mirror/freebsd-ports
1
0
Fork 0
mirror of https://git.FreeBSD.org/ports.git synced 2025-01-23 09:10:43 +00:00
Code Issues Releases Activity

Fix security issues in xorg client libraries.

Browse Source 
Most libraries were updated to newer versions, in some cases patches
were backported instead.

Most notably, x11/libX11 was updated to 1.6.0

Security:	CVE-2013-1981
		CVE-2013-1982
		CVE-2013-1983
		CVE-2013-1984
		CVE-2013-1985
		CVE-2013-1986
		CVE-2013-1987
		CVE-2013-1988
		CVE-2013-1989
		CVE-2013-1990
		CVE-2013-1991
		CVE-2013-1992
		CVE-2013-1993
		CVE-2013-1994
		CVE-2013-1995
		CVE-2013-1996
		CVE-2013-1997
		CVE-2013-1998
		CVE-2013-1999
		CVE-2013-2000
		CVE-2013-2001
		CVE-2013-2002
		CVE-2013-2003
		CVE-2013-2004
		CVE-2013-2005
		CVE-2013-2062
		CVE-2013-2063
		CVE-2013-2064
		CVE-2013-2066
This commit is contained in:
Niclas Zeising 2013-06-04 19:31:29 +00:00
parent d5ff26dc84
commit d516c8b663
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=319899
58 changed files with 1463 additions and 84 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
graphics/libGL/Makefile
View File

@ -3,13 +3,13 @@
PORTNAME= libGL
PORTVERSION= ${MESAVERSION}
PORTREVISION= 3
PORTREVISION= 4
CATEGORIES= graphics
COMMENT= OpenGL library that renders using GLX or DRI
LIB_DEPENDS+= drm:${PORTSDIR}/graphics/libdrm \
expat.6:${PORTSDIR}/textproc/expat2
expat:${PORTSDIR}/textproc/expat2
USES= pkgconfig
USE_XORG= glproto x11 xext xxf86vm xdamage xfixes dri2proto:both

6
graphics/libGL/bsd.mesalib.mk
View File

@ -56,14 +56,16 @@ EXTRA_PATCHES+= ${PATCHDIR}/extra-configure \
${PATCHDIR}/extra-src-glsl_ir_constant_expression.cpp \
${PATCHDIR}/extra-src__gallium__include__pipe__p_config.h \
${PATCHDIR}/extra-src__mesa__drivers__dri__nouveau__nouveau_array.c \
${PATCHDIR}/extra-src__mesa__drivers__dri__nouveau__nouveau_render_t.c
${PATCHDIR}/extra-src__mesa__drivers__dri__nouveau__nouveau_render_t.c \
${PATCHDIR}/extra-src_glx_XF86dri.c
.else
EXTRA_PATCHES+= ${PATCHDIR}/extra-configure-old \
${PATCHDIR}/extra-mach64_context.h-old \
${PATCHDIR}/extra-src__mesa__x86-64__glapi_x86-64.S \
${PATCHDIR}/extra-src__mesa__x86-64__xform4.S \
${PATCHDIR}/extra-src__mesa__x86__glapi_x86.S \
${PATCHDIR}/extra-src__mesa__x86__read_rgba_span_x86.S
${PATCHDIR}/extra-src__mesa__x86__read_rgba_span_x86.S \
${PATCHDIR}/extra-src_glx_x11_XF86dri.c
CONFIGURE_ARGS+=--disable-glut --disable-glw
.endif

38
graphics/libGL/files/extra-src_glx_XF86dri.c Normal file
View File

@ -0,0 +1,38 @@
--- src/glx/XF86dri.c.orig 2012-10-24 19:03:59.000000000 +0000
+++ src/glx/XF86dri.c 2013-05-29 10:07:33.000000000 +0000
@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN
#include <X11/extensions/Xext.h>
#include <X11/extensions/extutil.h>
#include "xf86dristr.h"
+#include <limits.h>
static XExtensionInfo _xf86dri_info_data;
static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
@@ -201,7 +202,11 @@ XF86DRIOpenConnection(Display * dpy, int
}
if (rep.length) {
- if (!(*busIdString = (char *) Xcalloc(rep.busIdStringLength + 1, 1))) {
+ if (rep.busIdStringLength < INT_MAX)
+ *busIdString = Xcalloc(rep.busIdStringLength + 1, 1);
+ else
+ *busIdString = NULL;
+ if (*busIdString == NULL) {
_XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
UnlockDisplay(dpy);
SyncHandle();
@@ -300,9 +305,11 @@ XF86DRIGetClientDriverName(Display * dpy
*ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
if (rep.length) {
- if (!
- (*clientDriverName =
- (char *) Xcalloc(rep.clientDriverNameLength + 1, 1))) {
+ if (rep.clientDriverNameLength < INT_MAX)
+ *clientDriverName = Xcalloc(rep.clientDriverNameLength + 1, 1);
+ else
+ *clientDriverName = NULL;
+ if (*clientDriverName == NULL) {
_XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
UnlockDisplay(dpy);
SyncHandle();

38
graphics/libGL/files/extra-src_glx_x11_XF86dri.c Normal file
View File

@ -0,0 +1,38 @@
--- src/glx/x11/XF86dri.c.orig 2009-06-17 18:35:16.000000000 +0000
+++ src/glx/x11/XF86dri.c 2013-05-29 10:09:37.000000000 +0000
@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN
#include <X11/extensions/Xext.h>
#include <X11/extensions/extutil.h>
#include "xf86dristr.h"
+#include <limits.h>
#if defined(__GNUC__) && (__GNUC__ * 100 + __GNUC_MINOR__) >= 303
@@ -212,7 +213,11 @@ XF86DRIOpenConnection(Display * dpy, int
}
if (rep.length) {
- if (!(*busIdString = (char *) Xcalloc(rep.busIdStringLength + 1, 1))) {
+ if (rep.busIdStringLength < INT_MAX)
+ *busIdString = Xcalloc(rep.busIdStringLength + 1, 1);
+ else
+ *busIdString = NULL;
+ if (*busIdString == NULL) {
_XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
UnlockDisplay(dpy);
SyncHandle();
@@ -311,9 +316,11 @@ XF86DRIGetClientDriverName(Display * dpy
*ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
if (rep.length) {
- if (!
- (*clientDriverName =
- (char *) Xcalloc(rep.clientDriverNameLength + 1, 1))) {
+ if (rep.clientDriverNameLength < INT_MAX)
+ *clientDriverName = Xcalloc(rep.clientDriverNameLength + 1, 1);
+ else
+ *clientDriverName = NULL;
+ if (*clientDriverName == NULL) {
_XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
UnlockDisplay(dpy);
SyncHandle();

