aboutsummaryrefslogtreecommitdiff
path: root/x11-servers
diff options
context:
space:
mode:
authorKoop Mast <kwm@FreeBSD.org>2017-10-13 19:14:53 +0000
committerKoop Mast <kwm@FreeBSD.org>2017-10-13 19:14:53 +0000
commit05d144d76117f0272982e85c1183f63ee936f8fc (patch)
treec19ab3b37eeac16d99c57b1000e4200c92ae2131 /x11-servers
parentc4c4223e978b96a20cad785d541bd1ad7b1c5e9c (diff)
downloadports-05d144d76117f0272982e85c1183f63ee936f8fc.tar.gz
ports-05d144d76117f0272982e85c1183f63ee936f8fc.zip
Notes
Diffstat (limited to 'x11-servers')
-rw-r--r--x11-servers/xorg-nestserver/Makefile14
-rw-r--r--x11-servers/xorg-server/Makefile2
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2017-1217631
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2017-1217741
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2017-1217829
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2017-1217952
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2017-1218395
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2017-1218x601
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2017-1218y139
-rw-r--r--x11-servers/xorg-server/files/patch-os_io.c34
-rw-r--r--x11-servers/xorg-vfbserver/Makefile14
-rw-r--r--x11-servers/xwayland/Makefile14
12 files changed, 1056 insertions, 10 deletions
diff --git a/x11-servers/xorg-nestserver/Makefile b/x11-servers/xorg-nestserver/Makefile
index 717b4f3f4857..4b9e8587cfce 100644
--- a/x11-servers/xorg-nestserver/Makefile
+++ b/x11-servers/xorg-nestserver/Makefile
@@ -3,7 +3,7 @@
PORTNAME= xorg-nestserver
PORTVERSION= 1.19.1
-PORTREVISION= 1
+PORTREVISION= 2
PORTEPOCH= 2
COMMENT= Nesting X server from X.Org
@@ -27,8 +27,16 @@ CONFIGURE_ARGS+=--enable-xnest --disable-dmx --disable-xephyr --disable-xvfb \
PLIST_FILES= bin/Xnest man/man1/Xnest.1.gz
-EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-13721 \
- ${MASTERDIR}/files/patch-CVE-2017-13723
+EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-12176 \
+ ${MASTERDIR}/files/patch-CVE-2017-12177 \
+ ${MASTERDIR}/files/patch-CVE-2017-12178 \
+ ${MASTERDIR}/files/patch-CVE-2017-12179 \
+ ${MASTERDIR}/files/patch-CVE-2017-12183 \
+ ${MASTERDIR}/files/patch-CVE-2017-1218x \
+ ${MASTERDIR}/files/patch-CVE-2017-1218y \
+ ${MASTERDIR}/files/patch-CVE-2017-13721 \
+ ${MASTERDIR}/files/patch-CVE-2017-13723 \
+ ${MASTERDIR}/files/patch-os_io.c
do-install:
cd ${WRKSRC}/hw/xnest; DESTDIR=${STAGEDIR} ${MAKE} install
diff --git a/x11-servers/xorg-server/Makefile b/x11-servers/xorg-server/Makefile
index eb62331dab11..7d712814fee1 100644
--- a/x11-servers/xorg-server/Makefile
+++ b/x11-servers/xorg-server/Makefile
@@ -3,7 +3,7 @@
PORTNAME?= xorg-server
PORTVERSION?= 1.18.4
-PORTREVISION?= 4
+PORTREVISION?= 5
PORTEPOCH?= 1
CATEGORIES= x11-servers
MASTER_SITES= XORG/individual/xserver
diff --git a/x11-servers/xorg-server/files/patch-CVE-2017-12176 b/x11-servers/xorg-server/files/patch-CVE-2017-12176
new file mode 100644
index 000000000000..c5c6fb85c136
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2017-12176
@@ -0,0 +1,31 @@
+From 95f605b42d8bbb6bea2834a1abfc205981c5b803 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Fri, 9 Jan 2015 10:15:46 -0500
+Subject: Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
+
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+(cherry picked from commit b747da5e25be944337a9cd1415506fc06b70aa81)
+
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index 0da431b..0fdfe11 100644
+--- dix/dispatch.c
++++ dix/dispatch.c
+@@ -3703,7 +3703,12 @@ ProcEstablishConnection(ClientPtr client)
+ prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
+ auth_proto = (char *) prefix + sz_xConnClientPrefix;
+ auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
+- if ((prefix->majorVersion != X_PROTOCOL) ||
++
++ if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
++ pad_to_int32(prefix->nbytesAuthProto) +
++ pad_to_int32(prefix->nbytesAuthString))
++ reason = "Bad length";
++ else if ((prefix->majorVersion != X_PROTOCOL) ||
+ (prefix->minorVersion != X_PROTOCOL_REVISION))
+ reason = "Protocol version mismatch";
+ else
+--
+cgit v0.10.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2017-12177 b/x11-servers/xorg-server/files/patch-CVE-2017-12177
new file mode 100644
index 000000000000..65033f566dc9
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2017-12177
@@ -0,0 +1,41 @@
+From cc41e5b581d287c56f8d7113a97a4882dcfdd696 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Fri, 9 Jan 2015 10:09:14 -0500
+Subject: dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo
+ (CVE-2017-12177)
+
+v2: Protect against integer overflow (Alan Coopersmith)
+
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+(cherry picked from commit 4ca68b878e851e2136c234f40a25008297d8d831)
+
+diff --git a/dbe/dbe.c b/dbe/dbe.c
+index 23f7e16..f31766f 100644
+--- dbe/dbe.c
++++ dbe/dbe.c
+@@ -574,6 +574,9 @@ ProcDbeGetVisualInfo(ClientPtr client)
+ XdbeScreenVisualInfo *pScrVisInfo;
+
+ REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
++ if (stuff->n > UINT32_MAX / sizeof(CARD32))
++ return BadLength;
++ REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32));
+
+ if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
+ return BadAlloc;
+@@ -924,7 +927,7 @@ SProcDbeSwapBuffers(ClientPtr client)
+
+ swapl(&stuff->n);
+ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
+- return BadAlloc;
++ return BadLength;
+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
+
+ if (stuff->n != 0) {
+--
+cgit v0.10.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2017-12178 b/x11-servers/xorg-server/files/patch-CVE-2017-12178
new file mode 100644
index 000000000000..d2b3474f0500
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2017-12178
@@ -0,0 +1,29 @@
+From 6c15122163a2d2615db7e998e8d436815a08dec6 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Wed, 24 Dec 2014 16:22:18 -0500
+Subject: Xi: fix wrong extra length check in ProcXIChangeHierarchy
+ (CVE-2017-12178)
+
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+(cherry picked from commit 859b08d523307eebde7724fd1a0789c44813e821)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index f2b7785..7286eff 100644
+--- Xi/xichangehierarchy.c
++++ Xi/xichangehierarchy.c
+@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+ if (!stuff->num_changes)
+ return rc;
+
+- len = ((size_t)stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
++ len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
+
+ any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
+ while (stuff->num_changes--) {
+--
+cgit v0.10.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2017-12179 b/x11-servers/xorg-server/files/patch-CVE-2017-12179
new file mode 100644
index 000000000000..7787fc117d69
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2017-12179
@@ -0,0 +1,52 @@
+From c77cd08efcf386bcc5d8dfbd0427134b2b2d0888 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Fri, 9 Jan 2015 10:04:41 -0500
+Subject: Xi: integer overflow and unvalidated length in
+ (S)ProcXIBarrierReleasePointer
+
+[jcristau: originally this patch fixed the same issue as commit
+ 211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the
+ addition of these checks]
+
+This addresses CVE-2017-12179
+
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+(cherry picked from commit d088e3c1286b548a58e62afdc70bb40981cdb9e8)
+
+
+--- Xi/xibarriers.c.orig 2016-07-15 18:17:45.000000000 +0200
++++ Xi/xibarriers.c 2017-10-13 18:26:09.226006000 +0200
+@@ -830,10 +830,15 @@
+ REQUEST(xXIBarrierReleasePointerReq);
+ int i;
+
+- info = (xXIBarrierReleasePointerInfo*) &stuff[1];
+-
+ swaps(&stuff->length);
++ REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
++
+ swapl(&stuff->num_barriers);
++ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
++ return BadLength;
++ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
++
++ info = (xXIBarrierReleasePointerInfo*) &stuff[1];
+ for (i = 0; i < stuff->num_barriers; i++, info++) {
+ swaps(&info->deviceid);
+ swapl(&info->barrier);
+@@ -854,6 +859,10 @@
+
+ REQUEST(xXIBarrierReleasePointerReq);
+ REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
++ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
++ return BadLength;
++ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
++
+
+ info = (xXIBarrierReleasePointerInfo*) &stuff[1];
+ for (i = 0; i < stuff->num_barriers; i++, info++) {
diff --git a/x11-servers/xorg-server/files/patch-CVE-2017-12183 b/x11-servers/xorg-server/files/patch-CVE-2017-12183
new file mode 100644
index 000000000000..5ccc3760e022
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2017-12183
@@ -0,0 +1,95 @@
+From 61502107a30d64f991784648c3228ebc6694a032 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Fri, 9 Jan 2015 11:43:05 -0500
+Subject: xfixes: unvalidated lengths (CVE-2017-12183)
+
+v2: Use before swap (Jeremy Huddleston Sequoia)
+
+v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)
+
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+(cherry picked from commit 55caa8b08c84af2b50fbc936cf334a5a93dd7db5)
+
+diff --git a/xfixes/cursor.c b/xfixes/cursor.c
+index f009a78..6e84d71 100644
+--- xfixes/cursor.c
++++ xfixes/cursor.c
+@@ -281,6 +281,7 @@ int
+ SProcXFixesSelectCursorInput(ClientPtr client)
+ {
+ REQUEST(xXFixesSelectCursorInputReq);
++ REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq);
+
+ swaps(&stuff->length);
+ swapl(&stuff->window);
+@@ -414,7 +415,7 @@ ProcXFixesSetCursorName(ClientPtr client)
+ REQUEST(xXFixesSetCursorNameReq);
+ Atom atom;
+
+- REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq);
++ REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes);
+ VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess);
+ tchar = (char *) &stuff[1];
+ atom = MakeAtom(tchar, stuff->nbytes, TRUE);
+@@ -1007,6 +1008,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
+ int i;
+ CARD16 *in_devices = (CARD16 *) &stuff[1];
+
++ REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);
++
+ swaps(&stuff->length);
+ swaps(&stuff->num_devices);
+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
+diff --git a/xfixes/region.c b/xfixes/region.c
+index dd74d7f..f300d2b 100644
+--- xfixes/region.c
++++ xfixes/region.c
+@@ -359,6 +359,7 @@ ProcXFixesCopyRegion(ClientPtr client)
+ RegionPtr pSource, pDestination;
+
+ REQUEST(xXFixesCopyRegionReq);
++ REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
+
+ VERIFY_REGION(pSource, stuff->source, client, DixReadAccess);
+ VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess);
+@@ -375,7 +376,7 @@ SProcXFixesCopyRegion(ClientPtr client)
+ REQUEST(xXFixesCopyRegionReq);
+
+ swaps(&stuff->length);
+- REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq);
++ REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
+ swapl(&stuff->source);
+ swapl(&stuff->destination);
+ return (*ProcXFixesVector[stuff->xfixesReqType]) (client);
+diff --git a/xfixes/saveset.c b/xfixes/saveset.c
+index eb3f658..aa365cf 100644
+--- xfixes/saveset.c
++++ xfixes/saveset.c
+@@ -62,6 +62,7 @@ int
+ SProcXFixesChangeSaveSet(ClientPtr client)
+ {
+ REQUEST(xXFixesChangeSaveSetReq);
++ REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq);
+
+ swaps(&stuff->length);
+ swapl(&stuff->window);
+diff --git a/xfixes/xfixes.c b/xfixes/xfixes.c
+index 8d1bd4c..8b45c53 100644
+--- xfixes/xfixes.c
++++ xfixes/xfixes.c
+@@ -160,6 +160,7 @@ static int
+ SProcXFixesQueryVersion(ClientPtr client)
+ {
+ REQUEST(xXFixesQueryVersionReq);
++ REQUEST_SIZE_MATCH(xXFixesQueryVersionReq);
+
+ swaps(&stuff->length);
+ swapl(&stuff->majorVersion);
+--
+cgit v0.10.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2017-1218x b/x11-servers/xorg-server/files/patch-CVE-2017-1218x
new file mode 100644
index 000000000000..264f6298ab18
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2017-1218x
@@ -0,0 +1,601 @@
+From d264da92f7f8129b8aad4f0114a6467fc38fc896 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Sun, 21 Dec 2014 01:10:03 -0500
+Subject: hw/xfree86: unvalidated lengths
+
+This addresses:
+CVE-2017-12180 in XFree86-VidModeExtension
+CVE-2017-12181 in XFree86-DGA
+CVE-2017-12182 in XFree86-DRI
+
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+(cherry picked from commit 1b1d4c04695dced2463404174b50b3581dbd857b)
+
+diff --git a/Xext/vidmode.c b/Xext/vidmode.c
+index ea3ad13..76055c8 100644
+--- Xext/vidmode.c
++++ Xext/vidmode.c
+@@ -454,6 +454,20 @@ ProcVidModeAddModeLine(ClientPtr client)
+ DEBUG_P("XF86VidModeAddModeline");
+
+ ver = ClientMajorVersion(client);
++
++ if (ver < 2) {
++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq);
++ len =
++ client->req_len -
++ bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq));
++ }
++ else {
++ REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq);
++ len =
++ client->req_len -
++ bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq));
++ }
++
+ if (ver < 2) {
+ /* convert from old format */
+ stuff = &newstuff;
+@@ -501,18 +515,6 @@ ProcVidModeAddModeLine(ClientPtr client)
+ stuff->after_vsyncend, stuff->after_vtotal,
