libx11: Changes to 'ubuntu'
debian/changelog | 21
debian/patches/001_hide_xeatdatawords.diff | 36
debian/patches/CVE-2013-1981.patch | 2383 +++++++++++++++++++++++++++++
debian/patches/CVE-2013-1997.patch | 478 +++++
debian/patches/CVE-2013-2004.patch | 164 +
debian/patches/ftbfs_new_automake.patch | 16
debian/patches/series | 5
7 files changed, 3103 insertions(+)
New commits:
commit 11ffe670ac2bb7b9368c4cfeabe703d27db2de88
Author: Timo Aaltonen <tjaalton@ubuntu.com>
Date: Fri Sep 27 11:32:06 2013 +0300
import 1.5.0-1u2 changes
diff --git a/debian/changelog b/debian/changelog
index 475efe3..d1edaf1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,24 @@
+libx11 (2:1.5.0-1ubuntu2) saucy; urgency=low
+
+ * SECURITY UPDATE: denial of service and possible code execution via
+ incorrect memory size calculations
+ - debian/patches/CVE-2013-1981.patch: fix multiple integer overflows.
+ - CVE-2013-1981
+ * SECURITY UPDATE: denial of service and possible code execution via
+ incorrect length and bounds checking
+ - debian/patches/CVE-2013-1997.patch: properly calculate lengths.
+ - CVE-2013-1997
+ * SECURITY UPDATE: denial of service and possible code execution via
+ stack overflow from recursive #include
+ - debian/patches/CVE-2013-2004.patch: set limit on depth.
+ - CVE-2013-2004
+ * debian/patches/001_hide_xeatdatawords.diff: Hide _XEatDataWords by
+ default.
+ * debian/patches/ftbfs_new_automake.patch: fix ftbfs with newer
+ automake.
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 05 Jun 2013 15:40:48 -0400
+
libx11 (2:1.5.0-1ubuntu1) raring; urgency=low
* Update symbols file for arm64
diff --git a/debian/patches/001_hide_xeatdatawords.diff b/debian/patches/001_hide_xeatdatawords.diff
new file mode 100644
index 0000000..9f9b7c9
--- /dev/null
+++ b/debian/patches/001_hide_xeatdatawords.diff
@@ -0,0 +1,36 @@
+Description: Hide _XEatDataWords by default.
+Origin: Debian unstable package
+
+Index: libx11/include/X11/Xlibint.h
+===================================================================
+--- libx11.orig/include/X11/Xlibint.h
++++ libx11/include/X11/Xlibint.h
+@@ -892,10 +892,12 @@ extern void _XEatData(
+ Display* /* dpy */,
+ unsigned long /* n */
+ ) _XLIB_COLD;
++#ifdef XLIB_WANT_XEATDATAWORDS
+ extern void _XEatDataWords(
+ Display* /* dpy */,
+ unsigned long /* n */
+-) _XLIB_COLD;
++) _XLIB_COLD _X_HIDDEN;
++#endif
+ #if defined(__SUNPRO_C) /* Studio compiler alternative to "cold" attribute */
+ # pragma rarely_called(_XEatData, _XEatDataWords)
+ #endif
+Index: libx11/configure.ac
+===================================================================
+--- libx11.orig/configure.ac
++++ libx11/configure.ac
+@@ -76,6 +76,10 @@ PKG_PROG_PKG_CONFIG()
+
+ AC_SUBST(X11_EXTRA_DEPS)
+
++# Debian change: _XEatDataWords is not declared by default, to not affect other
++# X libs
++AC_DEFINE(XLIB_WANT_XEATDATAWORDS, 1, [Declare _XEatDataWords in Xlibint.h])
++
+ # Issue an error if xtrans.m4 was not found and XTRANS_CONNECTION_FLAGS macro
+ # was not expanded, since libX11 with no transport types is rather useless.
+ #
diff --git a/debian/patches/CVE-2013-1981.patch b/debian/patches/CVE-2013-1981.patch
new file mode 100644
index 0000000..3c068be
--- /dev/null
+++ b/debian/patches/CVE-2013-1981.patch
@@ -0,0 +1,2383 @@
+Description: fix denial of service and possible code execution via
+ incorrect memory size calculations
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=d7f04c340ade3834e603c23d543132e1ee4e0c63
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=9f5d83706543696fc944c1835a403938c06f2cc5
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=6df8a63d34b7514077188e2062a13774f920c085
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=5669a220816b7d58fcaf0c302ead16fbe5c87817
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=39515b7c3ba8cae9021bf6695e378ae19487082f
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=1f6a3dbf699b85c0ea715ef21de7e7095a714e12
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=2cd62b5eb99ffbb2fce99f3c459455e630b35bf7
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=90fd5abac2faca86f9f100353a3c9c7b89f31484
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=076428918e6c35f66b9b55c3fa097ff06496d155
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=460e8a223b87d4fa0ea1e97823e998a770e0f2a2
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=164bf4dfe839b1cc75cdeee378a243d04a8200e4
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=79d8dc08eb98842173ce239b9dd60df0e9e9ae72
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=833f6b70bc789d33607f6dbfee9e0a4178ec4b59
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=a351b8103b2ba78882e1c309e85893ca3abe2073
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=0b0f5d4358c3de7563d6af03f0d2ce454702a06a
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=192bbb9e2fc45df4e17b35b6d14ea0eb418dbd39
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=b2c86b582c58f50c7b14da01cf7ebd20ef12a6b2
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=d38527e25f8b6e2f1174ecc21260c5c5416f972e
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=12ad4c6432496897ff000eb7cfecd0fb4b290331
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=3fe4bea086149f06a142a8f1d575f627ec1e22c7
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=3131740513133a9ff7cb12123d29ceb18584fc38
+Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=2820100bf8ba130b94253f415e7fa5ac28bb2037
+
+Index: libx11-1.5.0/include/X11/Xlibint.h
+===================================================================
+--- libx11-1.5.0.orig/include/X11/Xlibint.h 2013-05-29 16:01:59.924191986 -0400
++++ libx11-1.5.0/include/X11/Xlibint.h 2013-05-29 16:01:59.904191987 -0400
+@@ -860,6 +860,15 @@
+ struct _XExten *next_flush; /* next in list of those with flushes */
+ } _XExtension;
+
++/* Temporary definition until we can depend on an xproto release with it */
++#ifdef _X_COLD
++# define _XLIB_COLD _X_COLD
++#elif defined(__GNUC__) && ((__GNUC__ * 100 + __GNUC_MINOR__) >= 403) /* 4.3+ */
++# define _XLIB_COLD __attribute__((__cold__))
++#else
++# define _XLIB_COLD /* nothing */
++#endif
++
+ /* extension hooks */
+
+ #ifdef DataRoutineIsProcedure
+@@ -882,7 +891,14 @@
+ extern void _XEatData(
+ Display* /* dpy */,
+ unsigned long /* n */
+-);
++) _XLIB_COLD;
++extern void _XEatDataWords(
++ Display* /* dpy */,
++ unsigned long /* n */
++) _XLIB_COLD;
++#if defined(__SUNPRO_C) /* Studio compiler alternative to "cold" attribute */
++# pragma rarely_called(_XEatData, _XEatDataWords)
++#endif
+ extern char *_XAllocScratch(
+ Display* /* dpy */,
+ unsigned long /* nbytes */
+Index: libx11-1.5.0/modules/im/ximcp/Makefile.am
+===================================================================
+--- libx11-1.5.0.orig/modules/im/ximcp/Makefile.am 2013-05-29 16:01:59.924191986 -0400
++++ libx11-1.5.0/modules/im/ximcp/Makefile.am 2013-05-29 16:01:59.904191987 -0400
+@@ -6,6 +6,7 @@
+ -I$(top_srcdir)/src/xcms \
+ -I$(top_srcdir)/src/xkb \
+ -I$(top_srcdir)/src/xlibi18n \
++ -I$(top_srcdir)/src \
+ -D_BSD_SOURCE -DXIM_t -DTRANS_CLIENT
+
+ AM_CFLAGS= \
+Index: libx11-1.5.0/modules/im/ximcp/imLcPrs.c
+===================================================================
+--- libx11-1.5.0.orig/modules/im/ximcp/imLcPrs.c 2013-05-29 16:01:59.924191986 -0400
++++ libx11-1.5.0/modules/im/ximcp/imLcPrs.c 2013-05-29 16:01:59.908191987 -0400
+@@ -41,6 +41,8 @@
+ #include "Ximint.h"
+ #include <sys/stat.h>
+ #include <stdio.h>
++#include <limits.h>
++#include "pathmax.h"
+
+ #define XLC_BUFSIZE 256
+
+@@ -304,9 +306,9 @@
+ TransFileName(Xim im, char *name)
+ {
+ char *home = NULL, *lcCompose = NULL;
+- char dir[XLC_BUFSIZE];
+- char *i = name, *ret, *j;
+- int l = 0;
++ char dir[XLC_BUFSIZE] = "";
++ char *i = name, *ret = NULL, *j;
++ size_t l = 0;
+
+ while (*i) {
+ if (*i == '%') {
+@@ -316,30 +318,51 @@
+ l++;
+ break;
+ case 'H':
+- home = getenv("HOME");
+- if (home)
+- l += strlen(home);
++ if (home == NULL)
++ home = getenv("HOME");
++ if (home) {
++ size_t Hsize = strlen(home);
++ if (Hsize > PATH_MAX)
++ /* your home directory length is ridiculous */
++ goto end;
++ l += Hsize;
++ }
+ break;
+ case 'L':
+ if (lcCompose == NULL)
+ lcCompose = _XlcFileName(im->core.lcd, COMPOSE_FILE);
+- if (lcCompose)
+- l += strlen(lcCompose);
++ if (lcCompose) {
++ size_t Lsize = strlen(lcCompose);
++ if (Lsize > PATH_MAX)
++ /* your compose pathname length is ridiculous */
++ goto end;
++ l += Lsize;
++ }
+ break;
+ case 'S':
+- xlocaledir(dir, XLC_BUFSIZE);
+- l += strlen(dir);
++ if (dir[0] == '\0')
++ xlocaledir(dir, XLC_BUFSIZE);
++ if (dir[0]) {
++ size_t Ssize = strlen(dir);
++ if (Ssize > PATH_MAX)
++ /* your locale directory path length is ridiculous */
++ goto end;
++ l += Ssize;
++ }
+ break;
+ }
+ } else {
+ l++;
+ }
+ i++;
++ if (l > PATH_MAX)
++ /* your expanded path length is ridiculous */
++ goto end;
+ }
+
+ j = ret = Xmalloc(l+1);
+ if (ret == NULL)
+- return ret;
++ goto end;
+ i = name;
+ while (*i) {
+ if (*i == '%') {
+@@ -371,6 +394,7 @@
+ }
+ }
+ *j = '\0';
++end:
+ Xfree(lcCompose);
+ return ret;
+ }
+@@ -674,6 +698,8 @@
+
+ if (fstat (fileno (fp), &st) != -1) {
+ unsigned long size = (unsigned long) st.st_size;
++ if (st.st_size >= INT_MAX)
++ return;
+ if (size <= sizeof tb) tbp = tb;
+ else tbp = malloc (size);
+
+Index: libx11-1.5.0/src/Context.c
+===================================================================
+--- libx11-1.5.0.orig/src/Context.c 2013-05-29 16:01:59.924191986 -0400
++++ libx11-1.5.0/src/Context.c 2013-05-29 16:01:59.908191987 -0400
+@@ -111,7 +111,7 @@
+ otable = db->table;
+ for (i = INITHASHMASK+1; (i + i) < db->numentries; )
+ i += i;
+- db->table = (TableEntry *) Xcalloc((unsigned)i, sizeof(TableEntry));
++ db->table = Xcalloc(i, sizeof(TableEntry));
+ if (!db->table) {
+ db->table = otable;
+ return;
+@@ -180,11 +180,11 @@
+ UnlockDisplay(display);
+ }
+ if (!db) {
+- db = (DB) Xmalloc(sizeof(DBRec));
++ db = Xmalloc(sizeof(DBRec));
+ if (!db)
+ return XCNOMEM;
+ db->mask = INITHASHMASK;
+- db->table = (TableEntry *)Xcalloc(db->mask + 1, sizeof(TableEntry));
++ db->table = Xcalloc(db->mask + 1, sizeof(TableEntry));
+ if (!db->table) {
+ Xfree((char *)db);
+ return XCNOMEM;
+@@ -210,7 +210,7 @@
+ return 0;
+ }
+ }
+- entry = (TableEntry) Xmalloc(sizeof(TableEntryRec));
++ entry = Xmalloc(sizeof(TableEntryRec));
+ if (!entry)
+ return XCNOMEM;
+ entry->rid = rid;
+Index: libx11-1.5.0/src/CrGC.c
+===================================================================
+--- libx11-1.5.0.orig/src/CrGC.c 2013-05-29 16:01:59.924191986 -0400
++++ libx11-1.5.0/src/CrGC.c 2013-05-29 16:01:59.908191987 -0400
+@@ -72,7 +72,7 @@
+ register _XExtension *ext;
+
+ LockDisplay(dpy);
+- if ((gc = (GC)Xmalloc (sizeof(struct _XGC))) == NULL) {
++ if ((gc = Xmalloc (sizeof(struct _XGC))) == NULL) {
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return (NULL);
+Index: libx11-1.5.0/src/Depths.c
+===================================================================
+--- libx11-1.5.0.orig/src/Depths.c 2013-05-29 16:01:59.924191986 -0400
++++ libx11-1.5.0/src/Depths.c 2013-05-29 16:01:59.908191987 -0400
+@@ -49,7 +49,7 @@
+ register Depth *dp;
+ register int i;
+
+- depths = (int *) Xmalloc (count * sizeof(int));
++ depths = Xmalloc (count * sizeof(int));
+ if (!depths) return NULL;
+ for (i = 0, dp = scr->depths; i < count; i++, dp++)
+ depths[i] = dp->depth;
+Index: libx11-1.5.0/src/FSWrap.c
+===================================================================
+--- libx11-1.5.0.orig/src/FSWrap.c 2013-05-29 16:01:59.924191986 -0400
++++ libx11-1.5.0/src/FSWrap.c 2013-05-29 16:01:59.908191987 -0400
+@@ -112,7 +112,7 @@
+ if (!*ptr)
+ break;
+ }
+- if (!(list = (char **) Xmalloc((unsigned)sizeof(char *) * (*num + 1)))) {
++ if (!(list = Xmalloc(sizeof(char *) * (*num + 1)))) {
+ Xfree(psave);
+ return (char **)NULL;
+ }
+@@ -133,7 +133,7 @@
+ if (string_list == NULL || list_count <= 0)
+ return (char **) NULL;
+
+- string_list_ret = (char **) Xmalloc(sizeof(char *) * list_count);
++ string_list_ret = Xmalloc(sizeof(char *) * list_count);
+ if (string_list_ret == NULL)
+ return (char **) NULL;
+
+@@ -142,7 +142,7 @@
+ for (length = 0; count-- > 0; list_src++)
+ length += strlen(*list_src) + 1;
+
+- dst = (char *) Xmalloc(length);
++ dst = Xmalloc(length);
+ if (dst == NULL) {
+ Xfree(string_list_ret);
+ return (char **) NULL;
+Index: libx11-1.5.0/src/Font.c
+===================================================================
+--- libx11-1.5.0.orig/src/Font.c 2013-05-29 16:01:59.924191986 -0400
++++ libx11-1.5.0/src/Font.c 2013-05-29 16:01:59.908191987 -0400
+@@ -31,6 +31,7 @@
+ #include <config.h>
+ #endif
+ #include "Xlibint.h"
++#include <limits.h>
+
+ #if defined(XF86BIGFONT) && !defined(MUSTCOPY)
+ #define USE_XF86BIGFONT
+@@ -183,7 +184,8 @@
+ unsigned long seq)
+ {
+ register XFontStruct *fs;
+- register long nbytes;
++ unsigned long nbytes;
++ unsigned long reply_left; /* unused data words left in reply buffer */
+ xQueryFontReply reply;
+ register xResourceReq *req;
+ register _XExtension *ext;
+@@ -211,9 +213,10 @@
+ }
+ if (seq)
+ DeqAsyncHandler(dpy, &async);
+- if (! (fs = (XFontStruct *) Xmalloc (sizeof (XFontStruct)))) {
+- _XEatData(dpy, (unsigned long)(reply.nFontProps * SIZEOF(xFontProp) +
+- reply.nCharInfos * SIZEOF(xCharInfo)));
++ reply_left = reply.length -
++ ((SIZEOF(xQueryFontReply) - SIZEOF(xReply)) >> 2);
++ if (! (fs = Xmalloc (sizeof (XFontStruct)))) {
++ _XEatDataWords(dpy, reply_left);
+ return (XFontStruct *)NULL;
+ }
+ fs->ext_data = NULL;
+@@ -261,16 +264,19 @@
+ */
+ fs->properties = NULL;
+ if (fs->n_properties > 0) {
+- nbytes = reply.nFontProps * sizeof(XFontProp);
+- fs->properties = (XFontProp *) Xmalloc ((unsigned) nbytes);
++ /* nFontProps is a CARD16 */
+ nbytes = reply.nFontProps * SIZEOF(xFontProp);
++ if ((nbytes >> 2) <= reply_left) {
++ size_t pbytes = reply.nFontProps * sizeof(XFontProp);
++ fs->properties = Xmalloc (pbytes);
++ }
+ if (! fs->properties) {
+ Xfree((char *) fs);
+- _XEatData(dpy, (unsigned long)
+- (nbytes + reply.nCharInfos * SIZEOF(xCharInfo)));
++ _XEatDataWords(dpy, reply_left);
+ return (XFontStruct *)NULL;
+ }
+ _XRead32 (dpy, (long *)fs->properties, nbytes);
++ reply_left -= (nbytes >> 2);
+ }
+ /*
+ * If no characters in font, then it is a bad font, but
+@@ -279,12 +285,18 @@
+ /* have to unpack charinfos on some machines (CRAY) */
+ fs->per_char = NULL;
+ if (reply.nCharInfos > 0){
+- nbytes = reply.nCharInfos * sizeof(XCharStruct);
+- if (! (fs->per_char = (XCharStruct *) Xmalloc ((unsigned) nbytes))) {
++ /* nCharInfos is a CARD32 */
++ if (reply.nCharInfos < (INT_MAX / sizeof(XCharStruct))) {
++ nbytes = reply.nCharInfos * SIZEOF(xCharInfo);
++ if ((nbytes >> 2) <= reply_left) {
++ size_t cibytes = reply.nCharInfos * sizeof(XCharStruct);
++ fs->per_char = Xmalloc (cibytes);
++ }
++ }
++ if (! fs->per_char) {
+ if (fs->properties) Xfree((char *) fs->properties);
+ Xfree((char *) fs);
+- _XEatData(dpy, (unsigned long)
+- (reply.nCharInfos * SIZEOF(xCharInfo)));
++ _XEatDataWords(dpy, reply_left);
+ return (XFontStruct *)NULL;
+ }
+
+@@ -306,7 +318,6 @@
+ }
+ }
+ #else
+- nbytes = reply.nCharInfos * SIZEOF(xCharInfo);
+ _XRead16 (dpy, (char *)fs->per_char, nbytes);
+ #endif
+ }
+@@ -354,7 +365,7 @@
+ if (pData)
+ return (XF86BigfontCodes *) pData->private_data;
+
+- pData = (XExtData *) Xmalloc(sizeof(XExtData) + sizeof(XF86BigfontCodes));
++ pData = Xmalloc(sizeof(XExtData) + sizeof(XF86BigfontCodes));
+ if (!pData) {
+ /* Out of luck. */
+ return (XF86BigfontCodes *) NULL;
+@@ -434,7 +445,8 @@
+ unsigned long seq)
+ {
+ register XFontStruct *fs;
+- register long nbytes;
++ unsigned long nbytes;
++ unsigned long reply_left; /* unused data left in reply buffer */
+ xXF86BigfontQueryFontReply reply;
+ register xXF86BigfontQueryFontReq *req;
+ register _XExtension *ext;
+@@ -487,13 +499,10 @@
+ DeqAsyncHandler(dpy, &async2);
+ if (seq)
+ DeqAsyncHandler(dpy, &async1);
+- if (! (fs = (XFontStruct *) Xmalloc (sizeof (XFontStruct)))) {
+- _XEatData(dpy,
+- reply.nFontProps * SIZEOF(xFontProp)
+- + (reply.nCharInfos > 0 && reply.shmid == (CARD32)(-1)
+- ? reply.nUniqCharInfos * SIZEOF(xCharInfo)
+- + (reply.nCharInfos+1)/2 * 2 * sizeof(CARD16)
+- : 0));
++ reply_left = reply.length -
++ ((SIZEOF(xXF86BigfontQueryFontReply) - SIZEOF(xReply)) >> 2);
++ if (! (fs = Xmalloc (sizeof (XFontStruct)))) {
++ _XEatDataWords(dpy, reply_left);
+ return (XFontStruct *)NULL;
+ }
+ fs->ext_data = NULL;
+@@ -519,23 +528,33 @@
+ */
+ fs->properties = NULL;
+ if (fs->n_properties > 0) {
+- nbytes = reply.nFontProps * sizeof(XFontProp);
+- fs->properties = (XFontProp *) Xmalloc ((unsigned) nbytes);
++ /* nFontProps is a CARD16 */
+ nbytes = reply.nFontProps * SIZEOF(xFontProp);
++ if ((nbytes >> 2) <= reply_left) {
++ size_t pbytes = reply.nFontProps * sizeof(XFontProp);
++ fs->properties = Xmalloc (pbytes);
++ }
+ if (! fs->properties) {
+ Xfree((char *) fs);
+- _XEatData(dpy,
+- nbytes
+- + (reply.nCharInfos > 0 && reply.shmid == (CARD32)(-1)
+- ? reply.nUniqCharInfos * SIZEOF(xCharInfo)
+- + (reply.nCharInfos+1)/2 * 2 * sizeof(CARD16)
+- : 0));
++ _XEatDataWords(dpy, reply_left);
+ return (XFontStruct *)NULL;
+ }
+ _XRead32 (dpy, (long *)fs->properties, nbytes);
++ reply_left -= (nbytes >> 2);
+ }
+
+ fs->per_char = NULL;
++#ifndef LONG64
++ /* compares each part to half the maximum, which should be far more than
++ any real font needs, so the combined total doesn't overflow either */
++ if (reply.nUniqCharInfos > ((ULONG_MAX / 2) / SIZEOF(xCharInfo)) ||
++ reply.nCharInfos > ((ULONG_MAX / 2) / sizeof(CARD16))) {
++ Xfree((char *) fs->properties);
++ Xfree((char *) fs);
++ _XEatDataWords(dpy, reply_left);
++ return (XFontStruct *)NULL;
++ }
++#endif
+ if (reply.nCharInfos > 0) {
+ /* fprintf(stderr, "received font metrics, nCharInfos = %d, nUniqCharInfos = %d, shmid = %d\n", reply.nCharInfos, reply.nUniqCharInfos, reply.shmid); */
+ if (reply.shmid == (CARD32)(-1)) {
+@@ -545,18 +564,18 @@
+
+ nbytes = reply.nUniqCharInfos * SIZEOF(xCharInfo)
+ + (reply.nCharInfos+1)/2 * 2 * sizeof(CARD16);
+- pUniqCI = (xCharInfo *) Xmalloc (nbytes);
++ pUniqCI = Xmalloc (nbytes);
+ if (!pUniqCI) {
+ if (fs->properties) Xfree((char *) fs->properties);
+ Xfree((char *) fs);
+- _XEatData(dpy, nbytes);
++ _XEatDataWords(dpy, reply_left);
+ return (XFontStruct *)NULL;
+ }
+- if (! (fs->per_char = (XCharStruct *) Xmalloc (reply.nCharInfos * sizeof(XCharStruct)))) {
++ if (! (fs->per_char = Xmalloc (reply.nCharInfos * sizeof(XCharStruct)))) {
+ Xfree((char *) pUniqCI);
+ if (fs->properties) Xfree((char *) fs->properties);
+ Xfree((char *) fs);
+- _XEatData(dpy, nbytes);
++ _XEatDataWords(dpy, reply_left);
+ return (XFontStruct *)NULL;
+ }
+ _XRead16 (dpy, (char *) pUniqCI, nbytes);
+@@ -579,7 +598,7 @@
+ XEDataObject fs_union;
+ char *addr;
+
+- pData = (XExtData *) Xmalloc(sizeof(XExtData));
++ pData = Xmalloc(sizeof(XExtData));
+ if (!pData) {
+ if (fs->properties) Xfree((char *) fs->properties);
+ Xfree((char *) fs);
+@@ -611,6 +630,7 @@
+ if (!(extcodes->serverCapabilities & CAP_VerifiedLocal)) {
+ struct shmid_ds buf;
+ if (!(shmctl(reply.shmid, IPC_STAT, &buf) >= 0
++ && reply.nCharInfos < (LONG_MAX / sizeof(XCharStruct))
+ && buf.shm_segsz >= reply.shmsegoffset + reply.nCharInfos * sizeof(XCharStruct) + sizeof(CARD32)
+ && *(CARD32 *)(addr + reply.shmsegoffset + reply.nCharInfos * sizeof(XCharStruct)) == extcodes->serverSignature)) {
+ shmdt(addr);
+Index: libx11-1.5.0/src/FontInfo.c
+===================================================================
+--- libx11-1.5.0.orig/src/FontInfo.c 2013-05-29 16:01:59.924191986 -0400
++++ libx11-1.5.0/src/FontInfo.c 2013-05-29 16:02:26.668191731 -0400
+@@ -28,6 +28,7 @@
+ #include <config.h>
+ #endif
+ #include "Xlibint.h"
++#include <limits.h>
+
+ #if defined(XF86BIGFONT) && !defined(MUSTCOPY)
+ #define USE_XF86BIGFONT
+@@ -45,10 +46,11 @@
+ int *actualCount, /* RETURN */
+ XFontStruct **info) /* RETURN */
+ {
+- register long nbytes;
++ unsigned long nbytes;
++ unsigned long reply_left; /* unused data left in reply buffer */
+ register int i;
+ register XFontStruct *fs;
+- register int size = 0;
++ unsigned int size = 0;
+ XFontStruct *finfo = NULL;
+ char **flist = NULL;
+ xListFontsWithInfoReply reply;
+@@ -67,51 +69,44 @@
+ if (!_XReply (dpy, (xReply *) &reply,
+ ((SIZEOF(xListFontsWithInfoReply) -
+ SIZEOF(xGenericReply)) >> 2), xFalse)) {
+- for (j=(i-1); (j >= 0); j--) {
+- Xfree(flist[j]);
+- if (finfo[j].properties) Xfree((char *) finfo[j].properties);
+- }
+- if (flist) Xfree((char *) flist);
+- if (finfo) Xfree((char *) finfo);
+- UnlockDisplay(dpy);
+- SyncHandle();
+- return ((char **) NULL);
++ reply.nameLength = 0; /* avoid trying to read more replies */
++ reply_left = 0;
++ goto badmem;
+ }
+- if (reply.nameLength == 0)
++ reply_left = reply.length -
++ ((SIZEOF(xListFontsWithInfoReply) - SIZEOF(xGenericReply)) >> 2);
++ if (reply.nameLength == 0) {
++ _XEatDataWords(dpy, reply_left);
+ break;
++ }
++ if (reply.nReplies >= (INT_MAX - i)) /* avoid overflowing size */
++ goto badmem;
+ if ((i + reply.nReplies) >= size) {
+ size = i + reply.nReplies + 1;
+
++ if (size >= (INT_MAX / sizeof(XFontStruct)))
++ goto badmem;
++
+ if (finfo) {
+- XFontStruct * tmp_finfo = (XFontStruct *)
+- Xrealloc ((char *) finfo,
+- (unsigned) (sizeof(XFontStruct) * size));
+- char ** tmp_flist = (char **)
+- Xrealloc ((char *) flist,
+- (unsigned) (sizeof(char *) * (size+1)));
+-
+- if ((! tmp_finfo) || (! tmp_flist)) {
+- /* free all the memory that we allocated */
+- for (j=(i-1); (j >= 0); j--) {
+- Xfree(flist[j]);
+- if (finfo[j].properties)
+- Xfree((char *) finfo[j].properties);
+- }
+- if (tmp_flist) Xfree((char *) tmp_flist);
+- else Xfree((char *) flist);
+- if (tmp_finfo) Xfree((char *) tmp_finfo);
+- else Xfree((char *) finfo);
+- goto clearwire;
+- }
+- finfo = tmp_finfo;
+- flist = tmp_flist;
++ XFontStruct * tmp_finfo;
++ char ** tmp_flist;
++
++ tmp_finfo = Xrealloc (finfo, sizeof(XFontStruct) * size);
++ if (tmp_finfo)
++ finfo = tmp_finfo;
++ else
++ goto badmem;
++
++ tmp_flist = Xrealloc (flist, sizeof(char *) * (size+1));
++ if (tmp_flist)
++ flist = tmp_flist;
++ else
++ goto badmem;
+ }
+ else {
+- if (! (finfo = (XFontStruct *)
+- Xmalloc((unsigned) (sizeof(XFontStruct) * size))))
++ if (! (finfo = Xmalloc(sizeof(XFontStruct) * size)))
+ goto clearwire;
+- if (! (flist = (char **)
+- Xmalloc((unsigned) (sizeof(char *) * (size+1))))) {
++ if (! (flist = Xmalloc(sizeof(char *) * (size+1)))) {
+ Xfree((char *) finfo);
+ goto clearwire;
+ }
+@@ -159,24 +154,27 @@
+ #endif /* MUSTCOPY */
+
+ fs->n_properties = reply.nFontProps;
++ fs->properties = NULL;
+ if (fs->n_properties > 0) {
+- nbytes = reply.nFontProps * sizeof(XFontProp);
+- if (! (fs->properties = (XFontProp *) Xmalloc((unsigned) nbytes)))
+- goto badmem;
++ /* nFontProps is a CARD16 */
+ nbytes = reply.nFontProps * SIZEOF(xFontProp);
++ if ((nbytes >> 2) <= reply_left) {
++ size_t pbytes = reply.nFontProps * sizeof(XFontProp);
++ fs->properties = Xmalloc (pbytes);
++ }
++ if (! fs->properties)
++ goto badmem;
+ _XRead32 (dpy, (long *)fs->properties, nbytes);
++ reply_left -= (nbytes >> 2);
++ }
+
+- } else
+- fs->properties = NULL;
+-
+- j = reply.nameLength + 1;
++ /* nameLength is a CARD8 */
++ nbytes = reply.nameLength + 1;
+ if (!i)
+- j++; /* make first string 1 byte longer, to match XListFonts */
+- flist[i] = (char *) Xmalloc ((unsigned int) j);
++ nbytes++; /* make first string 1 byte longer, to match XListFonts */
++ flist[i] = Xmalloc (nbytes);
+ if (! flist[i]) {
+ if (finfo[i].properties) Xfree((char *) finfo[i].properties);
+- nbytes = (reply.nameLength + 3) & ~3;
+- _XEatData(dpy, (unsigned long) nbytes);
+ goto badmem;
+ }
+ if (!i) {
+@@ -198,27 +196,25 @@
+ badmem:
+ /* Free all memory allocated by this function. */
+ for (j=(i-1); (j >= 0); j--) {
+- Xfree(flist[j]);
+- if (finfo[j].properties) Xfree((char *) finfo[j].properties);
++ if (j == 0)
++ flist[j]--; /* was incremented above */
++ Xfree(flist[j]);
++ if (finfo[j].properties) Xfree((char *) finfo[j].properties);
+ }
+ if (flist) Xfree((char *) flist);
+ if (finfo) Xfree((char *) finfo);
+
+ clearwire:
+ /* Clear the wire. */
+- do {
+- if (reply.nFontProps)
+- _XEatData(dpy, (unsigned long)
+- (reply.nFontProps * SIZEOF(xFontProp)));
+- nbytes = (reply.nameLength + 3) & ~3;
+- _XEatData(dpy, (unsigned long) nbytes);
+- }
+- while (_XReply(dpy,(xReply *) &reply, ((SIZEOF(xListFontsWithInfoReply) -
+- SIZEOF(xGenericReply)) >> 2),
+- xFalse) && (reply.nameLength != 0));
+-
++ _XEatDataWords(dpy, reply_left);
++ while ((reply.nameLength != 0) &&
++ _XReply(dpy, (xReply *) &reply,
++ ((SIZEOF(xListFontsWithInfoReply) - SIZEOF(xGenericReply))
++ >> 2), xTrue));
+ UnlockDisplay(dpy);
+ SyncHandle();
++ *info = NULL;
++ *actualCount = 0;
+ return (char **) NULL;
+ }
+
+Index: libx11-1.5.0/src/GetAtomNm.c
+===================================================================
+--- libx11-1.5.0.orig/src/GetAtomNm.c 2013-05-29 16:01:59.924191986 -0400
++++ libx11-1.5.0/src/GetAtomNm.c 2013-05-29 16:01:59.908191987 -0400
+@@ -46,7 +46,7 @@
+ for (idx = TABLESIZE; --idx >= 0; ) {
+ if ((e = *table++) && (e->atom == atom)) {
+ idx = strlen(EntryName(e)) + 1;
+- if ((name = (char *)Xmalloc(idx)))
++ if ((name = Xmalloc(idx)))
+ strcpy(name, EntryName(e));
+ return name;
+ }
+@@ -73,12 +73,12 @@
+ SyncHandle();
+ return(NULL);
+ }
+- if ((name = (char *) Xmalloc(rep.nameLength+1))) {
++ if ((name = Xmalloc(rep.nameLength + 1))) {
+ _XReadPad(dpy, name, (long)rep.nameLength);
+ name[rep.nameLength] = '\0';
+ _XUpdateAtomCache(dpy, name, atom, 0, -1, 0);
+ } else {
+- _XEatData(dpy, (unsigned long) (rep.nameLength + 3) & ~3);
++ _XEatDataWords(dpy, rep.length);
+ name = (char *) NULL;
+ }
+ UnlockDisplay(dpy);
+@@ -124,7 +124,7 @@
+ _XGetAsyncReply(dpy, (char *)&replbuf, rep, buf, len,
+ (SIZEOF(xGetAtomNameReply) - SIZEOF(xReply)) >> 2,
+ False);
+- state->names[state->idx] = (char *) Xmalloc(repl->nameLength+1);
++ state->names[state->idx] = Xmalloc(repl->nameLength + 1);
+ _XGetAsyncData(dpy, state->names[state->idx], buf, len,
+ SIZEOF(xGetAtomNameReply), repl->nameLength,
+ repl->length << 2);
+@@ -170,13 +170,13 @@
+ }
+ if (missed >= 0) {
+ if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
+- if ((names_return[missed] = (char *) Xmalloc(rep.nameLength+1))) {
++ if ((names_return[missed] = Xmalloc(rep.nameLength + 1))) {
+ _XReadPad(dpy, names_return[missed], (long)rep.nameLength);
+ names_return[missed][rep.nameLength] = '\0';
+ _XUpdateAtomCache(dpy, names_return[missed], atoms[missed],
+ 0, -1, 0);
+ } else {
+- _XEatData(dpy, (unsigned long) (rep.nameLength + 3) & ~3);
++ _XEatDataWords(dpy, rep.length);
+ async_state.status = 0;
+ }
+ }
+Index: libx11-1.5.0/src/GetDflt.c
+===================================================================
+--- libx11-1.5.0.orig/src/GetDflt.c 2013-05-29 16:01:59.924191986 -0400
++++ libx11-1.5.0/src/GetDflt.c 2013-05-29 16:01:59.908191987 -0400
+@@ -52,30 +52,7 @@
+ #include "Xlibint.h"
+ #include <X11/Xos.h>
+ #include <X11/Xresource.h>
+-
+-#ifndef X_NOT_POSIX
+-#ifdef _POSIX_SOURCE
+-#include <limits.h>
+-#else
+-#define _POSIX_SOURCE
+-#include <limits.h>
+-#undef _POSIX_SOURCE
+-#endif
+-#endif
+-#ifndef PATH_MAX
+-#ifdef WIN32
+-#define PATH_MAX 512
+-#else
+-#include <sys/param.h>
+-#endif
+-#ifndef PATH_MAX
+-#ifdef MAXPATHLEN
+-#define PATH_MAX MAXPATHLEN
+-#else
+-#define PATH_MAX 1024
+-#endif
+-#endif
+-#endif
++#include "pathmax.h"
+
+ #ifdef XTHREADS
+ #include <X11/Xthreads.h>
+Index: libx11-1.5.0/src/GetHints.c
+===================================================================
+--- libx11-1.5.0.orig/src/GetHints.c 2013-05-29 16:01:59.924191986 -0400
++++ libx11-1.5.0/src/GetHints.c 2013-05-29 16:01:59.908191987 -0400
+@@ -128,7 +128,7 @@
+ return(NULL);
+ }
+ /* static copies not allowed in library, due to reentrancy constraint*/
+- if ((hints = (XWMHints *) Xcalloc (1, (unsigned) sizeof(XWMHints)))) {
++ if ((hints = Xcalloc (1, sizeof(XWMHints)))) {
+ hints->flags = prop->flags;
+ hints->input = (prop->input ? True : False);
+ hints->initial_state = cvtINT32toInt (prop->initialState);
+@@ -203,8 +203,7 @@
+ /* static copies not allowed in library, due to reentrancy constraint*/
+
+ nitems /= NumPropIconSizeElements;
+- if (! (hp = hints = (XIconSize *)
+- Xcalloc ((unsigned) nitems, (unsigned) sizeof(XIconSize)))) {
++ if (! (hp = hints = Xcalloc (nitems, sizeof(XIconSize)))) {
+ if (prop) Xfree ((char *) prop);
+ return 0;
+ }
+@@ -317,14 +316,14 @@
+
+ if ( (actual_type == XA_STRING) && (actual_format == 8) ) {
+ len_name = strlen((char *) data);
+- if (! (classhint->res_name = Xmalloc((unsigned) (len_name+1)))) {
++ if (! (classhint->res_name = Xmalloc(len_name + 1))) {
+ Xfree((char *) data);
+ return (0);
+ }
+ strcpy(classhint->res_name, (char *) data);
+ if (len_name == nitems) len_name--;
+ len_class = strlen((char *) (data+len_name+1));
+- if (! (classhint->res_class = Xmalloc((unsigned) (len_class+1)))) {
++ if (! (classhint->res_class = Xmalloc(len_class + 1))) {
+ Xfree(classhint->res_name);
+ classhint->res_name = (char *) NULL;
+ Xfree((char *) data);
+Index: libx11-1.5.0/src/GetImage.c
+===================================================================
+--- libx11-1.5.0.orig/src/GetImage.c 2013-05-29 16:01:59.924191986 -0400
++++ libx11-1.5.0/src/GetImage.c 2013-05-29 16:01:59.912191986 -0400
+@@ -30,6 +30,7 @@
+ #include "Xlibint.h"
+ #include <X11/Xutil.h> /* for XDestroyImage */
+ #include "ImUtil.h"
++#include <limits.h>
+
+ #define ROUNDUP(nbytes, pad) (((((nbytes) - 1) + (pad)) / (pad)) * (pad))
+
+@@ -56,7 +57,7 @@
+ xGetImageReply rep;
+ register xGetImageReq *req;
+ char *data;
+- long nbytes;
++ unsigned long nbytes;
+ XImage *image;
+ LockDisplay(dpy);
+ GetReq (GetImage, req);
+@@ -78,10 +79,13 @@
+ return (XImage *)NULL;
+ }
+
+- nbytes = (long)rep.length << 2;
+- data = (char *) Xmalloc((unsigned) nbytes);
++ if (rep.length < (INT_MAX >> 2)) {
++ nbytes = (unsigned long)rep.length << 2;
++ data = Xmalloc(nbytes);
++ } else
++ data = NULL;
+ if (! data) {
+- _XEatData(dpy, (unsigned long) nbytes);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return (XImage *) NULL;
+Index: libx11-1.5.0/src/GetMoEv.c
+===================================================================
+--- libx11-1.5.0.orig/src/GetMoEv.c 2013-05-29 16:01:59.924191986 -0400
++++ libx11-1.5.0/src/GetMoEv.c 2013-05-29 16:01:59.912191986 -0400
+@@ -28,6 +28,7 @@
+ #include <config.h>
+ #endif
+ #include "Xlibint.h"
++#include <limits.h>
+
+ XTimeCoord *XGetMotionEvents(
+ register Display *dpy,
+@@ -39,7 +40,6 @@
+ xGetMotionEventsReply rep;
+ register xGetMotionEventsReq *req;
+ XTimeCoord *tc = NULL;
+- long nbytes;
+ LockDisplay(dpy);
+ GetReq(GetMotionEvents, req);
+ req->window = w;
+@@ -52,26 +52,22 @@
+ return (NULL);
+ }
+
+- if (rep.nEvents) {
+- if (! (tc = (XTimeCoord *)
+- Xmalloc( (unsigned)
+- (nbytes = (long) rep.nEvents * sizeof(XTimeCoord))))) {
+- _XEatData (dpy, (unsigned long) nbytes);
+- UnlockDisplay(dpy);
+- SyncHandle();
+- return (NULL);
+- }
++ if (rep.nEvents && (rep.nEvents < (INT_MAX / sizeof(XTimeCoord))))
++ tc = Xmalloc(rep.nEvents * sizeof(XTimeCoord));
++ if (tc == NULL) {
++ /* server returned either no events or a bad event count */
++ *nEvents = 0;
++ _XEatDataWords (dpy, rep.length);
+ }
+-
+- *nEvents = rep.nEvents;
+- nbytes = SIZEOF (xTimecoord);
++ else
+ {
+ register XTimeCoord *tcptr;
+- register int i;
++ unsigned int i;
+ xTimecoord xtc;
+
++ *nEvents = (int) rep.nEvents;
+ for (i = rep.nEvents, tcptr = tc; i > 0; i--, tcptr++) {
+- _XRead (dpy, (char *) &xtc, nbytes);
++ _XRead (dpy, (char *) &xtc, SIZEOF (xTimecoord));
+ tcptr->time = xtc.time;
+ tcptr->x = cvtINT16toShort (xtc.x);
+ tcptr->y = cvtINT16toShort (xtc.y);
+Index: libx11-1.5.0/src/GetPntMap.c
+===================================================================
+--- libx11-1.5.0.orig/src/GetPntMap.c 2013-05-29 16:01:59.924191986 -0400
++++ libx11-1.5.0/src/GetPntMap.c 2013-05-29 16:01:59.912191986 -0400
+@@ -29,6 +29,7 @@
+ #include <config.h>
+ #endif
+ #include "Xlibint.h"
++#include <limits.h>
+
+ #ifdef MIN /* some systems define this in <sys/param.h> */
+ #undef MIN
+@@ -42,7 +43,7 @@
+
+ {
+ unsigned char mapping[256]; /* known fixed size */
+- long nbytes, remainder = 0;
++ unsigned long nbytes, remainder = 0;
+ xGetPointerMappingReply rep;
Reply to: