff --git a/include/dix.h b/include/dix.h
-index e0c6ed8..21176a8 100644
---- include/dix.h
-+++ include/dix.h
-@@ -74,6 +74,10 @@ SOFTWARE.
- if ((sizeof(req) >> 2) > client->req_len )\
- return(BadLength)
-
-+#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra) \
-+ if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \
-+ return(BadLength)
-+
- #define REQUEST_FIXED_SIZE(req, n)\
- if (((sizeof(req) >> 2) > client->req_len) || \
- ((n >> 2) >= client->req_len) || \
---
-cgit v0.10.2
-
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8096
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8096 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8096 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,27 +0,0 @@
-From 7553082b9b883b5f130044f3d53bce2f0b660e52 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Sun, 26 Jan 2014 17:18:54 -0800
-Subject: [PATCH 08/40] xcmisc: unvalidated length in SProcXCMiscGetXIDList()
- [CVE-2014-8096]
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
----
- Xext/xcmisc.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/Xext/xcmisc.c b/Xext/xcmisc.c
-index 034bfb6..1e91010 100644
---- Xext/xcmisc.c
-+++ Xext/xcmisc.c
-@@ -167,6 +167,7 @@ static int
- SProcXCMiscGetXIDList(ClientPtr client)
- {
- REQUEST(xXCMiscGetXIDListReq);
-+ REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
-
- swaps(&stuff->length);
- swapl(&stuff->count);
---
-2.1.2
-
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8097
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8097 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8097 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,73 +0,0 @@
-From 2ef42519c41e793579c9cea699c866fee3d9321f Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Wed, 22 Jan 2014 23:12:04 -0800
-Subject: [PATCH 06/40] dbe: unvalidated lengths in DbeSwapBuffers calls
- [CVE-2014-8097]
-
-ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read
-from a buffer. The length is never validated, which can lead to out of
-bound reads, and possibly returning the data read from out of bounds to
-the misbehaving client via an X Error packet.
-
-SProcDbeSwapBuffers() swaps data (for correct endianness) before
-handing it off to the real proc. While doing the swapping, the
-length field is not validated, which can cause memory corruption.
-
-v2: reorder checks to avoid compilers optimizing out checks for overflow
-that happen after we'd already have done the overflowing multiplications.
-
-Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
----
- dbe/dbe.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/dbe/dbe.c b/dbe/dbe.c
-index 527588c..df2ad5c 100644
---- dbe/dbe.c
-+++ dbe/dbe.c
-@@ -450,18 +450,20 @@ ProcDbeSwapBuffers(ClientPtr client)
- DbeSwapInfoPtr swapInfo;
- xDbeSwapInfo *dbeSwapInfo;
- int error;
-- register int i, j;
-- int nStuff;
-+ unsigned int i, j;
-+ unsigned int nStuff;
-
- REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
- nStuff = stuff->n; /* use local variable for performance. */
-
- if (nStuff == 0) {
-+ REQUEST_SIZE_MATCH(xDbeSwapBuffersReq);
- return Success;
- }
-
- if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
- return BadAlloc;
-+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));
-
- /* Get to the swap info appended to the end of the request. */
- dbeSwapInfo = (xDbeSwapInfo *) &stuff[1];
-@@ -914,13 +916,16 @@ static int
- SProcDbeSwapBuffers(ClientPtr client)
- {
- REQUEST(xDbeSwapBuffersReq);
-- register int i;
-+ unsigned int i;
- xDbeSwapInfo *pSwapInfo;
-
- swaps(&stuff->length);
- REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
-
- swapl(&stuff->n);
-+ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
-+ return BadAlloc;
-+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
-
- if (stuff->n != 0) {
- pSwapInfo = (xDbeSwapInfo *) stuff + 1;
---
-2.1.2
-
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8097-pt2
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8097-pt2 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8097-pt2 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,50 +0,0 @@
-From b20912c3d45cbbde3c443e6c3d9e189092fe65e1 Mon Sep 17 00:00:00 2001
-From: Keith Packard <keithp at keithp.com>
-Date: Tue, 9 Dec 2014 09:30:57 -0800
-Subject: [PATCH 36/40] dbe: Call to DDX SwapBuffers requires address of int,
- not unsigned int [CVE-2014-8097 pt. 2]
-
-When the local types used to walk the DBE request were changed, this
-changed the type of the parameter passed to the DDX SwapBuffers API,
-but there wasn't a matching change in the API definition.
-
-At this point, with the API frozen, I just stuck a new variable in
-with the correct type. Because we've already bounds-checked nStuff to
-be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will
-fit in a signed int without overflow.
-
-Signed-off-by: Keith Packard <keithp at keithp.com
-Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
----
- dbe/dbe.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/dbe/dbe.c b/dbe/dbe.c
-index df2ad5c..e5d928d 100644
---- dbe/dbe.c
-+++ dbe/dbe.c
-@@ -452,6 +452,7 @@ ProcDbeSwapBuffers(ClientPtr client)
- int error;
- unsigned int i, j;
- unsigned int nStuff;
-+ int nStuff_i; /* DDX API requires int for nStuff */
-
- REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
- nStuff = stuff->n; /* use local variable for performance. */
-@@ -527,9 +528,10 @@ ProcDbeSwapBuffers(ClientPtr client)
- * could deal with cross-screen synchronization.
- */
-
-- while (nStuff > 0) {
-+ nStuff_i = nStuff;
-+ while (nStuff_i > 0) {
- pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow);
-- error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff, swapInfo);
-+ error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff_i, swapInfo);
- if (error != Success) {
- free(swapInfo);
- return error;
---
-2.1.2
-
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-1-8
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-1-8 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-1-8 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,59 +0,0 @@
-From 13d36923e0ddb077f4854e354c3d5c80590b5d9d Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax at redhat.com>
-Date: Mon, 10 Nov 2014 12:13:39 -0500
-Subject: [PATCH 22/40] glx: Fix image size computation for EXT_texture_integer
- [CVE-2014-8098 1/8]
-
-Without this we'd reject the request with BadLength. Note that some old
-versions of Mesa had a bug in the same place, and would _send_ zero
-bytes of image data; these will now be rejected, correctly.
-
-Reviewed-by: Keith Packard <keithp at keithp.com>
-Reviewed-by: Julien Cristau <jcristau at debian.org>
-Reviewed-by: Michal Srb <msrb at suse.com>
-Reviewed-by: Andy Ritger <aritger at nvidia.com>
-Signed-off-by: Adam Jackson <ajax at redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
----
- glx/rensize.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/glx/rensize.c b/glx/rensize.c
-index ba22d10..9ff73c7 100644
---- glx/rensize.c
-+++ glx/rensize.c
-@@ -224,6 +224,11 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
- case GL_ALPHA:
- case GL_LUMINANCE:
- case GL_INTENSITY:
-+ case GL_RED_INTEGER_EXT:
-+ case GL_GREEN_INTEGER_EXT:
-+ case GL_BLUE_INTEGER_EXT:
-+ case GL_ALPHA_INTEGER_EXT:
-+ case GL_LUMINANCE_INTEGER_EXT:
- elementsPerGroup = 1;
- break;
- case GL_422_EXT:
-@@ -234,14 +239,19 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
- case GL_DEPTH_STENCIL_MESA:
- case GL_YCBCR_MESA:
- case GL_LUMINANCE_ALPHA:
-+ case GL_LUMINANCE_ALPHA_INTEGER_EXT:
- elementsPerGroup = 2;
- break;
- case GL_RGB:
- case GL_BGR:
-+ case GL_RGB_INTEGER_EXT:
-+ case GL_BGR_INTEGER_EXT:
- elementsPerGroup = 3;
- break;
- case GL_RGBA:
- case GL_BGRA:
-+ case GL_RGBA_INTEGER_EXT:
-+ case GL_BGRA_INTEGER_EXT:
- case GL_ABGR_EXT:
- elementsPerGroup = 4;
- break;
---
-2.1.2
-
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-2-8
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-2-8 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-2-8 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,75 +0,0 @@
-From be09e0c988ffdb0371293af49fb4ea8f49ed324a Mon Sep 17 00:00:00 2001
-From: Julien Cristau <jcristau at debian.org>
-Date: Mon, 10 Nov 2014 12:13:41 -0500
-Subject: [PATCH 24/40] glx: Length checking for GLXRender requests (v2)
- [CVE-2014-8098 2/8]
-
-v2:
-Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
-
-Reviewed-by: Adam Jackson <ajax at redhat.com>
-Reviewed-by: Michal Srb <msrb at suse.com>
-Reviewed-by: Andy Ritger <aritger at nvidia.com>
-Signed-off-by: Julien Cristau <jcristau at debian.org>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
----
- glx/glxcmds.c | 21 ++++++++++-----------
- 1 file changed, 10 insertions(+), 11 deletions(-)
-
-diff --git a/glx/glxcmds.c b/glx/glxcmds.c
-index ea42e2a..ddd9119 100644
---- glx/glxcmds.c
-+++ glx/glxcmds.c
-@@ -2025,7 +2025,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
- left = (req->length << 2) - sz_xGLXRenderReq;
- while (left > 0) {
- __GLXrenderSizeData entry;
-- int extra;
-+ int extra = 0;
- __GLXdispatchRenderProcPtr proc;
- int err;
-
-@@ -2044,6 +2044,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
- cmdlen = hdr->length;
- opcode = hdr->opcode;
-
-+ if (left < cmdlen)
-+ return BadLength;
-+
- /*
- ** Check for core opcodes and grab entry data.
- */
-@@ -2057,6 +2060,10 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
- return __glXError(GLXBadRenderRequest);
- }
-
-+ if (cmdlen < entry.bytes) {
-+ return BadLength;
-+ }
-+
- if (entry.varsize) {
- /* variable size command */
- extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
-@@ -2064,17 +2071,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
- if (extra < 0) {
- return BadLength;
- }
-- if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
-- return BadLength;
-- }
- }
-- else {
-- /* constant size command */
-- if (cmdlen != __GLX_PAD(entry.bytes)) {
-- return BadLength;
-- }
-- }
-- if (left < cmdlen) {
-+
-+ if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
- return BadLength;
- }
-
---
-2.1.2
-
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-3-8
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-3-8 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-3-8 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,153 +0,0 @@
-From a33a939e6abb255b14d8dbc85fcbd2c55b958bae Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax at redhat.com>
-Date: Mon, 10 Nov 2014 12:13:43 -0500
-Subject: [PATCH 26/40] glx: Length checking for RenderLarge requests (v2)
- [CVE-2014-8098 3/8]
-
-This is a half-measure until we start passing request length into the
-varsize function, but it's better than the nothing we had before.
