open-src/lib/libXxf86vm/CVE-2013-2001.patch
changeset 1345 d5dacbb8de2b
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/open-src/lib/libXxf86vm/CVE-2013-2001.patch	Wed May 15 13:44:02 2013 -0700
@@ -0,0 +1,222 @@
+From 284a88e21fc05a63466115b33efa411c60d988c9 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <[email protected]>
+Date: Sat, 13 Apr 2013 14:24:12 -0700
+Subject: [PATCH:libXxf86vm 1/3] Use _XEatDataWords to avoid overflow of
+ length calculations
+
+Signed-off-by: Alan Coopersmith <[email protected]>
+---
+ configure.ac    |    6 ++++++
+ src/XF86VMode.c |   35 +++++++++++++++++++++++++----------
+ 2 files changed, 31 insertions(+), 10 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index d8a23b0..b637788 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -22,6 +22,12 @@ XORG_CHECK_MALLOC_ZERO
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XXF86VM, xproto x11 xextproto xext [xf86vidmodeproto >= 2.2.99.1])
+ 
++# Check for _XEatDataWords function that may be patched into older Xlib release
++SAVE_LIBS="$LIBS"
++LIBS="$XXF86VM_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ AC_CONFIG_FILES([Makefile
+ 		src/Makefile
+ 		man/Makefile
+diff --git a/src/XF86VMode.c b/src/XF86VMode.c
+index 1b907f4..bd54937 100644
+--- a/src/XF86VMode.c
++++ b/src/XF86VMode.c
+@@ -30,11 +30,27 @@ from Kaleb S. KEITHLEY.
+ 
+ /* THIS IS NOT AN X CONSORTIUM STANDARD */
+ 
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
+ #include <X11/Xlibint.h>
+ #include <X11/extensions/xf86vmproto.h>
+ #include <X11/extensions/xf86vmode.h>
+ #include <X11/extensions/Xext.h>
+ #include <X11/extensions/extutil.h>
++#include <limits.h>
++
++#ifndef HAVE__XEATDATAWORDS
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++    if (n >= (ULONG_MAX >> 2))
++        _XIOError(dpy);
++# endif
++    _XEatData (dpy, n << 2);
++}
++#endif
+ 
+ #ifdef DEBUG
+ #include <stdio.h>
+@@ -257,7 +273,8 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
+     if (modeline->privsize > 0) {
+ 	modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
+ 	if (modeline->private == NULL) {
+-	    _XEatData(dpy, (modeline->privsize) * sizeof(INT32));
++	    _XEatDataWords(dpy, rep.length -
++		((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2));
+ 	    result = False;
+ 	} else
+ 	    _XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32));
+@@ -318,10 +335,8 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
+     if (!(modelines = (XF86VidModeModeInfo **) Xcalloc(rep.modecount,
+                                           sizeof(XF86VidModeModeInfo *)
+                                           +sizeof(XF86VidModeModeInfo)))) {
+-	if (majorVersion < 2)
+-            _XEatData(dpy, (rep.modecount) * sizeof(xXF86OldVidModeModeInfo));
+-	else
+-            _XEatData(dpy, (rep.modecount) * sizeof(xXF86VidModeModeInfo));
++	_XEatDataWords(dpy, rep.length -
++	    ((SIZEOF(xXF86VidModeGetAllModeLinesReply) - SIZEOF(xReply)) >> 2));
+ 	UnlockDisplay(dpy);
+ 	SyncHandle();
+         return False;
+@@ -354,7 +369,7 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
+ 		if (oldxmdline.privsize > 0) {
+ 	            if (!(modelines[i]->private =
+ 			    Xcalloc(oldxmdline.privsize, sizeof(INT32)))) {
+-			_XEatData(dpy, (oldxmdline.privsize) * sizeof(INT32));
++			_XEatDataWords(dpy, oldxmdline.privsize);
+ 		    } else {
+ 			_XRead(dpy, (char*)modelines[i]->private,
+ 			     oldxmdline.privsize * sizeof(INT32));
+@@ -384,7 +399,7 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
+ 		if (xmdline.privsize > 0) {
+ 		    if (!(modelines[i]->private =
+ 			    Xcalloc(xmdline.privsize, sizeof(INT32)))) {
+-			_XEatData(dpy, (xmdline.privsize) * sizeof(INT32));
++			_XEatDataWords(dpy, xmdline.privsize);
+ 		    } else {
+ 			_XRead(dpy, (char*)modelines[i]->private,
+ 			     xmdline.privsize * sizeof(INT32));
+@@ -902,8 +917,7 @@ XF86VidModeGetMonitor(Display* dpy, int screen, XF86VidModeMonitor* monitor)
+ 	monitor->hsync = monitor->vsync = NULL;
+     }
+     if (result == False) {
+-	_XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 +
+-		  ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3));
++	_XEatDataWords(dpy, rep.length);
+ 	Xfree(monitor->vendor);
+ 	monitor->vendor = NULL;
+ 	Xfree(monitor->model);
+@@ -1036,7 +1050,8 @@ XF86VidModeGetDotClocks(Display* dpy, int screen, int *flagsPtr,
+ 
+     dotclocks = Xcalloc(rep.clocks, sizeof(int));
+     if (dotclocks == NULL) {
+-        _XEatData(dpy, (rep.clocks) * 4);
++        _XEatDataWords(dpy, rep.length -
++	    ((SIZEOF(xXF86VidModeGetDotClocksReply) - SIZEOF(xReply)) >> 2));
+         result = False;
+     }
+     else {
+-- 
+1.7.9.2
+
+From 47bb28ac0e6e49d3b6eb90c7c215f2fcf54f1a95 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <[email protected]>
+Date: Sat, 13 Apr 2013 14:33:32 -0700
+Subject: [PATCH:libXxf86vm 2/3] memory corruption in
+ XF86VidModeGetGammaRamp() [CVE-2013-2001]
+
+We trusted the server not to return more data than the client said it had
+allocated room for, and would overflow the provided buffers if it did.
+
+Reported-by: Ilja Van Sprundel <[email protected]>
+Signed-off-by: Alan Coopersmith <[email protected]>
+---
+ src/XF86VMode.c |   21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/src/XF86VMode.c b/src/XF86VMode.c
+index bd54937..a32564e 100644
+--- a/src/XF86VMode.c
++++ b/src/XF86VMode.c
+@@ -1110,6 +1110,7 @@ XF86VidModeGetGammaRamp (
+     XExtDisplayInfo *info = find_display (dpy);
+     xXF86VidModeGetGammaRampReq *req;
+     xXF86VidModeGetGammaRampReply rep;
++    Bool result = True;
+ 
+     XF86VidModeCheckExtension (dpy, info, False);
+ 
+@@ -1120,19 +1121,23 @@ XF86VidModeGetGammaRamp (
+     req->screen = screen;
+     req->size = size;
+     if (!_XReply (dpy, (xReply *) &rep, 0, xFalse)) {
+-        UnlockDisplay (dpy);
+-        SyncHandle ();
+-        return False;
++        result = False;
+     }
+-    if(rep.size) {
+-	_XRead(dpy, (char*)red, rep.size << 1);
+-	_XRead(dpy, (char*)green, rep.size << 1);
+-	_XRead(dpy, (char*)blue, rep.size << 1);
++    else if (rep.size) {
++	if (rep.size <= size) {
++	    _XRead(dpy, (char*)red, rep.size << 1);
++	    _XRead(dpy, (char*)green, rep.size << 1);
++	    _XRead(dpy, (char*)blue, rep.size << 1);
++	}
++	else {
++	    _XEatDataWords(dpy, rep.length);
++	    result = False;
++	}
+     }
+ 
+     UnlockDisplay(dpy);
+     SyncHandle();
+-    return True;
++    return result;
+ }
+ 
+ Bool XF86VidModeGetGammaRampSize(
+-- 
+1.7.9.2
+
+From 4c4123441e40da97acd10f58911193ad3dcef5cd Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <[email protected]>
+Date: Sat, 13 Apr 2013 14:43:48 -0700
+Subject: [PATCH:libXxf86vm 3/3] avoid integer overflow in
+ XF86VidModeGetModeLine()
+
+rep.privsize is a CARD32 and needs to be bounds checked before multiplying
+by sizeof(INT32) to come up with the total size to allocate & read to avoid
+integer overflow, though it would not result in buffer overflow as the same
+calculation was used for both allocation & reading from the network.
+
+Signed-off-by: Alan Coopersmith <[email protected]>
+---
+ src/XF86VMode.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/XF86VMode.c b/src/XF86VMode.c
+index a32564e..fb94816 100644
+--- a/src/XF86VMode.c
++++ b/src/XF86VMode.c
+@@ -271,7 +271,10 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
+     }
+ 
+     if (modeline->privsize > 0) {
+-	modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
++	if (modeline->privsize < (INT_MAX / sizeof(INT32)))
++	    modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
++	else
++	    modeline->private = NULL;
+ 	if (modeline->private == NULL) {
+ 	    _XEatDataWords(dpy, rep.length -
+ 		((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2));
+-- 
+1.7.9.2
+
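Review bot: The new `_XEatDataWords(dpy, rep.length - ((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2))` call in XF86VidModeGetModeLine, and the same form at the XF86VidModeGetAllModeLines and XF86VidModeGetDotClocks call sites, subtracts from `rep.length` without first checking that the reply is at least as long as its fixed part, so a malformed reply shorter than that wraps the unsigned difference to a huge word count. With the fallback `_XEatDataWords` added above that count either trips the `ULONG_MAX >> 2` check and goes to `_XIOError` (non-LONG64) or, if I read the `#ifndef LONG64` guard right, turns into a multi-gigabyte `_XEatData` on 64-bit builds, which stalls the client rather than failing cleanly. A small guard before each subtraction, e.g. `unsigned long hdr_words = (SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2;` followed by `_XEatDataWords(dpy, rep.length > hdr_words ? rep.length - hdr_words : 0);`, keeps the count sane for the three sites. The enclosing functions start and end outside the inner hunks, so whether `rep.length` is validated earlier in those bodies cannot be confirmed from here.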