CVS commit: [netbsd-5-2] xsrc
Module Name:xsrc Committed By: msaitoh Date: Sun Apr 19 07:25:32 UTC 2015 Modified Files: xsrc/external/mit/libX11/dist/include/X11 [netbsd-5-2]: Xlibint.h xsrc/xfree/xc/lib/X11 [netbsd-5-2]: Xlibint.h Log Message: Pull up following revision(s) (requested by mrg in ticket #1959): xsrc/external/mit/libX11/dist/include/X11/Xlibint.h patch xsrc/xfree/xc/lib/X11/Xlibint.h 1.2 Fix CVE-2013-7439: Buffer overflow in MakeBigReq macro in libX11. To generate a diff of this commit: cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.4.1 \ xsrc/external/mit/libX11/dist/include/X11/Xlibint.h cvs rdiff -u -r1.1.1.7 -r1.1.1.7.18.1 xsrc/xfree/xc/lib/X11/Xlibint.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/libX11/dist/include/X11/Xlibint.h diff -u xsrc/external/mit/libX11/dist/include/X11/Xlibint.h:1.1.1.1.2.1 xsrc/external/mit/libX11/dist/include/X11/Xlibint.h:1.1.1.1.2.1.4.1 --- xsrc/external/mit/libX11/dist/include/X11/Xlibint.h:1.1.1.1.2.1 Thu Sep 17 03:32:56 2009 +++ xsrc/external/mit/libX11/dist/include/X11/Xlibint.h Sun Apr 19 07:25:32 2015 @@ -530,6 +530,14 @@ extern LockInfoPtr _Xglobal_lock; #endif #ifdef WORD64 +/* + * MakeBigReq sets the CARD16 "req->length" to 0 and inserts a new CARD32 + * length, after req->length, before the data in the request. The new length + * includes the "n" extra 32-bit words. + * + * Do not use MakeBigReq if there is no data already in the request. + * req->length must already be >= 2. + */ #define MakeBigReq(req,n) \ { \ char _BRdat[4]; \ @@ -548,7 +556,7 @@ extern LockInfoPtr _Xglobal_lock; CARD32 _BRlen = req->length - 1; \ req->length = 0; \ _BRdat = ((CARD32 *)req)[_BRlen]; \ -memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \ +memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \ ((CARD32 *)req)[1] = _BRlen + n + 2; \ Data32(dpy, &_BRdat, 4); \ } 
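Review bot: The precondition `req->length must already be >= 2` is only documented, not enforced, and the new size expression in the `@@ -548,7 +556,7` hunk depends on it. With `req->length == 1`, `_BRlen` is 0 and `(_BRlen - 1) << 2` wraps to a very large count for memmove (assuming CARD32 is unsigned, as its name suggests). The same expression is in the `@@ -559,13 +567,20` hunk and in both memmove hunks of xsrc/xfree/xc/lib/X11/Xlibint.h. An explicit guard such as `if (_BRlen > 1)` around the memmove would at least bound the copy when a caller breaks the contract; a caller audit is the other option. The macro bodies begin outside these hunks.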
@@ -559,13 +567,20 @@ extern LockInfoPtr _Xglobal_lock; CARD32 _BRlen = req->length - 1; \ req->length = 0; \ _BRdat = ((CARD32 *)req)[_BRlen]; \ -memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \ +memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \ ((CARD32 *)req)[1] = _BRlen + n + 2; \ Data32(dpy, &_BRdat, 4); \ } #endif #endif +/* + * SetReqLen increases the count of 32-bit words in the request by "n", + * or by "badlen" if "n" is too large. + * + * Do not use SetReqLen if "req" does not already have data after the + * xReq header. req->length must already be >= 2. + */ #define SetReqLen(req,n,badlen) \ if ((req->length + n) > (unsigned)65535) { \ if (dpy->bigreq_size) { \ Index: xsrc/xfree/xc/lib/X11/Xlibint.h diff -u xsrc/xfree/xc/lib/X11/Xlibint.h:1.1.1.7 xsrc/xfree/xc/lib/X11/Xlibint.h:1.1.1.7.18.1 --- xsrc/xfree/xc/lib/X11/Xlibint.h:1.1.1.7 Fri Mar 18 13:04:29 2005 +++ xsrc/xfree/xc/lib/X11/Xlibint.h Sun Apr 19 07:25:32 2015 @@ -528,6 +528,14 @@ extern LockInfoPtr _Xglobal_lock; #endif #ifdef WORD64 +/* + * MakeBigReq sets the CARD16 "req->length" to 0 and inserts a new CARD32 + * length, after req->length, before the data in the request. The new length + * includes the "n" extra 32-bit words. + * + * Do not use MakeBigReq if there is no data already in the request. + * req->length must already be >= 2. + */ #define MakeBigReq(req,n) \ { \ char _BRdat[4]; \ @@ -546,7 +554,7 @@ extern LockInfoPtr _Xglobal_lock; CARD32 _BRlen = req->length - 1; \ req->length = 0; \ _BRdat = ((CARD32 *)req)[_BRlen]; \ -memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \ +memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \ ((CARD32 *)req)[1] = _BRlen + n + 2; \ Data32(dpy, &_BRdat, 4); \ } 
@@ -557,13 +565,20 @@ extern LockInfoPtr _Xglobal_lock; CARD32 _BRlen = req->length - 1; \ req->length = 0; \ _BRdat = ((CARD32 *)req)[_BRlen]; \ -memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \ +memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \ ((CARD32 *)req)[1] = _BRlen + n + 2; \ Data32(dpy, &_BRdat, 4); \ } #endif #endif +/* + * SetReqLen increases the count of 32-bit words in the request by "n", + * or by "badlen" if "n" is too large. + * + * Do not use SetReqLen if "req" does not already have data after the + * xReq header. req->length must already be >= 2. + */ #define SetReqLen(req,n,badlen) \ if ((req->length + n) > (unsigned)65535) { \ if (dpy->bigreq_size) { \
CVS commit: [netbsd-5-2] xsrc
Module Name:xsrc Committed By: snj Date: Tue Mar 17 18:44:15 UTC 2015 Modified Files: xsrc/external/mit/libXfont/dist/src/bitmap [netbsd-5-2]: bdfread.c xsrc/xfree/xc/lib/font/bitmap [netbsd-5-2]: bdfread.c Log Message: Apply patch (requested by mrg in ticket #1953): Fix the following security issues: CVE-2015-1802: bdfReadProperties: property count needs range check The bdf parser reads a count for the number of properties defined in a font from the font file, and allocates arrays with entries for each property based on that count. It never checked to see if that count was negative, or large enough to overflow when multiplied by the size of the structures being allocated, and could thus allocate the wrong buffer size, leading to out of bounds writes. CVE-2015-1803: bdfReadCharacters: bailout if a char's bitmap cannot be read If the bdf parser failed to parse the data for the bitmap for any character, it would proceed with an invalid pointer to the bitmap data and later crash when trying to read the bitmap from that pointer. CVE-2015-1804: bdfReadCharacters: ensure metrics fit into xCharInfo struct The bdf parser read metrics values as 32-bit integers, but stored them into 16-bit integers. Overflows could occur in various operations To generate a diff of this commit: cvs rdiff -u -r1.1.1.1.2.1.4.1 -r1.1.1.1.2.1.4.2 \ xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c cvs rdiff -u -r1.2.12.1 -r1.2.12.2 xsrc/xfree/xc/lib/font/bitmap/bdfread.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c diff -u xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c:1.1.1.1.2.1.4.1 xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c:1.1.1.1.2.1.4.2 --- xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c:1.1.1.1.2.1.4.1 Tue Jan 7 18:07:21 2014 +++ xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c Tue Mar 17 18:44:15 2015 
@@ -65,8 +65,16 @@ from The Open Group. #if HAVE_STDINT_H #include -#elif !defined(INT32_MAX) -#define INT32_MAX 0x7fff +#else +# ifndef INT32_MAX +# define INT32_MAX 0x7fff +# endif +# ifndef INT16_MAX +# define INT16_MAX 0x7fff +# endif +# ifndef INT16_MIN +# define INT16_MIN (0 - 0x8000) +# endif #endif #define INDICES 256 @@ -420,6 +428,12 @@ bdfReadCharacters(FontFilePtr file, Font bdfError("DWIDTH y value must be zero\n"); goto BAILOUT; } + /* xCharInfo metrics are stored as INT16 */ + if ((wx < 0) || (wx > INT16_MAX)) { + bdfError("character '%s' has out of range width, %d\n", + charName, wx); + goto BAILOUT; + } line = bdfGetLine(file, lineBuf, BDFLINELEN); if ((!line) || (sscanf((char *) line, "BBX %d %d %d %d", &bw, &bh, &bl, &bb) != 4)) { bdfError("bad 'BBX'\n"); @@ -430,6 +444,14 @@ bdfReadCharacters(FontFilePtr file, Font charName, bw, bh); goto BAILOUT; } + /* xCharInfo metrics are read as int, but stored as INT16 */ + if ((bl > INT16_MAX) || (bl < INT16_MIN) || + (bb > INT16_MAX) || (bb < INT16_MIN) || + (bw > (INT16_MAX - bl)) || (bh > (INT16_MAX - bb))) { + bdfError("character '%s' has out of range metrics, %d %d %d %d\n", + charName, bl, (bl+bw), (bh+bb), -bb); + goto BAILOUT; + } line = bdfGetLine(file, lineBuf, BDFLINELEN); if ((line) && (bdfIsPrefix(line, "ATTRIBUTES"))) { for (p = line + strlen("ATTRIBUTES "); @@ -461,7 +483,10 @@ bdfReadCharacters(FontFilePtr file, Font ci->metrics.descent = -bb; ci->metrics.characterWidth = wx; ci->bits = NULL; - bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes); + if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) { + bdfError("could not read bitmap for character '%s'\n", charName); + goto BAILOUT; + } ci++; ndx++; } else 
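Review bot: The fallback `# define INT32_MAX 0x7fff` kept in the `@@ -65,8 +65,16` hunk is the 16-bit maximum, not the 32-bit one; it now has the same value as the `INT16_MAX` fallback added beside it. On builds without HAVE_STDINT_H, the property-count bound in bdfReadProperties divides this value by `sizeof(FontPropRec)`, so the limit is far stricter than intended. That fails safe, but it would reject fonts that are otherwise valid. Suggest `# define INT32_MAX 0x7fffffff`.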
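Review bot: The range check in the `@@ -430,6 +444,14` hunk still admits `bb == INT16_MIN`. The later assignment `ci->metrics.descent = -bb` (visible in the following hunk) then yields 32768, which does not fit the INT16 that the added comment says the metrics are stored in. Tightening the lower bound closes that case: `(bb > INT16_MAX) || (bb <= INT16_MIN) ||`. The check also presumably relies on `bw` and `bh` having been rejected when negative by the test just above, which lies partly outside the hunk. bdfReadCharacters starts and ends outside these hunks.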
@@ -607,7 +632,9 @@ bdfReadProperties(FontFilePtr file, Font bdfError("missing 'STARTPROPERTIES'\n"); return (FALSE); } -if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) { +if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) || + (nProps <= 0) || + (nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) { bdfError("bad 'STARTPROPERTIES'\n"); return (FALSE); } Index: xsrc/xfree/xc/lib/font/bitmap/bdfread.c diff -u xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.2.12.1 xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.2.12.2 --- xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.2.12.1 Tue Jan 7 18:07:21 2014 +++ xsrc/xfree/xc/lib/font/bitmap/bdfread.c Tue Mar 17 18:44:15 2015 @@ -63,8 +63,16 @@ from The Open Group. #if HAVE_STDINT_H #include -#elif !defined(INT32_MAX) -#define INT32_MAX 0x7fff +#else +# ifndef INT32_MAX +# define INT32_MAX 0x7fff +# endif +# ifndef INT16_MAX +# define INT16_MAX 0x7fff +# endif +# ifndef INT16_MIN +# define INT16_MIN (0 - 0x8000) +# en
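Review bot: The upper-bound test in the `@@ -607,7 +632,9` hunk compares the signed `nProps` with an unsigned expression built from `sizeof`, so it is only meaningful because `nProps <= 0` is tested earlier in the same `||` chain. A one-line comment would stop a later edit from reordering the tests: `/* nProps <= 0 must be rejected first: the bound below is computed in size_t */`. All three failures also share the message `bad 'STARTPROPERTIES'`, so an out-of-range count cannot be told apart from a parse failure in the log. bdfReadProperties continues outside the hunk.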
CVS commit: [netbsd-5-2] xsrc
Module Name:xsrc Committed By: martin Date: Wed Feb 11 15:25:55 UTC 2015 Modified Files: xsrc/external/mit/xorg-server/dist/xkb [netbsd-5-2]: xkb.c xsrc/xfree/xc/programs/Xserver/xkb [netbsd-5-2]: xkb.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1949): external/mit/xorg-server/dist/xkb/xkb.c: revision 1.2 xfree/xc/programs/Xserver/xkb/xkb.c: revision 1.2 apply fixes for CVE-2015-0255: Information leak in the XkbSetGeometry request of X servers http://www.x.org/wiki/Development/Security/Advisory-2015-02-10/ ported to xorg-server 1.10 and xfree myself. To generate a diff of this commit: cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.4.1 \ xsrc/external/mit/xorg-server/dist/xkb/xkb.c cvs rdiff -u -r1.1.1.6 -r1.1.1.6.30.1 \ xsrc/xfree/xc/programs/Xserver/xkb/xkb.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/xorg-server/dist/xkb/xkb.c diff -u xsrc/external/mit/xorg-server/dist/xkb/xkb.c:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/xkb/xkb.c:1.1.1.1.2.1.4.1 --- xsrc/external/mit/xorg-server/dist/xkb/xkb.c:1.1.1.1.2.1 Thu Sep 17 03:35:48 2009 +++ xsrc/external/mit/xorg-server/dist/xkb/xkb.c Wed Feb 11 15:25:55 2015 
@@ -4820,27 +4820,30 @@ ProcXkbGetGeometry(ClientPtr client) /******/ -static char * -_GetCountedString(char **wire_inout,Bool swap) +static Status +_GetCountedString(char **wire_inout, ClientPtr client, char **str) { -char * wire,*str; -CARD16 len,*plen; +char *wire, *next; +CARD16 len; -wire= *wire_inout; -plen= (CARD16 *)wire; -if (swap) { - register int n; - swaps(plen,n); -} -len= *plen; -str= (char *)_XkbAlloc(len+1); -if (str) { - memcpy(str,&wire[2],len); - str[len]= '\0'; +wire = *wire_inout; +len = *(CARD16 *) wire; +if (client->swapped) { + int n; +swaps(&len, n); } -wire+= XkbPaddedSize(len+2); -*wire_inout= wire; -return str; +next = wire + XkbPaddedSize(len + 2); +/* Check we're still within the size of the request */ +if (client->req_len < +bytes_to_int32(next - (char *) client->requestBuffer)) +return BadValue; +*str = malloc(len + 1); +if (!*str) +return BadAlloc; +memcpy(*str, &wire[2], len); +*(*str + len) = '\0'; +*wire_inout = next; +return Success; } static Status @@ -4852,6 +4855,7 @@ _CheckSetDoodad( char ** wire_inout, char * wire; xkbDoodadWireDesc * dWire; XkbDoodadPtr doodad; +Status status; dWire= (xkbDoodadWireDesc *)(*wire_inout); wire= (char *)&dWire[1]; @@ -4901,8 +4905,14 @@ XkbDoodadPtr doodad; doodad->text.width= dWire->text.width; doodad->text.height= dWire->text.height; doodad->text.color_ndx= dWire->text.colorNdx; - doodad->text.text= _GetCountedString(&wire,client->swapped); - doodad->text.font= _GetCountedString(&wire,client->swapped); +status = _GetCountedString(&wire, client, &doodad->text.text); +if (status != Success) +return status; +status = _GetCountedString(&wire, client, &doodad->text.font); +if (status != Success) { +free (doodad->text.text); +return status; +} break; case XkbIndicatorDoodad: if (dWire->indicator.onColorNdx>=geom->num_colors) { 
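Review bot: In the rewritten _GetCountedString, `len = *(CARD16 *) wire;` reads the two length bytes before anything has checked that `wire + 2` is still inside the request. The `client->req_len` comparison only runs afterwards, on `next`. A request whose string area ends exactly at `wire` therefore causes a read past the request data before it is rejected with BadValue. Checking the length field first, ahead of the dereference, covers that case: `if (client->req_len < bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) return BadValue;`.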
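Review bot: On the font-string error path in the `@@ -4901,8 +4905,14` hunk, `free (doodad->text.text);` leaves `doodad->text.text` pointing at freed memory. If the caller releases the geometry after a failed _CheckSetDoodad (not visible here), that pointer would be freed a second time. Clearing it right after the free closes the gap: `doodad->text.text = NULL;`. _CheckSetDoodad starts and ends outside the hunk.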
@@ -4937,7 +4947,9 @@ XkbDoodadPtr doodad; } doodad->logo.color_ndx= dWire->logo.colorNdx; doodad->logo.shape_ndx= dWire->logo.shapeNdx; - doodad->logo.logo_name= _GetCountedString(&wire,client->swapped); +status = _GetCountedString(&wire, client, &doodad->logo.logo_name); +if (status != Success) +return status; break; default: client->errorValue= _XkbErrCode2(0x4F,dWire->any.type); @@ -5172,17 +5184,19 @@ Status status; char * wire; wire= (char *)&req[1]; -geom->label_font= _GetCountedString(&wire,client->swapped); +status = _GetCountedString(&wire, client, &geom->label_font); +if (status != Success) +return status; -for (i=0;inProperties;i++) { - char *name,*val; - name= _GetCountedString(&wire,client->swapped); -if (!name) -return BadAlloc; - val= _GetCountedString(&wire,client->swapped); -if (!val) { +for (i = 0; i < req->nProperties; i++) { + char *name, *val; +status = _GetCountedString(&wire, client, &name); +if (status != Success) +return status; +status = _GetCountedString(&wire, client, &val); +if (status != Success) { xfree(name); -return BadAlloc; +return status; } if (XkbAddGeomProperty(geom,name,val)==NULL) { xfree(name); @@ -5211,11 +5225,11 @@ char * wire; return BadMatch;
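Review bot: Strings returned by _GetCountedString are now allocated with `malloc`, but the property loop in the `@@ -5172,17 +5184,19` hunk still releases `name` with `xfree(name)`, while the text-doodad path uses `free`. If `xfree` is anything other than a thin wrapper around `free` in this tree, that is a mismatched allocator pair. Either way, using one pair consistently (`free(name);`) makes ownership easier to audit. The enclosing function starts outside the hunk and the loop body continues past it.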
CVS commit: [netbsd-5-2] xsrc/external/mit/xorg-server/dist
Module Name:xsrc Committed By: msaitoh Date: Mon Dec 22 12:52:54 UTC 2014 Modified Files: xsrc/external/mit/xorg-server/dist/exa [netbsd-5-2]: exa_render.c xsrc/external/mit/xorg-server/dist/render [netbsd-5-2]: picture.h Log Message: Pullup additional patches requested by mrg in ticket #1935: xsrc/external/mit/xorg-server/dist/exa/exa_render.c 1.2 xsrc/external/mit/xorg-server/dist/render/picture.h 1.2 fixes for CVE CVE-2013-6424: If t->bottom is close to MIN_INT, removing top can wraparound, so do the check properly. To generate a diff of this commit: cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.4.1 \ xsrc/external/mit/xorg-server/dist/exa/exa_render.c cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.4.1 \ xsrc/external/mit/xorg-server/dist/render/picture.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/xorg-server/dist/exa/exa_render.c diff -u xsrc/external/mit/xorg-server/dist/exa/exa_render.c:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/exa/exa_render.c:1.1.1.1.2.1.4.1 --- xsrc/external/mit/xorg-server/dist/exa/exa_render.c:1.1.1.1.2.1 Thu Sep 17 03:34:54 2009 +++ xsrc/external/mit/xorg-server/dist/exa/exa_render.c Mon Dec 22 12:52:54 2014 @@ -1074,6 +1074,7 @@ exaTrapezoids (CARD8 op, PicturePtr pSrc exaPrepareAccess(pPicture->pDrawable, EXA_PREPARE_DEST); for (; ntrap; ntrap--, traps++) + if (xTrapezoidValid(traps)) (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1); exaFinishAccess(pPicture->pDrawable, EXA_PREPARE_DEST); Index: xsrc/external/mit/xorg-server/dist/render/picture.h diff -u xsrc/external/mit/xorg-server/dist/render/picture.h:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/render/picture.h:1.1.1.1.2.1.4.1 --- xsrc/external/mit/xorg-server/dist/render/picture.h:1.1.1.1.2.1 Thu Sep 17 03:35:47 2009 +++ xsrc/external/mit/xorg-server/dist/render/picture.h Mon Dec 22 12:52:54 2014 
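Review bot: The added `if (xTrapezoidValid(traps))` in exaTrapezoids hangs off a brace-less `for` and itself guards a brace-less call, so the loop body is now two levels of implicit nesting. Bracing both makes the skip of invalid trapezoids explicit and protects against a later statement landing at the wrong level: `for (; ntrap; ntrap--, traps++) {` followed by `if (xTrapezoidValid(traps)) {`. exaTrapezoids starts and ends outside the hunk.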
@@ -201,7 +201,7 @@ typedef pixman_fixed_t xFixed; /* whether 't' is a well defined not obviously empty trapezoid */ #define xTrapezoidValid(t) ((t)->left.p1.y != (t)->left.p2.y && \ (t)->right.p1.y != (t)->right.p2.y && \ - (int) ((t)->bottom - (t)->top) > 0) + ((t)->bottom > (t)->top)) /* * Standard NTSC luminance conversions:
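Review bot: The comment above xTrapezoidValid does not say why `bottom` and `top` are now compared directly, and the previous form `(int) ((t)->bottom - (t)->top) > 0` looks equivalent at a glance. A short comment would keep the macro from being simplified back to the subtraction: `/* compare directly: bottom - top can wrap for values near the integer limits */`.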
CVS commit: [netbsd-5-2] xsrc/xfree/xc/programs/Xserver
Module Name:xsrc Committed By: snj Date: Mon Dec 15 07:03:50 UTC 2014 Modified Files: xsrc/xfree/xc/programs/Xserver/GL/glx [netbsd-5-2]: single2.c single2swap.c singlepix.c singlepixswap.c xsrc/xfree/xc/programs/Xserver/Xext [netbsd-5-2]: EVI.c xf86vmode.c Log Message: Apply patch (requested by mrg in ticket 1935): Fix build. To generate a diff of this commit: cvs rdiff -u -r1.1.1.6.18.1 -r1.1.1.6.18.2 \ xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c \ xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c cvs rdiff -u -r1.1.1.3.32.1 -r1.1.1.3.32.2 \ xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c cvs rdiff -u -r1.1.1.4.32.1 -r1.1.1.4.32.2 \ xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c cvs rdiff -u -r1.1.1.4 -r1.1.1.4.30.1 \ xsrc/xfree/xc/programs/Xserver/Xext/EVI.c cvs rdiff -u -r1.1.1.6 -r1.1.1.6.30.1 \ xsrc/xfree/xc/programs/Xserver/Xext/xf86vmode.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c:1.1.1.6.18.1 xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c:1.1.1.6.18.2 --- xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c:1.1.1.6.18.1 Fri Dec 12 06:58:36 2014 +++ xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c Mon Dec 15 07:03:50 2014 @@ -42,6 +42,8 @@ #include "g_disptab.h" #include "GL/glx_ansic.h" +#include + int __glXDisp_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc) { ClientPtr client = cl->client; Index: xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c:1.1.1.6.18.1 xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c:1.1.1.6.18.2 --- xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c:1.1.1.6.18.1 Fri Dec 12 06:58:36 2014 +++ xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c Mon Dec 15 07:03:50 2014 
@@ -42,6 +42,8 @@ #include "g_disptab.h" #include "GL/glx_ansic.h" +#include + int __glXDispSwap_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc) { ClientPtr client = cl->client; Index: xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c:1.1.1.3.32.1 xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c:1.1.1.3.32.2 --- xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c:1.1.1.3.32.1 Fri Dec 12 06:58:36 2014 +++ xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c Mon Dec 15 07:03:50 2014 @@ -42,6 +42,8 @@ #include "g_disptab.h" #include "g_disptab_EXT.h" +#include + int __glXDisp_ReadPixels(__GLXclientState *cl, GLbyte *pc) { GLsizei width, height; Index: xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c diff -u xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c:1.1.1.4.32.1 xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c:1.1.1.4.32.2 --- xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c:1.1.1.4.32.1 Fri Dec 12 06:58:36 2014 +++ xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c Mon Dec 15 07:03:50 2014 @@ -42,6 +42,8 @@ #include "g_disptab.h" #include "g_disptab_EXT.h" +#include + int __glXDispSwap_ReadPixels(__GLXclientState *cl, GLbyte *pc) { GLsizei width, height; Index: xsrc/xfree/xc/programs/Xserver/Xext/EVI.c diff -u xsrc/xfree/xc/programs/Xserver/Xext/EVI.c:1.1.1.4 xsrc/xfree/xc/programs/Xserver/Xext/EVI.c:1.1.1.4.30.1 --- xsrc/xfree/xc/programs/Xserver/Xext/EVI.c:1.1.1.4 Fri Mar 5 14:27:38 2004 +++ xsrc/xfree/xc/programs/Xserver/Xext/EVI.c Mon Dec 15 07:03:50 2014 
@@ -33,6 +33,8 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. #include "EVIstruct.h" #include "modinit.h" +#include + #if 0 static unsigned char XEVIReqCode = 0; #endif Index: xsrc/xfree/xc/programs/Xserver/Xext/xf86vmode.c diff -u xsrc/xfree/xc/programs/Xserver/Xext/xf86vmode.c:1.1.1.6 xsrc/xfree/xc/programs/Xserver/Xext/xf86vmode.c:1.1.1.6.30.1 --- xsrc/xfree/xc/programs/Xserver/Xext/xf86vmode.c:1.1.1.6 Fri Mar 5 14:27:40 2004 +++ xsrc/xfree/xc/programs/Xserver/Xext/xf86vmode.c Mon Dec 15 07:03:50 2014 @@ -51,6 +51,8 @@ from Kaleb S. KEITHLEY #include "xf86_ansic.h" #endif +#include + static int VidModeErrorBase; static int VidModeGeneration = 0; static int VidModeClientPrivateIndex;
CVS commit: [netbsd-5-2] xsrc/xfree/xc/programs/Xserver
Module Name:xsrc Committed By: snj Date: Fri Dec 12 06:58:37 UTC 2014 Modified Files: xsrc/xfree/xc/programs/Xserver/GL/glx [netbsd-5-2]: glxcmds.c glxcmdsswap.c glxserver.h rensize.c single2.c single2swap.c singlepix.c singlepixswap.c unpack.h xsrc/xfree/xc/programs/Xserver/Xext [netbsd-5-2]: xcmisc.c xvdisp.c xsrc/xfree/xc/programs/Xserver/Xi [netbsd-5-2]: chgdctl.c chgfctl.c sendexev.c xsrc/xfree/xc/programs/Xserver/dbe [netbsd-5-2]: dbe.c xsrc/xfree/xc/programs/Xserver/dix [netbsd-5-2]: dispatch.c xsrc/xfree/xc/programs/Xserver/include [netbsd-5-2]: dix.h misc.h xsrc/xfree/xc/programs/Xserver/os [netbsd-5-2]: access.c rpcauth.c xsrc/xfree/xc/programs/Xserver/randr [netbsd-5-2]: randr.c xsrc/xfree/xc/programs/Xserver/render [netbsd-5-2]: render.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1935): xfree/xc/programs/Xserver/dix/dispatch.c: revision 1.2 xfree/xc/programs/Xserver/Xext/xvdisp.c: revision 1.2 xfree/xc/programs/Xserver/include/misc.h: revision 1.2 xfree/xc/programs/Xserver/render/render.c: revision 1.4 xfree/xc/programs/Xserver/GL/glx/singlepixswap.c: revision 1.2 xfree/xc/programs/Xserver/Xi/sendexev.c: revision 1.2 xfree/xc/programs/Xserver/include/dix.h: revision 1.2 xfree/xc/programs/Xserver/os/access.c: revision 1.7 xfree/xc/programs/Xserver/GL/glx/glxserver.h: revision 1.2 xfree/xc/programs/Xserver/GL/glx/rensize.c: revision 1.2 xfree/xc/programs/Xserver/GL/glx/unpack.h: revision 1.2 xfree/xc/programs/Xserver/GL/glx/singlepix.c: revision 1.2 xfree/xc/programs/Xserver/Xi/chgfctl.c: revision 1.2 xfree/xc/programs/Xserver/Xi/chgdctl.c: revision 1.2 xfree/xc/programs/Xserver/GL/glx/glxcmds.c: revision 1.2 xfree/xc/programs/Xserver/Xext/xcmisc.c: revision 1.3 xfree/xc/programs/Xserver/randr/randr.c: revision 1.2 xfree/xc/programs/Xserver/GL/glx/glxcmdsswap.c: revision 1.2 xfree/xc/programs/Xserver/os/rpcauth.c: revision 1.2 xfree/xc/programs/Xserver/dbe/dbe.c: revision 1.3 xfree/xc/programs/Xserver/GL/glx/single2.c: 
revision 1.2 xfree/xc/programs/Xserver/GL/glx/single2swap.c: revision 1.2 pull over from xorg-server, porting as necessary. - -- apply fixes for: X.Org Security Advisory: Dec. 9, 2014 Protocol handling issues in X Window System servers backported to 1.10.x by myself. included are fixes for: denial of service due to unchecked malloc in client authentication CVE-2014-8091 integer overflows calculating memory needs for requests CVE-2014-8092 CVE-2014-8093 CVE-2014-8094 out of bounds access due to not validating length or offset values in requests CVE-2014-8095 CVE-2014-8096 CVE-2014-8097 CVE-2014-8098 CVE-2014-8099 CVE-2014-8100 CVE-2014-8101 CVE-2014-8102 CVE-2014-8103 - -- apply two more parts of CVE-2014-8092: Missing parens in REQUEST_FIXED_SIZE macro [CVE-2014-8092 pt. 5] dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6] - -- To generate a diff of this commit: cvs rdiff -u -r1.1.1.6 -r1.1.1.6.18.1 \ xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmds.c \ xsrc/xfree/xc/programs/Xserver/GL/glx/glxcmdsswap.c \ xsrc/xfree/xc/programs/Xserver/GL/glx/glxserver.h \ xsrc/xfree/xc/programs/Xserver/GL/glx/single2.c \ xsrc/xfree/xc/programs/Xserver/GL/glx/single2swap.c \ xsrc/xfree/xc/programs/Xserver/GL/glx/unpack.h cvs rdiff -u -r1.1.1.7 -r1.1.1.7.18.1 \ xsrc/xfree/xc/programs/Xserver/GL/glx/rensize.c cvs rdiff -u -r1.1.1.3 -r1.1.1.3.32.1 \ xsrc/xfree/xc/programs/Xserver/GL/glx/singlepix.c cvs rdiff -u -r1.1.1.4 -r1.1.1.4.32.1 \ xsrc/xfree/xc/programs/Xserver/GL/glx/singlepixswap.c cvs rdiff -u -r1.2 -r1.2.12.1 xsrc/xfree/xc/programs/Xserver/Xext/xcmisc.c cvs rdiff -u -r1.1.1.5 -r1.1.1.5.30.1 \ xsrc/xfree/xc/programs/Xserver/Xext/xvdisp.c cvs rdiff -u -r1.1.1.4 -r1.1.1.4.32.1 \ xsrc/xfree/xc/programs/Xserver/Xi/chgdctl.c \ xsrc/xfree/xc/programs/Xserver/Xi/chgfctl.c \ xsrc/xfree/xc/programs/Xserver/Xi/sendexev.c cvs rdiff -u -r1.2 -r1.2.12.1 xsrc/xfree/xc/programs/Xserver/dbe/dbe.c cvs rdiff -u -r1.1.1.7 -r1.1.1.7.18.1 \ 
xsrc/xfree/xc/programs/Xserver/dix/dispatch.c cvs rdiff -u -r1.1.1.6 -r1.1.1.6.30.1 \ xsrc/xfree/xc/programs/Xserver/include/dix.h cvs rdiff -u -r1.1.1.6 -r1.1.1.6.18.1 \ xsrc/xfree/xc/programs/Xserver/include/misc.h cvs rdiff -u -r1.6 -r1.6.18.1 xsrc/xfree/xc/programs/Xserver/os/access.c cvs rdiff -u -r1.1.1.5 -r1.1.1.5.30.1 \ xsrc/xfree/xc/programs/Xserver/os/rpcauth.c cvs rdiff -u -r1.1.1.3 -r1.1.1.3.30.1 \ xsrc/xfree/xc/programs/Xserver/randr/randr.c cvs rdiff -u -r1.3 -r1.3.12.1 xsrc/xfree/xc/programs/Xserver/render/render.c Please note that d
CVS commit: [netbsd-5-2] xsrc/external/mit/xorg-server/dist
Module Name:xsrc Committed By: snj Date: Wed Dec 10 22:59:53 UTC 2014 Modified Files: xsrc/external/mit/xorg-server/dist/include [netbsd-5-2]: dix.h xsrc/external/mit/xorg-server/dist/os [netbsd-5-2]: access.c Log Message: Pull up following revision(s) (requested by mrg in ticket #1935): external/mit/xorg-server/dist/include/dix.h: revision 1.3 external/mit/xorg-server/dist/os/access.c: revision 1.3 via patch apply two more parts of CVE-2014-8092: Missing parens in REQUEST_FIXED_SIZE macro [CVE-2014-8092 pt. 5] dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6] To generate a diff of this commit: cvs rdiff -u -r1.1.1.1.2.1.4.1 -r1.1.1.1.2.1.4.2 \ xsrc/external/mit/xorg-server/dist/include/dix.h cvs rdiff -u -r1.1.1.1.2.1.4.1 -r1.1.1.1.2.1.4.2 \ xsrc/external/mit/xorg-server/dist/os/access.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/xorg-server/dist/include/dix.h diff -u xsrc/external/mit/xorg-server/dist/include/dix.h:1.1.1.1.2.1.4.1 xsrc/external/mit/xorg-server/dist/include/dix.h:1.1.1.1.2.1.4.2 --- xsrc/external/mit/xorg-server/dist/include/dix.h:1.1.1.1.2.1.4.1 Tue Dec 9 19:58:23 2014 +++ xsrc/external/mit/xorg-server/dist/include/dix.h Wed Dec 10 22:59:53 2014 @@ -78,7 +78,7 @@ SOFTWARE. #define REQUEST_FIXED_SIZE(req, n)\ if (((sizeof(req) >> 2) > client->req_len) || \ -((n >> 2) >= client->req_len) || \ +(((n) >> 2) >= client->req_len) || \ uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \ return(BadLength) Index: xsrc/external/mit/xorg-server/dist/os/access.c diff -u xsrc/external/mit/xorg-server/dist/os/access.c:1.1.1.1.2.1.4.1 xsrc/external/mit/xorg-server/dist/os/access.c:1.1.1.1.2.1.4.2 --- xsrc/external/mit/xorg-server/dist/os/access.c:1.1.1.1.2.1.4.1 Tue Dec 9 19:58:23 2014 +++ xsrc/external/mit/xorg-server/dist/os/access.c Wed Dec 10 22:59:53 2014 
@@ -1474,7 +1474,7 @@ GetHosts ( for (host = validhosts; host; host = host->next) { len = host->len; -if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *)data + n)) +if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n)) break; ((xHostEntry *)ptr)->family = host->family; ((xHostEntry *)ptr)->length = len;
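Review bot: The bound in GetHosts is still evaluated as pointer arithmetic, `ptr + sizeof(xHostEntry) + len`, which forms a pointer beyond the reply buffer before comparing it. That is undefined behaviour in C and may wrap if `len` is large. Comparing sizes avoids it: `if (sizeof(xHostEntry) + len > (size_t) (((unsigned char *) *data + n) - ptr))`. The `break` also truncates the host list silently, so confirm that the count reported to the client reflects the entries actually written; that code is outside the hunk.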
CVS commit: [netbsd-5-2] xsrc/external/mit/xorg-server/dist
Module Name:xsrc Committed By: snj Date: Tue Dec 9 19:58:24 UTC 2014 Modified Files: xsrc/external/mit/xorg-server/dist/Xext [netbsd-5-2]: xcmisc.c xvdisp.c xsrc/external/mit/xorg-server/dist/Xi [netbsd-5-2]: chgdctl.c chgfctl.c sendexev.c xiproperty.c xsrc/external/mit/xorg-server/dist/dbe [netbsd-5-2]: dbe.c xsrc/external/mit/xorg-server/dist/dix [netbsd-5-2]: dispatch.c xsrc/external/mit/xorg-server/dist/glx [netbsd-5-2]: glxcmds.c glxcmdsswap.c glxserver.h indirect_program.c indirect_reqsize.c indirect_reqsize.h indirect_texture_compression.c indirect_util.c rensize.c single2.c single2swap.c singlepix.c singlepixswap.c swap_interval.c unpack.h xsrc/external/mit/xorg-server/dist/hw/xfree86/dri2 [netbsd-5-2]: dri2ext.c xsrc/external/mit/xorg-server/dist/include [netbsd-5-2]: dix.h misc.h xsrc/external/mit/xorg-server/dist/os [netbsd-5-2]: access.c rpcauth.c xsrc/external/mit/xorg-server/dist/randr [netbsd-5-2]: rrsdispatch.c xsrc/external/mit/xorg-server/dist/render [netbsd-5-2]: render.c xsrc/external/mit/xorg-server/dist/xfixes [netbsd-5-2]: select.c Log Message: Apply patch (requested by mrg in ticket #1935): apply fixes for X.Org Security Advisory: Dec. 
9, 2014 Protocol handling issues in X Window System servers included are fixes for: denial of service due to unchecked malloc in client authentication CVE-2014-8091 integer overflows calculating memory needs for requests CVE-2014-8092 CVE-2014-8093 CVE-2014-8094 out of bounds access due to not validating length or offset values in requests CVE-2014-8095 CVE-2014-8096 CVE-2014-8097 CVE-2014-8098 CVE-2014-8099 CVE-2014-8100 CVE-2014-8101 CVE-2014-8102 CVE-2014-8103 To generate a diff of this commit: cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.4.1 \ xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c \ xsrc/external/mit/xorg-server/dist/Xext/xvdisp.c cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.4.1 \ xsrc/external/mit/xorg-server/dist/Xi/chgdctl.c \ xsrc/external/mit/xorg-server/dist/Xi/chgfctl.c \ xsrc/external/mit/xorg-server/dist/Xi/sendexev.c cvs rdiff -u -r1.1.1.2.2.2 -r1.1.1.2.2.2.4.1 \ xsrc/external/mit/xorg-server/dist/Xi/xiproperty.c cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.4.1 \ xsrc/external/mit/xorg-server/dist/dbe/dbe.c cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.4.1 \ xsrc/external/mit/xorg-server/dist/dix/dispatch.c cvs rdiff -u -r1.1.1.2.2.2 -r1.1.1.2.2.2.4.1 \ xsrc/external/mit/xorg-server/dist/glx/glxcmds.c cvs rdiff -u -r1.1.1.1.2.2 -r1.1.1.1.2.2.4.1 \ xsrc/external/mit/xorg-server/dist/glx/glxcmdsswap.c \ xsrc/external/mit/xorg-server/dist/glx/glxserver.h \ xsrc/external/mit/xorg-server/dist/glx/indirect_program.c \ xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.c \ xsrc/external/mit/xorg-server/dist/glx/indirect_reqsize.h \ xsrc/external/mit/xorg-server/dist/glx/indirect_texture_compression.c \ xsrc/external/mit/xorg-server/dist/glx/indirect_util.c \ xsrc/external/mit/xorg-server/dist/glx/rensize.c \ xsrc/external/mit/xorg-server/dist/glx/single2.c \ xsrc/external/mit/xorg-server/dist/glx/single2swap.c \ xsrc/external/mit/xorg-server/dist/glx/singlepix.c \ xsrc/external/mit/xorg-server/dist/glx/singlepixswap.c \ 
xsrc/external/mit/xorg-server/dist/glx/swap_interval.c \ xsrc/external/mit/xorg-server/dist/glx/unpack.h cvs rdiff -u -r1.1.1.2.2.2 -r1.1.1.2.2.2.4.1 \ xsrc/external/mit/xorg-server/dist/hw/xfree86/dri2/dri2ext.c cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.4.1 \ xsrc/external/mit/xorg-server/dist/include/dix.h \ xsrc/external/mit/xorg-server/dist/include/misc.h cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.4.1 \ xsrc/external/mit/xorg-server/dist/os/access.c \ xsrc/external/mit/xorg-server/dist/os/rpcauth.c cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.4.1 \ xsrc/external/mit/xorg-server/dist/randr/rrsdispatch.c cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.4.1 \ xsrc/external/mit/xorg-server/dist/render/render.c cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.4.1 \ xsrc/external/mit/xorg-server/dist/xfixes/select.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c diff -u xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c:1.1.1.1.2.1.4.1 --- xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c:1.1.1.1.2.1 Thu Sep 17 03:34:49 2009 +++ xsrc/external/mit/xorg-server/dist/Xext/xcmisc.c Tue Dec 9 19:58:23 2014 @@ -200,6 +200,7 @@ SProcXCMiscGetXIDList(client) { int n; REQUEST(xXCMiscGetXIDListReq); +REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq); swaps(&stuff->le
CVS commit: [netbsd-5-2] xsrc
Module Name:xsrc Committed By: msaitoh Date: Wed May 14 05:27:33 UTC 2014 Modified Files: xsrc/external/mit/libXfont/dist/src/fc [netbsd-5-2]: fsconvert.c fserve.c xsrc/external/mit/libXfont/dist/src/fontfile [netbsd-5-2]: dirfile.c xsrc/xfree/xc/lib/font/fc [netbsd-5-2]: fsconvert.c fserve.c xsrc/xfree/xc/lib/font/fontfile [netbsd-5-2]: dirfile.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1905): src/sys/compat/linux/common/linux_exec_elf32.c 1.91 via patch A specially-crafted binary could easily control a kernel array index. Add some checks to ensure that nothing will be read outside the allocated area. Rewrite the code so that we don't need to allocate the whole section. Spotted by several developers, patch from chs@/enami@ To generate a diff of this commit: cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.4.1 \ xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c \ xsrc/external/mit/libXfont/dist/src/fc/fserve.c cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.4.1 \ xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c cvs rdiff -u -r1.4 -r1.4.30.1 xsrc/xfree/xc/lib/font/fc/fsconvert.c \ xsrc/xfree/xc/lib/font/fc/fserve.c cvs rdiff -u -r1.4 -r1.4.18.1 xsrc/xfree/xc/lib/font/fontfile/dirfile.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c diff -u xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.1.2.1 xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.1.2.1.4.1 --- xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c:1.1.1.1.2.1 Thu Sep 17 03:33:15 2009 +++ xsrc/external/mit/libXfont/dist/src/fc/fsconvert.c Wed May 14 05:27:33 2014 
@@ -120,6 +120,10 @@ _fs_convert_props(fsPropInfo *pi, fsProp for (i = 0; i < nprops; i++, dprop++, is_str++) { memcpy(&local_off, off_adr, SIZEOF(fsPropOffset)); + if ((local_off.name.position >= pi->data_len) || + (local_off.name.length > + (pi->data_len - local_off.name.position))) + goto bail; dprop->name = MakeAtom(&pdc[local_off.name.position], local_off.name.length, 1); if (local_off.type != PropTypeString) { @@ -127,10 +131,15 @@ _fs_convert_props(fsPropInfo *pi, fsProp dprop->value = local_off.value.position; } else { *is_str = TRUE; + if ((local_off.name.position >= pi->data_len) || + (local_off.name.length > + (pi->data_len - local_off.name.position))) + goto bail; dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position], local_off.value.length, 1); if (dprop->value == BAD_RESOURCE) { + bail: free (pfi->props); pfi->nprops = 0; pfi->props = 0; @@ -714,7 +723,12 @@ fs_alloc_glyphs (FontPtr pFont, int size FSGlyphPtr glyphs; FSFontPtr fsfont = (FSFontPtr) pFont->fontPrivate; -glyphs = malloc (sizeof (FSGlyphRec) + size); +if (size < (INT_MAX - sizeof (FSGlyphRec))) + glyphs = malloc (sizeof (FSGlyphRec) + size); +else +glyphs = NULL; +if (glyphs == NULL) +return NULL; glyphs->next = fsfont->glyphs; fsfont->glyphs = glyphs; return (pointer) (glyphs + 1); Index: xsrc/external/mit/libXfont/dist/src/fc/fserve.c diff -u xsrc/external/mit/libXfont/dist/src/fc/fserve.c:1.1.1.1.2.1 xsrc/external/mit/libXfont/dist/src/fc/fserve.c:1.1.1.1.2.1.4.1 --- xsrc/external/mit/libXfont/dist/src/fc/fserve.c:1.1.1.1.2.1 Thu Sep 17 03:33:15 2009 +++ xsrc/external/mit/libXfont/dist/src/fc/fserve.c Wed May 14 05:27:33 2014 @@ -73,6 +73,7 @@ in this Software without prior written a #include "fservestr.h" #include #include +#include #include #define Time_t time_t 
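Review bot: In the second hunk of _fs_convert_props, the bounds check added to the string-value branch tests `local_off.name.position` and `local_off.name.length` again, but the MakeAtom call right after it reads `&pdc[local_off.value.position]` for `local_off.value.length` bytes. The value offset and length taken from the reply are therefore still used without being compared to `pi->data_len`. The check should read `if ((local_off.value.position >= pi->data_len) || (local_off.value.length > (pi->data_len - local_off.value.position))) goto bail;`. The xfree copy of fsconvert.c listed under Modified Files is not shown here and presumably needs the same correction. Separately, the log message describes linux_exec_elf32.c, which is not among the modified files, so it should not be relied on to identify what this change fixes.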
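Review bot: The new guard in fs_alloc_glyphs, `if (size < (INT_MAX - sizeof (FSGlyphRec)))`, rejects a negative `size` only because the right-hand side is unsigned and `size` is converted before the comparison; nothing in the code says so. A comment such as `/* size is converted to unsigned here, so negative values fail the test too */`, or an explicit `size >= 0 &&`, would make that intent survive later edits. The function now returns NULL where it previously dereferenced the malloc result unchecked, so its callers, which are outside this hunk, need to handle NULL.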
@@ -94,6 +95,15 @@ in this Software without prior written a (pci)->descent || \ (pci)->characterWidth) +/* + * SIZEOF(r) is in bytes, length fields in the protocol are in 32-bit words, + * so this converts for doing size comparisons. + */ +#define LENGTHOF(r)(SIZEOF(r) >> 2) + +/* Somewhat arbitrary limit on maximum reply size we'll try to read. */ +#define MAX_REPLY_LENGTH ((64 * 1024 * 1024) >> 2) + extern void ErrorF(const char *f, ...); static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec ); @@ -209,9 +219,22 @@ _fs_add_rep_log (FSFpePtr conn, fsGeneri rep->sequenceNumber, conn->reqbuffer[i].opcode); } + +#define _fs_reply_failed(rep, name, op) do {\ +if (rep) { \ +if (rep->type == FS_Error) \ +fprintf (stderr, "Error: %d Request: %s\n", \ + ((fsError *)rep)->request, #name); \ +else\ +fprintf (stderr, "Bad Length for %s Reply: %d %s %d\n", \ +
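Review bot: The comment on MAX_REPLY_LENGTH calls it a limit on reply size, but the value `((64 * 1024 * 1024) >> 2)` is a count of 32-bit words, the same unit LENGTHOF produces. A reader comparing it with a byte count would be off by a factor of four. I would state the unit in the comment: `/* Somewhat arbitrary limit (64 MiB, expressed in 32-bit words) on the reply length we'll try to read. */`. The code that uses both macros is outside this hunk.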
CVS commit: [netbsd-5-2] xsrc
Module Name:xsrc Committed By: bouyer Date: Tue Jan 7 18:07:21 UTC 2014 Modified Files: xsrc/external/mit/libXfont/dist/src/bitmap [netbsd-5-2]: bdfread.c xsrc/xfree/xc/lib/font/bitmap [netbsd-5-2]: bdfread.c Log Message: xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.cpatch xsrc/xfree/xc/lib/font/bitmap/bdfread.c patch Fix CVE-2013-6462: scanf without field width limits can crash with huge input data. [wiz, ticket #1896] To generate a diff of this commit: cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.4.1 \ xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c cvs rdiff -u -r1.2 -r1.2.12.1 xsrc/xfree/xc/lib/font/bitmap/bdfread.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c diff -u xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c:1.1.1.1.2.1 xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c:1.1.1.1.2.1.4.1 --- xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c:1.1.1.1.2.1 Thu Sep 17 03:33:14 2009 +++ xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c Tue Jan 7 18:07:21 2014 @@ -72,6 +72,7 @@ from The Open Group. #define INDICES 256 #define MAXENCODING 0x #define BDFLINELEN 1024 +#define BDFLINESTR "%1023s" /* scanf specifier to read a BDFLINELEN string */ static Bool bdfPadToTerminal(FontPtr pFont); extern int bdfFileLineNum; @@ -341,7 +342,7 @@ bdfReadCharacters(FontFilePtr file, Font charcharName[100]; int ignore; - if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) { + if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) { bdfError("bad character name in BDF file\n"); goto BAILOUT; /* bottom of function, free and return error */ } 
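Review bot: BDFLINESTR hard-codes `%1023s` next to `#define BDFLINELEN 1024` with only a comment tying the two together, so shrinking BDFLINELEN later would silently leave the scan width larger than the buffers again. The bdfReadHeader hunk guards the `%1023[^\n]` width with `#if MAXFONTNAMELEN != 1024` and `# error`; the same guard belongs here, e.g. `#if BDFLINELEN != 1024` followed by `# error "need to adjust BDFLINESTR width to be BDFLINELEN - 1"`. The width also only helps if every destination it is used with (namebuf, secondbuf and thirdbuf in the later hunks) is at least BDFLINELEN bytes, and those declarations are not visible in the hunks. The identical hunk in xsrc/xfree/xc/lib/font/bitmap/bdfread.c has the same gap.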
@@ -547,13 +548,18 @@ bdfReadHeader(FontFilePtr file, bdfFileS unsigned charlineBuf[BDFLINELEN]; line = bdfGetLine(file, lineBuf, BDFLINELEN); -if (!line || sscanf((char *) line, "STARTFONT %s", namebuf) != 1 || +if (!line || + sscanf((char *) line, "STARTFONT " BDFLINESTR, namebuf) != 1 || !bdfStrEqual(namebuf, "2.1")) { bdfError("bad 'STARTFONT'\n"); return (FALSE); } line = bdfGetLine(file, lineBuf, BDFLINELEN); -if (!line || sscanf((char *) line, "FONT %[^\n]", pState->fontName) != 1) { +#if MAXFONTNAMELEN != 1024 +# error "need to adjust sscanf length limit to be MAXFONTNAMELEN - 1" +#endif +if (!line || + sscanf((char *) line, "FONT %1023[^\n]", pState->fontName) != 1) { bdfError("bad 'FONT'\n"); return (FALSE); } @@ -636,7 +642,9 @@ bdfReadProperties(FontFilePtr file, Font while (*line && isspace(*line)) line++; - switch (sscanf((char *) line, "%s%s%s", namebuf, secondbuf, thirdbuf)) { + switch (sscanf((char *) line, + BDFLINESTR BDFLINESTR BDFLINESTR, + namebuf, secondbuf, thirdbuf)) { default: bdfError("missing '%s' parameter value\n", namebuf); goto BAILOUT; Index: xsrc/xfree/xc/lib/font/bitmap/bdfread.c diff -u xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.2 xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.2.12.1 --- xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.2 Tue Apr 3 20:10:34 2007 +++ xsrc/xfree/xc/lib/font/bitmap/bdfread.c Tue Jan 7 18:07:21 2014 @@ -70,6 +70,7 @@ from The Open Group. #define INDICES 256 #define MAXENCODING 0x #define BDFLINELEN 1024 +#define BDFLINESTR "%1023s" /* scanf specifier to read a BDFLINELEN string */ static Bool bdfPadToTerminal(FontPtr pFont); extern int bdfFileLineNum; @@ -340,7 +341,7 @@ bdfReadCharacters(FontFilePtr file, Font charcharName[100]; int ignore; - if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) { + if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) { bdfError("bad character name in BDF file\n"); goto BAILOUT; /* bottom of function, free and return error */ } 
@@ -549,13 +550,18 @@ bdfReadHeader(FontFilePtr file, bdfFileS unsigned charlineBuf[BDFLINELEN]; line = bdfGetLine(file, lineBuf, BDFLINELEN); -if (!line || sscanf((char *) line, "STARTFONT %s", namebuf) != 1 || +if (!line || + sscanf((char *) line, "STARTFONT " BDFLINESTR, namebuf) != 1 || !bdfStrEqual(namebuf, "2.1")) { bdfError("bad 'STARTFONT'\n"); return (FALSE); } line = bdfGetLine(file, lineBuf, BDFLINELEN); -if (!line || sscanf((char *) line, "FONT %[^\n]", pState->fontName) != 1) { +#if MAXFONTNAMELEN != 1024 +# error "need to adjust sscanf length limit to be MAXFONTNAMELEN - 1" +#endif +if (!line || + sscanf((char *) line, "FONT %1023[^\n]", pState->fontName) != 1) { bdfError("bad 'FONT'\n"); return (FALSE); } @@ -639,7 +645,9 @@ bdfReadProperties(FontFilePtr file, Font while (*line && isspace(*line)) line++; - switch (sscanf((char *) line, "%s%s%s", namebuf, secondbuf, thirdbuf)) { + switch (sscanf((char *) line, + BDFLINESTR
CVS commit: [netbsd-5-2] xsrc
Module Name:xsrc Committed By: jdc Date: Sun Oct 13 07:25:12 UTC 2013 Modified Files: xsrc/external/mit/xorg-server/dist/dix [netbsd-5-2]: dixfonts.c xsrc/xfree/xc/programs/Xserver/dix [netbsd-5-2]: dixfonts.c Log Message: Pull up revisions: xsrc/external/mit/xorg-server/dist/dix/dixfonts.c revision 1.2 via patch xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c revision 1.4 via patch (requested by spz in ticket #1884). Fix CVE-2013-4396 using a patch from: --- snip --- >From a4d9bf1259ad28f54b6d59a480b2009cc89ca623 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Mon, 16 Sep 2013 21:47:16 -0700 Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText() Save a pointer to the passed in closure structure before copying it and overwriting the *c pointer to point to our copy instead of the original. If we hit an error, once we free(c), reset c to point to the original structure before jumping to the cleanup code that references *c. Since one of the errors being checked for is whether the server was able to malloc(c->nChars * itemSize), the client can potentially pass a number of characters chosen to cause the malloc to fail and the error path to be taken, resulting in the read from freed memory. Since the memory is accessed almost immediately afterwards, and the X server is mostly single threaded, the odds of the free memory having invalid contents are low with most malloc implementations when not using memory debugging features, but some allocators will definitely overwrite the memory there, leading to a likely crash. Reported-by: Pedro Ribeiro 
Signed-off-by: Alan Coopersmith Reviewed-by: Julien Cristau To generate a diff of this commit: cvs rdiff -u -r1.1.1.1.2.1 -r1.1.1.1.2.1.4.1 \ xsrc/external/mit/xorg-server/dist/dix/dixfonts.c cvs rdiff -u -r1.2 -r1.2.14.1 xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/xorg-server/dist/dix/dixfonts.c diff -u xsrc/external/mit/xorg-server/dist/dix/dixfonts.c:1.1.1.1.2.1 xsrc/external/mit/xorg-server/dist/dix/dixfonts.c:1.1.1.1.2.1.4.1 --- xsrc/external/mit/xorg-server/dist/dix/dixfonts.c:1.1.1.1.2.1 Thu Sep 17 03:34:53 2009 +++ xsrc/external/mit/xorg-server/dist/dix/dixfonts.c Sun Oct 13 07:25:12 2013 @@ -1512,6 +1512,7 @@ doImageText(ClientPtr client, ITclosureP GC *pGC; unsigned char *data; ITclosurePtr new_closure; +ITclosurePtr old_closure; /* We're putting the client to sleep. We need to save some state. Similar problem to that handled @@ -1524,6 +1525,7 @@ doImageText(ClientPtr client, ITclosureP err = BadAlloc; goto bail; } + old_closure = c; *new_closure = *c; c = new_closure; @@ -1531,6 +1533,7 @@ doImageText(ClientPtr client, ITclosureP if (!data) { xfree(c); + c = old_closure; err = BadAlloc; goto bail; } @@ -1542,6 +1545,7 @@ doImageText(ClientPtr client, ITclosureP { xfree(c->data); xfree(c); + c = old_closure; err = BadAlloc; goto bail; } @@ -1555,6 +1559,7 @@ doImageText(ClientPtr client, ITclosureP FreeScratchGC(pGC); xfree(c->data); xfree(c); + c = old_closure; err = BadAlloc; goto bail; } Index: xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c diff -u xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c:1.2 xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c:1.2.14.1 --- xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c:1.2 Sun Jul 2 19:17:56 2006 +++ xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c Sun Oct 13 07:25:12 2013 
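Review bot: The added `old_closure = c;` and the three `c = old_closure;` resets carry no comment, and the reason for them is only in the commit message: per that message, the cleanup code at `bail` reads `*c` after the copy has been freed. I would put that next to the save, e.g. `/* keep the caller's closure; bail dereferences c after our copy is freed */`, so that an error path added later between the copy and `bail` also restores `c`. The `bail` label and the rest of doImageText are outside these hunks, so this rests on the log message rather than on visible code. The same hunks applied to xsrc/xfree/xc/programs/Xserver/dix/dixfonts.c would take the same comment.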
@@ -1544,6 +1544,7 @@ doImageText(client, c) GC *pGC; unsigned char *data; ITclosurePtr new_closure; + ITclosurePtr old_closure; /* We're putting the client to sleep. We need to save some state. Similar problem to that handled @@ -1556,6 +1557,7 @@ doImageText(client, c) err = BadAlloc; goto bail; } + old_closure = c; *new_closure = *c; c = new_closure; @@ -1563,6 +1565,7 @@ doImageText(client, c) if (!data) { xfree(c); + c = old_closure; err = BadAlloc; goto bail; } @@ -1574,6 +1577,7 @@ doImageText(client, c) { xfree(c->data); xfree(c); + c = old_closure; err = BadAlloc; goto bail; } @@ -1587,6 +1591,7 @@ doImageText(client, c) FreeScratchGC(pGC); xfree(c->data); xfree(c); + c = old_closure; err = BadAlloc; goto bail; }
CVS commit: [netbsd-5-2] xsrc/external/mit/libX11/dist/src/xkb
Module Name:xsrc Committed By: bouyer Date: Wed Sep 18 19:46:23 UTC 2013 Modified Files: xsrc/external/mit/libX11/dist/src/xkb [netbsd-5-2]: XKBGetMap.c XKBNames.c Log Message: Apply patch, requested by riz in ticket #1877 xsrc/external/mit/libX11/dist/src/xkb/XKBNames.cpatch The size of the arrays is max_key_code + 1. This makes these functions consistent with the other checks added for CVE-2013-1997. Check the XkbGetNames reply when names->keys was just allocated Should fix PR lib/48170. To generate a diff of this commit: cvs rdiff -u -r1.1.1.1.2.1.4.1 -r1.1.1.1.2.1.4.2 \ xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c \ xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c diff -u xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c:1.1.1.1.2.1.4.1 xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c:1.1.1.1.2.1.4.2 --- xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c:1.1.1.1.2.1.4.1 Thu Jun 6 16:40:00 2013 +++ xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c Wed Sep 18 19:46:23 2013 @@ -431,7 +431,7 @@ XkbServerMapPtr srv; if ( rep->totalVModMapKeys>0 ) { if (((int) rep->firstVModMapKey + rep->nVModMapKeys) - > xkb->max_key_code) + > xkb->max_key_code + 1) return BadLength; if (((xkb->server==NULL)||(xkb->server->vmodmap==NULL))&& (XkbAllocServerMap(xkb,XkbVirtualModMapMask,0)!=Success)) { Index: xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c diff -u xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c:1.1.1.1.2.1.4.1 xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c:1.1.1.1.2.1.4.2 --- xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c:1.1.1.1.2.1.4.1 Thu Jun 6 16:40:00 2013 +++ xsrc/external/mit/libX11/dist/src/xkb/XKBNames.c Wed Sep 18 19:46:23 2013 
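Review bot: The corrected bound `> xkb->max_key_code + 1` in the XKBGetMap.c hunk depends on the array having max_key_code + 1 entries, which is stated only in the log message. A short comment above the test, e.g. `/* per-key arrays hold max_key_code + 1 entries */`, would keep a later edit from reintroducing the off-by-one. The allocation itself is outside this hunk, so the size should be confirmed there.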
@@ -184,7 +184,7 @@ _XkbReadGetNamesReply( Display * dpy, nKeys= xkb->max_key_code+1; names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec); } - else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code) + if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code + 1) goto BAILOUT; if (names->keys!=NULL) { if (!_XkbCopyFromReadBuffer(&buf,