-
-v2: Verify that there's at least a large render header's worth of
-dataBytes (Julien Cristau)
-
-Reviewed-by: Michal Srb <msrb at suse.com>
-Reviewed-by: Andy Ritger <aritger at nvidia.com>
-Signed-off-by: Adam Jackson <ajax at redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
----
- glx/glxcmds.c | 57 ++++++++++++++++++++++++++++++++++-----------------------
- 1 file changed, 34 insertions(+), 23 deletions(-)
-
---- glx/glxcmds.c.orig 2014-12-10 14:30:17.826442820 +0100
-+++ glx/glxcmds.c 2014-12-10 14:32:34.472432537 +0100
-@@ -2032,6 +2032,8 @@
-
- __GLX_DECLARE_SWAP_VARIABLES;
-
-+ REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq);
-+
- req = (xGLXRenderLargeReq *) pc;
- if (client->swapped) {
- __GLX_SWAP_SHORT(&req->length);
-@@ -2047,12 +2049,14 @@
- __glXResetLargeCommandStatus(cl);
- return error;
- }
-+ if (safe_pad(req->dataBytes) < 0)
-+ return BadLength;
- dataBytes = req->dataBytes;
-
- /*
- ** Check the request length.
- */
-- if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) {
-+ if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) {
- client->errorValue = req->length;
- /* Reset in case this isn't 1st request. */
- __glXResetLargeCommandStatus(cl);
-@@ -2062,7 +2066,7 @@
-
- if (cl->largeCmdRequestsSoFar == 0) {
- __GLXrenderSizeData entry;
-- int extra;
-+ int extra = 0;
- size_t cmdlen;
- int err;
-
-@@ -2075,13 +2079,17 @@
- return __glXError(GLXBadLargeRequest);
- }
-
-+ if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE)
-+ return BadLength;
-+
- hdr = (__GLXrenderLargeHeader *) pc;
- if (client->swapped) {
- __GLX_SWAP_INT(&hdr->length);
- __GLX_SWAP_INT(&hdr->opcode);
- }
-- cmdlen = hdr->length;
- opcode = hdr->opcode;
-+ if ((cmdlen = safe_pad(hdr->length)) < 0)
-+ return BadLength;
-
- /*
- ** Check for core opcodes and grab entry data.
-@@ -2103,17 +2111,13 @@
- if (extra < 0) {
- return BadLength;
- }
-- /* large command's header is 4 bytes longer, so add 4 */
-- if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
-- return BadLength;
-- }
- }
-- else {
-- /* constant size command */
-- if (cmdlen != __GLX_PAD(entry.bytes + 4)) {
-- return BadLength;
-- }
-+
-+ /* the +4 is safe because we know entry.bytes is small */
-+ if (cmdlen != safe_pad(safe_add(entry.bytes + 4, extra))) {
-+ return BadLength;
- }
-+
- /*
- ** Make enough space in the buffer, then copy the entire request.
- */
-@@ -2143,6 +2147,7 @@
- ** We are receiving subsequent (i.e. not the first) requests of a
- ** multi request command.
- */
-+ int bytesSoFar; /* including this packet */
-
- /*
- ** Check the request number and the total request count.
-@@ -2161,11 +2166,18 @@
- /*
- ** Check that we didn't get too much data.
- */
-- if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) {
-+ if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) {
-+ client->errorValue = dataBytes;
-+ __glXResetLargeCommandStatus(cl);
-+ return __glXError(GLXBadLargeRequest);
-+ }
-+
-+ if (bytesSoFar > cl->largeCmdBytesTotal) {
- client->errorValue = dataBytes;
- __glXResetLargeCommandStatus(cl);
- return __glXError(GLXBadLargeRequest);
- }
-+
- memcpy(cl->largeCmdBuf + cl->largeCmdBytesSoFar, pc, dataBytes);
- cl->largeCmdBytesSoFar += dataBytes;
- cl->largeCmdRequestsSoFar++;
-@@ -2177,17 +2189,16 @@
- ** This is the last request; it must have enough bytes to complete
- ** the command.
- */
-- /* NOTE: the two pad macros have been added below; they are needed
-- ** because the client library pads the total byte count, but not
-- ** the per-request byte counts. The Protocol Encoding says the
-- ** total byte count should not be padded, so a proposal will be
-- ** made to the ARB to relax the padding constraint on the total
-- ** byte count, thus preserving backward compatibility. Meanwhile,
-- ** the padding done below fixes a bug that did not allow
-- ** large commands of odd sizes to be accepted by the server.
-+ /* NOTE: the pad macro below is needed because the client library
-+ ** pads the total byte count, but not the per-request byte counts.
-+ ** The Protocol Encoding says the total byte count should not be
-+ ** padded, so a proposal will be made to the ARB to relax the
-+ ** padding constraint on the total byte count, thus preserving
-+ ** backward compatibility. Meanwhile, the padding done below
-+ ** fixes a bug that did not allow large commands of odd sizes to
-+ ** be accepted by the server.
- */
-- if (__GLX_PAD(cl->largeCmdBytesSoFar) !=
-- __GLX_PAD(cl->largeCmdBytesTotal)) {
-+ if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) {
- client->errorValue = dataBytes;
- __glXResetLargeCommandStatus(cl);
- return __glXError(GLXBadLargeRequest);
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-4-8
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-4-8 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-4-8 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,51 +0,0 @@
-From c91e4abc3b892f42802efa20fef7ada442c2d3f5 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax at redhat.com>
-Date: Mon, 10 Nov 2014 12:13:44 -0500
-Subject: [PATCH 27/40] glx: Top-level length checking for swapped
- VendorPrivate requests [CVE-2014-8098 4/8]
-
-Reviewed-by: Keith Packard <keithp at keithp.com>
-Reviewed-by: Julien Cristau <jcristau at debian.org>
-Reviewed-by: Michal Srb <msrb at suse.com>
-Reviewed-by: Andy Ritger <aritger at nvidia.com>
-Signed-off-by: Adam Jackson <ajax at redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
----
- glx/glxcmdsswap.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
-index 5d179f3..9ec1222 100644
---- glx/glxcmdsswap.c
-+++ glx/glxcmdsswap.c
-@@ -958,11 +958,13 @@ __glXDispSwap_RenderLarge(__GLXclientState * cl, GLbyte * pc)
- int
- __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
- {
-+ ClientPtr client = cl->client;
- xGLXVendorPrivateReq *req;
- GLint vendorcode;
- __GLXdispatchVendorPrivProcPtr proc;
-
- __GLX_DECLARE_SWAP_VARIABLES;
-+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
-
- req = (xGLXVendorPrivateReq *) pc;
- __GLX_SWAP_SHORT(&req->length);
-@@ -985,11 +987,13 @@ __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
- int
- __glXDispSwap_VendorPrivateWithReply(__GLXclientState * cl, GLbyte * pc)
- {
-+ ClientPtr client = cl->client;
- xGLXVendorPrivateWithReplyReq *req;
- GLint vendorcode;
- __GLXdispatchVendorPrivProcPtr proc;
-
- __GLX_DECLARE_SWAP_VARIABLES;
-+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq);
-
- req = (xGLXVendorPrivateWithReplyReq *) pc;
- __GLX_SWAP_SHORT(&req->length);
---
-2.1.2
-
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-6-8
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-6-8 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-6-8 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,45 +0,0 @@
-From 44ba149f28ece93c2fbfc9cc980588de5322dd4b Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax at redhat.com>
-Date: Mon, 10 Nov 2014 12:13:46 -0500
-Subject: [PATCH 29/40] glx: Length-checking for non-generated vendor private
- requests [CVE-2014-8098 6/8]
-
-Reviewed-by: Keith Packard <keithp at keithp.com>
-Reviewed-by: Michal Srb <msrb at suse.com>
-Reviewed-by: Andy Ritger <aritger at nvidia.com>
-Signed-off-by: Adam Jackson <ajax at redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
----
- glx/indirect_program.c | 2 ++
- glx/swap_interval.c | 2 ++
- 2 files changed, 4 insertions(+)
-
-diff --git a/glx/indirect_program.c b/glx/indirect_program.c
-index cda139e..5caee7b 100644
---- glx/indirect_program.c
-+++ glx/indirect_program.c
-@@ -56,6 +56,8 @@ DoGetProgramString(struct __GLXclientStateRec *cl, GLbyte * pc,
- __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
- ClientPtr client = cl->client;
-
-+ REQUEST_FIXED_SIZE(xGLXVendorPrivateWithReplyReq, 8);
-+
- pc += __GLX_VENDPRIV_HDR_SIZE;
- if (cx != NULL) {
- GLenum target;
-diff --git a/glx/swap_interval.c b/glx/swap_interval.c
-index 17bc992..2320550 100644
---- glx/swap_interval.c
-+++ glx/swap_interval.c
-@@ -46,6 +46,8 @@ DoSwapInterval(__GLXclientState * cl, GLbyte * pc, int do_swap)
- __GLXcontext *cx;
- GLint interval;
-
-+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 4);
-+
- cx = __glXLookupContextByTag(cl, tag);
-
- if ((cx == NULL) || (cx->pGlxScreen == NULL)) {
---
-2.1.2
-
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-7-8
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-7-8 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-7-8 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,553 +0,0 @@
-From 984583a497c813df5827ae22483133e704fee79c Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax at redhat.com>
-Date: Mon, 10 Nov 2014 12:13:47 -0500
-Subject: [PATCH 30/40] glx: Length checking for non-generated single requests
- (v2) [CVE-2014-8098 7/8]
-
-v2:
-Fix single versus vendor-private length checking for ARB_imaging subset
-extensions. (Julien Cristau)
-
-v3:
-Fix single versus vendor-private length checking for ARB_imaging subset
-extensions. (Julien Cristau)
-
-Reviewed-by: Michal Srb <msrb at suse.com>
-Reviewed-by: Andy Ritger <aritger at nvidia.com>
-Signed-off-by: Adam Jackson <ajax at redhat.com>
-Signed-off-by: Julien Cristau <jcristau at debian.org>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
----
- glx/indirect_texture_compression.c | 4 ++++
- glx/single2.c | 23 +++++++++++++++-----
- glx/single2swap.c | 19 ++++++++++++----
- glx/singlepix.c | 44 +++++++++++++++++++++++++-------------
- glx/singlepixswap.c | 34 ++++++++++++++++++++++++-----
- 5 files changed, 95 insertions(+), 29 deletions(-)
-
-diff --git a/glx/indirect_texture_compression.c b/glx/indirect_texture_compression.c
-index cda7656..1ebf7f3 100644
---- glx/indirect_texture_compression.c
-+++ glx/indirect_texture_compression.c
-@@ -43,6 +43,8 @@ __glXDisp_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
- __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
- ClientPtr client = cl->client;
-
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
-+
- pc += __GLX_SINGLE_HDR_SIZE;
- if (cx != NULL) {
- const GLenum target = *(GLenum *) (pc + 0);
-@@ -87,6 +89,8 @@ __glXDispSwap_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
- __glXForceCurrent(cl, bswap_32(req->contextTag), &error);
- ClientPtr client = cl->client;
-
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
-+
- pc += __GLX_SINGLE_HDR_SIZE;
- if (cx != NULL) {
- const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0));
---- glx/single2.c.orig 2014-04-15 03:01:57.000000000 +0200
-+++ glx/single2.c 2014-12-11 09:08:22.788060618 +0100
-@@ -49,11 +49,14 @@
- int
- __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
- {
-+ ClientPtr client = cl->client;
- GLsizei size;
- GLenum type;
- __GLXcontext *cx;
- int error;
-
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
-+
- cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
- if (!cx) {
- return error;
-@@ -80,10 +83,13 @@
- int
- __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
- {
-+ ClientPtr client = cl->client;
- __GLXcontext *cx;
- GLsizei size;
- int error;
-
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
-+
- cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
- if (!cx) {
- return error;
-@@ -108,7 +114,7 @@
- int
- __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
- {
-- ClientPtr client;
-+ ClientPtr client = cl->client;
- xGLXRenderModeReply reply;
- __GLXcontext *cx;
- GLint nitems = 0, retBytes = 0, retval, newModeCheck;
-@@ -116,6 +122,8 @@
- GLenum newMode;
- int error;
-
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
-+
- cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
- if (!cx) {
- return error;
-@@ -192,7 +200,6 @@
- ** selection array, as per the API for glRenderMode itself.
