aboutsummaryrefslogtreecommitdiff
path: root/x11-servers
diff options
context:
space:
mode:
authorKoop Mast <kwm@FreeBSD.org>2014-12-10 21:35:13 +0000
committerKoop Mast <kwm@FreeBSD.org>2014-12-10 21:35:13 +0000
commit1ef33079b39900dcc3d50c5e019eb2f8901c525b (patch)
tree49084ca45edd067095895911788343ae39bf660b /x11-servers
parent1f9994ea648d15bf32a588a1dd68772c0e2e8882 (diff)
downloadports-1ef33079b39900dcc3d50c5e019eb2f8901c525b.tar.gz
ports-1ef33079b39900dcc3d50c5e019eb2f8901c525b.zip
Notes
Diffstat (limited to 'x11-servers')
-rw-r--r--x11-servers/xorg-server/Makefile3
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8092-1-437
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8092-2-449
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8092-3-4128
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8092-4-434
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8092-pt532
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8092-pt635
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8093-1-647
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8093-2-6165
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8093-3-659
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8093-4-682
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8093-5-6225
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8093-6-634
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-809435
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8095561
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-809627
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-809773
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8097-pt250
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8098-1-859
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8098-2-875
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8098-3-8153
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8098-4-851
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8098-6-845
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8098-7-8553
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8098-8-8964
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8099179
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8100-1-230
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-8100-2-2140
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-810151
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-810227
30 files changed, 4002 insertions, 1 deletions
diff --git a/x11-servers/xorg-server/Makefile b/x11-servers/xorg-server/Makefile
index b608dfa530c1..183136dbc8bb 100644
--- a/x11-servers/xorg-server/Makefile
+++ b/x11-servers/xorg-server/Makefile
@@ -35,13 +35,14 @@ OPTIONS_EXCLUDE_sparc64= HAL
.if defined(WITH_NEW_XORG)
XORG_VERSION= 1.12.4
-XORG_REVISION= 9
+XORG_REVISION= 10
PLIST_SUB+= OLD="@comment " NEW=""
EXTRA_PATCHES+= ${FILESDIR}/extra-clang \
${FILESDIR}/extra-configure \
${FILESDIR}/extra-new-bad-impl \
${FILESDIR}/extra-new-dix_dixfonts.c
.else
+FORBIDDEN= unfixed security issues
XORG_VERSION= 1.7.7
XORG_REVISION= 14
PLIST_SUB+= OLD="" NEW="@comment "
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8092-1-4 b/x11-servers/xorg-server/files/patch-CVE-2014-8092-1-4
new file mode 100644
index 000000000000..d04a03be0054
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8092-1-4
@@ -0,0 +1,37 @@
+From eeae42d60bf3d5663ea088581f6c28a82cd17829 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Wed, 22 Jan 2014 21:11:16 -0800
+Subject: [PATCH 01/40] dix: integer overflow in ProcPutImage() [CVE-2014-8092
+ 1/4]
+
+ProcPutImage() calculates a length field from a width, left pad and depth
+specified by the client (if the specified format is XYPixmap).
+
+The calculations for the total amount of memory the server needs for the
+pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
+on 32-bit systems (since the length is stored in a long int variable).
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ dix/dispatch.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index d844a09..55b978d 100644
+--- dix/dispatch.c
++++ dix/dispatch.c
+@@ -2000,6 +2000,9 @@ ProcPutImage(ClientPtr client)
+ tmpImage = (char *) &stuff[1];
+ lengthProto = length;
+
++ if (lengthProto >= (INT32_MAX / stuff->height))
++ return BadLength;
++
+ if ((bytes_to_int32(lengthProto * stuff->height) +
+ bytes_to_int32(sizeof(xPutImageReq))) != client->req_len)
+ return BadLength;
+--
+2.1.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8092-2-4 b/x11-servers/xorg-server/files/patch-CVE-2014-8092-2-4
new file mode 100644
index 000000000000..25d58bd418a5
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8092-2-4
@@ -0,0 +1,49 @@
+From bc8e20430b6f6378daf6ce4329029248a88af08b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Mon, 6 Jan 2014 23:30:14 -0800
+Subject: [PATCH 02/40] dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]
+
+GetHosts() iterates over all the hosts it has in memory, and copies
+them to a buffer. The buffer length is calculated by iterating over
+all the hosts and adding up all of their combined length. There is a
+potential integer overflow, if there are lots and lots of hosts (with
+a combined length of > ~4 gig). This should be possible by repeatedly
+calling ProcChangeHosts() on 64bit machines with enough memory.
+
+This patch caps the list at 1mb, because multi-megabyte hostname
+lists for X access control are insane.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ os/access.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/os/access.c b/os/access.c
+index 5c510de..f393c8d 100644
+--- os/access.c
++++ os/access.c
+@@ -1296,6 +1296,10 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
+ for (host = validhosts; host; host = host->next) {
+ nHosts++;
+ n += pad_to_int32(host->len) + sizeof(xHostEntry);
++ /* Could check for INT_MAX, but in reality having more than 1mb of
++ hostnames in the access list is ridiculous */
++ if (n >= 1048576)
++ break;
+ }
+ if (n) {
+ *data = ptr = malloc(n);
+@@ -1304,6 +1308,8 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
+ }
+ for (host = validhosts; host; host = host->next) {
+ len = host->len;
++ if ((ptr + sizeof(xHostEntry) + len) > (data + n))
++ break;
+ ((xHostEntry *) ptr)->family = host->family;
+ ((xHostEntry *) ptr)->length = len;
+ ptr += sizeof(xHostEntry);
+--
+2.1.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8092-3-4 b/x11-servers/xorg-server/files/patch-CVE-2014-8092-3-4
new file mode 100644
index 000000000000..e05101bac9e3
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8092-3-4
@@ -0,0 +1,128 @@
+From 97015a07b9e15d8ec5608b95d95ec0eb51202acb Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Wed, 22 Jan 2014 22:37:15 -0800
+Subject: [PATCH 03/40] dix: integer overflow in RegionSizeof() [CVE-2014-8092
+ 3/4]
+
+RegionSizeof contains several integer overflows if a large length
+value is passed in. Once we fix it to return 0 on overflow, we
+also have to fix the callers to handle this error condition
+
+v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+---
+ dix/region.c | 20 +++++++++++++-------
+ include/regionstr.h | 10 +++++++---
+ 2 files changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/dix/region.c b/dix/region.c
+index ce1014e..04e5901 100644
+--- dix/region.c
++++ dix/region.c
+@@ -169,7 +169,6 @@ Equipment Corporation.
+ ((r1)->y1 <= (r2)->y1) && \
+ ((r1)->y2 >= (r2)->y2) )
+
+-#define xallocData(n) malloc(RegionSizeof(n))
+ #define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data)
+
+ #define RECTALLOC_BAIL(pReg,n,bail) \
+@@ -205,8 +204,9 @@ if (!(pReg)->data || (((pReg)->data->numRects + (n)) > (pReg)->data->size)) \
+ #define DOWNSIZE(reg,numRects) \
+ if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \
+ { \
+- RegDataPtr NewData; \
+- NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects)); \
++ size_t NewSize = RegionSizeof(numRects); \
++ RegDataPtr NewData = \
++ (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ; \
+ if (NewData) \
+ { \
+ NewData->size = (numRects); \
+@@ -345,17 +345,20 @@ Bool
+ RegionRectAlloc(RegionPtr pRgn, int n)
+ {
+ RegDataPtr data;
++ size_t rgnSize;
+
+ if (!pRgn->data) {
+ n++;
+- pRgn->data = xallocData(n);
++ rgnSize = RegionSizeof(n);
++ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
+ if (!pRgn->data)
+ return RegionBreak(pRgn);
+ pRgn->data->numRects = 1;
+ *RegionBoxptr(pRgn) = pRgn->extents;
+ }
+ else if (!pRgn->data->size) {
+- pRgn->data = xallocData(n);
++ rgnSize = RegionSizeof(n);
++ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
+ if (!pRgn->data)
+ return RegionBreak(pRgn);
+ pRgn->data->numRects = 0;
+@@ -367,7 +370,8 @@ RegionRectAlloc(RegionPtr pRgn, int n)
+ n = 250;
+ }
+ n += pRgn->data->numRects;
+- data = (RegDataPtr) realloc(pRgn->data, RegionSizeof(n));
++ rgnSize = RegionSizeof(n);
++ data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL;
+ if (!data)
+ return RegionBreak(pRgn);
+ pRgn->data = data;
+@@ -1312,6 +1316,7 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype)
+ {
+
+ RegionPtr pRgn;
++ size_t rgnSize;
+ RegDataPtr pData;
+ BoxPtr pBox;
+ int i;
+@@ -1338,7 +1343,8 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype)
+ }
+ return pRgn;
+ }
+- pData = xallocData(nrects);
++ rgnSize = RegionSizeof(nrects);
++ pData = (rgnSize > 0) ? malloc(rgnSize) : NULL;
+ if (!pData) {
+ RegionBreak(pRgn);
+ return pRgn;
+diff --git a/include/regionstr.h b/include/regionstr.h
+index 515e93f..079375d 100644
+--- include/regionstr.h
++++ include/regionstr.h
+@@ -127,7 +127,10 @@ RegionEnd(RegionPtr reg)
+ static inline size_t
+ RegionSizeof(size_t n)
+ {
+- return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
++ if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)))
++ return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
++ else
++ return 0;
+ }
+
+ static inline void
+@@ -138,9 +141,10 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect, int _size)
+ (_pReg)->data = (RegDataPtr) NULL;
+ }
+ else {
++ size_t rgnSize;
+ (_pReg)->extents = RegionEmptyBox;
+- if (((_size) > 1) && ((_pReg)->data =
+- (RegDataPtr) malloc(RegionSizeof(_size)))) {
++ if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) &&
++ (((_pReg)->data = malloc(rgnSize)) != NULL)) {
+ (_pReg)->data->size = (_size);
+ (_pReg)->data->numRects = 0;
+ }
+--
+2.1.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8092-4-4 b/x11-servers/xorg-server/files/patch-CVE-2014-8092-4-4
new file mode 100644
index 000000000000..64436ed41424
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8092-4-4
@@ -0,0 +1,34 @@
+From e0e11644622a589129a01e11e5d105dc74a098de Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Wed, 22 Jan 2014 23:44:46 -0800
+Subject: [PATCH 04/40] dix: integer overflow in REQUEST_FIXED_SIZE()
+ [CVE-2014-8092 4/4]
+
+Force use of 64-bit integers when evaluating data provided by clients
+in 32-bit fields which can overflow when added or multiplied during
+checks.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ include/dix.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/dix.h b/include/dix.h
+index 991a3ce..e0c6ed8 100644
+--- include/dix.h
++++ include/dix.h
+@@ -76,7 +76,8 @@ SOFTWARE.
+
+ #define REQUEST_FIXED_SIZE(req, n)\
+ if (((sizeof(req) >> 2) > client->req_len) || \
+- (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \
++ ((n >> 2) >= client->req_len) || \
++ ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \
+ return(BadLength)
+
+ #define LEGAL_NEW_RESOURCE(id,client)\
+--
+2.1.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt5 b/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt5
new file mode 100644
index 000000000000..4446b4898426
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt5
@@ -0,0 +1,32 @@
+From 9802a0162f738de03585ca3f3b8a8266494f7d45 Mon Sep 17 00:00:00 2001
+From: Keith Packard <keithp@keithp.com>
+Date: Tue, 9 Dec 2014 09:30:59 -0800
+Subject: [PATCH 38/40] Missing parens in REQUEST_FIXED_SIZE macro
+ [CVE-2014-8092 pt. 5]
+
+The 'n' parameter must be surrounded by parens in both places to
+prevent precedence from mis-computing things.
+
+Signed-off-by: Keith Packard <keithp@keithp.com>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ include/dix.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/dix.h b/include/dix.h
+index 21176a8..921156b 100644
+--- include/dix.h
++++ include/dix.h
+@@ -80,7 +80,7 @@ SOFTWARE.
+
+ #define REQUEST_FIXED_SIZE(req, n)\
+ if (((sizeof(req) >> 2) > client->req_len) || \
+- ((n >> 2) >= client->req_len) || \
++ (((n) >> 2) >= client->req_len) || \
+ ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \
+ return(BadLength)
+
+--
+2.1.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt6 b/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt6
new file mode 100644
index 000000000000..5adb2b02cc9b
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt6
@@ -0,0 +1,35 @@
+From 1559a94395258fd73e369f1a2c98a44bfe21a486 Mon Sep 17 00:00:00 2001
+From: Keith Packard <keithp@keithp.com>
+Date: Tue, 9 Dec 2014 09:31:00 -0800
+Subject: [PATCH 39/40] dix: GetHosts bounds check using wrong pointer value
+ [CVE-2014-8092 pt. 6]
+
+GetHosts saves the pointer to allocated memory in *data, and then
+wants to bounds-check writes to that region, but was mistakenly using
+a bare 'data' instead of '*data'. Also, data is declared as void **,
+so we need a cast to turn it into a byte pointer so we can actually do
+pointer comparisons.
+
+Signed-off-by: Keith Packard <keithp@keithp.com>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ os/access.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/os/access.c b/os/access.c
+index f393c8d..28f2d32 100644
+--- os/access.c
++++ os/access.c
+@@ -1308,7 +1308,7 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
+ }
+ for (host = validhosts; host; host = host->next) {
+ len = host->len;
+- if ((ptr + sizeof(xHostEntry) + len) > (data + n))
++ if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
+ break;
+ ((xHostEntry *) ptr)->family = host->family;
+ ((xHostEntry *) ptr)->length = len;
+--
+2.1.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8093-1-6 b/x11-servers/xorg-server/files/patch-CVE-2014-8093-1-6
new file mode 100644
index 000000000000..ffa7e3995647
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8093-1-6
@@ -0,0 +1,47 @@
+From 23fe7718bb171e71db2d1a30505c2ca2988799d9 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Mon, 10 Nov 2014 12:13:36 -0500
+Subject: [PATCH 19/40] glx: Be more paranoid about variable-length requests
+ [CVE-2014-8093 1/6]
+
+If the size computation routine returns -1 we should just reject the
+request outright. Clamping it to zero could give an attacker the
+opportunity to also mangle cmdlen in such a way that the subsequent
+length check passes, and the request would get executed, thus passing
+data we wanted to reject to the renderer.
+
+Reviewed-by: Keith Packard <keithp@keithp.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Reviewed-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Andy Ritger <aritger@nvidia.com>
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ glx/glxcmds.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/glx/glxcmds.c b/glx/glxcmds.c
+index 009fd9b..ea42e2a 100644
+--- glx/glxcmds.c
++++ glx/glxcmds.c
+@@ -2062,7 +2062,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
+ extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
+ client->swapped);
+ if (extra < 0) {
+- extra = 0;
++ return BadLength;
+ }
+ if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
+ return BadLength;
+@@ -2179,7 +2179,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
+ extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
+ client->swapped);
+ if (extra < 0) {
+- extra = 0;
++ return BadLength;
+ }
+ /* large command's header is 4 bytes longer, so add 4 */
+ if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
+--
+2.1.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8093-2-6 b/x11-servers/xorg-server/files/patch-CVE-2014-8093-2-6
new file mode 100644
index 000000000000..6be272144ba2
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8093-2-6
@@ -0,0 +1,165 @@
+From ab2ba9338aa5e85b4487bc7fbe69985c76483e01 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Mon, 10 Nov 2014 12:13:37 -0500
+Subject: [PATCH 20/40] glx: Be more strict about rejecting invalid image sizes
+ [CVE-2014-8093 2/6]
+
+Before this we'd just clamp the image size to 0, which was just
+hideously stupid; if the parameters were such that they'd overflow an
+integer, you'd allocate a small buffer, then pass huge values into (say)
+ReadPixels, and now you're scribbling over arbitrary server memory.
