aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2013-05-27 13:40:42 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-05-27 14:06:57 +0000
commitdaf9b293c5e40e9edb1b89794e235f3dcbfe9917 (patch)
tree522f7bf0e5db70c20c9a57c614f7e0527f4f660c
parent9f6402e6a959d314a3a9d08b9bd824e5f3357f02 (diff)
downloadaports-daf9b293c5e40e9edb1b89794e235f3dcbfe9917.tar.bz2
aports-daf9b293c5e40e9edb1b89794e235f3dcbfe9917.tar.xz
ref #1931 fixes #1947
-rw-r--r--main/libxi/0001-Expand-comment-on-the-memory-vs.-reply-ordering-in-X.patch42
-rw-r--r--main/libxi/0002-Copy-the-sequence-number-into-the-target-event-too-6.patch86
-rw-r--r--main/libxi/0003-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch298
-rw-r--r--main/libxi/0004-Stack-buffer-overflow-in-XGetDeviceButtonMapping-CVE.patch68
-rw-r--r--main/libxi/0005-memory-corruption-in-_XIPassiveGrabDevice-CVE-2013-1.patch34
-rw-r--r--main/libxi/0006-unvalidated-lengths-in-XQueryDeviceState-CVE-2013-19.patch70
-rw-r--r--main/libxi/0007-integer-overflow-in-XGetDeviceControl-CVE-2013-1984-.patch120
-rw-r--r--main/libxi/0008-integer-overflow-in-XGetFeedbackControl-CVE-2013-198.patch101
-rw-r--r--main/libxi/0009-integer-overflow-in-XGetDeviceDontPropagateList-CVE-.patch52
-rw-r--r--main/libxi/0010-integer-overflow-in-XGetDeviceMotionEvents-CVE-2013-.patch70
-rw-r--r--main/libxi/0011-integer-overflow-in-XIGetProperty-CVE-2013-1984-5-8.patch59
-rw-r--r--main/libxi/0012-integer-overflow-in-XIGetSelectedEvents-CVE-2013-198.patch92
-rw-r--r--main/libxi/0013-Avoid-integer-overflow-in-XGetDeviceProperties-CVE-2.patch135
-rw-r--r--main/libxi/0014-Avoid-integer-overflow-in-XListInputDevices-CVE-2013.patch56
-rw-r--r--main/libxi/0015-sign-extension-issue-in-XListInputDevices-CVE-2013-1.patch94
-rw-r--r--main/libxi/0016-Don-t-overwrite-the-cookies-serial-number.patch35
-rw-r--r--main/libxi/APKBUILD66
17 files changed, 1466 insertions, 12 deletions
diff --git a/main/libxi/0001-Expand-comment-on-the-memory-vs.-reply-ordering-in-X.patch b/main/libxi/0001-Expand-comment-on-the-memory-vs.-reply-ordering-in-X.patch
new file mode 100644
index 0000000000..b6b21ce2ac
--- /dev/null
+++ b/main/libxi/0001-Expand-comment-on-the-memory-vs.-reply-ordering-in-X.patch
@@ -0,0 +1,42 @@
+From f32ad442c24f2407d3a14773201e9f8ec43a7bc6 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Mon, 29 Apr 2013 18:39:34 -0700
+Subject: [PATCH 1/3] Expand comment on the memory vs. reply ordering in
+ XIGetSelectedEvents()
+
+Unpacking from the wire involves un-interleaving the structs & masks,
+which wasn't obvious to me the first time I read it, so make notes
+before I forget again.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit bb82c72a1d69eaf60b7586570faf797df967f661)
+(cherry picked from commit 362c9058dcbeedacaae0190c279e076a5db1d564)
+---
+ src/XISelEv.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/XISelEv.c b/src/XISelEv.c
+index 3192b6b..bd5a29a 100644
+--- a/src/XISelEv.c
++++ b/src/XISelEv.c
+@@ -132,8 +132,14 @@ XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return)
+
+ _XRead(dpy, (char*)mask_in, reply.length * 4);
+
+- /* Memory layout of the XIEventMask for a 3 mask reply:
+- * [struct a][struct b][struct c][masks a][masks b][masks c]
++ /*
++ * This function takes interleaved xXIEventMask structs & masks off
++ * the wire, such as this 3 mask reply:
++ * [struct a][masks a][struct b][masks b][struct c][masks c]
++ * And generates a memory buffer to be returned to callers in which
++ * they are not interleaved, so that callers can treat the returned
++ * pointer as a simple array of XIEventMask structs, such as:
++ * [struct a][struct b][struct c][masks a][masks b][masks c]
+ */
+ len = reply.num_masks * sizeof(XIEventMask);
+
+--
+1.7.7.1
+
diff --git a/main/libxi/0002-Copy-the-sequence-number-into-the-target-event-too-6.patch b/main/libxi/0002-Copy-the-sequence-number-into-the-target-event-too-6.patch
new file mode 100644
index 0000000000..a41d773428
--- /dev/null
+++ b/main/libxi/0002-Copy-the-sequence-number-into-the-target-event-too-6.patch
@@ -0,0 +1,86 @@
+From 5594d848a60301243dff803bc0f5281405d28e5a Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Fri, 17 May 2013 09:07:44 +1000
+Subject: [PATCH 2/3] Copy the sequence number into the target event too
+ (#64687)
+
+X.Org Bug 64687 <http://bugs.freedesktop.org/show_bug.cgi?id=64687>
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Jasper St. Pierre <jstpierre@mecheye.net>
+(cherry picked from commit 5d43d4914dcabb6de69859567061e99300e56ef4)
+
+Conflicts:
+ src/XExtInt.c
+(cherry picked from commit 768c64aaf9d89b1b94f873c68b6b5b38a3af79fa)
+
+Conflicts:
+
+ src/XExtInt.c
+---
+ src/XExtInt.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/src/XExtInt.c b/src/XExtInt.c
+index 63afb8f..c7e6128 100644
+--- a/src/XExtInt.c
++++ b/src/XExtInt.c
+@@ -891,6 +891,7 @@ static void xge_copy_to_cookie(xGenericEvent* ev,
+ cookie->type = ev->type;
+ cookie->evtype = ev->evtype;
+ cookie->extension = ev->extension;
++ cookie->serial = ev->sequenceNumber;
+ }
+
+ static Bool
+@@ -1355,6 +1356,7 @@ wireToDeviceEvent(xXIDeviceEvent *in, XGenericEventCookie* cookie)
+ out = next_block(&ptr_lib, sizeof(XIDeviceEvent));
+ out->display = cookie->display;
+ out->type = in->type;
++ out->serial = in->sequenceNumber;
+ out->extension = in->extension;
+ out->evtype = in->evtype;
+ out->send_event = ((in->type & 0x80) != 0);
+@@ -1569,6 +1571,7 @@ wireToDeviceChangedEvent(xXIDeviceChangedEvent *in, XGenericEventCookie *cookie)
+ cookie->data = out = malloc(sizeof(XIDeviceChangedEvent) + len);
+
+ out->type = in->type;
++ out->serial = in->sequenceNumber;
+ out->display = cookie->display;
+ out->extension = in->extension;
+ out->evtype = in->evtype;
+@@ -1601,6 +1604,7 @@ wireToHierarchyChangedEvent(xXIHierarchyEvent *in, XGenericEventCookie *cookie)
+ out->info = (XIHierarchyInfo*)&out[1];
+ out->display = cookie->display;
+ out->type = in->type;
++ out->serial = in->sequenceNumber;
+ out->extension = in->extension;
+ out->evtype = in->evtype;
+ out->send_event = ((in->type & 0x80) != 0);
+@@ -1642,6 +1646,7 @@ wireToRawEvent(xXIRawEvent *in, XGenericEventCookie *cookie)
+
+ out = next_block(&ptr, sizeof(XIRawEvent));
+ out->type = in->type;
++ out->serial = in->sequenceNumber;
+ out->display = cookie->display;
+ out->extension = in->extension;
+ out->evtype = in->evtype;
+@@ -1687,6 +1692,7 @@ wireToEnterLeave(xXIEnterEvent *in, XGenericEventCookie *cookie)