158
security/vuxml/vuln.xml
View File

@ -51,6 +51,164 @@ Note: Please add new entries to the beginning of this file.
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="2eebebff-cd3b-11e2-8f09-001b38c3836c">
<topic>xorg -- protocol handling issues in X Window System client libraries</topic>
<affects>
<package>
<name>libX11</name>
<range><lt>1.6.0</lt></range>
</package>
<package>
<name>libXext</name>
<range><lt>1.3.2</lt></range>
</package>
<package>
<name>libXfixes</name>
<range><lt>5.0.1</lt></range>
</package>
<package>
<name>libXi</name>
<range><lt>1.7_1</lt></range>
</package>
<package>
<name>libXinerama</name>
<range><lt>1.1.3</lt></range>
</package>
<package>
<name>libXp</name>
<range><lt>1.0.2</lt></range>
</package>
<package>
<name>libXrandr</name>
<range><lt>1.4.1</lt></range>
</package>
<package>
<name>libXrender</name>
<range><lt>0.9.7_1</lt></range>
</package>
<package>
<name>libXres</name>
<range><lt>1.0.7</lt></range>
</package>
<package>
<name>libXtst</name>
<range><lt>1.2.2</lt></range>
</package>
<package>
<name>libXv</name>
<range><lt>1.0.8</lt></range>
</package>
<package>
<name>libXvMC</name>
<range><lt>1.0.7_1</lt></range>
</package>
<package>
<name>libXxf86dga</name>
<range><lt>1.1.4</lt></range>
</package>
<package>
<name>libdmx</name>
<range><lt>1.1.3</lt></range>
</package>
<package>
<name>libxcb</name>
<range><lt>1.9.1</lt></range>
</package>
<package>
<name>libGL</name>
<range>
<lt>7.6.1_4</lt>
<gt>7.8.0</gt><lt>8.0.5_4</lt>
</range>
</package>
<package>
<name>xf86-video-openchrome</name>
<range><lt>0.3.3</lt></range>
</package>
<package>
<name>libFS</name>
<range><lt>1.0.5</lt></range>
</package>
<package>
<name>libXxf86vm</name>
<range><lt>1.1.3</lt></range>
</package>
<package>
<name>libXt</name>
<range><lt>1.1.4</lt></range>
</package>
<package>
<name>libXcursor</name>
<range><lt>1.1.14</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>freedesktop.org reports:</p>
<blockquote cite="http://www.x.org/wiki/Development/Security/Advisory-2013-05-23">
<p>Ilja van Sprundel, a security researcher with IOActive, has
discovered a large number of issues in the way various X client
libraries handle the responses they receive from servers, and has
worked with X.Org's security team to analyze, confirm, and fix
these issues.</p>
<p>Most of these issues stem from the client libraries trusting the
server to send correct protocol data, and not verifying that the
values will not overflow or cause other damage. Most of the time X
clients &amp; servers are run by the same user, with the server
more privileged from the clients, so this is not a problem, but
there are scenarios in which a privileged client can be connected
to an unprivileged server, for instance, connecting a setuid X
client (such as a screen lock program) to a virtual X server (such
as Xvfb or Xephyr) which the user has modified to return invalid
data, potentially allowing the user to escalate their privileges.</p>
<p>The vulnerabilities include:</p>
<p>Integer overflows calculating memory needs for replies.</p>
<p>Sign extension issues calculating memory needs for replies.</p>
<p>Buffer overflows due to not validating length or offset values in
replies.</p>
<p>Integer overflows parsing user-specified files.</p>
<p>Unbounded recursion parsing user-specified files.</p>
<p>Memory corruption due to unchecked return values.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2013-1981</cvename>
<cvename>CVE-2013-1982</cvename>
<cvename>CVE-2013-1983</cvename>
<cvename>CVE-2013-1984</cvename>
<cvename>CVE-2013-1985</cvename>
<cvename>CVE-2013-1986</cvename>
<cvename>CVE-2013-1987</cvename>
<cvename>CVE-2013-1988</cvename>
<cvename>CVE-2013-1989</cvename>
<cvename>CVE-2013-1990</cvename>
<cvename>CVE-2013-1991</cvename>
<cvename>CVE-2013-1992</cvename>
<cvename>CVE-2013-1993</cvename>
<cvename>CVE-2013-1994</cvename>
<cvename>CVE-2013-1995</cvename>
<cvename>CVE-2013-1996</cvename>
<cvename>CVE-2013-1997</cvename>
<cvename>CVE-2013-1998</cvename>
<cvename>CVE-2013-1999</cvename>
<cvename>CVE-2013-2000</cvename>
<cvename>CVE-2013-2001</cvename>
<cvename>CVE-2013-2002</cvename>
<cvename>CVE-2013-2003</cvename>
<cvename>CVE-2013-2004</cvename>
<cvename>CVE-2013-2005</cvename>
<cvename>CVE-2013-2062</cvename>
<cvename>CVE-2013-2063</cvename>
<cvename>CVE-2013-2064</cvename>
<cvename>CVE-2013-2066</cvename>
</references>
<dates>
<discovery>2013-05-23</discovery>
<entry>2013-06-04</entry>
</dates>
</vuln>
<vuln vid="e3f64457-cccd-11e2-af76-206a8a720317">
<topic>krb5 -- UDP ping-pong vulnerability in the kpasswd (password changing) service. [CVE-2002-2443]</topic>
<affects>

2
x11-drivers/xorg-drivers/Makefile
View File

@ -10,8 +10,6 @@ EXTRACT_ONLY= # none
MAINTAINER= x11@FreeBSD.org
COMMENT= X.org drivers meta-port
.MAKE.FreeBSD_UL= yes
VIDEODIR= ${PREFIX}/lib/xorg/modules/drivers
INPUTDIR= ${PREFIX}/lib/xorg/modules/input

2
x11-fonts/libFS/Makefile
View File

@ -1,7 +1,7 @@
# $FreeBSD$
PORTNAME= libFS
PORTVERSION= 1.0.4
PORTVERSION= 1.0.5
CATEGORIES= x11-fonts
MAINTAINER= x11@FreeBSD.org

4
x11-fonts/libFS/distinfo
View File

@ -1,2 +1,2 @@
SHA256 (xorg/lib/libFS-1.0.4.tar.bz2) = 7073761e7594d43180a922605fb64cce60e5ccb8c06f8efa24f2d4621f5e8315
SIZE (xorg/lib/libFS-1.0.4.tar.bz2) = 291155
SHA256 (xorg/lib/libFS-1.0.5.tar.bz2) = 22eb3005dd8053aef7ff82758da5dd59ca9738410bcf847e675780e3a1f96107
SIZE (xorg/lib/libFS-1.0.5.tar.bz2) = 303806

2
x11-toolkits/libXt/Makefile
View File

@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= libXt
PORTVERSION= 1.1.3
PORTVERSION= 1.1.4
PORTEPOCH= 1
CATEGORIES= x11-toolkits

4
x11-toolkits/libXt/distinfo
View File

@ -1,2 +1,2 @@
SHA256 (xorg/lib/libXt-1.1.3.tar.bz2) = 8db593c3fc5ffc4e9cd854ba50af1eac9b90d66521ba17802b8f1e0d2d7f05bd
SIZE (xorg/lib/libXt-1.1.3.tar.bz2) = 734679
SHA256 (xorg/lib/libXt-1.1.4.tar.bz2) = 843a97a988f5654872682a4120486d987d853a71651515472f55519ffae2dd57
SIZE (xorg/lib/libXt-1.1.4.tar.bz2) = 762331

2
x11/libX11/Makefile
View File

@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= libX11
PORTVERSION= 1.5.0
PORTVERSION= 1.6.0
PORTEPOCH= 1
CATEGORIES= x11

4
x11/libX11/distinfo
View File

@ -1,2 +1,2 @@
SHA256 (xorg/lib/libX11-1.5.0.tar.bz2) = c382efd7e92bfc3cef39a4b7f1ecf2744ba4414a705e3bc1e697f75502bd4d86
SIZE (xorg/lib/libX11-1.5.0.tar.bz2) = 2322265
SHA256 (xorg/lib/libX11-1.6.0.tar.bz2) = 53131412343ec252307fe14903deaf54c356f9414d72d49180c2091dcd7019fa
SIZE (xorg/lib/libX11-1.6.0.tar.bz2) = 2373718

8
x11/libX11/pkg-plist
View File

@ -94,15 +94,9 @@ lib/X11/locale/iso8859-9e/XLC_LOCALE
lib/X11/locale/ja.JIS/Compose
lib/X11/locale/ja.JIS/XI18N_OBJS
lib/X11/locale/ja.JIS/XLC_LOCALE
lib/X11/locale/ja.S90/Compose
lib/X11/locale/ja.S90/XI18N_OBJS
lib/X11/locale/ja.S90/XLC_LOCALE
lib/X11/locale/ja.SJIS/Compose
lib/X11/locale/ja.SJIS/XI18N_OBJS
lib/X11/locale/ja.SJIS/XLC_LOCALE
lib/X11/locale/ja.U90/Compose
lib/X11/locale/ja.U90/XI18N_OBJS
lib/X11/locale/ja.U90/XLC_LOCALE
lib/X11/locale/ja/Compose
lib/X11/locale/ja/XI18N_OBJS
lib/X11/locale/ja/XLC_LOCALE
@ -234,9 +228,7 @@ libdata/pkgconfig/x11.pc
@dirrm lib/X11/locale/ko_KR.UTF-8
@dirrm lib/X11/locale/ko
@dirrm lib/X11/locale/ja_JP.UTF-8
@dirrm lib/X11/locale/ja.U90
@dirrm lib/X11/locale/ja.SJIS
@dirrm lib/X11/locale/ja.S90
@dirrm lib/X11/locale/ja.JIS
@dirrm lib/X11/locale/ja
@dirrm lib/X11/locale/iso8859-9e

2
x11/libXcursor/Makefile
View File

@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= libXcursor
PORTVERSION= 1.1.13
PORTVERSION= 1.1.14
CATEGORIES= x11
MAINTAINER= x11@FreeBSD.org

4
x11/libXcursor/distinfo
View File

@ -1,2 +1,2 @@
SHA256 (xorg/lib/libXcursor-1.1.13.tar.bz2) = f78827de4a1b7ce8cceca24a9ab9d1b1d2f6a61362f505166ffc19b07c0bad8f
SIZE (xorg/lib/libXcursor-1.1.13.tar.bz2) = 302525
SHA256 (xorg/lib/libXcursor-1.1.14.tar.bz2) = 9bc6acb21ca14da51bda5bc912c8955bc6e5e433f0ab00c5e8bef842596c33df
SIZE (xorg/lib/libXcursor-1.1.14.tar.bz2) = 311896

2
x11/libXext/Makefile
View File

@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= libXext
PORTVERSION= 1.3.1
PORTVERSION= 1.3.2
PORTEPOCH= 1
CATEGORIES= x11

4
x11/libXext/distinfo
View File

@ -1,2 +1,2 @@
SHA256 (xorg/lib/libXext-1.3.1.tar.bz2) = 56229c617eb7bfd6dec40d2805bc4dfb883dfe80f130d99b9a2beb632165e859
SIZE (xorg/lib/libXext-1.3.1.tar.bz2) = 372728
SHA256 (xorg/lib/libXext-1.3.2.tar.bz2) = f829075bc646cdc085fa25d98d5885d83b1759ceb355933127c257e8e50432e0
SIZE (xorg/lib/libXext-1.3.2.tar.bz2) = 378901

3
x11/libXfixes/Makefile
View File

@ -2,8 +2,7 @@
# $FreeBSD$
PORTNAME= libXfixes
PORTVERSION= 5.0
PORTREVISION= 2
PORTVERSION= 5.0.1
CATEGORIES= x11
MAINTAINER= x11@FreeBSD.org

4
x11/libXfixes/distinfo
View File

@ -1,2 +1,2 @@
SHA256 (xorg/lib/libXfixes-5.0.tar.bz2) = 537a2446129242737a35db40081be4bbcc126e56c03bf5f2b142b10a79cda2e3
SIZE (xorg/lib/libXfixes-5.0.tar.bz2) = 253777
SHA256 (xorg/lib/libXfixes-5.0.1.tar.bz2) = 63bec085084fa3caaee5180490dd871f1eb2020ba9e9b39a30f93693ffc34767
SIZE (xorg/lib/libXfixes-5.0.1.tar.bz2) = 291978

1
x11/libXi/Makefile
View File

@ -3,6 +3,7 @@
PORTNAME= libXi
PORTVERSION= 1.7.1
PORTREVISION= 1
PORTEPOCH= 1
CATEGORIES= x11

63
x11/libXi/files/patch-src_XGMotion.c Normal file
View File

@ -0,0 +1,63 @@
From bb922ed4253b35590f0369f32a917ff89ade0830 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Mar 2013 06:55:23 +0000
Subject: integer overflow in XGetDeviceMotionEvents() [CVE-2013-1984 4/8]
If the number of events or axes reported by the server is large enough
that it overflows when multiplied by the size of the appropriate struct,
then memory corruption can occur when more bytes are copied from the
X server reply than the size of the buffer we allocated to hold them.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
diff --git a/src/XGMotion.c b/src/XGMotion.c
index 5feac85..a4c75b6 100644
--- src/XGMotion.c
+++ src/XGMotion.c
@@ -59,6 +59,7 @@ SOFTWARE.
#include <X11/extensions/XInput.h>
#include <X11/extensions/extutil.h>
#include "XIint.h"
+#include <limits.h>
XDeviceTimeCoord *
XGetDeviceMotionEvents(
@@ -74,7 +75,7 @@ XGetDeviceMotionEvents(
xGetDeviceMotionEventsReply rep;
XDeviceTimeCoord *tc;
int *data, *bufp, *readp, *savp;
- long size, size2;
+ unsigned long size;
int i, j;
XExtDisplayInfo *info = XInput_find_display(dpy);
@@ -104,10 +105,21 @@ XGetDeviceMotionEvents(
SyncHandle();
return (NULL);
}
- size = rep.length << 2;
- size2 = rep.nEvents * (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int)));
- savp = readp = (int *)Xmalloc(size);
- bufp = (int *)Xmalloc(size2);
+ if (rep.length < (INT_MAX >> 2)) {
+ size = rep.length << 2;
+ savp = readp = Xmalloc(size);
+ } else {
+ size = 0;
+ savp = readp = NULL;
+ }
+ /* rep.axes is a CARD8, so assume max number of axes for bounds check */
+ if (rep.nEvents <
+ (INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int))))) {
+ size_t bsize = rep.nEvents *
+ (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int)));
+ bufp = Xmalloc(bsize);
+ } else
+ bufp = NULL;
if (!bufp || !savp) {
Xfree(bufp);
Xfree(savp);
--
cgit v0.9.0.2-2-gbebe

61
x11/libXi/files/patch-src_XGetBMap.c Normal file
View File

@ -0,0 +1,61 @@
From f3e08e4fbe40016484ba795feecf1a742170ffc1 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Mar 2013 06:26:52 +0000
Subject: Stack buffer overflow in XGetDeviceButtonMapping() [CVE-2013-1998 1/3]
We copy the entire reply sent by the server into the fixed size
mapping[] array on the stack, even if the server says it's a larger
size than the mapping array can hold. HULK SMASH STACK!
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
diff --git a/src/XGetBMap.c b/src/XGetBMap.c
index 211c9ca..002daba 100644
--- src/XGetBMap.c
+++ src/XGetBMap.c
@@ -60,6 +60,7 @@ SOFTWARE.
#include <X11/extensions/XInput.h>
#include <X11/extensions/extutil.h>
#include "XIint.h"
+#include <limits.h>
#ifdef MIN /* some systems define this in <sys/param.h> */
#undef MIN
@@ -75,7 +76,6 @@ XGetDeviceButtonMapping(
{
int status = 0;
unsigned char mapping[256]; /* known fixed size */
- long nbytes;
XExtDisplayInfo *info = XInput_find_display(dpy);
register xGetDeviceButtonMappingReq *req;
@@ -92,13 +92,18 @@ XGetDeviceButtonMapping(
status = _XReply(dpy, (xReply *) & rep, 0, xFalse);
if (status == 1) {
- nbytes = (long)rep.length << 2;
- _XRead(dpy, (char *)mapping, nbytes);
-
- /* don't return more data than the user asked for. */
- if (rep.nElts)
- memcpy((char *)map, (char *)mapping, MIN((int)rep.nElts, nmap));
- status = rep.nElts;
+ if (rep.length <= (sizeof(mapping) >> 2)) {
+ unsigned long nbytes = rep.length << 2;
+ _XRead(dpy, (char *)mapping, nbytes);
+
+ /* don't return more data than the user asked for. */
+ if (rep.nElts)
+ memcpy(map, mapping, MIN((int)rep.nElts, nmap));
+ status = rep.nElts;
+ } else {
+ _XEatDataWords(dpy, rep.length);
+ status = 0;
+ }
} else
status = 0;
UnlockDisplay(dpy);
--
cgit v0.9.0.2-2-gbebe

113
x11/libXi/files/patch-src_XGetDCtl.c Normal file
View File

@ -0,0 +1,113 @@
From b0b13c12a8079a5a0e7f43b2b8983699057b2cec Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Mar 2013 06:55:23 +0000
Subject: integer overflow in XGetDeviceControl() [CVE-2013-1984 1/8]
If the number of valuators reported by the server is large enough that
it overflows when multiplied by the size of the appropriate struct, then
memory corruption can occur when more bytes are copied from the X server
reply than the size of the buffer we allocated to hold them.
v2: check that reply size fits inside the data read from the server, so
we don't read out of bounds either
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
diff --git a/src/XGetDCtl.c b/src/XGetDCtl.c
index f73a4e8..51ed0ae 100644
--- src/XGetDCtl.c
+++ src/XGetDCtl.c
@@ -61,6 +61,7 @@ SOFTWARE.
#include <X11/extensions/XInput.h>
#include <X11/extensions/extutil.h>
#include "XIint.h"
+#include <limits.h>
XDeviceControl *
XGetDeviceControl(
@@ -68,8 +69,6 @@ XGetDeviceControl(
XDevice *dev,
int control)
{
- int size = 0;
- int nbytes, i;
XDeviceControl *Device = NULL;
XDeviceControl *Sav = NULL;
xDeviceState *d = NULL;
@@ -92,8 +91,12 @@ XGetDeviceControl(
goto out;
if (rep.length > 0) {
- nbytes = (long)rep.length << 2;
- d = (xDeviceState *) Xmalloc((unsigned)nbytes);
+ unsigned long nbytes;
+ size_t size = 0;
+ if (rep.length < (INT_MAX >> 2)) {
+ nbytes = (unsigned long) rep.length << 2;
+ d = Xmalloc(nbytes);
+ }
if (!d) {
_XEatDataWords(dpy, rep.length);
goto out;
@@ -111,33 +114,46 @@ XGetDeviceControl(
case DEVICE_RESOLUTION:
{
xDeviceResolutionState *r;
+ size_t val_size;
r = (xDeviceResolutionState *) d;
- size += sizeof(XDeviceResolutionState) +
- (3 * sizeof(int) * r->num_valuators);
+ if (r->num_valuators >= (INT_MAX / (3 * sizeof(int))))
+ goto out;
+ val_size = 3 * sizeof(int) * r->num_valuators;
+ if ((sizeof(xDeviceResolutionState) + val_size) > nbytes)
+ goto out;
+ size += sizeof(XDeviceResolutionState) + val_size;
break;
}
case DEVICE_ABS_CALIB:
{
+ if (sizeof(xDeviceAbsCalibState) > nbytes)
+ goto out;
size += sizeof(XDeviceAbsCalibState);
break;
}
case DEVICE_ABS_AREA:
{
+ if (sizeof(xDeviceAbsAreaState) > nbytes)
+ goto out;
size += sizeof(XDeviceAbsAreaState);
break;
}
case DEVICE_CORE:
{
+ if (sizeof(xDeviceCoreState) > nbytes)
+ goto out;
size += sizeof(XDeviceCoreState);
break;
}
default:
+ if (d->length > nbytes)
+ goto out;
size += d->length;
break;
}
- Device = (XDeviceControl *) Xmalloc((unsigned)size);
+ Device = Xmalloc(size);
if (!Device)
goto out;
@@ -150,6 +166,7 @@ XGetDeviceControl(
int *iptr, *iptr2;
xDeviceResolutionState *r;
XDeviceResolutionState *R;
+ unsigned int i;
r = (xDeviceResolutionState *) d;
R = (XDeviceResolutionState *) Device;
--
cgit v0.9.0.2-2-gbebe

126
x11/libXi/files/patch-src_XGetDProp.c Normal file
View File

@ -0,0 +1,126 @@
From 17071c1c608247800b2ca03a35b1fcc9c4cabe6c Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Mar 2013 20:30:55 +0000
Subject: Avoid integer overflow in XGetDeviceProperties() [CVE-2013-1984 7/8]
If the number of items as reported by the Xserver is too large, it
could overflow the calculation for the size of the buffer to copy the
reply into, causing memory corruption.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
--- src/XGetDProp.c.orig 2010-09-07 05:21:05.000000000 +0000
+++ src/XGetDProp.c 2013-05-29 16:46:04.000000000 +0000
@@ -38,6 +38,7 @@ in this Software without prior written a
#include <X11/extensions/XInput.h>
#include <X11/extensions/extutil.h>
#include "XIint.h"
+#include <limits.h>
int
XGetDeviceProperty(Display* dpy, XDevice* dev,
@@ -48,7 +49,8 @@ XGetDeviceProperty(Display* dpy, XDevice
{
xGetDevicePropertyReq *req;
xGetDevicePropertyReply rep;
- long nbytes, rbytes;
+ unsigned long nbytes, rbytes;
+ int ret = Success;
XExtDisplayInfo *info = XInput_find_display(dpy);
@@ -81,30 +83,43 @@ XGetDeviceProperty(Display* dpy, XDevice
* data, but this last byte is null terminated and convenient for
* returning string properties, so the client doesn't then have to
* recopy the string to make it null terminated.
+ *
+ * Maximum item limits are set to both prevent integer overflow when
+ * calculating the amount of memory to malloc, and to limit how much
+ * memory will be used if a server provides an insanely high count.
*/
switch (rep.format) {
case 8:
- nbytes = rep.nItems;
- rbytes = rep.nItems + 1;
- if (rbytes > 0 &&
- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
- _XReadPad (dpy, (char *) *prop, nbytes);
+ if (rep.nItems < INT_MAX) {
+ nbytes = rep.nItems;
+ rbytes = rep.nItems + 1;
+ if ((*prop = Xmalloc (rbytes)))
+ _XReadPad (dpy, (char *) *prop, nbytes);
+ else
+ ret = BadAlloc;
+ }
break;
case 16:
- nbytes = rep.nItems << 1;
- rbytes = rep.nItems * sizeof (short) + 1;
- if (rbytes > 0 &&
- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
- _XRead16Pad (dpy, (short *) *prop, nbytes);
+ if (rep.nItems < (INT_MAX / sizeof (short))) {
+ nbytes = rep.nItems << 1;
+ rbytes = rep.nItems * sizeof (short) + 1;
+ if ((*prop = Xmalloc (rbytes)))
+ _XRead16Pad (dpy, (short *) *prop, nbytes);
+ else
+ ret = BadAlloc;
+ }
break;
case 32:
- nbytes = rep.nItems << 2;
- rbytes = rep.nItems * sizeof (long) + 1;
- if (rbytes > 0 &&
- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
- _XRead32 (dpy, (long *) *prop, nbytes);
+ if (rep.nItems < (INT_MAX / sizeof (long))) {
+ nbytes = rep.nItems << 2;
+ rbytes = rep.nItems * sizeof (long) + 1;
+ if ((*prop = Xmalloc (rbytes)))
+ _XRead32 (dpy, (long *) *prop, nbytes);
+ else
+ ret = BadAlloc;
+ }
break;
default:
@@ -112,17 +127,13 @@ XGetDeviceProperty(Display* dpy, XDevice
* This part of the code should never be reached. If it is,
* the server sent back a property with an invalid format.
*/
- nbytes = rep.length << 2;
- _XEatData(dpy, (unsigned long) nbytes);
- UnlockDisplay(dpy);
- SyncHandle();
- return(BadImplementation);
+ ret = BadImplementation;
}
if (! *prop) {
- _XEatData(dpy, (unsigned long) nbytes);
- UnlockDisplay(dpy);
- SyncHandle();
- return(BadAlloc);
+ _XEatDataWords(dpy, rep.length);
+ if (ret == Success)
+ ret = BadAlloc;
+ goto out;
}
(*prop)[rbytes - 1] = '\0';
}
@@ -131,9 +142,10 @@ XGetDeviceProperty(Display* dpy, XDevice
*actual_format = rep.format;
*nitems = rep.nItems;
*bytes_after = rep.bytesAfter;
+ out:
UnlockDisplay (dpy);
SyncHandle ();
- return Success;
+ return ret;
}

94
x11/libXi/files/patch-src_XGetFCtl.c Normal file
View File

@ -0,0 +1,94 @@
From 322ee3576789380222d4403366e4fd12fb24cb6a Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Mar 2013 06:55:23 +0000
Subject: integer overflow in XGetFeedbackControl() [CVE-2013-1984 2/8]
If the number of feedbacks reported by the server is large enough that
it overflows when multiplied by the size of the appropriate struct, or
if the total size of all the feedback structures overflows when added
together, then memory corruption can occur when more bytes are copied from
the X server reply than the size of the buffer we allocated to hold them.
v2: check that reply size fits inside the data read from the server, so
we don't read out of bounds either
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
diff --git a/src/XGetFCtl.c b/src/XGetFCtl.c
index 28fab4d..bb50bf3 100644
--- src/XGetFCtl.c
+++ src/XGetFCtl.c
@@ -61,6 +61,7 @@ SOFTWARE.
#include <X11/extensions/XInput.h>
#include <X11/extensions/extutil.h>
#include "XIint.h"
+#include <limits.h>
XFeedbackState *
XGetFeedbackControl(
@@ -68,8 +69,6 @@ XGetFeedbackControl(
XDevice *dev,
int *num_feedbacks)
{
- int size = 0;
- int nbytes, i;
XFeedbackState *Feedback = NULL;
XFeedbackState *Sav = NULL;
xFeedbackState *f = NULL;
@@ -91,9 +90,16 @@ XGetFeedbackControl(
goto out;
if (rep.length > 0) {
+ unsigned long nbytes;
+ size_t size = 0;
+ int i;
+
*num_feedbacks = rep.num_feedbacks;
- nbytes = (long)rep.length << 2;
- f = (xFeedbackState *) Xmalloc((unsigned)nbytes);
+
+ if (rep.length < (INT_MAX >> 2)) {
+ nbytes = rep.length << 2;
+ f = Xmalloc(nbytes);
+ }
if (!f) {
_XEatDataWords(dpy, rep.length);
goto out;
@@ -102,6 +108,10 @@ XGetFeedbackControl(
_XRead(dpy, (char *)f, nbytes);
for (i = 0; i < *num_feedbacks; i++) {
+ if (f->length > nbytes)
+ goto out;
+ nbytes -= f->length;
+
switch (f->class) {
case KbdFeedbackClass:
size += sizeof(XKbdFeedbackState);
@@ -116,6 +126,8 @@ XGetFeedbackControl(
{
xStringFeedbackState *strf = (xStringFeedbackState *) f;
+ if (strf->num_syms_supported >= (INT_MAX / sizeof(KeySym)))
+ goto out;
size += sizeof(XStringFeedbackState) +
(strf->num_syms_supported * sizeof(KeySym));
}
@@ -130,10 +142,12 @@ XGetFeedbackControl(
size += f->length;
break;
}
+ if (size > INT_MAX)
+ goto out;
f = (xFeedbackState *) ((char *)f + f->length);
}
- Feedback = (XFeedbackState *) Xmalloc((unsigned)size);
+ Feedback = Xmalloc(size);
if (!Feedback)
goto out;
--
cgit v0.9.0.2-2-gbebe