- */
- noChangeAllowed:;
-- client = cl->client;
- reply = (xGLXRenderModeReply) {
- .type = X_Reply,
- .sequenceNumber = client->sequence,
-@@ -211,9 +218,12 @@
- int
- __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
- {
-+ ClientPtr client = cl->client;
- __GLXcontext *cx;
- int error;
-
-+ REQUEST_SIZE_MATCH(xGLXSingleReq);
-+
- cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
- if (!cx) {
- return error;
-@@ -227,10 +237,12 @@
- int
- __glXDisp_Finish(__GLXclientState * cl, GLbyte * pc)
- {
-+ ClientPtr client = cl->client;
- __GLXcontext *cx;
-- ClientPtr client;
- int error;
-
-+ REQUEST_SIZE_MATCH(xGLXSingleReq);
-+
- cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
- if (!cx) {
- return error;
-@@ -321,7 +332,7 @@
- int
- DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
- {
-- ClientPtr client;
-+ ClientPtr client = cl->client;
- __GLXcontext *cx;
- GLenum name;
- const char *string;
-@@ -331,6 +342,8 @@
- char *buf = NULL, *buf1 = NULL;
- GLint length = 0;
-
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
-+
- /* If the client has the opposite byte order, swap the contextTag and
- * the name.
- */
-@@ -347,7 +360,6 @@
- pc += __GLX_SINGLE_HDR_SIZE;
- name = *(GLenum *) (pc + 0);
- string = (const char *) CALL_GetString(GET_DISPATCH(), (name));
-- client = cl->client;
-
- if (string == NULL)
- string = "";
---- glx/single2swap.c.orig 2014-04-15 03:01:57.000000000 +0200
-+++ glx/single2swap.c 2014-12-11 09:05:12.670056539 +0100
-@@ -45,6 +45,7 @@
- int
- __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
- {
-+ ClientPtr client = cl->client;
- GLsizei size;
- GLenum type;
-
-@@ -52,6 +53,8 @@
- __GLXcontext *cx;
- int error;
-
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
-+
- __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
- cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
- if (!cx) {
-@@ -81,12 +84,15 @@
- int
- __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
- {
-+ ClientPtr client = cl->client;
- __GLXcontext *cx;
- GLsizei size;
-
- __GLX_DECLARE_SWAP_VARIABLES;
- int error;
-
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
-+
- __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
- cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
- if (!cx) {
-@@ -113,7 +119,7 @@
- int
- __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
- {
-- ClientPtr client;
-+ ClientPtr client = cl->client;
- __GLXcontext *cx;
- xGLXRenderModeReply reply;
- GLint nitems = 0, retBytes = 0, retval, newModeCheck;
-@@ -124,6 +130,8 @@
- __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
- int error;
-
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
-+
- __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
- cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
- if (!cx) {
-@@ -204,7 +212,6 @@
- ** selection array, as per the API for glRenderMode itself.
- */
- noChangeAllowed:;
-- client = cl->client;
- reply = (xGLXRenderModeReply) {
- .type = X_Reply,
- .sequenceNumber = client->sequence,
-@@ -228,11 +235,14 @@
- int
- __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
- {
-+ ClientPtr client = cl->client;
- __GLXcontext *cx;
- int error;
-
- __GLX_DECLARE_SWAP_VARIABLES;
-
-+ REQUEST_SIZE_MATCH(xGLXSingleReq);
-+
- __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
- cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
- if (!cx) {
-@@ -247,12 +257,14 @@
- int
- __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
- {
-+ ClientPtr client = cl->client;
- __GLXcontext *cx;
-- ClientPtr client;
- int error;
-
- __GLX_DECLARE_SWAP_VARIABLES;
-
-+ REQUEST_SIZE_MATCH(xGLXSingleReq);
-+
- __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
- cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
- if (!cx) {
-@@ -264,7 +276,6 @@
- cx->hasUnflushedCommands = GL_FALSE;
-
- /* Send empty reply packet to indicate finish is finished */
-- client = cl->client;
- __GLX_BEGIN_REPLY(0);
- __GLX_PUT_RETVAL(0);
- __GLX_SWAP_REPLY_HEADER();
---- glx/singlepix.c.orig 2014-12-11 09:04:51.072058678 +0100
-+++ glx/singlepix.c 2014-12-11 09:10:51.484033826 +0100
-@@ -55,6 +55,8 @@
- int error;
- char *answer, answerBuffer[200];
-
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
-+
- cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
- if (!cx) {
- return error;
-@@ -107,6 +109,8 @@
- char *answer, answerBuffer[200];
- GLint width = 0, height = 0, depth = 1;
-
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
-+
- cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
- if (!cx) {
- return error;
-@@ -169,6 +173,8 @@
- GLubyte answerBuffer[200];
- char *answer;
-
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
-+
- cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
- if (!cx) {
- return error;
-@@ -231,15 +237,13 @@
- compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
- compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
-
-- if (compsize < 0)
-+ if ((compsize = safe_pad(compsize)) < 0)
- return BadLength;
-- if (compsize2 < 0)
-+ if ((compsize2 = safe_pad(compsize2)) < 0)
- return BadLength;
-- compsize = __GLX_PAD(compsize);
-- compsize2 = __GLX_PAD(compsize2);
-
- CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
-- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
-+ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
- __glXClearErrorOccured();
- CALL_GetSeparableFilter(GET_DISPATCH(), (*(GLenum *) (pc + 0),
- *(GLenum *) (pc + 4),
-@@ -265,7 +269,8 @@
- __glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
- {
- const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
--
-+ ClientPtr client = cl->client;
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
- return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
-
-@@ -273,7 +278,8 @@
- __glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
- {
- const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
--
-+ ClientPtr client = cl->client;
-+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
- return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
-
-@@ -343,7 +349,8 @@
- __glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
- {
- const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
--
-+ ClientPtr client = cl->client;
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
- return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
-
-@@ -351,7 +358,8 @@
- __glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
- {
- const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
--
-+ ClientPtr client = cl->client;
-+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
- return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
-
-@@ -411,7 +419,8 @@
- __glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc)
- {
- const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
--
-+ ClientPtr client = cl->client;
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
- return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
-
-@@ -419,7 +428,8 @@
- __glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
- {
- const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
--
-+ ClientPtr client = cl->client;
-+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
- return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
-
-@@ -471,7 +481,8 @@
- __glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc)
- {
- const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
--
-+ ClientPtr client = cl->client;
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
- return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
-
-@@ -479,7 +490,8 @@
- __glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
- {
- const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
--
-+ ClientPtr client = cl->client;
-+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
- return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
-
-@@ -540,7 +552,8 @@
- __glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc)
- {
- const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
--
-+ ClientPtr client = cl->client;
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
- return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
-
-@@ -548,6 +561,7 @@
- __glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
- {
- const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
--
-+ ClientPtr client = cl->client;
-+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
- return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
---- glx/singlepixswap.c.orig 2014-12-11 09:04:51.073058638 +0100
-+++ glx/singlepixswap.c 2014-12-11 09:12:14.151301716 +0100
-@@ -57,6 +57,8 @@
- int error;
- char *answer, answerBuffer[200];
-
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
-+
- __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
- cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
- if (!cx) {
-@@ -122,6 +124,8 @@
- char *answer, answerBuffer[200];
- GLint width = 0, height = 0, depth = 1;
-
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
-+
- __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
- cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
- if (!cx) {
-@@ -197,6 +201,8 @@
-
- __GLX_DECLARE_SWAP_VARIABLES;
-
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
-+
- __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
- cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
- if (!cx) {
-@@ -266,15 +272,13 @@
- compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
- compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
-
-- if (compsize < 0)
-+ if ((compsize =safe_pad(compsize)) < 0)
- return BadLength;
-- if (compsize2 < 0)
-+ if ((compsize2 = safe_pad(compsize2)) < 0)
- return BadLength;
-- compsize = __GLX_PAD(compsize);
-- compsize2 = __GLX_PAD(compsize2);
-
- CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes));
-- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
-+ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
- __glXClearErrorOccured();
- CALL_GetSeparableFilter(GET_DISPATCH(), (*(GLenum *) (pc + 0),
- *(GLenum *) (pc + 4),
-@@ -302,7 +306,9 @@
- __glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
- {
- const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-+ ClientPtr client = cl->client;
-
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
- return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
-
-@@ -310,7 +316,9 @@
- __glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
- {
- const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-+ ClientPtr client = cl->client;
-
-+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
- return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
-
-@@ -388,7 +396,9 @@
- __glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
- {
- const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-+ ClientPtr client = cl->client;
-
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
- return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
-
-@@ -396,7 +406,9 @@
- __glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
- {
- const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-+ ClientPtr client = cl->client;
-
-+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
- return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
-
-@@ -463,7 +475,9 @@
- __glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc)
- {
- const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-+ ClientPtr client = cl->client;
-
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
- return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
-
-@@ -471,7 +485,9 @@
- __glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
- {
- const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-+ ClientPtr client = cl->client;
-
-+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
- return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
-
-@@ -529,7 +545,9 @@
- __glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc)
- {
- const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-+ ClientPtr client = cl->client;
-
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
- return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
-
-@@ -537,7 +555,9 @@
- __glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
- {
- const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-+ ClientPtr client = cl->client;
-
-+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
- return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
-
-@@ -605,7 +625,9 @@
- __glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc)
- {
- const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-+ ClientPtr client = cl->client;
-
-+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
- return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
-
-@@ -613,6 +635,8 @@
- __glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
- {
- const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-+ ClientPtr client = cl->client;
-
-+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
- return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-8-8
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-8-8 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8098-8-8 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,964 +0,0 @@
-From e883c170c15493ab3637c0a01890f5a7ca4e16a5 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax at redhat.com>
-Date: Mon, 10 Nov 2014 12:13:48 -0500
-Subject: [PATCH 31/40] glx: Pass remaining request length into ->varsize (v2)
- [CVE-2014-8098 8/8]
-
-v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
-
-Reviewed-by: Julien Cristau <jcristau at debian.org>
-Reviewed-by: Michal Srb <msrb at suse.com>
-Reviewed-by: Andy Ritger <aritger at nvidia.com>
-Signed-off-by: Adam Jackson <ajax at redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
----
- glx/glxcmds.c | 7 +-
- glx/glxserver.h | 2 +-
- glx/indirect_reqsize.c | 142 +++++++++++++++++++-------------------
- glx/indirect_reqsize.h | 181 ++++++++++++++++++++++++++++++-------------------
- glx/rensize.c | 27 +++++---
- 5 files changed, 205 insertions(+), 154 deletions(-)
-
---- glx/glxcmds.c.orig 2014-12-10 15:58:29.877078381 +0100
-+++ glx/glxcmds.c 2014-12-10 16:02:02.578063888 +0100
-@@ -1990,7 +1990,8 @@
- if (entry.varsize) {
- /* variable size command */
- extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
-- client->swapped);
-+ client->swapped,
-+ left - __GLX_RENDER_HDR_SIZE);
- if (extra < 0) {
- return BadLength;
- }
-@@ -2067,6 +2068,7 @@
- if (cl->largeCmdRequestsSoFar == 0) {
- __GLXrenderSizeData entry;
- int extra = 0;
-+ int left = (req->length << 2) - sz_xGLXRenderLargeReq;
- size_t cmdlen;
- int err;
-
-@@ -2107,7 +2109,8 @@
- ** will be in the 1st request, so it's okay to do this.