+ out->buttons.mask = (unsigned char*)&out[1];
+
+ out->type = in->type;
++ out->serial = in->sequenceNumber;
+ out->display = cookie->display;
+ out->extension = in->extension;
+ out->evtype = in->evtype;
+@@ -1729,6 +1735,7 @@ wireToPropertyEvent(xXIPropertyEvent *in, XGenericEventCookie *cookie)
+ cookie->data = out;
+
+ out->type = in->type;
++ out->serial = in->sequenceNumber;
+ out->extension = in->extension;
+ out->evtype = in->evtype;
+ out->send_event = ((in->type & 0x80) != 0);
+--
+1.7.7.1
+
diff --git a/main/libxi/0003-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch b/main/libxi/0003-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
new file mode 100644
index 0000000000..4d3ae7627b
--- /dev/null
+++ b/main/libxi/0003-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
@@ -0,0 +1,298 @@
+From eb0cf9b0ba0ad213954a15c757932b8005bff99e Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Wed, 1 May 2013 23:58:39 -0700
+Subject: [PATCH 3/3] Use _XEatDataWords to avoid overflow of rep.length bit
+ shifting
+
+rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 59b8e1388a687f871831ac5a9e0ac11de75e2516)
+(cherry picked from commit 4579fadd11883c62db486ecc64c40342c2ab5506)
+---
+ configure.ac | 6 ++++++
+ src/XGMotion.c | 2 +-
+ src/XGetDCtl.c | 2 +-
+ src/XGetDProp.c | 5 ++---
+ src/XGetFCtl.c | 2 +-
+ src/XGetKMap.c | 2 +-
+ src/XGetMMap.c | 2 +-
+ src/XGetProp.c | 4 +---
+ src/XGtSelect.c | 2 +-
+ src/XIProperties.c | 7 +++----
+ src/XIint.h | 19 +++++++++++++++++++
+ src/XListDProp.c | 2 +-
+ src/XListDev.c | 2 +-
+ src/XOpenDev.c | 2 +-
+ src/XQueryDv.c | 2 +-
+ 15 files changed, 41 insertions(+), 20 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 9d5d5eb..3ffdef3 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -28,6 +28,12 @@ XORG_CHECK_MALLOC_ZERO
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XI, [xproto >= 7.0.13] [x11 >= 1.2.99.1] [xextproto >= 7.0.3] [xext >= 1.0.99.1] [inputproto >= 1.9.99.902])
+
++# Check for _XEatDataWords function that may be patched into older Xlib releases
++SAVE_LIBS="$LIBS"
++LIBS="$XI_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ # Check for xmlto and asciidoc for man page conversion
+ # (only needed by people building tarballs)
+ if test "$have_xmlto" = yes && test "$have_asciidoc" = yes; then
+diff --git a/src/XGMotion.c b/src/XGMotion.c
+index aee6671..f3b6751 100644
+--- a/src/XGMotion.c
++++ b/src/XGMotion.c
+@@ -109,7 +109,7 @@ XGetDeviceMotionEvents(
+ Xfree(bufp);
+ Xfree(savp);
+ *nEvents = 0;
+- _XEatData(dpy, (unsigned long)size);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return (NULL);
+diff --git a/src/XGetDCtl.c b/src/XGetDCtl.c
+index 729b0a0..a1e49ee 100644
+--- a/src/XGetDCtl.c
++++ b/src/XGetDCtl.c
+@@ -91,7 +91,7 @@ XGetDeviceControl(
+ nbytes = (long)rep.length << 2;
+ d = (xDeviceState *) Xmalloc((unsigned)nbytes);
+ if (!d) {
+- _XEatData(dpy, (unsigned long)nbytes);
++ _XEatDataWords(dpy, rep.length);
+ goto out;
+ }
+ sav = d;
+diff --git a/src/XGetDProp.c b/src/XGetDProp.c
+index 5d44f91..f9e8f0c 100644
+--- a/src/XGetDProp.c
++++ b/src/XGetDProp.c
+@@ -112,14 +112,13 @@ XGetDeviceProperty(Display* dpy, XDevice* dev,
+ * This part of the code should never be reached. If it is,
+ * the server sent back a property with an invalid format.
+ */
+- nbytes = rep.length << 2;
+- _XEatData(dpy, (unsigned long) nbytes);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return(BadImplementation);
+ }
+ if (! *prop) {
+- _XEatData(dpy, (unsigned long) nbytes);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return(BadAlloc);
+diff --git a/src/XGetFCtl.c b/src/XGetFCtl.c
+index 3d64404..5a05397 100644
+--- a/src/XGetFCtl.c
++++ b/src/XGetFCtl.c
+@@ -91,7 +91,7 @@ XGetFeedbackControl(
+ nbytes = (long)rep.length << 2;
+ f = (xFeedbackState *) Xmalloc((unsigned)nbytes);
+ if (!f) {
+- _XEatData(dpy, (unsigned long)nbytes);
++ _XEatDataWords(dpy, rep.length);
+ goto out;
+ }
+ sav = f;
+diff --git a/src/XGetKMap.c b/src/XGetKMap.c
+index 4596ff0..0f1d077 100644
+--- a/src/XGetKMap.c
++++ b/src/XGetKMap.c
+@@ -95,7 +95,7 @@ XGetDeviceKeyMapping(register Display * dpy, XDevice * dev,
+ if (mapping)
+ _XRead(dpy, (char *)mapping, nbytes);
+ else
+- _XEatData(dpy, (unsigned long)nbytes);
++ _XEatDataWords(dpy, rep.length);
+ }
+
+ UnlockDisplay(dpy);
+diff --git a/src/XGetMMap.c b/src/XGetMMap.c
+index a4bf094..a9b5950 100644
+--- a/src/XGetMMap.c
++++ b/src/XGetMMap.c
+@@ -89,7 +89,7 @@ XGetDeviceModifierMapping(
+ if (res->modifiermap)
+ _XReadPad(dpy, (char *)res->modifiermap, nbytes);
+ else
+- _XEatData(dpy, (unsigned long)nbytes);
++ _XEatDataWords(dpy, rep.length);
+ res->max_keypermod = rep.numKeyPerModifier;
+ }
+
+diff --git a/src/XGetProp.c b/src/XGetProp.c
+index 7ccf9fe..ca6f657 100644
+--- a/src/XGetProp.c
++++ b/src/XGetProp.c
+@@ -65,7 +65,6 @@ XGetDeviceDontPropagateList(
+ int *count)
+ {
+ XEventClass *list = NULL;
+- int rlen;
+ xGetDeviceDontPropagateListReq *req;
+ xGetDeviceDontPropagateListReply rep;
+ XExtDisplayInfo *info = XInput_find_display(dpy);
+@@ -87,7 +86,6 @@ XGetDeviceDontPropagateList(
+ *count = rep.count;
+
+ if (*count) {
+- rlen = rep.length << 2;
+ list = (XEventClass *) Xmalloc(rep.length * sizeof(XEventClass));
+ if (list) {
+ int i;
+@@ -102,7 +100,7 @@ XGetDeviceDontPropagateList(
+ list[i] = (XEventClass) ec;
+ }
+ } else
+- _XEatData(dpy, (unsigned long)rlen);
++ _XEatDataWords(dpy, rep.length);
+ }
+
+ UnlockDisplay(dpy);
+diff --git a/src/XGtSelect.c b/src/XGtSelect.c
+index dea8c4c..495e40b 100644
+--- a/src/XGtSelect.c
++++ b/src/XGtSelect.c
+@@ -101,7 +101,7 @@ XGetSelectedExtensionEvents(
+ (XEventClass *) Xmalloc(*this_client_count *
+ sizeof(XEventClass));
+ if (!*this_client_list) {
+- _XEatData(dpy, (unsigned long)tlen + alen);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return (Success);
+diff --git a/src/XIProperties.c b/src/XIProperties.c
+index 83a7a68..5e58fb6 100644
+--- a/src/XIProperties.c
++++ b/src/XIProperties.c
+@@ -64,7 +64,7 @@ XIListProperties(Display* dpy, int deviceid, int *num_props_return)
+ props = (Atom*)Xmalloc(rep.num_properties * sizeof(Atom));
+ if (!props)
+ {
+- _XEatData(dpy, rep.num_properties << 2);
++ _XEatDataWords(dpy, rep.length);
+ goto cleanup;
+ }
+
+@@ -203,8 +203,7 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset,
+ * This part of the code should never be reached. If it is,
+ * the server sent back a property with an invalid format.