53
x11/libXi/files/patch-src_XGetProp.c Normal file
View File

@ -0,0 +1,53 @@
From 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Mar 2013 06:55:23 +0000
Subject: integer overflow in XGetDeviceDontPropagateList() [CVE-2013-1984 3/8]
If the number of event classes reported by the server is large enough
that it overflows when multiplied by the size of the appropriate struct,
then memory corruption can occur when more bytes are copied from the
X server reply than the size of the buffer we allocated to hold them.
V2: EatData if count is 0 but length is > 0 to avoid XIOErrors
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
(limited to 'src/XGetProp.c')
--- src/XGetProp.c.orig 2011-12-20 00:28:44.000000000 +0000
+++ src/XGetProp.c 2013-05-29 16:49:01.000000000 +0000
@@ -60,6 +60,7 @@ SOFTWARE.
#include <X11/extensions/XInput.h>
#include <X11/extensions/extutil.h>
#include "XIint.h"
+#include <limits.h>
XEventClass *
XGetDeviceDontPropagateList(
@@ -89,11 +90,11 @@ XGetDeviceDontPropagateList(
}
*count = rep.count;
- if (*count) {
- rlen = rep.length << 2;
- list = (XEventClass *) Xmalloc(rep.length * sizeof(XEventClass));
+ if (rep.length != 0) {
+ if ((rep.count != 0) && (rep.length < (INT_MAX / sizeof(XEventClass))))
+ list = Xmalloc(rep.length * sizeof(XEventClass));
if (list) {
- int i;
+ unsigned int i;
CARD32 ec;
/* read and assign each XEventClass separately because
@@ -105,7 +106,7 @@ XGetDeviceDontPropagateList(
list[i] = (XEventClass) ec;
}
} else
- _XEatData(dpy, (unsigned long)rlen);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay(dpy);

27
x11/libXi/files/patch-src_XIPassiveGrab.c Normal file
View File

@ -0,0 +1,27 @@
From 91434737f592e8f5cc1762383882a582b55fc03a Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Mar 2013 07:37:23 +0000
Subject: memory corruption in _XIPassiveGrabDevice() [CVE-2013-1998 2/3]
If the server returned more modifiers than the caller asked for,
we'd just keep copying past the end of the array provided by the
caller, writing over who-knows-what happened to be there.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
diff --git a/src/XIPassiveGrab.c b/src/XIPassiveGrab.c
index ac17c01..53b4084 100644
--- src/XIPassiveGrab.c
+++ src/XIPassiveGrab.c
@@ -88,7 +88,7 @@ _XIPassiveGrabDevice(Display* dpy, int deviceid, int grabtype, int detail,
return -1;
_XRead(dpy, (char*)failed_mods, reply.num_modifiers * sizeof(xXIGrabModifierInfo));
- for (i = 0; i < reply.num_modifiers; i++)
+ for (i = 0; i < reply.num_modifiers && i < num_modifiers; i++)
{
modifiers_inout[i].status = failed_mods[i].status;
modifiers_inout[i].modifiers = failed_mods[i].modifiers;
--
cgit v0.9.0.2-2-gbebe

52
x11/libXi/files/patch-src_XIProperties.c Normal file
View File

@ -0,0 +1,52 @@
From 242f92b490a695fbab244af5bad11b71f897c732 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Mar 2013 06:55:23 +0000
Subject: integer overflow in XIGetProperty() [CVE-2013-1984 5/8]
If the number of items reported by the server is large enough that
it overflows when multiplied by the size of the appropriate item type,
then memory corruption can occur when more bytes are copied from the
X server reply than the size of the buffer we allocated to hold them.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
diff --git a/src/XIProperties.c b/src/XIProperties.c
index 5e58fb6..32436d1 100644
--- src/XIProperties.c
+++ src/XIProperties.c
@@ -38,6 +38,7 @@
#include <X11/extensions/XInput2.h>
#include <X11/extensions/extutil.h>
#include "XIint.h"
+#include <limits.h>
Atom*
XIListProperties(Display* dpy, int deviceid, int *num_props_return)
@@ -170,7 +171,7 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset,
{
xXIGetPropertyReq *req;
xXIGetPropertyReply rep;
- long nbytes, rbytes;
+ unsigned long nbytes, rbytes;
XExtDisplayInfo *info = XInput_find_display(dpy);
@@ -216,9 +217,11 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset,
* recopy the string to make it null terminated.
*/
- nbytes = rep.num_items * rep.format/8;
- rbytes = nbytes + 1;
- *data = Xmalloc(rbytes);
+ if (rep.num_items < (INT_MAX / (rep.format/8))) {
+ nbytes = rep.num_items * rep.format/8;
+ rbytes = nbytes + 1;
+ *data = Xmalloc(rbytes);
+ }
if (!(*data)) {
_XEatDataWords(dpy, rep.length);
--
cgit v0.9.0.2-2-gbebe

85
x11/libXi/files/patch-src_XISelEv.c Normal file
View File

@ -0,0 +1,85 @@
From 528419b9ef437e7eeafb41bf45e8ff7d818bd845 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Mar 2013 06:55:23 +0000
Subject: integer overflow in XIGetSelectedEvents() [CVE-2013-1984 6/8]
If the number of events or masks reported by the server is large enough
that it overflows when multiplied by the size of the appropriate struct,
or the sizes overflow as they are totaled up, then memory corruption can
occur when more bytes are copied from the X server reply than the size
of the buffer we allocated to hold them.
v2: check that reply size fits inside the data read from the server,
so that we don't read out of bounds either
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
diff --git a/src/XISelEv.c b/src/XISelEv.c
index f871222..0471bef 100644
--- src/XISelEv.c
+++ src/XISelEv.c
@@ -42,6 +42,7 @@ in this Software without prior written authorization from the author.
#include <X11/extensions/ge.h>
#include <X11/extensions/geproto.h>
#include "XIint.h"
+#include <limits.h>
int
XISelectEvents(Display* dpy, Window win, XIEventMask* masks, int num_masks)
@@ -101,13 +102,14 @@ out:
XIEventMask*
XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return)
{
- int i, len = 0;
+ unsigned int i, len = 0;
unsigned char *mask;
XIEventMask *mask_out = NULL;
xXIEventMask *mask_in = NULL, *mi;
xXIGetSelectedEventsReq *req;
xXIGetSelectedEventsReply reply;
XExtDisplayInfo *info = XInput_find_display(dpy);
+ size_t rbytes;
*num_masks_return = -1;
LockDisplay(dpy);
@@ -129,11 +131,16 @@ XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return)
goto out;
}
- mask_in = Xmalloc(reply.length * 4);
- if (!mask_in)
+ if (reply.length < (INT_MAX >> 2)) {
+ rbytes = (unsigned long) reply.length << 2;
+ mask_in = Xmalloc(rbytes);
+ }
+ if (!mask_in) {
+ _XEatDataWords(dpy, reply.length);
goto out;
+ }
- _XRead(dpy, (char*)mask_in, reply.length * 4);
+ _XRead(dpy, (char*)mask_in, rbytes);
/*
* This function takes interleaved xXIEventMask structs & masks off
@@ -148,8 +155,14 @@ XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return)
for (i = 0, mi = mask_in; i < reply.num_masks; i++)
{
- len += mi->mask_len * 4;
- mi = (xXIEventMask*)((char*)mi + mi->mask_len * 4);
+ unsigned int mask_bytes = mi->mask_len * 4;
+ len += mask_bytes;
+ if (len > INT_MAX)
+ goto out;
+ if ((sizeof(xXIEventMask) + mask_bytes) > rbytes)
+ goto out;
+ rbytes -= (sizeof(xXIEventMask) + mask_bytes);
+ mi = (xXIEventMask*)((char*)mi + mask_bytes);
mi++;
}
--
cgit v0.9.0.2-2-gbebe

83
x11/libXi/files/patch-src_XListDev.c Normal file
View File

@ -0,0 +1,83 @@
From 81b4df8ac6aa1520c41c3526961014a6f115cc46 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Mar 2013 08:16:22 +0000
Subject: sign extension issue in XListInputDevices() [CVE-2013-1995]
nptr is (signed) char, which can be negative, and will sign extend
when added to the int size, which means size can be subtracted from,
leading to allocating too small a buffer to hold the data being copied
from the X server's reply.
v2: check that string size fits inside the data read from the server,
so that we don't read out of bounds either
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
diff --git a/src/XListDev.c b/src/XListDev.c
index 1c14b96..b85ff3c 100644
--- src/XListDev.c
+++ src/XListDev.c
@@ -73,7 +73,7 @@ static int pad_to_xid(int base_size)
return ((base_size + padsize - 1)/padsize) * padsize;
}
-static int
+static size_t
SizeClassInfo(xAnyClassPtr *any, int num_classes)
{
int size = 0;
@@ -170,7 +170,7 @@ XListInputDevices(
register Display *dpy,
int *ndevices)
{
- int size;
+ size_t size;
xListInputDevicesReq *req;
xListInputDevicesReply rep;
xDeviceInfo *list, *slist = NULL;
@@ -178,7 +178,7 @@ XListInputDevices(
XDeviceInfo *clist = NULL;
xAnyClassPtr any, sav_any;
XAnyClassPtr Any;
- char *nptr, *Nptr;
+ unsigned char *nptr, *Nptr;
int i;
unsigned long rlen;
XExtDisplayInfo *info = XInput_find_display(dpy);
@@ -217,9 +217,12 @@ XListInputDevices(
size += SizeClassInfo(&any, (int)list->num_classes);
}
- for (i = 0, nptr = (char *)any; i < *ndevices; i++) {
+ Nptr = ((unsigned char *)list) + rlen + 1;
+ for (i = 0, nptr = (unsigned char *)any; i < *ndevices; i++) {
size += *nptr + 1;
nptr += (*nptr + 1);
+ if (nptr > Nptr)
+ goto out;
}
clist = (XDeviceInfoPtr) Xmalloc(size);
@@ -245,8 +248,8 @@ XListInputDevices(
}
clist = sclist;
- nptr = (char *)any;
- Nptr = (char *)Any;
+ nptr = (unsigned char *)any;
+ Nptr = (unsigned char *)Any;
for (i = 0; i < *ndevices; i++, clist++) {
clist->name = (char *)Nptr;
memcpy(Nptr, nptr + 1, *nptr);
@@ -256,6 +259,7 @@ XListInputDevices(
}
}
+ out:
XFree((char *)slist);
UnlockDisplay(dpy);
SyncHandle();
--
cgit v0.9.0.2-2-gbebe