+
+Reviewed-by: Keith Packard <keithp@keithp.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Reviewed-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Andy Ritger <aritger@nvidia.com>
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ glx/singlepix.c | 16 ++++++++--------
+ glx/singlepixswap.c | 16 ++++++++--------
+ 2 files changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/glx/singlepix.c b/glx/singlepix.c
+index 506fdaa..8b6c261 100644
+--- glx/singlepix.c
++++ glx/singlepix.c
+@@ -65,7 +65,7 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc)
+ lsbFirst = *(GLboolean *) (pc + 25);
+ compsize = __glReadPixels_size(format, type, width, height);
+ if (compsize < 0)
+- compsize = 0;
++ return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
+ glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
+@@ -124,7 +124,7 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc)
+ compsize =
+ __glGetTexImage_size(target, level, format, type, width, height, depth);
+ if (compsize < 0)
+- compsize = 0;
++ return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
+ __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
+@@ -218,9 +218,9 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
+ compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
+
+ if (compsize < 0)
+- compsize = 0;
++ return BadLength;
+ if (compsize2 < 0)
+- compsize2 = 0;
++ return BadLength;
+ compsize = __GLX_PAD(compsize);
+ compsize2 = __GLX_PAD(compsize2);
+
+@@ -296,7 +296,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
+ */
+ compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
+ if (compsize < 0)
+- compsize = 0;
++ return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
+ __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
+@@ -365,7 +365,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
+ */
+ compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
+ if (compsize < 0)
+- compsize = 0;
++ return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
+ __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
+@@ -426,7 +426,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
+
+ compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
+ if (compsize < 0)
+- compsize = 0;
++ return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
+ __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
+@@ -491,7 +491,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
+ */
+ compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
+ if (compsize < 0)
+- compsize = 0;
++ return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
+ __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
+diff --git a/glx/singlepixswap.c b/glx/singlepixswap.c
+index 8469101..8dc304f 100644
+--- glx/singlepixswap.c
++++ glx/singlepixswap.c
+@@ -75,7 +75,7 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc)
+ lsbFirst = *(GLboolean *) (pc + 25);
+ compsize = __glReadPixels_size(format, type, width, height);
+ if (compsize < 0)
+- compsize = 0;
++ return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
+ glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
+@@ -144,7 +144,7 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc)
+ compsize =
+ __glGetTexImage_size(target, level, format, type, width, height, depth);
+ if (compsize < 0)
+- compsize = 0;
++ return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
+ __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
+@@ -252,9 +252,9 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
+ compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
+
+ if (compsize < 0)
+- compsize = 0;
++ return BadLength;
+ if (compsize2 < 0)
+- compsize2 = 0;
++ return BadLength;
+ compsize = __GLX_PAD(compsize);
+ compsize2 = __GLX_PAD(compsize2);
+
+@@ -338,7 +338,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
+ */
+ compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
+ if (compsize < 0)
+- compsize = 0;
++ return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
+ __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
+@@ -415,7 +415,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
+ */
+ compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
+ if (compsize < 0)
+- compsize = 0;
++ return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
+ __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
+@@ -483,7 +483,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
+
+ compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
+ if (compsize < 0)
+- compsize = 0;
++ return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
+ __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
+@@ -554,7 +554,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
+ */
+ compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
+ if (compsize < 0)
+- compsize = 0;
++ return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
+ __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
+--
+2.1.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8093-3-6 b/x11-servers/xorg-server/files/patch-CVE-2014-8093-3-6
new file mode 100644
index 000000000000..0145fc1f85f0
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8093-3-6
@@ -0,0 +1,59 @@
+From 717a1b37767b41e14859e5022ae9e679152821a9 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Mon, 10 Nov 2014 12:13:38 -0500
+Subject: [PATCH 21/40] glx: Additional paranoia in __glXGetAnswerBuffer /
+ __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
+
+If the computed reply size is negative, something went wrong, treat it
+as an error.
+
+v2: Be more careful about size_t being unsigned (Matthieu Herrb)
+v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
+
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Reviewed-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Andy Ritger <aritger@nvidia.com>
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ glx/indirect_util.c | 7 ++++++-
+ glx/unpack.h | 3 ++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/glx/indirect_util.c b/glx/indirect_util.c
+index 926e57c..de81491 100644
+--- glx/indirect_util.c
++++ glx/indirect_util.c
+@@ -76,9 +76,14 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
+ const unsigned mask = alignment - 1;
+
+ if (local_size < required_size) {
+- const size_t worst_case_size = required_size + alignment;
++ size_t worst_case_size;
+ intptr_t temp_buf;
+
++ if (required_size < SIZE_MAX - alignment)
++ worst_case_size = required_size + alignment;
++ else
++ return NULL;
++
+ if (cl->returnBufSize < worst_case_size) {
+ void *temp = realloc(cl->returnBuf, worst_case_size);
+
+diff --git a/glx/unpack.h b/glx/unpack.h
+index 52fba74..2b1ebcf 100644
+--- glx/unpack.h
++++ glx/unpack.h
+@@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply;
+ ** pointer.
+ */
+ #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \
+- if ((size) > sizeof(answerBuffer)) { \
++ if (size < 0) return BadLength; \
++ else if ((size) > sizeof(answerBuffer)) { \
+ int bump; \
+ if ((cl)->returnBufSize < (size)+(align)) { \
+ (cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf, \
+--
+2.1.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8093-4-6 b/x11-servers/xorg-server/files/patch-CVE-2014-8093-4-6
new file mode 100644
index 000000000000..6a461c92e105
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8093-4-6
@@ -0,0 +1,82 @@
+From 2a5cbc17fc72185bf0fa06fef26d1f782de72595 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Mon, 10 Nov 2014 12:13:40 -0500
+Subject: [PATCH 23/40] glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6]
+
+These are paranoid about integer overflow, and will return -1 if their
+operation would overflow a (signed) integer or if either argument is
+negative.
+
+Note that RenderLarge requests are sized with a uint32_t so in principle
+this could be sketchy there, but dix limits bigreqs to 128M so you
+shouldn't ever notice, and honestly if you're sending more than 2G of
+rendering commands you're already doing something very wrong.
+
+v2: Use INT_MAX for consistency with the rest of the server (jcristau)
+v3: Reject negative arguments (anholt)
+
+Reviewed-by: Keith Packard <keithp@keithp.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Reviewed-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Andy Ritger <aritger@nvidia.com>
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ glx/glxserver.h | 41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+diff --git a/glx/glxserver.h b/glx/glxserver.h
+index a324b29..9482601 100644
+--- glx/glxserver.h
++++ glx/glxserver.h
+@@ -228,6 +228,47 @@ extern void glxSwapQueryServerStringReply(ClientPtr client,
+ * Routines for computing the size of variably-sized rendering commands.
+ */
+
++static _X_INLINE int
++safe_add(int a, int b)
++{
++ if (a < 0 || b < 0)
++ return -1;
++
++ if (INT_MAX - a < b)
++ return -1;
++
++ return a + b;
++}
++
++static _X_INLINE int
++safe_mul(int a, int b)
++{
++ if (a < 0 || b < 0)
++ return -1;
++
++ if (a == 0 || b == 0)
++ return 0;
++
++ if (a > INT_MAX / b)
++ return -1;
++
++ return a * b;
++}
++
++static _X_INLINE int
++safe_pad(int a)
++{
++ int ret;
++
++ if (a < 0)
++ return -1;
++
++ if ((ret = safe_add(a, 3)) < 0)
++ return -1;
++
++ return ret & (GLuint)~3;
++}
++
+ extern int __glXTypeSize(GLenum enm);
+ extern int __glXImageSize(GLenum format, GLenum type,
+ GLenum target, GLsizei w, GLsizei h, GLsizei d,
+--
+2.1.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8093-5-6 b/x11-servers/xorg-server/files/patch-CVE-2014-8093-5-6
new file mode 100644
index 000000000000..6384cd634f99
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8093-5-6
@@ -0,0 +1,225 @@
+From 698888e6671d54c7ae41e9d456f7f5483a3459d2 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Mon, 10 Nov 2014 12:13:42 -0500
+Subject: [PATCH 25/40] glx: Integer overflow protection for non-generated
+ render requests (v3) [CVE-2014-8093 5/6]
+
+v2:
+Fix constants in __glXMap2fReqSize (Michal Srb)
+Validate w/h/d for proxy targets too (Keith Packard)
+
+v3:
+Fix Map[12]Size to correctly reject order == 0 (Julien Cristau)
+
+Reviewed-by: Keith Packard <keithp@keithp.com>
+Reviewed-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Andy Ritger <aritger@nvidia.com>
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ glx/rensize.c | 77 +++++++++++++++++++++++++++++++----------------------------
+ 1 file changed, 41 insertions(+), 36 deletions(-)
+
+diff --git a/glx/rensize.c b/glx/rensize.c
+index 9ff73c7..d46334a 100644
+--- glx/rensize.c
++++ glx/rensize.c
+@@ -43,19 +43,11 @@
+ (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \
+ ((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
+
+-static int
+-Map1Size(GLint k, GLint order)
+-{
+- if (order <= 0 || k < 0)
+- return -1;
+- return k * order;
+-}
+-
+ int
+ __glXMap1dReqSize(const GLbyte * pc, Bool swap)
+ {
+ GLenum target;
+- GLint order, k;
++ GLint order;
+
+ target = *(GLenum *) (pc + 16);
+ order = *(GLint *) (pc + 20);
+@@ -63,15 +55,16 @@ __glXMap1dReqSize(const GLbyte * pc, Bool swap)
+ target = SWAPL(target);
+ order = SWAPL(order);
+ }
+- k = __glMap1d_size(target);
+- return 8 * Map1Size(k, order);
++ if (order < 1)
++ return -1;
++ return safe_mul(8, safe_mul(__glMap1d_size(target), order));
+ }
+
+ int
+ __glXMap1fReqSize(const GLbyte * pc, Bool swap)
+ {
+ GLenum target;
+- GLint order, k;
++ GLint order;
+
+ target = *(GLenum *) (pc + 0);
+ order = *(GLint *) (pc + 12);
+@@ -79,23 +72,24 @@ __glXMap1fReqSize(const GLbyte * pc, Bool swap)
+ target = SWAPL(target);
+ order = SWAPL(order);
+ }
+- k = __glMap1f_size(target);
+- return 4 * Map1Size(k, order);
++ if (order < 1)
++ return -1;
++ return safe_mul(4, safe_mul(__glMap1f_size(target), order));
+ }
+
+ static int
+ Map2Size(int k, int majorOrder, int minorOrder)
+ {
+- if (majorOrder <= 0 || minorOrder <= 0 || k < 0)
++ if (majorOrder < 1 || minorOrder < 1)
+ return -1;
+- return k * majorOrder * minorOrder;
++ return safe_mul(k, safe_mul(majorOrder, minorOrder));
+ }
+
+ int
+ __glXMap2dReqSize(const GLbyte * pc, Bool swap)
+ {
+ GLenum target;
+- GLint uorder, vorder, k;
++ GLint uorder, vorder;
+
+ target = *(GLenum *) (pc + 32);
+ uorder = *(GLint *) (pc + 36);
+@@ -105,15 +99,14 @@ __glXMap2dReqSize(const GLbyte * pc, Bool swap)
+ uorder = SWAPL(uorder);
+ vorder = SWAPL(vorder);
+ }
+- k = __glMap2d_size(target);
+- return 8 * Map2Size(k, uorder, vorder);
++ return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
+ }
+
+ int
+ __glXMap2fReqSize(const GLbyte * pc, Bool swap)
+ {
+ GLenum target;
+- GLint uorder, vorder, k;
++ GLint uorder, vorder;
+
+ target = *(GLenum *) (pc + 0);
+ uorder = *(GLint *) (pc + 12);
+@@ -123,8 +116,7 @@ __glXMap2fReqSize(const GLbyte * pc, Bool swap)
+ uorder = SWAPL(uorder);
+ vorder = SWAPL(vorder);
+ }
+- k = __glMap2f_size(target);
+- return 4 * Map2Size(k, uorder, vorder);
++ return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
+ }
+
+ /**
+@@ -175,14 +167,16 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
+ GLint bytesPerElement, elementsPerGroup, groupsPerRow;
+ GLint groupSize, rowSize, padding, imageSize;
+
++ if (w == 0 || h == 0 || d == 0)
++ return 0;
++
+ if (w < 0 || h < 0 || d < 0 ||
+ (type == GL_BITMAP &&
+ (format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) {
+ return -1;
+ }
+- if (w == 0 || h == 0 || d == 0)
+- return 0;
+
++ /* proxy targets have no data */
+ switch (target) {
+ case GL_PROXY_TEXTURE_1D:
+ case GL_PROXY_TEXTURE_2D:
+@@ -199,6 +193,12 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
+ return 0;
+ }
+
++ /* real data has to have real sizes */
++ if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0)
++ return -1;
++ if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8)
++ return -1;
++
+ if (type == GL_BITMAP) {
+ if (rowLength > 0) {
+ groupsPerRow = rowLength;
+@@ -207,11 +207,14 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
+ groupsPerRow = w;
+ }
+ rowSize = bits_to_bytes(groupsPerRow);
++ if (rowSize < 0)
++ return -1;
+ padding = (rowSize % alignment);
+ if (padding) {
+ rowSize += alignment - padding;
+ }
+- return ((h + skipRows) * rowSize);
++
++ return safe_mul(safe_add(h, skipRows), rowSize);
+ }
+ else {
+ switch (format) {
+@@ -303,6 +306,7 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
+ default:
+ return -1;
+ }
++ /* known safe by the switches above, not checked */
+ groupSize = bytesPerElement * elementsPerGroup;
+ if (rowLength > 0) {
+ groupsPerRow = rowLength;
+@@ -310,18 +314,21 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
+ else {
+ groupsPerRow = w;
+ }
+- rowSize = groupsPerRow * groupSize;
++
++ if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0)
++ return -1;
+ padding = (rowSize % alignment);
+ if (padding) {
+ rowSize += alignment - padding;
+ }
+- if (imageHeight > 0) {
+- imageSize = (imageHeight + skipRows) * rowSize;
+- }
+- else {
+- imageSize = (h + skipRows) * rowSize;
+- }
+- return ((d + skipImages) * imageSize);
++
++ if (imageHeight > 0)
++ h = imageHeight;
++ h = safe_add(h, skipRows);
++
++ imageSize = safe_mul(h, rowSize);
++
++ return safe_mul(safe_add(d, skipImages), imageSize);
+ }
+ }
+
+@@ -445,9 +452,7 @@ __glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
+ /* XXX Should rowLength be used for either or both image? */
+ image1size = __glXImageSize(format, type, 0, w, 1, 1,
+ 0, rowLength, 0, 0, alignment);
+- image1size = __GLX_PAD(image1size);
+ image2size = __glXImageSize(format, type, 0, h, 1, 1,
+ 0, rowLength, 0, 0, alignment);
+- return image1size + image2size;
+-
++ return safe_add(safe_pad(image1size), image2size);
+ }
+--
+2.1.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8093-6-6 b/x11-servers/xorg-server/files/patch-CVE-2014-8093-6-6
new file mode 100644
index 000000000000..ce3041385c77
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8093-6-6
@@ -0,0 +1,34 @@
+From 7e7630bbb775573eea2a2335adb9d190c3e1e971 Mon Sep 17 00:00:00 2001
+From: Robert Morell <rmorell@nvidia.com>
+Date: Wed, 12 Nov 2014 18:51:43 -0800
+Subject: [PATCH 32/40] glx: Fix mask truncation in __glXGetAnswerBuffer
+ [CVE-2014-8093 6/6]
+
+On a system where sizeof(unsigned) != sizeof(intptr_t), the unary
+bitwise not operation will result in a mask that clears all high bits
+from temp_buf in the expression:
+ temp_buf = (temp_buf + mask) & ~mask;
+
+Signed-off-by: Robert Morell <rmorell@nvidia.com>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ glx/indirect_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/glx/indirect_util.c b/glx/indirect_util.c
+index de81491..9ba2815 100644
+--- glx/indirect_util.c
++++ glx/indirect_util.c
+@@ -73,7 +73,7 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
+ void *local_buffer, size_t local_size, unsigned alignment)
+ {
+ void *buffer = local_buffer;
+- const unsigned mask = alignment - 1;
++ const intptr_t mask = alignment - 1;
+
+ if (local_size < required_size) {
+ size_t worst_case_size;
+--
+2.1.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8094 b/x11-servers/xorg-server/files/patch-CVE-2014-8094
new file mode 100644
index 000000000000..b634b6522b13
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8094
@@ -0,0 +1,35 @@
+From 6692670fde081bbfe9313f17d84037ae9116702a Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Wed, 22 Jan 2014 23:40:18 -0800
+Subject: [PATCH 05/40] dri2: integer overflow in ProcDRI2GetBuffers()
+ [CVE-2014-8094]
+
+ProcDRI2GetBuffers() tries to validate a length field (count).
