main/libxext: upgrade to 1.3.2

author: Natanael Copa <ncopa@alpinelinux.org> 2013-06-06 16:07:08 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2013-06-06 16:07:08 +0000
commit: 4e33a14b02d793b6fef73624e3d50f095a7308ae (patch)
tree: a09988be930e17b7fa4b730399ccdecf9e6a9bec /main/libxext
parent: 4ad71042333aae7134222ccfa21ea6efd83b9ec5 (diff)
download: aports-4e33a14b02d793b6fef73624e3d50f095a7308ae.tar.bz2
aports-4e33a14b02d793b6fef73624e3d50f095a7308ae.tar.xz
8 files changed, 6 insertions, 735 deletions
diff --git a/main/libxext/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch b/main/libxext/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
deleted file mode 100644
index 58f29757e0..0000000000
--- a/main/libxext/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
+++ /dev/null
@@ -1,260 +0,0 @@
-From ca84a813716f9de691dc3f60390d83af4b5ae534 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 13 Apr 2013 09:32:12 -0700
-Subject: [PATCH 1/7] Use _XEatDataWords to avoid overflow of rep.length bit
- shifting
-
-rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- COPYING         |  3 ++-
- configure.ac    |  6 ++++++
- src/Makefile.am |  1 +
- src/XEVI.c      |  4 +++-
- src/XMultibuf.c |  3 ++-
- src/XSecurity.c |  3 ++-
- src/XShape.c    |  3 ++-
- src/XSync.c     |  3 ++-
- src/Xcup.c      |  7 ++++---
- src/eat.h       | 40 ++++++++++++++++++++++++++++++++++++++++
- 10 files changed, 64 insertions(+), 9 deletions(-)
- create mode 100644 src/eat.h
-
-diff --git a/COPYING b/COPYING
-index 80622a0..e3a63ef 100644
---- a/COPYING
-+++ b/COPYING
-@@ -160,7 +160,8 @@ makes no representations about the suitability for any purpose
- of the information in this document.  This documentation is
- provided ``as is'' without express or implied warranty.
- 
--Copyright (c) 1999, 2005, 2006, Oracle and/or its affiliates. All rights reserved.
-+Copyright (c) 1999, 2005, 2006, 2013, Oracle and/or its affiliates.
-+All rights reserved.
- 
- Permission is hereby granted, free of charge, to any person obtaining a
- copy of this software and associated documentation files (the "Software"),
-diff --git a/configure.ac b/configure.ac
-index 63775de..fb9888d 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -38,6 +38,12 @@ AC_SUBST(XEXT_SOREV)
- # Obtain compiler/linker options for depedencies
- PKG_CHECK_MODULES(XEXT, [xproto >= 7.0.13] [x11 >= 1.1.99.1] [xextproto >= 7.1.99])
- 
-+# Check for _XEatDataWords function that may be patched into older Xlib releases
-+SAVE_LIBS="$LIBS"
-+LIBS="$XEXT_LIBS"
-+AC_CHECK_FUNCS([_XEatDataWords])
-+LIBS="$SAVE_LIBS"
-+
- # Allow checking code with lint, sparse, etc.
- XORG_WITH_LINT
- XORG_LINT_LIBRARY([Xext])
-diff --git a/src/Makefile.am b/src/Makefile.am
-index e236c33..b828547 100644
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -12,6 +12,7 @@ libXext_la_LDFLAGS = -version-number $(XEXT_SOREV) -no-undefined
- libXext_la_LIBADD = $(XEXT_LIBS)
- 
- libXext_la_SOURCES = \
-+	eat.h \
- 	DPMS.c \
- 	MITMisc.c \
- 	XAppgroup.c \
-diff --git a/src/XEVI.c b/src/XEVI.c
-index eb09daa..0125c51 100644
---- a/src/XEVI.c
-+++ b/src/XEVI.c
-@@ -30,6 +30,8 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
- #include <X11/extensions/Xext.h>
- #include <X11/extensions/extutil.h>
- #include <X11/Xutil.h>
-+#include "eat.h"
-+
- static XExtensionInfo *xevi_info;/* needs to move to globals.c */
- static const char *xevi_extension_name = EVINAME;
- #define XeviCheckExtension(dpy,i,val) \
-@@ -171,7 +173,7 @@ Status XeviGetVisualInfo(
-     xInfoPtr = temp_xInfo = (xExtendedVisualInfo *)Xmalloc(sz_xInfo);
-     xConflictPtr = temp_conflict = (VisualID32 *)Xmalloc(sz_xConflict);
-     if (!*evi_return || !temp_xInfo || !temp_conflict) {
--        _XEatData(dpy, (sz_xInfo + sz_xConflict + 3) & ~3);
-+	_XEatDataWords(dpy, rep.length);
- 	UnlockDisplay(dpy);
- 	SyncHandle();
- 	if (evi_return)
-diff --git a/src/XMultibuf.c b/src/XMultibuf.c
-index 7a746ba..43d56d3 100644
---- a/src/XMultibuf.c
-+++ b/src/XMultibuf.c
-@@ -34,6 +34,7 @@ in this Software without prior written authorization from The Open Group.
