From 6e52b09136375e075ca4c879472b0c9b4ebc7334 Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Thu, 6 Jun 2013 16:18:15 +0000 Subject: main/libxxf86vm: upgrade to 1.1.3 --- ...c-returns-NULL-you-don-t-need-to-Xfree-it.patch | 60 --------- ...e-error-handling-in-XF86VidModeGetMonitor.patch | 134 --------------------- ...lay-before-returning-alloc-error-in-XF86V.patch | 51 -------- ...lay-before-returning-alloc-error-in-XF86V.patch | 28 ----- ...lay-before-returning-alloc-error-in-XF86V.patch | 56 --------- ...taWords-to-avoid-overflow-of-length-calcu.patch | 125 ------------------- ...uption-in-XF86VidModeGetGammaRamp-CVE-201.patch | 62 ---------- ...nteger-overflow-in-XF86VidModeGetModeLine.patch | 34 ------ main/libxxf86vm/APKBUILD | 46 +------ 9 files changed, 6 insertions(+), 590 deletions(-) delete mode 100644 main/libxxf86vm/0001-When-Xcalloc-returns-NULL-you-don-t-need-to-Xfree-it.patch delete mode 100644 main/libxxf86vm/0002-Improve-error-handling-in-XF86VidModeGetMonitor.patch delete mode 100644 main/libxxf86vm/0003-Unlock-display-before-returning-alloc-error-in-XF86V.patch delete mode 100644 main/libxxf86vm/0004-Unlock-display-before-returning-alloc-error-in-XF86V.patch delete mode 100644 main/libxxf86vm/0005-Unlock-display-before-returning-alloc-error-in-XF86V.patch delete mode 100644 main/libxxf86vm/0006-Use-_XEatDataWords-to-avoid-overflow-of-length-calcu.patch delete mode 100644 main/libxxf86vm/0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch delete mode 100644 main/libxxf86vm/0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch diff --git a/main/libxxf86vm/0001-When-Xcalloc-returns-NULL-you-don-t-need-to-Xfree-it.patch b/main/libxxf86vm/0001-When-Xcalloc-returns-NULL-you-don-t-need-to-Xfree-it.patch deleted file mode 100644 index cd5b67a977..0000000000 --- a/main/libxxf86vm/0001-When-Xcalloc-returns-NULL-you-don-t-need-to-Xfree-it.patch +++ /dev/null @@ -1,60 +0,0 @@ -From ef95f1c3737d9efc7d97fb1784f80ef3540a846b Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sat, 13 Apr 2013 15:13:06 -0700 -Subject: [PATCH 1/8] When Xcalloc() returns NULL, you don't need to Xfree() it - -I have no words to explain how this ever happened. - -Signed-off-by: Alan Coopersmith -Reviewed-by: Peter Hutterer ---- - src/XF86VMode.c | 5 ----- - 1 file changed, 5 deletions(-) - -diff --git a/src/XF86VMode.c b/src/XF86VMode.c -index 4f19cf3..c0e50e6 100644 ---- a/src/XF86VMode.c -+++ b/src/XF86VMode.c -@@ -256,7 +256,6 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock, - if (modeline->privsize > 0) { - if (!(modeline->private = Xcalloc(modeline->privsize, sizeof(INT32)))) { - _XEatData(dpy, (modeline->privsize) * sizeof(INT32)); -- Xfree(modeline->private); - return False; - } - _XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32)); -@@ -321,7 +320,6 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount, - _XEatData(dpy, (rep.modecount) * sizeof(xXF86OldVidModeModeInfo)); - else - _XEatData(dpy, (rep.modecount) * sizeof(xXF86VidModeModeInfo)); -- Xfree(modelines); - return False; - } - mdinfptr = (XF86VidModeModeInfo *) ( -@@ -353,7 +351,6 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount, - if (!(modelines[i]->private = - Xcalloc(oldxmdline.privsize, sizeof(INT32)))) { - _XEatData(dpy, (oldxmdline.privsize) * sizeof(INT32)); -- Xfree(modelines[i]->private); - } else { - _XRead(dpy, (char*)modelines[i]->private, - oldxmdline.privsize * sizeof(INT32)); -@@ -384,7 +381,6 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount, - if (!