+There is an integer overflow in the validation. This can cause
+out of bound reads and memory corruption later on.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+---
+ hw/xfree86/dri2/dri2ext.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/xfree86/dri2/dri2ext.c b/hw/xfree86/dri2/dri2ext.c
+index ffd66fa..221ec53 100644
+--- hw/xfree86/dri2/dri2ext.c
++++ hw/xfree86/dri2/dri2ext.c
+@@ -270,6 +270,9 @@ ProcDRI2GetBuffers(ClientPtr client)
+ unsigned int *attachments;
+
+ REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
++ if (stuff->count > (INT_MAX / 4))
++ return BadLength;
++
+ if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
+ &pDrawable, &status))
+ return status;
+--
+2.1.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8095 b/x11-servers/xorg-server/files/patch-CVE-2014-8095
new file mode 100644
index 000000000000..8c8a3f0bd6d5
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8095
@@ -0,0 +1,561 @@
+From 73c63afb93c0af1bfd1969bf6e71c9edca586c77 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 26 Jan 2014 10:54:41 -0800
+Subject: [PATCH 07/40] Xi: unvalidated lengths in Xinput extension
+ [CVE-2014-8095]
+
+Multiple functions in the Xinput extension handling of requests from
+clients failed to check that the length of the request sent by the
+client was large enough to perform all the required operations and
+thus could read or write to memory outside the bounds of the request
+buffer.
+
+This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE
+macro in include/dix.h for the common case of needing to ensure a
+request is large enough to include both the request itself and a
+minimum amount of extra data following the request header.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Xi/chgdctl.c | 8 ++++++--
+ Xi/chgfctl.c | 2 ++
+ Xi/sendexev.c | 3 +++
+ Xi/xiallowev.c | 2 ++
+ Xi/xichangecursor.c | 2 +-
+ Xi/xichangehierarchy.c | 35 ++++++++++++++++++++++++++++++++---
+ Xi/xigetclientpointer.c | 1 +
+ Xi/xigrabdev.c | 9 ++++++++-
+ Xi/xipassivegrab.c | 12 ++++++++++--
+ Xi/xiproperty.c | 14 ++++++--------
+ Xi/xiquerydevice.c | 1 +
+ Xi/xiquerypointer.c | 2 ++
+ Xi/xiselectev.c | 8 ++++++++
+ Xi/xisetclientpointer.c | 3 ++-
+ Xi/xisetdevfocus.c | 4 ++++
+ Xi/xiwarppointer.c | 2 ++
+ include/dix.h | 4 ++++
+ 17 files changed, 94 insertions(+), 18 deletions(-)
+
+diff --git a/Xi/chgdctl.c b/Xi/chgdctl.c
+index d078aa2..b3ee867 100644
+--- Xi/chgdctl.c
++++ Xi/chgdctl.c
+@@ -78,7 +78,7 @@ SProcXChangeDeviceControl(ClientPtr client)
+
+ REQUEST(xChangeDeviceControlReq);
+ swaps(&stuff->length);
+- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
++ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
+ swaps(&stuff->control);
+ ctl = (xDeviceCtl *) &stuff[1];
+ swaps(&ctl->control);
+@@ -115,7 +115,7 @@ ProcXChangeDeviceControl(ClientPtr client)
+ xDeviceEnableCtl *e;
+
+ REQUEST(xChangeDeviceControlReq);
+- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
++ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
+
+ len = stuff->length - bytes_to_int32(sizeof(xChangeDeviceControlReq));
+ ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
+@@ -192,6 +192,10 @@ ProcXChangeDeviceControl(ClientPtr client)
+ break;
+ case DEVICE_ENABLE:
+ e = (xDeviceEnableCtl *) &stuff[1];
++ if ((len != bytes_to_int32(sizeof(xDeviceEnableCtl)))) {
++ ret = BadLength;
++ goto out;
++ }
+
+ if (IsXTestDevice(dev, NULL))
+ status = !Success;
+diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
+index 6dcf60c..224c2ba 100644
+--- Xi/chgfctl.c
++++ Xi/chgfctl.c
+@@ -467,6 +467,8 @@ ProcXChangeFeedbackControl(ClientPtr client)
+ xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
+
+ if (client->swapped) {
++ if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
++ return BadLength;
+ swaps(&f->num_keysyms);
+ }
+ if (len !=
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 3c21386..183f88d 100644
+--- Xi/sendexev.c
++++ Xi/sendexev.c
+@@ -135,6 +135,9 @@ ProcXSendExtensionEvent(ClientPtr client)
+ if (ret != Success)
+ return ret;
+
++ if (stuff->num_events == 0)
++ return ret;
++
+ /* The client's event type must be one defined by an extension. */
+
+ first = ((xEvent *) &stuff[1]);
+diff --git a/Xi/xiallowev.c b/Xi/xiallowev.c
+index ebef233..ca263ef 100644
+--- Xi/xiallowev.c
++++ Xi/xiallowev.c
+@@ -48,6 +48,7 @@ int
+ SProcXIAllowEvents(ClientPtr client)
+ {
+ REQUEST(xXIAllowEventsReq);
++ REQUEST_AT_LEAST_SIZE(xXIAllowEventsReq);
+
+ swaps(&stuff->length);
+ swaps(&stuff->deviceid);
+@@ -55,6 +56,7 @@ SProcXIAllowEvents(ClientPtr client)
+ if (stuff->length > 3) {
+ xXI2_2AllowEventsReq *req_xi22 = (xXI2_2AllowEventsReq *) stuff;
+
++ REQUEST_AT_LEAST_SIZE(xXI2_2AllowEventsReq);
+ swapl(&req_xi22->touchid);
+ swapl(&req_xi22->grab_window);
+ }
+diff --git a/Xi/xichangecursor.c b/Xi/xichangecursor.c
+index 7a1bb7a..8e6255b 100644
+--- Xi/xichangecursor.c
++++ Xi/xichangecursor.c
+@@ -57,11 +57,11 @@ int
+ SProcXIChangeCursor(ClientPtr client)
+ {
+ REQUEST(xXIChangeCursorReq);
++ REQUEST_SIZE_MATCH(xXIChangeCursorReq);
+ swaps(&stuff->length);
+ swapl(&stuff->win);
+ swapl(&stuff->cursor);
+ swaps(&stuff->deviceid);
+- REQUEST_SIZE_MATCH(xXIChangeCursorReq);
+ return (ProcXIChangeCursor(client));
+ }
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index 9e36354..2732445 100644
+--- Xi/xichangehierarchy.c
++++ Xi/xichangehierarchy.c
+@@ -411,7 +411,7 @@ int
+ ProcXIChangeHierarchy(ClientPtr client)
+ {
+ xXIAnyHierarchyChangeInfo *any;
+- int required_len = sizeof(xXIChangeHierarchyReq);
++ size_t len; /* length of data remaining in request */
+ int rc = Success;
+ int flags[MAXDEVICES] = { 0 };
+
+@@ -421,21 +421,46 @@ ProcXIChangeHierarchy(ClientPtr client)
+ if (!stuff->num_changes)
+ return rc;
+
++ if (stuff->length > (INT_MAX >> 2))
++ return BadAlloc;
++ len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
++
+ any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
+ while (stuff->num_changes--) {
++ if (len < sizeof(xXIAnyHierarchyChangeInfo)) {
++ rc = BadLength;
++ goto unwind;
++ }
++
+ SWAPIF(swaps(&any->type));
+ SWAPIF(swaps(&any->length));
+
+- required_len += any->length;
+- if ((stuff->length * 4) < required_len)
++ if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2)))
+ return BadLength;
+
++#define CHANGE_SIZE_MATCH(type) \
++ do { \
++ if ((len < sizeof(type)) || (any->length != (sizeof(type) >> 2))) { \
++ rc = BadLength; \
++ goto unwind; \
++ } \
++ } while(0)
++
+ switch (any->type) {
+ case XIAddMaster:
+ {
+ xXIAddMasterInfo *c = (xXIAddMasterInfo *) any;
+
++ /* Variable length, due to appended name string */
++ if (len < sizeof(xXIAddMasterInfo)) {
++ rc = BadLength;
++ goto unwind;
++ }
+ SWAPIF(swaps(&c->name_len));
++ if (c->name_len > (len - sizeof(xXIAddMasterInfo))) {
++ rc = BadLength;
++ goto unwind;
++ }
+
+ rc = add_master(client, c, flags);
+ if (rc != Success)
+@@ -446,6 +471,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+ {
+ xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
+
++ CHANGE_SIZE_MATCH(xXIRemoveMasterInfo);
+ rc = remove_master(client, r, flags);
+ if (rc != Success)
+ goto unwind;
+@@ -455,6 +481,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+ {
+ xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
+
++ CHANGE_SIZE_MATCH(xXIDetachSlaveInfo);
+ rc = detach_slave(client, c, flags);
+ if (rc != Success)
+ goto unwind;
+@@ -464,6 +491,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+ {
+ xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
+
++ CHANGE_SIZE_MATCH(xXIAttachSlaveInfo);
+ rc = attach_slave(client, c, flags);
+ if (rc != Success)
+ goto unwind;
+@@ -471,6 +499,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+ break;
+ }
+
++ len -= any->length * 4;
+ any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
+ }
+
+diff --git a/Xi/xigetclientpointer.c b/Xi/xigetclientpointer.c
+index 3c90d58..306dd39 100644
+--- Xi/xigetclientpointer.c
++++ Xi/xigetclientpointer.c
+@@ -50,6 +50,7 @@ int
+ SProcXIGetClientPointer(ClientPtr client)
+ {
+ REQUEST(xXIGetClientPointerReq);
++ REQUEST_SIZE_MATCH(xXIGetClientPointerReq);
+
+ swaps(&stuff->length);
+ swapl(&stuff->win);
+diff --git a/Xi/xigrabdev.c b/Xi/xigrabdev.c
+index 63d95bc..e2a2ae3 100644
+--- Xi/xigrabdev.c
++++ Xi/xigrabdev.c
+@@ -47,6 +47,11 @@ int
+ SProcXIGrabDevice(ClientPtr client)
+ {
+ REQUEST(xXIGrabDeviceReq);
++ /*
++ * Check here for at least the length of the struct we swap, then
++ * let ProcXIGrabDevice check the full size after we swap mask_len.