+ */
+- nbytes = rep.length << 2;
+- _XEatData(dpy, nbytes);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return(BadImplementation);
+@@ -222,7 +221,7 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset,
+ *data = Xmalloc(rbytes);
+
+ if (!(*data)) {
+- _XEatData(dpy, nbytes);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return(BadAlloc);
+diff --git a/src/XIint.h b/src/XIint.h
+index b27f04a..5de4913 100644
+--- a/src/XIint.h
++++ b/src/XIint.h
+@@ -5,7 +5,12 @@
+
+ #ifndef _XIINT_H_
+ #define _XIINT_H_
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
+ #include <X11/extensions/XI.h>
++#include <config.h>
+
+ extern XExtDisplayInfo *XInput_find_display(Display *);
+
+@@ -65,4 +70,18 @@ next_block(void **ptr, int size) {
+ return ret;
+ }
+
++#ifndef HAVE__XEATDATAWORDS
++#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */
++#include <limits.h>
++
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++ if (n >= (ULONG_MAX >> 2))
++ _XIOError(dpy);
++# endif
++ _XEatData (dpy, n << 2);
++}
++#endif
++
+ #endif
+diff --git a/src/XListDProp.c b/src/XListDProp.c
+index 66b9eca..a87164d 100644
+--- a/src/XListDProp.c
++++ b/src/XListDProp.c
+@@ -65,7 +65,7 @@ XListDeviceProperties(Display* dpy, XDevice* dev, int *nprops_return)
+ props = (Atom*)Xmalloc(rep.nAtoms * sizeof(Atom));
+ if (!props)
+ {
+- _XEatData(dpy, rep.nAtoms << 2);
++ _XEatDataWords(dpy, rep.length);
+ goto cleanup;
+ }
+
+diff --git a/src/XListDev.c b/src/XListDev.c
+index c544ae0..ad8f548 100644
+--- a/src/XListDev.c
++++ b/src/XListDev.c
+@@ -187,7 +187,7 @@ XListInputDevices(
+ list = (xDeviceInfo *) Xmalloc(rlen);
+ slist = list;
+ if (!slist) {
+- _XEatData(dpy, (unsigned long)rlen);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return (XDeviceInfo *) NULL;
+diff --git a/src/XOpenDev.c b/src/XOpenDev.c
+index b50d5b0..e09ccbd 100644
+--- a/src/XOpenDev.c
++++ b/src/XOpenDev.c
+@@ -98,7 +98,7 @@ XOpenDevice(
+ if (rlen - dlen > 0)
+ _XEatData(dpy, (unsigned long)rlen - dlen);
+ } else
+- _XEatData(dpy, (unsigned long)rlen);
++ _XEatDataWords(dpy, rep.length);
+
+ UnlockDisplay(dpy);
+ SyncHandle();
+diff --git a/src/XQueryDv.c b/src/XQueryDv.c
+index 637d5cf..9ef0190 100644
+--- a/src/XQueryDv.c
++++ b/src/XQueryDv.c
+@@ -88,7 +88,7 @@ XQueryDeviceState(
+ if (rlen > 0) {
+ data = Xmalloc(rlen);
+ if (!data) {
+- _XEatData(dpy, (unsigned long)rlen);
++ _XEatDataWords(dpy, rep.length);
+ goto out;
+ }
+ _XRead(dpy, data, rlen);
+--
+1.7.7.1
+
diff --git a/main/libxi/0004-Stack-buffer-overflow-in-XGetDeviceButtonMapping-CVE.patch b/main/libxi/0004-Stack-buffer-overflow-in-XGetDeviceButtonMapping-CVE.patch
new file mode 100644
index 0000000000..c42dbd13f9
--- /dev/null
+++ b/main/libxi/0004-Stack-buffer-overflow-in-XGetDeviceButtonMapping-CVE.patch
@@ -0,0 +1,68 @@
+From 4384e622471dbdab88dd5dae28f9eecbfe79ddd8 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 9 Mar 2013 22:26:52 -0800
+Subject: [PATCH 04/16] Stack buffer overflow in XGetDeviceButtonMapping()
+ [CVE-2013-1998 1/3]
+
+We copy the entire reply sent by the server into the fixed size
+mapping[] array on the stack, even if the server says it's a larger
+size than the mapping array can hold. HULK SMASH STACK!
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit f3e08e4fbe40016484ba795feecf1a742170ffc1)
+(cherry picked from commit d7537ad6fba36af4536c576220c135a63507789c)
+---
+ src/XGetBMap.c | 21 +++++++++++++--------
+ 1 files changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/src/XGetBMap.c b/src/XGetBMap.c
+index 610795b..a37c714 100644
+--- a/src/XGetBMap.c
++++ b/src/XGetBMap.c
+@@ -56,6 +56,7 @@ SOFTWARE.
+ #include <X11/extensions/XInput.h>
+ #include <X11/extensions/extutil.h>
+ #include "XIint.h"
++#include <limits.h>
+
+ #ifdef MIN /* some systems define this in <sys/param.h> */
+ #undef MIN
+@@ -71,7 +72,6 @@ XGetDeviceButtonMapping(
+ {
+ int status = 0;
+ unsigned char mapping[256]; /* known fixed size */
+- long nbytes;
+ XExtDisplayInfo *info = XInput_find_display(dpy);
+
+ register xGetDeviceButtonMappingReq *req;
+@@ -88,13 +88,18 @@ XGetDeviceButtonMapping(
+
+ status = _XReply(dpy, (xReply *) & rep, 0, xFalse);
+ if (status == 1) {
+- nbytes = (long)rep.length << 2;
+- _XRead(dpy, (char *)mapping, nbytes);
+-
+- /* don't return more data than the user asked for. */
+- if (rep.nElts)
+- memcpy((char *)map, (char *)mapping, MIN((int)rep.nElts, nmap));
+- status = rep.nElts;
++ if (rep.length <= (sizeof(mapping) >> 2)) {
++ unsigned long nbytes = rep.length << 2;
++ _XRead(dpy, (char *)mapping, nbytes);
++
++ /* don't return more data than the user asked for. */
++ if (rep.nElts)
++ memcpy(map, mapping, MIN((int)rep.nElts, nmap));
++ status = rep.nElts;
++ } else {
++ _XEatDataWords(dpy, rep.length);
++ status = 0;
++ }
+ } else
+ status = 0;
+ UnlockDisplay(dpy);
+--
+1.7.7.1
+
diff --git a/main/libxi/0005-memory-corruption-in-_XIPassiveGrabDevice-CVE-2013-1.patch b/main/libxi/0005-memory-corruption-in-_XIPassiveGrabDevice-CVE-2013-1.patch
new file mode 100644
index 0000000000..76a7024a2d
--- /dev/null
+++ b/main/libxi/0005-memory-corruption-in-_XIPassiveGrabDevice-CVE-2013-1.patch
@@ -0,0 +1,34 @@
+From 894a5825df6b9389f677ecdf5950c712f2a2c890 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 9 Mar 2013 23:37:23 -0800
+Subject: [PATCH 05/16] memory corruption in _XIPassiveGrabDevice()
+ [CVE-2013-1998 2/3]
+
+If the server returned more modifiers than the caller asked for,
+we'd just keep copying past the end of the array provided by the
+caller, writing over who-knows-what happened to be there.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 91434737f592e8f5cc1762383882a582b55fc03a)
+(cherry picked from commit f0c0f2ff06c8f9ec36f3f344dda4bec71ca5698b)
+---
+ src/XIPassiveGrab.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/src/XIPassiveGrab.c b/src/XIPassiveGrab.c
+index 34f1bf3..c64f6ae 100644
+--- a/src/XIPassiveGrab.c
++++ b/src/XIPassiveGrab.c
+@@ -85,7 +85,7 @@ _XIPassiveGrabDevice(Display* dpy, int deviceid, int grabtype, int detail,
+ return -1;
+ _XRead(dpy, (char*)failed_mods, reply.num_modifiers * sizeof(xXIGrabModifierInfo));
+
+- for (i = 0; i < reply.num_modifiers; i++)
++ for (i = 0; i < reply.num_modifiers && i < num_modifiers; i++)
+ {
+ modifiers_inout[i].status = failed_mods[i].status;
+ modifiers_inout[i].modifiers = failed_mods[i].modifiers;
+--
+1.7.7.1
+
diff --git a/main/libxi/0006-unvalidated-lengths-in-XQueryDeviceState-CVE-2013-19.patch b/main/libxi/0006-unvalidated-lengths-in-XQueryDeviceState-CVE-2013-19.patch
new file mode 100644
index 0000000000..7b8680a6d4
--- /dev/null
+++ b/main/libxi/0006-unvalidated-lengths-in-XQueryDeviceState-CVE-2013-19.patch
@@ -0,0 +1,70 @@
+From ba6b8bc3413b4818d5c507421193eaa63e8a1ebe Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 26 Apr 2013 22:48:36 -0700
+Subject: [PATCH 06/16] unvalidated lengths in XQueryDeviceState()
+ [CVE-2013-1998 3/3]
+
+If the lengths given for each class state in the reply add up to more
+than the rep.length, we could read past the end of the buffer allocated
+to hold the data read from the server.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 5398ac0797f7516f2c9b8f2869a6c6d071437352)
+(cherry picked from commit 2736e93eb52109e5bab5bd14395142cc750f2614)
+---
+ src/XQueryDv.c | 17 ++++++++++++-----
+ 1 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/src/XQueryDv.c b/src/XQueryDv.c
+index 9ef0190..e9cdc55 100644
+--- a/src/XQueryDv.c
++++ b/src/XQueryDv.c
+@@ -56,6 +56,7 @@ SOFTWARE.
+ #include <X11/extensions/XInput.h>
+ #include <X11/extensions/extutil.h>
+ #include "XIint.h"
++#include <limits.h>
+
+ XDeviceState *
+ XQueryDeviceState(
+@@ -63,8 +64,8 @@ XQueryDeviceState(
+ XDevice *dev)
+ {
+ int i, j;
+- int rlen;
+- int size = 0;
++ unsigned long rlen;
++ size_t size = 0;
+ xQueryDeviceStateReq *req;
+ xQueryDeviceStateReply rep;
+ XDeviceState *state = NULL;
+@@ -84,9 +85,11 @@ XQueryDeviceState(
+ if (!_XReply(dpy, (xReply *) & rep, 0, xFalse))
+ goto out;
+
+- rlen = rep.length << 2;
+- if (rlen > 0) {
+- data = Xmalloc(rlen);
++ if (rep.length > 0) {
++ if (rep.length < (INT_MAX >> 2)) {
++ rlen = (unsigned long) rep.length << 2;
++ data = Xmalloc(rlen);
++ }
+ if (!data) {
+ _XEatDataWords(dpy, rep.length);
+ goto out;
+@@ -94,6 +97,10 @@ XQueryDeviceState(
+ _XRead(dpy, data, rlen);
+
+ for (i = 0, any = (XInputClass *) data; i < (int)rep.num_classes; i++) {
++ if (any->length > rlen)
++ goto out;
++ rlen -= any->length;
++
+ switch (any->class) {
+ case KeyClass:
+ size += sizeof(XKeyState);
+--
+1.7.7.1
+
diff --git a/main/libxi/0007-integer-overflow-in-XGetDeviceControl-CVE-2013-1984-.patch b/main/libxi/0007-integer-overflow-in-XGetDeviceControl-CVE-2013-1984-.patch
new file mode 100644
index 0000000000..5b7fa2532d
--- /dev/null
+++ b/main/libxi/0007-integer-overflow-in-XGetDeviceControl-CVE-2013-1984-.patch
@@ -0,0 +1,120 @@
+From 36d6ecb9bcbe8554ab01fe4a24a19462072fdd64 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 9 Mar 2013 22:55:23 -0800
+Subject: [PATCH 07/16] integer overflow in XGetDeviceControl() [CVE-2013-1984
+ 1/8]
+
+If the number of valuators reported by the server is large enough that
+it overflows when multiplied by the size of the appropriate struct, then
+memory corruption can occur when more bytes are copied from the X server
+reply than the size of the buffer we allocated to hold them.
+
+v2: check that reply size fits inside the data read from the server, so
+we don't read out of bounds either
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit b0b13c12a8079a5a0e7f43b2b8983699057b2cec)
+(cherry picked from commit e7ebe26edd40996a9b36b0c7a068728781eb41bb)
+---
+ src/XGetDCtl.c | 31 ++++++++++++++++++++++++-------
+ 1 files changed, 24 insertions(+), 7 deletions(-)
+
+diff --git a/src/XGetDCtl.c b/src/XGetDCtl.c
+index a1e49ee..66a7100 100644
+--- a/src/XGetDCtl.c
++++ b/src/XGetDCtl.c
+@@ -57,6 +57,7 @@ SOFTWARE.
+ #include <X11/extensions/XInput.h>
+ #include <X11/extensions/extutil.h>
+ #include "XIint.h"
++#include <limits.h>
+
+ XDeviceControl *
+ XGetDeviceControl(
+@@ -64,8 +65,6 @@ XGetDeviceControl(
+ XDevice *dev,
+ int control)
+ {
+- int size = 0;
+- int nbytes, i;
+ XDeviceControl *Device = NULL;
+ XDeviceControl *Sav = NULL;
+ xDeviceState *d = NULL;
+@@ -88,8 +87,12 @@ XGetDeviceControl(
+ goto out;
+
+ if (rep.length > 0) {
+- nbytes = (long)rep.length << 2;
+- d = (xDeviceState *) Xmalloc((unsigned)nbytes);
++ unsigned long nbytes;
++ size_t size = 0;
++ if (rep.length < (INT_MAX >> 2)) {
++ nbytes = (unsigned long) rep.length << 2;
++ d = Xmalloc(nbytes);
++ }
+ if (!d) {
+ _XEatDataWords(dpy, rep.length);
+ goto out;
+@@ -107,33 +110,46 @@ XGetDeviceControl(
+ case DEVICE_RESOLUTION:
+ {
+ xDeviceResolutionState *r;
++ size_t val_size;
+
+ r = (xDeviceResolutionState *) d;
+- size += sizeof(XDeviceResolutionState) +
+- (3 * sizeof(int) * r->num_valuators);
++ if (r->num_valuators >= (INT_MAX / (3 * sizeof(int))))
++ goto out;
++ val_size = 3 * sizeof(int) * r->num_valuators;
++ if ((sizeof(xDeviceResolutionState) + val_size) > nbytes)
++ goto out;
++ size += sizeof(XDeviceResolutionState) + val_size;
+ break;
+ }
+ case DEVICE_ABS_CALIB:
+ {
++ if (sizeof(xDeviceAbsCalibState) > nbytes)
++ goto out;
+ size += sizeof(XDeviceAbsCalibState);
+ break;
+ }
+ case DEVICE_ABS_AREA:
+ {
++ if (sizeof(xDeviceAbsAreaState) > nbytes)
++ goto out;
+ size += sizeof(XDeviceAbsAreaState);
+ break;
+ }
+ case DEVICE_CORE:
+ {
++ if (sizeof(xDeviceCoreState) > nbytes)
++ goto out;
+ size += sizeof(XDeviceCoreState);
+ break;
+ }
+ default:
++ if (d->length > nbytes)
++ goto out;
+ size += d->length;
+ break;
+ }
+
+- Device = (XDeviceControl *) Xmalloc((unsigned)size);
++ Device = Xmalloc(size);
+ if (!Device)
+ goto out;
+
+@@ -146,6 +162,7 @@ XGetDeviceControl(
+ int *iptr, *iptr2;
+ xDeviceResolutionState *r;
+ XDeviceResolutionState *R;
++ unsigned int i;
+
+ r = (xDeviceResolutionState *) d;
+ R = (XDeviceResolutionState *) Device;
+--
+1.7.7.1
+
diff --git a/main/libxi/0008-integer-overflow-in-XGetFeedbackControl-CVE-2013-198.patch b/main/libxi/0008-integer-overflow-in-XGetFeedbackControl-CVE-2013-198.patch
new file mode 100644
index 0000000000..b6cb05711a
--- /dev/null
+++ b/main/libxi/0008-integer-overflow-in-XGetFeedbackControl-CVE-2013-198.patch
@@ -0,0 +1,101 @@
+From 72afdb4d4c2bcc9064defd95680308f123c67afc Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 9 Mar 2013 22:55:23 -0800
+Subject: [PATCH 08/16] integer overflow in XGetFeedbackControl()
+ [CVE-2013-1984 2/8]
+
+If the number of feedbacks reported by the server is large enough that
+it overflows when multiplied by the size of the appropriate struct, or
+if the total size of all the feedback structures overflows when added
+together, then memory corruption can occur when more bytes are copied from
+the X server reply than the size of the buffer we allocated to hold them.
+
+v2: check that reply size fits inside the data read from the server, so
+ we don't read out of bounds either
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 322ee3576789380222d4403366e4fd12fb24cb6a)
+(cherry picked from commit bb14753444842d74de61293ba61863b6c8e12e22)
+---
+ src/XGetFCtl.c | 24 +++++++++++++++++++-----
+ 1 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/src/XGetFCtl.c b/src/XGetFCtl.c
+index 5a05397..e896c79 100644
+--- a/src/XGetFCtl.c
++++ b/src/XGetFCtl.c
+@@ -57,6 +57,7 @@ SOFTWARE.
+ #include <X11/extensions/XInput.h>
+ #include <X11/extensions/extutil.h>
+ #include "XIint.h"
++#include <limits.h>
+
+ XFeedbackState *
+ XGetFeedbackControl(
+@@ -64,8 +65,6 @@ XGetFeedbackControl(
+ XDevice *dev,
+ int *num_feedbacks)
+ {
+- int size = 0;
+- int nbytes, i;
+ XFeedbackState *Feedback = NULL;
+ XFeedbackState *Sav = NULL;
+ xFeedbackState *f = NULL;
+@@ -87,9 +86,16 @@ XGetFeedbackControl(
+ goto out;
+
+ if (rep.length > 0) {
++ unsigned long nbytes;
++ size_t size = 0;
++ int i;
++
+ *num_feedbacks = rep.num_feedbacks;
+- nbytes = (long)rep.length << 2;
+- f = (xFeedbackState *) Xmalloc((unsigned)nbytes);
++
++ if (rep.length < (INT_MAX >> 2)) {
++ nbytes = rep.length << 2;
++ f = Xmalloc(nbytes);
++ }
+ if (!f) {
+ _XEatDataWords(dpy, rep.length);
+ goto out;
+@@ -98,6 +104,10 @@ XGetFeedbackControl(
+ _XRead(dpy, (char *)f, nbytes);
+
+ for (i = 0; i < *num_feedbacks; i++) {
++ if (f->length > nbytes)
++ goto out;
++ nbytes -= f->length;
++
+ switch (f->class) {
+ case KbdFeedbackClass:
+ size += sizeof(XKbdFeedbackState);
+@@ -112,6 +122,8 @@ XGetFeedbackControl(
+ {
+ xStringFeedbackState *strf = (xStringFeedbackState *) f;
+
++ if (strf->num_syms_supported >= (INT_MAX / sizeof(KeySym)))
++ goto out;
+ size += sizeof(XStringFeedbackState) +
+ (strf->num_syms_supported * sizeof(KeySym));
+ }
+@@ -126,10 +138,12 @@ XGetFeedbackControl(
+ size += f->length;
+ break;
+ }
++ if (size > INT_MAX)
++ goto out;
+ f = (xFeedbackState *) ((char *)f + f->length);
+ }
+
+- Feedback = (XFeedbackState *) Xmalloc((unsigned)size);
++ Feedback = Xmalloc(size);
+ if (!Feedback)
+ goto out;
+
+--
+1.7.7.1
+
diff --git a/main/libxi/0009-integer-overflow-in-XGetDeviceDontPropagateList-CVE-.patch b/main/libxi/0009-integer-overflow-in-XGetDeviceDontPropagateList-CVE-.patch
new file mode 100644
index 0000000000..768b48be6f
--- /dev/null
+++ b/main/libxi/0009-integer-overflow-in-XGetDeviceDontPropagateList-CVE-.patch
@@ -0,0 +1,52 @@
+From b098d40cbd8b5e093e032063eefbf8d62daa7ce9 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 9 Mar 2013 22:55:23 -0800
+Subject: [PATCH 09/16] integer overflow in XGetDeviceDontPropagateList()
+ [CVE-2013-1984 3/8]
+
+If the number of event classes reported by the server is large enough
+that it overflows when multiplied by the size of the appropriate struct,
+then memory corruption can occur when more bytes are copied from the
+X server reply than the size of the buffer we allocated to hold them.
+
+V2: EatData if count is 0 but length is > 0 to avoid XIOErrors
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff)
+(cherry picked from commit 843e1e83de77df8e7e2fc0e992955871498e8432)
+---
+ src/XGetProp.c | 8 +++++---
+ 1 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/XGetProp.c b/src/XGetProp.c
+index ca6f657..1ddc4a3 100644
+--- a/src/XGetProp.c
++++ b/src/XGetProp.c
+@@ -57,6 +57,7 @@ SOFTWARE.
+ #include <X11/extensions/XInput.h>
+ #include <X11/extensions/extutil.h>
+ #include "XIint.h"
++#include <limits.h>
+
+ XEventClass *
+ XGetDeviceDontPropagateList(
+@@ -85,10 +86,11 @@ XGetDeviceDontPropagateList(
+ }
+ *count = rep.count;
+
+- if (*count) {
+- list = (XEventClass *) Xmalloc(rep.length * sizeof(XEventClass));
++ if (rep.length != 0) {
++ if ((rep.count != 0) && (rep.length < (INT_MAX / sizeof(XEventClass))))
++ list = Xmalloc(rep.length * sizeof(XEventClass));
+ if (list) {
+- int i;
++ unsigned int i;
+ CARD32 ec;
+
+ /* read and assign each XEventClass separately because
+--
+1.7.7.1
+
diff --git a/main/libxi/0010-integer-overflow-in-XGetDeviceMotionEvents-CVE-2013-.patch b/main/libxi/0010-integer-overflow-in-XGetDeviceMotionEvents-CVE-2013-.patch
new file mode 100644
index 0000000000..a54f186bbe
--- /dev/null
+++ b/main/libxi/0010-integer-overflow-in-XGetDeviceMotionEvents-CVE-2013-.patch
@@ -0,0 +1,70 @@
+From f51b6a628679cad8e116fa4380ea7fb492b91901 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 9 Mar 2013 22:55:23 -0800
+Subject: [PATCH 10/16] integer overflow in XGetDeviceMotionEvents()
+ [CVE-2013-1984 4/8]
+
+If the number of events or axes reported by the server is large enough
+that it overflows when multiplied by the size of the appropriate struct,
+then memory corruption can occur when more bytes are copied from the
+X server reply than the size of the buffer we allocated to hold them.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit bb922ed4253b35590f0369f32a917ff89ade0830)
+(cherry picked from commit b273909309cfdde0369ee728b17c15984eb84e49)
+---
+ src/XGMotion.c | 22 +++++++++++++++++-----
+ 1 files changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/src/XGMotion.c b/src/XGMotion.c
+index f3b6751..def83a1 100644
+--- a/src/XGMotion.c
++++ b/src/XGMotion.c
+@@ -56,6 +56,7 @@ SOFTWARE.
+ #include <X11/extensions/XInput.h>
+ #include <X11/extensions/extutil.h>
+ #include "XIint.h"
++#include <limits.h>
+
+ XDeviceTimeCoord *
+ XGetDeviceMotionEvents(
+@@ -71,7 +72,7 @@ XGetDeviceMotionEvents(
+ xGetDeviceMotionEventsReply rep;
+ XDeviceTimeCoord *tc;
+ int *data, *bufp, *readp, *savp;
+- long size, size2;
++ unsigned long size;
+ int i, j;
+ XExtDisplayInfo *info = XInput_find_display(dpy);
+
+@@ -101,10 +102,21 @@ XGetDeviceMotionEvents(
+ SyncHandle();
+ return (NULL);
+ }
+- size = rep.length << 2;
+- size2 = rep.nEvents * (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int)));
+- savp = readp = (int *)Xmalloc(size);
+- bufp = (int *)Xmalloc(size2);
++ if (rep.length < (INT_MAX >> 2)) {
++ size = rep.length << 2;
++ savp = readp = Xmalloc(size);
++ } else {
++ size = 0;
++ savp = readp = NULL;
++ }
++ /* rep.axes is a CARD8, so assume max number of axes for bounds check */
++ if (rep.nEvents <
++ (INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int))))) {
++ size_t bsize = rep.nEvents *
++ (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int)));
++ bufp = Xmalloc(bsize);
++ } else
++ bufp = NULL;
+ if (!bufp || !savp) {
+ Xfree(bufp);
+ Xfree(savp);
+--
+1.7.7.1
+
diff --git a/main/libxi/0011-integer-overflow-in-XIGetProperty-CVE-2013-1984-5-8.patch b/main/libxi/0011-integer-overflow-in-XIGetProperty-CVE-2013-1984-5-8.patch
new file mode 100644
index 0000000000..739b5ce401
--- /dev/null
+++ b/main/libxi/0011-integer-overflow-in-XIGetProperty-CVE-2013-1984-5-8.patch
@@ -0,0 +1,59 @@
+From dcb6742eea1e709aa1cc6d5cbbcfb5b060bb067c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 9 Mar 2013 22:55:23 -0800
+Subject: [PATCH 11/16] integer overflow in XIGetProperty() [CVE-2013-1984
+ 5/8]
+
+If the number of items reported by the server is large enough that
+it overflows when multiplied by the size of the appropriate item type,
+then memory corruption can occur when more bytes are copied from the
+X server reply than the size of the buffer we allocated to hold them.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 242f92b490a695fbab244af5bad11b71f897c732)
+(cherry picked from commit 6d992e2b31f58e716e63f9a1e5d910a66f51a11b)
+---
+ src/XIProperties.c | 11 +++++++----
+ 1 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/XIProperties.c b/src/XIProperties.c
+index 5e58fb6..32436d1 100644
+--- a/src/XIProperties.c
++++ b/src/XIProperties.c
+@@ -38,6 +38,7 @@
+ #include <X11/extensions/XInput2.h>
+ #include <X11/extensions/extutil.h>
+ #include "XIint.h"
++#include <limits.h>
+
+ Atom*
+ XIListProperties(Display* dpy, int deviceid, int *num_props_return)
+@@ -170,7 +171,7 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset,
+ {
+ xXIGetPropertyReq *req;
+ xXIGetPropertyReply rep;
+- long nbytes, rbytes;
++ unsigned long nbytes, rbytes;
+
+ XExtDisplayInfo *info = XInput_find_display(dpy);
+
+@@ -216,9 +217,11 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset,
+ * recopy the string to make it null terminated.
+ */
+
+- nbytes = rep.num_items * rep.format/8;
+- rbytes = nbytes + 1;
+- *data = Xmalloc(rbytes);
++ if (rep.num_items < (INT_MAX / (rep.format/8))) {
++ nbytes = rep.num_items * rep.format/8;
++ rbytes = nbytes + 1;
++ *data = Xmalloc(rbytes);
++ }
+
+ if (!(*data)) {
+ _XEatDataWords(dpy, rep.length);
+--
+1.7.7.1
+
diff --git a/main/libxi/0012-integer-overflow-in-XIGetSelectedEvents-CVE-2013-198.patch b/main/libxi/0012-integer-overflow-in-XIGetSelectedEvents-CVE-2013-198.patch
new file mode 100644
index 0000000000..f67862a23f
--- /dev/null
+++ b/main/libxi/0012-integer-overflow-in-XIGetSelectedEvents-CVE-2013-198.patch
@@ -0,0 +1,92 @@
+From 98861f0e2b4d7045430e7839a3aca12c6beaed56 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 9 Mar 2013 22:55:23 -0800
+Subject: [PATCH 12/16] integer overflow in XIGetSelectedEvents()
+ [CVE-2013-1984 6/8]
+
+If the number of events or masks reported by the server is large enough
+that it overflows when multiplied by the size of the appropriate struct,
+or the sizes overflow as they are totaled up, then memory corruption can
+occur when more bytes are copied from the X server reply than the size
+of the buffer we allocated to hold them.
+
+v2: check that reply size fits inside the data read from the server,
+ so that we don't read out of bounds either
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 528419b9ef437e7eeafb41bf45e8ff7d818bd845)
+(cherry picked from commit cabe9d3f00a28aa05dcb14c114196a30278b5e22)
+---
+ src/XISelEv.c | 25 +++++++++++++++++++------
+ 1 files changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/src/XISelEv.c b/src/XISelEv.c
+index bd5a29a..008ec60 100644
+--- a/src/XISelEv.c
++++ b/src/XISelEv.c
+@@ -39,6 +39,7 @@ in this Software without prior written authorization from the author.
+ #include <X11/extensions/ge.h>
+ #include <X11/extensions/geproto.h>
+ #include "XIint.h"
++#include <limits.h>
+
+ int
+ XISelectEvents(Display* dpy, Window win, XIEventMask* masks, int num_masks)
+@@ -98,13 +99,14 @@ out:
+ XIEventMask*
+ XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return)
+ {
+- int i, len = 0;
++ unsigned int i, len = 0;
+ unsigned char *mask;
+ XIEventMask *mask_out = NULL;
+ xXIEventMask *mask_in = NULL, *mi;
+ xXIGetSelectedEventsReq *req;
+ xXIGetSelectedEventsReply reply;
+ XExtDisplayInfo *info = XInput_find_display(dpy);
++ size_t rbytes;
+
+ *num_masks_return = -1;
+ LockDisplay(dpy);
+@@ -126,11 +128,16 @@ XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return)
+ goto out;
+ }
+
+- mask_in = Xmalloc(reply.length * 4);
+- if (!mask_in)
++ if (reply.length < (INT_MAX >> 2)) {
++ rbytes = (unsigned long) reply.length << 2;
++ mask_in = Xmalloc(rbytes);
++ }
++ if (!mask_in) {
++ _XEatDataWords(dpy, reply.length);
+ goto out;
++ }
+
+- _XRead(dpy, (char*)mask_in, reply.length * 4);
++ _XRead(dpy, (char*)mask_in, rbytes);
+
+ /*
+ * This function takes interleaved xXIEventMask structs & masks off
+@@ -145,8 +152,14 @@ XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return)
+
+ for (i = 0, mi = mask_in; i < reply.num_masks; i++)
+ {
+- len += mi->mask_len * 4;
+- mi = (xXIEventMask*)((char*)mi + mi->mask_len * 4);
++ unsigned int mask_bytes = mi->mask_len * 4;
++ len += mask_bytes;
++ if (len > INT_MAX)
++ goto out;
++ if ((sizeof(xXIEventMask) + mask_bytes) > rbytes)
++ goto out;
++ rbytes -= (sizeof(xXIEventMask) + mask_bytes);
++ mi = (xXIEventMask*)((char*)mi + mask_bytes);
+ mi++;
+ }
+
+--
+1.7.7.1
+
diff --git a/main/libxi/0013-Avoid-integer-overflow-in-XGetDeviceProperties-CVE-2.patch b/main/libxi/0013-Avoid-integer-overflow-in-XGetDeviceProperties-CVE-2.patch
new file mode 100644
index 0000000000..560f3d8d57
--- /dev/null
+++ b/main/libxi/0013-Avoid-integer-overflow-in-XGetDeviceProperties-CVE-2.patch
@@ -0,0 +1,135 @@
+From 873f86cb8b8fb5a1efabd8b39a50242ef093136f Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 10 Mar 2013 13:30:55 -0700
+Subject: [PATCH 13/16] Avoid integer overflow in XGetDeviceProperties()
+ [CVE-2013-1984 7/8]
+
+If the number of items as reported by the Xserver is too large, it
+could overflow the calculation for the size of the buffer to copy the
+reply into, causing memory corruption.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 17071c1c608247800b2ca03a35b1fcc9c4cabe6c)
+(cherry picked from commit 7be9dcc311e29ed326e53117904648cb51ee21df)
+---
+ src/XGetDProp.c | 61 +++++++++++++++++++++++++++++++++---------------------
+ 1 files changed, 37 insertions(+), 24 deletions(-)
+
+diff --git a/src/XGetDProp.c b/src/XGetDProp.c
+index f9e8f0c..3691122 100644
+--- a/src/XGetDProp.c
++++ b/src/XGetDProp.c
+@@ -38,6 +38,7 @@ in this Software without prior written authorization from the author.
+ #include <X11/extensions/XInput.h>
+ #include <X11/extensions/extutil.h>
+ #include "XIint.h"
++#include <limits.h>
+
+ int
+ XGetDeviceProperty(Display* dpy, XDevice* dev,
+@@ -48,7 +49,8 @@ XGetDeviceProperty(Display* dpy, XDevice* dev,
+ {
+ xGetDevicePropertyReq *req;
+ xGetDevicePropertyReply rep;
+- long nbytes, rbytes;
++ unsigned long nbytes, rbytes;
++ int ret = Success;
+
+ XExtDisplayInfo *info = XInput_find_display(dpy);
+
+@@ -81,30 +83,43 @@ XGetDeviceProperty(Display* dpy, XDevice* dev,
+ * data, but this last byte is null terminated and convenient for
+ * returning string properties, so the client doesn't then have to
+ * recopy the string to make it null terminated.