63
x11/libXi/files/patch-src_XQueryDv.c Normal file
View File

@ -0,0 +1,63 @@
From 5398ac0797f7516f2c9b8f2869a6c6d071437352 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 27 Apr 2013 05:48:36 +0000
Subject: unvalidated lengths in XQueryDeviceState() [CVE-2013-1998 3/3]
If the lengths given for each class state in the reply add up to more
than the rep.length, we could read past the end of the buffer allocated
to hold the data read from the server.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
diff --git a/src/XQueryDv.c b/src/XQueryDv.c
index 69c285b..3836777 100644
--- src/XQueryDv.c
+++ src/XQueryDv.c
@@ -59,6 +59,7 @@ SOFTWARE.
#include <X11/extensions/XInput.h>
#include <X11/extensions/extutil.h>
#include "XIint.h"
+#include <limits.h>
XDeviceState *
XQueryDeviceState(
@@ -66,8 +67,8 @@ XQueryDeviceState(
XDevice *dev)
{
int i, j;
- int rlen;
- int size = 0;
+ unsigned long rlen;
+ size_t size = 0;
xQueryDeviceStateReq *req;
xQueryDeviceStateReply rep;
XDeviceState *state = NULL;
@@ -87,9 +88,11 @@ XQueryDeviceState(
if (!_XReply(dpy, (xReply *) & rep, 0, xFalse))
goto out;
- rlen = rep.length << 2;
- if (rlen > 0) {
- data = Xmalloc(rlen);
+ if (rep.length > 0) {
+ if (rep.length < (INT_MAX >> 2)) {
+ rlen = (unsigned long) rep.length << 2;
+ data = Xmalloc(rlen);
+ }
if (!data) {
_XEatDataWords(dpy, rep.length);
goto out;
@@ -97,6 +100,10 @@ XQueryDeviceState(
_XRead(dpy, data, rlen);
for (i = 0, any = (XInputClass *) data; i < (int)rep.num_classes; i++) {
+ if (any->length > rlen)
+ goto out;
+ rlen -= any->length;
+
switch (any->class) {
case KeyClass:
size += sizeof(XKeyState);
--
cgit v0.9.0.2-2-gbebe

2
x11/libXinerama/Makefile
View File

@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= libXinerama
PORTVERSION= 1.1.2
PORTVERSION= 1.1.3
PORTEPOCH= 1
CATEGORIES= x11

4
x11/libXinerama/distinfo
View File

@ -1,2 +1,2 @@
SHA256 (xorg/lib/libXinerama-1.1.2.tar.bz2) = a4e77c2fd88372e4ae365f3ca0434a23613da96c5b359b1a64bf43614ec06aac
SIZE (xorg/lib/libXinerama-1.1.2.tar.bz2) = 279682
SHA256 (xorg/lib/libXinerama-1.1.3.tar.bz2) = 7a45699f1773095a3f821e491cbd5e10c887c5a5fce5d8d3fced15c2ff7698e2
SIZE (xorg/lib/libXinerama-1.1.3.tar.bz2) = 278026

2
x11/libXp/Makefile
View File

@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= libXp
PORTVERSION= 1.0.1
PORTVERSION= 1.0.2
PORTEPOCH= 1
CATEGORIES= x11

4
x11/libXp/distinfo
View File

@ -1,2 +1,2 @@
SHA256 (xorg/lib/libXp-1.0.1.tar.bz2) = 71d1f260005616d646b8c8788365f2b7d93911dac57bb53b65753d9f9e6443d2
SIZE (xorg/lib/libXp-1.0.1.tar.bz2) = 300427
SHA256 (xorg/lib/libXp-1.0.2.tar.bz2) = 952fe5b5e90abd2cf04739aef3a9b63a253cd9309ed066a82bab7ca9112fd0b5
SIZE (xorg/lib/libXp-1.0.2.tar.bz2) = 298632

2
x11/libXrandr/Makefile
View File

@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= libXrandr
PORTVERSION= 1.4.0
PORTVERSION= 1.4.1
CATEGORIES= x11
MAINTAINER= x11@FreeBSD.org

4
x11/libXrandr/distinfo
View File

@ -1,2 +1,2 @@
SHA256 (xorg/lib/libXrandr-1.4.0.tar.bz2) = 033ad0ac2f012afb05268660f6d78705c85f84689f92fa7b47ce12959b15f5c3
SIZE (xorg/lib/libXrandr-1.4.0.tar.bz2) = 306649
SHA256 (xorg/lib/libXrandr-1.4.1.tar.bz2) = d914a0490fd0a2ea6c3194505b5b28c56e2a277d8f4648b0275ee0ee370fb905
SIZE (xorg/lib/libXrandr-1.4.1.tar.bz2) = 312857

1
x11/libXrender/Makefile
View File

@ -3,6 +3,7 @@
PORTNAME= libXrender
PORTVERSION= 0.9.7
PORTREVISION= 1
CATEGORIES= x11
MAINTAINER= x11@FreeBSD.org

70
x11/libXrender/files/patch-src_Filter.c Normal file
View File

@ -0,0 +1,70 @@
--- src/Filter.c.orig 2013-06-03 19:11:25.000000000 +0000
+++ src/Filter.c 2013-06-03 19:11:31.000000000 +0000
@@ -25,6 +25,7 @@
#include <config.h>
#endif
#include "Xrenderint.h"
+#include <limits.h>
XFilters *
XRenderQueryFilters (Display *dpy, Drawable drawable)
@@ -37,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawa
char *name;
char len;
int i;
- long nbytes, nbytesAlias, nbytesName;
+ unsigned long nbytes, nbytesAlias, nbytesName;
if (!RenderHasExtension (info))
return NULL;
@@ -60,26 +61,36 @@ XRenderQueryFilters (Display *dpy, Drawa
SyncHandle ();
return NULL;
}
- /*
- * Compute total number of bytes for filter names
- */
- nbytes = (long)rep.length << 2;
- nbytesAlias = rep.numAliases * 2;
- if (rep.numAliases & 1)
- nbytesAlias += 2;
- nbytesName = nbytes - nbytesAlias;
/*
- * Allocate one giant block for the whole data structure
+ * Limit each component of combined size to 1/4 the max, which is far
+ * more than they should ever possibly need.
*/
- filters = Xmalloc (sizeof (XFilters) +
- rep.numFilters * sizeof (char *) +
- rep.numAliases * sizeof (short) +
- nbytesName);
+ if ((rep.length < (INT_MAX >> 2)) &&
+ (rep.numFilters < ((INT_MAX / 4) / sizeof (char *))) &&
+ (rep.numAliases < ((INT_MAX / 4) / sizeof (short)))) {
+ /*
+ * Compute total number of bytes for filter names
+ */
+ nbytes = (unsigned long)rep.length << 2;
+ nbytesAlias = rep.numAliases * 2;
+ if (rep.numAliases & 1)
+ nbytesAlias += 2;
+ nbytesName = nbytes - nbytesAlias;
+
+ /*
+ * Allocate one giant block for the whole data structure
+ */
+ filters = Xmalloc (sizeof (XFilters) +
+ (rep.numFilters * sizeof (char *)) +
+ (rep.numAliases * sizeof (short)) +
+ nbytesName);
+ } else
+ filters = NULL;
if (!filters)
{
- _XEatData (dpy, (unsigned long) rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return NULL;