(modelines[i]->private = - Xcalloc(xmdline.privsize, sizeof(INT32)))) { - _XEatData(dpy, (xmdline.privsize) * sizeof(INT32)); -- Xfree(modelines[i]->private); - } else { - _XRead(dpy, (char*)modelines[i]->private, - xmdline.privsize * sizeof(INT32)); -@@ -1039,7 +1035,6 @@ XF86VidModeGetDotClocks(Display* dpy, int screen, int *flagsPtr, - - if (!(dotclocks = (int*) Xcalloc(rep.clocks, sizeof(int)))) { - _XEatData(dpy, (rep.clocks) * 4); -- Xfree(dotclocks); - return False; - } - --- -1.8.2.3 - diff --git a/main/libxxf86vm/0002-Improve-error-handling-in-XF86VidModeGetMonitor.patch b/main/libxxf86vm/0002-Improve-error-handling-in-XF86VidModeGetMonitor.patch deleted file mode 100644 index 099ca99716..0000000000 --- a/main/libxxf86vm/0002-Improve-error-handling-in-XF86VidModeGetMonitor.patch +++ /dev/null @@ -1,134 +0,0 @@ -From a89b1ad3377bfef9bab52f15f98b00f6540d531a Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sat, 13 Apr 2013 17:40:24 -0700 -Subject: [PATCH 2/8] Improve error handling in XF86VidModeGetMonitor() - -Ensure that when we return an error we unlock the display first, and -NULL out any pointers we freed in error cleanup. - -Instead of adding these fixes to every error check, instead combine -the error handling cleanup into a single copy. - -Signed-off-by: Alan Coopersmith -Reviewed-by: Peter Hutterer ---- - src/XF86VMode.c | 82 +++++++++++++++++++++++++++------------------------------ - 1 file changed, 39 insertions(+), 43 deletions(-) - -diff --git a/src/XF86VMode.c b/src/XF86VMode.c -index c0e50e6..165f8ba 100644 ---- a/src/XF86VMode.c -+++ b/src/XF86VMode.c -@@ -856,6 +856,7 @@ XF86VidModeGetMonitor(Display* dpy, int screen, XF86VidModeMonitor* monitor) - xXF86VidModeGetMonitorReq *req; - CARD32 syncrange; - int i; -+ Bool result = True; - - XF86VidModeCheckExtension (dpy, info, False); - -@@ -875,63 +876,58 @@ XF86VidModeGetMonitor(Display* dpy, int screen, XF86VidModeMonitor* monitor) - monitor->bandwidth = (float)rep.bandwidth / 1e6; - #endif - if (rep.vendorLength) { -- if (!(monitor->vendor = (char *)Xcalloc(rep.vendorLength + 1, 1))) { -- _XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 + -- ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3)); -- return False; -- } -+ monitor->vendor = Xcalloc(rep.vendorLength + 1, 1); -+ if (monitor->vendor == NULL) -+ result = False; - } else { - monitor->vendor = NULL; - } -- if (rep.modelLength) { -- if (!(monitor->model = Xcalloc(rep.modelLength + 1, 1))) { -- _XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 + -- ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3)); -- if (monitor->vendor) -- Xfree(monitor->vendor); -- return False; -- } -+ if (result && rep.modelLength) { -+ monitor->model = Xcalloc(rep.modelLength + 1, 1); -+ if (monitor->model == NULL) -+ result = False; - } else { - monitor->model = NULL; - } -- if (!(monitor->hsync = Xcalloc(rep.nhsync, sizeof(XF86VidModeSyncRange)))) { -- _XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 + -- ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3)); -- -- if (monitor->vendor) -- Xfree(monitor->vendor); -- if (monitor->model) -- Xfree(monitor->model); -- return False; -+ if (result) { -+ monitor->hsync = Xcalloc(rep.nhsync, sizeof(XF86VidModeSyncRange)); -+ monitor->vsync = Xcalloc(rep.nvsync, sizeof(XF86VidModeSyncRange)); -+ if ((monitor->hsync == NULL) || (monitor->vsync == NULL)) -+ result = False; -+ } else { -+ monitor->hsync = monitor->vsync = NULL; - } -- if (!