- */
- extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
-- client->swapped);
-+ client->swapped,
-+ left - __GLX_RENDER_LARGE_HDR_SIZE);
- if (extra < 0) {
- return BadLength;
- }
---- glx/glxserver.h.orig 2012-05-17 19:09:02.000000000 +0200
-+++ glx/glxserver.h 2014-12-10 14:55:50.575337222 +0100
-@@ -167,7 +167,7 @@
- /*
- * Tables for computing the size of each rendering command.
- */
--typedef int (*gl_proto_size_func) (const GLbyte *, Bool);
-+typedef int (*gl_proto_size_func) (const GLbyte *, Bool, int);
-
- typedef struct {
- int bytes;
---- glx/indirect_reqsize.c.orig 2012-05-17 19:09:02.000000000 +0200
-+++ glx/indirect_reqsize.c 2014-12-10 15:28:31.264202211 +0100
-@@ -31,24 +31,22 @@
- #include "indirect_size.h"
- #include "indirect_reqsize.h"
-
--#define __GLX_PAD(x) (((x) + 3) & ~3)
--
- #if defined(__CYGWIN__) || defined(__MINGW32__)
- #undef HAVE_ALIAS
- #endif
- #ifdef HAVE_ALIAS
- #define ALIAS2(from,to) \
-- GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
-+ GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
- __attribute__ ((alias( # to )));
- #define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize )
- #else
- #define ALIAS(from,to) \
-- GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
-- { return __glX ## to ## ReqSize( pc, swap ); }
-+ GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
-+ { return __glX ## to ## ReqSize( pc, swap, reqlen ); }
- #endif
-
- int
--__glXCallListsReqSize(const GLbyte * pc, Bool swap)
-+__glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLsizei n = *(GLsizei *) (pc + 0);
- GLenum type = *(GLenum *) (pc + 4);
-@@ -60,11 +58,11 @@
- }
-
- compsize = __glCallLists_size(type);
-- return __GLX_PAD((compsize * n));
-+ return safe_pad(safe_mul(compsize, n));
- }
-
- int
--__glXBitmapReqSize(const GLbyte * pc, Bool swap)
-+__glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLint row_length = *(GLint *) (pc + 4);
- GLint image_height = 0;
-@@ -88,7 +86,7 @@
- }
-
- int
--__glXFogfvReqSize(const GLbyte * pc, Bool swap)
-+__glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLenum pname = *(GLenum *) (pc + 0);
- GLsizei compsize;
-@@ -98,11 +96,11 @@
- }
-
- compsize = __glFogfv_size(pname);
-- return __GLX_PAD((compsize * 4));
-+ return safe_pad(safe_mul(compsize, 4));
- }
-
- int
--__glXLightfvReqSize(const GLbyte * pc, Bool swap)
-+__glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLenum pname = *(GLenum *) (pc + 4);
- GLsizei compsize;
-@@ -112,11 +110,11 @@
- }
-
- compsize = __glLightfv_size(pname);
-- return __GLX_PAD((compsize * 4));
-+ return safe_pad(safe_mul(compsize, 4));
- }
-
- int
--__glXLightModelfvReqSize(const GLbyte * pc, Bool swap)
-+__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLenum pname = *(GLenum *) (pc + 0);
- GLsizei compsize;
-@@ -126,11 +124,11 @@
- }
-
- compsize = __glLightModelfv_size(pname);
-- return __GLX_PAD((compsize * 4));
-+ return safe_pad(safe_mul(compsize, 4));
- }
-
- int
--__glXMaterialfvReqSize(const GLbyte * pc, Bool swap)
-+__glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLenum pname = *(GLenum *) (pc + 4);
- GLsizei compsize;
-@@ -140,11 +138,11 @@
- }
-
- compsize = __glMaterialfv_size(pname);
-- return __GLX_PAD((compsize * 4));
-+ return safe_pad(safe_mul(compsize, 4));
- }
-
- int
--__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap)
-+__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLint row_length = *(GLint *) (pc + 4);
- GLint image_height = 0;
-@@ -164,7 +162,7 @@
- }
-
- int
--__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap)
-+__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLenum pname = *(GLenum *) (pc + 4);
- GLsizei compsize;
-@@ -174,11 +172,11 @@
- }
-
- compsize = __glTexParameterfv_size(pname);
-- return __GLX_PAD((compsize * 4));
-+ return safe_pad(safe_mul(compsize, 4));
- }
-
- int
--__glXTexImage1DReqSize(const GLbyte * pc, Bool swap)
-+__glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLint row_length = *(GLint *) (pc + 4);
- GLint image_height = 0;
-@@ -206,7 +204,7 @@
- }
-
- int
--__glXTexImage2DReqSize(const GLbyte * pc, Bool swap)
-+__glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLint row_length = *(GLint *) (pc + 4);
- GLint image_height = 0;
-@@ -236,7 +234,7 @@
- }
-
- int
--__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap)
-+__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLenum pname = *(GLenum *) (pc + 4);
- GLsizei compsize;
-@@ -246,11 +244,11 @@
- }
-
- compsize = __glTexEnvfv_size(pname);
-- return __GLX_PAD((compsize * 4));
-+ return safe_pad(safe_mul(compsize, 4));
- }
-
- int
--__glXTexGendvReqSize(const GLbyte * pc, Bool swap)
-+__glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLenum pname = *(GLenum *) (pc + 4);
- GLsizei compsize;
-@@ -260,11 +258,11 @@
- }
-
- compsize = __glTexGendv_size(pname);
-- return __GLX_PAD((compsize * 8));
-+ return safe_pad(safe_mul(compsize, 8));
- }
-
- int
--__glXTexGenfvReqSize(const GLbyte * pc, Bool swap)
-+__glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLenum pname = *(GLenum *) (pc + 4);
- GLsizei compsize;
-@@ -274,11 +272,11 @@
- }
-
- compsize = __glTexGenfv_size(pname);
-- return __GLX_PAD((compsize * 4));
-+ return safe_pad(safe_mul(compsize, 4));
- }
-
- int
--__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap)
-+__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLsizei mapsize = *(GLsizei *) (pc + 4);
-
-@@ -286,11 +284,11 @@
- mapsize = bswap_32(mapsize);
- }
-
-- return __GLX_PAD((mapsize * 4));
-+ return safe_pad(safe_mul(mapsize, 4));
- }
-
- int
--__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap)
-+__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLsizei mapsize = *(GLsizei *) (pc + 4);
-
-@@ -298,11 +296,11 @@
- mapsize = bswap_32(mapsize);
- }
-
-- return __GLX_PAD((mapsize * 2));
-+ return safe_pad(safe_mul(mapsize, 2));
- }
-
- int
--__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap)
-+__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLint row_length = *(GLint *) (pc + 4);
- GLint image_height = 0;
-@@ -330,7 +328,7 @@
- }
-
- int
--__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap)
-+__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLsizei n = *(GLsizei *) (pc + 0);
-
-@@ -338,11 +336,11 @@
- n = bswap_32(n);
- }
-
-- return __GLX_PAD((n * 4) + (n * 4));
-+ return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4)));
- }
-
- int
--__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap)
-+__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLint row_length = *(GLint *) (pc + 4);
- GLint image_height = 0;
-@@ -370,7 +368,7 @@
- }
-
- int
--__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap)
-+__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLint row_length = *(GLint *) (pc + 4);
- GLint image_height = 0;
-@@ -400,7 +398,7 @@
- }
-
- int
--__glXColorTableReqSize(const GLbyte * pc, Bool swap)
-+__glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLint row_length = *(GLint *) (pc + 4);
- GLint image_height = 0;
-@@ -428,7 +426,7 @@
- }
-
- int
--__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap)
-+__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLenum pname = *(GLenum *) (pc + 4);
- GLsizei compsize;
-@@ -438,11 +436,11 @@
- }
-
- compsize = __glColorTableParameterfv_size(pname);
-- return __GLX_PAD((compsize * 4));
-+ return safe_pad(safe_mul(compsize, 4));
- }
-
- int
--__glXColorSubTableReqSize(const GLbyte * pc, Bool swap)
-+__glXColorSubTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLint row_length = *(GLint *) (pc + 4);
- GLint image_height = 0;
-@@ -470,7 +468,7 @@
- }
-
- int
--__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap)
-+__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLint row_length = *(GLint *) (pc + 4);
- GLint image_height = 0;
-@@ -498,7 +496,7 @@
- }
-
- int
--__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap)
-+__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLint row_length = *(GLint *) (pc + 4);
- GLint image_height = 0;
-@@ -528,7 +526,7 @@
- }
-
- int
--__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap)
-+__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLenum pname = *(GLenum *) (pc + 4);
- GLsizei compsize;
-@@ -538,11 +536,11 @@
- }
-
- compsize = __glConvolutionParameterfv_size(pname);
-- return __GLX_PAD((compsize * 4));
-+ return safe_pad(safe_mul(compsize, 4));
- }
-
- int
--__glXTexImage3DReqSize(const GLbyte * pc, Bool swap)
-+__glXTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLint row_length = *(GLint *) (pc + 4);
- GLint image_height = *(GLint *) (pc + 8);
-@@ -579,7 +577,7 @@
- }
-
- int
--__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