114
x11/libXrender/files/patch-src_Xrender.c Normal file
View File

@ -0,0 +1,114 @@
--- src/Xrender.c.orig 2013-06-03 19:11:25.000000000 +0000
+++ src/Xrender.c 2013-06-03 19:11:34.000000000 +0000
@@ -26,6 +26,7 @@
#include <config.h>
#endif
#include "Xrenderint.h"
+#include <limits.h>
XRenderExtInfo XRenderExtensionInfo;
char XRenderExtensionName[] = RENDER_NAME;
@@ -411,8 +412,8 @@ XRenderQueryFormats (Display *dpy)
CARD32 *xSubpixel;
void *xData;
int nf, ns, nd, nv;
- int rlength;
- int nbytes;
+ unsigned long rlength;
+ unsigned long nbytes;
RenderCheckExtension (dpy, info, 0);
LockDisplay (dpy);
@@ -458,24 +459,35 @@ XRenderQueryFormats (Display *dpy)
if (async_state.major_version == 0 && async_state.minor_version < 6)
rep.numSubpixel = 0;
- xri = (XRenderInfo *) Xmalloc (sizeof (XRenderInfo) +
- rep.numFormats * sizeof (XRenderPictFormat) +
- rep.numScreens * sizeof (XRenderScreen) +
- rep.numDepths * sizeof (XRenderDepth) +
- rep.numVisuals * sizeof (XRenderVisual));
- rlength = (rep.numFormats * sizeof (xPictFormInfo) +
- rep.numScreens * sizeof (xPictScreen) +
- rep.numDepths * sizeof (xPictDepth) +
- rep.numVisuals * sizeof (xPictVisual) +
- rep.numSubpixel * 4);
- xData = (void *) Xmalloc (rlength);
- nbytes = (int) rep.length << 2;
+ if ((rep.numFormats < ((INT_MAX / 4) / sizeof (XRenderPictFormat))) &&
+ (rep.numScreens < ((INT_MAX / 4) / sizeof (XRenderScreen))) &&
+ (rep.numDepths < ((INT_MAX / 4) / sizeof (XRenderDepth))) &&
+ (rep.numVisuals < ((INT_MAX / 4) / sizeof (XRenderVisual))) &&
+ (rep.numSubpixel < ((INT_MAX / 4) / 4)) &&
+ (rep.length < (INT_MAX >> 2)) ) {
+ xri = Xmalloc (sizeof (XRenderInfo) +
+ (rep.numFormats * sizeof (XRenderPictFormat)) +
+ (rep.numScreens * sizeof (XRenderScreen)) +
+ (rep.numDepths * sizeof (XRenderDepth)) +
+ (rep.numVisuals * sizeof (XRenderVisual)));
+ rlength = ((rep.numFormats * sizeof (xPictFormInfo)) +
+ (rep.numScreens * sizeof (xPictScreen)) +
+ (rep.numDepths * sizeof (xPictDepth)) +
+ (rep.numVisuals * sizeof (xPictVisual)) +
+ (rep.numSubpixel * 4));
+ xData = Xmalloc (rlength);
+ nbytes = (unsigned long) rep.length << 2;
+ } else {
+ xri = NULL;
+ xData = NULL;
+ rlength = nbytes = 0;
+ }
if (!xri || !xData || nbytes < rlength)
{
if (xri) Xfree (xri);
if (xData) Xfree (xData);
- _XEatData (dpy, nbytes);
+ _XEatDataWords (dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return 0;
@@ -832,7 +844,7 @@ XRenderQueryPictIndexValues(Display *d
xRenderQueryPictIndexValuesReq *req;
xRenderQueryPictIndexValuesReply rep;
XIndexValue *values;
- int nbytes, nread, rlength, i;
+ unsigned int nbytes, nread, rlength, i;
RenderCheckExtension (dpy, info, NULL);
@@ -848,18 +860,25 @@ XRenderQueryPictIndexValues(Display *d
return NULL;
}
- /* request data length */
- nbytes = (long)rep.length << 2;
- /* bytes of actual data in the request */
- nread = rep.numIndexValues * SIZEOF (xIndexValue);
- /* size of array returned to application */
- rlength = rep.numIndexValues * sizeof (XIndexValue);
+ if ((rep.length < (INT_MAX >> 2)) &&
+ (rep.numIndexValues < (INT_MAX / sizeof (XIndexValue)))) {
+ /* request data length */
+ nbytes = rep.length << 2;
+ /* bytes of actual data in the request */
+ nread = rep.numIndexValues * SIZEOF (xIndexValue);
+ /* size of array returned to application */
+ rlength = rep.numIndexValues * sizeof (XIndexValue);
+
+ /* allocate returned data */
+ values = Xmalloc (rlength);
+ } else {
+ nbytes = nread = rlength = 0;
+ values = NULL;
+ }
- /* allocate returned data */
- values = (XIndexValue *)Xmalloc (rlength);
if (!values)
{
- _XEatData (dpy, nbytes);
+ _XEatDataWords (dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return NULL;

2
x11/libXres/Makefile
View File

@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= libXres
PORTVERSION= 1.0.6
PORTVERSION= 1.0.7
CATEGORIES= x11
MAINTAINER= x11@FreeBSD.org

4
x11/libXres/distinfo
View File

@ -1,2 +1,2 @@
SHA256 (xorg/lib/libXres-1.0.6.tar.bz2) = ff8661c925e8b182f98ae98f02bbd93c55259ef7f34a92c1a126b6074ebde890
SIZE (xorg/lib/libXres-1.0.6.tar.bz2) = 282035
SHA256 (xorg/lib/libXres-1.0.7.tar.bz2) = 26899054aa87f81b17becc68e8645b240f140464cf90c42616ebb263ec5fa0e5
SIZE (xorg/lib/libXres-1.0.7.tar.bz2) = 282925

2
x11/libXtst/Makefile
View File

@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= libXtst
PORTVERSION= 1.2.1
PORTVERSION= 1.2.2
CATEGORIES= x11
MAINTAINER= x11@FreeBSD.org

4
x11/libXtst/distinfo
View File

@ -1,2 +1,2 @@
SHA256 (xorg/lib/libXtst-1.2.1.tar.bz2) = 7eea3e66e392aca3f9dad6238198753c28e1c32fa4903cbb7739607a2504e5e0
SIZE (xorg/lib/libXtst-1.2.1.tar.bz2) = 313147
SHA256 (xorg/lib/libXtst-1.2.2.tar.bz2) = ef0a7ffd577e5f1a25b1663b375679529663a1880151beaa73e9186c8309f6d9
SIZE (xorg/lib/libXtst-1.2.2.tar.bz2) = 321784

2
x11/libXv/Makefile
View File

@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= libXv
PORTVERSION= 1.0.7
PORTVERSION= 1.0.8
PORTEPOCH= 1
CATEGORIES= x11

4
x11/libXv/distinfo
View File

@ -1,2 +1,2 @@
SHA256 (xorg/lib/libXv-1.0.7.tar.bz2) = 5d664aeb641f8c867331a0c6b4574a5e7e420f00bf5fcefd874e8d003ea59010
SIZE (xorg/lib/libXv-1.0.7.tar.bz2) = 285379
SHA256 (xorg/lib/libXv-1.0.8.tar.bz2) = 4f00eb5347390909cea4e53a69425839d2a6a44e0e0613321d59e7e4aeaf73d7
SIZE (xorg/lib/libXv-1.0.8.tar.bz2) = 308065

1
x11/libXv/pkg-plist
View File

@ -4,3 +4,4 @@ lib/libXv.la
lib/libXv.so
lib/libXv.so.1
libdata/pkgconfig/xv.pc
@dirrmtry include/X11/extensions

1
x11/libXvMC/Makefile
View File

@ -3,6 +3,7 @@
PORTNAME= libXvMC
PORTVERSION= 1.0.7
PORTREVISION= 1
CATEGORIES= x11
MAINTAINER= x11@FreeBSD.org

166
x11/libXvMC/files/patch-src_XvMC.c Normal file
View File

@ -0,0 +1,166 @@
--- src/XvMC.c.orig 2012-03-08 05:31:17.000000000 +0000
+++ src/XvMC.c 2013-06-03 19:17:33.000000000 +0000
@@ -16,6 +16,7 @@
#include <sys/time.h>
#include <X11/extensions/Xext.h>
#include <X11/extensions/extutil.h>
+#include <limits.h>
static XExtensionInfo _xvmc_info_data;
static XExtensionInfo *xvmc_info = &_xvmc_info_data;
@@ -111,8 +112,8 @@ XvMCSurfaceInfo * XvMCListSurfaceTypes(D
}
if(rep.num > 0) {
- surface_info =
- (XvMCSurfaceInfo*)Xmalloc(rep.num * sizeof(XvMCSurfaceInfo));
+ if (rep.num < (INT_MAX / sizeof(XvMCSurfaceInfo)))
+ surface_info = Xmalloc(rep.num * sizeof(XvMCSurfaceInfo));
if(surface_info) {
xvmcSurfaceInfo sinfo;
@@ -134,7 +135,7 @@ XvMCSurfaceInfo * XvMCListSurfaceTypes(D
surface_info[i].flags = sinfo.flags;
}
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay (dpy);
@@ -172,8 +173,8 @@ XvImageFormatValues * XvMCListSubpicture
}
if(rep.num > 0) {
- ret =
- (XvImageFormatValues*)Xmalloc(rep.num * sizeof(XvImageFormatValues));
+ if (rep.num < (INT_MAX / sizeof(XvImageFormatValues)))
+ ret = Xmalloc(rep.num * sizeof(XvImageFormatValues));
if(ret) {
xvImageFormatInfo Info;
@@ -207,7 +208,7 @@ XvImageFormatValues * XvMCListSubpicture
ret[i].scanline_order = Info.scanline_order;
}
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay (dpy);
@@ -273,12 +274,13 @@ Status _xvmc_create_context (
context->flags = rep.flags_return;
if(rep.length) {
- *priv_data = Xmalloc(rep.length << 2);
+ if (rep.length < (INT_MAX >> 2))
+ *priv_data = Xmalloc(rep.length << 2);
if(*priv_data) {
_XRead(dpy, (char*)(*priv_data), rep.length << 2);
*priv_count = rep.length;
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay (dpy);
@@ -354,12 +356,13 @@ Status _xvmc_create_surface (
}
if(rep.length) {
- *priv_data = Xmalloc(rep.length << 2);
+ if (rep.length < (INT_MAX >> 2))
+ *priv_data = Xmalloc(rep.length << 2);
if(*priv_data) {
_XRead(dpy, (char*)(*priv_data), rep.length << 2);
*priv_count = rep.length;
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay (dpy);
@@ -444,12 +447,13 @@ Status _xvmc_create_subpicture (
subpicture->component_order[3] = rep.component_order[3];
if(rep.length) {
- *priv_data = Xmalloc(rep.length << 2);
+ if (rep.length < (INT_MAX >> 2))
+ *priv_data = Xmalloc(rep.length << 2);
if(*priv_data) {
_XRead(dpy, (char*)(*priv_data), rep.length << 2);
*priv_count = rep.length;
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay (dpy);
@@ -484,7 +488,6 @@ Status XvMCGetDRInfo(Display *dpy, XvPor
XExtDisplayInfo *info = xvmc_find_display(dpy);
xvmcGetDRInfoReply rep;
xvmcGetDRInfoReq *req;
- char *tmpBuf = NULL;
CARD32 magic;
#ifdef HAVE_SHMAT
@@ -495,6 +498,9 @@ Status XvMCGetDRInfo(Display *dpy, XvPor
here.tz_dsttime = 0;
#endif
+ *name = NULL;
+ *busID = NULL;
+
XvMCCheckExtension (dpy, info, BadImplementation);
LockDisplay (dpy);
@@ -553,33 +559,33 @@ Status XvMCGetDRInfo(Display *dpy, XvPor
#endif
if (rep.length > 0) {
+ unsigned long realSize = 0;
+ char *tmpBuf = NULL;
- int realSize = rep.length << 2;
-
- tmpBuf = (char *) Xmalloc(realSize);
- if (tmpBuf) {
- *name = (char *) Xmalloc(rep.nameLen);
- if (*name) {
- *busID = (char *) Xmalloc(rep.busIDLen);
- if (! *busID) {
- XFree(*name);
- XFree(tmpBuf);
- }
- } else {
- XFree(tmpBuf);
+ if (rep.length < (INT_MAX >> 2)) {
+ realSize = rep.length << 2;
+ if (realSize >= (rep.nameLen + rep.busIDLen)) {
+ tmpBuf = Xmalloc(realSize);
+ *name = Xmalloc(rep.nameLen);
+ *busID = Xmalloc(rep.busIDLen);
}
}
if (*name && *busID && tmpBuf) {
-
_XRead(dpy, tmpBuf, realSize);
strncpy(*name,tmpBuf,rep.nameLen);
+ (*name)[rep.nameLen - 1] = '\0';
strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen);
+ (*busID)[rep.busIDLen - 1] = '\0';
XFree(tmpBuf);
-
} else {
+ XFree(*name);
+ *name = NULL;
+ XFree(*busID);
+ *busID = NULL;
+ XFree(tmpBuf);
- _XEatData(dpy, realSize);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return -1;

2
x11/libXxf86dga/Makefile
View File

@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= libXxf86dga
PORTVERSION= 1.1.3
PORTVERSION= 1.1.4
CATEGORIES= x11
MAINTAINER= x11@FreeBSD.org

4
x11/libXxf86dga/distinfo
View File

@ -1,2 +1,2 @@
SHA256 (xorg/lib/libXxf86dga-1.1.3.tar.bz2) = 551fa374dbef0f977de1f35d005fa9ffe92b7a87e82dbe62d6a4640f5b0b4994
SIZE (xorg/lib/libXxf86dga-1.1.3.tar.bz2) = 290347
SHA256 (xorg/lib/libXxf86dga-1.1.4.tar.bz2) = 8eecd4b6c1df9a3704c04733c2f4fa93ef469b55028af5510b25818e2456c77e
SIZE (xorg/lib/libXxf86dga-1.1.4.tar.bz2) = 280216

20
x11/libXxf86dga/files/patch-src_XF86DGA2.c
View File

@ -1,20 +0,0 @@
--- src/XF86DGA2.c.orig 2013-03-25 20:23:42.796859881 +0100
+++ src/XF86DGA2.c 2013-03-25 20:23:17.997856725 +0100
@@ -21,6 +21,8 @@
#include <X11/extensions/extutil.h>
#include <stdio.h>
+#include <stdint.h>
+
/* If you change this, change the Bases[] array below as well */
#define MAX_HEADS 16
@@ -928,7 +930,7 @@
if ((pMap->fd = open(name, O_RDWR)) < 0)
return False;
pMap->virtual = mmap(NULL, size, PROT_READ | PROT_WRITE,
- MAP_FILE | MAP_SHARED, pMap->fd, (off_t)base);
+ MAP_FILE | MAP_SHARED, pMap->fd, (off_t)(uintptr_t)base);
if (pMap->virtual == (void *)-1)
return False;
mprotect(pMap->virtual, size, PROT_READ | PROT_WRITE);

2
x11/libXxf86vm/Makefile
View File

@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= libXxf86vm
PORTVERSION= 1.1.2
PORTVERSION= 1.1.3
CATEGORIES= x11
MAINTAINER= x11@FreeBSD.org

4
x11/libXxf86vm/distinfo
View File

@ -1,2 +1,2 @@
SHA256 (xorg/lib/libXxf86vm-1.1.2.tar.bz2) = a564172fb866b1b587bbccb7d041088931029845245e0d15c32ca7f1bb48fc84
SIZE (xorg/lib/libXxf86vm-1.1.2.tar.bz2) = 284717
SHA256 (xorg/lib/libXxf86vm-1.1.3.tar.bz2) = da5e86c32ee2069b9e6d820e4c2e4242d4877cb155a2b2fbf2675a1480ec37b8
SIZE (xorg/lib/libXxf86vm-1.1.3.tar.bz2) = 284279

2
x11/libdmx/Makefile
View File

@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= libdmx
PORTVERSION= 1.1.2
PORTVERSION= 1.1.3
CATEGORIES= x11
MAINTAINER= x11@FreeBSD.org

4
x11/libdmx/distinfo
View File

@ -1,2 +1,2 @@
SHA256 (xorg/lib/libdmx-1.1.2.tar.bz2) = a7870b648a8768d65432af76dd11581ff69f3955118540d5967eb1eef43838ba
SIZE (xorg/lib/libdmx-1.1.2.tar.bz2) = 290694
SHA256 (xorg/lib/libdmx-1.1.3.tar.bz2) = c97da36d2e56a2d7b6e4f896241785acc95e97eb9557465fd66ba2a155a7b201
SIZE (xorg/lib/libdmx-1.1.3.tar.bz2) = 290859

4
x11/libxcb/Makefile
View File

@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= libxcb
PORTVERSION= 1.9
PORTVERSION= 1.9.1
CATEGORIES= x11 python
MASTER_SITES= http://xcb.freedesktop.org/dist/
@ -13,7 +13,6 @@ LICENSE= MIT
LICENSE_FILE= ${WRKSRC}/COPYING
BUILD_DEPENDS= ${LOCALBASE}/lib/libcheck.a:${PORTSDIR}/devel/libcheck \
xsltproc:${PORTSDIR}/textproc/libxslt \
xcb-proto>=1.7:${PORTSDIR}/x11/xcb-proto \
${LOCALBASE}/libdata/pkgconfig/pthread-stubs.pc:${PORTSDIR}/devel/libpthread-stubs
RUN_DEPENDS= ${LOCALBASE}/libdata/pkgconfig/pthread-stubs.pc:${PORTSDIR}/devel/libpthread-stubs
@ -22,6 +21,7 @@ CONFIGURE_ARGS+= --disable-build-docs --without-doxygen --enable-xinput
USE_BZIP2= yes
USES= pathfix
USE_GNOME= libxslt:build
USE_GMAKE= yes
USE_LDCONFIG= yes
USE_XORG= xau xdmcp

4
x11/libxcb/distinfo
View File

@ -1,2 +1,2 @@
SHA256 (libxcb-1.9.tar.bz2) = 8857e62b3aae2976c7e10043643e45a85964fd1dcb4469dfde0d04d3d1b12c96
SIZE (libxcb-1.9.tar.bz2) = 387612
SHA256 (libxcb-1.9.1.tar.bz2) = d44a5ff4eb0b9569e6f7183b51fdaf6f58da90e7d6bfc36b612d7263f83e362f
SIZE (libxcb-1.9.1.tar.bz2) = 373312