- #include <X11/extensions/extutil.h>
- #include <X11/extensions/multibufproto.h>
- #include <X11/extensions/multibuf.h>
-+#include "eat.h"
- 
- static XExtensionInfo _multibuf_info_data;
- static XExtensionInfo *multibuf_info = &_multibuf_info_data;
-@@ -408,7 +409,7 @@ Status XmbufGetWindowAttributes (
- 	attr->buffers = (Multibuffer *) Xmalloc((unsigned) nbytes);
- 	nbytes = rep.length << 2;
- 	if (! attr->buffers) {
--	    _XEatData(dpy, (unsigned long) nbytes);
-+	    _XEatDataWords(dpy, rep.length);
- 	    UnlockDisplay(dpy);
- 	    SyncHandle();
- 	    return (0);
-diff --git a/src/XSecurity.c b/src/XSecurity.c
-index f8c7da1..ab17755 100644
---- a/src/XSecurity.c
-+++ b/src/XSecurity.c
-@@ -33,6 +33,7 @@ in this Software without prior written authorization from The Open Group.
- #include <X11/extensions/extutil.h>
- #include <X11/extensions/securproto.h>
- #include <X11/extensions/security.h>
-+#include "eat.h"
- 
- static XExtensionInfo _Security_info_data;
- static XExtensionInfo *Security_info = &_Security_info_data;
-@@ -282,7 +283,7 @@ XSecurityGenerateAuthorization(
-     }
-     else
-     {
--	_XEatData(dpy, (unsigned long) (rep.dataLength + 3) & ~3);
-+	_XEatDataWords(dpy, rep.length);
-     }
- 
-     UnlockDisplay (dpy);
-diff --git a/src/XShape.c b/src/XShape.c
-index 6e8fbae..3987876 100644
---- a/src/XShape.c
-+++ b/src/XShape.c
-@@ -35,6 +35,7 @@ in this Software without prior written authorization from The Open Group.
- #include <X11/extensions/extutil.h>
- #include <X11/extensions/shape.h>
- #include <X11/extensions/shapeproto.h>
-+#include "eat.h"
- 
- static XExtensionInfo _shape_info_data;
- static XExtensionInfo *shape_info = &_shape_info_data;
-@@ -468,7 +469,7 @@ XRectangle *XShapeGetRectangles (
- 		Xfree (xrects);
- 	    if (rects)
- 		Xfree (rects);
--	    _XEatData (dpy, *count * sizeof (xRectangle));
-+	    _XEatDataWords (dpy, rep.length);
- 	    rects = NULL;
- 	    *count = 0;
- 	} else {
-diff --git a/src/XSync.c b/src/XSync.c
-index 5775293..3ca1308 100644
---- a/src/XSync.c
-+++ b/src/XSync.c
-@@ -59,6 +59,7 @@ PERFORMANCE OF THIS SOFTWARE.
- #include <X11/extensions/extutil.h>
- #include <X11/extensions/sync.h>
- #include <X11/extensions/syncproto.h>
-+#include "eat.h"
- 
- static XExtensionInfo _sync_info_data;
- static XExtensionInfo *sync_info = &_sync_info_data;
-@@ -364,7 +365,7 @@ XSyncListSystemCounters(Display *dpy, int *n_counters_return)
- 	{
- 	    if (list) Xfree((char *) list);
- 	    if (pWireSysCounter)   Xfree((char *) pWireSysCounter);
--	    _XEatData(dpy, (unsigned long) replylen);
-+	    _XEatDataWords(dpy, rep.length);
- 	    list = NULL;
- 	    goto bail;
- 	}
-diff --git a/src/Xcup.c b/src/Xcup.c
-index bb9e90f..1f1d625 100644
---- a/src/Xcup.c
-+++ b/src/Xcup.c
-@@ -36,6 +36,7 @@ in this Software without prior written authorization from The Open Group.