++ */
++ REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
+
+ swaps(&stuff->length);
+ swaps(&stuff->deviceid);
+@@ -71,7 +76,7 @@ ProcXIGrabDevice(ClientPtr client)
+ unsigned int pointer_mode;
+
+ REQUEST(xXIGrabDeviceReq);
+- REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
++ REQUEST_FIXED_SIZE(xXIGrabDeviceReq, ((size_t) stuff->mask_len) * 4);
+
+ ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess);
+ if (ret != Success)
+@@ -131,6 +136,7 @@ int
+ SProcXIUngrabDevice(ClientPtr client)
+ {
+ REQUEST(xXIUngrabDeviceReq);
++ REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
+
+ swaps(&stuff->length);
+ swaps(&stuff->deviceid);
+@@ -148,6 +154,7 @@ ProcXIUngrabDevice(ClientPtr client)
+ TimeStamp time;
+
+ REQUEST(xXIUngrabDeviceReq);
++ REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
+
+ ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGetAttrAccess);
+ if (ret != Success)
+--- Xi/xipassivegrab.c.orig 2012-05-17 19:09:01.000000000 +0200
++++ Xi/xipassivegrab.c 2014-12-10 10:32:35.379412598 +0100
+@@ -50,9 +50,10 @@
+ SProcXIPassiveGrabDevice(ClientPtr client)
+ {
+ int i;
+- xXIModifierInfo *mods;
++ uint32_t *mods;
+
+ REQUEST(xXIPassiveGrabDeviceReq);
++ REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
+
+ swaps(&stuff->length);
+ swaps(&stuff->deviceid);
+@@ -63,12 +64,12 @@
+ swaps(&stuff->mask_len);
+ swaps(&stuff->num_modifiers);
+
+- mods = (xXIModifierInfo *) &stuff[1];
++ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
++ ((uint32_t) stuff->mask_len + stuff->num_modifiers) *4);
++ mods = (uint32_t *) &stuff[1] + stuff->mask_len;
+
+ for (i = 0; i < stuff->num_modifiers; i++, mods++) {
+- swapl(&mods->base_mods);
+- swapl(&mods->latched_mods);
+- swapl(&mods->locked_mods);
++ swapl(mods);
+ }
+
+ return ProcXIPassiveGrabDevice(client);
+@@ -88,7 +89,8 @@
+ int mask_len;
+
+ REQUEST(xXIPassiveGrabDeviceReq);
+- REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
++ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
++ ((uint32_t) stuff->mask_len + stuff->num_modifiers) * 4);
+
+ if (stuff->deviceid == XIAllDevices)
+ dev = inputInfo.all_devices;
+@@ -250,6 +252,7 @@
+ uint32_t *modifiers;
+
+ REQUEST(xXIPassiveUngrabDeviceReq);
++ REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
+
+ swaps(&stuff->length);
+ swapl(&stuff->grab_window);
+@@ -257,6 +260,8 @@
+ swapl(&stuff->detail);
+ swaps(&stuff->num_modifiers);
+
++ REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
++ ((uint32_t) stuff->num_modifiers) << 2);
+ modifiers = (uint32_t *) &stuff[1];
+
+ for (i = 0; i < stuff->num_modifiers; i++, modifiers++)
+@@ -275,7 +280,8 @@
+ int i, rc;
+
+ REQUEST(xXIPassiveUngrabDeviceReq);
+- REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
++ REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
++ ((uint32_t) stuff->num_modifiers) << 2);
+
+ if (stuff->deviceid == XIAllDevices)
+ dev = inputInfo.all_devices;
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 463607d..8e8e4b0 100644
+--- Xi/xiproperty.c
++++ Xi/xiproperty.c
+@@ -1013,10 +1013,9 @@ int
+ SProcXListDeviceProperties(ClientPtr client)
+ {
+ REQUEST(xListDevicePropertiesReq);
++ REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
+
+ swaps(&stuff->length);
+-
+- REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
+ return (ProcXListDeviceProperties(client));
+ }
+
+@@ -1037,10 +1036,10 @@ int
+ SProcXDeleteDeviceProperty(ClientPtr client)
+ {
+ REQUEST(xDeleteDevicePropertyReq);
++ REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
+
+ swaps(&stuff->length);
+ swapl(&stuff->property);
+- REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
+ return (ProcXDeleteDeviceProperty(client));
+ }
+
+@@ -1048,13 +1047,13 @@ int
+ SProcXGetDeviceProperty(ClientPtr client)
+ {
+ REQUEST(xGetDevicePropertyReq);
++ REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
+
+ swaps(&stuff->length);
+ swapl(&stuff->property);
+ swapl(&stuff->type);
+ swapl(&stuff->longOffset);
+ swapl(&stuff->longLength);
+- REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
+ return (ProcXGetDeviceProperty(client));
+ }
+
+@@ -1253,11 +1252,10 @@ int
+ SProcXIListProperties(ClientPtr client)
+ {
+ REQUEST(xXIListPropertiesReq);
++ REQUEST_SIZE_MATCH(xXIListPropertiesReq);
+
+ swaps(&stuff->length);
+ swaps(&stuff->deviceid);
+-
+- REQUEST_SIZE_MATCH(xXIListPropertiesReq);
+ return (ProcXIListProperties(client));
+ }
+
+@@ -1279,11 +1277,11 @@ int
+ SProcXIDeleteProperty(ClientPtr client)
+ {
+ REQUEST(xXIDeletePropertyReq);
++ REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
+
+ swaps(&stuff->length);
+ swaps(&stuff->deviceid);
+ swapl(&stuff->property);
+- REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
+ return (ProcXIDeleteProperty(client));
+ }
+
+@@ -1291,6 +1289,7 @@ int
+ SProcXIGetProperty(ClientPtr client)
+ {
+ REQUEST(xXIGetPropertyReq);
++ REQUEST_SIZE_MATCH(xXIGetPropertyReq);
+
+ swaps(&stuff->length);
+ swaps(&stuff->deviceid);
+@@ -1298,7 +1297,6 @@ SProcXIGetProperty(ClientPtr client)
+ swapl(&stuff->type);
+ swapl(&stuff->offset);
+ swapl(&stuff->len);
+- REQUEST_SIZE_MATCH(xXIGetPropertyReq);
+ return (ProcXIGetProperty(client));
+ }
+
+diff --git a/Xi/xiquerydevice.c b/Xi/xiquerydevice.c
+index 4e544f0..67a9a4f 100644
+--- Xi/xiquerydevice.c
++++ Xi/xiquerydevice.c
+@@ -54,6 +54,7 @@ int
+ SProcXIQueryDevice(ClientPtr client)
+ {
+ REQUEST(xXIQueryDeviceReq);
++ REQUEST_SIZE_MATCH(xXIQueryDeviceReq);
+
+ swaps(&stuff->length);
+ swaps(&stuff->deviceid);
+diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
+index e9bdd42..7ec0c85 100644
+--- Xi/xiquerypointer.c
++++ Xi/xiquerypointer.c
+@@ -63,6 +63,8 @@ int
+ SProcXIQueryPointer(ClientPtr client)
+ {
+ REQUEST(xXIQueryPointerReq);
++ REQUEST_SIZE_MATCH(xXIQueryPointerReq);
++
+ swaps(&stuff->length);
+ swaps(&stuff->deviceid);
+ swapl(&stuff->win);
+diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
+index 45a996e..168579f 100644
+--- Xi/xiselectev.c
++++ Xi/xiselectev.c
+@@ -114,6 +114,7 @@ int
+ SProcXISelectEvents(ClientPtr client)
+ {
+ int i;
++ int len;
+ xXIEventMask *evmask;
+
+ REQUEST(xXISelectEventsReq);
+@@ -122,10 +123,17 @@ SProcXISelectEvents(ClientPtr client)
+ swapl(&stuff->win);
+ swaps(&stuff->num_masks);
+
++ len = stuff->length - bytes_to_int32(sizeof(xXISelectEventsReq));
+ evmask = (xXIEventMask *) &stuff[1];
+ for (i = 0; i < stuff->num_masks; i++) {
++ if (len < bytes_to_int32(sizeof(xXIEventMask)))
++ return BadLength;
++ len -= bytes_to_int32(sizeof(xXIEventMask));
+ swaps(&evmask->deviceid);
+ swaps(&evmask->mask_len);
++ if (len < evmask->mask_len)
++ return BadLength;
++ len -= evmask->mask_len;
+ evmask =
+ (xXIEventMask *) (((char *) &evmask[1]) + evmask->mask_len * 4);
+ }
+diff --git a/Xi/xisetclientpointer.c b/Xi/xisetclientpointer.c
+index 38ff51e..24d4a53 100644
+--- Xi/xisetclientpointer.c
++++ Xi/xisetclientpointer.c
+@@ -51,10 +51,11 @@ int
+ SProcXISetClientPointer(ClientPtr client)
+ {
+ REQUEST(xXISetClientPointerReq);
++ REQUEST_SIZE_MATCH(xXISetClientPointerReq);
++
+ swaps(&stuff->length);
+ swapl(&stuff->win);
+ swaps(&stuff->deviceid);
+- REQUEST_SIZE_MATCH(xXISetClientPointerReq);
+ return (ProcXISetClientPointer(client));
+ }
+
+diff --git a/Xi/xisetdevfocus.c b/Xi/xisetdevfocus.c
+index 372ec24..96a9a16 100644
+--- Xi/xisetdevfocus.c
++++ Xi/xisetdevfocus.c
+@@ -44,6 +44,8 @@ int
+ SProcXISetFocus(ClientPtr client)
+ {
+ REQUEST(xXISetFocusReq);
++ REQUEST_AT_LEAST_SIZE(xXISetFocusReq);
++
+ swaps(&stuff->length);
+ swaps(&stuff->deviceid);
+ swapl(&stuff->focus);
+@@ -56,6 +58,8 @@ int
+ SProcXIGetFocus(ClientPtr client)
+ {
+ REQUEST(xXIGetFocusReq);
++ REQUEST_AT_LEAST_SIZE(xXIGetFocusReq);
++
+ swaps(&stuff->length);
+ swaps(&stuff->deviceid);
+
+diff --git a/Xi/xiwarppointer.c b/Xi/xiwarppointer.c
+index 3f051f7..780758a 100644
+--- Xi/xiwarppointer.c
++++ Xi/xiwarppointer.c
+@@ -56,6 +56,8 @@ int
+ SProcXIWarpPointer(ClientPtr client)
+ {
+ REQUEST(xXIWarpPointerReq);
++ REQUEST_SIZE_MATCH(xXIWarpPointerReq);
++
+ swaps(&stuff->length);
+ swapl(&stuff->src_win);
+ swapl(&stuff->dst_win);
+diff --git a/include/dix.h b/include/dix.h
+index e0c6ed8..21176a8 100644
+--- include/dix.h
++++ include/dix.h
+@@ -74,6 +74,10 @@ SOFTWARE.
+ if ((sizeof(req) >> 2) > client->req_len )\
+ return(BadLength)
+
++#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra) \
++ if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \
++ return(BadLength)
++
+ #define REQUEST_FIXED_SIZE(req, n)\
+ if (((sizeof(req) >> 2) > client->req_len) || \
+ ((n >> 2) >= client->req_len) || \
+--
+cgit v0.10.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8096 b/x11-servers/xorg-server/files/patch-CVE-2014-8096
new file mode 100644
index 000000000000..789801aa3d9d
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8096
@@ -0,0 +1,27 @@
+From 7553082b9b883b5f130044f3d53bce2f0b660e52 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 26 Jan 2014 17:18:54 -0800
+Subject: [PATCH 08/40] xcmisc: unvalidated length in SProcXCMiscGetXIDList()
+ [CVE-2014-8096]
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Xext/xcmisc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Xext/xcmisc.c b/Xext/xcmisc.c
+index 034bfb6..1e91010 100644
+--- Xext/xcmisc.c
++++ Xext/xcmisc.c
+@@ -167,6 +167,7 @@ static int
+ SProcXCMiscGetXIDList(ClientPtr client)
+ {
+ REQUEST(xXCMiscGetXIDListReq);
++ REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
+
+ swaps(&stuff->length);
+ swapl(&stuff->count);
+--
+2.1.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8097 b/x11-servers/xorg-server/files/patch-CVE-2014-8097
new file mode 100644
index 000000000000..19964c2274e4
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8097
@@ -0,0 +1,73 @@
+From 2ef42519c41e793579c9cea699c866fee3d9321f Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Wed, 22 Jan 2014 23:12:04 -0800
+Subject: [PATCH 06/40] dbe: unvalidated lengths in DbeSwapBuffers calls
+ [CVE-2014-8097]
+
+ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read
+from a buffer. The length is never validated, which can lead to out of
+bound reads, and possibly returning the data read from out of bounds to
+the misbehaving client via an X Error packet.
+
+SProcDbeSwapBuffers() swaps data (for correct endianness) before
+handing it off to the real proc. While doing the swapping, the
+length field is not validated, which can cause memory corruption.
+
+v2: reorder checks to avoid compilers optimizing out checks for overflow
+that happen after we'd already have done the overflowing multiplications.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ dbe/dbe.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/dbe/dbe.c b/dbe/dbe.c
+index 527588c..df2ad5c 100644
+--- dbe/dbe.c
++++ dbe/dbe.c
+@@ -450,18 +450,20 @@ ProcDbeSwapBuffers(ClientPtr client)
+ DbeSwapInfoPtr swapInfo;
+ xDbeSwapInfo *dbeSwapInfo;
+ int error;
+- register int i, j;
+- int nStuff;
++ unsigned int i, j;
++ unsigned int nStuff;
+
+ REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
+ nStuff = stuff->n; /* use local variable for performance. */
+
+ if (nStuff == 0) {
++ REQUEST_SIZE_MATCH(xDbeSwapBuffersReq);
+ return Success;
+ }
+
+ if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
+ return BadAlloc;
++ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));
+
+ /* Get to the swap info appended to the end of the request. */
+ dbeSwapInfo = (xDbeSwapInfo *) &stuff[1];
+@@ -914,13 +916,16 @@ static int
+ SProcDbeSwapBuffers(ClientPtr client)
+ {
+ REQUEST(xDbeSwapBuffersReq);
+- register int i;
++ unsigned int i;
+ xDbeSwapInfo *pSwapInfo;
+
+ swaps(&stuff->length);
+ REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
+
+ swapl(&stuff->n);
++ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
++ return BadAlloc;
++ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
+
+ if (stuff->n != 0) {
+ pSwapInfo = (xDbeSwapInfo *) stuff + 1;
+--
+2.1.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8097-pt2 b/x11-servers/xorg-server/files/patch-CVE-2014-8097-pt2
new file mode 100644
index 000000000000..70b898717ba1
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8097-pt2
@@ -0,0 +1,50 @@
+From b20912c3d45cbbde3c443e6c3d9e189092fe65e1 Mon Sep 17 00:00:00 2001
+From: Keith Packard <keithp@keithp.com>
+Date: Tue, 9 Dec 2014 09:30:57 -0800
+Subject: [PATCH 36/40] dbe: Call to DDX SwapBuffers requires address of int,
+ not unsigned int [CVE-2014-8097 pt. 2]
+
+When the local types used to walk the DBE request were changed, this
+changed the type of the parameter passed to the DDX SwapBuffers API,
+but there wasn't a matching change in the API definition.
+
+At this point, with the API frozen, I just stuck a new variable in
+with the correct type. Because we've already bounds-checked nStuff to
+be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will
+fit in a signed int without overflow.
+
+Signed-off-by: Keith Packard <keithp@keithp.com
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ dbe/dbe.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/dbe/dbe.c b/dbe/dbe.c
+index df2ad5c..e5d928d 100644
+--- dbe/dbe.c
++++ dbe/dbe.c
+@@ -452,6 +452,7 @@ ProcDbeSwapBuffers(ClientPtr client)
+ int error;
+ unsigned int i, j;
+ unsigned int nStuff;
++ int nStuff_i; /* DDX API requires int for nStuff */
+
+ REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
+ nStuff = stuff->n; /* use local variable for performance. */
+@@ -527,9 +528,10 @@ ProcDbeSwapBuffers(ClientPtr client)
+ * could deal with cross-screen synchronization.
+ */
+
+- while (nStuff > 0) {
++ nStuff_i = nStuff;
++ while (nStuff_i > 0) {
+ pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow);
+- error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff, swapInfo);
++ error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff_i, swapInfo);
+ if (error != Success) {
+ free(swapInfo);
+ return error;
+--
+2.1.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8098-1-8 b/x11-servers/xorg-server/files/patch-CVE-2014-8098-1-8
new file mode 100644
index 000000000000..658fa963992b
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8098-1-8
@@ -0,0 +1,59 @@
+From 13d36923e0ddb077f4854e354c3d5c80590b5d9d Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Mon, 10 Nov 2014 12:13:39 -0500
+Subject: [PATCH 22/40] glx: Fix image size computation for EXT_texture_integer
+ [CVE-2014-8098 1/8]
+
+Without this we'd reject the request with BadLength. Note that some old
+versions of Mesa had a bug in the same place, and would _send_ zero
+bytes of image data; these will now be rejected, correctly.