-+__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLint row_length = *(GLint *) (pc + 4);
- GLint image_height = *(GLint *) (pc + 8);
-@@ -613,7 +611,7 @@
- }
-
- int
--__glXCompressedTexImage1DARBReqSize(const GLbyte * pc, Bool swap)
-+__glXCompressedTexImage1DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLsizei imageSize = *(GLsizei *) (pc + 20);
-
-@@ -621,11 +619,11 @@
- imageSize = bswap_32(imageSize);
- }
-
-- return __GLX_PAD(imageSize);
-+ return safe_pad(imageSize);
- }
-
- int
--__glXCompressedTexImage2DARBReqSize(const GLbyte * pc, Bool swap)
-+__glXCompressedTexImage2DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLsizei imageSize = *(GLsizei *) (pc + 24);
-
-@@ -633,11 +631,11 @@
- imageSize = bswap_32(imageSize);
- }
-
-- return __GLX_PAD(imageSize);
-+ return safe_pad(imageSize);
- }
-
- int
--__glXCompressedTexImage3DARBReqSize(const GLbyte * pc, Bool swap)
-+__glXCompressedTexImage3DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLsizei imageSize = *(GLsizei *) (pc + 28);
-
-@@ -645,11 +643,11 @@
- imageSize = bswap_32(imageSize);
- }
-
-- return __GLX_PAD(imageSize);
-+ return safe_pad(imageSize);
- }
-
- int
--__glXCompressedTexSubImage3DARBReqSize(const GLbyte * pc, Bool swap)
-+__glXCompressedTexSubImage3DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLsizei imageSize = *(GLsizei *) (pc + 36);
-
-@@ -657,11 +655,11 @@
- imageSize = bswap_32(imageSize);
- }
-
-- return __GLX_PAD(imageSize);
-+ return safe_pad(imageSize);
- }
-
- int
--__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap)
-+__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLsizei len = *(GLsizei *) (pc + 8);
-
-@@ -669,11 +667,11 @@
- len = bswap_32(len);
- }
-
-- return __GLX_PAD(len);
-+ return safe_pad(len);
- }
-
- int
--__glXDrawBuffersARBReqSize(const GLbyte * pc, Bool swap)
-+__glXDrawBuffersARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLsizei n = *(GLsizei *) (pc + 0);
-
-@@ -681,11 +679,11 @@
- n = bswap_32(n);
- }
-
-- return __GLX_PAD((n * 4));
-+ return safe_pad(safe_mul(n, 4));
- }
-
- int
--__glXPointParameterfvEXTReqSize(const GLbyte * pc, Bool swap)
-+__glXPointParameterfvEXTReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLenum pname = *(GLenum *) (pc + 0);
- GLsizei compsize;
-@@ -695,11 +693,11 @@
- }
-
- compsize = __glPointParameterfvEXT_size(pname);
-- return __GLX_PAD((compsize * 4));
-+ return safe_pad(safe_mul(compsize, 4));
- }
-
- int
--__glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap)
-+__glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLsizei num = *(GLsizei *) (pc + 8);
-
-@@ -707,11 +705,11 @@
- num = bswap_32(num);
- }
-
-- return __GLX_PAD((num * 32));
-+ return safe_pad(safe_mul(num, 32));
- }
-
- int
--__glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap)
-+__glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLsizei num = *(GLsizei *) (pc + 8);
-
-@@ -719,11 +717,11 @@
- num = bswap_32(num);
- }
-
-- return __GLX_PAD((num * 16));
-+ return safe_pad(safe_mul(num, 16));
- }
-
- int
--__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap)
-+__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLsizei n = *(GLsizei *) (pc + 4);
-
-@@ -731,11 +729,11 @@
- n = bswap_32(n);
- }
-
-- return __GLX_PAD((n * 8));
-+ return safe_pad(safe_mul(n, 8));
- }
-
- int
--__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap)
-+__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLsizei n = *(GLsizei *) (pc + 4);
-
-@@ -743,11 +741,11 @@
- n = bswap_32(n);
- }
-
-- return __GLX_PAD((n * 16));
-+ return safe_pad(safe_mul(n, 16));
- }
-
- int
--__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap)
-+__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLsizei n = *(GLsizei *) (pc + 4);
-
-@@ -755,11 +753,11 @@
- n = bswap_32(n);
- }
-
-- return __GLX_PAD((n * 24));
-+ return safe_pad(safe_mul(n, 24));
- }
-
- int
--__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap)
-+__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLsizei n = *(GLsizei *) (pc + 4);
-
-@@ -767,11 +765,11 @@
- n = bswap_32(n);
- }
-
-- return __GLX_PAD((n * 12));
-+ return safe_pad(safe_mul(n, 12));
- }
-
- int
--__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap)
-+__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLsizei n = *(GLsizei *) (pc + 4);
-
-@@ -779,11 +777,11 @@
- n = bswap_32(n);
- }
-
-- return __GLX_PAD((n * 6));
-+ return safe_pad(safe_mul(n, 6));
- }
-
- int
--__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap)
-+__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLsizei n = *(GLsizei *) (pc + 4);
-
-@@ -791,11 +789,11 @@
- n = bswap_32(n);
- }
-
-- return __GLX_PAD((n * 32));
-+ return safe_pad(safe_mul(n, 32));
- }
-
- int
--__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap)
-+__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLsizei len = *(GLsizei *) (pc + 4);
-
-@@ -803,7 +801,7 @@
- len = bswap_32(len);
- }
-
-- return __GLX_PAD(len);
-+ return safe_pad(len);
- }
-
- ALIAS(Fogiv, Fogfv)
---- glx/indirect_reqsize.h.orig 2012-05-17 19:09:02.000000000 +0200
-+++ glx/indirect_reqsize.h 2014-12-10 15:45:48.967149775 +0100
-@@ -36,128 +36,169 @@
- #define PURE
- #endif
-
--extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc,
-- Bool swap);
--extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc,
-- Bool swap);
--extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap);
-+extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
- extern PURE _X_HIDDEN int __glXPolygonStippleReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXTexParameterfvReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXTexParameterivReqSize(const GLbyte * pc,
-- Bool swap);
--extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap);
-+ Bool swap, int reqlen);
-+extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
-+extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
- extern PURE _X_HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXTexSubImage1DReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXTexSubImage2DReqSize(const GLbyte * pc,
-- Bool swap);
--extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap);
-+ Bool swap, int reqlen);
-+extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
- extern PURE _X_HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap,
-+ int reqlen);
- extern PURE _X_HIDDEN int __glXColorTableParameterivReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap,
-+ int reqlen);
- extern PURE _X_HIDDEN int __glXColorSubTableReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap,
-+ int reqlen);
- extern PURE _X_HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap,
-+ int reqlen);
- extern PURE _X_HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap,
-+ int reqlen);
- extern PURE _X_HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap,
-+ int reqlen);
- extern PURE _X_HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte * pc,
-- Bool swap);
--extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap);
-+ Bool swap, int reqlen);
-+extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap,
-+ int reqlen);
- extern PURE _X_HIDDEN int __glXTexSubImage3DReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXCompressedTexImage1DARBReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap,
-+ int reqlen);
- extern PURE _X_HIDDEN int __glXCompressedTexImage2DARBReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap,
-+ int reqlen);
- extern PURE _X_HIDDEN int __glXCompressedTexImage3DARBReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap,
-+ int reqlen);
- extern PURE _X_HIDDEN int __glXCompressedTexSubImage1DARBReqSize(const GLbyte *
-- pc, Bool swap);
-+ pc, Bool swap,
-+ int reqlen);
- extern PURE _X_HIDDEN int __glXCompressedTexSubImage2DARBReqSize(const GLbyte *
-- pc, Bool swap);
-+ pc, Bool swap,
-+ int reqlen);
- extern PURE _X_HIDDEN int __glXCompressedTexSubImage3DARBReqSize(const GLbyte *
-- pc, Bool swap);
-+ pc, Bool swap,
-+ int reqlen);
- extern PURE _X_HIDDEN int __glXProgramStringARBReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXDrawBuffersARBReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXPointParameterfvEXTReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXLoadProgramNVReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXProgramParameters4dvNVReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXProgramParameters4fvNVReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXRequestResidentProgramsNVReqSize(const GLbyte *
-- pc, Bool swap);
-+ pc, Bool swap,
-+ int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXPointParameterivNVReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXProgramNamedParameter4dvNVReqSize(const GLbyte *
-- pc, Bool swap);
-+ pc, Bool swap,
-+ int reqlen);
- extern PURE _X_HIDDEN int __glXProgramNamedParameter4fvNVReqSize(const GLbyte *
-- pc, Bool swap);
-+ pc, Bool swap,
-+ int reqlen);
- extern PURE _X_HIDDEN int __glXDeleteFramebuffersEXTReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXDeleteRenderbuffersEXTReqSize(const GLbyte * pc,
-- Bool swap);
-+ Bool swap, int reqlen);
-
- #undef PURE
-
---- glx/rensize.c.orig 2012-05-17 19:09:02.000000000 +0200
-+++ glx/rensize.c 2014-12-10 14:55:50.580336482 +0100
-@@ -52,7 +52,7 @@
- }
-
- int
--__glXMap1dReqSize(const GLbyte * pc, Bool swap)
-+__glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLenum target;
- GLint order, k;
-@@ -68,7 +68,7 @@
- }
-
- int
--__glXMap1fReqSize(const GLbyte * pc, Bool swap)
-+__glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLenum target;
- GLint order, k;
-@@ -92,7 +92,7 @@
- }
-
- int
--__glXMap2dReqSize(const GLbyte * pc, Bool swap)
-+__glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLenum target;
- GLint uorder, vorder, k;
-@@ -110,7 +110,7 @@
- }
-
- int
--__glXMap2fReqSize(const GLbyte * pc, Bool swap)
-+__glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- GLenum target;
- GLint uorder, vorder, k;
-@@ -342,13 +342,14 @@
- }
-
- int
--__glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
-+__glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc;
- __GLXdispatchDrawArraysComponentHeader *compHeader;
- GLint numVertexes = hdr->numVertexes;
- GLint numComponents = hdr->numComponents;
- GLint arrayElementSize = 0;
-+ GLint x, size;
- int i;
-
- if (swap) {
-@@ -357,6 +358,13 @@
- }
-
- pc += sizeof(__GLXdispatchDrawArraysHeader);
-+ reqlen -= sizeof(__GLXdispatchDrawArraysHeader);
-+
-+ size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader),
-+ numComponents);
-+ if (size < 0 || reqlen < 0 || reqlen < size)
-+ return -1;
-+
- compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc;
-
- for (i = 0; i < numComponents; i++) {
-@@ -400,17 +408,18 @@
- return -1;
- }
-
-- arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype));
-+ x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype)));
-+ if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0)
-+ return -1;
-
- pc += sizeof(__GLXdispatchDrawArraysComponentHeader);
- }
-
-- return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) +
-- (numVertexes * arrayElementSize));
-+ return safe_add(size, safe_mul(numVertexes, arrayElementSize));
- }
-
- int
--__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
-+__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
- __GLXdispatchConvolutionFilterHeader *hdr =
- (__GLXdispatchConvolutionFilterHeader *) pc;
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8099
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8099 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8099 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,179 +0,0 @@
-From 32a95fb7c7dbe22c9441c62762dfa4a8ec54d6c3 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Sun, 26 Jan 2014 19:23:17 -0800
-Subject: [PATCH 09/40] Xv: unvalidated lengths in XVideo extension swapped
- procs [CVE-2014-8099]
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
----
- Xext/xvdisp.c | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
-diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c
-index 86f982a..c2d0fc9 100644
---- Xext/xvdisp.c
-+++ Xext/xvdisp.c
-@@ -1121,6 +1121,7 @@ static int
- SProcXvQueryExtension(ClientPtr client)
- {
- REQUEST(xvQueryExtensionReq);
-+ REQUEST_SIZE_MATCH(xvQueryExtensionReq);
- swaps(&stuff->length);
- return XvProcVector[xv_QueryExtension] (client);
- }
-@@ -1129,6 +1130,7 @@ static int
- SProcXvQueryAdaptors(ClientPtr client)
- {
- REQUEST(xvQueryAdaptorsReq);
-+ REQUEST_SIZE_MATCH(xvQueryAdaptorsReq);
- swaps(&stuff->length);
- swapl(&stuff->window);
- return XvProcVector[xv_QueryAdaptors] (client);
-@@ -1138,6 +1140,7 @@ static int
- SProcXvQueryEncodings(ClientPtr client)
- {
- REQUEST(xvQueryEncodingsReq);
-+ REQUEST_SIZE_MATCH(xvQueryEncodingsReq);
- swaps(&stuff->length);
- swapl(&stuff->port);
- return XvProcVector[xv_QueryEncodings] (client);
-@@ -1147,6 +1150,7 @@ static int
- SProcXvGrabPort(ClientPtr client)
- {
- REQUEST(xvGrabPortReq);
-+ REQUEST_SIZE_MATCH(xvGrabPortReq);
- swaps(&stuff->length);
- swapl(&stuff->port);
- swapl(&stuff->time);
-@@ -1157,6 +1161,7 @@ static int
- SProcXvUngrabPort(ClientPtr client)
- {
- REQUEST(xvUngrabPortReq);
-+ REQUEST_SIZE_MATCH(xvUngrabPortReq);
- swaps(&stuff->length);
- swapl(&stuff->port);
- swapl(&stuff->time);
-@@ -1167,6 +1172,7 @@ static int
- SProcXvPutVideo(ClientPtr client)
- {
- REQUEST(xvPutVideoReq);
-+ REQUEST_SIZE_MATCH(xvPutVideoReq);
- swaps(&stuff->length);
- swapl(&stuff->port);
- swapl(&stuff->drawable);
-@@ -1186,6 +1192,7 @@ static int
- SProcXvPutStill(ClientPtr client)
- {
- REQUEST(xvPutStillReq);
-+ REQUEST_SIZE_MATCH(xvPutStillReq);
- swaps(&stuff->length);
- swapl(&stuff->port);
- swapl(&stuff->drawable);
-@@ -1205,6 +1212,7 @@ static int
- SProcXvGetVideo(ClientPtr client)
- {
- REQUEST(xvGetVideoReq);
-+ REQUEST_SIZE_MATCH(xvGetVideoReq);
- swaps(&stuff->length);
- swapl(&stuff->port);
- swapl(&stuff->drawable);
-@@ -1224,6 +1232,7 @@ static int
- SProcXvGetStill(ClientPtr client)
- {
- REQUEST(xvGetStillReq);
-+ REQUEST_SIZE_MATCH(xvGetStillReq);
- swaps(&stuff->length);
- swapl(&stuff->port);
- swapl(&stuff->drawable);
-@@ -1243,6 +1252,7 @@ static int
- SProcXvPutImage(ClientPtr client)
- {
- REQUEST(xvPutImageReq);
-+ REQUEST_AT_LEAST_SIZE(xvPutImageReq);
- swaps(&stuff->length);
- swapl(&stuff->port);
- swapl(&stuff->drawable);
-@@ -1266,6 +1276,7 @@ static int
- SProcXvShmPutImage(ClientPtr client)
- {
- REQUEST(xvShmPutImageReq);
-+ REQUEST_SIZE_MATCH(xvShmPutImageReq);
- swaps(&stuff->length);
- swapl(&stuff->port);
- swapl(&stuff->drawable);
-@@ -1293,6 +1304,7 @@ static int
- SProcXvSelectVideoNotify(ClientPtr client)
- {
- REQUEST(xvSelectVideoNotifyReq);
-+ REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq);
- swaps(&stuff->length);
- swapl(&stuff->drawable);
- return XvProcVector[xv_SelectVideoNotify] (client);
-@@ -1302,6 +1314,7 @@ static int
- SProcXvSelectPortNotify(ClientPtr client)
- {
- REQUEST(xvSelectPortNotifyReq);
-+ REQUEST_SIZE_MATCH(xvSelectPortNotifyReq);
- swaps(&stuff->length);
- swapl(&stuff->port);
- return XvProcVector[xv_SelectPortNotify] (client);
-@@ -1311,6 +1324,7 @@ static int
- SProcXvStopVideo(ClientPtr client)
- {
- REQUEST(xvStopVideoReq);
-+ REQUEST_SIZE_MATCH(xvStopVideoReq);
- swaps(&stuff->length);
- swapl(&stuff->port);
- swapl(&stuff->drawable);
-@@ -1321,6 +1335,7 @@ static int
- SProcXvSetPortAttribute(ClientPtr client)
- {
- REQUEST(xvSetPortAttributeReq);
-+ REQUEST_SIZE_MATCH(xvSetPortAttributeReq);
- swaps(&stuff->length);
- swapl(&stuff->port);
- swapl(&stuff->attribute);
-@@ -1332,6 +1347,7 @@ static int
- SProcXvGetPortAttribute(ClientPtr client)
- {
- REQUEST(xvGetPortAttributeReq);
-+ REQUEST_SIZE_MATCH(xvGetPortAttributeReq);
- swaps(&stuff->length);
- swapl(&stuff->port);
- swapl(&stuff->attribute);
-@@ -1342,6 +1358,7 @@ static int
- SProcXvQueryBestSize(ClientPtr client)
- {
- REQUEST(xvQueryBestSizeReq);
-+ REQUEST_SIZE_MATCH(xvQueryBestSizeReq);
- swaps(&stuff->length);
- swapl(&stuff->port);
- swaps(&stuff->vid_w);
-@@ -1355,6 +1372,7 @@ static int
- SProcXvQueryPortAttributes(ClientPtr client)
- {
- REQUEST(xvQueryPortAttributesReq);
-+ REQUEST_SIZE_MATCH(xvQueryPortAttributesReq);
- swaps(&stuff->length);
- swapl(&stuff->port);
- return XvProcVector[xv_QueryPortAttributes] (client);
-@@ -1364,6 +1382,7 @@ static int
- SProcXvQueryImageAttributes(ClientPtr client)
- {
- REQUEST(xvQueryImageAttributesReq);
-+ REQUEST_SIZE_MATCH(xvQueryImageAttributesReq);
- swaps(&stuff->length);
- swapl(&stuff->port);
- swapl(&stuff->id);
-@@ -1376,6 +1395,7 @@ static int
- SProcXvListImageFormats(ClientPtr client)
- {
- REQUEST(xvListImageFormatsReq);
-+ REQUEST_SIZE_MATCH(xvListImageFormatsReq);
- swaps(&stuff->length);
- swapl(&stuff->port);
- return XvProcVector[xv_ListImageFormats] (client);
---
-2.1.2
-
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8100-1-2
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8100-1-2 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8100-1-2 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,36 +0,0 @@
-From b5f9ef03df6a650571b29d3d1c1d2b67c6e84336 Mon Sep 17 00:00:00 2001
-From: Julien Cristau <jcristau at debian.org>
-Date: Tue, 28 Oct 2014 10:30:04 +0100
-Subject: [PATCH 13/40] render: check request size before reading it
- [CVE-2014-8100 1/2]
-
-Otherwise we may be reading outside of the client request.