- #include <X11/extensions/cupproto.h>
- #include <X11/extensions/Xext.h>
- #include <X11/extensions/extutil.h>
-+#include "eat.h"
- 
- static XExtensionInfo _xcup_info_data;
- static XExtensionInfo *xcup_info = &_xcup_info_data;
-@@ -144,7 +145,7 @@ XcupGetReservedColormapEntries(
- 	    rbufp = rbuf;
- 
- 	if (rbufp == NULL) {
--	    _XEatData (dpy, (unsigned long) nbytes);
-+	    _XEatDataWords(dpy, rep.length);
- 	    UnlockDisplay (dpy);
- 	    SyncHandle ();
- 	    return False;
-@@ -221,7 +222,7 @@ XcupStoreColors(
- 	nbytes = nentries * SIZEOF (xColorItem);
- 
- 	if (nentries != ncolors) {
--	    _XEatData (dpy, (unsigned long) nbytes);
-+	    _XEatDataWords(dpy, rep.length);
- 	    UnlockDisplay (dpy);
- 	    SyncHandle ();
- 	    return False;
-@@ -233,7 +234,7 @@ XcupStoreColors(
- 	    rbufp = rbuf;
- 
- 	if (rbufp == NULL) {
--	    _XEatData (dpy, (unsigned long) nbytes);
-+	    _XEatDataWords(dpy, rep.length);
- 	    UnlockDisplay (dpy);
- 	    SyncHandle ();
- 	    return False;
-diff --git a/src/eat.h b/src/eat.h
-new file mode 100644
-index 0000000..239532b
---- /dev/null
-+++ b/src/eat.h
-@@ -0,0 +1,40 @@
-+/*
-+ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
-+ *
-+ * Permission is hereby granted, free of charge, to any person obtaining a
-+ * copy of this software and associated documentation files (the "Software"),
-+ * to deal in the Software without restriction, including without limitation
-+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
-+ * and/or sell copies of the Software, and to permit persons to whom the
-+ * Software is furnished to do so, subject to the following conditions:
-+ *
-+ * The above copyright notice and this permission notice (including the next
-+ * paragraph) shall be included in all copies or substantial portions of the
-+ * Software.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
-+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-+ * DEALINGS IN THE SOFTWARE.
-+ */
-+
-+#ifdef HAVE_CONFIG_H
-+# include "config.h"
-+#endif
-+
-+#ifndef HAVE__XEATDATAWORDS
-+#include <X11/Xmd.h>  /* for LONG64 on 64-bit platforms */
-+#include <limits.h>
-+
-+static inline void _XEatDataWords(Display *dpy, unsigned long n)
-+{
-+# ifndef LONG64
-+    if (n >= (ULONG_MAX >> 2))
-+        _XIOError(dpy);
-+# endif
-+    _XEatData (dpy, n << 2);
-+}
-+#endif
--- 
-1.8.2.3
-
diff --git a/main/libxext/0002-integer-overflow-in-XcupGetReservedColormapEntries-C.patch b/main/libxext/0002-integer-overflow-in-XcupGetReservedColormapEntries-C.patch
deleted file mode 100644
index d974de57af..0000000000
--- a/main/libxext/0002-integer-overflow-in-XcupGetReservedColormapEntries-C.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From d05f27a6f74cb419ad5a437f2e4690b17e7faee5 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 9 Mar 2013 14:40:33 -0800
-Subject: [PATCH 2/7] integer overflow in XcupGetReservedColormapEntries()
- [CVE-2013-1982 1/6]
-
-If the computed number of entries is large enough that it overflows when
-multiplied by the size of a xColorItem struct, or is treated as negative
-when compared to the size of the stack allocated buffer, then memory
-corruption can occur when more bytes are read from the X server than the
-size of the buffer we allocated to hold them.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/Xcup.c | 19 ++++++++++++-------
- 1 file changed, 12 insertions(+), 7 deletions(-)
-
-diff --git a/src/Xcup.c b/src/Xcup.c
-index 1f1d625..670f356 100644
---- a/src/Xcup.c
-+++ b/src/Xcup.c
-@@ -36,6 +36,7 @@ in this Software without prior written authorization from The Open Group.
- #include <X11/extensions/cupproto.h>
- #include <X11/extensions/Xext.h>
- #include <X11/extensions/extutil.h>
-+#include <limits.h>
- #include "eat.h"
- 
- static XExtensionInfo _xcup_info_data;
-@@ -134,15 +135,19 @@ XcupGetReservedColormapEntries(
-     req->xcupReqType = X_XcupGetReservedColormapEntries;
-     req->screen = screen;
-     if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
--	long nbytes;
-+	unsigned long nbytes;
- 	xColorItem* rbufp;
--	int nentries = rep.length / 3;
-+	unsigned int nentries = rep.length / 3;
- 
--	nbytes = nentries * SIZEOF (xColorItem);
--	if (nentries > TYP_RESERVED_ENTRIES)
--	    rbufp = (xColorItem*) Xmalloc (nbytes);
--	else
--	    rbufp = rbuf;
-+	if (nentries < (INT_MAX / SIZEOF (xColorItem))) {
-+	    nbytes = nentries * SIZEOF (xColorItem);
-+
-+	    if (nentries > TYP_RESERVED_ENTRIES)
-+		rbufp = Xmalloc (nbytes);
-+	    else
-+		rbufp = rbuf;
-+	} else
-+	    rbufp = NULL;
- 
- 	if (rbufp == NULL) {
- 	    _XEatDataWords(dpy, rep.length);
--- 
-1.8.2.3
-
diff --git a/main/libxext/0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch b/main/libxext/0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch
deleted file mode 100644
index 0be477d23d..0000000000
--- a/main/libxext/0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 082d70b19848059ba78c9d1c315114fb07e8c0ef Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 9 Mar 2013 14:40:33 -0800
-Subject: [PATCH 3/7] integer overflow in XcupStoreColors() [CVE-2013-1982 2/6]
-
-If the computed number of entries is large enough that it overflows when
-multiplied by the size of a xColorItem struct, or is treated as negative
-when compared to the size of the stack allocated buffer, then memory
-corruption can occur when more bytes are read from the X server than the
-size of the buffer we allocated to hold them.