+
+Reviewed-by: Keith Packard <keithp@keithp.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Reviewed-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Andy Ritger <aritger@nvidia.com>
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ glx/rensize.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/glx/rensize.c b/glx/rensize.c
+index ba22d10..9ff73c7 100644
+--- glx/rensize.c
++++ glx/rensize.c
+@@ -224,6 +224,11 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
+ case GL_ALPHA:
+ case GL_LUMINANCE:
+ case GL_INTENSITY:
++ case GL_RED_INTEGER_EXT:
++ case GL_GREEN_INTEGER_EXT:
++ case GL_BLUE_INTEGER_EXT:
++ case GL_ALPHA_INTEGER_EXT:
++ case GL_LUMINANCE_INTEGER_EXT:
+ elementsPerGroup = 1;
+ break;
+ case GL_422_EXT:
+@@ -234,14 +239,19 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
+ case GL_DEPTH_STENCIL_MESA:
+ case GL_YCBCR_MESA:
+ case GL_LUMINANCE_ALPHA:
++ case GL_LUMINANCE_ALPHA_INTEGER_EXT:
+ elementsPerGroup = 2;
+ break;
+ case GL_RGB:
+ case GL_BGR:
++ case GL_RGB_INTEGER_EXT:
++ case GL_BGR_INTEGER_EXT:
+ elementsPerGroup = 3;
+ break;
+ case GL_RGBA:
+ case GL_BGRA:
++ case GL_RGBA_INTEGER_EXT:
++ case GL_BGRA_INTEGER_EXT:
+ case GL_ABGR_EXT:
+ elementsPerGroup = 4;
+ break;
+--
+2.1.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8098-2-8 b/x11-servers/xorg-server/files/patch-CVE-2014-8098-2-8
new file mode 100644
index 000000000000..bbbc5b60ebd1
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8098-2-8
@@ -0,0 +1,75 @@
+From be09e0c988ffdb0371293af49fb4ea8f49ed324a Mon Sep 17 00:00:00 2001
+From: Julien Cristau <jcristau@debian.org>
+Date: Mon, 10 Nov 2014 12:13:41 -0500
+Subject: [PATCH 24/40] glx: Length checking for GLXRender requests (v2)
+ [CVE-2014-8098 2/8]
+
+v2:
+Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
+
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+Reviewed-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Andy Ritger <aritger@nvidia.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ glx/glxcmds.c | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+diff --git a/glx/glxcmds.c b/glx/glxcmds.c
+index ea42e2a..ddd9119 100644
+--- glx/glxcmds.c
++++ glx/glxcmds.c
+@@ -2025,7 +2025,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
+ left = (req->length << 2) - sz_xGLXRenderReq;
+ while (left > 0) {
+ __GLXrenderSizeData entry;
+- int extra;
++ int extra = 0;
+ __GLXdispatchRenderProcPtr proc;
+ int err;
+
+@@ -2044,6 +2044,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
+ cmdlen = hdr->length;
+ opcode = hdr->opcode;
+
++ if (left < cmdlen)
++ return BadLength;
++
+ /*
+ ** Check for core opcodes and grab entry data.
+ */
+@@ -2057,6 +2060,10 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
+ return __glXError(GLXBadRenderRequest);
+ }
+
++ if (cmdlen < entry.bytes) {
++ return BadLength;
++ }
++
+ if (entry.varsize) {
+ /* variable size command */
+ extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
+@@ -2064,17 +2071,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
+ if (extra < 0) {
+ return BadLength;
+ }
+- if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
+- return BadLength;
+- }
+ }
+- else {
+- /* constant size command */
+- if (cmdlen != __GLX_PAD(entry.bytes)) {
+- return BadLength;
+- }
+- }
+- if (left < cmdlen) {
++
++ if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
+ return BadLength;
+ }
+
+--
+2.1.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8098-3-8 b/x11-servers/xorg-server/files/patch-CVE-2014-8098-3-8
new file mode 100644
index 000000000000..0f54277f803c
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8098-3-8
@@ -0,0 +1,153 @@
+From a33a939e6abb255b14d8dbc85fcbd2c55b958bae Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Mon, 10 Nov 2014 12:13:43 -0500
+Subject: [PATCH 26/40] glx: Length checking for RenderLarge requests (v2)
+ [CVE-2014-8098 3/8]
+
+This is a half-measure until we start passing request length into the
+varsize function, but it's better than the nothing we had before.
+
+v2: Verify that there's at least a large render header's worth of
+dataBytes (Julien Cristau)
+
+Reviewed-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Andy Ritger <aritger@nvidia.com>
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ glx/glxcmds.c | 57 ++++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 34 insertions(+), 23 deletions(-)
+
+--- glx/glxcmds.c.orig 2014-12-10 14:30:17.826442820 +0100
++++ glx/glxcmds.c 2014-12-10 14:32:34.472432537 +0100
+@@ -2032,6 +2032,8 @@
+
+ __GLX_DECLARE_SWAP_VARIABLES;
+
++ REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq);
++
+ req = (xGLXRenderLargeReq *) pc;
+ if (client->swapped) {
+ __GLX_SWAP_SHORT(&req->length);
+@@ -2047,12 +2049,14 @@
+ __glXResetLargeCommandStatus(cl);
+ return error;
+ }
++ if (safe_pad(req->dataBytes) < 0)
++ return BadLength;
+ dataBytes = req->dataBytes;
+
+ /*
+ ** Check the request length.
+ */
+- if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) {
++ if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) {
+ client->errorValue = req->length;
+ /* Reset in case this isn't 1st request. */
+ __glXResetLargeCommandStatus(cl);
+@@ -2062,7 +2066,7 @@
+
+ if (cl->largeCmdRequestsSoFar == 0) {
+ __GLXrenderSizeData entry;
+- int extra;
++ int extra = 0;
+ size_t cmdlen;
+ int err;
+
+@@ -2075,13 +2079,17 @@
+ return __glXError(GLXBadLargeRequest);
+ }
+
++ if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE)
++ return BadLength;
++
+ hdr = (__GLXrenderLargeHeader *) pc;
+ if (client->swapped) {
+ __GLX_SWAP_INT(&hdr->length);
+ __GLX_SWAP_INT(&hdr->opcode);
+ }
+- cmdlen = hdr->length;
+ opcode = hdr->opcode;
++ if ((cmdlen = safe_pad(hdr->length)) < 0)
++ return BadLength;
+
+ /*
+ ** Check for core opcodes and grab entry data.
+@@ -2103,17 +2111,13 @@
+ if (extra < 0) {
+ return BadLength;
+ }
+- /* large command's header is 4 bytes longer, so add 4 */
+- if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
+- return BadLength;
+- }
+ }
+- else {
+- /* constant size command */
+- if (cmdlen != __GLX_PAD(entry.bytes + 4)) {
+- return BadLength;
+- }
++
++ /* the +4 is safe because we know entry.bytes is small */
++ if (cmdlen != safe_pad(safe_add(entry.bytes + 4, extra))) {
++ return BadLength;
+ }
++
+ /*
+ ** Make enough space in the buffer, then copy the entire request.
+ */
+@@ -2143,6 +2147,7 @@
+ ** We are receiving subsequent (i.e. not the first) requests of a
+ ** multi request command.
+ */
++ int bytesSoFar; /* including this packet */
+
+ /*
+ ** Check the request number and the total request count.
+@@ -2161,11 +2166,18 @@
+ /*
+ ** Check that we didn't get too much data.
+ */
+- if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) {
++ if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) {
++ client->errorValue = dataBytes;
++ __glXResetLargeCommandStatus(cl);
++ return __glXError(GLXBadLargeRequest);
++ }
++
++ if (bytesSoFar > cl->largeCmdBytesTotal) {
+ client->errorValue = dataBytes;
+ __glXResetLargeCommandStatus(cl);
+ return __glXError(GLXBadLargeRequest);
+ }
++
+ memcpy(cl->largeCmdBuf + cl->largeCmdBytesSoFar, pc, dataBytes);
+ cl->largeCmdBytesSoFar += dataBytes;
+ cl->largeCmdRequestsSoFar++;
+@@ -2177,17 +2189,16 @@
+ ** This is the last request; it must have enough bytes to complete
+ ** the command.
+ */
+- /* NOTE: the two pad macros have been added below; they are needed
+- ** because the client library pads the total byte count, but not
+- ** the per-request byte counts. The Protocol Encoding says the
+- ** total byte count should not be padded, so a proposal will be
+- ** made to the ARB to relax the padding constraint on the total
+- ** byte count, thus preserving backward compatibility. Meanwhile,
+- ** the padding done below fixes a bug that did not allow
+- ** large commands of odd sizes to be accepted by the server.
++ /* NOTE: the pad macro below is needed because the client library
++ ** pads the total byte count, but not the per-request byte counts.
++ ** The Protocol Encoding says the total byte count should not be
++ ** padded, so a proposal will be made to the ARB to relax the
++ ** padding constraint on the total byte count, thus preserving
++ ** backward compatibility. Meanwhile, the padding done below
++ ** fixes a bug that did not allow large commands of odd sizes to
++ ** be accepted by the server.
+ */
+- if (__GLX_PAD(cl->largeCmdBytesSoFar) !=
+- __GLX_PAD(cl->largeCmdBytesTotal)) {
++ if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) {
+ client->errorValue = dataBytes;
+ __glXResetLargeCommandStatus(cl);
+ return __glXError(GLXBadLargeRequest);
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8098-4-8 b/x11-servers/xorg-server/files/patch-CVE-2014-8098-4-8
new file mode 100644
index 000000000000..3a89be2990f2
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8098-4-8
@@ -0,0 +1,51 @@
+From c91e4abc3b892f42802efa20fef7ada442c2d3f5 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Mon, 10 Nov 2014 12:13:44 -0500
+Subject: [PATCH 27/40] glx: Top-level length checking for swapped
+ VendorPrivate requests [CVE-2014-8098 4/8]
+
+Reviewed-by: Keith Packard <keithp@keithp.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Reviewed-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Andy Ritger <aritger@nvidia.com>
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ glx/glxcmdsswap.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
+index 5d179f3..9ec1222 100644
+--- glx/glxcmdsswap.c
++++ glx/glxcmdsswap.c
+@@ -958,11 +958,13 @@ __glXDispSwap_RenderLarge(__GLXclientState * cl, GLbyte * pc)
+ int
+ __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
+ {
++ ClientPtr client = cl->client;
+ xGLXVendorPrivateReq *req;
+ GLint vendorcode;
+ __GLXdispatchVendorPrivProcPtr proc;
+
+ __GLX_DECLARE_SWAP_VARIABLES;
++ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
+
+ req = (xGLXVendorPrivateReq *) pc;
+ __GLX_SWAP_SHORT(&req->length);
+@@ -985,11 +987,13 @@ __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
+ int
+ __glXDispSwap_VendorPrivateWithReply(__GLXclientState * cl, GLbyte * pc)
+ {
++ ClientPtr client = cl->client;
+ xGLXVendorPrivateWithReplyReq *req;
+ GLint vendorcode;
+ __GLXdispatchVendorPrivProcPtr proc;
+
+ __GLX_DECLARE_SWAP_VARIABLES;
++ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq);
+
+ req = (xGLXVendorPrivateWithReplyReq *) pc;
+ __GLX_SWAP_SHORT(&req->length);
+--
+2.1.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8098-6-8 b/x11-servers/xorg-server/files/patch-CVE-2014-8098-6-8
new file mode 100644
index 000000000000..1a043b808113
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8098-6-8
@@ -0,0 +1,45 @@
+From 44ba149f28ece93c2fbfc9cc980588de5322dd4b Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Mon, 10 Nov 2014 12:13:46 -0500
+Subject: [PATCH 29/40] glx: Length-checking for non-generated vendor private
+ requests [CVE-2014-8098 6/8]
+
+Reviewed-by: Keith Packard <keithp@keithp.com>
+Reviewed-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Andy Ritger <aritger@nvidia.com>
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ glx/indirect_program.c | 2 ++
+ glx/swap_interval.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/glx/indirect_program.c b/glx/indirect_program.c
+index cda139e..5caee7b 100644
+--- glx/indirect_program.c
++++ glx/indirect_program.c
+@@ -56,6 +56,8 @@ DoGetProgramString(struct __GLXclientStateRec *cl, GLbyte * pc,
+ __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
+ ClientPtr client = cl->client;
+
++ REQUEST_FIXED_SIZE(xGLXVendorPrivateWithReplyReq, 8);
++
+ pc += __GLX_VENDPRIV_HDR_SIZE;
+ if (cx != NULL) {
+ GLenum target;
+diff --git a/glx/swap_interval.c b/glx/swap_interval.c
+index 17bc992..2320550 100644
+--- glx/swap_interval.c
++++ glx/swap_interval.c
+@@ -46,6 +46,8 @@ DoSwapInterval(__GLXclientState * cl, GLbyte * pc, int do_swap)
+ __GLXcontext *cx;
+ GLint interval;
+
++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 4);
++
+ cx = __glXLookupContextByTag(cl, tag);
+
+ if ((cx == NULL) || (cx->pGlxScreen == NULL)) {
+--
+2.1.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8098-7-8 b/x11-servers/xorg-server/files/patch-CVE-2014-8098-7-8
new file mode 100644
index 000000000000..518b71d1f885
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8098-7-8
@@ -0,0 +1,553 @@
+From 984583a497c813df5827ae22483133e704fee79c Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Mon, 10 Nov 2014 12:13:47 -0500
+Subject: [PATCH 30/40] glx: Length checking for non-generated single requests
+ (v2) [CVE-2014-8098 7/8]
+
+v2:
+Fix single versus vendor-private length checking for ARB_imaging subset
+extensions. (Julien Cristau)
+
+v3:
+Fix single versus vendor-private length checking for ARB_imaging subset
+extensions. (Julien Cristau)
+
+Reviewed-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Andy Ritger <aritger@nvidia.com>
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ glx/indirect_texture_compression.c | 4 ++++
+ glx/single2.c | 23 +++++++++++++++-----
+ glx/single2swap.c | 19 ++++++++++++----
+ glx/singlepix.c | 44 +++++++++++++++++++++++++-------------
+ glx/singlepixswap.c | 34 ++++++++++++++++++++++++-----
+ 5 files changed, 95 insertions(+), 29 deletions(-)
+
+diff --git a/glx/indirect_texture_compression.c b/glx/indirect_texture_compression.c
+index cda7656..1ebf7f3 100644
+--- glx/indirect_texture_compression.c
++++ glx/indirect_texture_compression.c
+@@ -43,6 +43,8 @@ __glXDisp_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
+ __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
+ ClientPtr client = cl->client;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
++
+ pc += __GLX_SINGLE_HDR_SIZE;
+ if (cx != NULL) {
+ const GLenum target = *(GLenum *) (pc + 0);
+@@ -87,6 +89,8 @@ __glXDispSwap_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
+ __glXForceCurrent(cl, bswap_32(req->contextTag), &error);
+ ClientPtr client = cl->client;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
++
+ pc += __GLX_SINGLE_HDR_SIZE;
+ if (cx != NULL) {
+ const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0));
+--- glx/single2.c.orig 2012-05-17 19:09:02.000000000 +0200
++++ glx/single2.c 2014-12-10 14:44:06.961670320 +0100
+@@ -49,11 +49,14 @@
+ int
+ __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
+ {
++ ClientPtr client = cl->client;
+ GLsizei size;
+ GLenum type;
+ __GLXcontext *cx;
+ int error;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
++
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+@@ -80,10 +83,13 @@
+ int
+ __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
+ {
++ ClientPtr client = cl->client;
+ __GLXcontext *cx;
+ GLsizei size;
+ int error;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
++
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+@@ -108,7 +114,7 @@
+ int
+ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
+ {
+- ClientPtr client;
++ ClientPtr client = cl->client;
+ xGLXRenderModeReply reply;
+ __GLXcontext *cx;
+ GLint nitems = 0, retBytes = 0, retval, newModeCheck;
+@@ -116,6 +122,8 @@
+ GLenum newMode;
+ int error;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
++
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+@@ -192,7 +200,6 @@
+ ** selection array, as per the API for glRenderMode itself.