+ (unsigned long) stuff->after_flags);
+
+- if (ver < 2) {
+- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq);
+- len =
+- client->req_len -
+- bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq));
+- }
+- else {
+- REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq);
+- len =
+- client->req_len -
+- bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq));
+- }
+ if (len != stuff->privsize)
+ return BadLength;
+
+@@ -622,6 +624,20 @@ ProcVidModeDeleteModeLine(ClientPtr client)
+ DEBUG_P("XF86VidModeDeleteModeline");
+
+ ver = ClientMajorVersion(client);
++
++ if (ver < 2) {
++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq);
++ len =
++ client->req_len -
++ bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq));
++ }
++ else {
++ REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq);
++ len =
++ client->req_len -
++ bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq));
++ }
++
+ if (ver < 2) {
+ /* convert from old format */
+ stuff = &newstuff;
+@@ -649,18 +665,6 @@ ProcVidModeDeleteModeLine(ClientPtr client)
+ stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal,
+ (unsigned long) stuff->flags);
+
+- if (ver < 2) {
+- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq);
+- len =
+- client->req_len -
+- bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq));
+- }
+- else {
+- REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq);
+- len =
+- client->req_len -
+- bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq));
+- }
+ if (len != stuff->privsize) {
+ DebugF("req_len = %ld, sizeof(Req) = %d, privsize = %ld, "
+ "len = %d, length = %d\n",
+@@ -744,6 +748,20 @@ ProcVidModeModModeLine(ClientPtr client)
+ DEBUG_P("XF86VidModeModModeline");
+
+ ver = ClientMajorVersion(client);
++
++ if (ver < 2) {
++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq);
++ len =
++ client->req_len -
++ bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq));
++ }
++ else {
++ REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq);
++ len =
++ client->req_len -
++ bytes_to_int32(sizeof(xXF86VidModeModModeLineReq));
++ }
++
+ if (ver < 2) {
+ /* convert from old format */
+ stuff = &newstuff;
+@@ -768,18 +786,6 @@ ProcVidModeModModeLine(ClientPtr client)
+ stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend,
+ stuff->vtotal, (unsigned long) stuff->flags);
+
+- if (ver < 2) {
+- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq);
+- len =
+- client->req_len -
+- bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq));
+- }
+- else {
+- REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq);
+- len =
+- client->req_len -
+- bytes_to_int32(sizeof(xXF86VidModeModModeLineReq));
+- }
+ if (len != stuff->privsize)
+ return BadLength;
+
+@@ -877,6 +883,19 @@ ProcVidModeValidateModeLine(ClientPtr client)
+ DEBUG_P("XF86VidModeValidateModeline");
+
+ ver = ClientMajorVersion(client);
++
++ if (ver < 2) {
++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq);
++ len = client->req_len -
++ bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq));
++ }
++ else {
++ REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq);
++ len =
++ client->req_len -
++ bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq));
++ }
++
+ if (ver < 2) {
+ /* convert from old format */
+ stuff = &newstuff;
+@@ -905,17 +924,6 @@ ProcVidModeValidateModeLine(ClientPtr client)
+ stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal,
+ (unsigned long) stuff->flags);
+
+- if (ver < 2) {
+- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq);
+- len = client->req_len -
+- bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq));
+- }
+- else {
+- REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq);
+- len =
+- client->req_len -
+- bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq));
+- }
+ if (len != stuff->privsize)
+ return BadLength;
+
+@@ -1027,6 +1035,20 @@ ProcVidModeSwitchToMode(ClientPtr client)
+ DEBUG_P("XF86VidModeSwitchToMode");
+
+ ver = ClientMajorVersion(client);
++
++ if (ver < 2) {
++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq);
++ len =
++ client->req_len -
++ bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq));
++ }
++ else {
++ REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq);
++ len =
++ client->req_len -
++ bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq));