-
-The requirement to match the number of colors specified by the caller makes
-this much harder to hit than the one in XcupGetReservedColormapEntries()
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/Xcup.c | 25 +++++++++++--------------
- 1 file changed, 11 insertions(+), 14 deletions(-)
-
-diff --git a/src/Xcup.c b/src/Xcup.c
-index 670f356..cdc64c2 100644
---- a/src/Xcup.c
-+++ b/src/Xcup.c
-@@ -219,24 +219,21 @@ XcupStoreColors(
-     }
- 
-     if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
--	long nbytes;
-+	unsigned long nbytes;
- 	xColorItem* rbufp;
- 	xColorItem* cs;
--	int nentries = rep.length / 3;
--
--	nbytes = nentries * SIZEOF (xColorItem);
-+	unsigned int nentries = rep.length / 3;
- 
--	if (nentries != ncolors) {
--	    _XEatDataWords(dpy, rep.length);
--	    UnlockDisplay (dpy);
--	    SyncHandle ();
--	    return False;
--	}
-+	if ((nentries == ncolors) &&
-+	    (nentries < (INT_MAX / SIZEOF (xColorItem)))) {
-+	    nbytes = nentries * SIZEOF (xColorItem);
- 
--	if (ncolors > 256)
--	    rbufp = (xColorItem*) Xmalloc (nbytes);
--	else
--	    rbufp = rbuf;
-+	    if (ncolors > 256)
-+		rbufp = Xmalloc (nbytes);
-+	    else
-+		rbufp = rbuf;
-+	} else
-+	    rbufp = NULL;
- 
- 	if (rbufp == NULL) {
- 	    _XEatDataWords(dpy, rep.length);
--- 
-1.8.2.3
-
diff --git a/main/libxext/0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch b/main/libxext/0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch
deleted file mode 100644
index 75c50e0025..0000000000
--- a/main/libxext/0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 96d1da55a08c4cd52b763cb07bdce5cdcbec4da8 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 9 Mar 2013 14:40:33 -0800
-Subject: [PATCH 4/7] several integer overflows in XdbeGetVisualInfo()
- [CVE-2013-1982 3/6]
-
-If the number of screens or visuals reported by the server is large enough
-that it overflows when multiplied by the size of the appropriate struct,
-then memory corruption can occur when more bytes are read from the X server
-than the size of the buffer we allocated to hold them.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/Xdbe.c | 27 +++++++++++++++++----------
- 1 file changed, 17 insertions(+), 10 deletions(-)
-
-diff --git a/src/Xdbe.c b/src/Xdbe.c
-index 4b5fa18..016886c 100644
---- a/src/Xdbe.c
-+++ b/src/Xdbe.c
-@@ -39,6 +39,8 @@
- #include <X11/extensions/extutil.h>
- #include <X11/extensions/Xdbe.h>
- #include <X11/extensions/dbeproto.h>
-+#include <limits.h>
-+#include "eat.h"
- 
- static XExtensionInfo _dbe_info_data;
- static XExtensionInfo *dbe_info = &_dbe_info_data;
-@@ -352,9 +354,12 @@ XdbeScreenVisualInfo *XdbeGetVisualInfo (
-        *num_screens = rep.m;
- 
-     /* allocate list of visual information to be returned */
--    if (!(scrVisInfo =
--        (XdbeScreenVisualInfo *)Xmalloc(
--        (unsigned)(*num_screens * sizeof(XdbeScreenVisualInfo))))) {
-+    if ((*num_screens > 0) && (*num_screens < 65536))
-+        scrVisInfo = Xmalloc(*num_screens * sizeof(XdbeScreenVisualInfo));
-+    else
-+        scrVisInfo = NULL;
-+    if (scrVisInfo == NULL) {
-+        _XEatDataWords(dpy, rep.length);
-         UnlockDisplay (dpy);
-         SyncHandle ();
-         return NULL;
-@@ -362,25 +367,27 @@ XdbeScreenVisualInfo *XdbeGetVisualInfo (
- 
-     for (i = 0; i < *num_screens; i++)
-     {
--        int nbytes;
-         int j;
--        long c;
-+        unsigned long c;
- 
--        _XRead32 (dpy, &c, sizeof(CARD32));
--        scrVisInfo[i].count = c;
-+        _XRead32 (dpy, (long *) &c, sizeof(CARD32));
- 
--        nbytes = scrVisInfo[i].count * sizeof(XdbeVisualInfo);
-+        if (c < 65536) {
-+            scrVisInfo[i].count = c;
-+            scrVisInfo[i].visinfo = Xmalloc(c * sizeof(XdbeVisualInfo));
-+        } else
-+            scrVisInfo[i].visinfo = NULL;
- 
-         /* if we can not allocate the list of visual/depth info
-          * then free the lists that we already allocate as well
-          * as the visual info list itself
-          */
--        if (!(scrVisInfo[i].visinfo = (XdbeVisualInfo *)Xmalloc(
--            (unsigned)nbytes))) {
-+        if (scrVisInfo[i].visinfo == NULL) {
-             for (j = 0; j < i; j++) {
-                 Xfree ((char *)scrVisInfo[j].visinfo);
-             }
