aboutsummaryrefslogtreecommitdiffstats
path: root/main
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2013-06-06 16:11:30 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-06-06 16:11:30 +0000
commit1d7e3d391539e3d00b567b40ae2e6f66a96d4301 (patch)
treeb5c963e015e0c46a55181be9928c06be976c880a /main
parent35abd83d4097101fbeeb4a212526848d22ecfa55 (diff)
downloadaports-1d7e3d391539e3d00b567b40ae2e6f66a96d4301.tar.bz2
aports-1d7e3d391539e3d00b567b40ae2e6f66a96d4301.tar.xz
main/libxrandr: upgrade to 1.4.1
Diffstat (limited to 'main')
-rw-r--r--main/libxrandr/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch36
-rw-r--r--main/libxrandr/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch221
-rw-r--r--main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch60
-rw-r--r--main/libxrandr/0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch55
-rw-r--r--main/libxrandr/0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch81
-rw-r--r--main/libxrandr/0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch81
-rw-r--r--main/libxrandr/0007-Make-XRRGet-Property-always-initialize-returned-valu.patch74
-rw-r--r--main/libxrandr/APKBUILD42
8 files changed, 6 insertions, 644 deletions
diff --git a/main/libxrandr/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch b/main/libxrandr/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
deleted file mode 100644
index 8c5eccb9fe..0000000000
--- a/main/libxrandr/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 99a63d10cbbab7d69a52d25d78795a3278506ea9 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 18 Jan 2013 23:14:01 -0800
-Subject: [PATCH 1/7] Replace deprecated Automake INCLUDES variable with
- AM_CPPFLAGS
-
-Excerpt https://lists.gnu.org/archive/html/automake/2012-12/msg00038.html
-
- - Support for the long-deprecated INCLUDES variable will be removed
- altogether in Automake 1.14. The AM_CPPFLAGS variable should be
- used instead.
-
-This variable was deprecated in Automake releases prior to 1.10, which is
-the current minimum level required to build X.
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/Makefile.am | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/Makefile.am b/src/Makefile.am
-index 7a47b9c..2113846 100644
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -19,7 +19,7 @@ AM_CFLAGS = \
- $(MALLOC_ZERO_CFLAGS) \
- $(CWARNFLAGS)
-
--INCLUDES = -I$(top_srcdir)/include/X11/extensions
-+AM_CPPFLAGS = -I$(top_srcdir)/include/X11/extensions
-
- libXrandr_la_LDFLAGS = -version-number 2:2:0 -no-undefined
-
---
-1.8.2.3
-
diff --git a/main/libxrandr/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch b/main/libxrandr/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
deleted file mode 100644
index 4104b444eb..0000000000
--- a/main/libxrandr/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
+++ /dev/null
@@ -1,221 +0,0 @@
-From 1c7ad6773ce6be00dcd6e51e9be08f203abe5071 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 3 May 2013 23:29:22 -0700
-Subject: [PATCH 2/7] Use _XEatDataWords to avoid overflow of rep.length bit
- shifting
-
-rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- configure.ac | 6 ++++++
- src/Xrandrint.h | 13 +++++++++++++
- src/XrrCrtc.c | 6 +++---
- src/XrrOutput.c | 2 +-
- src/XrrProperty.c | 9 ++++-----
- src/XrrProvider.c | 4 ++--
- src/XrrProviderProperty.c | 9 ++++-----
- src/XrrScreen.c | 2 +-