-
-Signed-off-by: Julien Cristau <jcristau at debian.org>
-Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
----
- render/render.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/render/render.c b/render/render.c
-index e3031da..200e0c8 100644
---- render/render.c
-+++ render/render.c
-@@ -276,11 +276,11 @@ ProcRenderQueryVersion(ClientPtr client)
-
- REQUEST(xRenderQueryVersionReq);
-
-+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
-+
- pRenderClient->major_version = stuff->majorVersion;
- pRenderClient->minor_version = stuff->minorVersion;
-
-- REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
--
- if ((stuff->majorVersion * 1000 + stuff->minorVersion) <
- (SERVER_RENDER_MAJOR_VERSION * 1000 + SERVER_RENDER_MINOR_VERSION)) {
- rep.majorVersion = stuff->majorVersion;
---
-2.1.2
-
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8100-2-2
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8100-2-2 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8100-2-2 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,140 +0,0 @@
-From 5d3a788aeb2fbd3ca2812747dc18c94a8b981c63 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Sun, 26 Jan 2014 19:51:29 -0800
-Subject: [PATCH 14/40] render: unvalidated lengths in Render extn. swapped
- procs [CVE-2014-8100 2/2]
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
----
- render/render.c | 16 +++++++++++++++-
- 1 file changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/render/render.c b/render/render.c
-index 200e0c8..723f380 100644
---- render/render.c
-+++ render/render.c
-@@ -1995,7 +1995,7 @@ static int
- SProcRenderQueryVersion(ClientPtr client)
- {
- REQUEST(xRenderQueryVersionReq);
--
-+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
- swaps(&stuff->length);
- swapl(&stuff->majorVersion);
- swapl(&stuff->minorVersion);
-@@ -2006,6 +2006,7 @@ static int
- SProcRenderQueryPictFormats(ClientPtr client)
- {
- REQUEST(xRenderQueryPictFormatsReq);
-+ REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
- swaps(&stuff->length);
- return (*ProcRenderVector[stuff->renderReqType]) (client);
- }
-@@ -2014,6 +2015,7 @@ static int
- SProcRenderQueryPictIndexValues(ClientPtr client)
- {
- REQUEST(xRenderQueryPictIndexValuesReq);
-+ REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
- swaps(&stuff->length);
- swapl(&stuff->format);
- return (*ProcRenderVector[stuff->renderReqType]) (client);
-@@ -2029,6 +2031,7 @@ static int
- SProcRenderCreatePicture(ClientPtr client)
- {
- REQUEST(xRenderCreatePictureReq);
-+ REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
- swaps(&stuff->length);
- swapl(&stuff->pid);
- swapl(&stuff->drawable);
-@@ -2042,6 +2045,7 @@ static int
- SProcRenderChangePicture(ClientPtr client)
- {
- REQUEST(xRenderChangePictureReq);
-+ REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
- swaps(&stuff->length);
- swapl(&stuff->picture);
- swapl(&stuff->mask);
-@@ -2053,6 +2057,7 @@ static int
- SProcRenderSetPictureClipRectangles(ClientPtr client)
- {
- REQUEST(xRenderSetPictureClipRectanglesReq);
-+ REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
- swaps(&stuff->length);
- swapl(&stuff->picture);
- swaps(&stuff->xOrigin);
-@@ -2065,6 +2070,7 @@ static int
- SProcRenderFreePicture(ClientPtr client)
- {
- REQUEST(xRenderFreePictureReq);
-+ REQUEST_SIZE_MATCH(xRenderFreePictureReq);
- swaps(&stuff->length);
- swapl(&stuff->picture);
- return (*ProcRenderVector[stuff->renderReqType]) (client);
-@@ -2074,6 +2080,7 @@ static int
- SProcRenderComposite(ClientPtr client)
- {
- REQUEST(xRenderCompositeReq);
-+ REQUEST_SIZE_MATCH(xRenderCompositeReq);
- swaps(&stuff->length);
- swapl(&stuff->src);
- swapl(&stuff->mask);
-@@ -2093,6 +2100,7 @@ static int
- SProcRenderScale(ClientPtr client)
- {
- REQUEST(xRenderScaleReq);
-+ REQUEST_SIZE_MATCH(xRenderScaleReq);
- swaps(&stuff->length);
- swapl(&stuff->src);
- swapl(&stuff->dst);
-@@ -2193,6 +2201,7 @@ static int
- SProcRenderCreateGlyphSet(ClientPtr client)
- {
- REQUEST(xRenderCreateGlyphSetReq);
-+ REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
- swaps(&stuff->length);
- swapl(&stuff->gsid);
- swapl(&stuff->format);
-@@ -2203,6 +2212,7 @@ static int
- SProcRenderReferenceGlyphSet(ClientPtr client)
- {
- REQUEST(xRenderReferenceGlyphSetReq);
-+ REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
- swaps(&stuff->length);
- swapl(&stuff->gsid);
- swapl(&stuff->existing);
-@@ -2213,6 +2223,7 @@ static int
- SProcRenderFreeGlyphSet(ClientPtr client)
- {
- REQUEST(xRenderFreeGlyphSetReq);
-+ REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
- swaps(&stuff->length);
- swapl(&stuff->glyphset);
- return (*ProcRenderVector[stuff->renderReqType]) (client);
-@@ -2227,6 +2238,7 @@ SProcRenderAddGlyphs(ClientPtr client)
- xGlyphInfo *gi;
-
- REQUEST(xRenderAddGlyphsReq);
-+ REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
- swaps(&stuff->length);
- swapl(&stuff->glyphset);
- swapl(&stuff->nglyphs);
-@@ -2261,6 +2273,7 @@ static int
- SProcRenderFreeGlyphs(ClientPtr client)
- {
- REQUEST(xRenderFreeGlyphsReq);
-+ REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
- swaps(&stuff->length);
- swapl(&stuff->glyphset);
- SwapRestL(stuff);
-@@ -2278,6 +2291,7 @@ SProcRenderCompositeGlyphs(ClientPtr client)
- int size;
-
- REQUEST(xRenderCompositeGlyphsReq);
-+ REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
-
- switch (stuff->renderReqType) {
- default:
---
-2.1.2
-
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8101
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8101 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8101 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,51 +0,0 @@
-From 3df2fcf12499ebdb26b9b67419ea485a42041f33 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Sun, 26 Jan 2014 19:38:09 -0800
-Subject: [PATCH 12/40] randr: unvalidated lengths in RandR extension swapped
- procs [CVE-2014-8101]
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
----
- randr/rrsdispatch.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/randr/rrsdispatch.c b/randr/rrsdispatch.c
-index 08c3b6a..47558cf 100644
---- randr/rrsdispatch.c
-+++ randr/rrsdispatch.c
-@@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client)
- {
- REQUEST(xRRQueryVersionReq);
-
-+ REQUEST_SIZE_MATCH(xRRQueryVersionReq);
- swaps(&stuff->length);
- swapl(&stuff->majorVersion);
- swapl(&stuff->minorVersion);
-@@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client)
- {
- REQUEST(xRRGetScreenInfoReq);
-
-+ REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
- swaps(&stuff->length);
- swapl(&stuff->window);
- return (*ProcRandrVector[stuff->randrReqType]) (client);
-@@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client)
- {
- REQUEST(xRRSelectInputReq);
-
-+ REQUEST_SIZE_MATCH(xRRSelectInputReq);
- swaps(&stuff->length);
- swapl(&stuff->window);
- swaps(&stuff->enable);
-@@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr client)
- {
- REQUEST(xRRConfigureOutputPropertyReq);
-
-+ REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq);
- swaps(&stuff->length);
- swapl(&stuff->output);
- swapl(&stuff->property);
---
-2.1.2
-
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2014-8102
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2014-8102 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2014-8102 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,27 +0,0 @@
-From a0ece23a8bd300c8be10812d368dc8058c97c63e Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Sun, 26 Jan 2014 20:02:20 -0800
-Subject: [PATCH 15/40] xfixes: unvalidated length in
- SProcXFixesSelectSelectionInput [CVE-2014-8102]
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
----
- xfixes/select.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/xfixes/select.c b/xfixes/select.c
-index c088ed3..e964d58 100644
---- xfixes/select.c
-+++ xfixes/select.c
-@@ -201,6 +201,7 @@ SProcXFixesSelectSelectionInput(ClientPtr client)
- {
- REQUEST(xXFixesSelectSelectionInputReq);
-
-+ REQUEST_SIZE_MATCH(xXFixesSelectSelectionInputReq);
- swaps(&stuff->length);
- swapl(&stuff->window);
- swapl(&stuff->selection);
---
-2.1.2
-
Deleted: trunk/x11-servers/xorg-server/files/patch-CVE-2015-0255
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-CVE-2015-0255 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-CVE-2015-0255 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,175 +0,0 @@
-This patch has two commits. One is needed to address the CVE the other
-is allow the patch to apply.