-             Xfree ((char *)scrVisInfo);
-+            _XEatDataWords(dpy, rep.length);
-             UnlockDisplay (dpy);
-             SyncHandle ();
-             return NULL;
--- 
-1.8.2.3
-
diff --git a/main/libxext/0005-integer-overflow-in-XeviGetVisualInfo-CVE-2013-1982-.patch b/main/libxext/0005-integer-overflow-in-XeviGetVisualInfo-CVE-2013-1982-.patch
deleted file mode 100644
index e1aa4cc383..0000000000
--- a/main/libxext/0005-integer-overflow-in-XeviGetVisualInfo-CVE-2013-1982-.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 67ecdcf7e29de9fa78b421122620525ed2c7db88 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 9 Mar 2013 14:40:33 -0800
-Subject: [PATCH 5/7] integer overflow in XeviGetVisualInfo() [CVE-2013-1982
- 4/6]
-
-If the number of visuals or conflicts reported by the server is large
-enough that it overflows when multiplied by the size of the appropriate
-struct, then memory corruption can occur when more bytes are read from
-the X server than the size of the buffer we allocated to hold them.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/XEVI.c | 25 ++++++++++++++++++-------
- 1 file changed, 18 insertions(+), 7 deletions(-)
-
-diff --git a/src/XEVI.c b/src/XEVI.c
-index 0125c51..5a95583 100644
---- a/src/XEVI.c
-+++ b/src/XEVI.c
-@@ -30,6 +30,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
- #include <X11/extensions/Xext.h>
- #include <X11/extensions/extutil.h>
- #include <X11/Xutil.h>
-+#include <limits.h>
- #include "eat.h"
- 
- static XExtensionInfo *xevi_info;/* needs to move to globals.c */
-@@ -165,13 +166,20 @@ Status XeviGetVisualInfo(
- 	return BadAccess;
-     }
-     Xfree(temp_visual);
--    sz_info = rep.n_info * sizeof(ExtendedVisualInfo);
--    sz_xInfo = rep.n_info * sz_xExtendedVisualInfo;
--    sz_conflict = rep.n_conflicts * sizeof(VisualID);
--    sz_xConflict = rep.n_conflicts * sz_VisualID32;
--    infoPtr = *evi_return = (ExtendedVisualInfo *)Xmalloc(sz_info + sz_conflict);
--    xInfoPtr = temp_xInfo = (xExtendedVisualInfo *)Xmalloc(sz_xInfo);
--    xConflictPtr = temp_conflict = (VisualID32 *)Xmalloc(sz_xConflict);
-+    if ((rep.n_info < 65536) && (rep.n_conflicts < 65536)) {
-+	sz_info = rep.n_info * sizeof(ExtendedVisualInfo);
-+	sz_xInfo = rep.n_info * sz_xExtendedVisualInfo;
-+	sz_conflict = rep.n_conflicts * sizeof(VisualID);
-+	sz_xConflict = rep.n_conflicts * sz_VisualID32;
-+	*evi_return = Xmalloc(sz_info + sz_conflict);
-+	temp_xInfo = Xmalloc(sz_xInfo);
-+	temp_conflict = Xmalloc(sz_xConflict);
-+    } else {
-+	sz_xInfo = sz_xConflict = 0;
-+	*evi_return = NULL;
-+	temp_xInfo = NULL;
-+	temp_conflict = NULL;
-+    }
-     if (!*evi_return || !temp_xInfo || !temp_conflict) {
- 	_XEatDataWords(dpy, rep.length);
- 	UnlockDisplay(dpy);
-@@ -188,6 +196,9 @@ Status XeviGetVisualInfo(
-     _XRead(dpy, (char *)temp_conflict, sz_xConflict);
-     UnlockDisplay(dpy);
-     SyncHandle();
-+    infoPtr = *evi_return;
-+    xInfoPtr = temp_xInfo;
-+    xConflictPtr = temp_conflict;
-     n_data = rep.n_info;
-     conflict = (VisualID *)(infoPtr + n_data);
-     while (n_data-- > 0) {
--- 
-1.8.2.3
-
diff --git a/main/libxext/0006-integer-overflow-in-XShapeGetRectangles-CVE-2013-198.patch b/main/libxext/0006-integer-overflow-in-XShapeGetRectangles-CVE-2013-198.patch
deleted file mode 100644
index 01f40d7b56..0000000000
--- a/main/libxext/0006-integer-overflow-in-XShapeGetRectangles-CVE-2013-198.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 6ecd96e8be3c33e2ffad6631cea4aa0a030d93c2 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 9 Mar 2013 14:40:33 -0800
-Subject: [PATCH 6/7] integer overflow in XShapeGetRectangles() [CVE-2013-1982
- 5/6]
-
-If the number of rectangles reported by the server is large enough that
-it overflows when multiplied by the size of the appropriate struct, then
-memory corruption can occur when more bytes are read from the X server
-than the size of the buffer we allocated to hold them.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/XShape.c | 24 ++++++++++++++----------
- 1 file changed, 14 insertions(+), 10 deletions(-)
-
-diff --git a/src/XShape.c b/src/XShape.c
-index 3987876..d025020 100644
---- a/src/XShape.c
-+++ b/src/XShape.c
-@@ -35,6 +35,7 @@ in this Software without prior written authorization from The Open Group.
- #include <X11/extensions/extutil.h>
- #include <X11/extensions/shape.h>
- #include <X11/extensions/shapeproto.h>
-+#include <limits.h>
- #include "eat.h"
- 
- static XExtensionInfo _shape_info_data;
-@@ -443,7 +444,7 @@ XRectangle *XShapeGetRectangles (
-     xShapeGetRectanglesReply	    rep;
-     XRectangle			    *rects;
-     xRectangle			    *xrects;
--    int				    i;
-+    unsigned int		    i;
- 
-     ShapeCheckExtension (dpy, info, (XRectangle *)NULL);
- 
-@@ -461,20 +462,23 @@ XRectangle *XShapeGetRectangles (
-     *count = rep.nrects;
-     *ordering = rep.ordering;
-     rects = NULL;
--    if (*count) {
--	xrects = (xRectangle *) Xmalloc (*count * sizeof (xRectangle));
--	rects = (XRectangle *) Xmalloc (*count * sizeof (XRectangle));
-+    if (rep.nrects) {
-+	if (rep.nrects < (INT_MAX / sizeof (XRectangle))) {
-+	    xrects = Xmalloc (rep.nrects * sizeof (xRectangle));
-+	    rects = Xmalloc (rep.nrects * sizeof (XRectangle));
-+	} else {
-+	    xrects = NULL;
-+	    rects = NULL;
-+	}
- 	if (!xrects || !rects) {
--	    if (xrects)
--		Xfree (xrects);
--	    if (rects)
--		Xfree (rects);
-+	    Xfree (xrects);
-+	    Xfree (rects);
- 	    _XEatDataWords (dpy, rep.length);
- 	    rects = NULL;
- 	    *count = 0;
- 	} else {
--	    _XRead (dpy, (char *) xrects, *count * sizeof (xRectangle));
--	    for (i = 0; i < *count; i++) {
-+	    _XRead (dpy, (char *) xrects, rep.nrects * sizeof (xRectangle));
-+	    for (i = 0; i < rep.nrects; i++) {
- 	    	rects[i].x = (short) cvtINT16toInt (xrects[i].x);
- 	    	rects[i].y = (short) cvtINT16toInt (xrects[i].y);
- 	    	rects[i].width = xrects[i].width;
--- 
-1.8.2.3
-
diff --git a/main/libxext/0007-integer-overflow-in-XSyncListSystemCounters-CVE-2013.patch b/main/libxext/0007-integer-overflow-in-XSyncListSystemCounters-CVE-2013.patch
deleted file mode 100644
index 95382256d1..0000000000
--- a/main/libxext/0007-integer-overflow-in-XSyncListSystemCounters-CVE-2013.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From dfe6e1f3b8ede3d0bab7a5fa57f73513a09ec649 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 9 Mar 2013 14:40:33 -0800
-Subject: [PATCH 7/7] integer overflow in XSyncListSystemCounters()
- [CVE-2013-1982 6/6]
-
-If the number of counters or amount of data reported by the server is
-large enough that it overflows when multiplied by the size of the
-appropriate struct, then memory corruption can occur when more bytes
-are read from the X server than the size of the buffers we allocated
-to hold them.
-
-V2: Make sure we don't walk past the end of the reply when converting
-data from wire format to the structures returned to the caller.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/XSync.c | 32 +++++++++++++++++++++++++-------
- 1 file changed, 25 insertions(+), 7 deletions(-)
-
-diff --git a/src/XSync.c b/src/XSync.c
-index 3ca1308..ce4ab44 100644
---- a/src/XSync.c
-+++ b/src/XSync.c
-@@ -59,6 +59,7 @@ PERFORMANCE OF THIS SOFTWARE.
- #include <X11/extensions/extutil.h>
- #include <X11/extensions/sync.h>
- #include <X11/extensions/syncproto.h>
-+#include <limits.h>
- #include "eat.h"
- 
- static XExtensionInfo _sync_info_data;
-@@ -352,19 +353,28 @@ XSyncListSystemCounters(Display *dpy, int *n_counters_return)
-     if (rep.nCounters > 0)
-     {
- 	xSyncSystemCounter *pWireSysCounter, *pNextWireSysCounter;
-+	xSyncSystemCounter *pLastWireSysCounter;
- 	XSyncCounter counter;
--	int replylen;
-+	unsigned int replylen;
- 	int i;
- 
--	list = Xmalloc(rep.nCounters * sizeof(XSyncSystemCounter));
--	replylen = rep.length << 2;
--	pWireSysCounter = Xmalloc ((unsigned) replylen + sizeof(XSyncCounter));
--        /* +1 to leave room for last counter read-ahead */
-+	if (rep.nCounters < (INT_MAX / sizeof(XSyncSystemCounter)))
-+	    list = Xmalloc(rep.nCounters * sizeof(XSyncSystemCounter));
-+	if (rep.length < (INT_MAX >> 2)) {
-+	    replylen = rep.length << 2;
-+	    pWireSysCounter = Xmalloc (replylen + sizeof(XSyncCounter));
-+	    /* +1 to leave room for last counter read-ahead */
-+	    pLastWireSysCounter = (xSyncSystemCounter *)
-+		((char *)pWireSysCounter) + replylen;
-+	} else {
-+	    replylen = 0;
-+	    pWireSysCounter = NULL;
-+	}
- 
- 	if ((!list) || (!pWireSysCounter))
- 	{
--	    if (list) Xfree((char *) list);
--	    if (pWireSysCounter)   Xfree((char *) pWireSysCounter);
-+	    Xfree(list);
-+	    Xfree(pWireSysCounter);
- 	    _XEatDataWords(dpy, rep.length);
- 	    list = NULL;
- 	    goto bail;
-@@ -388,6 +398,14 @@ XSyncListSystemCounters(Display *dpy, int *n_counters_return)
- 	    pNextWireSysCounter = (xSyncSystemCounter *)
- 		(((char *)pWireSysCounter) + ((SIZEOF(xSyncSystemCounter) +
- 				     pWireSysCounter->name_length + 3) & ~3));
-+	    /* Make sure we haven't gone too far */
-+	    if (pNextWireSysCounter > pLastWireSysCounter) {
-+		Xfree(list);
-+		Xfree(pWireSysCounter);
-+		list = NULL;
-+		goto bail;
-+	    }
-+
- 	    counter = pNextWireSysCounter->counter;
- 
- 	    list[i].name = ((char *)pWireSysCounter) +
--- 
-1.8.2.3
-
diff --git a/main/libxext/APKBUILD b/main/libxext/APKBUILD
index b5cbc1d92a..90c3921f33 100644
--- a/main/libxext/APKBUILD
+++ b/main/libxext/APKBUILD
@@ -1,24 +1,16 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libxext
-pkgver=1.3.1
-pkgrel=1
+pkgver=1.3.2
+pkgrel=0
 pkgdesc="X11 miscellaneous extensions library"
 url="http://xorg.freedesktop.org/"
 arch="all"
 license="custom"
 depends=
 depends_dev="xextproto libx11-dev libxau-dev"
-makedepends="$depends_dev xproto
-	libtool autoconf automake util-macros"
+makedepends="$depends_dev xproto"
 subpackages="$pkgname-dev $pkgname-doc"
 source="http://xorg.freedesktop.org/releases/individual/lib/libXext-$pkgver.tar.bz2
-	0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
-	0002-integer-overflow-in-XcupGetReservedColormapEntries-C.patch
-	0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch
-	0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch
-	0005-integer-overflow-in-XeviGetVisualInfo-CVE-2013-1982-.patch
-	0006-integer-overflow-in-XShapeGetRectangles-CVE-2013-198.patch
-	0007-integer-overflow-in-XSyncListSystemCounters-CVE-2013.patch
 	"
 
 
@@ -30,8 +22,6 @@ prepare() {
 		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
 		esac
 	done
-	libtoolize --force && aclocal && autoheader && autoconf \
-		&& automake --add-missing
 }
 
 build() {
@@ -45,27 +35,6 @@ package() {
 	make DESTDIR="$pkgdir" install || return 1
 	rm "$pkgdir"/usr/lib/*.la || return 1
 }
-md5sums="71251a22bc47068d60a95f50ed2ec3cf  libXext-1.3.1.tar.bz2
-e8571e1188293644413df6beb332c209  0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
-3ae33cae5c48fa8cfaa2669a2f474377  0002-integer-overflow-in-XcupGetReservedColormapEntries-C.patch