+ */
+ noChangeAllowed:;
+- client = cl->client;
+ reply.length = nitems;
+ reply.type = X_Reply;
+ reply.sequenceNumber = client->sequence;
+@@ -209,9 +216,12 @@
+ int
+ __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
+ {
++ ClientPtr client = cl->client;
+ __GLXcontext *cx;
+ int error;
+
++ REQUEST_SIZE_MATCH(xGLXSingleReq);
++
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+@@ -225,10 +235,12 @@
+ int
+ __glXDisp_Finish(__GLXclientState * cl, GLbyte * pc)
+ {
++ ClientPtr client = cl->client;
+ __GLXcontext *cx;
+- ClientPtr client;
+ int error;
+
++ REQUEST_SIZE_MATCH(xGLXSingleReq);
++
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+@@ -319,7 +331,7 @@
+ int
+ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
+ {
+- ClientPtr client;
++ ClientPtr client = cl->client;
+ __GLXcontext *cx;
+ GLenum name;
+ const char *string;
+@@ -329,6 +341,8 @@
+ char *buf = NULL, *buf1 = NULL;
+ GLint length = 0;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
++
+ /* If the client has the opposite byte order, swap the contextTag and
+ * the name.
+ */
+@@ -345,7 +359,6 @@
+ pc += __GLX_SINGLE_HDR_SIZE;
+ name = *(GLenum *) (pc + 0);
+ string = (const char *) CALL_GetString(GET_DISPATCH(), (name));
+- client = cl->client;
+
+ if (string == NULL)
+ string = "";
+--- glx/single2swap.c.orig 2012-05-17 19:09:02.000000000 +0200
++++ glx/single2swap.c 2014-12-10 14:46:06.475406737 +0100
+@@ -45,6 +45,7 @@
+ int
+ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
+ {
++ ClientPtr client = cl->client;
+ GLsizei size;
+ GLenum type;
+
+@@ -52,6 +53,8 @@
+ __GLXcontext *cx;
+ int error;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
++
+ __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+@@ -81,12 +84,15 @@
+ int
+ __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
+ {
++ ClientPtr client = cl->client;
+ __GLXcontext *cx;
+ GLsizei size;
+
+ __GLX_DECLARE_SWAP_VARIABLES;
+ int error;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
++
+ __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+@@ -113,7 +119,7 @@
+ int
+ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
+ {
+- ClientPtr client;
++ ClientPtr client = cl->client;
+ __GLXcontext *cx;
+ xGLXRenderModeReply reply;
+ GLint nitems = 0, retBytes = 0, retval, newModeCheck;
+@@ -124,6 +130,8 @@
+ __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
+ int error;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
++
+ __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+@@ -204,7 +212,6 @@
+ ** selection array, as per the API for glRenderMode itself.
+ */
+ noChangeAllowed:;
+- client = cl->client;
+ reply.length = nitems;
+ reply.type = X_Reply;
+ reply.sequenceNumber = client->sequence;
+@@ -226,11 +233,14 @@
+ int
+ __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
+ {
++ ClientPtr client = cl->client;
+ __GLXcontext *cx;
+ int error;
+
+ __GLX_DECLARE_SWAP_VARIABLES;
+
++ REQUEST_SIZE_MATCH(xGLXSingleReq);
++
+ __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+@@ -245,12 +255,14 @@
+ int
+ __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
+ {
++ ClientPtr client = cl->client;
+ __GLXcontext *cx;
+- ClientPtr client;
+ int error;
+
+ __GLX_DECLARE_SWAP_VARIABLES;
+
++ REQUEST_SIZE_MATCH(xGLXSingleReq);
++
+ __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+@@ -262,7 +274,6 @@
+ cx->hasUnflushedCommands = GL_FALSE;
+
+ /* Send empty reply packet to indicate finish is finished */
+- client = cl->client;
+ __GLX_BEGIN_REPLY(0);
+ __GLX_PUT_RETVAL(0);
+ __GLX_SWAP_REPLY_HEADER();
+--- glx/singlepix.c.orig 2014-12-10 15:49:35.025115139 +0100
++++ glx/singlepix.c 2014-12-10 15:53:21.967098978 +0100
+@@ -55,6 +55,8 @@
+ int error;
+ char *answer, answerBuffer[200];
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
++
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+@@ -107,6 +109,8 @@
+ char *answer, answerBuffer[200];
+ GLint width = 0, height = 0, depth = 1;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
++
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+@@ -169,6 +173,8 @@
+ GLubyte answerBuffer[200];
+ char *answer;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
++
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+@@ -231,15 +237,13 @@
+ compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
+ compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
+
+- if (compsize < 0)
++ if ((compsize = safe_pad(compsize)) < 0)
+ return BadLength;
+- if (compsize2 < 0)
++ if ((compsize2 = safe_pad(compsize2)) < 0)
+ return BadLength;
+- compsize = __GLX_PAD(compsize);
+- compsize2 = __GLX_PAD(compsize2);
+
+ CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
+- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
++ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
+ __glXClearErrorOccured();
+ CALL_GetSeparableFilter(GET_DISPATCH(), (*(GLenum *) (pc + 0),
+ *(GLenum *) (pc + 4),
+@@ -265,7 +269,8 @@
+ __glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
+ {
+ const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+-
++ ClientPtr client = cl->client;
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+ return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
+ }
+
+@@ -273,7 +278,8 @@
+ __glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
+ {
+ const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+-
++ ClientPtr client = cl->client;
++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
+ return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
+ }
+
+@@ -343,7 +349,8 @@
+ __glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
+ {
+ const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+-
++ ClientPtr client = cl->client;
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+ return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
+ }
+
+@@ -351,7 +358,8 @@
+ __glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
+ {
+ const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+-
++ ClientPtr client = cl->client;
++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
+ return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
+ }
+
+@@ -411,7 +419,8 @@
+ __glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc)
+ {
+ const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+-
++ ClientPtr client = cl->client;
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+ return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
+ }
+
+@@ -419,7 +428,8 @@
+ __glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
+ {
+ const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+-
++ ClientPtr client = cl->client;
++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
+ return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
+ }
+
+@@ -471,7 +481,8 @@
+ __glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc)
+ {
+ const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+-
++ ClientPtr client = cl->client;
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+ return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
+ }
+
+@@ -479,7 +490,8 @@
+ __glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
+ {
+ const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+-
++ ClientPtr client = cl->client;
++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
+ return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
+ }
+
+@@ -540,7 +552,8 @@
+ __glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc)
+ {
+ const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+-
++ ClientPtr client = cl->client;
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+ return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
+ }
+
+@@ -548,6 +561,7 @@
+ __glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
+ {
+ const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+-
++ ClientPtr client = cl->client;
++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
+ return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
+ }
+--- glx/singlepixswap.c.orig 2014-12-10 15:49:35.025115139 +0100
++++ glx/singlepixswap.c 2014-12-10 15:55:47.558406617 +0100
+@@ -57,6 +57,8 @@
+ int error;
+ char *answer, answerBuffer[200];
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
++
+ __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+@@ -122,6 +124,8 @@
+ char *answer, answerBuffer[200];
+ GLint width = 0, height = 0, depth = 1;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
++
+ __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+@@ -197,6 +201,8 @@
+
+ __GLX_DECLARE_SWAP_VARIABLES;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
++
+ __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+@@ -266,15 +272,13 @@
+ compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
+ compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
+
+- if (compsize < 0)
++ if ((compsize = safe_pad(compsize)) < 0)
+ return BadLength;
+- if (compsize2 < 0)
++ if ((compsize2 = safe_pad(compsize2)) < 0)
+ return BadLength;
+- compsize = __GLX_PAD(compsize);
+- compsize2 = __GLX_PAD(compsize2);
+
+ CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes));
+- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
++ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
+ __glXClearErrorOccured();
+ CALL_GetSeparableFilter(GET_DISPATCH(), (*(GLenum *) (pc + 0),
+ *(GLenum *) (pc + 4),
+@@ -302,7 +306,9 @@
+ __glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
+ {
+ const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
++ ClientPtr client = cl->client;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+ return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
+ }
+
+@@ -310,7 +316,9 @@
+ __glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
+ {
+ const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
++ ClientPtr client = cl->client;
+
++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
+ return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
+ }
+
+@@ -388,7 +396,9 @@
+ __glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
+ {
+ const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
++ ClientPtr client = cl->client;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+ return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
+ }
+
+@@ -396,7 +406,9 @@
+ __glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
+ {
+ const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
++ ClientPtr client = cl->client;
+
++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
+ return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
+ }
+
+@@ -463,7 +475,9 @@
+ __glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc)
+ {
+ const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
++ ClientPtr client = cl->client;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+ return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
+ }
+
+@@ -471,7 +485,9 @@
+ __glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
+ {
+ const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
++ ClientPtr client = cl->client;
+
++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
+ return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
+ }
+
+@@ -529,7 +545,9 @@
+ __glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc)
+ {
+ const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
++ ClientPtr client = cl->client;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+ return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
+ }
+
+@@ -537,7 +555,9 @@
+ __glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
+ {
+ const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
++ ClientPtr client = cl->client;
+
++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
+ return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
+ }
+
+@@ -605,7 +625,9 @@
+ __glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc)
+ {
+ const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
++ ClientPtr client = cl->client;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+ return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
+ }
+
+@@ -613,6 +635,8 @@
+ __glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
+ {
+ const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
++ ClientPtr client = cl->client;
+
++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
+ return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
+ }
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8098-8-8 b/x11-servers/xorg-server/files/patch-CVE-2014-8098-8-8
new file mode 100644
index 000000000000..defe212095d3
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8098-8-8
@@ -0,0 +1,964 @@
+From e883c170c15493ab3637c0a01890f5a7ca4e16a5 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Mon, 10 Nov 2014 12:13:48 -0500
+Subject: [PATCH 31/40] glx: Pass remaining request length into ->varsize (v2)
+ [CVE-2014-8098 8/8]
+
+v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
+
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Reviewed-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Andy Ritger <aritger@nvidia.com>
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ glx/glxcmds.c | 7 +-
+ glx/glxserver.h | 2 +-
+ glx/indirect_reqsize.c | 142 +++++++++++++++++++-------------------
+ glx/indirect_reqsize.h | 181 ++++++++++++++++++++++++++++++-------------------
+ glx/rensize.c | 27 +++++---
+ 5 files changed, 205 insertions(+), 154 deletions(-)
+
+--- glx/glxcmds.c.orig 2014-12-10 15:58:29.877078381 +0100
++++ glx/glxcmds.c 2014-12-10 16:02:02.578063888 +0100
+@@ -1990,7 +1990,8 @@
+ if (entry.varsize) {
+ /* variable size command */
+ extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
+- client->swapped);
++ client->swapped,
++ left - __GLX_RENDER_HDR_SIZE);
+ if (extra < 0) {
+ return BadLength;
+ }
+@@ -2067,6 +2068,7 @@
+ if (cl->largeCmdRequestsSoFar == 0) {
+ __GLXrenderSizeData entry;
+ int extra = 0;
++ int left = (req->length << 2) - sz_xGLXRenderLargeReq;
+ size_t cmdlen;
+ int err;
+
+@@ -2107,7 +2109,8 @@
+ ** will be in the 1st request, so it's okay to do this.
+ */
+ extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
+- client->swapped);
++ client->swapped,
++ left - __GLX_RENDER_LARGE_HDR_SIZE);
+ if (extra < 0) {
+ return BadLength;
+ }
+--- glx/glxserver.h.orig 2012-05-17 19:09:02.000000000 +0200
++++ glx/glxserver.h 2014-12-10 14:55:50.575337222 +0100
+@@ -167,7 +167,7 @@
+ /*
+ * Tables for computing the size of each rendering command.
+ */
+-typedef int (*gl_proto_size_func) (const GLbyte *, Bool);
++typedef int (*gl_proto_size_func) (const GLbyte *, Bool, int);
+
+ typedef struct {
+ int bytes;
+--- glx/indirect_reqsize.c.orig 2012-05-17 19:09:02.000000000 +0200
++++ glx/indirect_reqsize.c 2014-12-10 15:28:31.264202211 +0100
+@@ -31,24 +31,22 @@
+ #include "indirect_size.h"
+ #include "indirect_reqsize.h"
+
+-#define __GLX_PAD(x) (((x) + 3) & ~3)
+-
+ #if defined(__CYGWIN__) || defined(__MINGW32__)
+ #undef HAVE_ALIAS
+ #endif
+ #ifdef HAVE_ALIAS
+ #define ALIAS2(from,to) \
+- GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
++ GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
+ __attribute__ ((alias( # to )));
+ #define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize )
+ #else
+ #define ALIAS(from,to) \
+- GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
+- { return __glX ## to ## ReqSize( pc, swap ); }
++ GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
++ { return __glX ## to ## ReqSize( pc, swap, reqlen ); }
+ #endif
+
+ int
+-__glXCallListsReqSize(const GLbyte * pc, Bool swap)
++__glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei n = *(GLsizei *) (pc + 0);
+ GLenum type = *(GLenum *) (pc + 4);
+@@ -60,11 +58,11 @@
+ }
+
+ compsize = __glCallLists_size(type);
+- return __GLX_PAD((compsize * n));
++ return safe_pad(safe_mul(compsize, n));
+ }
+
+ int
+-__glXBitmapReqSize(const GLbyte * pc, Bool swap)
++__glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = 0;
+@@ -88,7 +86,7 @@
+ }
+
+ int
+-__glXFogfvReqSize(const GLbyte * pc, Bool swap)
++__glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *) (pc + 0);
+ GLsizei compsize;
+@@ -98,11 +96,11 @@
+ }
+
+ compsize = __glFogfv_size(pname);
+- return __GLX_PAD((compsize * 4));
++ return safe_pad(safe_mul(compsize, 4));
+ }
+
+ int
+-__glXLightfvReqSize(const GLbyte * pc, Bool swap)
++__glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *) (pc + 4);
+ GLsizei compsize;
+@@ -112,11 +110,11 @@
+ }
+
+ compsize = __glLightfv_size(pname);
+- return __GLX_PAD((compsize * 4));
++ return safe_pad(safe_mul(compsize, 4));
+ }
+
+ int
+-__glXLightModelfvReqSize(const GLbyte * pc, Bool swap)
++__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *) (pc + 0);
+ GLsizei compsize;
+@@ -126,11 +124,11 @@
+ }
+
+ compsize = __glLightModelfv_size(pname);
+- return __GLX_PAD((compsize * 4));
++ return safe_pad(safe_mul(compsize, 4));
+ }
+
+ int
+-__glXMaterialfvReqSize(const GLbyte * pc, Bool swap)
++__glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *) (pc + 4);
+ GLsizei compsize;
+@@ -140,11 +138,11 @@
+ }
+
+ compsize = __glMaterialfv_size(pname);
+- return __GLX_PAD((compsize * 4));
++ return safe_pad(safe_mul(compsize, 4));
+ }
+
+ int
+-__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap)
++__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = 0;
+@@ -164,7 +162,7 @@
+ }
+
+ int
+-__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap)
++__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *) (pc + 4);
+ GLsizei compsize;
+@@ -174,11 +172,11 @@
+ }
+
+ compsize = __glTexParameterfv_size(pname);
+- return __GLX_PAD((compsize * 4));
++ return safe_pad(safe_mul(compsize, 4));
+ }
+
+ int
+-__glXTexImage1DReqSize(const GLbyte * pc, Bool swap)
++__glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = 0;
+@@ -206,7 +204,7 @@
+ }
+
+ int
+-__glXTexImage2DReqSize(const GLbyte * pc, Bool swap)
++__glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = 0;
+@@ -236,7 +234,7 @@
+ }
+
+ int
+-__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap)
++__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *) (pc + 4);
+ GLsizei compsize;
+@@ -246,11 +244,11 @@
+ }
+
+ compsize = __glTexEnvfv_size(pname);
+- return __GLX_PAD((compsize * 4));
++ return safe_pad(safe_mul(compsize, 4));
+ }
+
+ int
+-__glXTexGendvReqSize(const GLbyte * pc, Bool swap)
++__glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *) (pc + 4);
+ GLsizei compsize;
+@@ -260,11 +258,11 @@
+ }
+
+ compsize = __glTexGendv_size(pname);
+- return __GLX_PAD((compsize * 8));
++ return safe_pad(safe_mul(compsize, 8));
+ }
+
+ int
+-__glXTexGenfvReqSize(const GLbyte * pc, Bool swap)
++__glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *) (pc + 4);
+ GLsizei compsize;
+@@ -274,11 +272,11 @@
+ }
+
+ compsize = __glTexGenfv_size(pname);
+- return __GLX_PAD((compsize * 4));
++ return safe_pad(safe_mul(compsize, 4));
+ }
+
+ int
+-__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap)
++__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei mapsize = *(GLsizei *) (pc + 4);
+
+@@ -286,11 +284,11 @@
+ mapsize = bswap_32(mapsize);
+ }
+
+- return __GLX_PAD((mapsize * 4));
++ return safe_pad(safe_mul(mapsize, 4));
+ }
+
+ int
+-__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap)
++__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei mapsize = *(GLsizei *) (pc + 4);
+
+@@ -298,11 +296,11 @@
+ mapsize = bswap_32(mapsize);
+ }
+
+- return __GLX_PAD((mapsize * 2));
++ return safe_pad(safe_mul(mapsize, 2));
+ }
+
+ int
+-__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap)
++__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = 0;
+@@ -330,7 +328,7 @@
+ }
+
+ int
+-__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap)
++__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei n = *(GLsizei *) (pc + 0);
+
+@@ -338,11 +336,11 @@
+ n = bswap_32(n);
+ }
+
+- return __GLX_PAD((n * 4) + (n * 4));
++ return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4)));
+ }
+
+ int
+-__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap)
++__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = 0;
+@@ -370,7 +368,7 @@
+ }
+
+ int
+-__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap)
++__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = 0;
+@@ -400,7 +398,7 @@
+ }
+
+ int
+-__glXColorTableReqSize(const GLbyte * pc, Bool swap)
++__glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = 0;
+@@ -428,7 +426,7 @@
+ }
+
+ int
+-__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap)
++__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *) (pc + 4);
+ GLsizei compsize;
+@@ -438,11 +436,11 @@
+ }
+
+ compsize = __glColorTableParameterfv_size(pname);
+- return __GLX_PAD((compsize * 4));
++ return safe_pad(safe_mul(compsize, 4));
+ }
+
+ int
+-__glXColorSubTableReqSize(const GLbyte * pc, Bool swap)
++__glXColorSubTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = 0;
+@@ -470,7 +468,7 @@
+ }
+
+ int
+-__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap)
++__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = 0;
+@@ -498,7 +496,7 @@
+ }
+
+ int
+-__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap)
++__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = 0;
+@@ -528,7 +526,7 @@
+ }
+
+ int
+-__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap)
++__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *) (pc + 4);
+ GLsizei compsize;
+@@ -538,11 +536,11 @@
+ }
+
+ compsize = __glConvolutionParameterfv_size(pname);
+- return __GLX_PAD((compsize * 4));
++ return safe_pad(safe_mul(compsize, 4));
+ }
+
+ int
+-__glXTexImage3DReqSize(const GLbyte * pc, Bool swap)
++__glXTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = *(GLint *) (pc + 8);
+@@ -579,7 +577,7 @@
+ }
+
+ int
+-__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
++__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLint row_length = *(GLint *) (pc + 4);
+ GLint image_height = *(GLint *) (pc + 8);
+@@ -613,7 +611,7 @@
+ }
+
+ int
+-__glXCompressedTexImage1DARBReqSize(const GLbyte * pc, Bool swap)
++__glXCompressedTexImage1DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei imageSize = *(GLsizei *) (pc + 20);
+
+@@ -621,11 +619,11 @@
+ imageSize = bswap_32(imageSize);
+ }
+
+- return __GLX_PAD(imageSize);
++ return safe_pad(imageSize);
+ }
+
+ int
+-__glXCompressedTexImage2DARBReqSize(const GLbyte * pc, Bool swap)
++__glXCompressedTexImage2DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei imageSize = *(GLsizei *) (pc + 24);
+
+@@ -633,11 +631,11 @@
+ imageSize = bswap_32(imageSize);
+ }
+
+- return __GLX_PAD(imageSize);
++ return safe_pad(imageSize);
+ }
+
+ int
+-__glXCompressedTexImage3DARBReqSize(const GLbyte * pc, Bool swap)
++__glXCompressedTexImage3DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei imageSize = *(GLsizei *) (pc + 28);
+
+@@ -645,11 +643,11 @@
+ imageSize = bswap_32(imageSize);
+ }
+
+- return __GLX_PAD(imageSize);
++ return safe_pad(imageSize);
+ }
+
+ int
+-__glXCompressedTexSubImage3DARBReqSize(const GLbyte * pc, Bool swap)
++__glXCompressedTexSubImage3DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei imageSize = *(GLsizei *) (pc + 36);
+
+@@ -657,11 +655,11 @@
+ imageSize = bswap_32(imageSize);
+ }
+
+- return __GLX_PAD(imageSize);
++ return safe_pad(imageSize);
+ }
+
+ int
+-__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap)
++__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei len = *(GLsizei *) (pc + 8);
+
+@@ -669,11 +667,11 @@
+ len = bswap_32(len);
+ }
+
+- return __GLX_PAD(len);
++ return safe_pad(len);
+ }
+
+ int
+-__glXDrawBuffersARBReqSize(const GLbyte * pc, Bool swap)
++__glXDrawBuffersARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei n = *(GLsizei *) (pc + 0);
+
+@@ -681,11 +679,11 @@
+ n = bswap_32(n);
+ }
+
+- return __GLX_PAD((n * 4));
++ return safe_pad(safe_mul(n, 4));
+ }
+
+ int
+-__glXPointParameterfvEXTReqSize(const GLbyte * pc, Bool swap)
++__glXPointParameterfvEXTReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *) (pc + 0);
+ GLsizei compsize;
+@@ -695,11 +693,11 @@
+ }
+
+ compsize = __glPointParameterfvEXT_size(pname);
+- return __GLX_PAD((compsize * 4));
++ return safe_pad(safe_mul(compsize, 4));
+ }
+
+ int
+-__glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap)
++__glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei num = *(GLsizei *) (pc + 8);
+
+@@ -707,11 +705,11 @@
+ num = bswap_32(num);
+ }
+
+- return __GLX_PAD((num * 32));
++ return safe_pad(safe_mul(num, 32));
+ }
+
+ int
+-__glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap)
++__glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei num = *(GLsizei *) (pc + 8);
+
+@@ -719,11 +717,11 @@
+ num = bswap_32(num);
+ }
+
+- return __GLX_PAD((num * 16));
++ return safe_pad(safe_mul(num, 16));
+ }
+
+ int
+-__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap)
++__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei n = *(GLsizei *) (pc + 4);
+
+@@ -731,11 +729,11 @@
+ n = bswap_32(n);
+ }
+
+- return __GLX_PAD((n * 8));
++ return safe_pad(safe_mul(n, 8));
+ }
+
+ int
+-__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap)
++__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei n = *(GLsizei *) (pc + 4);
+
+@@ -743,11 +741,11 @@
+ n = bswap_32(n);
+ }
+
+- return __GLX_PAD((n * 16));
++ return safe_pad(safe_mul(n, 16));
+ }
+
+ int
+-__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap)
++__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei n = *(GLsizei *) (pc + 4);
+
+@@ -755,11 +753,11 @@
+ n = bswap_32(n);
+ }
+
+- return __GLX_PAD((n * 24));
++ return safe_pad(safe_mul(n, 24));
+ }
+
+ int
+-__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap)
++__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei n = *(GLsizei *) (pc + 4);
+
+@@ -767,11 +765,11 @@
+ n = bswap_32(n);
+ }
+
+- return __GLX_PAD((n * 12));
++ return safe_pad(safe_mul(n, 12));
+ }
+
+ int
+-__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap)
++__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei n = *(GLsizei *) (pc + 4);
+
+@@ -779,11 +777,11 @@
+ n = bswap_32(n);
+ }
+
+- return __GLX_PAD((n * 6));
++ return safe_pad(safe_mul(n, 6));
+ }
+
+ int
+-__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap)
++__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei n = *(GLsizei *) (pc + 4);
+
+@@ -791,11 +789,11 @@
+ n = bswap_32(n);
+ }
+
+- return __GLX_PAD((n * 32));
++ return safe_pad(safe_mul(n, 32));
+ }
+
+ int
+-__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap)
++__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLsizei len = *(GLsizei *) (pc + 4);
+
+@@ -803,7 +801,7 @@
+ len = bswap_32(len);
+ }
+
+- return __GLX_PAD(len);
++ return safe_pad(len);
+ }
+
+ ALIAS(Fogiv, Fogfv)
+--- glx/indirect_reqsize.h.orig 2012-05-17 19:09:02.000000000 +0200
++++ glx/indirect_reqsize.h 2014-12-10 15:45:48.967149775 +0100
+@@ -36,128 +36,169 @@
+ #define PURE
+ #endif
+
+-extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc,
+- Bool swap);
+-extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc,
+- Bool swap);
+-extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap);
++extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
+ extern PURE _X_HIDDEN int __glXPolygonStippleReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXTexParameterfvReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXTexParameterivReqSize(const GLbyte * pc,
+- Bool swap);
+-extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap);
++ Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
++extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
+ extern PURE _X_HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXTexSubImage1DReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXTexSubImage2DReqSize(const GLbyte * pc,
+- Bool swap);
+-extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap);
++ Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
+ extern PURE _X_HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap,
++ int reqlen);
+ extern PURE _X_HIDDEN int __glXColorTableParameterivReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap,
++ int reqlen);
+ extern PURE _X_HIDDEN int __glXColorSubTableReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap,
++ int reqlen);
+ extern PURE _X_HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap,
++ int reqlen);
+ extern PURE _X_HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap,
++ int reqlen);
+ extern PURE _X_HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap,
++ int reqlen);
+ extern PURE _X_HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte * pc,
+- Bool swap);
+-extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap);
++ Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap,
++ int reqlen);
+ extern PURE _X_HIDDEN int __glXTexSubImage3DReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXCompressedTexImage1DARBReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap,
++ int reqlen);
+ extern PURE _X_HIDDEN int __glXCompressedTexImage2DARBReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap,
++ int reqlen);
+ extern PURE _X_HIDDEN int __glXCompressedTexImage3DARBReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap,
++ int reqlen);
+ extern PURE _X_HIDDEN int __glXCompressedTexSubImage1DARBReqSize(const GLbyte *
+- pc, Bool swap);
++ pc, Bool swap,
++ int reqlen);
+ extern PURE _X_HIDDEN int __glXCompressedTexSubImage2DARBReqSize(const GLbyte *
+- pc, Bool swap);
++ pc, Bool swap,
++ int reqlen);
+ extern PURE _X_HIDDEN int __glXCompressedTexSubImage3DARBReqSize(const GLbyte *
+- pc, Bool swap);
++ pc, Bool swap,
++ int reqlen);
+ extern PURE _X_HIDDEN int __glXProgramStringARBReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXDrawBuffersARBReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXPointParameterfvEXTReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXLoadProgramNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXProgramParameters4dvNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXProgramParameters4fvNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXRequestResidentProgramsNVReqSize(const GLbyte *
+- pc, Bool swap);
++ pc, Bool swap,
++ int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXPointParameterivNVReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXProgramNamedParameter4dvNVReqSize(const GLbyte *
+- pc, Bool swap);
++ pc, Bool swap,
++ int reqlen);
+ extern PURE _X_HIDDEN int __glXProgramNamedParameter4fvNVReqSize(const GLbyte *
+- pc, Bool swap);
++ pc, Bool swap,
++ int reqlen);