-
-http://lists.freedesktop.org/archives/xorg/2015-February/057158.html
-
-http://cgit.freedesktop.org/xorg/xserver/patch/?id=20079c36cf7d377938ca5478447d8b9045cb7d43
-http://cgit.freedesktop.org/xorg/xserver/patch/?id=81c90dc8f0aae3b65730409b1b615b5fa7280ebd
-
---- xkb/xkb.c.orig 2015-02-12 20:30:54.131767000 +0100
-+++ xkb/xkb.c 2015-02-12 20:31:01.849633000 +0100
-@@ -4958,26 +4958,29 @@ ProcXkbGetGeometry(ClientPtr client)
-
- /***====================================================================***/
-
--static char *
--_GetCountedString(char **wire_inout, Bool swap)
-+static Status
-+_GetCountedString(char **wire_inout, ClientPtr client, char **str)
- {
-- char *wire, *str;
-- CARD16 len, *plen;
-+ char *wire, *next;
-+ CARD16 len;
-
- wire = *wire_inout;
-- plen = (CARD16 *) wire;
-- if (swap) {
-- swaps(plen);
-- }
-- len = *plen;
-- str = malloc(len + 1);
-- if (str) {
-- memcpy(str, &wire[2], len);
-- str[len] = '\0';
-+ len = *(CARD16 *) wire;
-+ if (client->swapped) {
-+ swaps(&len);
- }
-- wire += XkbPaddedSize(len + 2);
-- *wire_inout = wire;
-- return str;
-+ next = wire + XkbPaddedSize(len + 2);
-+ /* Check we're still within the size of the request */
-+ if (client->req_len <
-+ bytes_to_int32(next - (char *) client->requestBuffer))
-+ return BadValue;
-+ *str = malloc(len + 1);
-+ if (!*str)
-+ return BadAlloc;
-+ memcpy(*str, &wire[2], len);
-+ *(*str + len) = '\0';
-+ *wire_inout = next;
-+ return Success;
- }
-
- static Status
-@@ -4986,25 +4989,29 @@ _CheckSetDoodad(char **wire_inout,
- {
- char *wire;
- xkbDoodadWireDesc *dWire;
-+ xkbAnyDoodadWireDesc any;
-+ xkbTextDoodadWireDesc text;
- XkbDoodadPtr doodad;
-+ Status status;
-
- dWire = (xkbDoodadWireDesc *) (*wire_inout);
-+ any = dWire->any;
- wire = (char *) &dWire[1];
- if (client->swapped) {
-- swapl(&dWire->any.name);
-- swaps(&dWire->any.top);
-- swaps(&dWire->any.left);
-- swaps(&dWire->any.angle);
-+ swapl(&any.name);
-+ swaps(&any.top);
-+ swaps(&any.left);
-+ swaps(&any.angle);
- }
- CHK_ATOM_ONLY(dWire->any.name);
-- doodad = XkbAddGeomDoodad(geom, section, dWire->any.name);
-+ doodad = XkbAddGeomDoodad(geom, section, any.name);
- if (!doodad)
- return BadAlloc;
- doodad->any.type = dWire->any.type;
- doodad->any.priority = dWire->any.priority;
-- doodad->any.top = dWire->any.top;
-- doodad->any.left = dWire->any.left;
-- doodad->any.angle = dWire->any.angle;
-+ doodad->any.top = any.top;
-+ doodad->any.left = any.left;
-+ doodad->any.angle = any.angle;
- switch (doodad->any.type) {
- case XkbOutlineDoodad:
- case XkbSolidDoodad:
-@@ -5027,15 +5034,22 @@ _CheckSetDoodad(char **wire_inout,
- dWire->text.colorNdx);
- return BadMatch;
- }
-+ text = dWire->text;
- if (client->swapped) {
-- swaps(&dWire->text.width);
-- swaps(&dWire->text.height);
-+ swaps(&text.width);
-+ swaps(&text.height);
- }
-- doodad->text.width = dWire->text.width;
-- doodad->text.height = dWire->text.height;
-+ doodad->text.width = text.width;
-+ doodad->text.height = text.height;
- doodad->text.color_ndx = dWire->text.colorNdx;
-- doodad->text.text = _GetCountedString(&wire, client->swapped);
-- doodad->text.font = _GetCountedString(&wire, client->swapped);
-+ status = _GetCountedString(&wire, client, &doodad->text.text);
-+ if (status != Success)
-+ return status;
-+ status = _GetCountedString(&wire, client, &doodad->text.font);
-+ if (status != Success) {
-+ free (doodad->text.text);
-+ return status;
-+ }
- break;
- case XkbIndicatorDoodad:
- if (dWire->indicator.onColorNdx >= geom->num_colors) {
-@@ -5070,7 +5084,9 @@ _CheckSetDoodad(char **wire_inout,
- }
- doodad->logo.color_ndx = dWire->logo.colorNdx;
- doodad->logo.shape_ndx = dWire->logo.shapeNdx;
-- doodad->logo.logo_name = _GetCountedString(&wire, client->swapped);
-+ status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
-+ if (status != Success)
-+ return status;
- break;
- default:
- client->errorValue = _XkbErrCode2(0x4F, dWire->any.type);
-@@ -5302,18 +5318,20 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSe
- char *wire;
-
- wire = (char *) &req[1];
-- geom->label_font = _GetCountedString(&wire, client->swapped);
-+ status = _GetCountedString(&wire, client, &geom->label_font);
-+ if (status != Success)
-+ return status;
-
- for (i = 0; i < req->nProperties; i++) {
- char *name, *val;
-
-- name = _GetCountedString(&wire, client->swapped);
-- if (!name)
-- return BadAlloc;
-- val = _GetCountedString(&wire, client->swapped);
-- if (!val) {
-+ status = _GetCountedString(&wire, client, &name);
-+ if (status != Success)
-+ return status;
-+ status = _GetCountedString(&wire, client, &val);
-+ if (status != Success) {
- free(name);
-- return BadAlloc;
-+ return status;
- }
- if (XkbAddGeomProperty(geom, name, val) == NULL) {
- free(name);
-@@ -5347,9 +5365,9 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSe
- for (i = 0; i < req->nColors; i++) {
- char *name;
-
-- name = _GetCountedString(&wire, client->swapped);
-- if (!name)
-- return BadAlloc;
-+ status = _GetCountedString(&wire, client, &name);
-+ if (status != Success)
-+ return status;
- if (!XkbAddGeomColor(geom, name, geom->num_colors)) {
- free(name);
- return BadAlloc;
Modified: trunk/x11-servers/xorg-server/files/patch-config_config.c
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-config_config.c 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-config_config.c 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,21 +1,21 @@
---- config/config.c.orig 2014-04-12 15:29:14 UTC
+--- config/config.c.orig 2016-07-19 17:07:29 UTC
+++ config/config.c
-@@ -64,6 +64,9 @@ config_init(void)
+@@ -55,6 +55,9 @@ config_init(void)
#elif defined(CONFIG_WSCONS)
if (!config_wscons_init())
ErrorF("[config] failed to initialise wscons\n");
+#elif defined(CONFIG_DEVD)
-+ if (!config_devd_init())
-+ ErrorF("[config] failed to initialise devd\n");
++ if (!config_devd_init())
++ ErrorF("[config] failed to initialise devd\n");
#endif
}
-@@ -82,6 +85,8 @@ config_fini(void)
- config_dbus_core_fini();
+@@ -67,6 +70,8 @@ config_fini(void)
+ config_hal_fini();
#elif defined(CONFIG_WSCONS)
config_wscons_fini();
+#elif defined(CONFIG_DEVD)
-+ config_devd_fini();
++ config_devd_fini();
#endif
}
Added: trunk/x11-servers/xorg-server/files/patch-glamor_glamor__dash.c
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-glamor_glamor__dash.c (rev 0)
+++ trunk/x11-servers/xorg-server/files/patch-glamor_glamor__dash.c 2018-09-02 21:39:52 UTC (rev 24080)
@@ -0,0 +1,27 @@
+From: Eric Anholt <eric at anholt.net>
+Date: Wed Mar 15 17:51:46 2017 -0700
+Subject: [PATCH]glamor: Fix dashed line rendering.
+Patch-mainline: fe0b297420fc1de8a7fab28457d0864b3182e967
+References: boo#1021803
+Signed-off-by: Max Staudt <mstaudt at suse.de>
+
+We were binding the screen pixmap as the dash and sampling its alpha,
+which is usually just 1.0 (no dashing at all).
+
+Please cherry-pick this to active stable branches.
+
+Signed-off-by: Eric Anholt <eric at anholt.net>
+Reviewed-by: Keith Packard <keithp at keithp.com>
+Reviewed-by: Michel Dänzer <michel.daenzer at amd.com>
+
+--- glamor/glamor_dash.c.orig 2016-07-18 19:08:16 UTC
++++ glamor/glamor_dash.c
+@@ -146,7 +146,7 @@ glamor_dash_setup(DrawablePtr drawable, GCPtr gc)
+ goto bail;
+
+ dash_pixmap = glamor_get_dash_pixmap(gc);
+- dash_priv = glamor_get_pixmap_private(pixmap);
++ dash_priv = glamor_get_pixmap_private(dash_pixmap);
+
+ if (!GLAMOR_PIXMAP_PRIV_HAS_FBO(dash_priv))
+ goto bail;
Property changes on: trunk/x11-servers/xorg-server/files/patch-glamor_glamor__dash.c
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Added: trunk/x11-servers/xorg-server/files/patch-hw_xfree86_common_xf86AutoConfig.c
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-hw_xfree86_common_xf86AutoConfig.c (rev 0)
+++ trunk/x11-servers/xorg-server/files/patch-hw_xfree86_common_xf86AutoConfig.c 2018-09-02 21:39:52 UTC (rev 24080)
@@ -0,0 +1,23 @@
+--- hw/xfree86/common/xf86AutoConfig.c.orig 2017-01-11 20:00:58 UTC
++++ hw/xfree86/common/xf86AutoConfig.c
+@@ -276,7 +276,7 @@ listPossibleVideoDrivers(char *matches[]
+ i += xf86PciMatchDriver(&matches[i], nmatches - i);
+ #endif
+
+-#if defined(__linux__)
++#if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__)
+ matches[i++] = xnfstrdup("modesetting");
+ #endif
+
+@@ -285,8 +285,10 @@ listPossibleVideoDrivers(char *matches[]
+ if (i < (nmatches - 1)) {
+ #if !defined(__linux__) && defined(__sparc__)
+ matches[i++] = xnfstrdup("wsfb");
+-#else
++#elif defined(__linux__)
+ matches[i++] = xnfstrdup("fbdev");
++#elif defined(__FreeBSD__)
++ matches[i++] = xnfstrdup("scfb");
+ #endif
+ }
+ #endif /* !__sun */
Property changes on: trunk/x11-servers/xorg-server/files/patch-hw_xfree86_common_xf86AutoConfig.c
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Modified: trunk/x11-servers/xorg-server/files/patch-hw_xfree86_common_xf86Xinput.c
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-hw_xfree86_common_xf86Xinput.c 2018-09-02 21:39:14 UTC (rev 24079)
+++ trunk/x11-servers/xorg-server/files/patch-hw_xfree86_common_xf86Xinput.c 2018-09-02 21:39:52 UTC (rev 24080)
@@ -1,5 +1,15 @@
-Index: hw/xfree86/common/xf86Xinput.c
-@@ -942,6 +942,7 @@
+--- hw/xfree86/common/xf86Xinput.c.orig 2016-07-19 17:07:29 UTC
++++ hw/xfree86/common/xf86Xinput.c
+@@ -841,7 +841,7 @@ xf86NewInputDevice(InputInfoPtr pInfo, D
+ {
+ InputDriverPtr drv = NULL;
+ DeviceIntPtr dev = NULL;
+- Bool paused;
++ Bool paused = 0;
+ int rval;
+ char *path = NULL;
+
+@@ -996,6 +996,7 @@ NewInputDeviceRequest(InputOption *optio
if (strcmp(key, "_source") == 0 &&
(strcmp(value, "server/hal") == 0 ||
strcmp(value, "server/udev") == 0 ||
Added: trunk/x11-servers/xorg-server/files/patch-os_io.c
===================================================================
--- trunk/x11-servers/xorg-server/files/patch-os_io.c (rev 0)
+++ trunk/x11-servers/xorg-server/files/patch-os_io.c 2018-09-02 21:39:52 UTC (rev 24080)
@@ -0,0 +1,34 @@
+From e751722a7b0c5b595794e60b054ade0b3f6cdb4d Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb at suse.com>
+Date: Fri, 7 Jul 2017 17:04:03 +0200
+Subject: os: Make sure big requests have sufficient length.
+
+A client can send a big request where the 32B "length" field has value
+0. When the big request header is removed and the length corrected,
+the value will underflow to 0xFFFFFFFF. Functions processing the
+request later will think that the client sent much more data and may
+touch memory beyond the receive buffer.
+
+Signed-off-by: Eric Anholt <eric at anholt.net>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+(cherry picked from commit 9c23685009aa96f4b861dcc5d2e01dbee00c4dd9)
+
+diff --git a/os/io.c b/os/io.c
+index f80580c..70f07f3 100644
+--- os/io.c
++++ os/io.c
+@@ -441,6 +441,11 @@ ReadRequestFromClient(ClientPtr client)
+ if (!gotnow)
+ AvailableInput = oc;
+ if (move_header) {
++ if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
++ YieldControlDeath();
++ return -1;
++ }
++
+ request = (xReq *) oci->bufptr;
+ oci->bufptr += (sizeof(xBigReq) - sizeof(xReq));
+ *(xReq *) oci->bufptr = *request;
+--
+cgit v0.10.2
+
Property changes on: trunk/x11-servers/xorg-server/files/patch-os_io.c
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
More information about the Midnightbsd-cvs
mailing list