++ }
++
+ if (ver < 2) {
+ /* convert from old format */
+ stuff = &newstuff;
+@@ -1055,18 +1077,6 @@ ProcVidModeSwitchToMode(ClientPtr client)
+ stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal,
+ (unsigned long) stuff->flags);
+
+- if (ver < 2) {
+- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq);
+- len =
+- client->req_len -
+- bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq));
+- }
+- else {
+- REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq);
+- len =
+- client->req_len -
+- bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq));
+- }
+ if (len != stuff->privsize)
+ return BadLength;
+
+@@ -1457,6 +1467,7 @@ ProcVidModeSetGammaRamp(ClientPtr client)
+ VidModePtr pVidMode;
+
+ REQUEST(xXF86VidModeSetGammaRampReq);
++ REQUEST_AT_LEAST_SIZE(xXF86VidModeSetGammaRampReq);
+
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+diff --git a/hw/xfree86/common/xf86DGA.c b/hw/xfree86/common/xf86DGA.c
+index c689dcb..039f38d 100644
+--- hw/xfree86/common/xf86DGA.c
++++ hw/xfree86/common/xf86DGA.c
+@@ -1272,13 +1272,14 @@ ProcXDGAOpenFramebuffer(ClientPtr client)
+ char *deviceName;
+ int nameSize;
+
++ REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (!DGAAvailable(stuff->screen))
+ return DGAErrorBase + XF86DGANoDirectVideoMode;
+
+- REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -1305,14 +1306,14 @@ ProcXDGACloseFramebuffer(ClientPtr client)
+ {
+ REQUEST(xXDGACloseFramebufferReq);
+
++ REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (!DGAAvailable(stuff->screen))
+ return DGAErrorBase + XF86DGANoDirectVideoMode;
+
+- REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq);
+-
+ DGACloseFramebuffer(stuff->screen);
+
+ return Success;
+@@ -1328,10 +1329,11 @@ ProcXDGAQueryModes(ClientPtr client)
+ xXDGAModeInfo info;
+ XDGAModePtr mode;
+
++ REQUEST_SIZE_MATCH(xXDGAQueryModesReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+- REQUEST_SIZE_MATCH(xXDGAQueryModesReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.number = 0;
+@@ -1443,11 +1445,12 @@ ProcXDGASetMode(ClientPtr client)
+ ClientPtr owner;
+ int size;
+
++ REQUEST_SIZE_MATCH(xXDGASetModeReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+ owner = DGA_GETCLIENT(stuff->screen);
+
+- REQUEST_SIZE_MATCH(xXDGASetModeReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.offset = 0;
+@@ -1533,14 +1536,14 @@ ProcXDGASetViewport(ClientPtr client)
+ {
+ REQUEST(xXDGASetViewportReq);
+
++ REQUEST_SIZE_MATCH(xXDGASetViewportReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXDGASetViewportReq);
+-
+ DGASetViewport(stuff->screen, stuff->x, stuff->y, stuff->flags);
+
+ return Success;
+@@ -1554,14 +1557,14 @@ ProcXDGAInstallColormap(ClientPtr client)
+
+ REQUEST(xXDGAInstallColormapReq);
+
++ REQUEST_SIZE_MATCH(xXDGAInstallColormapReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXDGAInstallColormapReq);
+-
+ rc = dixLookupResourceByType((void **) &cmap, stuff->cmap, RT_COLORMAP,
+ client, DixInstallAccess);
+ if (rc != Success)
+@@ -1575,14 +1578,14 @@ ProcXDGASelectInput(ClientPtr client)
+ {
+ REQUEST(xXDGASelectInputReq);
+
++ REQUEST_SIZE_MATCH(xXDGASelectInputReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXDGASelectInputReq);
+-
+ if (DGA_GETCLIENT(stuff->screen) == client)
+ DGASelectInput(stuff->screen, client, stuff->mask);
+
+@@ -1594,14 +1597,14 @@ ProcXDGAFillRectangle(ClientPtr client)
+ {
+ REQUEST(xXDGAFillRectangleReq);
+
++ REQUEST_SIZE_MATCH(xXDGAFillRectangleReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXDGAFillRectangleReq);
+-
+ if (Success != DGAFillRect(stuff->screen, stuff->x, stuff->y,
+ stuff->width, stuff->height, stuff->color))
+ return BadMatch;
+@@ -1614,14 +1617,14 @@ ProcXDGACopyArea(ClientPtr client)
+ {
+ REQUEST(xXDGACopyAreaReq);
+
++ REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
+-
+ if (Success != DGABlitRect(stuff->screen, stuff->srcx, stuff->srcy,
+ stuff->width, stuff->height, stuff->dstx,
+ stuff->dsty))
+@@ -1635,14 +1638,14 @@ ProcXDGACopyTransparentArea(ClientPtr client)
+ {
+ REQUEST(xXDGACopyTransparentAreaReq);
+
++ REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
+-
+ if (Success != DGABlitTransRect(stuff->screen, stuff->srcx, stuff->srcy,
+ stuff->width, stuff->height, stuff->dstx,
+ stuff->dsty, stuff->key))