-be5437299e95d870d0c2555e994f9e99  0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch
-f10d0d95cd02a31b42ebd9c71b098e00  0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch
-30d0d1e0d7e47444d767101c789129c6  0005-integer-overflow-in-XeviGetVisualInfo-CVE-2013-1982-.patch
-0684b2e3ac5875c1642a77ba6194ec81  0006-integer-overflow-in-XShapeGetRectangles-CVE-2013-198.patch
-1c60dbeb9032d3823616e7fcf1162c15  0007-integer-overflow-in-XSyncListSystemCounters-CVE-2013.patch"
-sha256sums="56229c617eb7bfd6dec40d2805bc4dfb883dfe80f130d99b9a2beb632165e859  libXext-1.3.1.tar.bz2
-a403c890692475a9e1a99c50bae893c150695a75f8ba7f415da2a165a54b1a14  0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
-46b3466a51fa040f39ae7e3fbf7d4d590dd6f3c246990cb5fb91eb40a547e156  0002-integer-overflow-in-XcupGetReservedColormapEntries-C.patch
-b1c4b9308e140458a1e010b874d68fdc646ebf9c16b8adf573bbe05ab3e266a1  0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch
-1ddc2cd6d47b77247fc67831d81b33df287b9042bffec4fceeb1014ea08462be  0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch
-f25b13702696eb15bbcc903e6900a08f61ab39a9e79972ff1666dc32671082cb  0005-integer-overflow-in-XeviGetVisualInfo-CVE-2013-1982-.patch
-438dec8cc7e02d70318631b8c094a238a88a049eea8187a83f1b34cf859de333  0006-integer-overflow-in-XShapeGetRectangles-CVE-2013-198.patch
-660c78e986fc227845dea5aeef00d91e328a52e3268a852160fe4056d4c13c1f  0007-integer-overflow-in-XSyncListSystemCounters-CVE-2013.patch"
-sha512sums="e8536d5a93ae6718c459c013abef0660085b4014fa5db7614f847e75dc4ea87a6235593201c144c424c9f809c8f1275eeadd858fd8915ca34ea1713cf367110a  libXext-1.3.1.tar.bz2
-3944b42305c7686e815bf11f996a48ed605f6f6cbac525e44dd42f0a6e1f9d7ed03b53bf0cc540fd0e1528128a1895ab8683f659d04670cf4c98fe784763ec50  0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch
-10f5c15281aa9d5e6e18511243e020f3d943bd7421defc2c0e5c68cca36d2e0fdd55f1cc58955ba8f2e2ba5983c18ff6610d5b2b2e6a0877f23f446bf2a6c4ed  0002-integer-overflow-in-XcupGetReservedColormapEntries-C.patch
-dfc93f726ae0298c2b3ff43be24509904882de8d87e450e0292b32358211e961be72bca0d7af50afb955fa5ac4679598eb72526c9436d6f3fb0973b3ab6c2f08  0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch
-26699071127642cf32763be2823fcf57e4bfa7766f60c432154e569f5fb91cf7bb8fb9bd9033190fec0c74cc62aad75f73418d48a7218fe37792ca0584a990e3  0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch
-6019357b85646c1c97426d03be5146a0af7a05e90af5fcee713cd2f5cd228b3634f896c76d66e174d55ea095f083b5afbb53ae4ea266979c9cdbb2813a4e5013  0005-integer-overflow-in-XeviGetVisualInfo-CVE-2013-1982-.patch
-4701c06782c7fb69b4eae19a7e6e1d88f8243fc3353f8be72d820bfa36761ad98ee0e5359e55c4e45a1fbf440cfd63e6d2732dd6d68564da3c707e85184e5a41  0006-integer-overflow-in-XShapeGetRectangles-CVE-2013-198.patch
-741a7716aa955c618b526f063919b7268e467f65d125a13dc72f4fd237550e2085e176f08375e8f01829341f9e967963d6d82f95bbc1cda80831c5c0691dbc91  0007-integer-overflow-in-XSyncListSystemCounters-CVE-2013.patch"
+md5sums="4376101e51bb2c6c44d9ab14344e85ad  libXext-1.3.2.tar.bz2"
+sha256sums="f829075bc646cdc085fa25d98d5885d83b1759ceb355933127c257e8e50432e0  libXext-1.3.2.tar.bz2"
+sha512sums="5ed612f2c5e902648eb0438bfb8d9d6440a5baa19d95eb1253b51fe9ad8dcf903a7ee68a9455044d17ce0d486e421df0f98a069ab5ad1a49364f157bdf64efe7  libXext-1.3.2.tar.bz2"
author	Natanael Copa <ncopa@alpinelinux.org>	2013-06-06 16:07:08 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2013-06-06 16:07:08 +0000
commit	4e33a14b02d793b6fef73624e3d50f095a7308ae (patch)
tree	a09988be930e17b7fa4b730399ccdecf9e6a9bec /main/libxext
parent	4ad71042333aae7134222ccfa21ea6efd83b9ec5 (diff)
download	aports-4e33a14b02d793b6fef73624e3d50f095a7308ae.tar.bz2 aports-4e33a14b02d793b6fef73624e3d50f095a7308ae.tar.xz