- 8 files changed, 34 insertions(+), 17 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 3f28bef..8466999 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -55,6 +55,12 @@ AC_SUBST(RANDR_VERSION)
- # Obtain compiler/linker options for depedencies
- PKG_CHECK_MODULES(RANDR, x11 randrproto >= $RANDR_VERSION xext xextproto xrender renderproto)
-
-+# Check for _XEatDataWords function that may be patched into older Xlib release
-+SAVE_LIBS="$LIBS"
-+LIBS="$RANDR_LIBS"
-+AC_CHECK_FUNCS([_XEatDataWords])
-+LIBS="$SAVE_LIBS"
-+
- AC_CONFIG_FILES([Makefile
- src/Makefile
- man/Makefile
-diff --git a/src/Xrandrint.h b/src/Xrandrint.h
-index aed10e4..1687c29 100644
---- a/src/Xrandrint.h
-+++ b/src/Xrandrint.h
-@@ -42,6 +42,19 @@ extern char XRRExtensionName[];
-
- XExtDisplayInfo *XRRFindDisplay (Display *dpy);
-
-+#ifndef HAVE__XEATDATAWORDS
-+#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */
-+#include <limits.h>
-+
-+static inline void _XEatDataWords(Display *dpy, unsigned long n)
-+{
-+# ifndef LONG64
-+ if (n >= (ULONG_MAX >> 2))
-+ _XIOError(dpy);
-+# endif
-+ _XEatData (dpy, n << 2);
-+}
-+#endif
-
- /* deliberately opaque internal data structure; can be extended,
- but not reordered */
-diff --git a/src/XrrCrtc.c b/src/XrrCrtc.c
-index 04087c5..a704a52 100644
---- a/src/XrrCrtc.c
-+++ b/src/XrrCrtc.c
-@@ -74,7 +74,7 @@ XRRGetCrtcInfo (Display *dpy, XRRScreenResources *resources, RRCrtc crtc)
-
- xci = (XRRCrtcInfo *) Xmalloc(rbytes);
- if (xci == NULL) {
-- _XEatData (dpy, (unsigned long) nbytes);
-+ _XEatDataWords (dpy, rep.length);
- UnlockDisplay (dpy);
- SyncHandle ();
- return NULL;
-@@ -203,7 +203,7 @@ XRRGetCrtcGamma (Display *dpy, RRCrtc crtc)
-
- if (!crtc_gamma)
- {
-- _XEatData (dpy, (unsigned long) nbytes);
-+ _XEatDataWords (dpy, rep.length);
- goto out;
- }
- _XRead16 (dpy, crtc_gamma->red, rep.size * 2);
-@@ -397,7 +397,7 @@ XRRGetCrtcTransform (Display *dpy,
- int extraBytes = rep.length * 4 - CrtcTransformExtra;
- extra = Xmalloc (extraBytes);
- if (!extra) {
-- _XEatData (dpy, extraBytes);
-+ _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2));
- UnlockDisplay (dpy);
- SyncHandle ();
- return False;
-diff --git a/src/XrrOutput.c b/src/XrrOutput.c
-index f13a932..4df894e 100644
---- a/src/XrrOutput.c
-+++ b/src/XrrOutput.c
-@@ -81,7 +81,7 @@ XRRGetOutputInfo (Display *dpy, XRRScreenResources *resources, RROutput output)
-
- xoi = (XRROutputInfo *) Xmalloc(rbytes);
- if (xoi == NULL) {
-- _XEatData (dpy, (unsigned long) nbytes);
-+ _XEatDataWords (dpy, rep.length - (OutputInfoExtra >> 2));
- UnlockDisplay (dpy);
- SyncHandle ();
- return NULL;
-diff --git a/src/XrrProperty.c b/src/XrrProperty.c
-index 4c3fdb0..2b065b2 100644
---- a/src/XrrProperty.c
-+++ b/src/XrrProperty.c
-@@ -62,7 +62,7 @@ XRRListOutputProperties (Display *dpy, RROutput output, int *nprop)
-
- props = (Atom *) Xmalloc (rbytes);
- if (props == NULL) {
-- _XEatData (dpy, nbytes);
-+ _XEatDataWords (dpy, rep.length);
- UnlockDisplay (dpy);
- SyncHandle ();
- *nprop = 0;
-@@ -107,7 +107,7 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property)
-
- prop_info = (XRRPropertyInfo *) Xmalloc (rbytes);
- if (prop_info == NULL) {
-- _XEatData (dpy, nbytes);
-+ _XEatDataWords(dpy, rep.length);
- UnlockDisplay (dpy);
- SyncHandle ();
- return NULL;
-@@ -313,14 +313,13 @@ XRRGetOutputProperty (Display *dpy, RROutput output,
- * This part of the code should never be reached. If it is,
- * the server sent back a property with an invalid format.
- */
-- nbytes = rep.length << 2;
-- _XEatData(dpy, (unsigned long) nbytes);
-+ _XEatDataWords(dpy, rep.length);
- UnlockDisplay(dpy);
- SyncHandle();
- return(BadImplementation);
- }
- if (! *prop) {
-- _XEatData(dpy, (unsigned long) nbytes);
-+ _XEatDataWords(dpy, rep.length);
- UnlockDisplay(dpy);
- SyncHandle();
- return(BadAlloc);
-diff --git a/src/XrrProvider.c b/src/XrrProvider.c
-index fcd06ff..309e321 100644
---- a/src/XrrProvider.c
-+++ b/src/XrrProvider.c
-@@ -67,7 +67,7 @@ XRRGetProviderResources(Display *dpy, Window window)
- xrpr = (XRRProviderResources *) Xmalloc(rbytes);
-
- if (xrpr == NULL) {
-- _XEatData (dpy, (unsigned long) nbytes);
-+ _XEatDataWords (dpy, rep.length);
- UnlockDisplay (dpy);
- SyncHandle ();
- return NULL;
-@@ -136,7 +136,7 @@ XRRGetProviderInfo(Display *dpy, XRRScreenResources *resources, RRProvider provi
-
- xpi = (XRRProviderInfo *)Xmalloc(rbytes);
- if (xpi == NULL) {
-- _XEatData (dpy, (unsigned long) nbytes);
-+ _XEatDataWords (dpy, rep.length - (ProviderInfoExtra >> 2));
- UnlockDisplay (dpy);
- SyncHandle ();
- return NULL;
-diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c
-index c8c08e9..2d90a0a 100644
---- a/src/XrrProviderProperty.c
-+++ b/src/XrrProviderProperty.c
-@@ -62,7 +62,7 @@ XRRListProviderProperties (Display *dpy, RRProvider provider, int *nprop)
-
- props = (Atom *) Xmalloc (rbytes);
- if (props == NULL) {
-- _XEatData (dpy, nbytes);
-+ _XEatDataWords (dpy, rep.length);
- UnlockDisplay (dpy);
- SyncHandle ();
- *nprop = 0;
-@@ -107,7 +107,7 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property)
-
- prop_info = (XRRPropertyInfo *) Xmalloc (rbytes);
- if (prop_info == NULL) {
-- _XEatData (dpy, nbytes);
-+ _XEatDataWords (dpy, rep.length);
- UnlockDisplay (dpy);
- SyncHandle ();
- return NULL;
-@@ -313,14 +313,13 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider,
- * This part of the code should never be reached. If it is,
- * the server sent back a property with an invalid format.
- */
-- nbytes = rep.length << 2;
-- _XEatData(dpy, (unsigned long) nbytes);
-+ _XEatDataWords(dpy, rep.length);
- UnlockDisplay(dpy);
- SyncHandle();
- return(BadImplementation);
- }
- if (! *prop) {
-- _XEatData(dpy, (unsigned long) nbytes);
-+ _XEatDataWords(dpy, rep.length);
- UnlockDisplay(dpy);
- SyncHandle();
- return(BadAlloc);
-diff --git a/src/XrrScreen.c b/src/XrrScreen.c
-index f830913..08710b6 100644
---- a/src/XrrScreen.c
-+++ b/src/XrrScreen.c
-@@ -129,7 +129,7 @@ doGetScreenResources (Display *dpy, Window window, int poll)
- if (xrsr == NULL || wire_names == NULL) {
- if (xrsr) Xfree (xrsr);
- if (wire_names) Xfree (wire_names);
-- _XEatData (dpy, (unsigned long) nbytes);
-+ _XEatDataWords (dpy, rep.length);
- UnlockDisplay (dpy);
- SyncHandle ();
- return NULL;
---
-1.8.2.3
-
diff --git a/main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch b/main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch
deleted file mode 100644
index 0d07f5459d..0000000000
--- a/main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 0e79d96c36aef5889ae2e2a3fc2e96e93f30dc21 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 12 Apr 2013 21:44:59 -0700
-Subject: [PATCH 3/7] integer overflow in XRRQueryOutputProperty()
- [CVE-2013-1986 1/4]
-
-rep.length is a CARD32, while rbytes was a signed int, so
- rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
-could result in integer overflow, leading to an undersized malloc
-and reading data off the connection and writing it past the end of
-the allocated buffer.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/XrrProperty.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/src/XrrProperty.c b/src/XrrProperty.c
-index 2b065b2..50382bf 100644
---- a/src/XrrProperty.c
-+++ b/src/XrrProperty.c
-@@ -31,6 +31,7 @@
- #include <X11/extensions/render.h>
- #include <X11/extensions/Xrender.h>
- #include "Xrandrint.h"
-+#include <limits.h>
-
- Atom *
- XRRListOutputProperties (Display *dpy, RROutput output, int *nprop)
-@@ -84,7 +85,7 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property)
- XExtDisplayInfo *info = XRRFindDisplay(dpy);
- xRRQueryOutputPropertyReply rep;
- xRRQueryOutputPropertyReq *req;
-- int rbytes, nbytes;
-+ unsigned int rbytes, nbytes;
- XRRPropertyInfo *prop_info;
-
- RRCheckExtension (dpy, info, NULL);
-@@ -102,10 +103,14 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property)
- return NULL;
- }
-
-- rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
-- nbytes = rep.length << 2;
-+ if (rep.length < ((INT_MAX / sizeof(long)) - sizeof (XRRPropertyInfo))) {
-+ rbytes = sizeof (XRRPropertyInfo) + (rep.length * sizeof (long));
-+ nbytes = rep.length << 2;
-+
-+ prop_info = Xmalloc (rbytes);
-+ } else
-+ prop_info = NULL;
-
-- prop_info = (XRRPropertyInfo *) Xmalloc (rbytes);
- if (prop_info == NULL) {
- _XEatDataWords(dpy, rep.length);
- UnlockDisplay (dpy);
---
-1.8.2.3
-
diff --git a/main/libxrandr/0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch b/main/libxrandr/0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch
deleted file mode 100644
index d55f91def0..0000000000
--- a/main/libxrandr/0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 1da5b838c2a8565d4d95a4e948f951ce6b466345 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 12 Apr 2013 21:44:59 -0700
-Subject: [PATCH 4/7] integer overflow in XRRQueryProviderProperty()
- [CVE-2013-1986 2/4]
-
-Same problem as XRRQueryOutputProperty() that it was cloned from
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/XrrProviderProperty.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c
-index 2d90a0a..dc699f6 100644
---- a/src/XrrProviderProperty.c
-+++ b/src/XrrProviderProperty.c
-@@ -31,6 +31,7 @@
- #include <X11/extensions/render.h>
- #include <X11/extensions/Xrender.h>
- #include "Xrandrint.h"
-+#include <limits.h>
-
- Atom *
- XRRListProviderProperties (Display *dpy, RRProvider provider, int *nprop)
-@@ -84,7 +85,7 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property)
- XExtDisplayInfo *info = XRRFindDisplay(dpy);
- xRRQueryProviderPropertyReply rep;
- xRRQueryProviderPropertyReq *req;
-- int rbytes, nbytes;
-+ unsigned int rbytes, nbytes;
- XRRPropertyInfo *prop_info;
-
- RRCheckExtension (dpy, info, NULL);
-@@ -102,10 +103,14 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property)
- return NULL;
- }
-
-- rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
-- nbytes = rep.length << 2;
-+ if (rep.length < ((INT_MAX / sizeof(long)) - sizeof (XRRPropertyInfo))) {
-+ rbytes = sizeof (XRRPropertyInfo) + (rep.length * sizeof (long));
-+ nbytes = rep.length << 2;
-+
-+ prop_info = Xmalloc (rbytes);
-+ } else
-+ prop_info = NULL;
-
-- prop_info = (XRRPropertyInfo *) Xmalloc (rbytes);
- if (prop_info == NULL) {
- _XEatDataWords (dpy, rep.length);
- UnlockDisplay (dpy);
---
-1.8.2.3
-
diff --git a/main/libxrandr/0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch b/main/libxrandr/0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch
deleted file mode 100644
index 225924c639..0000000000
--- a/main/libxrandr/0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 289a1927949e6f278c18d115772e454837702e35 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 4 May 2013 21:37:49 -0700
-Subject: [PATCH 5/7] integer overflow in XRRGetOutputProperty() [CVE-2013-1986
- 3/4]
-
-If the reported number of properties is too large, the calculations
-to allocate memory for them may overflow, leaving us returning less
-memory to the caller than implied by the value written to *nitems.
-
-(Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel)
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/XrrProperty.c | 22 ++++++++++++++--------
- 1 file changed, 14 insertions(+), 8 deletions(-)
-
-diff --git a/src/XrrProperty.c b/src/XrrProperty.c
-index 50382bf..707a28d 100644
---- a/src/XrrProperty.c
-+++ b/src/XrrProperty.c
-@@ -257,7 +257,7 @@ XRRGetOutputProperty (Display *dpy, RROutput output,
- XExtDisplayInfo *info = XRRFindDisplay(dpy);
- xRRGetOutputPropertyReply rep;
- xRRGetOutputPropertyReq *req;
-- long nbytes, rbytes;
-+ unsigned long nbytes, rbytes;
-
- RRCheckExtension (dpy, info, 1);
-
-@@ -282,34 +282,40 @@ XRRGetOutputProperty (Display *dpy, RROutput output,
-
- *prop = (unsigned char *) NULL;
- if (rep.propertyType != None) {
-+ int format = rep.format;
-+
-+ /*
-+ * Protect against both integer overflow and just plain oversized
-+ * memory allocation - no server should ever return this many props.
-+ */
-+ if (rep.nItems >= (INT_MAX >> 4))
-+ format = -1; /* fall through to default error case */
-+
- /*
- * One extra byte is malloced than is needed to contain the property
- * data, but this last byte is null terminated and convenient for
- * returning string properties, so the client doesn't then have to
- * recopy the string to make it null terminated.
- */
-- switch (rep.format) {
-+ switch (format) {
- case 8:
- nbytes = rep.nItems;
- rbytes = rep.nItems + 1;
-- if (rbytes > 0 &&
-- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
-+ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
- _XReadPad (dpy, (char *) *prop, nbytes);
- break;
-
- case 16:
- nbytes = rep.nItems << 1;
- rbytes = rep.nItems * sizeof (short) + 1;
-- if (rbytes > 0 &&
-- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
-+ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
- _XRead16Pad (dpy, (short *) *prop, nbytes);
- break;
-
- case 32:
- nbytes = rep.nItems << 2;
- rbytes = rep.nItems * sizeof (long) + 1;
-- if (rbytes > 0 &&
-- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
-+ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
- _XRead32 (dpy, (long *) *prop, nbytes);
- break;
-
---
-1.8.2.3
-
diff --git a/main/libxrandr/0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch b/main/libxrandr/0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch
deleted file mode 100644
index cdc616a319..0000000000
--- a/main/libxrandr/0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 4254bf0ee4c7a8f9d03841cf0d8e16cbb201dfbd Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 4 May 2013 21:37:49 -0700
-Subject: [PATCH 6/7] integer overflow in XRRGetProviderProperty()
- [CVE-2013-1986 4/4]
-
-If the reported number of properties is too large, the calculations
-to allocate memory for them may overflow, leaving us returning less
-memory to the caller than implied by the value written to *nitems.
-
-(Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel)
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/XrrProviderProperty.c | 22 ++++++++++++++--------
- 1 file changed, 14 insertions(+), 8 deletions(-)
-
-diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c
-index dc699f6..6989580 100644
---- a/src/XrrProviderProperty.c
-+++ b/src/XrrProviderProperty.c
-@@ -257,7 +257,7 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider,
- XExtDisplayInfo *info = XRRFindDisplay(dpy);
- xRRGetProviderPropertyReply rep;
- xRRGetProviderPropertyReq *req;
-- long nbytes, rbytes;
-+ unsigned long nbytes, rbytes;
-
- RRCheckExtension (dpy, info, 1);
-
-@@ -282,34 +282,40 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider,
-
- *prop = (unsigned char *) NULL;
- if (rep.propertyType != None) {
-+ int format = rep.format;
-+
-+ /*
-+ * Protect against both integer overflow and just plain oversized
-+ * memory allocation - no server should ever return this many props.
-+ */
-+ if (rep.nItems >= (INT_MAX >> 4))
-+ format = -1; /* fall through to default error case */
-+
- /*
- * One extra byte is malloced than is needed to contain the property
- * data, but this last byte is null terminated and convenient for
- * returning string properties, so the client doesn't then have to
- * recopy the string to make it null terminated.