+@@ -1657,13 +1660,14 @@ ProcXDGAGetViewportStatus(ClientPtr client)
+ REQUEST(xXDGAGetViewportStatusReq);
+ xXDGAGetViewportStatusReply rep;
+
++ REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -1680,13 +1684,14 @@ ProcXDGASync(ClientPtr client)
+ REQUEST(xXDGASyncReq);
+ xXDGASyncReply rep;
+
++ REQUEST_SIZE_MATCH(xXDGASyncReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXDGASyncReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -1725,13 +1730,14 @@ ProcXDGAChangePixmapMode(ClientPtr client)
+ xXDGAChangePixmapModeReply rep;
+ int x, y;
+
++ REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -1755,14 +1761,14 @@ ProcXDGACreateColormap(ClientPtr client)
+ REQUEST(xXDGACreateColormapReq);
+ int result;
+
++ REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
+-
+ if (!stuff->mode)
+ return BadValue;
+
+@@ -1791,10 +1797,11 @@ ProcXF86DGAGetVideoLL(ClientPtr client)
+ int num, offset, flags;
+ char *name;
+
++ REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+- REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -1831,9 +1838,10 @@ ProcXF86DGADirectVideo(ClientPtr client)
+
+ REQUEST(xXF86DGADirectVideoReq);
+
++ REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+- REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq);
+
+ if (!DGAAvailable(stuff->screen))
+ return DGAErrorBase + XF86DGANoDirectVideoMode;
+@@ -1889,10 +1897,11 @@ ProcXF86DGAGetViewPortSize(ClientPtr client)
+ REQUEST(xXF86DGAGetViewPortSizeReq);
+ xXF86DGAGetViewPortSizeReply rep;
+
++ REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+- REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -1917,14 +1926,14 @@ ProcXF86DGASetViewPort(ClientPtr client)
+ {
+ REQUEST(xXF86DGASetViewPortReq);
+
++ REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq);
+-
+ if (!DGAAvailable(stuff->screen))
+ return DGAErrorBase + XF86DGANoDirectVideoMode;
+
+@@ -1944,10 +1953,11 @@ ProcXF86DGAGetVidPage(ClientPtr client)
+ REQUEST(xXF86DGAGetVidPageReq);
+ xXF86DGAGetVidPageReply rep;
+
++ REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+- REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -1962,11 +1972,11 @@ ProcXF86DGASetVidPage(ClientPtr client)
+ {
+ REQUEST(xXF86DGASetVidPageReq);
+
++ REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+- REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq);
+-
+ /* silently fail */
+
+ return Success;
+@@ -1980,14 +1990,14 @@ ProcXF86DGAInstallColormap(ClientPtr client)
+
+ REQUEST(xXF86DGAInstallColormapReq);
+
++ REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq);
+-
+ if (!DGAActive(stuff->screen))
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+@@ -2008,10 +2018,11 @@ ProcXF86DGAQueryDirectVideo(ClientPtr client)
+ REQUEST(xXF86DGAQueryDirectVideoReq);
+ xXF86DGAQueryDirectVideoReply rep;
+
++ REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+- REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -2030,14 +2041,14 @@ ProcXF86DGAViewPortChanged(ClientPtr client)
+ REQUEST(xXF86DGAViewPortChangedReq);
+ xXF86DGAViewPortChangedReply rep;
+
++ REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq);
+-
+ if (!DGAActive(stuff->screen))
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+diff --git a/hw/xfree86/dri/xf86dri.c b/hw/xfree86/dri/xf86dri.c
+index 68f8b7e..65f368e 100644
+--- hw/xfree86/dri/xf86dri.c
++++ hw/xfree86/dri/xf86dri.c
+@@ -570,6 +570,7 @@ static int
+ SProcXF86DRIQueryDirectRenderingCapable(register ClientPtr client)
+ {
+ REQUEST(xXF86DRIQueryDirectRenderingCapableReq);
++ REQUEST_SIZE_MATCH(xXF86DRIQueryDirectRenderingCapableReq);
+ swaps(&stuff->length);
+ swapl(&stuff->screen);
+ return ProcXF86DRIQueryDirectRenderingCapable(client);
+--
+cgit v0.10.2
+
diff --git a/x11-servers/xorg-server/files/patch-CVE-2017-1218y b/x11-servers/xorg-server/files/patch-CVE-2017-1218y
new file mode 100644
index 000000000000..fe02768869ca
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2017-1218y
@@ -0,0 +1,139 @@
+From c206f36a4b6ecf2555ab2291c349ab7d7d0b02f5 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Fri, 9 Jan 2015 09:57:23 -0500
+Subject: Unvalidated lengths
+
+v2: Add overflow check and remove unnecessary check (Julien Cristau)
+
+This addresses:
+CVE-2017-12184 in XINERAMA
+CVE-2017-12185 in MIT-SCREEN-SAVER
+CVE-2017-12186 in X-Resource
+CVE-2017-12187 in RENDER
+
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+(cherry picked from commit cad5a1050b7184d828aef9c1dd151c3ab649d37e)
+
+diff --git a/Xext/panoramiX.c b/Xext/panoramiX.c
+index 209df29..844ea49 100644
+--- Xext/panoramiX.c
++++ Xext/panoramiX.c
+@@ -988,10 +988,11 @@ ProcPanoramiXGetScreenSize(ClientPtr client)
+ xPanoramiXGetScreenSizeReply rep;
+ int rc;
+
++ REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
++
+ if (stuff->screen >= PanoramiXNumScreens)
+ return BadMatch;
+
+- REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+ rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
+ if (rc != Success)
+ return rc;
+diff --git a/Xext/saver.c b/Xext/saver.c
+index 750b8b9..45ac4d2 100644
+--- Xext/saver.c
++++ Xext/saver.c
+@@ -1185,6 +1185,8 @@ ProcScreenSaverUnsetAttributes(ClientPtr client)
+ PanoramiXRes *draw;
+ int rc, i;
+
++ REQUEST_SIZE_MATCH(xScreenSaverUnsetAttributesReq);
++
+ rc = dixLookupResourceByClass((void **) &draw, stuff->drawable,
+ XRC_DRAWABLE, client, DixWriteAccess);
+ if (rc != Success)
+diff --git a/Xext/xres.c b/Xext/xres.c
+index ae779df..bc54133 100644
+--- Xext/xres.c
++++ Xext/xres.c
+@@ -947,6 +947,8 @@ ProcXResQueryResourceBytes (ClientPtr client)
+ ConstructResourceBytesCtx ctx;
+
+ REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
++ if (stuff->numSpecs > UINT32_MAX / sizeof(ctx.specs[0]))
++ return BadLength;
+ REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
+ stuff->numSpecs * sizeof(ctx.specs[0]));
+
+@@ -1052,8 +1054,8 @@ SProcXResQueryResourceBytes (ClientPtr client)
+ int c;
+ xXResResourceIdSpec *specs = (void*) ((char*) stuff + sizeof(*stuff));
+
+- swapl(&stuff->numSpecs);
+ REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
++ swapl(&stuff->numSpecs);
+ REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
+ stuff->numSpecs * sizeof(specs[0]));
+
+diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c
+index 8a35b7b..4d412b8 100644
+--- Xext/xvdisp.c
++++ Xext/xvdisp.c
+@@ -1493,12 +1493,14 @@ XineramaXvShmPutImage(ClientPtr client)
+ {
+ REQUEST(xvShmPutImageReq);
+ PanoramiXRes *draw, *gc, *port;
+- Bool send_event = stuff->send_event;
++ Bool send_event;
+ Bool isRoot;
+ int result, i, x, y;
+
+ REQUEST_SIZE_MATCH(xvShmPutImageReq);
+
++ send_event = stuff->send_event;
++
+ result = dixLookupResourceByClass((void **) &draw, stuff->drawable,
+ XRC_DRAWABLE, client, DixWriteAccess);
+ if (result != Success)
+diff --git a/hw/dmx/dmxpict.c b/hw/dmx/dmxpict.c
+index 1f1022e..63caec9 100644
+--- hw/dmx/dmxpict.c
++++ hw/dmx/dmxpict.c
+@@ -716,6 +716,8 @@ dmxProcRenderSetPictureFilter(ClientPtr client)
+ filter = (char *) (stuff + 1);
+ params = (XFixed *) (filter + ((stuff->nbytes + 3) & ~3));
+ nparams = ((XFixed *) stuff + client->req_len) - params;
++ if (nparams < 0)
++ return BadLength;
+
+ XRenderSetPictureFilter(dmxScreen->beDisplay,
+ pPictPriv->pict, filter, params, nparams);
+diff --git a/pseudoramiX/pseudoramiX.c b/pseudoramiX/pseudoramiX.c
+index d8b2593..95f6e10 100644
+--- pseudoramiX/pseudoramiX.c
++++ pseudoramiX/pseudoramiX.c
+@@ -297,10 +297,11 @@ ProcPseudoramiXGetScreenSize(ClientPtr client)
+
+ TRACE;
+
++ REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
++
+ if (stuff->screen >= pseudoramiXNumScreens)
+ return BadMatch;
+
+- REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+ rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
+ if (rc != Success)
+ return rc;
+diff --git a/render/render.c b/render/render.c
+index bfacaa0..3a41e33 100644
+--- render/render.c
++++ render/render.c
+@@ -1757,6 +1757,9 @@ ProcRenderSetPictureFilter(ClientPtr client)
+ name = (char *) (stuff + 1);
+ params = (xFixed *) (name + pad_to_int32(stuff->nbytes));
+ nparams = ((xFixed *) stuff + client->req_len) - params;
++ if (nparams < 0)
++ return BadLength;
++
+ result = SetPictureFilter(pPicture, name, stuff->nbytes, params, nparams);
+ return result;
+ }
+--
+cgit v0.10.2
+
diff --git a/x11-servers/xorg-server/files/patch-os_io.c b/x11-servers/xorg-server/files/patch-os_io.c
new file mode 100644
index 000000000000..dfe999e21b3e
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-os_io.c
@@ -0,0 +1,34 @@
+From e751722a7b0c5b595794e60b054ade0b3f6cdb4d Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Fri, 7 Jul 2017 17:04:03 +0200
+Subject: os: Make sure big requests have sufficient length.
+
+A client can send a big request where the 32B "length" field has value
+0. When the big request header is removed and the length corrected,
+the value will underflow to 0xFFFFFFFF. Functions processing the
+request later will think that the client sent much more data and may
+touch memory beyond the receive buffer.
+
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 9c23685009aa96f4b861dcc5d2e01dbee00c4dd9)
+
+diff --git a/os/io.c b/os/io.c
+index f80580c..70f07f3 100644
+--- os/io.c
++++ os/io.c
+@@ -441,6 +441,11 @@ ReadRequestFromClient(ClientPtr client)
+ if (!gotnow)
+ AvailableInput = oc;
+ if (move_header) {
++ if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
++ YieldControlDeath();
++ return -1;
++ }
++
+ request = (xReq *) oci->bufptr;
+ oci->bufptr += (sizeof(xBigReq) - sizeof(xReq));
+ *(xReq *) oci->bufptr = *request;
+--
+cgit v0.10.2
+
diff --git a/x11-servers/xorg-vfbserver/Makefile b/x11-servers/xorg-vfbserver/Makefile
index cee1d3aebd7f..b01b06fbd308 100644
--- a/x11-servers/xorg-vfbserver/Makefile
+++ b/x11-servers/xorg-vfbserver/Makefile
@@ -3,7 +3,7 @@
PORTNAME= xorg-vfbserver
PORTVERSION= 1.19.1
-PORTREVISION= 1
+PORTREVISION= 2
PORTEPOCH= 1
COMMENT= X virtual framebuffer server from X.Org
@@ -25,8 +25,16 @@ CONFIGURE_ARGS+=--enable-xvfb --disable-dmx --disable-xephyr --disable-xnest \
PLIST_FILES= bin/Xvfb man/man1/Xvfb.1.gz
-EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-13721 \
- ${MASTERDIR}/files/patch-CVE-2017-13723
+EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-12176 \
+ ${MASTERDIR}/files/patch-CVE-2017-12177 \
+ ${MASTERDIR}/files/patch-CVE-2017-12178 \
+ ${MASTERDIR}/files/patch-CVE-2017-12179 \
+ ${MASTERDIR}/files/patch-CVE-2017-12183 \
+ ${MASTERDIR}/files/patch-CVE-2017-1218x \
+ ${MASTERDIR}/files/patch-CVE-2017-1218y \
+ ${MASTERDIR}/files/patch-CVE-2017-13721 \
+ ${MASTERDIR}/files/patch-CVE-2017-13723 \
+ ${MASTERDIR}/files/patch-os_io.c
do-install:
cd ${WRKSRC}/hw/vfb; DESTDIR=${STAGEDIR} ${MAKE} install
diff --git a/x11-servers/xwayland/Makefile b/x11-servers/xwayland/Makefile
index 2887933a6dbb..4da41f23a644 100644
--- a/x11-servers/xwayland/Makefile
+++ b/x11-servers/xwayland/Makefile
@@ -2,7 +2,7 @@
PORTNAME= xwayland
PORTVERSION= 1.19.1
-PORTREVISION= 1
+PORTREVISION= 2
COMMENT= X Clients under Wayland
@@ -29,8 +29,16 @@ CONFIGURE_ARGS+= --disable-docs --disable-devel-docs \
PLIST_FILES= bin/Xwayland
-EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-13721 \
- ${MASTERDIR}/files/patch-CVE-2017-13723
+EXTRA_PATCHES= ${MASTERDIR}/files/patch-CVE-2017-12176 \
+ ${MASTERDIR}/files/patch-CVE-2017-12177 \
+ ${MASTERDIR}/files/patch-CVE-2017-12178 \
+ ${MASTERDIR}/files/patch-CVE-2017-12179 \
+ ${MASTERDIR}/files/patch-CVE-2017-12183 \
+ ${MASTERDIR}/files/patch-CVE-2017-1218x \
+ ${MASTERDIR}/files/patch-CVE-2017-1218y \
+ ${MASTERDIR}/files/patch-CVE-2017-13721 \
+ ${MASTERDIR}/files/patch-CVE-2017-13723 \
+ ${MASTERDIR}/files/patch-os_io.c
do-install:
cd ${WRKSRC}/hw/xwayland; DESTDIR=${STAGEDIR} ${MAKE_CMD} install
generated by cgit v1.2.3 (git 2.25.1) at 2024-10-01 14:32:27 +0000