++ *
++ * Maximum item limits are set to both prevent integer overflow when
++ * calculating the amount of memory to malloc, and to limit how much
++ * memory will be used if a server provides an insanely high count.
+ */
+ switch (rep.format) {
+ case 8:
+- nbytes = rep.nItems;
+- rbytes = rep.nItems + 1;
+- if (rbytes > 0 &&
+- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
+- _XReadPad (dpy, (char *) *prop, nbytes);
++ if (rep.nItems < INT_MAX) {
++ nbytes = rep.nItems;
++ rbytes = rep.nItems + 1;
++ if ((*prop = Xmalloc (rbytes)))
++ _XReadPad (dpy, (char *) *prop, nbytes);
++ else
++ ret = BadAlloc;
++ }
+ break;
+
+ case 16:
+- nbytes = rep.nItems << 1;
+- rbytes = rep.nItems * sizeof (short) + 1;
+- if (rbytes > 0 &&
+- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
+- _XRead16Pad (dpy, (short *) *prop, nbytes);
++ if (rep.nItems < (INT_MAX / sizeof (short))) {
++ nbytes = rep.nItems << 1;
++ rbytes = rep.nItems * sizeof (short) + 1;
++ if ((*prop = Xmalloc (rbytes)))
++ _XRead16Pad (dpy, (short *) *prop, nbytes);
++ else
++ ret = BadAlloc;
++ }
+ break;
+
+ case 32:
+- nbytes = rep.nItems << 2;
+- rbytes = rep.nItems * sizeof (long) + 1;
+- if (rbytes > 0 &&
+- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
+- _XRead32 (dpy, (long *) *prop, nbytes);
++ if (rep.nItems < (INT_MAX / sizeof (long))) {
++ nbytes = rep.nItems << 2;
++ rbytes = rep.nItems * sizeof (long) + 1;
++ if ((*prop = Xmalloc (rbytes)))
++ _XRead32 (dpy, (long *) *prop, nbytes);
++ else
++ ret = BadAlloc;
++ }
+ break;
+
+ default:
+@@ -112,16 +127,13 @@ XGetDeviceProperty(Display* dpy, XDevice* dev,
+ * This part of the code should never be reached. If it is,
+ * the server sent back a property with an invalid format.
+ */
+- _XEatDataWords(dpy, rep.length);
+- UnlockDisplay(dpy);
+- SyncHandle();
+- return(BadImplementation);
++ ret = BadImplementation;
+ }
+ if (! *prop) {
+ _XEatDataWords(dpy, rep.length);
+- UnlockDisplay(dpy);
+- SyncHandle();
+- return(BadAlloc);
++ if (ret == Success)
++ ret = BadAlloc;
++ goto out;
+ }
+ (*prop)[rbytes - 1] = '\0';
+ }
+@@ -130,9 +142,10 @@ XGetDeviceProperty(Display* dpy, XDevice* dev,
+ *actual_format = rep.format;
+ *nitems = rep.nItems;
+ *bytes_after = rep.bytesAfter;
++ out:
+ UnlockDisplay (dpy);
+ SyncHandle ();
+
+- return Success;
++ return ret;
+ }
+
+--
+1.7.7.1
+
diff --git a/main/libxi/0014-Avoid-integer-overflow-in-XListInputDevices-CVE-2013.patch b/main/libxi/0014-Avoid-integer-overflow-in-XListInputDevices-CVE-2013.patch
new file mode 100644
index 0000000000..a5cd33fe15
--- /dev/null
+++ b/main/libxi/0014-Avoid-integer-overflow-in-XListInputDevices-CVE-2013.patch
@@ -0,0 +1,56 @@
+From cce662bb80060b6e45d32186d9bbdccf8ea1172d Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 10 Mar 2013 00:22:14 -0800
+Subject: [PATCH 14/16] Avoid integer overflow in XListInputDevices()
+ [CVE-2013-1984 8/8]
+
+If the length of the reply as reported by the Xserver is too long, it
+could overflow the calculation for the size of the buffer to copy the
+reply into, causing memory corruption.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit ef82512288d8ca36ac0beeb289f158195b0a8cae)
+(cherry picked from commit f888a17af24945e2b583625c7d85ebed1518fc05)
+---
+ src/XListDev.c | 10 ++++++----
+ 1 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/XListDev.c b/src/XListDev.c
+index ad8f548..d8abddb 100644
+--- a/src/XListDev.c
++++ b/src/XListDev.c
+@@ -57,6 +57,7 @@ SOFTWARE.
+ #include <X11/extensions/XInput.h>
+ #include <X11/extensions/extutil.h>
+ #include "XIint.h"
++#include <limits.h>
+
+ static int
+ SizeClassInfo(xAnyClassPtr *any, int num_classes)
+@@ -164,7 +165,7 @@ XListInputDevices(
+ XAnyClassPtr Any;
+ char *nptr, *Nptr;
+ int i;
+- long rlen;
++ unsigned long rlen;
+ XExtDisplayInfo *info = XInput_find_display(dpy);
+
+ LockDisplay(dpy);
+@@ -183,9 +184,10 @@ XListInputDevices(
+
+ if ((*ndevices = rep.ndevices)) { /* at least 1 input device */
+ size = *ndevices * sizeof(XDeviceInfo);
+- rlen = rep.length << 2; /* multiply length by 4 */
+- list = (xDeviceInfo *) Xmalloc(rlen);
+- slist = list;
++ if (rep.length < (INT_MAX >> 2)) {
++ rlen = rep.length << 2; /* multiply length by 4 */
++ slist = list = Xmalloc(rlen);
++ }
+ if (!slist) {
+ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay(dpy);
+--
+1.7.7.1
+
diff --git a/main/libxi/0015-sign-extension-issue-in-XListInputDevices-CVE-2013-1.patch b/main/libxi/0015-sign-extension-issue-in-XListInputDevices-CVE-2013-1.patch
new file mode 100644
index 0000000000..6e8187a90a
--- /dev/null
+++ b/main/libxi/0015-sign-extension-issue-in-XListInputDevices-CVE-2013-1.patch
@@ -0,0 +1,94 @@
+From 28a91c1944be8c8e8185eac5d75095ebd39339a6 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 10 Mar 2013 00:16:22 -0800
+Subject: [PATCH 15/16] sign extension issue in XListInputDevices()
+ [CVE-2013-1995]
+
+nptr is (signed) char, which can be negative, and will sign extend
+when added to the int size, which means size can be subtracted from,
+leading to allocating too small a buffer to hold the data being copied
+from the X server's reply.
+
+v2: check that string size fits inside the data read from the server,
+ so that we don't read out of bounds either
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 81b4df8ac6aa1520c41c3526961014a6f115cc46)
+(cherry picked from commit 62c1e47de0448242a0dd1f5226be93f92a06824f)
+
+Conflicts:
+
+ src/XListDev.c
+---
+ src/XListDev.c | 16 ++++++++++------
+ 1 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/XListDev.c b/src/XListDev.c
+index d8abddb..7f4538c 100644
+--- a/src/XListDev.c
++++ b/src/XListDev.c
+@@ -59,7 +59,7 @@ SOFTWARE.
+ #include "XIint.h"
+ #include <limits.h>
+
+-static int
++static size_t
+ SizeClassInfo(xAnyClassPtr *any, int num_classes)
+ {
+ int size = 0;
+@@ -155,7 +155,7 @@ XListInputDevices(
+ register Display *dpy,
+ int *ndevices)
+ {
+- int size;
++ size_t size;
+ xListInputDevicesReq *req;
+ xListInputDevicesReply rep;
+ xDeviceInfo *list, *slist = NULL;
+@@ -163,7 +163,7 @@ XListInputDevices(
+ XDeviceInfo *clist = NULL;
+ xAnyClassPtr any, sav_any;
+ XAnyClassPtr Any;
+- char *nptr, *Nptr;
++ unsigned char *nptr, *Nptr;
+ int i;
+ unsigned long rlen;
+ XExtDisplayInfo *info = XInput_find_display(dpy);
+@@ -202,9 +202,12 @@ XListInputDevices(
+ size += SizeClassInfo(&any, (int)list->num_classes);
+ }
+
+- for (i = 0, nptr = (char *)any; i < *ndevices; i++) {
++ Nptr = ((unsigned char *)list) + rlen + 1;
++ for (i = 0, nptr = (unsigned char *)any; i < *ndevices; i++) {
+ size += *nptr + 1;
+ nptr += (*nptr + 1);
++ if (nptr > Nptr)
++ goto out;
+ }
+
+ clist = (XDeviceInfoPtr) Xmalloc(size);
+@@ -230,8 +233,8 @@ XListInputDevices(
+ }
+
+ clist = sclist;
+- nptr = (char *)any;
+- Nptr = (char *)Any;
++ nptr = (unsigned char *)any;
++ Nptr = (unsigned char *)Any;
+ for (i = 0; i < *ndevices; i++, clist++) {
+ clist->name = (char *)Nptr;
+ memcpy(Nptr, nptr + 1, *nptr);
+@@ -241,6 +244,7 @@ XListInputDevices(
+ }
+ }
+
++ out:
+ XFree((char *)slist);
+ UnlockDisplay(dpy);
+ SyncHandle();
+--
+1.7.7.1
+
diff --git a/main/libxi/0016-Don-t-overwrite-the-cookies-serial-number.patch b/main/libxi/0016-Don-t-overwrite-the-cookies-serial-number.patch
new file mode 100644
index 0000000000..35aa49a3c8
--- /dev/null
+++ b/main/libxi/0016-Don-t-overwrite-the-cookies-serial-number.patch
@@ -0,0 +1,35 @@
+From d548f53eb7a79a244f458d7d4c306defe82ab1b7 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 21 May 2013 12:23:05 +1000
+Subject: [PATCH 16/16] Don't overwrite the cookies serial number
+
+serial != sequenceNumber, see _XSetLastRequestRead()
+
+cookie->serial is already set at this point, setting it again directly from
+the sequenceNumber of the event causes a bunch of weird issues such as
+scrollbars and text drag-n-drop breaking.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=965347
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 661c45ca17c434dbd342a46fd3fb813852ae0ca9)
+(cherry picked from commit 49307ef3e8b4a24b501729f0a9551d10cc53b9c5)
+---
+ src/XExtInt.c | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+diff --git a/src/XExtInt.c b/src/XExtInt.c
+index c7e6128..5fc7afc 100644
+--- a/src/XExtInt.c
++++ b/src/XExtInt.c
+@@ -891,7 +891,6 @@ static void xge_copy_to_cookie(xGenericEvent* ev,
+ cookie->type = ev->type;
+ cookie->evtype = ev->evtype;
+ cookie->extension = ev->extension;
+- cookie->serial = ev->sequenceNumber;
+ }
+
+ static Bool
+--
+1.7.7.1
+
diff --git a/main/libxi/APKBUILD b/main/libxi/APKBUILD
index c2c4ff10ff..a9d7032681 100644
--- a/main/libxi/APKBUILD
+++ b/main/libxi/APKBUILD
@@ -1,36 +1,78 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxi
pkgver=1.4.5
-pkgrel=0
+pkgrel=1
pkgdesc="X11 Input extension library"
url="http://xorg.freedesktop.org"
arch="all"
license="custom"
subpackages="$pkgname-dev $pkgname-doc"
depends=
+depends_dev="inputproto libx11-dev libxext-dev"
makedepends="
- inputproto
- libx11-dev
- libxext-dev
- pkgconfig
+ $depends_dev
xextproto
xproto
+ autoconf automake libtool util-macros
+ "
+source="http://xorg.freedesktop.org/releases/individual/lib/libXi-$pkgver.tar.bz2
+ 0001-Expand-comment-on-the-memory-vs.-reply-ordering-in-X.patch
+ 0002-Copy-the-sequence-number-into-the-target-event-too-6.patch
+ 0003-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
+ 0004-Stack-buffer-overflow-in-XGetDeviceButtonMapping-CVE.patch
+ 0005-memory-corruption-in-_XIPassiveGrabDevice-CVE-2013-1.patch
+ 0006-unvalidated-lengths-in-XQueryDeviceState-CVE-2013-19.patch
+ 0007-integer-overflow-in-XGetDeviceControl-CVE-2013-1984-.patch
+ 0008-integer-overflow-in-XGetFeedbackControl-CVE-2013-198.patch
+ 0009-integer-overflow-in-XGetDeviceDontPropagateList-CVE-.patch
+ 0010-integer-overflow-in-XGetDeviceMotionEvents-CVE-2013-.patch
+ 0011-integer-overflow-in-XIGetProperty-CVE-2013-1984-5-8.patch
+ 0012-integer-overflow-in-XIGetSelectedEvents-CVE-2013-198.patch
+ 0013-Avoid-integer-overflow-in-XGetDeviceProperties-CVE-2.patch
+ 0014-Avoid-integer-overflow-in-XListInputDevices-CVE-2013.patch
+ 0015-sign-extension-issue-in-XListInputDevices-CVE-2013-1.patch
+ 0016-Don-t-overwrite-the-cookies-serial-number.patch
"
-source="http://xorg.freedesktop.org/releases/individual/lib/libXi-$pkgver.tar.bz2"
-depends_dev="inputproto libx11-dev libxext-dev"
+
+_builddir="$srcdir"/libXi-$pkgver
+prepare() {
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+ libtoolize --force && aclocal && autoconf && autoheader \
+ && automake --add-missing
+}
-build ()
-{
- cd "$srcdir"/libXi-$pkgver
+build() {
+ cd "$_builddir"
./configure --prefix=/usr --sysconfdir=/etc || return 1
make || return 1
}
package() {
- cd "$srcdir"/libXi-$pkgver
+ cd "$_builddir"
make DESTDIR="$pkgdir" install || return 1
rm "$pkgdir"/usr/lib/*.la || return 1
install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
}
-md5sums="82dcdc76388116800a2c3ad969f510a4 libXi-1.4.5.tar.bz2"
+md5sums="82dcdc76388116800a2c3ad969f510a4 libXi-1.4.5.tar.bz2
+c0c052c5a0b6ff9b50f413cdc4bc8f5c 0001-Expand-comment-on-the-memory-vs.-reply-ordering-in-X.patch
+3a9c4bf6da4faee8aea8a3c17f1250a7 0002-Copy-the-sequence-number-into-the-target-event-too-6.patch
+2030ba2ffa05fc0003b8624d05768b22 0003-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
+cb0fbf3cdfef06a12db6ee8deaf1bdfe 0004-Stack-buffer-overflow-in-XGetDeviceButtonMapping-CVE.patch
+b29c53b3c77685c7a9e92ff164069a4c 0005-memory-corruption-in-_XIPassiveGrabDevice-CVE-2013-1.patch
+81780c4a48c3f16a3d08056e4b0f96a2 0006-unvalidated-lengths-in-XQueryDeviceState-CVE-2013-19.patch
+67cbebc59c86f8895a6d3f5ca2449e60 0007-integer-overflow-in-XGetDeviceControl-CVE-2013-1984-.patch
+901ddbf2c247fa31108f8b79c2228199 0008-integer-overflow-in-XGetFeedbackControl-CVE-2013-198.patch
+380f49370c6acab49a15d5be5ff629ad 0009-integer-overflow-in-XGetDeviceDontPropagateList-CVE-.patch
+11d6ff63524ffdbdbc64faa3cf6e7919 0010-integer-overflow-in-XGetDeviceMotionEvents-CVE-2013-.patch
+1a8a8af65af071ed2d03d89fe65d3f85 0011-integer-overflow-in-XIGetProperty-CVE-2013-1984-5-8.patch
+3d72dcd08c560d21efc8fa7a78b0d8e6 0012-integer-overflow-in-XIGetSelectedEvents-CVE-2013-198.patch
+057cf9b49f542ce5f5e006f3d4155bc4 0013-Avoid-integer-overflow-in-XGetDeviceProperties-CVE-2.patch
+bace284f9d20dee5fe6caf287fbfc024 0014-Avoid-integer-overflow-in-XListInputDevices-CVE-2013.patch
+40a7631fc06edd14c8ba9405c16ce1c6 0015-sign-extension-issue-in-XListInputDevices-CVE-2013-1.patch
+3e3bff61d4f9aabb5346dc4e47819921 0016-Don-t-overwrite-the-cookies-serial-number.patch"