CVS commit: [netbsd-5-1] xsrc

2015-04-19 Thread SAITOH Masanobu
Module Name:xsrc
Committed By:   msaitoh
Date:   Sun Apr 19 07:29:15 UTC 2015

Modified Files:
xsrc/external/mit/libX11/dist/include/X11 [netbsd-5-1]: Xlibint.h
xsrc/xfree/xc/lib/X11 [netbsd-5-1]: Xlibint.h

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1959):
xsrc/external/mit/libX11/dist/include/X11/Xlibint.h patch
xsrc/xfree/xc/lib/X11/Xlibint.h 1.2

Fix CVE-2013-7439: Buffer overflow in MakeBigReq macro in libX11.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
xsrc/external/mit/libX11/dist/include/X11/Xlibint.h
cvs rdiff -u -r1.1.1.7 -r1.1.1.7.12.1 xsrc/xfree/xc/lib/X11/Xlibint.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/libX11/dist/include/X11/Xlibint.h
diff -u xsrc/external/mit/libX11/dist/include/X11/Xlibint.h:1.1.1.1.2.1 xsrc/external/mit/libX11/dist/include/X11/Xlibint.h:1.1.1.1.2.1.2.1
--- xsrc/external/mit/libX11/dist/include/X11/Xlibint.h:1.1.1.1.2.1	Thu Sep 17 03:32:56 2009
+++ xsrc/external/mit/libX11/dist/include/X11/Xlibint.h	Sun Apr 19 07:29:15 2015
@@ -530,6 +530,14 @@ extern LockInfoPtr _Xglobal_lock;
 #endif
 
 #ifdef WORD64
+/*
+ * MakeBigReq sets the CARD16 "req->length" to 0 and inserts a new CARD32
+ * length, after req->length, before the data in the request.  The new length
+ * includes the "n" extra 32-bit words.
+ *
+ * Do not use MakeBigReq if there is no data already in the request.
+ * req->length must already be >= 2.
+ */
 #define MakeBigReq(req,n) \
 { \
 char _BRdat[4]; \
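Review bot: The new comment documents MakeBigReq above the WORD64 definition, but the memmove corrections in this commit land only in the two definitions further down. The WORD64 body lies between this hunk and the next and is neither shown nor changed. If that body performs the same `_BRlen << 2` move, it presumably needs the same `(_BRlen - 1) << 2` correction, so it should be checked before the pull-up is treated as complete. The same applies to the matching hunk in xsrc/xfree/xc/lib/X11/Xlibint.h.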
@@ -548,7 +556,7 @@ extern LockInfoPtr _Xglobal_lock;
 CARD32 _BRlen = req->length - 1; \
 req->length = 0; \
 _BRdat = ((CARD32 *)req)[_BRlen]; \
-memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
+memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
 ((CARD32 *)req)[1] = _BRlen + n + 2; \
 Data32(dpy, &_BRdat, 4); \
 }
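Review bot: The corrected size `(_BRlen - 1) << 2` wraps to a very large value when `req->length` is 1, because `_BRlen` is then 0 and CARD32 arithmetic is presumably unsigned. The precondition is stated only in the comment added earlier in this diff; nothing in the macro enforces it. Consider an assertion or guard on `req->length >= 2` at the top of the macro body, or at least a comment beside the memmove such as `/* requires _BRlen >= 1, i.e. req->length >= 2 */`. The macro begins above this hunk. The identical memmove line in the next hunk and in both hunks of the xfree copy carries the same point.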
@@ -559,13 +567,20 @@ extern LockInfoPtr _Xglobal_lock;
 CARD32 _BRlen = req->length - 1; \
 req->length = 0; \
 _BRdat = ((CARD32 *)req)[_BRlen]; \
-memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
+memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
 ((CARD32 *)req)[1] = _BRlen + n + 2; \
 Data32(dpy, &_BRdat, 4); \
 }
 #endif
 #endif
 
+/*
+ * SetReqLen increases the count of 32-bit words in the request by "n",
+ * or by "badlen" if "n" is too large.
+ *
+ * Do not use SetReqLen if "req" does not already have data after the
+ * xReq header.  req->length must already be >= 2.
+ */
 #define SetReqLen(req,n,badlen) \
 if ((req->length + n) > (unsigned)65535) { \
 	if (dpy->bigreq_size) { \

Index: xsrc/xfree/xc/lib/X11/Xlibint.h
diff -u xsrc/xfree/xc/lib/X11/Xlibint.h:1.1.1.7 xsrc/xfree/xc/lib/X11/Xlibint.h:1.1.1.7.12.1
--- xsrc/xfree/xc/lib/X11/Xlibint.h:1.1.1.7	Fri Mar 18 13:04:29 2005
+++ xsrc/xfree/xc/lib/X11/Xlibint.h	Sun Apr 19 07:29:15 2015
@@ -528,6 +528,14 @@ extern LockInfoPtr _Xglobal_lock;
 #endif
 
 #ifdef WORD64
+/*
+ * MakeBigReq sets the CARD16 "req->length" to 0 and inserts a new CARD32
+ * length, after req->length, before the data in the request.  The new length
+ * includes the "n" extra 32-bit words.
+ *
+ * Do not use MakeBigReq if there is no data already in the request.
+ * req->length must already be >= 2.
+ */
 #define MakeBigReq(req,n) \
 { \
 char _BRdat[4]; \
@@ -546,7 +554,7 @@ extern LockInfoPtr _Xglobal_lock;
 CARD32 _BRlen = req->length - 1; \
 req->length = 0; \
 _BRdat = ((CARD32 *)req)[_BRlen]; \
-memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
+memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
 ((CARD32 *)req)[1] = _BRlen + n + 2; \
 Data32(dpy, &_BRdat, 4); \
 }
@@ -557,13 +565,20 @@ extern LockInfoPtr _Xglobal_lock;
 CARD32 _BRlen = req->length - 1; \
 req->length = 0; \
 _BRdat = ((CARD32 *)req)[_BRlen]; \
-memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
+memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
 ((CARD32 *)req)[1] = _BRlen + n + 2; \
 Data32(dpy, &_BRdat, 4); \
 }
 #endif
 #endif
 
+/*
+ * SetReqLen increases the count of 32-bit words in the request by "n",
+ * or by "badlen" if "n" is too large.
+ *
+ * Do not use SetReqLen if "req" does not already have data after the
+ * xReq header.  req->length must already be >= 2.
+ */
 #define SetReqLen(req,n,badlen) \
 if ((req->length + n) > (unsigned)65535) { \
 	if (dpy->bigreq_size) { \



CVS commit: [netbsd-5-1] xsrc

2015-03-17 Thread Soren Jacobsen
Module Name:xsrc
Committed By:   snj
Date:   Tue Mar 17 18:43:29 UTC 2015

Modified Files:
xsrc/external/mit/libXfont/dist/src/bitmap [netbsd-5-1]: bdfread.c
xsrc/xfree/xc/lib/font/bitmap [netbsd-5-1]: bdfread.c

Log Message:
Apply patch (requested by mrg in ticket #1953):
Fix the following security issues:
CVE-2015-1802: bdfReadProperties: property count needs range check

The bdf parser reads a count for the number of properties defined in
a font from the font file, and allocates arrays with entries for each
property based on that count.  It never checked to see if that count
was negative, or large enough to overflow when multiplied by the size
of the structures being allocated, and could thus allocate the wrong
buffer size, leading to out of bounds writes.

CVE-2015-1803: bdfReadCharacters: bailout if a char's bitmap cannot be read

If the bdf parser failed to parse the data for the bitmap for any
character, it would proceed with an invalid pointer to the bitmap
data and later crash when trying to read the bitmap from that pointer.

CVE-2015-1804: bdfReadCharacters: ensure metrics fit into xCharInfo struct

The bdf parser read metrics values as 32-bit integers, but stored
them into 16-bit integers.  Overflows could occur in various operations


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1.2.1.2.1 -r1.1.1.1.2.1.2.2 \
xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c
cvs rdiff -u -r1.2.6.1 -r1.2.6.2 xsrc/xfree/xc/lib/font/bitmap/bdfread.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c
diff -u xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c:1.1.1.1.2.1.2.1 xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c:1.1.1.1.2.1.2.2
--- xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c:1.1.1.1.2.1.2.1	Tue Jan  7 18:07:27 2014
+++ xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c	Tue Mar 17 18:43:29 2015
@@ -65,8 +65,16 @@ from The Open Group.
 
 #if HAVE_STDINT_H
 #include 
-#elif !defined(INT32_MAX)
-#define INT32_MAX 0x7fff
+#else
+# ifndef INT32_MAX
+#  define INT32_MAX 0x7fff
+# endif
+# ifndef INT16_MAX
+#  define INT16_MAX 0x7fff
+# endif
+# ifndef INT16_MIN
+#  define INT16_MIN (0 - 0x8000)
+# endif
 #endif
 
 #define INDICES 256
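Review bot: The fallback `#  define INT32_MAX 0x7fff` is the 16-bit maximum, not the 32-bit one. On a build without the stdint header, the STARTPROPERTIES limit added later in this commit is therefore derived from 32767, which caps the property count far lower than on other builds. That errs on the safe side for the overflow check, but if the small value is deliberate it deserves a comment saying so; otherwise `0x7fffffff` is the expected value. The same fallback appears in the xfree copy of bdfread.c.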
@@ -420,6 +428,12 @@ bdfReadCharacters(FontFilePtr file, Font
 	bdfError("DWIDTH y value must be zero\n");
 	goto BAILOUT;
 	}
+	/* xCharInfo metrics are stored as INT16 */
+	if ((wx < 0) || (wx > INT16_MAX)) {
+	bdfError("character '%s' has out of range width, %d\n",
+		 charName, wx);
+	goto BAILOUT;
+	}
 	line = bdfGetLine(file, lineBuf, BDFLINELEN);
 	if ((!line) || (sscanf((char *) line, "BBX %d %d %d %d", &bw, &bh, &bl, &bb) != 4)) {
 	bdfError("bad 'BBX'\n");
@@ -430,6 +444,14 @@ bdfReadCharacters(FontFilePtr file, Font
 		 charName, bw, bh);
 	goto BAILOUT;
 	}
+	/* xCharInfo metrics are read as int, but stored as INT16 */
+	if ((bl > INT16_MAX) || (bl < INT16_MIN) ||
+	(bb > INT16_MAX) || (bb < INT16_MIN) ||
+	(bw > (INT16_MAX - bl)) || (bh > (INT16_MAX - bb))) {
+	bdfError("character '%s' has out of range metrics, %d %d %d %d\n",
+		 charName, bl, (bl+bw), (bh+bb), -bb);
+	goto BAILOUT;
+	}
 	line = bdfGetLine(file, lineBuf, BDFLINELEN);
 	if ((line) && (bdfIsPrefix(line, "ATTRIBUTES"))) {
 	for (p = line + strlen("ATTRIBUTES ");
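Review bot: The range test lets `bb == INT16_MIN` through, yet the metrics assignment in the next hunk stores `-bb` as the descent, and 32768 does not fit in an INT16. Tightening the lower bound to `(bb <= INT16_MIN)`, or testing `(-bb > INT16_MAX)`, would close that edge. bdfReadCharacters extends beyond this hunk on both sides.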
@@ -461,7 +483,10 @@ bdfReadCharacters(FontFilePtr file, Font
 	ci->metrics.descent = -bb;
 	ci->metrics.characterWidth = wx;
 	ci->bits = NULL;
-	bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes);
+	if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) {
+		bdfError("could not read bitmap for character '%s'\n", charName);
+		goto BAILOUT;
+	}
 	ci++;
 	ndx++;
 	} else
@@ -607,7 +632,9 @@ bdfReadProperties(FontFilePtr file, Font
 	bdfError("missing 'STARTPROPERTIES'\n");
 	return (FALSE);
 }
-if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) {
+if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) ||
+	(nProps <= 0) ||
+	(nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) {
 	bdfError("bad 'STARTPROPERTIES'\n");
 	return (FALSE);
 }

Index: xsrc/xfree/xc/lib/font/bitmap/bdfread.c
diff -u xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.2.6.1 xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.2.6.2
--- xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.2.6.1	Tue Jan  7 18:07:27 2014
+++ xsrc/xfree/xc/lib/font/bitmap/bdfread.c	Tue Mar 17 18:43:29 2015
@@ -63,8 +63,16 @@ from The Open Group.
 
 #if HAVE_STDINT_H
 #include 
-#elif !defined(INT32_MAX)
-#define INT32_MAX 0x7fff
+#else
+# ifndef INT32_MAX
+#  define INT32_MAX 0x7fff
+# endif
+# ifndef INT16_MAX
+#  define INT16_MAX 0x7fff
+# endif
+# ifndef INT16_MIN
+#  define INT16_MIN (0 - 0x8000)
+# endif
 

CVS commit: [netbsd-5-1] xsrc

2015-02-11 Thread Martin Husemann
Module Name:xsrc
Committed By:   martin
Date:   Wed Feb 11 15:27:21 UTC 2015

Modified Files:
xsrc/external/mit/xorg-server/dist/xkb [netbsd-5-1]: xkb.c
xsrc/xfree/xc/programs/Xserver/xkb [netbsd-5-1]: xkb.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1949):
external/mit/xorg-server/dist/xkb/xkb.c: revision 1.2
xfree/xc/programs/Xserver/xkb/xkb.c: revision 1.2
apply fixes for CVE-2015-0255:
Information leak in the XkbSetGeometry request of X servers
http://www.x.org/wiki/Development/Security/Advisory-2015-02-10/
ported to xorg-server 1.10 and xfree myself.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
xsrc/external/mit/xorg-server/dist/xkb/xkb.c
cvs rdiff -u -r1.1.1.6 -r1.1.1.6.24.1 \
xsrc/xfree/xc/programs/Xserver/xkb/xkb.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/xorg-server/dist/xkb/xkb.c
diff -u xsrc/external/mit/xorg-server/dist/xkb/xkb.c:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/xkb/xkb.c:1.1.1.1.2.1.2.1
--- xsrc/external/mit/xorg-server/dist/xkb/xkb.c:1.1.1.1.2.1	Thu Sep 17 03:35:48 2009
+++ xsrc/external/mit/xorg-server/dist/xkb/xkb.c	Wed Feb 11 15:27:21 2015
@@ -4820,27 +4820,30 @@ ProcXkbGetGeometry(ClientPtr client)
 
 /******/
 
-static char *
-_GetCountedString(char **wire_inout,Bool swap)
+static Status
+_GetCountedString(char **wire_inout, ClientPtr client, char **str)
 {
-char *	wire,*str;
-CARD16	len,*plen;
+char *wire, *next;
+CARD16 len;
 
-wire= *wire_inout;
-plen= (CARD16 *)wire;
-if (swap) {
-	register int n;
-	swaps(plen,n);
-}
-len= *plen;
-str= (char *)_XkbAlloc(len+1);
-if (str) {
-	memcpy(str,&wire[2],len);
-	str[len]= '\0';
+wire = *wire_inout;
+len = *(CARD16 *) wire;
+if (client->swapped) {
+	int n;
+swaps(&len, n);
 }
-wire+= XkbPaddedSize(len+2);
-*wire_inout= wire;
-return str;
+next = wire + XkbPaddedSize(len + 2);
+/* Check we're still within the size of the request */
+if (client->req_len <
+bytes_to_int32(next - (char *) client->requestBuffer))
+return BadValue;
+*str = malloc(len + 1);
+if (!*str)
+return BadAlloc;
+memcpy(*str, &wire[2], len);
+*(*str + len) = '\0';
+*wire_inout = next;
+return Success;
 }
 
 static Status
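Review bot: `len = *(CARD16 *) wire;` reads the two-byte length field before anything has confirmed that `wire + 2` is still inside the request. The check that follows only validates the end of the string computed from that length, so a `wire` already at the end of the request would be read out of bounds by the length fetch itself. A check placed before the dereference would cover it, for example `if (client->req_len < bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) return BadValue;`.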
@@ -4852,6 +4855,7 @@ _CheckSetDoodad(	char **		wire_inout,
 char *			wire;
 xkbDoodadWireDesc *	dWire;
 XkbDoodadPtr		doodad;
+Status status;
 
 dWire= (xkbDoodadWireDesc *)(*wire_inout);
 wire= (char *)&dWire[1];
@@ -4901,8 +4905,14 @@ XkbDoodadPtr		doodad;
 	doodad->text.width= dWire->text.width;
 	doodad->text.height= dWire->text.height;
 	doodad->text.color_ndx= dWire->text.colorNdx;
-	doodad->text.text= _GetCountedString(&wire,client->swapped);
-	doodad->text.font= _GetCountedString(&wire,client->swapped);
+status = _GetCountedString(&wire, client, &doodad->text.text);
+if (status != Success)
+return status;
+status = _GetCountedString(&wire, client, &doodad->text.font);
+if (status != Success) {
+free (doodad->text.text);
+return status;
+}
 	break;
 	case XkbIndicatorDoodad:
 	if (dWire->indicator.onColorNdx>=geom->num_colors) {
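Review bot: After `free (doodad->text.text);` the stale pointer is left in the doodad. If the caller releases the geometry on the error return (not visible here), the same buffer could be freed a second time. Adding `doodad->text.text = NULL;` directly after the free removes the hazard. _CheckSetDoodad starts and ends outside this hunk.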
@@ -4937,7 +4947,9 @@ XkbDoodadPtr		doodad;
 	}
 	doodad->logo.color_ndx= dWire->logo.colorNdx;
 	doodad->logo.shape_ndx= dWire->logo.shapeNdx;
-	doodad->logo.logo_name= _GetCountedString(&wire,client->swapped);
+status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
+if (status != Success)
+return status;
 	break;
 	default:
 	client->errorValue= _XkbErrCode2(0x4F,dWire->any.type);
@@ -5172,17 +5184,19 @@ Status		status;
 char *		wire;
 
 wire= (char *)&req[1];
-geom->label_font= _GetCountedString(&wire,client->swapped);
+status = _GetCountedString(&wire, client, &geom->label_font);
+if (status != Success)
+return status;
 
-for (i=0;inProperties;i++) {
-	char *name,*val;
-	name= _GetCountedString(&wire,client->swapped);
-if (!name)
-return BadAlloc;
-	val= _GetCountedString(&wire,client->swapped);
-if (!val) {
+for (i = 0; i < req->nProperties; i++) {
+	char *name, *val;
+status = _GetCountedString(&wire, client, &name);
+if (status != Success)
+return status;
+status = _GetCountedString(&wire, client, &val);
+if (status != Success) {
 xfree(name);
-return BadAlloc;
+return status;
 }
 	if (XkbAddGeomProperty(geom,name,val)==NULL) {
 xfree(name);
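Review bot: Strings returned by the rewritten _GetCountedString are now allocated with `malloc`, while this loop releases them with `xfree(name)` and _CheckSetDoodad uses `free`. Even if the two release calls resolve to the same allocator in this tree, mixing them makes the ownership harder to audit. Use one allocate/release pair consistently across the three call sites, matching whatever the rest of xkb.c uses. The enclosing function starts and ends outside this hunk.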
@@ -5211,11 +5225,11 @@ char *		wire;
 	return BadMatch;
 

CVS commit: [netbsd-5-1] xsrc/external/mit/xorg-server/dist

2014-12-22 Thread SAITOH Masanobu
Module Name:xsrc
Committed By:   msaitoh
Date:   Mon Dec 22 12:56:04 UTC 2014

Modified Files:
xsrc/external/mit/xorg-server/dist/exa [netbsd-5-1]: exa_render.c
xsrc/external/mit/xorg-server/dist/render [netbsd-5-1]: picture.h

Log Message:
Pullup additional patches requested by mrg in ticket #1935:

xsrc/external/mit/xorg-server/dist/exa/exa_render.c 1.2
xsrc/external/mit/xorg-server/dist/render/picture.h 1.2

fixes for CVE-2013-6424:
If t->bottom is close to MIN_INT, removing top can wraparound, so do
the check properly.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
xsrc/external/mit/xorg-server/dist/exa/exa_render.c
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
xsrc/external/mit/xorg-server/dist/render/picture.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/xorg-server/dist/exa/exa_render.c
diff -u xsrc/external/mit/xorg-server/dist/exa/exa_render.c:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/exa/exa_render.c:1.1.1.1.2.1.2.1
--- xsrc/external/mit/xorg-server/dist/exa/exa_render.c:1.1.1.1.2.1	Thu Sep 17 03:34:54 2009
+++ xsrc/external/mit/xorg-server/dist/exa/exa_render.c	Mon Dec 22 12:56:03 2014
@@ -1074,6 +1074,7 @@ exaTrapezoids (CARD8 op, PicturePtr pSrc
 
 	exaPrepareAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
 	for (; ntrap; ntrap--, traps++)
+  if (xTrapezoidValid(traps))
 	(*ps->RasterizeTrapezoid) (pPicture, traps,
    -bounds.x1, -bounds.y1);
 	exaFinishAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
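Review bot: The added `if (xTrapezoidValid(traps))` is an unbraced body of an unbraced `for`, with the call it guards spread over the following two lines. The nesting is easy to misread, and a later edit could detach the rasterize call from the validity check. Bracing both levels, `for (; ntrap; ntrap--, traps++) { if (xTrapezoidValid(traps)) { ... } }`, makes the guard explicit. exaTrapezoids continues outside the hunk.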

Index: xsrc/external/mit/xorg-server/dist/render/picture.h
diff -u xsrc/external/mit/xorg-server/dist/render/picture.h:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/render/picture.h:1.1.1.1.2.1.2.1
--- xsrc/external/mit/xorg-server/dist/render/picture.h:1.1.1.1.2.1	Thu Sep 17 03:35:47 2009
+++ xsrc/external/mit/xorg-server/dist/render/picture.h	Mon Dec 22 12:56:03 2014
@@ -201,7 +201,7 @@ typedef	pixman_fixed_t	xFixed;
 /* whether 't' is a well defined not obviously empty trapezoid */
 #define xTrapezoidValid(t)  ((t)->left.p1.y != (t)->left.p2.y && \
 			 (t)->right.p1.y != (t)->right.p2.y && \
-			 (int) ((t)->bottom - (t)->top) > 0)
+			 ((t)->bottom > (t)->top))
 
 /*
  * Standard NTSC luminance conversions:
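Review bot: The macro's comment does not record why the height is now tested by direct comparison, and the earlier subtraction form is the natural thing for a later edit to reintroduce. A line above the last clause such as `/* compare directly: bottom - top can wrap for extreme values */` would keep the reason from the log message next to the code.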



CVS commit: [netbsd-5-1] xsrc/xfree/xc/programs/Xserver

2014-12-14 Thread Soren Jacobsen
Module Name:xsrc
Committed By:   snj
Date:   Mon Dec 15 07:03:26 UTC 2014

Modified Files:
xsrc/xfree/xc/programs/Xserver/GL/glx [netbsd-5-1]: single2.c
single2swap.c singlepix.c singlepixswap.c
xsrc/xfree/xc/programs/Xserver/Xext [netbsd-5-1]: EVI.c xf86vmode.c

Log Message:
Apply patch (requested by mrg in ticket 1935):
Fix build.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.6.12.1 -r1.1.1.6.12.2 \
xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c \
xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c
cvs rdiff -u -r1.1.1.3.26.1 -r1.1.1.3.26.2 \
xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c
cvs rdiff -u -r1.1.1.4.26.1 -r1.1.1.4.26.2 \
xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c
cvs rdiff -u -r1.1.1.4 -r1.1.1.4.24.1 \
xsrc/xfree/xc/programs/Xserver/Xext/EVI.c
cvs rdiff -u -r1.1.1.6 -r1.1.1.6.24.1 \
xsrc/xfree/xc/programs/Xserver/Xext/xf86vmode.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c
diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c:1.1.1.6.12.1 xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c:1.1.1.6.12.2
--- xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c:1.1.1.6.12.1	Fri Dec 12 06:56:53 2014
+++ xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c	Mon Dec 15 07:03:25 2014
@@ -42,6 +42,8 @@
 #include "g_disptab.h"
 #include "GL/glx_ansic.h"
 
+#include 
+
 int __glXDisp_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc)
 {
 ClientPtr client = cl->client;
Index: xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c
diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c:1.1.1.6.12.1 xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c:1.1.1.6.12.2
--- xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c:1.1.1.6.12.1	Fri Dec 12 06:56:53 2014
+++ xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c	Mon Dec 15 07:03:25 2014
@@ -42,6 +42,8 @@
 #include "g_disptab.h"
 #include "GL/glx_ansic.h"
 
+#include 
+
 int __glXDispSwap_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc)
 {
 ClientPtr client = cl->client;

Index: xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c
diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c:1.1.1.3.26.1 xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c:1.1.1.3.26.2
--- xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c:1.1.1.3.26.1	Fri Dec 12 06:56:53 2014
+++ xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c	Mon Dec 15 07:03:25 2014
@@ -42,6 +42,8 @@
 #include "g_disptab.h"
 #include "g_disptab_EXT.h"
 
+#include 
+
 int __glXDisp_ReadPixels(__GLXclientState *cl, GLbyte *pc)
 {
 GLsizei width, height;

Index: xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c
diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c:1.1.1.4.26.1 xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c:1.1.1.4.26.2
--- xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c:1.1.1.4.26.1	Fri Dec 12 06:56:53 2014
+++ xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c	Mon Dec 15 07:03:25 2014
@@ -42,6 +42,8 @@
 #include "g_disptab.h"
 #include "g_disptab_EXT.h"
 
+#include 
+
 int __glXDispSwap_ReadPixels(__GLXclientState *cl, GLbyte *pc)
 {
 GLsizei width, height;

Index: xsrc/xfree/xc/programs/Xserver/Xext/EVI.c
diff -u xsrc/xfree/xc/programs/Xserver/Xext/EVI.c:1.1.1.4 xsrc/xfree/xc/programs/Xserver/Xext/EVI.c:1.1.1.4.24.1
--- xsrc/xfree/xc/programs/Xserver/Xext/EVI.c:1.1.1.4	Fri Mar  5 14:27:38 2004
+++ xsrc/xfree/xc/programs/Xserver/Xext/EVI.c	Mon Dec 15 07:03:26 2014
@@ -33,6 +33,8 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #include "EVIstruct.h"
 #include "modinit.h"
 
+#include 
+
 #if 0
 static unsigned char XEVIReqCode = 0;
 #endif

Index: xsrc/xfree/xc/programs/Xserver/Xext/xf86vmode.c
diff -u xsrc/xfree/xc/programs/Xserver/Xext/xf86vmode.c:1.1.1.6 xsrc/xfree/xc/programs/Xserver/Xext/xf86vmode.c:1.1.1.6.24.1
--- xsrc/xfree/xc/programs/Xserver/Xext/xf86vmode.c:1.1.1.6	Fri Mar  5 14:27:40 2004
+++ xsrc/xfree/xc/programs/Xserver/Xext/xf86vmode.c	Mon Dec 15 07:03:26 2014
@@ -51,6 +51,8 @@ from Kaleb S. KEITHLEY
 #include "xf86_ansic.h"
 #endif
 
+#include 
+
 static int VidModeErrorBase;
 static int VidModeGeneration = 0;
 static int VidModeClientPrivateIndex;



CVS commit: [netbsd-5-1] xsrc/xfree/xc/programs/Xserver

2014-12-11 Thread Soren Jacobsen
Module Name:xsrc
Committed By:   snj
Date:   Fri Dec 12 06:56:54 UTC 2014

Modified Files:
xsrc/xfree/xc/programs/Xserver/GL/glx [netbsd-5-1]: glxcmds.c
glxcmdsswap.c glxserver.h rensize.c single2.c single2swap.c
singlepix.c singlepixswap.c unpack.h
xsrc/xfree/xc/programs/Xserver/Xext [netbsd-5-1]: xcmisc.c xvdisp.c
xsrc/xfree/xc/programs/Xserver/Xi [netbsd-5-1]: chgdctl.c chgfctl.c
sendexev.c
xsrc/xfree/xc/programs/Xserver/dbe [netbsd-5-1]: dbe.c
xsrc/xfree/xc/programs/Xserver/dix [netbsd-5-1]: dispatch.c
xsrc/xfree/xc/programs/Xserver/include [netbsd-5-1]: dix.h misc.h
xsrc/xfree/xc/programs/Xserver/os [netbsd-5-1]: access.c rpcauth.c
xsrc/xfree/xc/programs/Xserver/randr [netbsd-5-1]: randr.c
xsrc/xfree/xc/programs/Xserver/render [netbsd-5-1]: render.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1935):
xfree/xc/programs/Xserver/dix/dispatch.c: revision 1.2
xfree/xc/programs/Xserver/Xext/xvdisp.c: revision 1.2
xfree/xc/programs/Xserver/include/misc.h: revision 1.2
xfree/xc/programs/Xserver/render/render.c: revision 1.4
xfree/xc/programs/Xserver/GL/glx/singlepixswap.c: revision 1.2
xfree/xc/programs/Xserver/Xi/sendexev.c: revision 1.2
xfree/xc/programs/Xserver/include/dix.h: revision 1.2
xfree/xc/programs/Xserver/os/access.c: revision 1.7
xfree/xc/programs/Xserver/GL/glx/glxserver.h: revision 1.2
xfree/xc/programs/Xserver/GL/glx/rensize.c: revision 1.2
xfree/xc/programs/Xserver/GL/glx/unpack.h: revision 1.2
xfree/xc/programs/Xserver/GL/glx/singlepix.c: revision 1.2
xfree/xc/programs/Xserver/Xi/chgfctl.c: revision 1.2
xfree/xc/programs/Xserver/Xi/chgdctl.c: revision 1.2
xfree/xc/programs/Xserver/GL/glx/glxcmds.c: revision 1.2
xfree/xc/programs/Xserver/Xext/xcmisc.c: revision 1.3
xfree/xc/programs/Xserver/randr/randr.c: revision 1.2
xfree/xc/programs/Xserver/GL/glx/glxcmdsswap.c: revision 1.2
xfree/xc/programs/Xserver/os/rpcauth.c: revision 1.2
xfree/xc/programs/Xserver/dbe/dbe.c: revision 1.3
xfree/xc/programs/Xserver/GL/glx/single2.c: revision 1.2
xfree/xc/programs/Xserver/GL/glx/single2swap.c: revision 1.2
pull over from xorg-server, porting as necessary.
- --
apply fixes for:
X.Org Security Advisory:  Dec. 9, 2014
Protocol handling issues in X Window System servers
backported to 1.10.x by myself.
included are fixes for:
denial of service due to unchecked malloc in client authentication
CVE-2014-8091
integer overflows calculating memory needs for requests
CVE-2014-8092
CVE-2014-8093
CVE-2014-8094
out of bounds access due to not validating length or offset values in requests
CVE-2014-8095
CVE-2014-8096
CVE-2014-8097
CVE-2014-8098
CVE-2014-8099
CVE-2014-8100
CVE-2014-8101
CVE-2014-8102
CVE-2014-8103
- --
apply two more parts of CVE-2014-8092:
  Missing parens in REQUEST_FIXED_SIZE macro [CVE-2014-8092 pt. 5]
  dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6]
- --


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.6 -r1.1.1.6.12.1 \
xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmds.c \
xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmdsswap.c \
xsrc/xfree/xc/programs/Xserver/GL/glx/glxserver.h \
xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c \
xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c \
xsrc/xfree/xc/programs/Xserver/GL/glx/unpack.h
cvs rdiff -u -r1.1.1.7 -r1.1.1.7.12.1 \
xsrc/xfree/xc/programs/Xserver/GL/glx/rensize.c
cvs rdiff -u -r1.1.1.3 -r1.1.1.3.26.1 \
xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c
cvs rdiff -u -r1.1.1.4 -r1.1.1.4.26.1 \
xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c
cvs rdiff -u -r1.2 -r1.2.6.1 xsrc/xfree/xc/programs/Xserver/Xext/xcmisc.c
cvs rdiff -u -r1.1.1.5 -r1.1.1.5.24.1 \
xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c
cvs rdiff -u -r1.1.1.4 -r1.1.1.4.26.1 \
xsrc/xfree/xc/programs/Xserver/Xi/chgdctl.c \
xsrc/xfree/xc/programs/Xserver/Xi/chgfctl.c \
xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c
cvs rdiff -u -r1.2 -r1.2.6.1 xsrc/xfree/xc/programs/Xserver/dbe/dbe.c
cvs rdiff -u -r1.1.1.7 -r1.1.1.7.12.1 \
xsrc/xfree/xc/programs/Xserver/dix/dispatch.c
cvs rdiff -u -r1.1.1.6 -r1.1.1.6.24.1 \
xsrc/xfree/xc/programs/Xserver/include/dix.h
cvs rdiff -u -r1.1.1.6 -r1.1.1.6.12.1 \
xsrc/xfree/xc/programs/Xserver/include/misc.h
cvs rdiff -u -r1.6 -r1.6.12.1 xsrc/xfree/xc/programs/Xserver/os/access.c
cvs rdiff -u -r1.1.1.5 -r1.1.1.5.24.1 \
xsrc/xfree/xc/programs/Xserver/os/rpcauth.c
cvs rdiff -u -r1.1.1.3 -r1.1.1.3.24.1 \
xsrc/xfree/xc/programs/Xserver/randr/randr.c
cvs rdiff -u -r1.3 -r1.3.6.1 xsrc/xfree/xc/programs/Xserver/render/render.c

Please note that diff

CVS commit: [netbsd-5-1] xsrc/external/mit/xorg-server/dist

2014-12-10 Thread Soren Jacobsen
Module Name:xsrc
Committed By:   snj
Date:   Wed Dec 10 22:59:26 UTC 2014

Modified Files:
xsrc/external/mit/xorg-server/dist/include [netbsd-5-1]: dix.h
xsrc/external/mit/xorg-server/dist/os [netbsd-5-1]: access.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #1935):
external/mit/xorg-server/dist/include/dix.h: revision 1.3
external/mit/xorg-server/dist/os/access.c: revision 1.3 via patch
apply two more parts of CVE-2014-8092:
  Missing parens in REQUEST_FIXED_SIZE macro [CVE-2014-8092 pt. 5]
  dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6]


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1.2.1.2.1 -r1.1.1.1.2.1.2.2 \
xsrc/external/mit/xorg-server/dist/include/dix.h
cvs rdiff -u -r1.1.1.1.2.1.2.1 -r1.1.1.1.2.1.2.2 \
xsrc/external/mit/xorg-server/dist/os/access.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/xorg-server/dist/include/dix.h
diff -u xsrc/external/mit/xorg-server/dist/include/dix.h:1.1.1.1.2.1.2.1 xsrc/external/mit/xorg-server/dist/include/dix.h:1.1.1.1.2.1.2.2
--- xsrc/external/mit/xorg-server/dist/include/dix.h:1.1.1.1.2.1.2.1	Tue Dec  9 19:56:35 2014
+++ xsrc/external/mit/xorg-server/dist/include/dix.h	Wed Dec 10 22:59:26 2014
@@ -78,7 +78,7 @@ SOFTWARE.
 
 #define REQUEST_FIXED_SIZE(req, n)\
 if (((sizeof(req) >> 2) > client->req_len) || \
-((n >> 2) >= client->req_len) || \
+(((n) >> 2) >= client->req_len) || \
 uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len))  \
  return(BadLength)
 

Index: xsrc/external/mit/xorg-server/dist/os/access.c
diff -u xsrc/external/mit/xorg-server/dist/os/access.c:1.1.1.1.2.1.2.1 xsrc/external/mit/xorg-server/dist/os/access.c:1.1.1.1.2.1.2.2
--- xsrc/external/mit/xorg-server/dist/os/access.c:1.1.1.1.2.1.2.1	Tue Dec  9 19:56:35 2014
+++ xsrc/external/mit/xorg-server/dist/os/access.c	Wed Dec 10 22:59:26 2014
@@ -1474,7 +1474,7 @@ GetHosts (
 for (host = validhosts; host; host = host->next)
 	{
 	len = host->len;
-if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *)data + n))
+if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
 break;
 	((xHostEntry *)ptr)->family = host->family;
 	((xHostEntry *)ptr)->length = len;
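Review bot: The bound is tested by forming `ptr + sizeof(xHostEntry) + len` and comparing it with the end of the buffer, which computes a pointer beyond the allocation in exactly the case the check is meant to catch. Comparing byte counts avoids relying on out-of-range pointer arithmetic, for example `if (sizeof(xHostEntry) + len > (size_t) (((unsigned char *) *data + n) - ptr))`. The loop body continues below the hunk, so how `ptr` advances is not visible here.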



CVS commit: [netbsd-5-1] xsrc/external/mit/xorg-server/dist

2014-12-09 Thread Soren Jacobsen
Module Name:xsrc
Committed By:   snj
Date:   Tue Dec  9 19:56:35 UTC 2014

Modified Files:
xsrc/external/mit/xorg-server/dist/Xext [netbsd-5-1]: xcmisc.c xvdisp.c
xsrc/external/mit/xorg-server/dist/Xi [netbsd-5-1]: chgdctl.c chgfctl.c
sendexev.c xiproperty.c
xsrc/external/mit/xorg-server/dist/dbe [netbsd-5-1]: dbe.c
xsrc/external/mit/xorg-server/dist/dix [netbsd-5-1]: dispatch.c
xsrc/external/mit/xorg-server/dist/glx [netbsd-5-1]: glxcmds.c
glxcmdsswap.c glxserver.h indirect_program.c indirect_reqsize.c
indirect_reqsize.h indirect_texture_compression.c indirect_util.c
rensize.c single2.c single2swap.c singlepix.c singlepixswap.c
swap_interval.c unpack.h
xsrc/external/mit/xorg-server/dist/hw/xfree86/dri2 [netbsd-5-1]:
dri2ext.c
xsrc/external/mit/xorg-server/dist/include [netbsd-5-1]: dix.h misc.h
xsrc/external/mit/xorg-server/dist/os [netbsd-5-1]: access.c rpcauth.c
xsrc/external/mit/xorg-server/dist/randr [netbsd-5-1]: rrsdispatch.c
xsrc/external/mit/xorg-server/dist/render [netbsd-5-1]: render.c
xsrc/external/mit/xorg-server/dist/xfixes [netbsd-5-1]: select.c

Log Message:
Apply patch (requested by mrg in ticket #1935):
apply fixes for X.Org Security Advisory:  Dec. 9, 2014
Protocol handling issues in X Window System servers

included are fixes for:

denial of service due to unchecked malloc in client authentication
   CVE-2014-8091
integer overflows calculating memory needs for requests
   CVE-2014-8092
   CVE-2014-8093
   CVE-2014-8094
out of bounds access due to not validating length or offset values in requests
   CVE-2014-8095
   CVE-2014-8096
   CVE-2014-8097
   CVE-2014-8098
   CVE-2014-8099
   CVE-2014-8100
   CVE-2014-8101
   CVE-2014-8102
   CVE-2014-8103


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c \
xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
xsrc/external/mit/xorg-server/dist/Xi/chgdctl.c \
xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c \
xsrc/external/mit/xorg-server/dist/Xi/sendexev.c
cvs rdiff -u -r1.1.1.2.2.2 -r1.1.1.2.2.2.2.1 \
xsrc/external/mit/xorg-server/dist/Xi/xiproperty.c
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
xsrc/external/mit/xorg-server/dist/dbe/dbe.c
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
xsrc/external/mit/xorg-server/dist/dix/dispatch.c
cvs rdiff -u -r1.1.1.2.2.2 -r1.1.1.2.2.2.2.1 \
xsrc/external/mit/xorg-server/dist/glx/glxcmds.c
cvs rdiff -u -r1.1.1.1.2.2 -r1.1.1.1.2.2.2.1 \
xsrc/external/mit/xorg-server/dist/glx/glxcmdsswap.c \
xsrc/external/mit/xorg-server/dist/glx/glxserver.h \
xsrc/external/mit/xorg-server/dist/glx/indirect_program.c \
xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.c \
xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.h \
xsrc/external/mit/xorg-server/dist/glx/indirect_texture_compression.c \
xsrc/external/mit/xorg-server/dist/glx/indirect_util.c \
xsrc/external/mit/xorg-server/dist/glx/rensize.c \
xsrc/external/mit/xorg-server/dist/glx/single2.c \
xsrc/external/mit/xorg-server/dist/glx/single2swap.c \
xsrc/external/mit/xorg-server/dist/glx/singlepix.c \
xsrc/external/mit/xorg-server/dist/glx/singlepixswap.c \
xsrc/external/mit/xorg-server/dist/glx/swap_interval.c \
xsrc/external/mit/xorg-server/dist/glx/unpack.h
cvs rdiff -u -r1.1.1.2.2.2 -r1.1.1.2.2.2.2.1 \
xsrc/external/mit/xorg-server/dist/hw/xfree86/dri2/dri2ext.c
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
xsrc/external/mit/xorg-server/dist/include/dix.h \
xsrc/external/mit/xorg-server/dist/include/misc.h
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
xsrc/external/mit/xorg-server/dist/os/access.c \
xsrc/external/mit/xorg-server/dist/os/rpcauth.c
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
xsrc/external/mit/xorg-server/dist/randr/rrsdispatch.c
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
xsrc/external/mit/xorg-server/dist/render/render.c
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
xsrc/external/mit/xorg-server/dist/xfixes/select.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c
diff -u xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c:1.1.1.1.2.1.2.1
--- xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c:1.1.1.1.2.1	Thu Sep 17 03:34:49 2009
+++ xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c	Tue Dec  9 19:56:34 2014
@@ -200,6 +200,7 @@ SProcXCMiscGetXIDList(client)
 {
 int n;
 REQUEST(xXCMiscGetXIDListReq);
+REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
 
 swaps(&stuff->le

CVS commit: [netbsd-5-1] xsrc

2014-05-13 Thread SAITOH Masanobu
Module Name:xsrc
Committed By:   msaitoh
Date:   Wed May 14 05:26:15 UTC 2014

Modified Files:
xsrc/external/mit/libXfont/dist/src/fc [netbsd-5-1]: fsconvert.c
fserve.c
xsrc/external/mit/libXfont/dist/src/fontfile [netbsd-5-1]: dirfile.c
xsrc/xfree/xc/lib/font/fc [netbsd-5-1]: fsconvert.c fserve.c
xsrc/xfree/xc/lib/font/fontfile [netbsd-5-1]: dirfile.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1905):
src/sys/compat/linux/common/linux_exec_elf32.c  1.91 via patch

A specially-crafted binary could easily control a kernel array index.
Add some checks to ensure that nothing will be read outside the allocated
area. Rewrite the code so that we don't need to allocate the whole section.

Spotted by several developers, patch from chs@/enami@


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c \
xsrc/external/mit/libXfont/dist/src/fc/fserve.c
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c
cvs rdiff -u -r1.4 -r1.4.24.1 xsrc/xfree/xc/lib/font/fc/fsconvert.c \
xsrc/xfree/xc/lib/font/fc/fserve.c
cvs rdiff -u -r1.4 -r1.4.12.1 xsrc/xfree/xc/lib/font/fontfile/dirfile.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c
diff -u xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.1.2.1 xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.1.2.1.2.1
--- xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.1.2.1	Thu Sep 17 03:33:15 2009
+++ xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c	Wed May 14 05:26:15 2014
@@ -120,6 +120,10 @@ _fs_convert_props(fsPropInfo *pi, fsProp
 for (i = 0; i < nprops; i++, dprop++, is_str++) 
 {
 	memcpy(&local_off, off_adr, SIZEOF(fsPropOffset));
+	if ((local_off.name.position >= pi->data_len) ||
+		(local_off.name.length >
+		(pi->data_len - local_off.name.position)))
+	goto bail; 
 	dprop->name = MakeAtom(&pdc[local_off.name.position],
 			   local_off.name.length, 1);
 	if (local_off.type != PropTypeString) {
@@ -127,10 +131,15 @@ _fs_convert_props(fsPropInfo *pi, fsProp
 	dprop->value = local_off.value.position;
 	} else {
 	*is_str = TRUE;
+	if ((local_off.name.position >= pi->data_len) ||
+		(local_off.name.length >
+		(pi->data_len - local_off.name.position)))
+		goto bail; 
 	dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position],
 	local_off.value.length, 1);
 	if (dprop->value == BAD_RESOURCE)
 	{
+	  bail:
 		free (pfi->props);
 		pfi->nprops = 0;
 		pfi->props = 0;
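Review bot: The bounds check added in the `PropTypeString` branch tests `local_off.name.position` and `local_off.name.length` a second time, but the `MakeAtom` call right after it reads `local_off.value.position` and `local_off.value.length`, so the value offset and length still reach `&pdc[...]` unchecked. The condition should be `if ((local_off.value.position >= pi->data_len) || (local_off.value.length > (pi->data_len - local_off.value.position))) goto bail;`. The new `bail:` label sits inside the `if (dprop->value == BAD_RESOURCE)` block, so both checks jump into that block; this is legal C but deserves a short comment. The loop and the rest of `_fs_convert_props` continue outside this hunk.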
@@ -714,7 +723,12 @@ fs_alloc_glyphs (FontPtr pFont, int size
 FSGlyphPtr	glyphs;
 FSFontPtr	fsfont = (FSFontPtr) pFont->fontPrivate;
 
-glyphs = malloc (sizeof (FSGlyphRec) + size);
+if (size < (INT_MAX - sizeof (FSGlyphRec)))
+	glyphs = malloc (sizeof (FSGlyphRec) + size);
+else
+glyphs = NULL;
+if (glyphs == NULL)
+return NULL;
 glyphs->next = fsfont->glyphs;
 fsfont->glyphs = glyphs;
 return (pointer) (glyphs + 1);
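Review bot: The new guard `size < (INT_MAX - sizeof (FSGlyphRec))` compares what the hunk header shows as an `int size` against an unsigned expression, so a negative `size` is rejected only because it converts to a very large unsigned value. That works, but a later edit could break it without anyone noticing. Writing it out as `if (size >= 0 && (size_t) size < INT_MAX - sizeof (FSGlyphRec))`, or adding the comment `/* a negative size converts to a huge unsigned value and is rejected too */`, would make the intent visible. The function can now return NULL, so its callers, which are outside this hunk, need to check for it.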
Index: xsrc/external/mit/libXfont/dist/src/fc/fserve.c
diff -u xsrc/external/mit/libXfont/dist/src/fc/fserve.c:1.1.1.1.2.1 xsrc/external/mit/libXfont/dist/src/fc/fserve.c:1.1.1.1.2.1.2.1
--- xsrc/external/mit/libXfont/dist/src/fc/fserve.c:1.1.1.1.2.1	Thu Sep 17 03:33:15 2009
+++ xsrc/external/mit/libXfont/dist/src/fc/fserve.c	Wed May 14 05:26:15 2014
@@ -73,6 +73,7 @@ in this Software without prior written a
 #include	"fservestr.h"
 #include	
 #include	
+#include
 
 #include	
 #define Time_t time_t
@@ -94,6 +95,15 @@ in this Software without prior written a
 			 (pci)->descent || \
 			 (pci)->characterWidth)
 
+/*
+ * SIZEOF(r) is in bytes, length fields in the protocol are in 32-bit words,
+ * so this converts for doing size comparisons.
+ */
+#define LENGTHOF(r)(SIZEOF(r) >> 2)
+
+/* Somewhat arbitrary limit on maximum reply size we'll try to read. */
+#define MAX_REPLY_LENGTH   ((64 * 1024 * 1024) >> 2)
+
 extern void ErrorF(const char *f, ...);
 
 static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
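Review bot: The comment on `MAX_REPLY_LENGTH` does not give the unit, and the `>> 2` makes the constant a count of 32-bit words (64 MiB worth), not bytes. It sits next to `LENGTHOF`, which exists because protocol length fields are in words, so a reader who compares it against a byte count would be off by a factor of four. Suggested wording: `/* Somewhat arbitrary limit on the reply length we'll try to read, in 32-bit words (64 MiB). */`.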
@@ -209,9 +219,22 @@ _fs_add_rep_log (FSFpePtr conn, fsGeneri
 		 rep->sequenceNumber,
 		 conn->reqbuffer[i].opcode);
 }
+
+#define _fs_reply_failed(rep, name, op) do {\
+if (rep) {  \
+if (rep->type == FS_Error)  \
+fprintf (stderr, "Error: %d Request: %s\n", \
+ ((fsError *)rep)->request, #name); \
+else\
+fprintf (stderr, "Bad Length for %s Reply: %d %s %d\n", \
+  

CVS commit: [netbsd-5-1] xsrc

2014-01-07 Thread Manuel Bouyer
Module Name:xsrc
Committed By:   bouyer
Date:   Tue Jan  7 18:07:27 UTC 2014

Modified Files:
xsrc/external/mit/libXfont/dist/src/bitmap [netbsd-5-1]: bdfread.c
xsrc/xfree/xc/lib/font/bitmap [netbsd-5-1]: bdfread.c

Log Message:
xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c patch
xsrc/xfree/xc/lib/font/bitmap/bdfread.c patch

Fix CVE-2013-6462: scanf without field width limits can crash
with huge input data.
[wiz, ticket #1896]


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c
cvs rdiff -u -r1.2 -r1.2.6.1 xsrc/xfree/xc/lib/font/bitmap/bdfread.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c
diff -u xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c:1.1.1.1.2.1 xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c:1.1.1.1.2.1.2.1
--- xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c:1.1.1.1.2.1	Thu Sep 17 03:33:14 2009
+++ xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c	Tue Jan  7 18:07:27 2014
@@ -72,6 +72,7 @@ from The Open Group.
 #define INDICES 256
 #define MAXENCODING 0x
 #define BDFLINELEN  1024
+#define BDFLINESTR  "%1023s" /* scanf specifier to read a BDFLINELEN string */
 
 static Bool bdfPadToTerminal(FontPtr pFont);
 extern int  bdfFileLineNum;
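Review bot: `BDFLINESTR` hard-codes the width 1023 next to `BDFLINELEN 1024`, and nothing fails the build if one is changed without the other; the later hunk in `bdfReadHeader` does add such a guard for `MAXFONTNAMELEN`. A matching guard here, `#if BDFLINELEN != 1024` / `# error "need to adjust BDFLINESTR to be BDFLINELEN - 1"` / `#endif`, would keep the two in step. The buffers that `BDFLINESTR` writes into (`namebuf`, `secondbuf`, `thirdbuf`) are declared outside the visible hunks, so confirm that each is at least `BDFLINELEN` bytes. The same applies to the identical change in xsrc/xfree/xc/lib/font/bitmap/bdfread.c.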
@@ -341,7 +342,7 @@ bdfReadCharacters(FontFilePtr file, Font
 	charcharName[100];
 	int ignore;
 
-	if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
+	if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) {
 	bdfError("bad character name in BDF file\n");
 	goto BAILOUT;	/* bottom of function, free and return error */
 	}
@@ -547,13 +548,18 @@ bdfReadHeader(FontFilePtr file, bdfFileS
 unsigned charlineBuf[BDFLINELEN];
 
 line = bdfGetLine(file, lineBuf, BDFLINELEN);
-if (!line || sscanf((char *) line, "STARTFONT %s", namebuf) != 1 ||
+if (!line ||
+	sscanf((char *) line, "STARTFONT " BDFLINESTR, namebuf) != 1 ||
 	!bdfStrEqual(namebuf, "2.1")) {
 	bdfError("bad 'STARTFONT'\n");
 	return (FALSE);
 }
 line = bdfGetLine(file, lineBuf, BDFLINELEN);
-if (!line || sscanf((char *) line, "FONT %[^\n]", pState->fontName) != 1) {
+#if MAXFONTNAMELEN != 1024
+# error "need to adjust sscanf length limit to be MAXFONTNAMELEN - 1"
+#endif
+if (!line ||
+	sscanf((char *) line, "FONT %1023[^\n]", pState->fontName) != 1) {
 	bdfError("bad 'FONT'\n");
 	return (FALSE);
 }
@@ -636,7 +642,9 @@ bdfReadProperties(FontFilePtr file, Font
 	while (*line && isspace(*line))
 	line++;
 
-	switch (sscanf((char *) line, "%s%s%s", namebuf, secondbuf, thirdbuf)) {
+	switch (sscanf((char *) line,
+			BDFLINESTR BDFLINESTR BDFLINESTR,
+			namebuf, secondbuf, thirdbuf)) {
 	default:
 	bdfError("missing '%s' parameter value\n", namebuf);
 	goto BAILOUT;

Index: xsrc/xfree/xc/lib/font/bitmap/bdfread.c
diff -u xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.2 xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.2.6.1
--- xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.2	Tue Apr  3 20:10:34 2007
+++ xsrc/xfree/xc/lib/font/bitmap/bdfread.c	Tue Jan  7 18:07:27 2014
@@ -70,6 +70,7 @@ from The Open Group.
 #define INDICES 256
 #define MAXENCODING 0x
 #define BDFLINELEN  1024
+#define BDFLINESTR  "%1023s" /* scanf specifier to read a BDFLINELEN string */
 
 static Bool bdfPadToTerminal(FontPtr pFont);
 extern int  bdfFileLineNum;
@@ -340,7 +341,7 @@ bdfReadCharacters(FontFilePtr file, Font
 	charcharName[100];
 	int ignore;
 
-	if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
+	if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) {
 	bdfError("bad character name in BDF file\n");
 	goto BAILOUT;	/* bottom of function, free and return error */
 	}
@@ -549,13 +550,18 @@ bdfReadHeader(FontFilePtr file, bdfFileS
 unsigned charlineBuf[BDFLINELEN];
 
 line = bdfGetLine(file, lineBuf, BDFLINELEN);
-if (!line || sscanf((char *) line, "STARTFONT %s", namebuf) != 1 ||
+if (!line ||
+	sscanf((char *) line, "STARTFONT " BDFLINESTR, namebuf) != 1 ||
 	!bdfStrEqual(namebuf, "2.1")) {
 	bdfError("bad 'STARTFONT'\n");
 	return (FALSE);
 }
 line = bdfGetLine(file, lineBuf, BDFLINELEN);
-if (!line || sscanf((char *) line, "FONT %[^\n]", pState->fontName) != 1) {
+#if MAXFONTNAMELEN != 1024
+# error "need to adjust sscanf length limit to be MAXFONTNAMELEN - 1" 
+#endif 
+if (!line ||
+	sscanf((char *) line, "FONT %1023[^\n]", pState->fontName) != 1) {
 	bdfError("bad 'FONT'\n");
 	return (FALSE);
 }
@@ -639,7 +645,9 @@ bdfReadProperties(FontFilePtr file, Font
 	while (*line && isspace(*line))
 	line++;
 
-	switch (sscanf((char *) line, "%s%s%s", namebuf, secondbuf, thirdbuf)) {
+	switch (sscanf((char *) line, 
+			BDFLINESTR BD

CVS commit: [netbsd-5-1] xsrc

2013-10-13 Thread Julian Coleman
Module Name:xsrc
Committed By:   jdc
Date:   Sun Oct 13 07:25:06 UTC 2013

Modified Files:
xsrc/external/mit/xorg-server/dist/dix [netbsd-5-1]: dixfonts.c
xsrc/xfree/xc/programs/Xserver/dix [netbsd-5-1]: dixfonts.c

Log Message:
Pull up revisions:
  xsrc/external/mit/xorg-server/dist/dix/dixfonts.c revision 1.2 via patch
  xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c revision 1.4 via patch
(requested by spz in ticket #1884).

Fix CVE-2013-4396 using a patch from:

--- snip ---
>From a4d9bf1259ad28f54b6d59a480b2009cc89ca623 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith 
Date: Mon, 16 Sep 2013 21:47:16 -0700
Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText()

Save a pointer to the passed in closure structure before copying it
and overwriting the *c pointer to point to our copy instead of the
original.  If we hit an error, once we free(c), reset c to point to
the original structure before jumping to the cleanup code that
references *c.

Since one of the errors being checked for is whether the server was
able to malloc(c->nChars * itemSize), the client can potentially pass
a number of characters chosen to cause the malloc to fail and the
error path to be taken, resulting in the read from freed memory.

Since the memory is accessed almost immediately afterwards, and the
X server is mostly single threaded, the odds of the free memory having
invalid contents are low with most malloc implementations when not using
memory debugging features, but some allocators will definitely overwrite
the memory there, leading to a likely crash.

Reported-by: Pedro Ribeiro 
Signed-off-by: Alan Coopersmith 
Reviewed-by: Julien Cristau 


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
xsrc/external/mit/xorg-server/dist/dix/dixfonts.c
cvs rdiff -u -r1.2 -r1.2.12.1 xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/xorg-server/dist/dix/dixfonts.c
diff -u xsrc/external/mit/xorg-server/dist/dix/dixfonts.c:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/dix/dixfonts.c:1.1.1.1.2.1.2.1
--- xsrc/external/mit/xorg-server/dist/dix/dixfonts.c:1.1.1.1.2.1	Thu Sep 17 03:34:53 2009
+++ xsrc/external/mit/xorg-server/dist/dix/dixfonts.c	Sun Oct 13 07:25:06 2013
@@ -1512,6 +1512,7 @@ doImageText(ClientPtr client, ITclosureP
 	GC *pGC;
 	unsigned char *data;
 	ITclosurePtr new_closure;
+ITclosurePtr old_closure;
 
 	/* We're putting the client to sleep.  We need to
 	   save some state.  Similar problem to that handled
@@ -1524,6 +1525,7 @@ doImageText(ClientPtr client, ITclosureP
 		err = BadAlloc;
 		goto bail;
 	}
+	old_closure = c;
 	*new_closure = *c;
 	c = new_closure;
 
@@ -1531,6 +1533,7 @@ doImageText(ClientPtr client, ITclosureP
 	if (!data)
 	{
 		xfree(c);
+		c = old_closure;
 		err = BadAlloc;
 		goto bail;
 	}
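Review bot: The reason for `c = old_closure;` is not stated at any of the three error paths where it is added (this hunk and the two after it), and without it the assignment right after `xfree(c)` reads like a leftover. A comment at the first occurrence, `/* the bail path reads *c: point c back at the caller's closure */`, would keep a later cleanup from removing it. `old_closure` is also declared without an initializer; in the visible paths it is only read after `old_closure = c;`, but initializing it to `NULL` at the declaration would make that easier to verify. The `bail` label and the rest of `doImageText` are outside these hunks. The same applies to xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c.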
@@ -1542,6 +1545,7 @@ doImageText(ClientPtr client, ITclosureP
 	{
 		xfree(c->data);
 		xfree(c);
+		c = old_closure;
 		err = BadAlloc;
 		goto bail;
 	}
@@ -1555,6 +1559,7 @@ doImageText(ClientPtr client, ITclosureP
 		FreeScratchGC(pGC);
 		xfree(c->data);
 		xfree(c);
+		c = old_closure;
 		err = BadAlloc;
 		goto bail;
 	}

Index: xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c
diff -u xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c:1.2 xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c:1.2.12.1
--- xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c:1.2	Sun Jul  2 19:17:56 2006
+++ xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c	Sun Oct 13 07:25:06 2013
@@ -1544,6 +1544,7 @@ doImageText(client, c)
 	GC *pGC;
 	unsigned char *data;
 	ITclosurePtr new_closure;
+	ITclosurePtr old_closure;
 
 	/* We're putting the client to sleep.  We need to
 	   save some state.  Similar problem to that handled
@@ -1556,6 +1557,7 @@ doImageText(client, c)
 		err = BadAlloc;
 		goto bail;
 	}
+	old_closure = c;
 	*new_closure = *c;
 	c = new_closure;
 
@@ -1563,6 +1565,7 @@ doImageText(client, c)
 	if (!data)
 	{
 		xfree(c);
+		c = old_closure;
 		err = BadAlloc;
 		goto bail;
 	}
@@ -1574,6 +1577,7 @@ doImageText(client, c)
 	{
 		xfree(c->data);
 		xfree(c);
+		c = old_closure;
 		err = BadAlloc;
 		goto bail;
 	}
@@ -1587,6 +1591,7 @@ doImageText(client, c)
 		FreeScratchGC(pGC);
 		xfree(c->data);
 		xfree(c);
+		c = old_closure;
 		err = BadAlloc;
 		goto bail;
 	}



CVS commit: [netbsd-5-1] xsrc/external/mit/libX11/dist/src/xkb

2013-09-18 Thread Manuel Bouyer
Module Name:xsrc
Committed By:   bouyer
Date:   Wed Sep 18 19:45:40 UTC 2013

Modified Files:
xsrc/external/mit/libX11/dist/src/xkb [netbsd-5-1]: XKBGetMap.c
XKBNames.c

Log Message:
Apply patch, requested by riz in ticket #1877
xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c patch

The size of the arrays is max_key_code + 1. This makes these functions
consistent with the other checks added for CVE-2013-1997.
Check the XkbGetNames reply when names->keys was just allocated
Should fix PR lib/48170.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1.2.1.2.1 -r1.1.1.1.2.1.2.2 \
xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c \
xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c
diff -u xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c:1.1.1.1.2.1.2.1 xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c:1.1.1.1.2.1.2.2
--- xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c:1.1.1.1.2.1.2.1	Thu Jun  6 16:39:19 2013
+++ xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c	Wed Sep 18 19:45:40 2013
@@ -431,7 +431,7 @@ XkbServerMapPtr		srv;
 
 if ( rep->totalVModMapKeys>0 ) {
 	if (((int) rep->firstVModMapKey + rep->nVModMapKeys)
-	 > xkb->max_key_code)
+	 > xkb->max_key_code + 1)
 	return BadLength;
 	if (((xkb->server==NULL)||(xkb->server->vmodmap==NULL))&&
 	(XkbAllocServerMap(xkb,XkbVirtualModMapMask,0)!=Success)) {
Index: xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c
diff -u xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c:1.1.1.1.2.1.2.1 xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c:1.1.1.1.2.1.2.2
--- xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c:1.1.1.1.2.1.2.1	Thu Jun  6 16:39:19 2013
+++ xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c	Wed Sep 18 19:45:40 2013
@@ -184,7 +184,7 @@ _XkbReadGetNamesReply(	Display *		dpy,
 	nKeys= xkb->max_key_code+1;
 	names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec);
 	}
-	else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code)
+	if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code + 1)
 	goto BAILOUT;
 	if (names->keys!=NULL) {
 	if (!_XkbCopyFromReadBuffer(&buf,



CVS commit: [netbsd-5-1] xsrc/external/mit/expat/dist

2012-11-26 Thread Jeff Rizzo
Module Name:xsrc
Committed By:   riz
Date:   Mon Nov 26 19:59:57 UTC 2012

Modified Files:
xsrc/external/mit/expat/dist/lib [netbsd-5-1]: expat.h xmlparse.c
xsrc/external/mit/expat/dist/xmlwf [netbsd-5-1]: readfilemap.c

Log Message:
xsrc/external/mit/expat/dist/lib/expat.h patch
xsrc/external/mit/expat/dist/lib/xmlparse.c patch
xsrc/external/mit/expat/dist/xmlwf/readfilemap.c patch

Address CVE-2012-1147, CVE-2012-1148 and CVE-2012-0876.
[spz, ticket #1821]


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.6.1 xsrc/external/mit/expat/dist/lib/expat.h
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
xsrc/external/mit/expat/dist/lib/xmlparse.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.6.1 \
xsrc/external/mit/expat/dist/xmlwf/readfilemap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/expat/dist/lib/expat.h
diff -u xsrc/external/mit/expat/dist/lib/expat.h:1.1.1.1 xsrc/external/mit/expat/dist/lib/expat.h:1.1.1.1.6.1
--- xsrc/external/mit/expat/dist/lib/expat.h:1.1.1.1	Tue Jul 29 05:35:06 2008
+++ xsrc/external/mit/expat/dist/lib/expat.h	Mon Nov 26 19:59:57 2012
@@ -883,6 +883,15 @@ XMLPARSEAPI(int)
 XML_SetParamEntityParsing(XML_Parser parser,
   enum XML_ParamEntityParsing parsing);
 
+/* Sets the hash salt to use for internal hash calculations.
+   Helps in preventing DoS attacks based on predicting hash
+   function behavior. This must be called before parsing is started.
+   Returns 1 if successful, 0 when called after parsing has started.
+*/
+XMLPARSEAPI(int)
+XML_SetHashSalt(XML_Parser parser,
+unsigned long hash_salt);
+
 /* If XML_Parse or XML_ParseBuffer have returned XML_STATUS_ERROR, then
XML_GetErrorCode returns information about the error.
 */
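Review bot: The comment for `XML_SetHashSalt` does not say that a salt of 0 is treated as "not set": `startParsing()` in xmlparse.c generates its own salt whenever `hash_secret_salt == 0`. A caller who passes 0 expecting a fixed, reproducible hash gets a generated salt instead. One added sentence would cover it: `Passing 0 leaves the salt unset; the parser then generates one itself.`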

Index: xsrc/external/mit/expat/dist/lib/xmlparse.c
diff -u xsrc/external/mit/expat/dist/lib/xmlparse.c:1.1.1.1.2.1 xsrc/external/mit/expat/dist/lib/xmlparse.c:1.1.1.1.2.1.2.1
--- xsrc/external/mit/expat/dist/lib/xmlparse.c:1.1.1.1.2.1	Wed Jan 27 20:43:00 2010
+++ xsrc/external/mit/expat/dist/lib/xmlparse.c	Mon Nov 26 19:59:57 2012
@@ -5,6 +5,8 @@
 #include 
 #include  /* memset(), memcpy() */
 #include 
+#include  /* UINT_MAX */
+#include/* time() */
 
 #define XML_BUILDING_EXPAT 1
 
@@ -391,12 +393,13 @@ static void dtdReset(DTD *p, const XML_M
 static void
 dtdDestroy(DTD *p, XML_Bool isDocEntity, const XML_Memory_Handling_Suite *ms);
 static int
-dtdCopy(DTD *newDtd, const DTD *oldDtd, const XML_Memory_Handling_Suite *ms);
+dtdCopy(XML_Parser oldParser,
+DTD *newDtd, const DTD *oldDtd, const XML_Memory_Handling_Suite *ms);
 static int
-copyEntityTable(HASH_TABLE *, STRING_POOL *, const HASH_TABLE *);
-
+copyEntityTable(XML_Parser oldParser,
+HASH_TABLE *, STRING_POOL *, const HASH_TABLE *);
 static NAMED *
-lookup(HASH_TABLE *table, KEY name, size_t createSize);
+lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize);
 static void FASTCALL
 hashTableInit(HASH_TABLE *, const XML_Memory_Handling_Suite *ms);
 static void FASTCALL hashTableClear(HASH_TABLE *);
@@ -429,11 +432,15 @@ static ELEMENT_TYPE *
 getElementType(XML_Parser parser, const ENCODING *enc,
const char *ptr, const char *end);
 
+static unsigned long generate_hash_secret_salt(void);
+static XML_Bool startParsing(XML_Parser parser);
+
 static XML_Parser
 parserCreate(const XML_Char *encodingName,
  const XML_Memory_Handling_Suite *memsuite,
  const XML_Char *nameSep,
  DTD *dtd);
+
 static void
 parserInit(XML_Parser parser, const XML_Char *encodingName);
 
@@ -546,6 +553,7 @@ struct XML_ParserStruct {
   XML_Bool m_useForeignDTD;
   enum XML_ParamEntityParsing m_paramEntityParsing;
 #endif
+  unsigned long m_hash_secret_salt;
 };
 
 #define MALLOC(s) (parser->m_mem.malloc_fcn((s)))
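Review bot: The value stored in `m_hash_secret_salt` comes from `generate_hash_secret_salt()`, defined in a later hunk that is cut off on this page, which seeds `srand()` with `time(NULL)` and returns `rand()`. A salt derived from the wall clock can be guessed by anyone who knows roughly when the parser started, which weakens the protection against hash-collision DoS that the salt is meant to give. Calling `srand()` from a library also resets the host application's `rand()` sequence. Where the platform offers an unpredictable source, the body could use it instead, e.g. `return arc4random();` on BSD systems. `rand()` may also return 0, which `startParsing()` treats as an unset salt.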
@@ -653,6 +661,7 @@ struct XML_ParserStruct {
 #define useForeignDTD (parser->m_useForeignDTD)
 #define paramEntityParsing (parser->m_paramEntityParsing)
 #endif /* XML_DTD */
+#define hash_secret_salt (parser->m_hash_secret_salt)
 
 XML_Parser XMLCALL
 XML_ParserCreate(const XML_Char *encodingName)
@@ -677,22 +686,35 @@ static const XML_Char implicitContext[] 
   ASCII_s, ASCII_p, ASCII_a, ASCII_c, ASCII_e, '\0'
 };
 
+static unsigned long
+generate_hash_secret_salt(void)
+{
+  unsigned int seed = time(NULL) % UINT_MAX;
+  srand(seed);
+  return rand();
+}
+
+static XML_Bool  /* only valid for root parser */
+startParsing(XML_Parser parser)
+{
+/* hash functions must be initialized before setContext() is called */
+if (hash_secret_salt == 0)
+  hash_secret_salt = generate_hash_secret_salt();
+if (ns) {
+  /* implicit context only set for root parser, since child
+ parsers (i.e. externa

CVS commit: [netbsd-5-1] xsrc/xfree/xc/programs/Xserver

2012-01-02 Thread Soren Jacobsen
Module Name:xsrc
Committed By:   snj
Date:   Mon Jan  2 23:51:37 UTC 2012

Modified Files:
xsrc/xfree/xc/programs/Xserver/fb [netbsd-5-1]: fbpict.c
xsrc/xfree/xc/programs/Xserver/mi [netbsd-5-1]: miarc.c misprite.c

Log Message:
Pull up following revision(s) (requested by is in ticket #1707):
xfree/xc/programs/Xserver/mi/misprite.c: revision 1.2
xfree/xc/programs/Xserver/mi/miarc.c: revision 1.2
xfree/xc/programs/Xserver/fb/fbpict.c: revision 1.5
This fix is taken from xorg-server 1.9.2.
mod(a,b) used to be defined with a - in front of naked a, such that uses
of mod with certain arithmetic expressions as a led to surprising results,
namely the one in Xrender praised in CVE-2010-1166.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.4.6.1 xsrc/xfree/xc/programs/Xserver/fb/fbpict.c
cvs rdiff -u -r1.1.1.5 -r1.1.1.5.24.1 \
xsrc/xfree/xc/programs/Xserver/mi/miarc.c
cvs rdiff -u -r1.1.1.5 -r1.1.1.5.26.1 \
xsrc/xfree/xc/programs/Xserver/mi/misprite.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/xfree/xc/programs/Xserver/fb/fbpict.c
diff -u xsrc/xfree/xc/programs/Xserver/fb/fbpict.c:1.4 xsrc/xfree/xc/programs/Xserver/fb/fbpict.c:1.4.6.1
--- xsrc/xfree/xc/programs/Xserver/fb/fbpict.c:1.4	Sat Apr 19 19:00:39 2008
+++ xsrc/xfree/xc/programs/Xserver/fb/fbpict.c	Mon Jan  2 23:51:37 2012
@@ -908,7 +908,7 @@ fbCompositeSolidMask_nx1xn (CARD8  o
 	  0x0);
 }
 
-# define mod(a,b)	((b) == 1 ? 0 : (a) >= 0 ? (a) % (b) : (b) - (-a) % (b))
+# define mod(a,b)	((b) == 1 ? 0 : (a) >= 0 ? (a) % (b) : (b) - (-(a)) % (b))
 
 void
 fbComposite (CARD8  op,
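Review bot: With the parentheses fixed, `mod(a,b)` still returns `b` rather than 0 when `a` is a negative exact multiple of `b`, because the negative branch then computes `(b) - 0`. Whether callers can pass such values is not visible in this hunk, but a result outside `0..b-1` is unexpected for a macro named `mod`. A form that stays in range is `# define mod(a,b) ((a) >= 0 ? (a) % (b) : (b) - 1 - (-((a) + 1)) % (b))`, which also makes the `(b) == 1` special case unnecessary. The macro evaluates its arguments more than once, so they must not have side effects. The same applies to the copies in mi/miarc.c and mi/misprite.c.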

Index: xsrc/xfree/xc/programs/Xserver/mi/miarc.c
diff -u xsrc/xfree/xc/programs/Xserver/mi/miarc.c:1.1.1.5 xsrc/xfree/xc/programs/Xserver/mi/miarc.c:1.1.1.5.24.1
--- xsrc/xfree/xc/programs/Xserver/mi/miarc.c:1.1.1.5	Fri Mar  5 14:29:39 2004
+++ xsrc/xfree/xc/programs/Xserver/mi/miarc.c	Mon Jan  2 23:51:37 2012
@@ -1554,7 +1554,7 @@ miRoundCap(
 
 # define Dsin(d)	((d) == 0.0 ? 0.0 : ((d) == 90.0 ? 1.0 : sin(d*M_PI/180.0)))
 # define Dcos(d)	((d) == 0.0 ? 1.0 : ((d) == 90.0 ? 0.0 : cos(d*M_PI/180.0)))
-# define mod(a,b)	((a) >= 0 ? (a) % (b) : (b) - (-a) % (b))
+# define mod(a,b)	((a) >= 0 ? (a) % (b) : (b) - (-(a)) % (b))
 
 static double
 miDcos (double a)

Index: xsrc/xfree/xc/programs/Xserver/mi/misprite.c
diff -u xsrc/xfree/xc/programs/Xserver/mi/misprite.c:1.1.1.5 xsrc/xfree/xc/programs/Xserver/mi/misprite.c:1.1.1.5.26.1
--- xsrc/xfree/xc/programs/Xserver/mi/misprite.c:1.1.1.5	Fri Feb 28 13:20:27 2003
+++ xsrc/xfree/xc/programs/Xserver/mi/misprite.c	Mon Jan  2 23:51:37 2012
@@ -1978,7 +1978,7 @@ miSpriteLineHelper()
 
 #ifdef RENDER
 
-# define mod(a,b)	((b) == 1 ? 0 : (a) >= 0 ? (a) % (b) : (b) - (-a) % (b))
+# define mod(a,b)	((b) == 1 ? 0 : (a) >= 0 ? (a) % (b) : (b) - (-(a)) % (b))
 
 static void
 miSpritePictureOverlap (PicturePtr  pPict,



CVS commit: [netbsd-5-1] xsrc/xfree/xc/extras/freetype2/src/lzw

2011-08-22 Thread Jeff Rizzo
Module Name:xsrc
Committed By:   riz
Date:   Mon Aug 22 17:48:56 UTC 2011

Modified Files:
xsrc/xfree/xc/extras/freetype2/src/lzw [netbsd-5-1]: zopen.c

Log Message:
Pull up following revision(s) (requested by joerg in ticket #1661):
Additional pullup to fix build on some architectures
xfree/xc/extras/freetype2/src/lzw/zopen.c: revision 1.3
Don't assign errno here.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1.14.1 -r1.1.1.1.14.2 \
xsrc/xfree/xc/extras/freetype2/src/lzw/zopen.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/xfree/xc/extras/freetype2/src/lzw/zopen.c
diff -u xsrc/xfree/xc/extras/freetype2/src/lzw/zopen.c:1.1.1.1.14.1 xsrc/xfree/xc/extras/freetype2/src/lzw/zopen.c:1.1.1.1.14.2
--- xsrc/xfree/xc/extras/freetype2/src/lzw/zopen.c:1.1.1.1.14.1	Fri Aug 19 20:58:12 2011
+++ xsrc/xfree/xc/extras/freetype2/src/lzw/zopen.c	Mon Aug 22 17:48:55 2011
@@ -1,5 +1,5 @@
 /* $XFree86: xc/extras/freetype2/src/lzw/zopen.c,v 1.2 2004/12/16 22:15:48 tsi Exp $ */
-/*	$NetBSD: zopen.c,v 1.1.1.1.14.1 2011/08/19 20:58:12 riz Exp $	*/
+/*	$NetBSD: zopen.c,v 1.1.1.1.14.2 2011/08/22 17:48:55 riz Exp $	*/
 
 /*-
  * Copyright (c) 1985, 1986, 1992, 1993
@@ -47,7 +47,7 @@
 #if 0
 static char sccsid[] = "@(#)zopen.c	8.1 (Berkeley) 6/27/93";
 #else
-static char rcsid[] = "$NetBSD: zopen.c,v 1.1.1.1.14.1 2011/08/19 20:58:12 riz Exp $";
+static char rcsid[] = "$NetBSD: zopen.c,v 1.1.1.1.14.2 2011/08/22 17:48:55 riz Exp $";
 #endif
 #endif /* LIBC_SCCS and not lint */
 
@@ -242,7 +242,6 @@
 		if (code >= free_ent) {
 			if (code > free_ent || oldcode == -1) {
 /* Bad stream. */
-errno = EINVAL;
 return (-1);
 			}
 			*stackp++ = finchar;



CVS commit: [netbsd-5-1] xsrc

2011-08-19 Thread Jeff Rizzo
Module Name:xsrc
Committed By:   riz
Date:   Fri Aug 19 20:58:12 UTC 2011

Modified Files:
xsrc/external/mit/freetype/dist/src/lzw [netbsd-5-1]: ftzopen.c
xsrc/external/mit/libXfont/dist/src/fontfile [netbsd-5-1]: decompress.c
xsrc/xfree/xc/extras/freetype2/src/lzw [netbsd-5-1]: zopen.c
xsrc/xfree/xc/lib/font/fontfile [netbsd-5-1]: decompress.c

Log Message:
Pull up following revision(s) (requested by joerg in ticket #1661):
xsrc/external/mit/libXfont/dist/src/fontfile/decompress.c: revision 1.2
xsrc/external/mit/libXfont/dist/src/fontfile/decompress.c: revision 1.3
src/usr.bin/gzip/zuncompress.c: revision 1.9-1.11
src/usr.bin/compress/zopen.c: revision 1.14-1.15
xsrc/xfree/xc/lib/font/fontfile/decompress.c: revision 1.2
xsrc/xfree/xc/extras/freetype2/src/lzw/zopen.c: revision 1.2
xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c: revision 1.4
P
Fix CVE-2011-2895, buffer overflow in decompress
provisional fix for CVE-2011-2895, buffer overflow when uncompressing
provisional fix for CVE-2011-2895, buffer overflow in decompression
set errno on overflow return.
Do proper input validation without penalizing performance.
Do proper input validation. Allow decompressing all input streams.
Increase robustness of LZW decoding to avoid buffer overflow on
arbitrary manipulated input streams in combination with uninitialised
memory.
Increase strictness of LZW parser.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c
cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.2.1 \
xsrc/external/mit/libXfont/dist/src/fontfile/decompress.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.14.1 \
xsrc/xfree/xc/extras/freetype2/src/lzw/zopen.c
cvs rdiff -u -r1.1.1.4 -r1.1.1.4.26.1 \
xsrc/xfree/xc/lib/font/fontfile/decompress.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c
diff -u xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c:1.1.1.1.2.1 xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c:1.1.1.1.2.1.2.1
--- xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c:1.1.1.1.2.1	Thu Jul  2 05:08:09 2009
+++ xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c	Fri Aug 19 20:58:12 2011
@@ -266,7 +266,7 @@
 state->block_mode = max_bits & LZW_BLOCK_MASK;
 state->max_free   = (FT_UInt)( ( 1UL << state->max_bits ) - 256 );
 
-if ( state->max_bits > LZW_MAX_BITS )
+if ( state->max_bits > LZW_MAX_BITS || state->max_bits < 12)
   goto Eof;
 
 state->num_bits = LZW_INIT_BITS;
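Review bot: The new lower bound `state->max_bits < 12` is a bare number with no comment, while every other limit in this block has a name (`LZW_MAX_BITS`, `LZW_INIT_BITS`). A reader cannot tell from the hunk why 12 is the smallest acceptable value. Either give it a name alongside the other `LZW_*` constants or add a comment on the line stating where the minimum comes from. Note also that `state->max_free` is computed from `max_bits` on the line above, before the range check; that is harmless here because the code jumps to `Eof` on failure, but checking first would read more naturally.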
@@ -277,19 +277,7 @@
 state->free_bits = state->num_bits < state->max_bits
? (FT_UInt)( ( 1UL << state->num_bits ) - 256 )
: state->max_free + 1;
-
-c = ft_lzwstate_get_code( state );
-if ( c < 0 )
-  goto Eof;
-
-old_code = old_char = (FT_UInt)c;
-
-if ( buffer )
-  buffer[result] = (FT_Byte)old_char;
-
-if ( ++result >= out_size )
-  goto Exit;
-
+old_code = -1;
 state->phase = FT_LZW_PHASE_CODE;
   }
   /* fall-through */
@@ -309,14 +297,10 @@
 
 if ( code == LZW_CLEAR && state->block_mode )
 {
-  /* why not LZW_FIRST-256 ? */
-  state->free_ent  = ( LZW_FIRST - 1 ) - 256;
+  state->free_ent  = LZW_FIRST - 256;
   state->buf_clear = 1;
-  c = ft_lzwstate_get_code( state );
-  if ( c < 0 )
-goto Eof;
-
-  code = (FT_UInt)c;
+  old_code = -1;
+  goto NextCode;
 }
 
 in_code = code; /* save code for later */
@@ -326,6 +310,8 @@
   /* special case for KwKwKwK */
   if ( code - 256U >= state->free_ent )
   {
+if ( code - 256U > state->free_ent )
+  goto Eof; /* Broken stream */
 FTLZW_STACK_PUSH( old_char );
 code = old_code;
   }
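Review bot: The KwKwKwK branch can now be entered while `old_code` still holds the `-1` sentinel that this commit sets at start-up and after `LZW_CLEAR`, and the added check only rejects `code - 256U > state->free_ent`. In that case `code = old_code;` passes the sentinel to the code that follows, and `old_char` has not been assigned yet either. The zopen.c decoder shown elsewhere on this page rejects that case with `if (code > free_ent || oldcode == -1)`; the equivalent here would be `if ( code - 256U > state->free_ent || old_code == -1 )` in front of `goto Eof;`. The loop that consumes `code` is outside this hunk, so confirm that no check there already covers it.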
@@ -361,7 +347,7 @@
 }
 
 /* now create new entry */
-if ( state->free_ent < state->max_free )
+if ( state->free_ent < state->max_free && old_code != -1)
 {
   if ( state->free_ent >= state->prefix_size &&
ft_lzwstate_prefix_grow( state ) < 0  )

Index: xsrc/external/mit/libXfont/dist/src/fontfile/decompress.c
diff -u xsrc/external/mit/libXfont/dist/src/fontfile/decompress.c:1.1.1.1.2.1 xsrc/external/mit/libXfont/dist/src/fontfile/decompress.c:1.1.1.1.2.1.2.1
--- xsrc/external/mit/libXfont/dist/src/fontfile/decompress.c:1.1.1.1.2.1	Thu Sep 17 03:33:15 2009
+++ xsrc/external/mit/libXfont/dist/src/fontfile/decompress.c	Fri Aug 19 20:58:12 2011
@@ -99,7 +99,7 @@
 #define FIRST	257	/* first free entry */
 #define	CLEAR	256	/* table clear output code */
 
-#define STACK_SIZE  8192
+#define STACK_SIZE  6

CVS commit: [netbsd-5-1] xsrc/external/mit/xrdb/dist

2011-04-07 Thread Soren Jacobsen
Module Name:xsrc
Committed By:   snj
Date:   Thu Apr  7 16:28:20 UTC 2011

Removed Files:
xsrc/external/mit/xrdb/dist [netbsd-5-1]: NEWS xrdb.man

Log Message:
Remove these two files.  Missed in ticket 1594.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r0 xsrc/external/mit/xrdb/dist/NEWS
cvs rdiff -u -r1.1.1.1.6.1 -r0 xsrc/external/mit/xrdb/dist/xrdb.man

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: [netbsd-5-1] xsrc/external/mit/xrdb/dist/man

2011-04-06 Thread Soren Jacobsen
Module Name:xsrc
Committed By:   snj
Date:   Thu Apr  7 06:58:38 UTC 2011

Added Files:
xsrc/external/mit/xrdb/dist/man [netbsd-5-1]: Makefile.am Makefile.in
xrdb.man

Log Message:
Apply patch (requested by mrg in ticket #1594):
Fix CVE-2011-0465


To generate a diff of this commit:
cvs rdiff -u -r0 -r1.1.1.1.6.2 xsrc/external/mit/xrdb/dist/man/Makefile.am \
xsrc/external/mit/xrdb/dist/man/Makefile.in \
xsrc/external/mit/xrdb/dist/man/xrdb.man

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Added files:

Index: xsrc/external/mit/xrdb/dist/man/Makefile.am
diff -u /dev/null xsrc/external/mit/xrdb/dist/man/Makefile.am:1.1.1.1.6.2
--- /dev/null	Thu Apr  7 06:58:38 2011
+++ xsrc/external/mit/xrdb/dist/man/Makefile.am	Thu Apr  7 06:58:38 2011
@@ -0,0 +1,12 @@
+
+appmandir = $(APP_MAN_DIR)
+appman_PRE = xrdb.man
+appman_DATA = $(appman_PRE:man=$(APP_MAN_SUFFIX))
+
+EXTRA_DIST = $(appman_PRE)
+CLEANFILES = $(appman_DATA)
+SUFFIXES = .$(APP_MAN_SUFFIX) .man
+
+# String replacements in MAN_SUBSTS now come from xorg-macros.m4 via configure
+.man.$(APP_MAN_SUFFIX):
+	$(AM_V_GEN)$(SED) $(MAN_SUBSTS) < $< > $@
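Review bot: The `.man.$(APP_MAN_SUFFIX)` rule redirects sed straight into `$@`, so a failing sed leaves a truncated man page that is newer than its source. This happens, for instance, when `MAN_SUBSTS` expands to nothing. The next run then treats the file as up to date unless the make in use deletes failed targets. Generating into a temporary name and renaming avoids this: `$(AM_V_GEN)$(SED) $(MAN_SUBSTS) < $< > $@.tmp && mv $@.tmp $@`. Neither `SED` nor `MAN_SUBSTS` is defined in this file; the comment says they come from configure, so the rule depends on a matching xorg-macros version being in use.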
Index: xsrc/external/mit/xrdb/dist/man/Makefile.in
diff -u /dev/null xsrc/external/mit/xrdb/dist/man/Makefile.in:1.1.1.1.6.2
--- /dev/null	Thu Apr  7 06:58:38 2011
+++ xsrc/external/mit/xrdb/dist/man/Makefile.in	Thu Apr  7 06:58:38 2011
@@ -0,0 +1,415 @@
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation,
+# Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = man
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+AM_V_GEN = $(am__v_GEN_$(V))
+am__v_GEN_ = $(am__v_GEN_$(AM_DEFAULT_VERBOSITY))
+am__v_GEN_0 = @echo "  GEN   " $@;
+AM_V_at = $(am__v_at_$(V))
+am__v_at_ = $(am__v_at_$(AM_DEFAULT_VERBOSITY))
+am__v_at_0 = @
+SOURCES =
+DIST_SOURCES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+*) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+if (++n[$$2] == $(am__install_max)) \
+  { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__installdirs = "$(DESTDIR)$(appmandir)"
+DATA = $(appman_DATA)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ADMIN_MAN_DIR = @ADMIN_MAN_DIR@
+ADMIN_MAN_SUFFIX = @ADMIN_MAN_SUFFIX@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+APP_MAN_DIR = @APP_MAN_DIR@
+APP_MAN_SUFFIX = @APP_MAN_SUFFIX@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHANGELOG_CMD = @CHANGELOG_CMD@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CPP_PATH = @CPP_PATH@
+CWARNFLAGS = @CWARNFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPD