From 1d7e3d391539e3d00b567b40ae2e6f66a96d4301 Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Thu, 6 Jun 2013 16:11:30 +0000 Subject: main/libxrandr: upgrade to 1.4.1 --- ...recated-Automake-INCLUDES-variable-with-A.patch | 36 ---- ...taWords-to-avoid-overflow-of-rep.length-b.patch | 221 --------------------- ...rflow-in-XRRQueryOutputProperty-CVE-2013-.patch | 60 ------ ...rflow-in-XRRQueryProviderProperty-CVE-201.patch | 55 ----- ...rflow-in-XRRGetOutputProperty-CVE-2013-19.patch | 81 -------- ...rflow-in-XRRGetProviderProperty-CVE-2013-.patch | 81 -------- ...-Property-always-initialize-returned-valu.patch | 74 ------- main/libxrandr/APKBUILD | 42 +--- 8 files changed, 6 insertions(+), 644 deletions(-) delete mode 100644 main/libxrandr/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch delete mode 100644 main/libxrandr/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch delete mode 100644 main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch delete mode 100644 main/libxrandr/0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch delete mode 100644 main/libxrandr/0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch delete mode 100644 main/libxrandr/0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch delete mode 100644 main/libxrandr/0007-Make-XRRGet-Property-always-initialize-returned-valu.patch diff --git a/main/libxrandr/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch b/main/libxrandr/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch deleted file mode 100644 index 8c5eccb9fe..0000000000 --- a/main/libxrandr/0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 99a63d10cbbab7d69a52d25d78795a3278506ea9 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 18 Jan 2013 23:14:01 -0800 -Subject: [PATCH 1/7] Replace deprecated Automake INCLUDES variable with - AM_CPPFLAGS - -Excerpt https://lists.gnu.org/archive/html/automake/2012-12/msg00038.html - - - Support for the long-deprecated INCLUDES variable will be removed - altogether in Automake 1.14. The AM_CPPFLAGS variable should be - used instead. - -This variable was deprecated in Automake releases prior to 1.10, which is -the current minimum level required to build X. - -Signed-off-by: Alan Coopersmith ---- - src/Makefile.am | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/Makefile.am b/src/Makefile.am -index 7a47b9c..2113846 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -19,7 +19,7 @@ AM_CFLAGS = \ - $(MALLOC_ZERO_CFLAGS) \ - $(CWARNFLAGS) - --INCLUDES = -I$(top_srcdir)/include/X11/extensions -+AM_CPPFLAGS = -I$(top_srcdir)/include/X11/extensions - - libXrandr_la_LDFLAGS = -version-number 2:2:0 -no-undefined - --- -1.8.2.3 - diff --git a/main/libxrandr/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch b/main/libxrandr/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch deleted file mode 100644 index 4104b444eb..0000000000 --- a/main/libxrandr/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch +++ /dev/null @@ -1,221 +0,0 @@ -From 1c7ad6773ce6be00dcd6e51e9be08f203abe5071 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 3 May 2013 23:29:22 -0700 -Subject: [PATCH 2/7] Use _XEatDataWords to avoid overflow of rep.length bit - shifting - -rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds - -Signed-off-by: Alan Coopersmith ---- - configure.ac | 6 ++++++ - src/Xrandrint.h | 13 +++++++++++++ - src/XrrCrtc.c | 6 +++--- - src/XrrOutput.c | 2 +- - src/XrrProperty.c | 9 ++++----- - src/XrrProvider.c | 4 ++-- - src/XrrProviderProperty.c | 9 ++++----- - src/XrrScreen.c | 2 +- - 8 files changed, 34 insertions(+), 17 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 3f28bef..8466999 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -55,6 +55,12 @@ AC_SUBST(RANDR_VERSION) - # Obtain compiler/linker options for depedencies - PKG_CHECK_MODULES(RANDR, x11 randrproto >= $RANDR_VERSION xext xextproto xrender renderproto) - -+# Check for _XEatDataWords function that may be patched into older Xlib release -+SAVE_LIBS="$LIBS" -+LIBS="$RANDR_LIBS" -+AC_CHECK_FUNCS([_XEatDataWords]) -+LIBS="$SAVE_LIBS" -+ - AC_CONFIG_FILES([Makefile - src/Makefile - man/Makefile -diff --git a/src/Xrandrint.h b/src/Xrandrint.h -index aed10e4..1687c29 100644 ---- a/src/Xrandrint.h -+++ b/src/Xrandrint.h -@@ -42,6 +42,19 @@ extern char XRRExtensionName[]; - - XExtDisplayInfo *XRRFindDisplay (Display *dpy); - -+#ifndef HAVE__XEATDATAWORDS -+#include /* for LONG64 on 64-bit platforms */ -+#include -+ -+static inline void _XEatDataWords(Display *dpy, unsigned long n) -+{ -+# ifndef LONG64 -+ if (n >= (ULONG_MAX >> 2)) -+ _XIOError(dpy); -+# endif -+ _XEatData (dpy, n << 2); -+} -+#endif - - /* deliberately opaque internal data structure; can be extended, - but not reordered */ -diff --git a/src/XrrCrtc.c b/src/XrrCrtc.c -index 04087c5..a704a52 100644 ---- a/src/XrrCrtc.c -+++ b/src/XrrCrtc.c -@@ -74,7 +74,7 @@ XRRGetCrtcInfo (Display *dpy, XRRScreenResources *resources, RRCrtc crtc) - - xci = (XRRCrtcInfo *) Xmalloc(rbytes); - if (xci == NULL) { -- _XEatData (dpy, (unsigned long) nbytes); -+ _XEatDataWords (dpy, rep.length); - UnlockDisplay (dpy); - SyncHandle (); - return NULL; -@@ -203,7 +203,7 @@ XRRGetCrtcGamma (Display *dpy, RRCrtc crtc) - - if (!crtc_gamma) - { -- _XEatData (dpy, (unsigned long) nbytes); -+ _XEatDataWords (dpy, rep.length); - goto out; - } - _XRead16 (dpy, crtc_gamma->red, rep.size * 2); -@@ -397,7 +397,7 @@ XRRGetCrtcTransform (Display *dpy, - int extraBytes = rep.length * 4 - CrtcTransformExtra; - extra = Xmalloc (extraBytes); - if (!extra) { -- _XEatData (dpy, extraBytes); -+ _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2)); - UnlockDisplay (dpy); - SyncHandle (); - return False; -diff --git a/src/XrrOutput.c b/src/XrrOutput.c -index f13a932..4df894e 100644 ---- a/src/XrrOutput.c -+++ b/src/XrrOutput.c -@@ -81,7 +81,7 @@ XRRGetOutputInfo (Display *dpy, XRRScreenResources *resources, RROutput output) - - xoi = (XRROutputInfo *) Xmalloc(rbytes); - if (xoi == NULL) { -- _XEatData (dpy, (unsigned long) nbytes); -+ _XEatDataWords (dpy, rep.length - (OutputInfoExtra >> 2)); - UnlockDisplay (dpy); - SyncHandle (); - return NULL; -diff --git a/src/XrrProperty.c b/src/XrrProperty.c -index 4c3fdb0..2b065b2 100644 ---- a/src/XrrProperty.c -+++ b/src/XrrProperty.c -@@ -62,7 +62,7 @@ XRRListOutputProperties (Display *dpy, RROutput output, int *nprop) - - props = (Atom *) Xmalloc (rbytes); - if (props == NULL) { -- _XEatData (dpy, nbytes); -+ _XEatDataWords (dpy, rep.length); - UnlockDisplay (dpy); - SyncHandle (); - *nprop = 0; -@@ -107,7 +107,7 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property) - - prop_info = (XRRPropertyInfo *) Xmalloc (rbytes); - if (prop_info == NULL) { -- _XEatData (dpy, nbytes); -+ _XEatDataWords(dpy, rep.length); - UnlockDisplay (dpy); - SyncHandle (); - return NULL; -@@ -313,14 +313,13 @@ XRRGetOutputProperty (Display *dpy, RROutput output, - * This part of the code should never be reached. If it is, - * the server sent back a property with an invalid format. - */ -- nbytes = rep.length << 2; -- _XEatData(dpy, (unsigned long) nbytes); -+ _XEatDataWords(dpy, rep.length); - UnlockDisplay(dpy); - SyncHandle(); - return(BadImplementation); - } - if (! *prop) { -- _XEatData(dpy, (unsigned long) nbytes); -+ _XEatDataWords(dpy, rep.length); - UnlockDisplay(dpy); - SyncHandle(); - return(BadAlloc); -diff --git a/src/XrrProvider.c b/src/XrrProvider.c -index fcd06ff..309e321 100644 ---- a/src/XrrProvider.c -+++ b/src/XrrProvider.c -@@ -67,7 +67,7 @@ XRRGetProviderResources(Display *dpy, Window window) - xrpr = (XRRProviderResources *) Xmalloc(rbytes); - - if (xrpr == NULL) { -- _XEatData (dpy, (unsigned long) nbytes); -+ _XEatDataWords (dpy, rep.length); - UnlockDisplay (dpy); - SyncHandle (); - return NULL; -@@ -136,7 +136,7 @@ XRRGetProviderInfo(Display *dpy, XRRScreenResources *resources, RRProvider provi - - xpi = (XRRProviderInfo *)Xmalloc(rbytes); - if (xpi == NULL) { -- _XEatData (dpy, (unsigned long) nbytes); -+ _XEatDataWords (dpy, rep.length - (ProviderInfoExtra >> 2)); - UnlockDisplay (dpy); - SyncHandle (); - return NULL; -diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c -index c8c08e9..2d90a0a 100644 ---- a/src/XrrProviderProperty.c -+++ b/src/XrrProviderProperty.c -@@ -62,7 +62,7 @@ XRRListProviderProperties (Display *dpy, RRProvider provider, int *nprop) - - props = (Atom *) Xmalloc (rbytes); - if (props == NULL) { -- _XEatData (dpy, nbytes); -+ _XEatDataWords (dpy, rep.length); - UnlockDisplay (dpy); - SyncHandle (); - *nprop = 0; -@@ -107,7 +107,7 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property) - - prop_info = (XRRPropertyInfo *) Xmalloc (rbytes); - if (prop_info == NULL) { -- _XEatData (dpy, nbytes); -+ _XEatDataWords (dpy, rep.length); - UnlockDisplay (dpy); - SyncHandle (); - return NULL; -@@ -313,14 +313,13 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider, - * This part of the code should never be reached. If it is, - * the server sent back a property with an invalid format. - */ -- nbytes = rep.length << 2; -- _XEatData(dpy, (unsigned long) nbytes); -+ _XEatDataWords(dpy, rep.length); - UnlockDisplay(dpy); - SyncHandle(); - return(BadImplementation); - } - if (! *prop) { -- _XEatData(dpy, (unsigned long) nbytes); -+ _XEatDataWords(dpy, rep.length); - UnlockDisplay(dpy); - SyncHandle(); - return(BadAlloc); -diff --git a/src/XrrScreen.c b/src/XrrScreen.c -index f830913..08710b6 100644 ---- a/src/XrrScreen.c -+++ b/src/XrrScreen.c -@@ -129,7 +129,7 @@ doGetScreenResources (Display *dpy, Window window, int poll) - if (xrsr == NULL || wire_names == NULL) { - if (xrsr) Xfree (xrsr); - if (wire_names) Xfree (wire_names); -- _XEatData (dpy, (unsigned long) nbytes); -+ _XEatDataWords (dpy, rep.length); - UnlockDisplay (dpy); - SyncHandle (); - return NULL; --- -1.8.2.3 - diff --git a/main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch b/main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch deleted file mode 100644 index 0d07f5459d..0000000000 --- a/main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 0e79d96c36aef5889ae2e2a3fc2e96e93f30dc21 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 12 Apr 2013 21:44:59 -0700 -Subject: [PATCH 3/7] integer overflow in XRRQueryOutputProperty() - [CVE-2013-1986 1/4] - -rep.length is a CARD32, while rbytes was a signed int, so - rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long); -could result in integer overflow, leading to an undersized malloc -and reading data off the connection and writing it past the end of -the allocated buffer. - -Reported-by: Ilja Van Sprundel -Signed-off-by: Alan Coopersmith ---- - src/XrrProperty.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - -diff --git a/src/XrrProperty.c b/src/XrrProperty.c -index 2b065b2..50382bf 100644 ---- a/src/XrrProperty.c -+++ b/src/XrrProperty.c -@@ -31,6 +31,7 @@ - #include - #include - #include "Xrandrint.h" -+#include - - Atom * - XRRListOutputProperties (Display *dpy, RROutput output, int *nprop) -@@ -84,7 +85,7 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property) - XExtDisplayInfo *info = XRRFindDisplay(dpy); - xRRQueryOutputPropertyReply rep; - xRRQueryOutputPropertyReq *req; -- int rbytes, nbytes; -+ unsigned int rbytes, nbytes; - XRRPropertyInfo *prop_info; - - RRCheckExtension (dpy, info, NULL); -@@ -102,10 +103,14 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property) - return NULL; - } - -- rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long); -- nbytes = rep.length << 2; -+ if (rep.length < ((INT_MAX / sizeof(long)) - sizeof (XRRPropertyInfo))) { -+ rbytes = sizeof (XRRPropertyInfo) + (rep.length * sizeof (long)); -+ nbytes = rep.length << 2; -+ -+ prop_info = Xmalloc (rbytes); -+ } else -+ prop_info = NULL; - -- prop_info = (XRRPropertyInfo *) Xmalloc (rbytes); - if (prop_info == NULL) { - _XEatDataWords(dpy, rep.length); - UnlockDisplay (dpy); --- -1.8.2.3 - diff --git a/main/libxrandr/0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch b/main/libxrandr/0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch deleted file mode 100644 index d55f91def0..0000000000 --- a/main/libxrandr/0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 1da5b838c2a8565d4d95a4e948f951ce6b466345 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Fri, 12 Apr 2013 21:44:59 -0700 -Subject: [PATCH 4/7] integer overflow in XRRQueryProviderProperty() - [CVE-2013-1986 2/4] - -Same problem as XRRQueryOutputProperty() that it was cloned from - -Signed-off-by: Alan Coopersmith ---- - src/XrrProviderProperty.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - -diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c -index 2d90a0a..dc699f6 100644 ---- a/src/XrrProviderProperty.c -+++ b/src/XrrProviderProperty.c -@@ -31,6 +31,7 @@ - #include - #include - #include "Xrandrint.h" -+#include - - Atom * - XRRListProviderProperties (Display *dpy, RRProvider provider, int *nprop) -@@ -84,7 +85,7 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property) - XExtDisplayInfo *info = XRRFindDisplay(dpy); - xRRQueryProviderPropertyReply rep; - xRRQueryProviderPropertyReq *req; -- int rbytes, nbytes; -+ unsigned int rbytes, nbytes; - XRRPropertyInfo *prop_info; - - RRCheckExtension (dpy, info, NULL); -@@ -102,10 +103,14 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property) - return NULL; - } - -- rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long); -- nbytes = rep.length << 2; -+ if (rep.length < ((INT_MAX / sizeof(long)) - sizeof (XRRPropertyInfo))) { -+ rbytes = sizeof (XRRPropertyInfo) + (rep.length * sizeof (long)); -+ nbytes = rep.length << 2; -+ -+ prop_info = Xmalloc (rbytes); -+ } else -+ prop_info = NULL; - -- prop_info = (XRRPropertyInfo *) Xmalloc (rbytes); - if (prop_info == NULL) { - _XEatDataWords (dpy, rep.length); - UnlockDisplay (dpy); --- -1.8.2.3 - diff --git a/main/libxrandr/0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch b/main/libxrandr/0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch deleted file mode 100644 index 225924c639..0000000000 --- a/main/libxrandr/0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 289a1927949e6f278c18d115772e454837702e35 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sat, 4 May 2013 21:37:49 -0700 -Subject: [PATCH 5/7] integer overflow in XRRGetOutputProperty() [CVE-2013-1986 - 3/4] - -If the reported number of properties is too large, the calculations -to allocate memory for them may overflow, leaving us returning less -memory to the caller than implied by the value written to *nitems. - -(Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel) - -Signed-off-by: Alan Coopersmith ---- - src/XrrProperty.c | 22 ++++++++++++++-------- - 1 file changed, 14 insertions(+), 8 deletions(-) - -diff --git a/src/XrrProperty.c b/src/XrrProperty.c -index 50382bf..707a28d 100644 ---- a/src/XrrProperty.c -+++ b/src/XrrProperty.c -@@ -257,7 +257,7 @@ XRRGetOutputProperty (Display *dpy, RROutput output, - XExtDisplayInfo *info = XRRFindDisplay(dpy); - xRRGetOutputPropertyReply rep; - xRRGetOutputPropertyReq *req; -- long nbytes, rbytes; -+ unsigned long nbytes, rbytes; - - RRCheckExtension (dpy, info, 1); - -@@ -282,34 +282,40 @@ XRRGetOutputProperty (Display *dpy, RROutput output, - - *prop = (unsigned char *) NULL; - if (rep.propertyType != None) { -+ int format = rep.format; -+ -+ /* -+ * Protect against both integer overflow and just plain oversized -+ * memory allocation - no server should ever return this many props. -+ */ -+ if (rep.nItems >= (INT_MAX >> 4)) -+ format = -1; /* fall through to default error case */ -+ - /* - * One extra byte is malloced than is needed to contain the property - * data, but this last byte is null terminated and convenient for - * returning string properties, so the client doesn't then have to - * recopy the string to make it null terminated. - */ -- switch (rep.format) { -+ switch (format) { - case 8: - nbytes = rep.nItems; - rbytes = rep.nItems + 1; -- if (rbytes > 0 && -- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) -+ if (rbytes > 0 && (*prop = Xmalloc (rbytes))) - _XReadPad (dpy, (char *) *prop, nbytes); - break; - - case 16: - nbytes = rep.nItems << 1; - rbytes = rep.nItems * sizeof (short) + 1; -- if (rbytes > 0 && -- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) -+ if (rbytes > 0 && (*prop = Xmalloc (rbytes))) - _XRead16Pad (dpy, (short *) *prop, nbytes); - break; - - case 32: - nbytes = rep.nItems << 2; - rbytes = rep.nItems * sizeof (long) + 1; -- if (rbytes > 0 && -- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) -+ if (rbytes > 0 && (*prop = Xmalloc (rbytes))) - _XRead32 (dpy, (long *) *prop, nbytes); - break; - --- -1.8.2.3 - diff --git a/main/libxrandr/0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch b/main/libxrandr/0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch deleted file mode 100644 index cdc616a319..0000000000 --- a/main/libxrandr/0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 4254bf0ee4c7a8f9d03841cf0d8e16cbb201dfbd Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sat, 4 May 2013 21:37:49 -0700 -Subject: [PATCH 6/7] integer overflow in XRRGetProviderProperty() - [CVE-2013-1986 4/4] - -If the reported number of properties is too large, the calculations -to allocate memory for them may overflow, leaving us returning less -memory to the caller than implied by the value written to *nitems. - -(Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel) - -Signed-off-by: Alan Coopersmith ---- - src/XrrProviderProperty.c | 22 ++++++++++++++-------- - 1 file changed, 14 insertions(+), 8 deletions(-) - -diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c -index dc699f6..6989580 100644 ---- a/src/XrrProviderProperty.c -+++ b/src/XrrProviderProperty.c -@@ -257,7 +257,7 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider, - XExtDisplayInfo *info = XRRFindDisplay(dpy); - xRRGetProviderPropertyReply rep; - xRRGetProviderPropertyReq *req; -- long nbytes, rbytes; -+ unsigned long nbytes, rbytes; - - RRCheckExtension (dpy, info, 1); - -@@ -282,34 +282,40 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider, - - *prop = (unsigned char *) NULL; - if (rep.propertyType != None) { -+ int format = rep.format; -+ -+ /* -+ * Protect against both integer overflow and just plain oversized -+ * memory allocation - no server should ever return this many props. -+ */ -+ if (rep.nItems >= (INT_MAX >> 4)) -+ format = -1; /* fall through to default error case */ -+ - /* - * One extra byte is malloced than is needed to contain the property - * data, but this last byte is null terminated and convenient for - * returning string properties, so the client doesn't then have to - * recopy the string to make it null terminated. - */ -- switch (rep.format) { -+ switch (format) { - case 8: - nbytes = rep.nItems; - rbytes = rep.nItems + 1; -- if (rbytes > 0 && -- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) -+ if (rbytes > 0 && (*prop = Xmalloc (rbytes))) - _XReadPad (dpy, (char *) *prop, nbytes); - break; - - case 16: - nbytes = rep.nItems << 1; - rbytes = rep.nItems * sizeof (short) + 1; -- if (rbytes > 0 && -- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) -+ if (rbytes > 0 && (*prop = Xmalloc (rbytes))) - _XRead16Pad (dpy, (short *) *prop, nbytes); - break; - - case 32: - nbytes = rep.nItems << 2; - rbytes = rep.nItems * sizeof (long) + 1; -- if (rbytes > 0 && -- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) -+ if (rbytes > 0 && (*prop = Xmalloc (rbytes))) - _XRead32 (dpy, (long *) *prop, nbytes); - break; - --- -1.8.2.3 - diff --git a/main/libxrandr/0007-Make-XRRGet-Property-always-initialize-returned-valu.patch b/main/libxrandr/0007-Make-XRRGet-Property-always-initialize-returned-valu.patch deleted file mode 100644 index 659b9c1752..0000000000 --- a/main/libxrandr/0007-Make-XRRGet-Property-always-initialize-returned-valu.patch +++ /dev/null @@ -1,74 +0,0 @@ -From c90f74497dbcb96854346435349c6e2207b530c5 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sat, 4 May 2013 21:47:50 -0700 -Subject: [PATCH 7/7] Make XRRGet*Property() always initialize returned values - -Avoids memory corruption and other errors when callers access them -without checking to see if the calls returned an error value. - -Callers are still required to check for errors, this just reduces the -damage when they don't. - -(Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel) - -Signed-off-by: Alan Coopersmith ---- - src/XrrProperty.c | 8 +++++++- - src/XrrProviderProperty.c | 8 +++++++- - 2 files changed, 14 insertions(+), 2 deletions(-) - -diff --git a/src/XrrProperty.c b/src/XrrProperty.c -index 707a28d..2096c56 100644 ---- a/src/XrrProperty.c -+++ b/src/XrrProperty.c -@@ -259,6 +259,13 @@ XRRGetOutputProperty (Display *dpy, RROutput output, - xRRGetOutputPropertyReq *req; - unsigned long nbytes, rbytes; - -+ /* Always initialize return values, in case callers fail to initialize -+ them and fail to check the return code for an error. */ -+ *actual_type = None; -+ *actual_format = 0; -+ *nitems = *bytes_after = 0L; -+ *prop = (unsigned char *) NULL; -+ - RRCheckExtension (dpy, info, 1); - - LockDisplay (dpy); -@@ -280,7 +287,6 @@ XRRGetOutputProperty (Display *dpy, RROutput output, - return ((xError *)&rep)->errorCode; - } - -- *prop = (unsigned char *) NULL; - if (rep.propertyType != None) { - int format = rep.format; - -diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c -index 6989580..34cc082 100644 ---- a/src/XrrProviderProperty.c -+++ b/src/XrrProviderProperty.c -@@ -259,6 +259,13 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider, - xRRGetProviderPropertyReq *req; - unsigned long nbytes, rbytes; - -+ /* Always initialize return values, in case callers fail to initialize -+ them and fail to check the return code for an error. */ -+ *actual_type = None; -+ *actual_format = 0; -+ *nitems = *bytes_after = 0L; -+ *prop = (unsigned char *) NULL; -+ - RRCheckExtension (dpy, info, 1); - - LockDisplay (dpy); -@@ -280,7 +287,6 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider, - return ((xError *)&rep)->errorCode; - } - -- *prop = (unsigned char *) NULL; - if (rep.propertyType != None) { - int format = rep.format; - --- -1.8.2.3 - diff --git a/main/libxrandr/APKBUILD b/main/libxrandr/APKBUILD index e4228018d5..84d96a634e 100644 --- a/main/libxrandr/APKBUILD +++ b/main/libxrandr/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa pkgname=libxrandr -pkgver=1.4.0 -pkgrel=1 +pkgver=1.4.1 +pkgrel=0 pkgdesc="X11 RandR extension library" url="http://xorg.freedesktop.org/" arch="all" @@ -9,15 +9,8 @@ license="custom" subpackages="$pkgname-dev $pkgname-doc" depends= depends_dev="xproto randrproto libx11-dev libxext-dev libxrender-dev" -makedepends="$depends_dev libtool autoconf automake util-macros" +makedepends="$depends_dev" source="http://xorg.freedesktop.org/releases/individual/lib/libXrandr-$pkgver.tar.bz2 - 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch - 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch - 0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch - 0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch - 0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch - 0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch - 0007-Make-XRRGet-Property-always-initialize-returned-valu.patch " @@ -29,8 +22,6 @@ prepare() { *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; esac done - libtoolize --force && aclocal && autoheader && autoconf \ - && automake --add-missing } build() { @@ -47,27 +38,6 @@ package() { rm "$pkgdir"/usr/lib/*.la || return 1 install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING } -md5sums="0c843636124cc1494e3d87df16957672 libXrandr-1.4.0.tar.bz2 -d40ab63148e3a7c31f3548097c48d507 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch -f79a519bdf980c7ef92e18aa3a2c16ca 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch -41e672b46e9e3d25c8eb2e86cea29ed1 0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch -e2bb9968f01fc41f53e6457f60bdfae0 0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch -7d65549f48058f8f9bf9e527d03bbb08 0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch -486e84c4089b4f5120cbbc605e732f5b 0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch -0883bd4a4e0360e54968f9e4887c03c8 0007-Make-XRRGet-Property-always-initialize-returned-valu.patch" -sha256sums="033ad0ac2f012afb05268660f6d78705c85f84689f92fa7b47ce12959b15f5c3 libXrandr-1.4.0.tar.bz2 -fc55395c3a275b9c2bce1cd17caf3963b57afb424e95504cf84ed3ab3bf58e19 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch -7ca77f1f0e5f7a1febc76e2957c3705d6378c1af6944616735bacc194bc81097 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch -847f2b8da4e9d9346d273fd541830a0d6d457857cea576394c2117c5dcbcf356 0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch -a537b5ca75a88c5b1ccc862775e4512fb57c4665eb6245c59b3160250ac02ba8 0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch -2b84742ed038b96625cc0486e47e3b85e6bd9700a8095b7b65d9dc8a93087dfc 0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch -8daabc77bfbcef87d7e52478306fd2774b0c3b59afc7d002d413c7fd6598b93c 0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch -03b9c156b04cbe934978983e6a4fff427fd9230b39408b20bbdb4768a7a06bb4 0007-Make-XRRGet-Property-always-initialize-returned-valu.patch" -sha512sums="a97f2442c7f73786e5d3fae9a98b172ac1cb17b1584a7bad243128fc755b25a41cc7e32ceed10eb8eac733ff137b95504485967716f0122edf6682db6065a289 libXrandr-1.4.0.tar.bz2 -11584e52674a6d1216d5586f578962464f8e6942653a3bce7ddf3af27ea28d604e9ce989635b1db051147f5046ed0593601d74277a86c2776e84ff1c5350a9df 0001-Replace-deprecated-Automake-INCLUDES-variable-with-A.patch -ce19127f19d5b932b68de1f336335587bdda4db791b20d26488dcba00a9e303832c679033e59d1f2602f24c8519fe909c24199226ab2b651863b60a7a1e2a5c6 0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-b.patch -228c64d64c839682cb7523cd6dd9153d0acf76e7d9e88a7e73c24bc4536b9dcbf5a500d7fd33ba373f605a0e9d0a770899c1b44a25f9d7468db6de46d0702152 0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch -1784174229c46575431eb6a0e05ccac631c3d843ed2742cd89ec8f28866c0e10881ab1c1e30fab5831ba0cb066ece0debbbeb98c7bb4a528768dd8342f42f7b2 0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch -14d508d519ca972ee6e521597b16663e78b3f44bcbada97d6ba797cec2b09392daeaf673e02670af0d0f6f71ac5c8e8cb8aa75546ec46cb92ecb6f9190990bca 0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch -ec6996991010498de70ad69d55d8a7b2bb5f5f751af567d6be385166d485e145920356a9a3b87603be924121e0202251f6dca96c1af2bd6328961c5fa286d8d1 0006-integer-overflow-in-XRRGetProviderProperty-CVE-2013-.patch -0d7804c66749090a72bd52297948b7b27c51d77773e57d62e905a7b45d349a77c9857933d85a9e22ce9a2d249ed6ed492fc80040193652ddebe47bd7c558562e 0007-Make-XRRGet-Property-always-initialize-returned-valu.patch" +md5sums="8dbac4e972348dcbd3a0673ce2e37919 libXrandr-1.4.1.tar.bz2" +sha256sums="d914a0490fd0a2ea6c3194505b5b28c56e2a277d8f4648b0275ee0ee370fb905 libXrandr-1.4.1.tar.bz2" +sha512sums="73ceca5a1ff56e886a95fbfa250ccec49e5d847e3a6d1dd6bb38462ee30724e838706caa41caa536a87ed2811fdff8fa7d1120fde656a05699830ff978ebd1ad libXrandr-1.4.1.tar.bz2" -- cgit v1.2.3