diff options
| author | zeising <zeising@FreeBSD.org> | 2013-06-05 03:31:29 +0800 |
|---|---|---|
| committer | zeising <zeising@FreeBSD.org> | 2013-06-05 03:31:29 +0800 |
| commit | 442ad832d5fd90880adaa0438bc6fc47b10d207b (patch) | |
| tree | b5553ea72e286d166ab601ab26b551eaadb9b1e9 /x11 | |
| parent | d165698a45f50cf55e3d4a80d867422aff7e8f36 (diff) | |
| download | freebsd-ports-gnome-442ad832d5fd90880adaa0438bc6fc47b10d207b.tar.gz freebsd-ports-gnome-442ad832d5fd90880adaa0438bc6fc47b10d207b.tar.zst freebsd-ports-gnome-442ad832d5fd90880adaa0438bc6fc47b10d207b.zip | |
Fix security issues in xorg client libraries.
Most libraries were updated to newer versions, in some cases patches
were backported instead.
Most notably, x11/libX11 was updated to 1.6.0
Security: CVE-2013-1981
CVE-2013-1982
CVE-2013-1983
CVE-2013-1984
CVE-2013-1985
CVE-2013-1986
CVE-2013-1987
CVE-2013-1988
CVE-2013-1989
CVE-2013-1990
CVE-2013-1991
CVE-2013-1992
CVE-2013-1993
CVE-2013-1994
CVE-2013-1995
CVE-2013-1996
CVE-2013-1997
CVE-2013-1998
CVE-2013-1999
CVE-2013-2000
CVE-2013-2001
CVE-2013-2002
CVE-2013-2003
CVE-2013-2004
CVE-2013-2005
CVE-2013-2062
CVE-2013-2063
CVE-2013-2064
CVE-2013-2066
Diffstat (limited to 'x11')
48 files changed, 1217 insertions, 72 deletions
diff --git a/x11/libX11/Makefile b/x11/libX11/Makefile index 5f0863957e50..a810c2fcb0ac 100644 --- a/x11/libX11/Makefile +++ b/x11/libX11/Makefile @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= libX11 -PORTVERSION= 1.5.0 +PORTVERSION= 1.6.0 PORTEPOCH= 1 CATEGORIES= x11 diff --git a/x11/libX11/distinfo b/x11/libX11/distinfo index 1c81e743e3b8..657b129d3a0c 100644 --- a/x11/libX11/distinfo +++ b/x11/libX11/distinfo @@ -1,2 +1,2 @@ -SHA256 (xorg/lib/libX11-1.5.0.tar.bz2) = c382efd7e92bfc3cef39a4b7f1ecf2744ba4414a705e3bc1e697f75502bd4d86 -SIZE (xorg/lib/libX11-1.5.0.tar.bz2) = 2322265 +SHA256 (xorg/lib/libX11-1.6.0.tar.bz2) = 53131412343ec252307fe14903deaf54c356f9414d72d49180c2091dcd7019fa +SIZE (xorg/lib/libX11-1.6.0.tar.bz2) = 2373718 diff --git a/x11/libX11/pkg-plist b/x11/libX11/pkg-plist index 30a0fa6103b6..336805d2f18c 100644 --- a/x11/libX11/pkg-plist +++ b/x11/libX11/pkg-plist @@ -94,15 +94,9 @@ lib/X11/locale/iso8859-9e/XLC_LOCALE lib/X11/locale/ja.JIS/Compose lib/X11/locale/ja.JIS/XI18N_OBJS lib/X11/locale/ja.JIS/XLC_LOCALE -lib/X11/locale/ja.S90/Compose -lib/X11/locale/ja.S90/XI18N_OBJS -lib/X11/locale/ja.S90/XLC_LOCALE lib/X11/locale/ja.SJIS/Compose lib/X11/locale/ja.SJIS/XI18N_OBJS lib/X11/locale/ja.SJIS/XLC_LOCALE -lib/X11/locale/ja.U90/Compose -lib/X11/locale/ja.U90/XI18N_OBJS -lib/X11/locale/ja.U90/XLC_LOCALE lib/X11/locale/ja/Compose lib/X11/locale/ja/XI18N_OBJS lib/X11/locale/ja/XLC_LOCALE @@ -234,9 +228,7 @@ libdata/pkgconfig/x11.pc @dirrm lib/X11/locale/ko_KR.UTF-8 @dirrm lib/X11/locale/ko @dirrm lib/X11/locale/ja_JP.UTF-8 -@dirrm lib/X11/locale/ja.U90 @dirrm lib/X11/locale/ja.SJIS -@dirrm lib/X11/locale/ja.S90 @dirrm lib/X11/locale/ja.JIS @dirrm lib/X11/locale/ja @dirrm lib/X11/locale/iso8859-9e diff --git a/x11/libXcursor/Makefile b/x11/libXcursor/Makefile index 0bbf537a8044..0ca8874d9eda 100644 --- a/x11/libXcursor/Makefile +++ b/x11/libXcursor/Makefile @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= libXcursor -PORTVERSION= 1.1.13 +PORTVERSION= 1.1.14 CATEGORIES= x11 MAINTAINER= x11@FreeBSD.org diff --git a/x11/libXcursor/distinfo b/x11/libXcursor/distinfo index 1fe7655141f3..5c656234e020 100644 --- a/x11/libXcursor/distinfo +++ b/x11/libXcursor/distinfo @@ -1,2 +1,2 @@ -SHA256 (xorg/lib/libXcursor-1.1.13.tar.bz2) = f78827de4a1b7ce8cceca24a9ab9d1b1d2f6a61362f505166ffc19b07c0bad8f -SIZE (xorg/lib/libXcursor-1.1.13.tar.bz2) = 302525 +SHA256 (xorg/lib/libXcursor-1.1.14.tar.bz2) = 9bc6acb21ca14da51bda5bc912c8955bc6e5e433f0ab00c5e8bef842596c33df +SIZE (xorg/lib/libXcursor-1.1.14.tar.bz2) = 311896 diff --git a/x11/libXext/Makefile b/x11/libXext/Makefile index 0f046e620cea..53af3f304c5f 100644 --- a/x11/libXext/Makefile +++ b/x11/libXext/Makefile @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= libXext -PORTVERSION= 1.3.1 +PORTVERSION= 1.3.2 PORTEPOCH= 1 CATEGORIES= x11 diff --git a/x11/libXext/distinfo b/x11/libXext/distinfo index 62e30f6f288b..9adb5b34a857 100644 --- a/x11/libXext/distinfo +++ b/x11/libXext/distinfo @@ -1,2 +1,2 @@ -SHA256 (xorg/lib/libXext-1.3.1.tar.bz2) = 56229c617eb7bfd6dec40d2805bc4dfb883dfe80f130d99b9a2beb632165e859 -SIZE (xorg/lib/libXext-1.3.1.tar.bz2) = 372728 +SHA256 (xorg/lib/libXext-1.3.2.tar.bz2) = f829075bc646cdc085fa25d98d5885d83b1759ceb355933127c257e8e50432e0 +SIZE (xorg/lib/libXext-1.3.2.tar.bz2) = 378901 diff --git a/x11/libXfixes/Makefile b/x11/libXfixes/Makefile index 35aacb4f6a04..c47b7fef96e7 100644 --- a/x11/libXfixes/Makefile +++ b/x11/libXfixes/Makefile @@ -2,8 +2,7 @@ # $FreeBSD$ PORTNAME= libXfixes -PORTVERSION= 5.0 -PORTREVISION= 2 +PORTVERSION= 5.0.1 CATEGORIES= x11 MAINTAINER= x11@FreeBSD.org diff --git a/x11/libXfixes/distinfo b/x11/libXfixes/distinfo index e9cd526ca9c9..963d614c26da 100644 --- a/x11/libXfixes/distinfo +++ b/x11/libXfixes/distinfo @@ -1,2 +1,2 @@ -SHA256 (xorg/lib/libXfixes-5.0.tar.bz2) = 537a2446129242737a35db40081be4bbcc126e56c03bf5f2b142b10a79cda2e3 -SIZE (xorg/lib/libXfixes-5.0.tar.bz2) = 253777 +SHA256 (xorg/lib/libXfixes-5.0.1.tar.bz2) = 63bec085084fa3caaee5180490dd871f1eb2020ba9e9b39a30f93693ffc34767 +SIZE (xorg/lib/libXfixes-5.0.1.tar.bz2) = 291978 diff --git a/x11/libXi/Makefile b/x11/libXi/Makefile index b36c6f4c4220..81b66525f9c9 100644 --- a/x11/libXi/Makefile +++ b/x11/libXi/Makefile @@ -3,6 +3,7 @@ PORTNAME= libXi PORTVERSION= 1.7.1 +PORTREVISION= 1 PORTEPOCH= 1 CATEGORIES= x11 diff --git a/x11/libXi/files/patch-src_XGMotion.c b/x11/libXi/files/patch-src_XGMotion.c new file mode 100644 index 000000000000..4902168a6023 --- /dev/null +++ b/x11/libXi/files/patch-src_XGMotion.c @@ -0,0 +1,63 @@ +From bb922ed4253b35590f0369f32a917ff89ade0830 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sun, 10 Mar 2013 06:55:23 +0000 +Subject: integer overflow in XGetDeviceMotionEvents() [CVE-2013-1984 4/8] + +If the number of events or axes reported by the server is large enough +that it overflows when multiplied by the size of the appropriate struct, +then memory corruption can occur when more bytes are copied from the +X server reply than the size of the buffer we allocated to hold them. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- +diff --git a/src/XGMotion.c b/src/XGMotion.c +index 5feac85..a4c75b6 100644 +--- src/XGMotion.c ++++ src/XGMotion.c +@@ -59,6 +59,7 @@ SOFTWARE. + #include <X11/extensions/XInput.h> + #include <X11/extensions/extutil.h> + #include "XIint.h" ++#include <limits.h> + + XDeviceTimeCoord * + XGetDeviceMotionEvents( +@@ -74,7 +75,7 @@ XGetDeviceMotionEvents( + xGetDeviceMotionEventsReply rep; + XDeviceTimeCoord *tc; + int *data, *bufp, *readp, *savp; +- long size, size2; ++ unsigned long size; + int i, j; + XExtDisplayInfo *info = XInput_find_display(dpy); + +@@ -104,10 +105,21 @@ XGetDeviceMotionEvents( + SyncHandle(); + return (NULL); + } +- size = rep.length << 2; +- size2 = rep.nEvents * (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int))); +- savp = readp = (int *)Xmalloc(size); +- bufp = (int *)Xmalloc(size2); ++ if (rep.length < (INT_MAX >> 2)) { ++ size = rep.length << 2; ++ savp = readp = Xmalloc(size); ++ } else { ++ size = 0; ++ savp = readp = NULL; ++ } ++ /* rep.axes is a CARD8, so assume max number of axes for bounds check */ ++ if (rep.nEvents < ++ (INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int))))) { ++ size_t bsize = rep.nEvents * ++ (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int))); ++ bufp = Xmalloc(bsize); ++ } else ++ bufp = NULL; + if (!bufp || !savp) { + Xfree(bufp); + Xfree(savp); +-- +cgit v0.9.0.2-2-gbebe diff --git a/x11/libXi/files/patch-src_XGetBMap.c b/x11/libXi/files/patch-src_XGetBMap.c new file mode 100644 index 000000000000..d395088fb500 --- /dev/null +++ b/x11/libXi/files/patch-src_XGetBMap.c @@ -0,0 +1,61 @@ +From f3e08e4fbe40016484ba795feecf1a742170ffc1 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sun, 10 Mar 2013 06:26:52 +0000 +Subject: Stack buffer overflow in XGetDeviceButtonMapping() [CVE-2013-1998 1/3] + +We copy the entire reply sent by the server into the fixed size +mapping[] array on the stack, even if the server says it's a larger +size than the mapping array can hold. HULK SMASH STACK! + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- +diff --git a/src/XGetBMap.c b/src/XGetBMap.c +index 211c9ca..002daba 100644 +--- src/XGetBMap.c ++++ src/XGetBMap.c +@@ -60,6 +60,7 @@ SOFTWARE. + #include <X11/extensions/XInput.h> + #include <X11/extensions/extutil.h> + #include "XIint.h" ++#include <limits.h> + + #ifdef MIN /* some systems define this in <sys/param.h> */ + #undef MIN +@@ -75,7 +76,6 @@ XGetDeviceButtonMapping( + { + int status = 0; + unsigned char mapping[256]; /* known fixed size */ +- long nbytes; + XExtDisplayInfo *info = XInput_find_display(dpy); + + register xGetDeviceButtonMappingReq *req; +@@ -92,13 +92,18 @@ XGetDeviceButtonMapping( + + status = _XReply(dpy, (xReply *) & rep, 0, xFalse); + if (status == 1) { +- nbytes = (long)rep.length << 2; +- _XRead(dpy, (char *)mapping, nbytes); +- +- /* don't return more data than the user asked for. */ +- if (rep.nElts) +- memcpy((char *)map, (char *)mapping, MIN((int)rep.nElts, nmap)); +- status = rep.nElts; ++ if (rep.length <= (sizeof(mapping) >> 2)) { ++ unsigned long nbytes = rep.length << 2; ++ _XRead(dpy, (char *)mapping, nbytes); ++ ++ /* don't return more data than the user asked for. */ ++ if (rep.nElts) ++ memcpy(map, mapping, MIN((int)rep.nElts, nmap)); ++ status = rep.nElts; ++ } else { ++ _XEatDataWords(dpy, rep.length); ++ status = 0; ++ } + } else + status = 0; + UnlockDisplay(dpy); +-- +cgit v0.9.0.2-2-gbebe diff --git a/x11/libXi/files/patch-src_XGetDCtl.c b/x11/libXi/files/patch-src_XGetDCtl.c new file mode 100644 index 000000000000..d93276c74c64 --- /dev/null +++ b/x11/libXi/files/patch-src_XGetDCtl.c @@ -0,0 +1,113 @@ +From b0b13c12a8079a5a0e7f43b2b8983699057b2cec Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sun, 10 Mar 2013 06:55:23 +0000 +Subject: integer overflow in XGetDeviceControl() [CVE-2013-1984 1/8] + +If the number of valuators reported by the server is large enough that +it overflows when multiplied by the size of the appropriate struct, then +memory corruption can occur when more bytes are copied from the X server +reply than the size of the buffer we allocated to hold them. + +v2: check that reply size fits inside the data read from the server, so +we don't read out of bounds either + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- +diff --git a/src/XGetDCtl.c b/src/XGetDCtl.c +index f73a4e8..51ed0ae 100644 +--- src/XGetDCtl.c ++++ src/XGetDCtl.c +@@ -61,6 +61,7 @@ SOFTWARE. + #include <X11/extensions/XInput.h> + #include <X11/extensions/extutil.h> + #include "XIint.h" ++#include <limits.h> + + XDeviceControl * + XGetDeviceControl( +@@ -68,8 +69,6 @@ XGetDeviceControl( + XDevice *dev, + int control) + { +- int size = 0; +- int nbytes, i; + XDeviceControl *Device = NULL; + XDeviceControl *Sav = NULL; + xDeviceState *d = NULL; +@@ -92,8 +91,12 @@ XGetDeviceControl( + goto out; + + if (rep.length > 0) { +- nbytes = (long)rep.length << 2; +- d = (xDeviceState *) Xmalloc((unsigned)nbytes); ++ unsigned long nbytes; ++ size_t size = 0; ++ if (rep.length < (INT_MAX >> 2)) { ++ nbytes = (unsigned long) rep.length << 2; ++ d = Xmalloc(nbytes); ++ } + if (!d) { + _XEatDataWords(dpy, rep.length); + goto out; +@@ -111,33 +114,46 @@ XGetDeviceControl( + case DEVICE_RESOLUTION: + { + xDeviceResolutionState *r; ++ size_t val_size; + + r = (xDeviceResolutionState *) d; +- size += sizeof(XDeviceResolutionState) + +- (3 * sizeof(int) * r->num_valuators); ++ if (r->num_valuators >= (INT_MAX / (3 * sizeof(int)))) ++ goto out; ++ val_size = 3 * sizeof(int) * r->num_valuators; ++ if ((sizeof(xDeviceResolutionState) + val_size) > nbytes) ++ goto out; ++ size += sizeof(XDeviceResolutionState) + val_size; + break; + } + case DEVICE_ABS_CALIB: + { ++ if (sizeof(xDeviceAbsCalibState) > nbytes) ++ goto out; + size += sizeof(XDeviceAbsCalibState); + break; + } + case DEVICE_ABS_AREA: + { ++ if (sizeof(xDeviceAbsAreaState) > nbytes) ++ goto out; + size += sizeof(XDeviceAbsAreaState); + break; + } + case DEVICE_CORE: + { ++ if (sizeof(xDeviceCoreState) > nbytes) ++ goto out; + size += sizeof(XDeviceCoreState); + break; + } + default: ++ if (d->length > nbytes) ++ goto out; + size += d->length; + break; + } + +- Device = (XDeviceControl *) Xmalloc((unsigned)size); ++ Device = Xmalloc(size); + if (!Device) + goto out; + +@@ -150,6 +166,7 @@ XGetDeviceControl( + int *iptr, *iptr2; + xDeviceResolutionState *r; + XDeviceResolutionState *R; ++ unsigned int i; + + r = (xDeviceResolutionState *) d; + R = (XDeviceResolutionState *) Device; +-- +cgit v0.9.0.2-2-gbebe diff --git a/x11/libXi/files/patch-src_XGetDProp.c b/x11/libXi/files/patch-src_XGetDProp.c new file mode 100644 index 000000000000..7ad4e6d9a282 --- /dev/null +++ b/x11/libXi/files/patch-src_XGetDProp.c @@ -0,0 +1,126 @@ +From 17071c1c608247800b2ca03a35b1fcc9c4cabe6c Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sun, 10 Mar 2013 20:30:55 +0000 +Subject: Avoid integer overflow in XGetDeviceProperties() [CVE-2013-1984 7/8] + +If the number of items as reported by the Xserver is too large, it +could overflow the calculation for the size of the buffer to copy the +reply into, causing memory corruption. + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- +--- src/XGetDProp.c.orig 2010-09-07 05:21:05.000000000 +0000 ++++ src/XGetDProp.c 2013-05-29 16:46:04.000000000 +0000 +@@ -38,6 +38,7 @@ in this Software without prior written a + #include <X11/extensions/XInput.h> + #include <X11/extensions/extutil.h> + #include "XIint.h" ++#include <limits.h> + + int + XGetDeviceProperty(Display* dpy, XDevice* dev, +@@ -48,7 +49,8 @@ XGetDeviceProperty(Display* dpy, XDevice + { + xGetDevicePropertyReq *req; + xGetDevicePropertyReply rep; +- long nbytes, rbytes; ++ unsigned long nbytes, rbytes; ++ int ret = Success; + + XExtDisplayInfo *info = XInput_find_display(dpy); + +@@ -81,30 +83,43 @@ XGetDeviceProperty(Display* dpy, XDevice + * data, but this last byte is null terminated and convenient for + * returning string properties, so the client doesn't then have to + * recopy the string to make it null terminated. ++ * ++ * Maximum item limits are set to both prevent integer overflow when ++ * calculating the amount of memory to malloc, and to limit how much ++ * memory will be used if a server provides an insanely high count. + */ + switch (rep.format) { + case 8: +- nbytes = rep.nItems; +- rbytes = rep.nItems + 1; +- if (rbytes > 0 && +- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) +- _XReadPad (dpy, (char *) *prop, nbytes); ++ if (rep.nItems < INT_MAX) { ++ nbytes = rep.nItems; ++ rbytes = rep.nItems + 1; ++ if ((*prop = Xmalloc (rbytes))) ++ _XReadPad (dpy, (char *) *prop, nbytes); ++ else ++ ret = BadAlloc; ++ } + break; + + case 16: +- nbytes = rep.nItems << 1; +- rbytes = rep.nItems * sizeof (short) + 1; +- if (rbytes > 0 && +- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) +- _XRead16Pad (dpy, (short *) *prop, nbytes); ++ if (rep.nItems < (INT_MAX / sizeof (short))) { ++ nbytes = rep.nItems << 1; ++ rbytes = rep.nItems * sizeof (short) + 1; ++ if ((*prop = Xmalloc (rbytes))) ++ _XRead16Pad (dpy, (short *) *prop, nbytes); ++ else ++ ret = BadAlloc; ++ } + break; + + case 32: +- nbytes = rep.nItems << 2; +- rbytes = rep.nItems * sizeof (long) + 1; +- if (rbytes > 0 && +- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) +- _XRead32 (dpy, (long *) *prop, nbytes); ++ if (rep.nItems < (INT_MAX / sizeof (long))) { ++ nbytes = rep.nItems << 2; ++ rbytes = rep.nItems * sizeof (long) + 1; ++ if ((*prop = Xmalloc (rbytes))) ++ _XRead32 (dpy, (long *) *prop, nbytes); ++ else ++ ret = BadAlloc; ++ } + break; + + default: +@@ -112,17 +127,13 @@ XGetDeviceProperty(Display* dpy, XDevice + * This part of the code should never be reached. If it is, + * the server sent back a property with an invalid format. + */ +- nbytes = rep.length << 2; +- _XEatData(dpy, (unsigned long) nbytes); +- UnlockDisplay(dpy); +- SyncHandle(); +- return(BadImplementation); ++ ret = BadImplementation; + } + if (! *prop) { +- _XEatData(dpy, (unsigned long) nbytes); +- UnlockDisplay(dpy); +- SyncHandle(); +- return(BadAlloc); ++ _XEatDataWords(dpy, rep.length); ++ if (ret == Success) ++ ret = BadAlloc; ++ goto out; + } + (*prop)[rbytes - 1] = '\0'; + } +@@ -131,9 +142,10 @@ XGetDeviceProperty(Display* dpy, XDevice + *actual_format = rep.format; + *nitems = rep.nItems; + *bytes_after = rep.bytesAfter; ++ out: + UnlockDisplay (dpy); + SyncHandle (); + +- return Success; ++ return ret; + } + diff --git a/x11/libXi/files/patch-src_XGetFCtl.c b/x11/libXi/files/patch-src_XGetFCtl.c new file mode 100644 index 000000000000..6c9949b61446 --- /dev/null +++ b/x11/libXi/files/patch-src_XGetFCtl.c @@ -0,0 +1,94 @@ +From 322ee3576789380222d4403366e4fd12fb24cb6a Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sun, 10 Mar 2013 06:55:23 +0000 +Subject: integer overflow in XGetFeedbackControl() [CVE-2013-1984 2/8] + +If the number of feedbacks reported by the server is large enough that +it overflows when multiplied by the size of the appropriate struct, or +if the total size of all the feedback structures overflows when added +together, then memory corruption can occur when more bytes are copied from +the X server reply than the size of the buffer we allocated to hold them. + +v2: check that reply size fits inside the data read from the server, so + we don't read out of bounds either + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- +diff --git a/src/XGetFCtl.c b/src/XGetFCtl.c +index 28fab4d..bb50bf3 100644 +--- src/XGetFCtl.c ++++ src/XGetFCtl.c +@@ -61,6 +61,7 @@ SOFTWARE. + #include <X11/extensions/XInput.h> + #include <X11/extensions/extutil.h> + #include "XIint.h" ++#include <limits.h> + + XFeedbackState * + XGetFeedbackControl( +@@ -68,8 +69,6 @@ XGetFeedbackControl( + XDevice *dev, + int *num_feedbacks) + { +- int size = 0; +- int nbytes, i; + XFeedbackState *Feedback = NULL; + XFeedbackState *Sav = NULL; + xFeedbackState *f = NULL; +@@ -91,9 +90,16 @@ XGetFeedbackControl( + goto out; + + if (rep.length > 0) { ++ unsigned long nbytes; ++ size_t size = 0; ++ int i; ++ + *num_feedbacks = rep.num_feedbacks; +- nbytes = (long)rep.length << 2; +- f = (xFeedbackState *) Xmalloc((unsigned)nbytes); ++ ++ if (rep.length < (INT_MAX >> 2)) { ++ nbytes = rep.length << 2; ++ f = Xmalloc(nbytes); ++ } + if (!f) { + _XEatDataWords(dpy, rep.length); + goto out; +@@ -102,6 +108,10 @@ XGetFeedbackControl( + _XRead(dpy, (char *)f, nbytes); + + for (i = 0; i < *num_feedbacks; i++) { ++ if (f->length > nbytes) ++ goto out; ++ nbytes -= f->length; ++ + switch (f->class) { + case KbdFeedbackClass: + size += sizeof(XKbdFeedbackState); +@@ -116,6 +126,8 @@ XGetFeedbackControl( + { + xStringFeedbackState *strf = (xStringFeedbackState *) f; + ++ if (strf->num_syms_supported >= (INT_MAX / sizeof(KeySym))) ++ goto out; + size += sizeof(XStringFeedbackState) + + (strf->num_syms_supported * sizeof(KeySym)); + } +@@ -130,10 +142,12 @@ XGetFeedbackControl( + size += f->length; + break; + } ++ if (size > INT_MAX) ++ goto out; + f = (xFeedbackState *) ((char *)f + f->length); + } + +- Feedback = (XFeedbackState *) Xmalloc((unsigned)size); ++ Feedback = Xmalloc(size); + if (!Feedback) + goto out; + +-- +cgit v0.9.0.2-2-gbebe diff --git a/x11/libXi/files/patch-src_XGetProp.c b/x11/libXi/files/patch-src_XGetProp.c new file mode 100644 index 000000000000..8049cf6fd4bc --- /dev/null +++ b/x11/libXi/files/patch-src_XGetProp.c @@ -0,0 +1,53 @@ +From 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sun, 10 Mar 2013 06:55:23 +0000 +Subject: integer overflow in XGetDeviceDontPropagateList() [CVE-2013-1984 3/8] + +If the number of event classes reported by the server is large enough +that it overflows when multiplied by the size of the appropriate struct, +then memory corruption can occur when more bytes are copied from the +X server reply than the size of the buffer we allocated to hold them. + +V2: EatData if count is 0 but length is > 0 to avoid XIOErrors + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- +(limited to 'src/XGetProp.c') + +--- src/XGetProp.c.orig 2011-12-20 00:28:44.000000000 +0000 ++++ src/XGetProp.c 2013-05-29 16:49:01.000000000 +0000 +@@ -60,6 +60,7 @@ SOFTWARE. + #include <X11/extensions/XInput.h> + #include <X11/extensions/extutil.h> + #include "XIint.h" ++#include <limits.h> + + XEventClass * + XGetDeviceDontPropagateList( +@@ -89,11 +90,11 @@ XGetDeviceDontPropagateList( + } + *count = rep.count; + +- if (*count) { +- rlen = rep.length << 2; +- list = (XEventClass *) Xmalloc(rep.length * sizeof(XEventClass)); ++ if (rep.length != 0) { ++ if ((rep.count != 0) && (rep.length < (INT_MAX / sizeof(XEventClass)))) ++ list = Xmalloc(rep.length * sizeof(XEventClass)); + if (list) { +- int i; ++ unsigned int i; + CARD32 ec; + + /* read and assign each XEventClass separately because +@@ -105,7 +106,7 @@ XGetDeviceDontPropagateList( + list[i] = (XEventClass) ec; + } + } else +- _XEatData(dpy, (unsigned long)rlen); ++ _XEatDataWords(dpy, rep.length); + } + + UnlockDisplay(dpy); diff --git a/x11/libXi/files/patch-src_XIPassiveGrab.c b/x11/libXi/files/patch-src_XIPassiveGrab.c new file mode 100644 index 000000000000..b41d9f4b15a3 --- /dev/null +++ b/x11/libXi/files/patch-src_XIPassiveGrab.c @@ -0,0 +1,27 @@ +From 91434737f592e8f5cc1762383882a582b55fc03a Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sun, 10 Mar 2013 07:37:23 +0000 +Subject: memory corruption in _XIPassiveGrabDevice() [CVE-2013-1998 2/3] + +If the server returned more modifiers than the caller asked for, +we'd just keep copying past the end of the array provided by the +caller, writing over who-knows-what happened to be there. + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- +diff --git a/src/XIPassiveGrab.c b/src/XIPassiveGrab.c +index ac17c01..53b4084 100644 +--- src/XIPassiveGrab.c ++++ src/XIPassiveGrab.c +@@ -88,7 +88,7 @@ _XIPassiveGrabDevice(Display* dpy, int deviceid, int grabtype, int detail, + return -1; + _XRead(dpy, (char*)failed_mods, reply.num_modifiers * sizeof(xXIGrabModifierInfo)); + +- for (i = 0; i < reply.num_modifiers; i++) ++ for (i = 0; i < reply.num_modifiers && i < num_modifiers; i++) + { + modifiers_inout[i].status = failed_mods[i].status; + modifiers_inout[i].modifiers = failed_mods[i].modifiers; +-- +cgit v0.9.0.2-2-gbebe diff --git a/x11/libXi/files/patch-src_XIProperties.c b/x11/libXi/files/patch-src_XIProperties.c new file mode 100644 index 000000000000..4d62f1962984 --- /dev/null +++ b/x11/libXi/files/patch-src_XIProperties.c @@ -0,0 +1,52 @@ +From 242f92b490a695fbab244af5bad11b71f897c732 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sun, 10 Mar 2013 06:55:23 +0000 +Subject: integer overflow in XIGetProperty() [CVE-2013-1984 5/8] + +If the number of items reported by the server is large enough that +it overflows when multiplied by the size of the appropriate item type, +then memory corruption can occur when more bytes are copied from the +X server reply than the size of the buffer we allocated to hold them. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- +diff --git a/src/XIProperties.c b/src/XIProperties.c +index 5e58fb6..32436d1 100644 +--- src/XIProperties.c ++++ src/XIProperties.c +@@ -38,6 +38,7 @@ + #include <X11/extensions/XInput2.h> + #include <X11/extensions/extutil.h> + #include "XIint.h" ++#include <limits.h> + + Atom* + XIListProperties(Display* dpy, int deviceid, int *num_props_return) +@@ -170,7 +171,7 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset, + { + xXIGetPropertyReq *req; + xXIGetPropertyReply rep; +- long nbytes, rbytes; ++ unsigned long nbytes, rbytes; + + XExtDisplayInfo *info = XInput_find_display(dpy); + +@@ -216,9 +217,11 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset, + * recopy the string to make it null terminated. + */ + +- nbytes = rep.num_items * rep.format/8; +- rbytes = nbytes + 1; +- *data = Xmalloc(rbytes); ++ if (rep.num_items < (INT_MAX / (rep.format/8))) { ++ nbytes = rep.num_items * rep.format/8; ++ rbytes = nbytes + 1; ++ *data = Xmalloc(rbytes); ++ } + + if (!(*data)) { + _XEatDataWords(dpy, rep.length); +-- +cgit v0.9.0.2-2-gbebe diff --git a/x11/libXi/files/patch-src_XISelEv.c b/x11/libXi/files/patch-src_XISelEv.c new file mode 100644 index 000000000000..c86656f2cfb7 --- /dev/null +++ b/x11/libXi/files/patch-src_XISelEv.c @@ -0,0 +1,85 @@ +From 528419b9ef437e7eeafb41bf45e8ff7d818bd845 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sun, 10 Mar 2013 06:55:23 +0000 +Subject: integer overflow in XIGetSelectedEvents() [CVE-2013-1984 6/8] + +If the number of events or masks reported by the server is large enough +that it overflows when multiplied by the size of the appropriate struct, +or the sizes overflow as they are totaled up, then memory corruption can +occur when more bytes are copied from the X server reply than the size +of the buffer we allocated to hold them. + +v2: check that reply size fits inside the data read from the server, + so that we don't read out of bounds either + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- +diff --git a/src/XISelEv.c b/src/XISelEv.c +index f871222..0471bef 100644 +--- src/XISelEv.c ++++ src/XISelEv.c +@@ -42,6 +42,7 @@ in this Software without prior written authorization from the author. + #include <X11/extensions/ge.h> + #include <X11/extensions/geproto.h> + #include "XIint.h" ++#include <limits.h> + + int + XISelectEvents(Display* dpy, Window win, XIEventMask* masks, int num_masks) +@@ -101,13 +102,14 @@ out: + XIEventMask* + XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return) + { +- int i, len = 0; ++ unsigned int i, len = 0; + unsigned char *mask; + XIEventMask *mask_out = NULL; + xXIEventMask *mask_in = NULL, *mi; + xXIGetSelectedEventsReq *req; + xXIGetSelectedEventsReply reply; + XExtDisplayInfo *info = XInput_find_display(dpy); ++ size_t rbytes; + + *num_masks_return = -1; + LockDisplay(dpy); +@@ -129,11 +131,16 @@ XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return) + goto out; + } + +- mask_in = Xmalloc(reply.length * 4); +- if (!mask_in) ++ if (reply.length < (INT_MAX >> 2)) { ++ rbytes = (unsigned long) reply.length << 2; ++ mask_in = Xmalloc(rbytes); ++ } ++ if (!mask_in) { ++ _XEatDataWords(dpy, reply.length); + goto out; ++ } + +- _XRead(dpy, (char*)mask_in, reply.length * 4); ++ _XRead(dpy, (char*)mask_in, rbytes); + + /* + * This function takes interleaved xXIEventMask structs & masks off +@@ -148,8 +155,14 @@ XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return) + + for (i = 0, mi = mask_in; i < reply.num_masks; i++) + { +- len += mi->mask_len * 4; +- mi = (xXIEventMask*)((char*)mi + mi->mask_len * 4); ++ unsigned int mask_bytes = mi->mask_len * 4; ++ len += mask_bytes; ++ if (len > INT_MAX) ++ goto out; ++ if ((sizeof(xXIEventMask) + mask_bytes) > rbytes) ++ goto out; ++ rbytes -= (sizeof(xXIEventMask) + mask_bytes); ++ mi = (xXIEventMask*)((char*)mi + mask_bytes); + mi++; + } + +-- +cgit v0.9.0.2-2-gbebe diff --git a/x11/libXi/files/patch-src_XListDev.c b/x11/libXi/files/patch-src_XListDev.c new file mode 100644 index 000000000000..8231e6b59089 --- /dev/null +++ b/x11/libXi/files/patch-src_XListDev.c @@ -0,0 +1,83 @@ +From 81b4df8ac6aa1520c41c3526961014a6f115cc46 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sun, 10 Mar 2013 08:16:22 +0000 +Subject: sign extension issue in XListInputDevices() [CVE-2013-1995] + +nptr is (signed) char, which can be negative, and will sign extend +when added to the int size, which means size can be subtracted from, +leading to allocating too small a buffer to hold the data being copied +from the X server's reply. + +v2: check that string size fits inside the data read from the server, + so that we don't read out of bounds either + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- +diff --git a/src/XListDev.c b/src/XListDev.c +index 1c14b96..b85ff3c 100644 +--- src/XListDev.c ++++ src/XListDev.c +@@ -73,7 +73,7 @@ static int pad_to_xid(int base_size) + return ((base_size + padsize - 1)/padsize) * padsize; + } + +-static int ++static size_t + SizeClassInfo(xAnyClassPtr *any, int num_classes) + { + int size = 0; +@@ -170,7 +170,7 @@ XListInputDevices( + register Display *dpy, + int *ndevices) + { +- int size; ++ size_t size; + xListInputDevicesReq *req; + xListInputDevicesReply rep; + xDeviceInfo *list, *slist = NULL; +@@ -178,7 +178,7 @@ XListInputDevices( + XDeviceInfo *clist = NULL; + xAnyClassPtr any, sav_any; + XAnyClassPtr Any; +- char *nptr, *Nptr; ++ unsigned char *nptr, *Nptr; + int i; + unsigned long rlen; + XExtDisplayInfo *info = XInput_find_display(dpy); +@@ -217,9 +217,12 @@ XListInputDevices( + size += SizeClassInfo(&any, (int)list->num_classes); + } + +- for (i = 0, nptr = (char *)any; i < *ndevices; i++) { ++ Nptr = ((unsigned char *)list) + rlen + 1; ++ for (i = 0, nptr = (unsigned char *)any; i < *ndevices; i++) { + size += *nptr + 1; + nptr += (*nptr + 1); ++ if (nptr > Nptr) ++ goto out; + } + + clist = (XDeviceInfoPtr) Xmalloc(size); +@@ -245,8 +248,8 @@ XListInputDevices( + } + + clist = sclist; +- nptr = (char *)any; +- Nptr = (char *)Any; ++ nptr = (unsigned char *)any; ++ Nptr = (unsigned char *)Any; + for (i = 0; i < *ndevices; i++, clist++) { + clist->name = (char *)Nptr; + memcpy(Nptr, nptr + 1, *nptr); +@@ -256,6 +259,7 @@ XListInputDevices( + } + } + ++ out: + XFree((char *)slist); + UnlockDisplay(dpy); + SyncHandle(); +-- +cgit v0.9.0.2-2-gbebe diff --git a/x11/libXi/files/patch-src_XQueryDv.c b/x11/libXi/files/patch-src_XQueryDv.c new file mode 100644 index 000000000000..23e60c2c278c --- /dev/null +++ b/x11/libXi/files/patch-src_XQueryDv.c @@ -0,0 +1,63 @@ +From 5398ac0797f7516f2c9b8f2869a6c6d071437352 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 27 Apr 2013 05:48:36 +0000 +Subject: unvalidated lengths in XQueryDeviceState() [CVE-2013-1998 3/3] + +If the lengths given for each class state in the reply add up to more +than the rep.length, we could read past the end of the buffer allocated +to hold the data read from the server. + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> +--- +diff --git a/src/XQueryDv.c b/src/XQueryDv.c +index 69c285b..3836777 100644 +--- src/XQueryDv.c ++++ src/XQueryDv.c +@@ -59,6 +59,7 @@ SOFTWARE. + #include <X11/extensions/XInput.h> + #include <X11/extensions/extutil.h> + #include "XIint.h" ++#include <limits.h> + + XDeviceState * + XQueryDeviceState( +@@ -66,8 +67,8 @@ XQueryDeviceState( + XDevice *dev) + { + int i, j; +- int rlen; +- int size = 0; ++ unsigned long rlen; ++ size_t size = 0; + xQueryDeviceStateReq *req; + xQueryDeviceStateReply rep; + XDeviceState *state = NULL; +@@ -87,9 +88,11 @@ XQueryDeviceState( + if (!_XReply(dpy, (xReply *) & rep, 0, xFalse)) + goto out; + +- rlen = rep.length << 2; +- if (rlen > 0) { +- data = Xmalloc(rlen); ++ if (rep.length > 0) { ++ if (rep.length < (INT_MAX >> 2)) { ++ rlen = (unsigned long) rep.length << 2; ++ data = Xmalloc(rlen); ++ } + if (!data) { + _XEatDataWords(dpy, rep.length); + goto out; +@@ -97,6 +100,10 @@ XQueryDeviceState( + _XRead(dpy, data, rlen); + + for (i = 0, any = (XInputClass *) data; i < (int)rep.num_classes; i++) { ++ if (any->length > rlen) ++ goto out; ++ rlen -= any->length; ++ + switch (any->class) { + case KeyClass: + size += sizeof(XKeyState); +-- +cgit v0.9.0.2-2-gbebe diff --git a/x11/libXinerama/Makefile b/x11/libXinerama/Makefile index 30d0b179c7c9..18b663d2d812 100644 --- a/x11/libXinerama/Makefile +++ b/x11/libXinerama/Makefile @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= libXinerama -PORTVERSION= 1.1.2 +PORTVERSION= 1.1.3 PORTEPOCH= 1 CATEGORIES= x11 diff --git a/x11/libXinerama/distinfo b/x11/libXinerama/distinfo index a039aabf99cf..9f78734d2c62 100644 --- a/x11/libXinerama/distinfo +++ b/x11/libXinerama/distinfo @@ -1,2 +1,2 @@ -SHA256 (xorg/lib/libXinerama-1.1.2.tar.bz2) = a4e77c2fd88372e4ae365f3ca0434a23613da96c5b359b1a64bf43614ec06aac -SIZE (xorg/lib/libXinerama-1.1.2.tar.bz2) = 279682 +SHA256 (xorg/lib/libXinerama-1.1.3.tar.bz2) = 7a45699f1773095a3f821e491cbd5e10c887c5a5fce5d8d3fced15c2ff7698e2 +SIZE (xorg/lib/libXinerama-1.1.3.tar.bz2) = 278026 diff --git a/x11/libXp/Makefile b/x11/libXp/Makefile index 561199421d83..e7b2ae727a52 100644 --- a/x11/libXp/Makefile +++ b/x11/libXp/Makefile @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= libXp -PORTVERSION= 1.0.1 +PORTVERSION= 1.0.2 PORTEPOCH= 1 CATEGORIES= x11 diff --git a/x11/libXp/distinfo b/x11/libXp/distinfo index 760f538f4554..239c5d11e166 100644 --- a/x11/libXp/distinfo +++ b/x11/libXp/distinfo @@ -1,2 +1,2 @@ -SHA256 (xorg/lib/libXp-1.0.1.tar.bz2) = 71d1f260005616d646b8c8788365f2b7d93911dac57bb53b65753d9f9e6443d2 -SIZE (xorg/lib/libXp-1.0.1.tar.bz2) = 300427 +SHA256 (xorg/lib/libXp-1.0.2.tar.bz2) = 952fe5b5e90abd2cf04739aef3a9b63a253cd9309ed066a82bab7ca9112fd0b5 +SIZE (xorg/lib/libXp-1.0.2.tar.bz2) = 298632 diff --git a/x11/libXrandr/Makefile b/x11/libXrandr/Makefile index da7abf5080f4..0dbc91cfe359 100644 --- a/x11/libXrandr/Makefile +++ b/x11/libXrandr/Makefile @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= libXrandr -PORTVERSION= 1.4.0 +PORTVERSION= 1.4.1 CATEGORIES= x11 MAINTAINER= x11@FreeBSD.org diff --git a/x11/libXrandr/distinfo b/x11/libXrandr/distinfo index 11f34982fccf..e0248d9fd368 100644 --- a/x11/libXrandr/distinfo +++ b/x11/libXrandr/distinfo @@ -1,2 +1,2 @@ -SHA256 (xorg/lib/libXrandr-1.4.0.tar.bz2) = 033ad0ac2f012afb05268660f6d78705c85f84689f92fa7b47ce12959b15f5c3 -SIZE (xorg/lib/libXrandr-1.4.0.tar.bz2) = 306649 +SHA256 (xorg/lib/libXrandr-1.4.1.tar.bz2) = d914a0490fd0a2ea6c3194505b5b28c56e2a277d8f4648b0275ee0ee370fb905 +SIZE (xorg/lib/libXrandr-1.4.1.tar.bz2) = 312857 diff --git a/x11/libXrender/Makefile b/x11/libXrender/Makefile index 0f605472b6a5..4205a28f20c4 100644 --- a/x11/libXrender/Makefile +++ b/x11/libXrender/Makefile @@ -3,6 +3,7 @@ PORTNAME= libXrender PORTVERSION= 0.9.7 +PORTREVISION= 1 CATEGORIES= x11 MAINTAINER= x11@FreeBSD.org diff --git a/x11/libXrender/files/patch-src_Filter.c b/x11/libXrender/files/patch-src_Filter.c new file mode 100644 index 000000000000..9bd1784ec5ca --- /dev/null +++ b/x11/libXrender/files/patch-src_Filter.c @@ -0,0 +1,70 @@ +--- src/Filter.c.orig 2013-06-03 19:11:25.000000000 +0000 ++++ src/Filter.c 2013-06-03 19:11:31.000000000 +0000 +@@ -25,6 +25,7 @@ + #include <config.h> + #endif + #include "Xrenderint.h" ++#include <limits.h> + + XFilters * + XRenderQueryFilters (Display *dpy, Drawable drawable) +@@ -37,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawa + char *name; + char len; + int i; +- long nbytes, nbytesAlias, nbytesName; ++ unsigned long nbytes, nbytesAlias, nbytesName; + + if (!RenderHasExtension (info)) + return NULL; +@@ -60,26 +61,36 @@ XRenderQueryFilters (Display *dpy, Drawa + SyncHandle (); + return NULL; + } +- /* +- * Compute total number of bytes for filter names +- */ +- nbytes = (long)rep.length << 2; +- nbytesAlias = rep.numAliases * 2; +- if (rep.numAliases & 1) +- nbytesAlias += 2; +- nbytesName = nbytes - nbytesAlias; + + /* +- * Allocate one giant block for the whole data structure ++ * Limit each component of combined size to 1/4 the max, which is far ++ * more than they should ever possibly need. + */ +- filters = Xmalloc (sizeof (XFilters) + +- rep.numFilters * sizeof (char *) + +- rep.numAliases * sizeof (short) + +- nbytesName); ++ if ((rep.length < (INT_MAX >> 2)) && ++ (rep.numFilters < ((INT_MAX / 4) / sizeof (char *))) && ++ (rep.numAliases < ((INT_MAX / 4) / sizeof (short)))) { ++ /* ++ * Compute total number of bytes for filter names ++ */ ++ nbytes = (unsigned long)rep.length << 2; ++ nbytesAlias = rep.numAliases * 2; ++ if (rep.numAliases & 1) ++ nbytesAlias += 2; ++ nbytesName = nbytes - nbytesAlias; ++ ++ /* ++ * Allocate one giant block for the whole data structure ++ */ ++ filters = Xmalloc (sizeof (XFilters) + ++ (rep.numFilters * sizeof (char *)) + ++ (rep.numAliases * sizeof (short)) + ++ nbytesName); ++ } else ++ filters = NULL; + + if (!filters) + { +- _XEatData (dpy, (unsigned long) rep.length << 2); ++ _XEatDataWords(dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + return NULL; diff --git a/x11/libXrender/files/patch-src_Xrender.c b/x11/libXrender/files/patch-src_Xrender.c new file mode 100644 index 000000000000..0d282cb8c3e9 --- /dev/null +++ b/x11/libXrender/files/patch-src_Xrender.c @@ -0,0 +1,114 @@ +--- src/Xrender.c.orig 2013-06-03 19:11:25.000000000 +0000 ++++ src/Xrender.c 2013-06-03 19:11:34.000000000 +0000 +@@ -26,6 +26,7 @@ + #include <config.h> + #endif + #include "Xrenderint.h" ++#include <limits.h> + + XRenderExtInfo XRenderExtensionInfo; + char XRenderExtensionName[] = RENDER_NAME; +@@ -411,8 +412,8 @@ XRenderQueryFormats (Display *dpy) + CARD32 *xSubpixel; + void *xData; + int nf, ns, nd, nv; +- int rlength; +- int nbytes; ++ unsigned long rlength; ++ unsigned long nbytes; + + RenderCheckExtension (dpy, info, 0); + LockDisplay (dpy); +@@ -458,24 +459,35 @@ XRenderQueryFormats (Display *dpy) + if (async_state.major_version == 0 && async_state.minor_version < 6) + rep.numSubpixel = 0; + +- xri = (XRenderInfo *) Xmalloc (sizeof (XRenderInfo) + +- rep.numFormats * sizeof (XRenderPictFormat) + +- rep.numScreens * sizeof (XRenderScreen) + +- rep.numDepths * sizeof (XRenderDepth) + +- rep.numVisuals * sizeof (XRenderVisual)); +- rlength = (rep.numFormats * sizeof (xPictFormInfo) + +- rep.numScreens * sizeof (xPictScreen) + +- rep.numDepths * sizeof (xPictDepth) + +- rep.numVisuals * sizeof (xPictVisual) + +- rep.numSubpixel * 4); +- xData = (void *) Xmalloc (rlength); +- nbytes = (int) rep.length << 2; ++ if ((rep.numFormats < ((INT_MAX / 4) / sizeof (XRenderPictFormat))) && ++ (rep.numScreens < ((INT_MAX / 4) / sizeof (XRenderScreen))) && ++ (rep.numDepths < ((INT_MAX / 4) / sizeof (XRenderDepth))) && ++ (rep.numVisuals < ((INT_MAX / 4) / sizeof (XRenderVisual))) && ++ (rep.numSubpixel < ((INT_MAX / 4) / 4)) && ++ (rep.length < (INT_MAX >> 2)) ) { ++ xri = Xmalloc (sizeof (XRenderInfo) + ++ (rep.numFormats * sizeof (XRenderPictFormat)) + ++ (rep.numScreens * sizeof (XRenderScreen)) + ++ (rep.numDepths * sizeof (XRenderDepth)) + ++ (rep.numVisuals * sizeof (XRenderVisual))); ++ rlength = ((rep.numFormats * sizeof (xPictFormInfo)) + ++ (rep.numScreens * sizeof (xPictScreen)) + ++ (rep.numDepths * sizeof (xPictDepth)) + ++ (rep.numVisuals * sizeof (xPictVisual)) + ++ (rep.numSubpixel * 4)); ++ xData = Xmalloc (rlength); ++ nbytes = (unsigned long) rep.length << 2; ++ } else { ++ xri = NULL; ++ xData = NULL; ++ rlength = nbytes = 0; ++ } + + if (!xri || !xData || nbytes < rlength) + { + if (xri) Xfree (xri); + if (xData) Xfree (xData); +- _XEatData (dpy, nbytes); ++ _XEatDataWords (dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + return 0; +@@ -832,7 +844,7 @@ XRenderQueryPictIndexValues(Display *d + xRenderQueryPictIndexValuesReq *req; + xRenderQueryPictIndexValuesReply rep; + XIndexValue *values; +- int nbytes, nread, rlength, i; ++ unsigned int nbytes, nread, rlength, i; + + RenderCheckExtension (dpy, info, NULL); + +@@ -848,18 +860,25 @@ XRenderQueryPictIndexValues(Display *d + return NULL; + } + +- /* request data length */ +- nbytes = (long)rep.length << 2; +- /* bytes of actual data in the request */ +- nread = rep.numIndexValues * SIZEOF (xIndexValue); +- /* size of array returned to application */ +- rlength = rep.numIndexValues * sizeof (XIndexValue); ++ if ((rep.length < (INT_MAX >> 2)) && ++ (rep.numIndexValues < (INT_MAX / sizeof (XIndexValue)))) { ++ /* request data length */ ++ nbytes = rep.length << 2; ++ /* bytes of actual data in the request */ ++ nread = rep.numIndexValues * SIZEOF (xIndexValue); ++ /* size of array returned to application */ ++ rlength = rep.numIndexValues * sizeof (XIndexValue); ++ ++ /* allocate returned data */ ++ values = Xmalloc (rlength); ++ } else { ++ nbytes = nread = rlength = 0; ++ values = NULL; ++ } + +- /* allocate returned data */ +- values = (XIndexValue *)Xmalloc (rlength); + if (!values) + { +- _XEatData (dpy, nbytes); ++ _XEatDataWords (dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + return NULL; diff --git a/x11/libXres/Makefile b/x11/libXres/Makefile index 08f9da9bb393..1aaec3bd5c0d 100644 --- a/x11/libXres/Makefile +++ b/x11/libXres/Makefile @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= libXres -PORTVERSION= 1.0.6 +PORTVERSION= 1.0.7 CATEGORIES= x11 MAINTAINER= x11@FreeBSD.org diff --git a/x11/libXres/distinfo b/x11/libXres/distinfo index f2ddd524023a..d4308a680854 100644 --- a/x11/libXres/distinfo +++ b/x11/libXres/distinfo @@ -1,2 +1,2 @@ -SHA256 (xorg/lib/libXres-1.0.6.tar.bz2) = ff8661c925e8b182f98ae98f02bbd93c55259ef7f34a92c1a126b6074ebde890 -SIZE (xorg/lib/libXres-1.0.6.tar.bz2) = 282035 +SHA256 (xorg/lib/libXres-1.0.7.tar.bz2) = 26899054aa87f81b17becc68e8645b240f140464cf90c42616ebb263ec5fa0e5 +SIZE (xorg/lib/libXres-1.0.7.tar.bz2) = 282925 diff --git a/x11/libXtst/Makefile b/x11/libXtst/Makefile index 547b575c80b8..a3822378b53f 100644 --- a/x11/libXtst/Makefile +++ b/x11/libXtst/Makefile @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= libXtst -PORTVERSION= 1.2.1 +PORTVERSION= 1.2.2 CATEGORIES= x11 MAINTAINER= x11@FreeBSD.org diff --git a/x11/libXtst/distinfo b/x11/libXtst/distinfo index 89e0259ea1d5..5e039ffb5462 100644 --- a/x11/libXtst/distinfo +++ b/x11/libXtst/distinfo @@ -1,2 +1,2 @@ -SHA256 (xorg/lib/libXtst-1.2.1.tar.bz2) = 7eea3e66e392aca3f9dad6238198753c28e1c32fa4903cbb7739607a2504e5e0 -SIZE (xorg/lib/libXtst-1.2.1.tar.bz2) = 313147 +SHA256 (xorg/lib/libXtst-1.2.2.tar.bz2) = ef0a7ffd577e5f1a25b1663b375679529663a1880151beaa73e9186c8309f6d9 +SIZE (xorg/lib/libXtst-1.2.2.tar.bz2) = 321784 diff --git a/x11/libXv/Makefile b/x11/libXv/Makefile index d3ee77e03550..32baa16ff747 100644 --- a/x11/libXv/Makefile +++ b/x11/libXv/Makefile @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= libXv -PORTVERSION= 1.0.7 +PORTVERSION= 1.0.8 PORTEPOCH= 1 CATEGORIES= x11 diff --git a/x11/libXv/distinfo b/x11/libXv/distinfo index 05bce5162938..85bd0b57578c 100644 --- a/x11/libXv/distinfo +++ b/x11/libXv/distinfo @@ -1,2 +1,2 @@ -SHA256 (xorg/lib/libXv-1.0.7.tar.bz2) = 5d664aeb641f8c867331a0c6b4574a5e7e420f00bf5fcefd874e8d003ea59010 -SIZE (xorg/lib/libXv-1.0.7.tar.bz2) = 285379 +SHA256 (xorg/lib/libXv-1.0.8.tar.bz2) = 4f00eb5347390909cea4e53a69425839d2a6a44e0e0613321d59e7e4aeaf73d7 +SIZE (xorg/lib/libXv-1.0.8.tar.bz2) = 308065 diff --git a/x11/libXv/pkg-plist b/x11/libXv/pkg-plist index 9765424b3a75..6fb5643302a0 100644 --- a/x11/libXv/pkg-plist +++ b/x11/libXv/pkg-plist @@ -4,3 +4,4 @@ lib/libXv.la lib/libXv.so lib/libXv.so.1 libdata/pkgconfig/xv.pc +@dirrmtry include/X11/extensions diff --git a/x11/libXvMC/Makefile b/x11/libXvMC/Makefile index c9e9a9e99082..7e1f250a7bee 100644 --- a/x11/libXvMC/Makefile +++ b/x11/libXvMC/Makefile @@ -3,6 +3,7 @@ PORTNAME= libXvMC PORTVERSION= 1.0.7 +PORTREVISION= 1 CATEGORIES= x11 MAINTAINER= x11@FreeBSD.org diff --git a/x11/libXvMC/files/patch-src_XvMC.c b/x11/libXvMC/files/patch-src_XvMC.c new file mode 100644 index 000000000000..5701f804af7f --- /dev/null +++ b/x11/libXvMC/files/patch-src_XvMC.c @@ -0,0 +1,166 @@ +--- src/XvMC.c.orig 2012-03-08 05:31:17.000000000 +0000 ++++ src/XvMC.c 2013-06-03 19:17:33.000000000 +0000 +@@ -16,6 +16,7 @@ + #include <sys/time.h> + #include <X11/extensions/Xext.h> + #include <X11/extensions/extutil.h> ++#include <limits.h> + + static XExtensionInfo _xvmc_info_data; + static XExtensionInfo *xvmc_info = &_xvmc_info_data; +@@ -111,8 +112,8 @@ XvMCSurfaceInfo * XvMCListSurfaceTypes(D + } + + if(rep.num > 0) { +- surface_info = +- (XvMCSurfaceInfo*)Xmalloc(rep.num * sizeof(XvMCSurfaceInfo)); ++ if (rep.num < (INT_MAX / sizeof(XvMCSurfaceInfo))) ++ surface_info = Xmalloc(rep.num * sizeof(XvMCSurfaceInfo)); + + if(surface_info) { + xvmcSurfaceInfo sinfo; +@@ -134,7 +135,7 @@ XvMCSurfaceInfo * XvMCListSurfaceTypes(D + surface_info[i].flags = sinfo.flags; + } + } else +- _XEatData(dpy, rep.length << 2); ++ _XEatDataWords(dpy, rep.length); + } + + UnlockDisplay (dpy); +@@ -172,8 +173,8 @@ XvImageFormatValues * XvMCListSubpicture + } + + if(rep.num > 0) { +- ret = +- (XvImageFormatValues*)Xmalloc(rep.num * sizeof(XvImageFormatValues)); ++ if (rep.num < (INT_MAX / sizeof(XvImageFormatValues))) ++ ret = Xmalloc(rep.num * sizeof(XvImageFormatValues)); + + if(ret) { + xvImageFormatInfo Info; +@@ -207,7 +208,7 @@ XvImageFormatValues * XvMCListSubpicture + ret[i].scanline_order = Info.scanline_order; + } + } else +- _XEatData(dpy, rep.length << 2); ++ _XEatDataWords(dpy, rep.length); + } + + UnlockDisplay (dpy); +@@ -273,12 +274,13 @@ Status _xvmc_create_context ( + context->flags = rep.flags_return; + + if(rep.length) { +- *priv_data = Xmalloc(rep.length << 2); ++ if (rep.length < (INT_MAX >> 2)) ++ *priv_data = Xmalloc(rep.length << 2); + if(*priv_data) { + _XRead(dpy, (char*)(*priv_data), rep.length << 2); + *priv_count = rep.length; + } else +- _XEatData(dpy, rep.length << 2); ++ _XEatDataWords(dpy, rep.length); + } + + UnlockDisplay (dpy); +@@ -354,12 +356,13 @@ Status _xvmc_create_surface ( + } + + if(rep.length) { +- *priv_data = Xmalloc(rep.length << 2); ++ if (rep.length < (INT_MAX >> 2)) ++ *priv_data = Xmalloc(rep.length << 2); + if(*priv_data) { + _XRead(dpy, (char*)(*priv_data), rep.length << 2); + *priv_count = rep.length; + } else +- _XEatData(dpy, rep.length << 2); ++ _XEatDataWords(dpy, rep.length); + } + + UnlockDisplay (dpy); +@@ -444,12 +447,13 @@ Status _xvmc_create_subpicture ( + subpicture->component_order[3] = rep.component_order[3]; + + if(rep.length) { +- *priv_data = Xmalloc(rep.length << 2); ++ if (rep.length < (INT_MAX >> 2)) ++ *priv_data = Xmalloc(rep.length << 2); + if(*priv_data) { + _XRead(dpy, (char*)(*priv_data), rep.length << 2); + *priv_count = rep.length; + } else +- _XEatData(dpy, rep.length << 2); ++ _XEatDataWords(dpy, rep.length); + } + + UnlockDisplay (dpy); +@@ -484,7 +488,6 @@ Status XvMCGetDRInfo(Display *dpy, XvPor + XExtDisplayInfo *info = xvmc_find_display(dpy); + xvmcGetDRInfoReply rep; + xvmcGetDRInfoReq *req; +- char *tmpBuf = NULL; + CARD32 magic; + + #ifdef HAVE_SHMAT +@@ -495,6 +498,9 @@ Status XvMCGetDRInfo(Display *dpy, XvPor + here.tz_dsttime = 0; + #endif + ++ *name = NULL; ++ *busID = NULL; ++ + XvMCCheckExtension (dpy, info, BadImplementation); + + LockDisplay (dpy); +@@ -553,33 +559,33 @@ Status XvMCGetDRInfo(Display *dpy, XvPor + #endif + + if (rep.length > 0) { ++ unsigned long realSize = 0; ++ char *tmpBuf = NULL; + +- int realSize = rep.length << 2; +- +- tmpBuf = (char *) Xmalloc(realSize); +- if (tmpBuf) { +- *name = (char *) Xmalloc(rep.nameLen); +- if (*name) { +- *busID = (char *) Xmalloc(rep.busIDLen); +- if (! *busID) { +- XFree(*name); +- XFree(tmpBuf); +- } +- } else { +- XFree(tmpBuf); ++ if (rep.length < (INT_MAX >> 2)) { ++ realSize = rep.length << 2; ++ if (realSize >= (rep.nameLen + rep.busIDLen)) { ++ tmpBuf = Xmalloc(realSize); ++ *name = Xmalloc(rep.nameLen); ++ *busID = Xmalloc(rep.busIDLen); + } + } + + if (*name && *busID && tmpBuf) { +- + _XRead(dpy, tmpBuf, realSize); + strncpy(*name,tmpBuf,rep.nameLen); ++ (*name)[rep.nameLen - 1] = '\0'; + strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen); ++ (*busID)[rep.busIDLen - 1] = '\0'; + XFree(tmpBuf); +- + } else { ++ XFree(*name); ++ *name = NULL; ++ XFree(*busID); ++ *busID = NULL; ++ XFree(tmpBuf); + +- _XEatData(dpy, realSize); ++ _XEatDataWords(dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + return -1; diff --git a/x11/libXxf86dga/Makefile b/x11/libXxf86dga/Makefile index 73e7dcf77411..60fc3f916475 100644 --- a/x11/libXxf86dga/Makefile +++ b/x11/libXxf86dga/Makefile @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= libXxf86dga -PORTVERSION= 1.1.3 +PORTVERSION= 1.1.4 CATEGORIES= x11 MAINTAINER= x11@FreeBSD.org diff --git a/x11/libXxf86dga/distinfo b/x11/libXxf86dga/distinfo index d0b4606f504c..6f752e7ed35b 100644 --- a/x11/libXxf86dga/distinfo +++ b/x11/libXxf86dga/distinfo @@ -1,2 +1,2 @@ -SHA256 (xorg/lib/libXxf86dga-1.1.3.tar.bz2) = 551fa374dbef0f977de1f35d005fa9ffe92b7a87e82dbe62d6a4640f5b0b4994 -SIZE (xorg/lib/libXxf86dga-1.1.3.tar.bz2) = 290347 +SHA256 (xorg/lib/libXxf86dga-1.1.4.tar.bz2) = 8eecd4b6c1df9a3704c04733c2f4fa93ef469b55028af5510b25818e2456c77e +SIZE (xorg/lib/libXxf86dga-1.1.4.tar.bz2) = 280216 diff --git a/x11/libXxf86dga/files/patch-src_XF86DGA2.c b/x11/libXxf86dga/files/patch-src_XF86DGA2.c deleted file mode 100644 index 69ede4ecd9da..000000000000 --- a/x11/libXxf86dga/files/patch-src_XF86DGA2.c +++ /dev/null @@ -1,20 +0,0 @@ ---- src/XF86DGA2.c.orig 2013-03-25 20:23:42.796859881 +0100 -+++ src/XF86DGA2.c 2013-03-25 20:23:17.997856725 +0100 -@@ -21,6 +21,8 @@ - #include <X11/extensions/extutil.h> - #include <stdio.h> - -+#include <stdint.h> -+ - - /* If you change this, change the Bases[] array below as well */ - #define MAX_HEADS 16 -@@ -928,7 +930,7 @@ - if ((pMap->fd = open(name, O_RDWR)) < 0) - return False; - pMap->virtual = mmap(NULL, size, PROT_READ | PROT_WRITE, -- MAP_FILE | MAP_SHARED, pMap->fd, (off_t)base); -+ MAP_FILE | MAP_SHARED, pMap->fd, (off_t)(uintptr_t)base); - if (pMap->virtual == (void *)-1) - return False; - mprotect(pMap->virtual, size, PROT_READ | PROT_WRITE); diff --git a/x11/libXxf86vm/Makefile b/x11/libXxf86vm/Makefile index 995f210ac46d..117479e144f6 100644 --- a/x11/libXxf86vm/Makefile +++ b/x11/libXxf86vm/Makefile @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= libXxf86vm -PORTVERSION= 1.1.2 +PORTVERSION= 1.1.3 CATEGORIES= x11 MAINTAINER= x11@FreeBSD.org diff --git a/x11/libXxf86vm/distinfo b/x11/libXxf86vm/distinfo index 33220e85f47f..3205819f70ec 100644 --- a/x11/libXxf86vm/distinfo +++ b/x11/libXxf86vm/distinfo @@ -1,2 +1,2 @@ -SHA256 (xorg/lib/libXxf86vm-1.1.2.tar.bz2) = a564172fb866b1b587bbccb7d041088931029845245e0d15c32ca7f1bb48fc84 -SIZE (xorg/lib/libXxf86vm-1.1.2.tar.bz2) = 284717 +SHA256 (xorg/lib/libXxf86vm-1.1.3.tar.bz2) = da5e86c32ee2069b9e6d820e4c2e4242d4877cb155a2b2fbf2675a1480ec37b8 +SIZE (xorg/lib/libXxf86vm-1.1.3.tar.bz2) = 284279 diff --git a/x11/libdmx/Makefile b/x11/libdmx/Makefile index 12b60d3ff151..efc36924731a 100644 --- a/x11/libdmx/Makefile +++ b/x11/libdmx/Makefile @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= libdmx -PORTVERSION= 1.1.2 +PORTVERSION= 1.1.3 CATEGORIES= x11 MAINTAINER= x11@FreeBSD.org diff --git a/x11/libdmx/distinfo b/x11/libdmx/distinfo index 292d922c7116..8e7cf6204c3c 100644 --- a/x11/libdmx/distinfo +++ b/x11/libdmx/distinfo @@ -1,2 +1,2 @@ -SHA256 (xorg/lib/libdmx-1.1.2.tar.bz2) = a7870b648a8768d65432af76dd11581ff69f3955118540d5967eb1eef43838ba -SIZE (xorg/lib/libdmx-1.1.2.tar.bz2) = 290694 +SHA256 (xorg/lib/libdmx-1.1.3.tar.bz2) = c97da36d2e56a2d7b6e4f896241785acc95e97eb9557465fd66ba2a155a7b201 +SIZE (xorg/lib/libdmx-1.1.3.tar.bz2) = 290859 diff --git a/x11/libxcb/Makefile b/x11/libxcb/Makefile index 27a6564c1de9..eab4f99081b7 100644 --- a/x11/libxcb/Makefile +++ b/x11/libxcb/Makefile @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= libxcb -PORTVERSION= 1.9 +PORTVERSION= 1.9.1 CATEGORIES= x11 python MASTER_SITES= http://xcb.freedesktop.org/dist/ @@ -13,7 +13,6 @@ LICENSE= MIT LICENSE_FILE= ${WRKSRC}/COPYING BUILD_DEPENDS= ${LOCALBASE}/lib/libcheck.a:${PORTSDIR}/devel/libcheck \ - xsltproc:${PORTSDIR}/textproc/libxslt \ xcb-proto>=1.7:${PORTSDIR}/x11/xcb-proto \ ${LOCALBASE}/libdata/pkgconfig/pthread-stubs.pc:${PORTSDIR}/devel/libpthread-stubs RUN_DEPENDS= ${LOCALBASE}/libdata/pkgconfig/pthread-stubs.pc:${PORTSDIR}/devel/libpthread-stubs @@ -22,6 +21,7 @@ CONFIGURE_ARGS+= --disable-build-docs --without-doxygen --enable-xinput USE_BZIP2= yes USES= pathfix +USE_GNOME= libxslt:build USE_GMAKE= yes USE_LDCONFIG= yes USE_XORG= xau xdmcp diff --git a/x11/libxcb/distinfo b/x11/libxcb/distinfo index adcd292ded24..1143ac88627b 100644 --- a/x11/libxcb/distinfo +++ b/x11/libxcb/distinfo @@ -1,2 +1,2 @@ -SHA256 (libxcb-1.9.tar.bz2) = 8857e62b3aae2976c7e10043643e45a85964fd1dcb4469dfde0d04d3d1b12c96 -SIZE (libxcb-1.9.tar.bz2) = 387612 +SHA256 (libxcb-1.9.1.tar.bz2) = d44a5ff4eb0b9569e6f7183b51fdaf6f58da90e7d6bfc36b612d7263f83e362f +SIZE (libxcb-1.9.1.tar.bz2) = 373312 |