(monitor->vsync = Xcalloc(rep.nvsync, sizeof(XF86VidModeSyncRange)))) { -+ if (result == False) { - _XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 + - ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3)); -- if (monitor->vendor) -- Xfree(monitor->vendor); -- if (monitor->model) -- Xfree(monitor->model); -+ Xfree(monitor->vendor); -+ monitor->vendor = NULL; -+ Xfree(monitor->model); -+ monitor->model = NULL; - Xfree(monitor->hsync); -- return False; -- } -- for (i = 0; i < rep.nhsync; i++) { -- _XRead(dpy, (char *)&syncrange, 4); -- monitor->hsync[i].lo = (float)(syncrange & 0xFFFF) / 100.0; -- monitor->hsync[i].hi = (float)(syncrange >> 16) / 100.0; -+ monitor->hsync = NULL; -+ Xfree(monitor->vsync); -+ monitor->vsync = NULL; - } -- for (i = 0; i < rep.nvsync; i++) { -- _XRead(dpy, (char *)&syncrange, 4); -- monitor->vsync[i].lo = (float)(syncrange & 0xFFFF) / 100.0; -- monitor->vsync[i].hi = (float)(syncrange >> 16) / 100.0; -+ else { -+ for (i = 0; i < rep.nhsync; i++) { -+ _XRead(dpy, (char *)&syncrange, 4); -+ monitor->hsync[i].lo = (float)(syncrange & 0xFFFF) / 100.0; -+ monitor->hsync[i].hi = (float)(syncrange >> 16) / 100.0; -+ } -+ for (i = 0; i < rep.nvsync; i++) { -+ _XRead(dpy, (char *)&syncrange, 4); -+ monitor->vsync[i].lo = (float)(syncrange & 0xFFFF) / 100.0; -+ monitor->vsync[i].hi = (float)(syncrange >> 16) / 100.0; -+ } -+ if (rep.vendorLength) -+ _XReadPad(dpy, monitor->vendor, rep.vendorLength); -+ if (rep.modelLength) -+ _XReadPad(dpy, monitor->model, rep.modelLength); - } -- if (rep.vendorLength) -- _XReadPad(dpy, monitor->vendor, rep.vendorLength); -- if (rep.modelLength) -- _XReadPad(dpy, monitor->model, rep.modelLength); -- - UnlockDisplay(dpy); - SyncHandle(); -- return True; -+ return result; - } - - Bool --- -1.8.2.3 - diff --git a/main/libxxf86vm/0003-Unlock-display-before-returning-alloc-error-in-XF86V.patch b/main/libxxf86vm/0003-Unlock-display-before-returning-alloc-error-in-XF86V.patch deleted file mode 100644 index 3b6bc15b8a..0000000000 --- a/main/libxxf86vm/0003-Unlock-display-before-returning-alloc-error-in-XF86V.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 8ed00bd0a7c44c7fece687e2566d920ea74ef809 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sat, 13 Apr 2013 17:52:12 -0700 -Subject: [PATCH 3/8] Unlock display before returning alloc error in - XF86VidModeGetModeLine() - -Signed-off-by: Alan Coopersmith -Reviewed-by: Peter Hutterer ---- - src/XF86VMode.c | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - -diff --git a/src/XF86VMode.c b/src/XF86VMode.c -index 165f8ba..28c79c1 100644 ---- a/src/XF86VMode.c -+++ b/src/XF86VMode.c -@@ -203,6 +203,7 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock, - xXF86OldVidModeGetModeLineReply oldrep; - xXF86VidModeGetModeLineReq *req; - int majorVersion, minorVersion; -+ Bool result = True; - - XF86VidModeCheckExtension (dpy, info, False); - XF86VidModeQueryVersion(dpy, &majorVersion, &minorVersion); -@@ -254,17 +255,18 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock, - } - - if (modeline->privsize > 0) { -- if (!(modeline->private = Xcalloc(modeline->privsize, sizeof(INT32)))) { -+ modeline->private = Xcalloc(modeline->privsize, sizeof(INT32)); -+ if (modeline->private == NULL) { - _XEatData(dpy, (modeline->privsize) * sizeof(INT32)); -- return False; -- } -- _XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32)); -+ result = False; -+ } else -+ _XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32)); - } else { - modeline->private = NULL; - } - UnlockDisplay(dpy); - SyncHandle(); -- return True; -+ return result; - } - - Bool --- -1.8.2.3 - diff --git a/main/libxxf86vm/0004-Unlock-display-before-returning-alloc-error-in-XF86V.patch b/main/libxxf86vm/0004-Unlock-display-before-returning-alloc-error-in-XF86V.patch deleted file mode 100644 index 3be28ee5b8..0000000000 --- a/main/libxxf86vm/0004-Unlock-display-before-returning-alloc-error-in-XF86V.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 6c82906f25abcb0f8ec92bcdaf1872bd8b63ca5d Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sat, 13 Apr 2013 17:54:45 -0700 -Subject: [PATCH 4/8] Unlock display before returning alloc error in - XF86VidModeGetAllModeLines() - -Signed-off-by: Alan Coopersmith -Reviewed-by: Peter Hutterer ---- - src/XF86VMode.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/XF86VMode.c b/src/XF86VMode.c -index 28c79c1..76276b6 100644 ---- a/src/XF86VMode.c -+++ b/src/XF86VMode.c -@@ -322,6 +322,8 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount, - _XEatData(dpy, (rep.modecount) * sizeof(xXF86OldVidModeModeInfo)); - else - _XEatData(dpy, (rep.modecount) * sizeof(xXF86VidModeModeInfo)); -+ UnlockDisplay(dpy); -+ SyncHandle(); - return False; - } - mdinfptr = (XF86VidModeModeInfo *) ( --- -1.8.2.3 - diff --git a/main/libxxf86vm/0005-Unlock-display-before-returning-alloc-error-in-XF86V.patch b/main/libxxf86vm/0005-Unlock-display-before-returning-alloc-error-in-XF86V.patch deleted file mode 100644 index b59be7bc1a..0000000000 --- a/main/libxxf86vm/0005-Unlock-display-before-returning-alloc-error-in-XF86V.patch +++ /dev/null @@ -1,56 +0,0 @@ -From d0355b28dd53fba6fb29c350e090ed4a73d4c480 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sat, 13 Apr 2013 17:58:28 -0700 -Subject: [PATCH 5/8] Unlock display before returning alloc error in - XF86VidModeGetDotClocks() - -Signed-off-by: Alan Coopersmith -Reviewed-by: Peter Hutterer ---- - src/XF86VMode.c | 17 ++++++++++------- - 1 file changed, 10 insertions(+), 7 deletions(-) - -diff --git a/src/XF86VMode.c b/src/XF86VMode.c -index 76276b6..1b907f4 100644 ---- a/src/XF86VMode.c -+++ b/src/XF86VMode.c -@@ -1014,6 +1014,7 @@ XF86VidModeGetDotClocks(Display* dpy, int screen, int *flagsPtr, - xXF86VidModeGetDotClocksReq *req; - int i, *dotclocks; - CARD32 dotclk; -+ Bool result = True; - - XF86VidModeCheckExtension (dpy, info, False); - -@@ -1033,19 +1034,21 @@ XF86VidModeGetDotClocks(Display* dpy, int screen, int *flagsPtr, - *maxclocksPtr = rep.maxclocks; - *flagsPtr = rep.flags; - -- if (!