aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorzeising <zeising@FreeBSD.org>2013-07-03 19:35:50 +0800
committerzeising <zeising@FreeBSD.org>2013-07-03 19:35:50 +0800
commit71edc70bb6fce70db627df90afe1e634321f32ef (patch)
tree564c278812328342a7e0204b350b55715362383d
parent37ab7d62814f5d251f50ea3bfe662c25e557067d (diff)
downloadfreebsd-ports-gnome-71edc70bb6fce70db627df90afe1e634321f32ef.tar.gz
freebsd-ports-gnome-71edc70bb6fce70db627df90afe1e634321f32ef.tar.zst
freebsd-ports-gnome-71edc70bb6fce70db627df90afe1e634321f32ef.zip
Update to 1.7.2
This release incorporates all security patches. Obtained from: xorg development repo
-rw-r--r--x11/libXi/Makefile3
-rw-r--r--x11/libXi/distinfo4
-rw-r--r--x11/libXi/files/patch-src_XGMotion.c63
-rw-r--r--x11/libXi/files/patch-src_XGetBMap.c61
-rw-r--r--x11/libXi/files/patch-src_XGetDCtl.c113
-rw-r--r--x11/libXi/files/patch-src_XGetDProp.c126
-rw-r--r--x11/libXi/files/patch-src_XGetFCtl.c94
-rw-r--r--x11/libXi/files/patch-src_XGetProp.c53
-rw-r--r--x11/libXi/files/patch-src_XIPassiveGrab.c27
-rw-r--r--x11/libXi/files/patch-src_XIProperties.c52
-rw-r--r--x11/libXi/files/patch-src_XISelEv.c85
-rw-r--r--x11/libXi/files/patch-src_XListDev.c83
-rw-r--r--x11/libXi/files/patch-src_XQueryDv.c63
13 files changed, 3 insertions, 824 deletions
diff --git a/x11/libXi/Makefile b/x11/libXi/Makefile
index 81b66525f9c9..25cb67b26931 100644
--- a/x11/libXi/Makefile
+++ b/x11/libXi/Makefile
@@ -2,8 +2,7 @@
# $FreeBSD$
PORTNAME= libXi
-PORTVERSION= 1.7.1
-PORTREVISION= 1
+PORTVERSION= 1.7.2
PORTEPOCH= 1
CATEGORIES= x11
diff --git a/x11/libXi/distinfo b/x11/libXi/distinfo
index 10f6fc7d053b..a03dbae991b5 100644
--- a/x11/libXi/distinfo
+++ b/x11/libXi/distinfo
@@ -1,2 +1,2 @@
-SHA256 (xorg/lib/libXi-1.7.1.tar.bz2) = e92adb6b69c53c51e05c1e65db97e23751b935a693000fb0606c11b88c0066c5
-SIZE (xorg/lib/libXi-1.7.1.tar.bz2) = 434569
+SHA256 (xorg/lib/libXi-1.7.2.tar.bz2) = df24781dc63645e2b561cd0b20bd8a0e7aff02e426a8d2a7641159004d4cb20e
+SIZE (xorg/lib/libXi-1.7.2.tar.bz2) = 440969
diff --git a/x11/libXi/files/patch-src_XGMotion.c b/x11/libXi/files/patch-src_XGMotion.c
deleted file mode 100644
index 4902168a6023..000000000000
--- a/x11/libXi/files/patch-src_XGMotion.c
+++ /dev/null
@@ -1,63 +0,0 @@
-From bb922ed4253b35590f0369f32a917ff89ade0830 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 10 Mar 2013 06:55:23 +0000
-Subject: integer overflow in XGetDeviceMotionEvents() [CVE-2013-1984 4/8]
-
-If the number of events or axes reported by the server is large enough
-that it overflows when multiplied by the size of the appropriate struct,
-then memory corruption can occur when more bytes are copied from the
-X server reply than the size of the buffer we allocated to hold them.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
-diff --git a/src/XGMotion.c b/src/XGMotion.c
-index 5feac85..a4c75b6 100644
---- src/XGMotion.c
-+++ src/XGMotion.c
-@@ -59,6 +59,7 @@ SOFTWARE.
- #include <X11/extensions/XInput.h>
- #include <X11/extensions/extutil.h>
- #include "XIint.h"
-+#include <limits.h>
-
- XDeviceTimeCoord *
- XGetDeviceMotionEvents(
-@@ -74,7 +75,7 @@ XGetDeviceMotionEvents(
- xGetDeviceMotionEventsReply rep;
- XDeviceTimeCoord *tc;
- int *data, *bufp, *readp, *savp;
-- long size, size2;
-+ unsigned long size;
- int i, j;
- XExtDisplayInfo *info = XInput_find_display(dpy);
-
-@@ -104,10 +105,21 @@ XGetDeviceMotionEvents(
- SyncHandle();
- return (NULL);
- }
-- size = rep.length << 2;
-- size2 = rep.nEvents * (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int)));
-- savp = readp = (int *)Xmalloc(size);
-- bufp = (int *)Xmalloc(size2);
-+ if (rep.length < (INT_MAX >> 2)) {
-+ size = rep.length << 2;
-+ savp = readp = Xmalloc(size);
-+ } else {
-+ size = 0;
-+ savp = readp = NULL;
-+ }
-+ /* rep.axes is a CARD8, so assume max number of axes for bounds check */
-+ if (rep.nEvents <
-+ (INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int))))) {
-+ size_t bsize = rep.nEvents *
-+ (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int)));
-+ bufp = Xmalloc(bsize);
-+ } else
-+ bufp = NULL;
- if (!bufp || !savp) {
- Xfree(bufp);
- Xfree(savp);
---
-cgit v0.9.0.2-2-gbebe
diff --git a/x11/libXi/files/patch-src_XGetBMap.c b/x11/libXi/files/patch-src_XGetBMap.c
deleted file mode 100644
index d395088fb500..000000000000
--- a/x11/libXi/files/patch-src_XGetBMap.c
+++ /dev/null
@@ -1,61 +0,0 @@
-From f3e08e4fbe40016484ba795feecf1a742170ffc1 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 10 Mar 2013 06:26:52 +0000
-Subject: Stack buffer overflow in XGetDeviceButtonMapping() [CVE-2013-1998 1/3]
-
-We copy the entire reply sent by the server into the fixed size
-mapping[] array on the stack, even if the server says it's a larger
-size than the mapping array can hold. HULK SMASH STACK!
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
-diff --git a/src/XGetBMap.c b/src/XGetBMap.c
-index 211c9ca..002daba 100644
---- src/XGetBMap.c
-+++ src/XGetBMap.c
-@@ -60,6 +60,7 @@ SOFTWARE.
- #include <X11/extensions/XInput.h>
- #include <X11/extensions/extutil.h>
- #include "XIint.h"
-+#include <limits.h>
-
- #ifdef MIN /* some systems define this in <sys/param.h> */
- #undef MIN
-@@ -75,7 +76,6 @@ XGetDeviceButtonMapping(
- {
- int status = 0;
- unsigned char mapping[256]; /* known fixed size */
-- long nbytes;
- XExtDisplayInfo *info = XInput_find_display(dpy);
-
- register xGetDeviceButtonMappingReq *req;
-@@ -92,13 +92,18 @@ XGetDeviceButtonMapping(
-
- status = _XReply(dpy, (xReply *) & rep, 0, xFalse);
- if (status == 1) {
-- nbytes = (long)rep.length << 2;
-- _XRead(dpy, (char *)mapping, nbytes);
--
-- /* don't return more data than the user asked for. */
-- if (rep.nElts)
-- memcpy((char *)map, (char *)mapping, MIN((int)rep.nElts, nmap));
-- status = rep.nElts;
-+ if (rep.length <= (sizeof(mapping) >> 2)) {
-+ unsigned long nbytes = rep.length << 2;
-+ _XRead(dpy, (char *)mapping, nbytes);
-+
-+ /* don't return more data than the user asked for. */
-+ if (rep.nElts)
-+ memcpy(map, mapping, MIN((int)rep.nElts, nmap));
-+ status = rep.nElts;
-+ } else {
-+ _XEatDataWords(dpy, rep.length);
-+ status = 0;
-+ }
- } else
- status = 0;
- UnlockDisplay(dpy);
---
-cgit v0.9.0.2-2-gbebe
diff --git a/x11/libXi/files/patch-src_XGetDCtl.c b/x11/libXi/files/patch-src_XGetDCtl.c
deleted file mode 100644
index d93276c74c64..000000000000
--- a/x11/libXi/files/patch-src_XGetDCtl.c
+++ /dev/null
@@ -1,113 +0,0 @@
-From b0b13c12a8079a5a0e7f43b2b8983699057b2cec Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 10 Mar 2013 06:55:23 +0000
-Subject: integer overflow in XGetDeviceControl() [CVE-2013-1984 1/8]
-
-If the number of valuators reported by the server is large enough that
-it overflows when multiplied by the size of the appropriate struct, then
-memory corruption can occur when more bytes are copied from the X server
-reply than the size of the buffer we allocated to hold them.
-
-v2: check that reply size fits inside the data read from the server, so
-we don't read out of bounds either
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
-diff --git a/src/XGetDCtl.c b/src/XGetDCtl.c
-index f73a4e8..51ed0ae 100644
---- src/XGetDCtl.c
-+++ src/XGetDCtl.c
-@@ -61,6 +61,7 @@ SOFTWARE.
- #include <X11/extensions/XInput.h>
- #include <X11/extensions/extutil.h>
- #include "XIint.h"
-+#include <limits.h>
-
- XDeviceControl *
- XGetDeviceControl(
-@@ -68,8 +69,6 @@ XGetDeviceControl(
- XDevice *dev,
- int control)
- {
-- int size = 0;
-- int nbytes, i;
- XDeviceControl *Device = NULL;
- XDeviceControl *Sav = NULL;
- xDeviceState *d = NULL;
-@@ -92,8 +91,12 @@ XGetDeviceControl(
- goto out;
-
- if (rep.length > 0) {
-- nbytes = (long)rep.length << 2;
-- d = (xDeviceState *) Xmalloc((unsigned)nbytes);
-+ unsigned long nbytes;
-+ size_t size = 0;
-+ if (rep.length < (INT_MAX >> 2)) {
-+ nbytes = (unsigned long) rep.length << 2;
-+ d = Xmalloc(nbytes);
-+ }
- if (!d) {
- _XEatDataWords(dpy, rep.length);
- goto out;
-@@ -111,33 +114,46 @@ XGetDeviceControl(
- case DEVICE_RESOLUTION:
- {
- xDeviceResolutionState *r;
-+ size_t val_size;
-
- r = (xDeviceResolutionState *) d;
-- size += sizeof(XDeviceResolutionState) +
-- (3 * sizeof(int) * r->num_valuators);
-+ if (r->num_valuators >= (INT_MAX / (3 * sizeof(int))))
-+ goto out;
-+ val_size = 3 * sizeof(int) * r->num_valuators;
-+ if ((sizeof(xDeviceResolutionState) + val_size) > nbytes)
-+ goto out;
-+ size += sizeof(XDeviceResolutionState) + val_size;
- break;
- }
- case DEVICE_ABS_CALIB:
- {
-+ if (sizeof(xDeviceAbsCalibState) > nbytes)
-+ goto out;
- size += sizeof(XDeviceAbsCalibState);
- break;
- }
- case DEVICE_ABS_AREA:
- {
-+ if (sizeof(xDeviceAbsAreaState) > nbytes)
-+ goto out;
- size += sizeof(XDeviceAbsAreaState);
- break;
- }
- case DEVICE_CORE:
- {
-+ if (sizeof(xDeviceCoreState) > nbytes)
-+ goto out;
- size += sizeof(XDeviceCoreState);
- break;
- }
- default:
-+ if (d->length > nbytes)
-+ goto out;
- size += d->length;
- break;
- }
-
-- Device = (XDeviceControl *) Xmalloc((unsigned)size);
-+ Device = Xmalloc(size);
- if (!Device)
- goto out;
-
-@@ -150,6 +166,7 @@ XGetDeviceControl(
- int *iptr, *iptr2;
- xDeviceResolutionState *r;
- XDeviceResolutionState *R;
-+ unsigned int i;
-
- r = (xDeviceResolutionState *) d;
- R = (XDeviceResolutionState *) Device;
---
-cgit v0.9.0.2-2-gbebe
diff --git a/x11/libXi/files/patch-src_XGetDProp.c b/x11/libXi/files/patch-src_XGetDProp.c
deleted file mode 100644
index 7ad4e6d9a282..000000000000
--- a/x11/libXi/files/patch-src_XGetDProp.c
+++ /dev/null
@@ -1,126 +0,0 @@
-From 17071c1c608247800b2ca03a35b1fcc9c4cabe6c Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 10 Mar 2013 20:30:55 +0000
-Subject: Avoid integer overflow in XGetDeviceProperties() [CVE-2013-1984 7/8]
-
-If the number of items as reported by the Xserver is too large, it
-could overflow the calculation for the size of the buffer to copy the
-reply into, causing memory corruption.
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
---- src/XGetDProp.c.orig 2010-09-07 05:21:05.000000000 +0000
-+++ src/XGetDProp.c 2013-05-29 16:46:04.000000000 +0000
-@@ -38,6 +38,7 @@ in this Software without prior written a
- #include <X11/extensions/XInput.h>
- #include <X11/extensions/extutil.h>
- #include "XIint.h"
-+#include <limits.h>
-
- int
- XGetDeviceProperty(Display* dpy, XDevice* dev,
-@@ -48,7 +49,8 @@ XGetDeviceProperty(Display* dpy, XDevice
- {
- xGetDevicePropertyReq *req;
- xGetDevicePropertyReply rep;
-- long nbytes, rbytes;
-+ unsigned long nbytes, rbytes;
-+ int ret = Success;
-
- XExtDisplayInfo *info = XInput_find_display(dpy);
-
-@@ -81,30 +83,43 @@ XGetDeviceProperty(Display* dpy, XDevice
- * data, but this last byte is null terminated and convenient for
- * returning string properties, so the client doesn't then have to
- * recopy the string to make it null terminated.
-+ *
-+ * Maximum item limits are set to both prevent integer overflow when
-+ * calculating the amount of memory to malloc, and to limit how much
-+ * memory will be used if a server provides an insanely high count.
- */
- switch (rep.format) {
- case 8:
-- nbytes = rep.nItems;
-- rbytes = rep.nItems + 1;
-- if (rbytes > 0 &&
-- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
-- _XReadPad (dpy, (char *) *prop, nbytes);
-+ if (rep.nItems < INT_MAX) {
-+ nbytes = rep.nItems;
-+ rbytes = rep.nItems + 1;
-+ if ((*prop = Xmalloc (rbytes)))
-+ _XReadPad (dpy, (char *) *prop, nbytes);
-+ else
-+ ret = BadAlloc;
-+ }
- break;
-
- case 16:
-- nbytes = rep.nItems << 1;
-- rbytes = rep.nItems * sizeof (short) + 1;
-- if (rbytes > 0 &&
-- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
-- _XRead16Pad (dpy, (short *) *prop, nbytes);
-+ if (rep.nItems < (INT_MAX / sizeof (short))) {
-+ nbytes = rep.nItems << 1;
-+ rbytes = rep.nItems * sizeof (short) + 1;
-+ if ((*prop = Xmalloc (rbytes)))
-+ _XRead16Pad (dpy, (short *) *prop, nbytes);
-+ else
-+ ret = BadAlloc;
-+ }
- break;
-
- case 32:
-- nbytes = rep.nItems << 2;
-- rbytes = rep.nItems * sizeof (long) + 1;
-- if (rbytes > 0 &&
-- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
-- _XRead32 (dpy, (long *) *prop, nbytes);
-+ if (rep.nItems < (INT_MAX / sizeof (long))) {
-+ nbytes = rep.nItems << 2;
-+ rbytes = rep.nItems * sizeof (long) + 1;
-+ if ((*prop = Xmalloc (rbytes)))
-+ _XRead32 (dpy, (long *) *prop, nbytes);
-+ else
-+ ret = BadAlloc;
-+ }
- break;
-
- default:
-@@ -112,17 +127,13 @@ XGetDeviceProperty(Display* dpy, XDevice
- * This part of the code should never be reached. If it is,
- * the server sent back a property with an invalid format.
- */
-- nbytes = rep.length << 2;
-- _XEatData(dpy, (unsigned long) nbytes);
-- UnlockDisplay(dpy);
-- SyncHandle();
-- return(BadImplementation);
-+ ret = BadImplementation;
- }
- if (! *prop) {
-- _XEatData(dpy, (unsigned long) nbytes);
-- UnlockDisplay(dpy);
-- SyncHandle();
-- return(BadAlloc);
-+ _XEatDataWords(dpy, rep.length);
-+ if (ret == Success)
-+ ret = BadAlloc;
-+ goto out;
- }
- (*prop)[rbytes - 1] = '\0';
- }
-@@ -131,9 +142,10 @@ XGetDeviceProperty(Display* dpy, XDevice
- *actual_format = rep.format;
- *nitems = rep.nItems;
- *bytes_after = rep.bytesAfter;
-+ out:
- UnlockDisplay (dpy);
- SyncHandle ();
-
-- return Success;
-+ return ret;
- }
-
diff --git a/x11/libXi/files/patch-src_XGetFCtl.c b/x11/libXi/files/patch-src_XGetFCtl.c
deleted file mode 100644
index 6c9949b61446..000000000000
--- a/x11/libXi/files/patch-src_XGetFCtl.c
+++ /dev/null
@@ -1,94 +0,0 @@
-From 322ee3576789380222d4403366e4fd12fb24cb6a Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 10 Mar 2013 06:55:23 +0000
-Subject: integer overflow in XGetFeedbackControl() [CVE-2013-1984 2/8]
-
-If the number of feedbacks reported by the server is large enough that
-it overflows when multiplied by the size of the appropriate struct, or
-if the total size of all the feedback structures overflows when added
-together, then memory corruption can occur when more bytes are copied from
-the X server reply than the size of the buffer we allocated to hold them.
-
-v2: check that reply size fits inside the data read from the server, so
- we don't read out of bounds either
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
-diff --git a/src/XGetFCtl.c b/src/XGetFCtl.c
-index 28fab4d..bb50bf3 100644
---- src/XGetFCtl.c
-+++ src/XGetFCtl.c
-@@ -61,6 +61,7 @@ SOFTWARE.
- #include <X11/extensions/XInput.h>
- #include <X11/extensions/extutil.h>
- #include "XIint.h"
-+#include <limits.h>
-
- XFeedbackState *
- XGetFeedbackControl(
-@@ -68,8 +69,6 @@ XGetFeedbackControl(
- XDevice *dev,
- int *num_feedbacks)
- {
-- int size = 0;
-- int nbytes, i;
- XFeedbackState *Feedback = NULL;
- XFeedbackState *Sav = NULL;
- xFeedbackState *f = NULL;
-@@ -91,9 +90,16 @@ XGetFeedbackControl(
- goto out;
-
- if (rep.length > 0) {
-+ unsigned long nbytes;
-+ size_t size = 0;
-+ int i;
-+
- *num_feedbacks = rep.num_feedbacks;
-- nbytes = (long)rep.length << 2;
-- f = (xFeedbackState *) Xmalloc((unsigned)nbytes);
-+
-+ if (rep.length < (INT_MAX >> 2)) {
-+ nbytes = rep.length << 2;
-+ f = Xmalloc(nbytes);
-+ }
- if (!f) {
- _XEatDataWords(dpy, rep.length);
- goto out;
-@@ -102,6 +108,10 @@ XGetFeedbackControl(
- _XRead(dpy, (char *)f, nbytes);
-
- for (i = 0; i < *num_feedbacks; i++) {
-+ if (f->length > nbytes)
-+ goto out;
-+ nbytes -= f->length;
-+
- switch (f->class) {
- case KbdFeedbackClass:
- size += sizeof(XKbdFeedbackState);
-@@ -116,6 +126,8 @@ XGetFeedbackControl(
- {
- xStringFeedbackState *strf = (xStringFeedbackState *) f;
-
-+ if (strf->num_syms_supported >= (INT_MAX / sizeof(KeySym)))
-+ goto out;
- size += sizeof(XStringFeedbackState) +
- (strf->num_syms_supported * sizeof(KeySym));
- }
-@@ -130,10 +142,12 @@ XGetFeedbackControl(
- size += f->length;
- break;
- }
-+ if (size > INT_MAX)
-+ goto out;
- f = (xFeedbackState *) ((char *)f + f->length);
- }
-
-- Feedback = (XFeedbackState *) Xmalloc((unsigned)size);
-+ Feedback = Xmalloc(size);
- if (!Feedback)
- goto out;
-
---
-cgit v0.9.0.2-2-gbebe
diff --git a/x11/libXi/files/patch-src_XGetProp.c b/x11/libXi/files/patch-src_XGetProp.c
deleted file mode 100644
index 8049cf6fd4bc..000000000000
--- a/x11/libXi/files/patch-src_XGetProp.c
+++ /dev/null
@@ -1,53 +0,0 @@
-From 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 10 Mar 2013 06:55:23 +0000
-Subject: integer overflow in XGetDeviceDontPropagateList() [CVE-2013-1984 3/8]
-
-If the number of event classes reported by the server is large enough
-that it overflows when multiplied by the size of the appropriate struct,
-then memory corruption can occur when more bytes are copied from the
-X server reply than the size of the buffer we allocated to hold them.
-
-V2: EatData if count is 0 but length is > 0 to avoid XIOErrors
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
-(limited to 'src/XGetProp.c')
-
---- src/XGetProp.c.orig 2011-12-20 00:28:44.000000000 +0000
-+++ src/XGetProp.c 2013-05-29 16:49:01.000000000 +0000
-@@ -60,6 +60,7 @@ SOFTWARE.
- #include <X11/extensions/XInput.h>
- #include <X11/extensions/extutil.h>
- #include "XIint.h"
-+#include <limits.h>
-
- XEventClass *
- XGetDeviceDontPropagateList(
-@@ -89,11 +90,11 @@ XGetDeviceDontPropagateList(
- }
- *count = rep.count;
-
-- if (*count) {
-- rlen = rep.length << 2;
-- list = (XEventClass *) Xmalloc(rep.length * sizeof(XEventClass));
-+ if (rep.length != 0) {
-+ if ((rep.count != 0) && (rep.length < (INT_MAX / sizeof(XEventClass))))
-+ list = Xmalloc(rep.length * sizeof(XEventClass));
- if (list) {
-- int i;
-+ unsigned int i;
- CARD32 ec;
-
- /* read and assign each XEventClass separately because
-@@ -105,7 +106,7 @@ XGetDeviceDontPropagateList(
- list[i] = (XEventClass) ec;
- }
- } else
-- _XEatData(dpy, (unsigned long)rlen);
-+ _XEatDataWords(dpy, rep.length);
- }
-
- UnlockDisplay(dpy);
diff --git a/x11/libXi/files/patch-src_XIPassiveGrab.c b/x11/libXi/files/patch-src_XIPassiveGrab.c
deleted file mode 100644
index b41d9f4b15a3..000000000000
--- a/x11/libXi/files/patch-src_XIPassiveGrab.c
+++ /dev/null
@@ -1,27 +0,0 @@
-From 91434737f592e8f5cc1762383882a582b55fc03a Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 10 Mar 2013 07:37:23 +0000
-Subject: memory corruption in _XIPassiveGrabDevice() [CVE-2013-1998 2/3]
-
-If the server returned more modifiers than the caller asked for,
-we'd just keep copying past the end of the array provided by the
-caller, writing over who-knows-what happened to be there.
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
-diff --git a/src/XIPassiveGrab.c b/src/XIPassiveGrab.c
-index ac17c01..53b4084 100644
---- src/XIPassiveGrab.c
-+++ src/XIPassiveGrab.c
-@@ -88,7 +88,7 @@ _XIPassiveGrabDevice(Display* dpy, int deviceid, int grabtype, int detail,
- return -1;
- _XRead(dpy, (char*)failed_mods, reply.num_modifiers * sizeof(xXIGrabModifierInfo));
-
-- for (i = 0; i < reply.num_modifiers; i++)
-+ for (i = 0; i < reply.num_modifiers && i < num_modifiers; i++)
- {
- modifiers_inout[i].status = failed_mods[i].status;
- modifiers_inout[i].modifiers = failed_mods[i].modifiers;
---
-cgit v0.9.0.2-2-gbebe
diff --git a/x11/libXi/files/patch-src_XIProperties.c b/x11/libXi/files/patch-src_XIProperties.c
deleted file mode 100644
index 4d62f1962984..000000000000
--- a/x11/libXi/files/patch-src_XIProperties.c
+++ /dev/null
@@ -1,52 +0,0 @@
-From 242f92b490a695fbab244af5bad11b71f897c732 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 10 Mar 2013 06:55:23 +0000
-Subject: integer overflow in XIGetProperty() [CVE-2013-1984 5/8]
-
-If the number of items reported by the server is large enough that
-it overflows when multiplied by the size of the appropriate item type,
-then memory corruption can occur when more bytes are copied from the
-X server reply than the size of the buffer we allocated to hold them.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
-diff --git a/src/XIProperties.c b/src/XIProperties.c
-index 5e58fb6..32436d1 100644
---- src/XIProperties.c
-+++ src/XIProperties.c
-@@ -38,6 +38,7 @@
- #include <X11/extensions/XInput2.h>
- #include <X11/extensions/extutil.h>
- #include "XIint.h"
-+#include <limits.h>
-
- Atom*
- XIListProperties(Display* dpy, int deviceid, int *num_props_return)
-@@ -170,7 +171,7 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset,
- {
- xXIGetPropertyReq *req;
- xXIGetPropertyReply rep;
-- long nbytes, rbytes;
-+ unsigned long nbytes, rbytes;
-
- XExtDisplayInfo *info = XInput_find_display(dpy);
-
-@@ -216,9 +217,11 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset,
- * recopy the string to make it null terminated.
- */
-
-- nbytes = rep.num_items * rep.format/8;
-- rbytes = nbytes + 1;
-- *data = Xmalloc(rbytes);
-+ if (rep.num_items < (INT_MAX / (rep.format/8))) {
-+ nbytes = rep.num_items * rep.format/8;
-+ rbytes = nbytes + 1;
-+ *data = Xmalloc(rbytes);
-+ }
-
- if (!(*data)) {
- _XEatDataWords(dpy, rep.length);
---
-cgit v0.9.0.2-2-gbebe
diff --git a/x11/libXi/files/patch-src_XISelEv.c b/x11/libXi/files/patch-src_XISelEv.c
deleted file mode 100644
index c86656f2cfb7..000000000000
--- a/x11/libXi/files/patch-src_XISelEv.c
+++ /dev/null
@@ -1,85 +0,0 @@
-From 528419b9ef437e7eeafb41bf45e8ff7d818bd845 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 10 Mar 2013 06:55:23 +0000
-Subject: integer overflow in XIGetSelectedEvents() [CVE-2013-1984 6/8]
-
-If the number of events or masks reported by the server is large enough
-that it overflows when multiplied by the size of the appropriate struct,
-or the sizes overflow as they are totaled up, then memory corruption can
-occur when more bytes are copied from the X server reply than the size
-of the buffer we allocated to hold them.
-
-v2: check that reply size fits inside the data read from the server,
- so that we don't read out of bounds either
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
-diff --git a/src/XISelEv.c b/src/XISelEv.c
-index f871222..0471bef 100644
---- src/XISelEv.c
-+++ src/XISelEv.c
-@@ -42,6 +42,7 @@ in this Software without prior written authorization from the author.
- #include <X11/extensions/ge.h>
- #include <X11/extensions/geproto.h>
- #include "XIint.h"
-+#include <limits.h>
-
- int
- XISelectEvents(Display* dpy, Window win, XIEventMask* masks, int num_masks)
-@@ -101,13 +102,14 @@ out:
- XIEventMask*
- XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return)
- {
-- int i, len = 0;
-+ unsigned int i, len = 0;
- unsigned char *mask;
- XIEventMask *mask_out = NULL;
- xXIEventMask *mask_in = NULL, *mi;
- xXIGetSelectedEventsReq *req;
- xXIGetSelectedEventsReply reply;
- XExtDisplayInfo *info = XInput_find_display(dpy);
-+ size_t rbytes;
-
- *num_masks_return = -1;
- LockDisplay(dpy);
-@@ -129,11 +131,16 @@ XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return)
- goto out;
- }
-
-- mask_in = Xmalloc(reply.length * 4);
-- if (!mask_in)
-+ if (reply.length < (INT_MAX >> 2)) {
-+ rbytes = (unsigned long) reply.length << 2;
-+ mask_in = Xmalloc(rbytes);
-+ }
-+ if (!mask_in) {
-+ _XEatDataWords(dpy, reply.length);
- goto out;
-+ }
-
-- _XRead(dpy, (char*)mask_in, reply.length * 4);
-+ _XRead(dpy, (char*)mask_in, rbytes);
-
- /*
- * This function takes interleaved xXIEventMask structs & masks off
-@@ -148,8 +155,14 @@ XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return)
-
- for (i = 0, mi = mask_in; i < reply.num_masks; i++)
- {
-- len += mi->mask_len * 4;
-- mi = (xXIEventMask*)((char*)mi + mi->mask_len * 4);
-+ unsigned int mask_bytes = mi->mask_len * 4;
-+ len += mask_bytes;
-+ if (len > INT_MAX)
-+ goto out;
-+ if ((sizeof(xXIEventMask) + mask_bytes) > rbytes)
-+ goto out;
-+ rbytes -= (sizeof(xXIEventMask) + mask_bytes);
-+ mi = (xXIEventMask*)((char*)mi + mask_bytes);
- mi++;
- }
-
---
-cgit v0.9.0.2-2-gbebe
diff --git a/x11/libXi/files/patch-src_XListDev.c b/x11/libXi/files/patch-src_XListDev.c
deleted file mode 100644
index 8231e6b59089..000000000000
--- a/x11/libXi/files/patch-src_XListDev.c
+++ /dev/null
@@ -1,83 +0,0 @@
-From 81b4df8ac6aa1520c41c3526961014a6f115cc46 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 10 Mar 2013 08:16:22 +0000
-Subject: sign extension issue in XListInputDevices() [CVE-2013-1995]
-
-nptr is (signed) char, which can be negative, and will sign extend
-when added to the int size, which means size can be subtracted from,
-leading to allocating too small a buffer to hold the data being copied
-from the X server's reply.
-
-v2: check that string size fits inside the data read from the server,
- so that we don't read out of bounds either
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
-diff --git a/src/XListDev.c b/src/XListDev.c
-index 1c14b96..b85ff3c 100644
---- src/XListDev.c
-+++ src/XListDev.c
-@@ -73,7 +73,7 @@ static int pad_to_xid(int base_size)
- return ((base_size + padsize - 1)/padsize) * padsize;
- }
-
--static int
-+static size_t
- SizeClassInfo(xAnyClassPtr *any, int num_classes)
- {
- int size = 0;
-@@ -170,7 +170,7 @@ XListInputDevices(
- register Display *dpy,
- int *ndevices)
- {
-- int size;
-+ size_t size;
- xListInputDevicesReq *req;
- xListInputDevicesReply rep;
- xDeviceInfo *list, *slist = NULL;
-@@ -178,7 +178,7 @@ XListInputDevices(
- XDeviceInfo *clist = NULL;
- xAnyClassPtr any, sav_any;
- XAnyClassPtr Any;
-- char *nptr, *Nptr;
-+ unsigned char *nptr, *Nptr;
- int i;
- unsigned long rlen;
- XExtDisplayInfo *info = XInput_find_display(dpy);
-@@ -217,9 +217,12 @@ XListInputDevices(
- size += SizeClassInfo(&any, (int)list->num_classes);
- }
-
-- for (i = 0, nptr = (char *)any; i < *ndevices; i++) {
-+ Nptr = ((unsigned char *)list) + rlen + 1;
-+ for (i = 0, nptr = (unsigned char *)any; i < *ndevices; i++) {
- size += *nptr + 1;
- nptr += (*nptr + 1);
-+ if (nptr > Nptr)
-+ goto out;
- }
-
- clist = (XDeviceInfoPtr) Xmalloc(size);
-@@ -245,8 +248,8 @@ XListInputDevices(
- }
-
- clist = sclist;
-- nptr = (char *)any;
-- Nptr = (char *)Any;
-+ nptr = (unsigned char *)any;
-+ Nptr = (unsigned char *)Any;
- for (i = 0; i < *ndevices; i++, clist++) {
- clist->name = (char *)Nptr;
- memcpy(Nptr, nptr + 1, *nptr);
-@@ -256,6 +259,7 @@ XListInputDevices(
- }
- }
-
-+ out:
- XFree((char *)slist);
- UnlockDisplay(dpy);
- SyncHandle();
---
-cgit v0.9.0.2-2-gbebe
diff --git a/x11/libXi/files/patch-src_XQueryDv.c b/x11/libXi/files/patch-src_XQueryDv.c
deleted file mode 100644
index 23e60c2c278c..000000000000
--- a/x11/libXi/files/patch-src_XQueryDv.c
+++ /dev/null
@@ -1,63 +0,0 @@
-From 5398ac0797f7516f2c9b8f2869a6c6d071437352 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 27 Apr 2013 05:48:36 +0000
-Subject: unvalidated lengths in XQueryDeviceState() [CVE-2013-1998 3/3]
-
-If the lengths given for each class state in the reply add up to more
-than the rep.length, we could read past the end of the buffer allocated
-to hold the data read from the server.
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
-diff --git a/src/XQueryDv.c b/src/XQueryDv.c
-index 69c285b..3836777 100644
---- src/XQueryDv.c
-+++ src/XQueryDv.c
-@@ -59,6 +59,7 @@ SOFTWARE.
- #include <X11/extensions/XInput.h>
- #include <X11/extensions/extutil.h>
- #include "XIint.h"
-+#include <limits.h>
-
- XDeviceState *
- XQueryDeviceState(
-@@ -66,8 +67,8 @@ XQueryDeviceState(
- XDevice *dev)
- {
- int i, j;
-- int rlen;
-- int size = 0;
-+ unsigned long rlen;
-+ size_t size = 0;
- xQueryDeviceStateReq *req;
- xQueryDeviceStateReply rep;
- XDeviceState *state = NULL;
-@@ -87,9 +88,11 @@ XQueryDeviceState(
- if (!_XReply(dpy, (xReply *) & rep, 0, xFalse))
- goto out;
-
-- rlen = rep.length << 2;
-- if (rlen > 0) {
-- data = Xmalloc(rlen);
-+ if (rep.length > 0) {
-+ if (rep.length < (INT_MAX >> 2)) {
-+ rlen = (unsigned long) rep.length << 2;
-+ data = Xmalloc(rlen);
-+ }
- if (!data) {
- _XEatDataWords(dpy, rep.length);
- goto out;
-@@ -97,6 +100,10 @@ XQueryDeviceState(
- _XRead(dpy, data, rlen);
-
- for (i = 0, any = (XInputClass *) data; i < (int)rep.num_classes; i++) {
-+ if (any->length > rlen)
-+ goto out;
-+ rlen -= any->length;
-+
- switch (any->class) {
- case KeyClass:
- size += sizeof(XKeyState);
---
-cgit v0.9.0.2-2-gbebe