- */
-- switch (rep.format) {
-+ switch (format) {
- case 8:
- nbytes = rep.nItems;
- rbytes = rep.nItems + 1;
-- if (rbytes > 0 &&
-- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
-+ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
- _XReadPad (dpy, (char *) *prop, nbytes);
- break;
-
- case 16:
- nbytes = rep.nItems << 1;
- rbytes = rep.nItems * sizeof (short) + 1;
-- if (rbytes > 0 &&
-- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
-+ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
- _XRead16Pad (dpy, (short *) *prop, nbytes);
- break;
-
- case 32:
- nbytes = rep.nItems << 2;
- rbytes = rep.nItems * sizeof (long) + 1;
-- if (rbytes > 0 &&
-- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
-+ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
- _XRead32 (dpy, (long *) *prop, nbytes);
- break;
-
---
-1.8.2.3
-
diff --git a/main/libxrandr/0007-Make-XRRGet-Property-always-initialize-returned-valu.patch b/main/libxrandr/0007-Make-XRRGet-Property-always-initialize-returned-valu.patch
deleted file mode 100644
index 659b9c1752..0000000000
--- a/main/libxrandr/0007-Make-XRRGet-Property-always-initialize-returned-valu.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From c90f74497dbcb96854346435349c6e2207b530c5 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 4 May 2013 21:47:50 -0700
-Subject: [PATCH 7/7] Make XRRGet*Property() always initialize returned values
-
-Avoids memory corruption and other errors when callers access them
-without checking to see if the calls returned an error value.
-
-Callers are still required to check for errors, this just reduces the
-damage when they don't.
-
-(Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel)
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/XrrProperty.c | 8 +++++++-
- src/XrrProviderProperty.c | 8 +++++++-
- 2 files changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/src/XrrProperty.c b/src/XrrProperty.c
-index 707a28d..2096c56 100644
---- a/src/XrrProperty.c
-+++ b/src/XrrProperty.c
-@@ -259,6 +259,13 @@ XRRGetOutputProperty (Display *dpy, RROutput output,
- xRRGetOutputPropertyReq *req;
- unsigned long nbytes, rbytes;
-
-+ /* Always initialize return values, in case callers fail to initialize
-+ them and fail to check the return code for an error. */
-+ *actual_type = None;
-+ *actual_format = 0;
-+ *nitems = *bytes_after = 0L;
-+ *prop = (unsigned char *) NULL;
-+
- RRCheckExtension (dpy, info, 1);
-
- LockDisplay (dpy);
-@@ -280,7 +287,6 @@ XRRGetOutputProperty (Display *dpy, RROutput output,
- return ((xError *)&rep)->errorCode;
- }
-
-- *prop = (unsigned char *) NULL;
- if (rep.propertyType != None) {
- int format = rep.format;
-
-diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c
-index 6989580..34cc082 100644
---- a/src/XrrProviderProperty.c
-+++ b/src/XrrProviderProperty.c
-@@ -259,6 +259,13 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider,
- xRRGetProviderPropertyReq *req;
- unsigned long nbytes, rbytes;
-
-+ /* Always initialize return values, in case callers fail to initialize
-+ them and fail to check the return code for an error. */
-+ *actual_type = None;
-+ *actual_format = 0;
-+ *nitems = *bytes_after = 0L;
-+ *prop = (unsigned char *) NULL;
-+
- RRCheckExtension (dpy, info, 1);
-
- LockDisplay (dpy);
-@@ -280,7 +287,6 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider,
- return ((xError *)&rep)->errorCode;
- }
-
-- *prop = (unsigned char *) NULL;
- if (rep.propertyType != None) {
- int format = rep.format;
-
---
-1.8.2.3
-
diff --git a/main/libxrandr/APKBUILD b/main/libxrandr/APKBUILD
index e4228018d5..84d96a634e 100644
--- a/main/libxrandr/APKBUILD
+++ b/main/libxrandr/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxrandr
-pkgver=1.4.0
-pkgrel=1
+pkgver=1.4.1
+pkgrel=0
pkgdesc="X11 RandR extension library"
url="http://xorg.freedesktop.org/"
arch="all"
@@ -9,15 +9,8 @@ license="custom"
subpackages="$pkgname-dev $pkgname-doc"
depends=
depends_dev="xproto randrproto libx11-dev libxext-dev libxrender-dev"
-makedepends="$depends_dev libtool autoconf automake util-macros"
+makedepends="$depends_dev"
source="http://xorg.freedesktop.org/releases/individual/lib/libXrandr-$pkgver.tar.bz2