(dotclocks = (int*) Xcalloc(rep.clocks, sizeof(int)))) { -+ dotclocks = Xcalloc(rep.clocks, sizeof(int)); -+ if (dotclocks == NULL) { - _XEatData(dpy, (rep.clocks) * 4); -- return False; -+ result = False; - } -- -- for (i = 0; i < rep.clocks; i++) { -- _XRead(dpy, (char*)&dotclk, 4); -- dotclocks[i] = dotclk; -+ else { -+ for (i = 0; i < rep.clocks; i++) { -+ _XRead(dpy, (char*)&dotclk, 4); -+ dotclocks[i] = dotclk; -+ } - } - *clocksPtr = dotclocks; - UnlockDisplay(dpy); - SyncHandle(); -- return True; -+ return result; - } - - Bool --- -1.8.2.3 - diff --git a/main/libxxf86vm/0006-Use-_XEatDataWords-to-avoid-overflow-of-length-calcu.patch b/main/libxxf86vm/0006-Use-_XEatDataWords-to-avoid-overflow-of-length-calcu.patch deleted file mode 100644 index b10d3b7135..0000000000 --- a/main/libxxf86vm/0006-Use-_XEatDataWords-to-avoid-overflow-of-length-calcu.patch +++ /dev/null @@ -1,125 +0,0 @@ -From 284a88e21fc05a63466115b33efa411c60d988c9 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sat, 13 Apr 2013 14:24:12 -0700 -Subject: [PATCH 6/8] Use _XEatDataWords to avoid overflow of length - calculations - -Signed-off-by: Alan Coopersmith ---- - configure.ac | 6 ++++++ - src/XF86VMode.c | 35 +++++++++++++++++++++++++---------- - 2 files changed, 31 insertions(+), 10 deletions(-) - -diff --git a/configure.ac b/configure.ac -index d8a23b0..b637788 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -22,6 +22,12 @@ XORG_CHECK_MALLOC_ZERO - # Obtain compiler/linker options for depedencies - PKG_CHECK_MODULES(XXF86VM, xproto x11 xextproto xext [xf86vidmodeproto >= 2.2.99.1]) - -+# Check for _XEatDataWords function that may be patched into older Xlib release -+SAVE_LIBS="$LIBS" -+LIBS="$XXF86VM_LIBS" -+AC_CHECK_FUNCS([_XEatDataWords]) -+LIBS="$SAVE_LIBS" -+ - AC_CONFIG_FILES([Makefile - src/Makefile - man/Makefile -diff --git a/src/XF86VMode.c b/src/XF86VMode.c -index 1b907f4..bd54937 100644 ---- a/src/XF86VMode.c -+++ b/src/XF86VMode.c -@@ -30,11 +30,27 @@ from Kaleb S. KEITHLEY. - - /* THIS IS NOT AN X CONSORTIUM STANDARD */ - -+#ifdef HAVE_CONFIG_H -+#include -+#endif -+ - #include - #include - #include - #include - #include -+#include -+ -+#ifndef HAVE__XEATDATAWORDS -+static inline void _XEatDataWords(Display *dpy, unsigned long n) -+{ -+# ifndef LONG64 -+ if (n >= (ULONG_MAX >> 2)) -+ _XIOError(dpy); -+# endif -+ _XEatData (dpy, n << 2); -+} -+#endif - - #ifdef DEBUG - #include -@@ -257,7 +273,8 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock, - if (modeline->privsize > 0) { - modeline->private = Xcalloc(modeline->privsize, sizeof(INT32)); - if (modeline->private == NULL) { -- _XEatData(dpy, (modeline->privsize) * sizeof(INT32)); -+ _XEatDataWords(dpy, rep.length - -+ ((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2)); - result = False; - } else - _XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32)); -@@ -318,10 +335,8 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount, - if (!(modelines = (XF86VidModeModeInfo **) Xcalloc(rep.modecount, - sizeof(XF86VidModeModeInfo *) - +sizeof(XF86VidModeModeInfo)))) { -- if (majorVersion < 2) -- _XEatData(dpy, (rep.modecount) * sizeof(xXF86OldVidModeModeInfo)); -- else -- _XEatData(dpy, (rep.modecount) * sizeof(xXF86VidModeModeInfo)); -+ _XEatDataWords(dpy, rep.length - -+ ((SIZEOF(xXF86VidModeGetAllModeLinesReply) - SIZEOF(xReply)) >> 2)); - UnlockDisplay(dpy); - SyncHandle(); - return False; -@@ -354,7 +369,7 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount, - if (oldxmdline.privsize > 0) { - if (!(modelines[i]->private = - Xcalloc(oldxmdline.privsize, sizeof(INT32)))) { -- _XEatData(dpy, (oldxmdline.privsize) * sizeof(INT32)); -+ _XEatDataWords(dpy, oldxmdline.privsize); - } else { - _XRead(dpy, (char*)modelines[i]->private, - oldxmdline.privsize * sizeof(INT32)); -@@ -384,7 +399,7 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount, - if (xmdline.privsize > 0) { - if (!(modelines[i]->private = - Xcalloc(xmdline.privsize, sizeof(INT32)))) { -- _XEatData(dpy, (xmdline.privsize) * sizeof(INT32)); -+ _XEatDataWords(dpy, xmdline.privsize); - } else { - _XRead(dpy, (char*)modelines[i]->private, - xmdline.privsize * sizeof(INT32)); -@@ -902,8 +917,7 @@ XF86VidModeGetMonitor(Display* dpy, int screen, XF86VidModeMonitor* monitor) - monitor->hsync = monitor->vsync = NULL; - } - if (result == False) { -- _XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 + -- ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3)); -+ _XEatDataWords(dpy, rep.length); - Xfree(monitor->vendor); - monitor->vendor = NULL; - Xfree(monitor->model); -@@ -1036,7 +1050,8 @@ XF86VidModeGetDotClocks(Display* dpy, int screen, int *flagsPtr, - - dotclocks = Xcalloc(rep.clocks, sizeof(int)); - if (dotclocks == NULL) { -- _XEatData(dpy, (rep.clocks) * 4); -+ _XEatDataWords(dpy, rep.length - -+ ((SIZEOF(xXF86VidModeGetDotClocksReply) - SIZEOF(xReply)) >> 2)); - result = False; - } - else { --- -1.8.2.3 - diff --git a/main/libxxf86vm/0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch b/main/libxxf86vm/0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch deleted file mode 100644 index 71dca30fda..0000000000 --- a/main/libxxf86vm/0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 47bb28ac0e6e49d3b6eb90c7c215f2fcf54f1a95 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sat, 13 Apr 2013 14:33:32 -0700 -Subject: [PATCH 7/8] memory corruption in XF86VidModeGetGammaRamp() - [CVE-2013-2001] - -We trusted the server not to return more data than the client said it had -allocated room for, and would overflow the provided buffers if it did. - -Reported-by: Ilja Van Sprundel -Signed-off-by: Alan Coopersmith ---- - src/XF86VMode.c | 21 +++++++++++++-------- - 1 file changed, 13 insertions(+), 8 deletions(-) - -diff --git a/src/XF86VMode.c b/src/XF86VMode.c -index bd54937..a32564e 100644 ---- a/src/XF86VMode.c -+++ b/src/XF86VMode.c -@@ -1110,6 +1110,7 @@ XF86VidModeGetGammaRamp ( - XExtDisplayInfo *info = find_display (dpy); - xXF86VidModeGetGammaRampReq *req; - xXF86VidModeGetGammaRampReply rep; -+ Bool result = True; - - XF86VidModeCheckExtension (dpy, info, False); - -@@ -1120,19 +1121,23 @@ XF86VidModeGetGammaRamp ( - req->screen = screen; - req->size = size; - if (!_XReply (dpy, (xReply *) &rep, 0, xFalse)) { -- UnlockDisplay (dpy); -- SyncHandle (); -- return False; -+ result = False; - } -- if(rep.size) { -- _XRead(dpy, (char*)red, rep.size << 1); -- _XRead(dpy, (char*)green, rep.size << 1); -- _XRead(dpy, (char*)blue, rep.size << 1); -+ else if (rep.size) { -+ if (rep.size <= size) { -+ _XRead(dpy, (char*)red, rep.size << 1); -+ _XRead(dpy, (char*)green, rep.size << 1); -+ _XRead(dpy, (char*)blue, rep.size << 1); -+ } -+ else { -+ _XEatDataWords(dpy, rep.length); -+ result = False; -+ } - } - - UnlockDisplay(dpy); - SyncHandle(); -- return True; -+ return result; - } - - Bool XF86VidModeGetGammaRampSize( --- -1.8.2.3 - diff --git a/main/libxxf86vm/0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch b/main/libxxf86vm/0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch deleted file mode 100644 index f879c5b116..0000000000 --- a/main/libxxf86vm/0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 