+ extern PURE _X_HIDDEN int __glXDeleteFramebuffersEXTReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXDeleteRenderbuffersEXTReqSize(const GLbyte * pc,
+- Bool swap);
++ Bool swap, int reqlen);
+
+ #undef PURE
+
+--- glx/rensize.c.orig 2012-05-17 19:09:02.000000000 +0200
++++ glx/rensize.c 2014-12-10 14:55:50.580336482 +0100
+@@ -52,7 +52,7 @@
+ }
+
+ int
+-__glXMap1dReqSize(const GLbyte * pc, Bool swap)
++__glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum target;
+ GLint order, k;
+@@ -68,7 +68,7 @@
+ }
+
+ int
+-__glXMap1fReqSize(const GLbyte * pc, Bool swap)
++__glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum target;
+ GLint order, k;
+@@ -92,7 +92,7 @@
+ }
+
+ int
+-__glXMap2dReqSize(const GLbyte * pc, Bool swap)
++__glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum target;
+ GLint uorder, vorder, k;
+@@ -110,7 +110,7 @@
+ }
+
+ int
+-__glXMap2fReqSize(const GLbyte * pc, Bool swap)
++__glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ GLenum target;
+ GLint uorder, vorder, k;
+@@ -342,13 +342,14 @@
+ }
+
+ int
+-__glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
++__glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc;
+ __GLXdispatchDrawArraysComponentHeader *compHeader;
+ GLint numVertexes = hdr->numVertexes;
+ GLint numComponents = hdr->numComponents;
+ GLint arrayElementSize = 0;
++ GLint x, size;
+ int i;
+
+ if (swap) {
+@@ -357,6 +358,13 @@
+ }
+
+ pc += sizeof(__GLXdispatchDrawArraysHeader);
++ reqlen -= sizeof(__GLXdispatchDrawArraysHeader);
++
++ size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader),
++ numComponents);
++ if (size < 0 || reqlen < 0 || reqlen < size)
++ return -1;
++
+ compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc;
+
+ for (i = 0; i < numComponents; i++) {
+@@ -400,17 +408,18 @@
+ return -1;
+ }
+
+- arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype));
++ x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype)));
++ if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0)
++ return -1;
+
+ pc += sizeof(__GLXdispatchDrawArraysComponentHeader);
+ }
+
+- return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) +
+- (numVertexes * arrayElementSize));
++ return safe_add(size, safe_mul(numVertexes, arrayElementSize));
+ }
+
+ int
+-__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
++__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchConvolutionFilterHeader *hdr =
+ (__GLXdispatchConvolutionFilterHeader *) pc;
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8099 b/x11-servers/xorg-server/files/patch-CVE-2014-8099
new file mode 100644
index 000000000000..dfc1b68a7f35
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8099
@@ -0,0 +1,179 @@
+From 32a95fb7c7dbe22c9441c62762dfa4a8ec54d6c3 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 26 Jan 2014 19:23:17 -0800
+Subject: [PATCH 09/40] Xv: unvalidated lengths in XVideo extension swapped
+ procs [CVE-2014-8099]
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ Xext/xvdisp.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c
+index 86f982a..c2d0fc9 100644
+--- Xext/xvdisp.c
++++ Xext/xvdisp.c
+@@ -1121,6 +1121,7 @@ static int
+ SProcXvQueryExtension(ClientPtr client)
+ {
+ REQUEST(xvQueryExtensionReq);
++ REQUEST_SIZE_MATCH(xvQueryExtensionReq);
+ swaps(&stuff->length);
+ return XvProcVector[xv_QueryExtension] (client);
+ }
+@@ -1129,6 +1130,7 @@ static int
+ SProcXvQueryAdaptors(ClientPtr client)
+ {
+ REQUEST(xvQueryAdaptorsReq);
++ REQUEST_SIZE_MATCH(xvQueryAdaptorsReq);
+ swaps(&stuff->length);
+ swapl(&stuff->window);
+ return XvProcVector[xv_QueryAdaptors] (client);
+@@ -1138,6 +1140,7 @@ static int
+ SProcXvQueryEncodings(ClientPtr client)
+ {
+ REQUEST(xvQueryEncodingsReq);
++ REQUEST_SIZE_MATCH(xvQueryEncodingsReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ return XvProcVector[xv_QueryEncodings] (client);
+@@ -1147,6 +1150,7 @@ static int
+ SProcXvGrabPort(ClientPtr client)
+ {
+ REQUEST(xvGrabPortReq);
++ REQUEST_SIZE_MATCH(xvGrabPortReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->time);
+@@ -1157,6 +1161,7 @@ static int
+ SProcXvUngrabPort(ClientPtr client)
+ {
+ REQUEST(xvUngrabPortReq);
++ REQUEST_SIZE_MATCH(xvUngrabPortReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->time);
+@@ -1167,6 +1172,7 @@ static int
+ SProcXvPutVideo(ClientPtr client)
+ {
+ REQUEST(xvPutVideoReq);
++ REQUEST_SIZE_MATCH(xvPutVideoReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->drawable);
+@@ -1186,6 +1192,7 @@ static int
+ SProcXvPutStill(ClientPtr client)
+ {
+ REQUEST(xvPutStillReq);
++ REQUEST_SIZE_MATCH(xvPutStillReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->drawable);
+@@ -1205,6 +1212,7 @@ static int
+ SProcXvGetVideo(ClientPtr client)
+ {
+ REQUEST(xvGetVideoReq);
++ REQUEST_SIZE_MATCH(xvGetVideoReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->drawable);
+@@ -1224,6 +1232,7 @@ static int
+ SProcXvGetStill(ClientPtr client)
+ {
+ REQUEST(xvGetStillReq);
++ REQUEST_SIZE_MATCH(xvGetStillReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->drawable);
+@@ -1243,6 +1252,7 @@ static int
+ SProcXvPutImage(ClientPtr client)
+ {
+ REQUEST(xvPutImageReq);
++ REQUEST_AT_LEAST_SIZE(xvPutImageReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->drawable);
+@@ -1266,6 +1276,7 @@ static int
+ SProcXvShmPutImage(ClientPtr client)
+ {
+ REQUEST(xvShmPutImageReq);
++ REQUEST_SIZE_MATCH(xvShmPutImageReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->drawable);
+@@ -1293,6 +1304,7 @@ static int
+ SProcXvSelectVideoNotify(ClientPtr client)
+ {
+ REQUEST(xvSelectVideoNotifyReq);
++ REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq);
+ swaps(&stuff->length);
+ swapl(&stuff->drawable);
+ return XvProcVector[xv_SelectVideoNotify] (client);
+@@ -1302,6 +1314,7 @@ static int
+ SProcXvSelectPortNotify(ClientPtr client)
+ {
+ REQUEST(xvSelectPortNotifyReq);
++ REQUEST_SIZE_MATCH(xvSelectPortNotifyReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ return XvProcVector[xv_SelectPortNotify] (client);
+@@ -1311,6 +1324,7 @@ static int
+ SProcXvStopVideo(ClientPtr client)
+ {
+ REQUEST(xvStopVideoReq);
++ REQUEST_SIZE_MATCH(xvStopVideoReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->drawable);
+@@ -1321,6 +1335,7 @@ static int
+ SProcXvSetPortAttribute(ClientPtr client)
+ {
+ REQUEST(xvSetPortAttributeReq);
++ REQUEST_SIZE_MATCH(xvSetPortAttributeReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->attribute);
+@@ -1332,6 +1347,7 @@ static int
+ SProcXvGetPortAttribute(ClientPtr client)
+ {
+ REQUEST(xvGetPortAttributeReq);
++ REQUEST_SIZE_MATCH(xvGetPortAttributeReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->attribute);
+@@ -1342,6 +1358,7 @@ static int
+ SProcXvQueryBestSize(ClientPtr client)
+ {
+ REQUEST(xvQueryBestSizeReq);
++ REQUEST_SIZE_MATCH(xvQueryBestSizeReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swaps(&stuff->vid_w);
+@@ -1355,6 +1372,7 @@ static int
+ SProcXvQueryPortAttributes(ClientPtr client)
+ {
+ REQUEST(xvQueryPortAttributesReq);
++ REQUEST_SIZE_MATCH(xvQueryPortAttributesReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ return XvProcVector[xv_QueryPortAttributes] (client);
+@@ -1364,6 +1382,7 @@ static int
+ SProcXvQueryImageAttributes(ClientPtr client)
+ {
+ REQUEST(xvQueryImageAttributesReq);
++ REQUEST_SIZE_MATCH(xvQueryImageAttributesReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ swapl(&stuff->id);
+@@ -1376,6 +1395,7 @@ static int
+ SProcXvListImageFormats(ClientPtr client)
+ {
+ REQUEST(xvListImageFormatsReq);
++ REQUEST_SIZE_MATCH(xvListImageFormatsReq);
+ swaps(&stuff->length);
+ swapl(&stuff->port);
+ return XvProcVector[xv_ListImageFormats] (client);
+--
+2.1.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8100-1-2 b/x11-servers/xorg-server/files/patch-CVE-2014-8100-1-2
new file mode 100644
index 000000000000..a2ae0541e95e
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8100-1-2
@@ -0,0 +1,30 @@
+From b5f9ef03df6a650571b29d3d1c1d2b67c6e84336 Mon Sep 17 00:00:00 2001
+From: Julien Cristau <jcristau@debian.org>
+Date: Tue, 28 Oct 2014 10:30:04 +0100
+Subject: [PATCH 13/40] render: check request size before reading it
+ [CVE-2014-8100 1/2]
+
+Otherwise we may be reading outside of the client request.
+
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ render/render.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- render/render.c.orig 2014-12-10 16:06:01.737046585 +0100
++++ render/render.c 2014-12-10 16:07:49.285040265 +0100
+@@ -271,10 +271,11 @@
+
+ REQUEST(xRenderQueryVersionReq);
+
++ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
++
+ pRenderClient->major_version = stuff->majorVersion;
+ pRenderClient->minor_version = stuff->minorVersion;
+
+- REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
+ memset(&rep, 0, sizeof(xRenderQueryVersionReply));
+ rep.type = X_Reply;
+ rep.length = 0;
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8100-2-2 b/x11-servers/xorg-server/files/patch-CVE-2014-8100-2-2
new file mode 100644
index 000000000000..e4d6503b87de
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8100-2-2
@@ -0,0 +1,140 @@
+From 5d3a788aeb2fbd3ca2812747dc18c94a8b981c63 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 26 Jan 2014 19:51:29 -0800
+Subject: [PATCH 14/40] render: unvalidated lengths in Render extn. swapped
+ procs [CVE-2014-8100 2/2]
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ render/render.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/render/render.c b/render/render.c
+index 200e0c8..723f380 100644
+--- render/render.c
++++ render/render.c
+@@ -1995,7 +1995,7 @@ static int
+ SProcRenderQueryVersion(ClientPtr client)
+ {
+ REQUEST(xRenderQueryVersionReq);
+-
++ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
+ swaps(&stuff->length);
+ swapl(&stuff->majorVersion);
+ swapl(&stuff->minorVersion);
+@@ -2006,6 +2006,7 @@ static int
+ SProcRenderQueryPictFormats(ClientPtr client)
+ {
+ REQUEST(xRenderQueryPictFormatsReq);
++ REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
+ swaps(&stuff->length);
+ return (*ProcRenderVector[stuff->renderReqType]) (client);
+ }
+@@ -2014,6 +2015,7 @@ static int
+ SProcRenderQueryPictIndexValues(ClientPtr client)
+ {
+ REQUEST(xRenderQueryPictIndexValuesReq);
++ REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
+ swaps(&stuff->length);
+ swapl(&stuff->format);
+ return (*ProcRenderVector[stuff->renderReqType]) (client);
+@@ -2029,6 +2031,7 @@ static int
+ SProcRenderCreatePicture(ClientPtr client)
+ {
+ REQUEST(xRenderCreatePictureReq);
++ REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
+ swaps(&stuff->length);
+ swapl(&stuff->pid);
+ swapl(&stuff->drawable);
+@@ -2042,6 +2045,7 @@ static int
+ SProcRenderChangePicture(ClientPtr client)
+ {
+ REQUEST(xRenderChangePictureReq);
++ REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
+ swaps(&stuff->length);
+ swapl(&stuff->picture);
+ swapl(&stuff->mask);
+@@ -2053,6 +2057,7 @@ static int
+ SProcRenderSetPictureClipRectangles(ClientPtr client)
+ {
+ REQUEST(xRenderSetPictureClipRectanglesReq);
++ REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
+ swaps(&stuff->length);
+ swapl(&stuff->picture);
+ swaps(&stuff->xOrigin);
+@@ -2065,6 +2070,7 @@ static int
+ SProcRenderFreePicture(ClientPtr client)
+ {
+ REQUEST(xRenderFreePictureReq);
++ REQUEST_SIZE_MATCH(xRenderFreePictureReq);
+ swaps(&stuff->length);
+ swapl(&stuff->picture);
+ return (*ProcRenderVector[stuff->renderReqType]) (client);
+@@ -2074,6 +2080,7 @@ static int
+ SProcRenderComposite(ClientPtr client)
+ {
+ REQUEST(xRenderCompositeReq);
++ REQUEST_SIZE_MATCH(xRenderCompositeReq);
+ swaps(&stuff->length);
+ swapl(&stuff->src);
+ swapl(&stuff->mask);
+@@ -2093,6 +2100,7 @@ static int
+ SProcRenderScale(ClientPtr client)
+ {
+ REQUEST(xRenderScaleReq);
++ REQUEST_SIZE_MATCH(xRenderScaleReq);
+ swaps(&stuff->length);
+ swapl(&stuff->src);
+ swapl(&stuff->dst);
+@@ -2193,6 +2201,7 @@ static int
+ SProcRenderCreateGlyphSet(ClientPtr client)
+ {
+ REQUEST(xRenderCreateGlyphSetReq);
++ REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
+ swaps(&stuff->length);
+ swapl(&stuff->gsid);
+ swapl(&stuff->format);
+@@ -2203,6 +2212,7 @@ static int
+ SProcRenderReferenceGlyphSet(ClientPtr client)
+ {
+ REQUEST(xRenderReferenceGlyphSetReq);
++ REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
+ swaps(&stuff->length);
+ swapl(&stuff->gsid);
+ swapl(&stuff->existing);
+@@ -2213,6 +2223,7 @@ static int
+ SProcRenderFreeGlyphSet(ClientPtr client)
+ {
+ REQUEST(xRenderFreeGlyphSetReq);
++ REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
+ swaps(&stuff->length);
+ swapl(&stuff->glyphset);
+ return (*ProcRenderVector[stuff->renderReqType]) (client);
+@@ -2227,6 +2238,7 @@ SProcRenderAddGlyphs(ClientPtr client)
+ xGlyphInfo *gi;
+
+ REQUEST(xRenderAddGlyphsReq);
++ REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
+ swaps(&stuff->length);
+ swapl(&stuff->glyphset);
+ swapl(&stuff->nglyphs);
+@@ -2261,6 +2273,7 @@ static int
+ SProcRenderFreeGlyphs(ClientPtr client)
+ {
+ REQUEST(xRenderFreeGlyphsReq);
++ REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
+ swaps(&stuff->length);
+ swapl(&stuff->glyphset);
+ SwapRestL(stuff);
+@@ -2278,6 +2291,7 @@ SProcRenderCompositeGlyphs(ClientPtr client)
+ int size;
+
+ REQUEST(xRenderCompositeGlyphsReq);
++ REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
+
+ switch (stuff->renderReqType) {
+ default:
+--
+2.1.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8101 b/x11-servers/xorg-server/files/patch-CVE-2014-8101
new file mode 100644
index 000000000000..d7fcb8d30a6e
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8101
@@ -0,0 +1,51 @@
+From 3df2fcf12499ebdb26b9b67419ea485a42041f33 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 26 Jan 2014 19:38:09 -0800
+Subject: [PATCH 12/40] randr: unvalidated lengths in RandR extension swapped
+ procs [CVE-2014-8101]
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ randr/rrsdispatch.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/randr/rrsdispatch.c b/randr/rrsdispatch.c
+index 08c3b6a..47558cf 100644
+--- randr/rrsdispatch.c
++++ randr/rrsdispatch.c
+@@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client)
+ {
+ REQUEST(xRRQueryVersionReq);
+
++ REQUEST_SIZE_MATCH(xRRQueryVersionReq);
+ swaps(&stuff->length);
+ swapl(&stuff->majorVersion);
+ swapl(&stuff->minorVersion);
+@@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client)
+ {
+ REQUEST(xRRGetScreenInfoReq);
+
++ REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
+ swaps(&stuff->length);
+ swapl(&stuff->window);
+ return (*ProcRandrVector[stuff->randrReqType]) (client);
+@@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client)
+ {
+ REQUEST(xRRSelectInputReq);
+
++ REQUEST_SIZE_MATCH(xRRSelectInputReq);
+ swaps(&stuff->length);
+ swapl(&stuff->window);
+ swaps(&stuff->enable);
+@@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr client)
+ {
+ REQUEST(xRRConfigureOutputPropertyReq);
+
++ REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq);
+ swaps(&stuff->length);
+ swapl(&stuff->output);
+ swapl(&stuff->property);
+--
+2.1.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8102 b/x11-servers/xorg-server/files/patch-CVE-2014-8102
new file mode 100644
index 000000000000..46f4ead5312d
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8102
@@ -0,0 +1,27 @@
+From a0ece23a8bd300c8be10812d368dc8058c97c63e Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 26 Jan 2014 20:02:20 -0800
+Subject: [PATCH 15/40] xfixes: unvalidated length in
+ SProcXFixesSelectSelectionInput [CVE-2014-8102]
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ xfixes/select.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xfixes/select.c b/xfixes/select.c
+index c088ed3..e964d58 100644
+--- xfixes/select.c
++++ xfixes/select.c
+@@ -201,6 +201,7 @@ SProcXFixesSelectSelectionInput(ClientPtr client)
+ {
+ REQUEST(xXFixesSelectSelectionInputReq);
+
++ REQUEST_SIZE_MATCH(xXFixesSelectSelectionInputReq);
+ swaps(&stuff->length);
+ swapl(&stuff->window);
+ swapl(&stuff->selection);
+--
+2.1.2
+