- 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
- 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
- 0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch
- 0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch
- 0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch
- 0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch
- 0007-Make-XRRGet-Property-always-initialize-returned-valu.patch
"
@@ -29,8 +22,6 @@ prepare() {
*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
esac
done
- libtoolize --force && aclocal && autoheader && autoconf \
- && automake --add-missing
}
build() {
@@ -47,27 +38,6 @@ package() {
rm "$pkgdir"/usr/lib/*.la || return 1
install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
}
-md5sums="0c843636124cc1494e3d87df16957672 libXrandr-1.4.0.tar.bz2
-d40ab63148e3a7c31f3548097c48d507 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
-f79a519bdf980c7ef92e18aa3a2c16ca 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
-41e672b46e9e3d25c8eb2e86cea29ed1 0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch
-e2bb9968f01fc41f53e6457f60bdfae0 0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch
-7d65549f48058f8f9bf9e527d03bbb08 0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch
-486e84c4089b4f5120cbbc605e732f5b 0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch
-0883bd4a4e0360e54968f9e4887c03c8 0007-Make-XRRGet-Property-always-initialize-returned-valu.patch"
-sha256sums="033ad0ac2f012afb05268660f6d78705c85f84689f92fa7b47ce12959b15f5c3 libXrandr-1.4.0.tar.bz2
-fc55395c3a275b9c2bce1cd17caf3963b57afb424e95504cf84ed3ab3bf58e19 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
-7ca77f1f0e5f7a1febc76e2957c3705d6378c1af6944616735bacc194bc81097 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
-847f2b8da4e9d9346d273fd541830a0d6d457857cea576394c2117c5dcbcf356 0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch
-a537b5ca75a88c5b1ccc862775e4512fb57c4665eb6245c59b3160250ac02ba8 0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch
-2b84742ed038b96625cc0486e47e3b85e6bd9700a8095b7b65d9dc8a93087dfc 0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch
-8daabc77bfbcef87d7e52478306fd2774b0c3b59afc7d002d413c7fd6598b93c 0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch
-03b9c156b04cbe934978983e6a4fff427fd9230b39408b20bbdb4768a7a06bb4 0007-Make-XRRGet-Property-always-initialize-returned-valu.patch"
-sha512sums="a97f2442c7f73786e5d3fae9a98b172ac1cb17b1584a7bad243128fc755b25a41cc7e32ceed10eb8eac733ff137b95504485967716f0122edf6682db6065a289 libXrandr-1.4.0.tar.bz2
-11584e52674a6d1216d5586f578962464f8e6942653a3bce7ddf3af27ea28d604e9ce989635b1db051147f5046ed0593601d74277a86c2776e84ff1c5350a9df 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch
-ce19127f19d5b932b68de1f336335587bdda4db791b20d26488dcba00a9e303832c679033e59d1f2602f24c8519fe909c24199226ab2b651863b60a7a1e2a5c6 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
-228c64d64c839682cb7523cd6dd9153d0acf76e7d9e88a7e73c24bc4536b9dcbf5a500d7fd33ba373f605a0e9d0a770899c1b44a25f9d7468db6de46d0702152 0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch
-1784174229c46575431eb6a0e05ccac631c3d843ed2742cd89ec8f28866c0e10881ab1c1e30fab5831ba0cb066ece0debbbeb98c7bb4a528768dd8342f42f7b2 0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch
-14d508d519ca972ee6e521597b16663e78b3f44bcbada97d6ba797cec2b09392daeaf673e02670af0d0f6f71ac5c8e8cb8aa75546ec46cb92ecb6f9190990bca 0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch
-ec6996991010498de70ad69d55d8a7b2bb5f5f751af567d6be385166d485e145920356a9a3b87603be924121e0202251f6dca96c1af2bd6328961c5fa286d8d1 0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch
-0d7804c66749090a72bd52297948b7b27c51d77773e57d62e905a7b45d349a77c9857933d85a9e22ce9a2d249ed6ed492fc80040193652ddebe47bd7c558562e 0007-Make-XRRGet-Property-always-initialize-returned-valu.patch"
+md5sums="8dbac4e972348dcbd3a0673ce2e37919 libXrandr-1.4.1.tar.bz2"
+sha256sums="d914a0490fd0a2ea6c3194505b5b28c56e2a277d8f4648b0275ee0ee370fb905 libXrandr-1.4.1.tar.bz2"
+sha512sums="73ceca5a1ff56e886a95fbfa250ccec49e5d847e3a6d1dd6bb38462ee30724e838706caa41caa536a87ed2811fdff8fa7d1120fde656a05699830ff978ebd1ad libXrandr-1.4.1.tar.bz2"