4c4123441e40da97acd10f58911193ad3dcef5cd Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sat, 13 Apr 2013 14:43:48 -0700 -Subject: [PATCH 8/8] avoid integer overflow in XF86VidModeGetModeLine() - -rep.privsize is a CARD32 and needs to be bounds checked before multiplying -by sizeof(INT32) to come up with the total size to allocate & read to avoid -integer overflow, though it would not result in buffer overflow as the same -calculation was used for both allocation & reading from the network. - -Signed-off-by: Alan Coopersmith ---- - src/XF86VMode.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/XF86VMode.c b/src/XF86VMode.c -index a32564e..fb94816 100644 ---- a/src/XF86VMode.c -+++ b/src/XF86VMode.c -@@ -271,7 +271,10 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock, - } - - if (modeline->privsize > 0) { -- modeline->private = Xcalloc(modeline->privsize, sizeof(INT32)); -+ if (modeline->privsize < (INT_MAX / sizeof(INT32))) -+ modeline->private = Xcalloc(modeline->privsize, sizeof(INT32)); -+ else -+ modeline->private = NULL; - if (modeline->private == NULL) { - _XEatDataWords(dpy, rep.length - - ((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2)); --- -1.8.2.3 - diff --git a/main/libxxf86vm/APKBUILD b/main/libxxf86vm/APKBUILD index fec2991790..474b6a97f9 100644 --- a/main/libxxf86vm/APKBUILD +++ b/main/libxxf86vm/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa pkgname=libxxf86vm -pkgver=1.1.2 -pkgrel=1 +pkgver=1.1.3 +pkgrel=0 pkgdesc="X11 XFree86 video mode extension library" url="http://xorg.freedesktop.org/" arch="all" @@ -9,16 +9,8 @@ license="custom" subpackages="$pkgname-dev $pkgname-doc" depends= depends_dev="xf86vidmodeproto libx11-dev libxext-dev" -makedepends="$depends_dev libtool autoconf automake util-macros" +makedepends="$depends_dev" source="http://xorg.freedesktop.org/releases/individual/lib/libXxf86vm-$pkgver.tar.bz2 - 0001-When-Xcalloc-returns-NULL-you-don-t-need-to-Xfree-it.patch - 0002-Improve-error-handling-in-XF86VidModeGetMonitor.patch - 0003-Unlock-display-before-returning-alloc-error-in-XF86V.patch - 0004-Unlock-display-before-returning-alloc-error-in-XF86V.patch - 0005-Unlock-display-before-returning-alloc-error-in-XF86V.patch - 0006-Use-_XEatDataWords-to-avoid-overflow-of-length-calcu.patch - 0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch - 0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch " _builddir="$srcdir"/libXxf86vm-$pkgver @@ -29,8 +21,6 @@ prepare() { *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; esac done - libtoolize --force && aclocal && autoheader && autoconf \ - && automake --add-missing } build() { @@ -45,30 +35,6 @@ package() { rm "$pkgdir"/usr/lib/*.la || return 1 install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING } -md5sums="ffd93bcedd8b2b5aeabf184e7b91f326 libXxf86vm-1.1.2.tar.bz2 -0147e68657e82274c85d9a76360f2f7e 0001-When-Xcalloc-returns-NULL-you-don-t-need-to-Xfree-it.patch -93ea0ba28daa2b9a0446b21e317c454e 0002-Improve-error-handling-in-XF86VidModeGetMonitor.patch -becbb6759243d4f5e7d87d611501b2e8 0003-Unlock-display-before-returning-alloc-error-in-XF86V.patch -7cc84f83f064d575c8628f45afec2691 0004-Unlock-display-before-returning-alloc-error-in-XF86V.patch -d16fbe7f3656d1c65aa74f4a45a8bbcd 0005-Unlock-display-before-returning-alloc-error-in-XF86V.patch -722b2379320147190135f00eb12782c5 0006-Use-_XEatDataWords-to-avoid-overflow-of-length-calcu.patch -569c6902f1b15289b02d2f7a644a34cc 0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch -a86c5904529d2ccfd92c12aef547136e 0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch" -sha256sums="a564172fb866b1b587bbccb7d041088931029845245e0d15c32ca7f1bb48fc84 libXxf86vm-1.1.2.tar.bz2 -b457de56462689eff9b2d5b61e07e767bcfe85b2e1c6317cf97fe0a420d95409 0001-When-Xcalloc-returns-NULL-you-don-t-need-to-Xfree-it.patch -a5f97c643cb7a09c9fdb10c99445d968de038f49ad7ab145094a816991f09ec9 0002-Improve-error-handling-in-XF86VidModeGetMonitor.patch -442d8fffc438a6e22114d77775df86bd8166e57f404f510d4e85824a8e8446bb 0003-Unlock-display-before-returning-alloc-error-in-XF86V.patch -30b41220a8399c7961be7f5b0be83a18fb357100ca94b03e898f4a7b7cc0d00d 0004-Unlock-display-before-returning-alloc-error-in-XF86V.patch -3e82f5d621c2d7e4fa7010cb28c5c2e35fd668fd9acc6db5a1a00c9c63067d19 0005-Unlock-display-before-returning-alloc-error-in-XF86V.patch -e0e3298f6be09483b376a3da0ba5944befc9d46b1cb2b6e1c043c2eb832bcc91 0006-Use-_XEatDataWords-to-avoid-overflow-of-length-calcu.patch -531c281d602c67b1c702cecb35f948a97ee67fcbd429e723239ff240c69a8594 0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch -62e4c96728c0adea4b5c2c9ce4c1089ffe6b57a5466a2789832681bc56d8cd47 0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch" -sha512sums="594243f2d0275a3036754e5cfd3f440f2faae78f6c836e6787129d54a559af0ceba6fefe18d98d6908aa75ea322875a188a3b3ffee7e3deec1168c7656e7a96a libXxf86vm-1.1.2.tar.bz2 -4b40e349407a105d07a54b72077b9a7d6371db743b377cbe246d7d21f7894b549fd2ebf77b0acac6520e513829491c07b3b76891d2fe450baf294caa7be72db3 0001-When-Xcalloc-returns-NULL-you-don-t-need-to-Xfree-it.patch -09a8cd3b934b4c46c2143c50cde25e70b0800afcafa265c00f2118f4ce0f74eaffb8cede5027b1d065469da874f27adf2efb18500bb7b4fca70a911096f7db48 0002-Improve-error-handling-in-XF86VidModeGetMonitor.patch -38260b81f4e052587a2f38a1d15202511070b7c9985ea374d732abd982953c98d1fbc96b56bd3b57afdae3728f5607e6cb83ee2b43a871c36f4d9366df058ca2 0003-Unlock-display-before-returning-alloc-error-in-XF86V.patch -f2a891c4aec0c2d640f92cf63a05f6655531089735c59d9b184b5ef460a850f6cf4f8dfce582cced12dd9d7b14f6e91e590bf9feef37ba714561b696b0e67485 0004-Unlock-display-before-returning-alloc-error-in-XF86V.patch -f54396628ff1ab4c31396960b3ee79311a00bd6147d1f76128f9c3f9dbe81bbfeaa7e37e4c1c7686cadfa2901e95e75e06e8f1c297a90f2287a0c4e22382beab 0005-Unlock-display-before-returning-alloc-error-in-XF86V.patch -a4a260efeb52f00ddf2adb476f241a88b6809bda75e3b5477ca15caba24e2b9f0fa9fc6cf070fb2f3ba64f7b5d1b9372727533e80d61c1ae3da035952aa87741 0006-Use-_XEatDataWords-to-avoid-overflow-of-length-calcu.patch -e54a46c0c0d54b08daa62578a814ed1dafaa66d5b2e13e2f50dc0dfb11dc061dc505e7001c39ce579f9f4d2ce29dd6b53c40109800c1692d7102f1c5b0583b24 0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch -43e2e04e1da133e986ec717e294a7f4fad803d7ff8cafa9a120649cfec30dc986516f0bd7389781cf0dfcda84c59dce63831c47f58f6d25ee6b488cced742d59 0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch" +md5sums="e46f6ee4f4567349a3189044fe1bb712 libXxf86vm-1.1.3.tar.bz2" +sha256sums="da5e86c32ee2069b9e6d820e4c2e4242d4877cb155a2b2fbf2675a1480ec37b8 libXxf86vm-1.1.3.tar.bz2" +sha512sums="7cd5491b79920f9c1d134f2815f14d45b0a29cf5f99d866c35418b6f84ce6b48e702db3472bd7c6158804e573f2384ad4ebee78e5ea8f07afec2e34489d99ed4 libXxf86vm-1.1.3.tar.bz2" -- cgit v1.2.3