--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/open-src/lib/libXxf86vm/CVE-2013-2001.patch Wed May 15 13:44:02 2013 -0700
@@ -0,0 +1,222 @@
+From 284a88e21fc05a63466115b33efa411c60d988c9 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <[email protected]>
+Date: Sat, 13 Apr 2013 14:24:12 -0700
+Subject: [PATCH:libXxf86vm 1/3] Use _XEatDataWords to avoid overflow of
+ length calculations
+
+Signed-off-by: Alan Coopersmith <[email protected]>
+---
+ configure.ac | 6 ++++++
+ src/XF86VMode.c | 35 +++++++++++++++++++++++++----------
+ 2 files changed, 31 insertions(+), 10 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index d8a23b0..b637788 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -22,6 +22,12 @@ XORG_CHECK_MALLOC_ZERO
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XXF86VM, xproto x11 xextproto xext [xf86vidmodeproto >= 2.2.99.1])
+
++# Check for _XEatDataWords function that may be patched into older Xlib release
++SAVE_LIBS="$LIBS"
++LIBS="$XXF86VM_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ AC_CONFIG_FILES([Makefile
+ src/Makefile
+ man/Makefile
+diff --git a/src/XF86VMode.c b/src/XF86VMode.c
+index 1b907f4..bd54937 100644
+--- a/src/XF86VMode.c
++++ b/src/XF86VMode.c
+@@ -30,11 +30,27 @@ from Kaleb S. KEITHLEY.
+
+ /* THIS IS NOT AN X CONSORTIUM STANDARD */
+
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
+ #include <X11/Xlibint.h>
+ #include <X11/extensions/xf86vmproto.h>
+ #include <X11/extensions/xf86vmode.h>
+ #include <X11/extensions/Xext.h>
+ #include <X11/extensions/extutil.h>
++#include <limits.h>
++
++#ifndef HAVE__XEATDATAWORDS
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++ if (n >= (ULONG_MAX >> 2))
++ _XIOError(dpy);
++# endif
++ _XEatData (dpy, n << 2);
++}
++#endif
+
+ #ifdef DEBUG
+ #include <stdio.h>
+@@ -257,7 +273,8 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
+ if (modeline->privsize > 0) {
+ modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
+ if (modeline->private == NULL) {
+- _XEatData(dpy, (modeline->privsize) * sizeof(INT32));
++ _XEatDataWords(dpy, rep.length -
++ ((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2));
+ result = False;
+ } else
+ _XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32));
+@@ -318,10 +335,8 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
+ if (!(modelines = (XF86VidModeModeInfo **) Xcalloc(rep.modecount,
+ sizeof(XF86VidModeModeInfo *)
+ +sizeof(XF86VidModeModeInfo)))) {
+- if (majorVersion < 2)
+- _XEatData(dpy, (rep.modecount) * sizeof(xXF86OldVidModeModeInfo));
+- else
+- _XEatData(dpy, (rep.modecount) * sizeof(xXF86VidModeModeInfo));
++ _XEatDataWords(dpy, rep.length -
++ ((SIZEOF(xXF86VidModeGetAllModeLinesReply) - SIZEOF(xReply)) >> 2));
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return False;
+@@ -354,7 +369,7 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
+ if (oldxmdline.privsize > 0) {
+ if (!(modelines[i]->private =
+ Xcalloc(oldxmdline.privsize, sizeof(INT32)))) {
+- _XEatData(dpy, (oldxmdline.privsize) * sizeof(INT32));
++ _XEatDataWords(dpy, oldxmdline.privsize);
+ } else {
+ _XRead(dpy, (char*)modelines[i]->private,
+ oldxmdline.privsize * sizeof(INT32));
+@@ -384,7 +399,7 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
+ if (xmdline.privsize > 0) {
+ if (!(modelines[i]->private =
+ Xcalloc(xmdline.privsize, sizeof(INT32)))) {
+- _XEatData(dpy, (xmdline.privsize) * sizeof(INT32));
++ _XEatDataWords(dpy, xmdline.privsize);
+ } else {
+ _XRead(dpy, (char*)modelines[i]->private,
+ xmdline.privsize * sizeof(INT32));
+@@ -902,8 +917,7 @@ XF86VidModeGetMonitor(Display* dpy, int screen, XF86VidModeMonitor* monitor)
+ monitor->hsync = monitor->vsync = NULL;
+ }
+ if (result == False) {
+- _XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 +
+- ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3));
++ _XEatDataWords(dpy, rep.length);
+ Xfree(monitor->vendor);
+ monitor->vendor = NULL;
+ Xfree(monitor->model);
+@@ -1036,7 +1050,8 @@ XF86VidModeGetDotClocks(Display* dpy, int screen, int *flagsPtr,
+
+ dotclocks = Xcalloc(rep.clocks, sizeof(int));
+ if (dotclocks == NULL) {
+- _XEatData(dpy, (rep.clocks) * 4);
++ _XEatDataWords(dpy, rep.length -
++ ((SIZEOF(xXF86VidModeGetDotClocksReply) - SIZEOF(xReply)) >> 2));
+ result = False;
+ }
+ else {
+--
+1.7.9.2
+
+From 47bb28ac0e6e49d3b6eb90c7c215f2fcf54f1a95 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <[email protected]>
+Date: Sat, 13 Apr 2013 14:33:32 -0700
+Subject: [PATCH:libXxf86vm 2/3] memory corruption in
+ XF86VidModeGetGammaRamp() [CVE-2013-2001]
+
+We trusted the server not to return more data than the client said it had
+allocated room for, and would overflow the provided buffers if it did.
+
+Reported-by: Ilja Van Sprundel <[email protected]>
+Signed-off-by: Alan Coopersmith <[email protected]>
+---
+ src/XF86VMode.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/src/XF86VMode.c b/src/XF86VMode.c
+index bd54937..a32564e 100644
+--- a/src/XF86VMode.c
++++ b/src/XF86VMode.c
+@@ -1110,6 +1110,7 @@ XF86VidModeGetGammaRamp (
+ XExtDisplayInfo *info = find_display (dpy);
+ xXF86VidModeGetGammaRampReq *req;
+ xXF86VidModeGetGammaRampReply rep;
++ Bool result = True;
+
+ XF86VidModeCheckExtension (dpy, info, False);
+
+@@ -1120,19 +1121,23 @@ XF86VidModeGetGammaRamp (
+ req->screen = screen;
+ req->size = size;
+ if (!_XReply (dpy, (xReply *) &rep, 0, xFalse)) {
+- UnlockDisplay (dpy);
+- SyncHandle ();
+- return False;
++ result = False;
+ }
+- if(rep.size) {
+- _XRead(dpy, (char*)red, rep.size << 1);
+- _XRead(dpy, (char*)green, rep.size << 1);
+- _XRead(dpy, (char*)blue, rep.size << 1);
++ else if (rep.size) {
++ if (rep.size <= size) {
++ _XRead(dpy, (char*)red, rep.size << 1);
++ _XRead(dpy, (char*)green, rep.size << 1);
++ _XRead(dpy, (char*)blue, rep.size << 1);
++ }
++ else {
++ _XEatDataWords(dpy, rep.length);
++ result = False;
++ }
+ }
+
+ UnlockDisplay(dpy);
+ SyncHandle();
+- return True;
++ return result;
+ }
+
+ Bool XF86VidModeGetGammaRampSize(
+--
+1.7.9.2
+
+From 4c4123441e40da97acd10f58911193ad3dcef5cd Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <[email protected]>
+Date: Sat, 13 Apr 2013 14:43:48 -0700
+Subject: [PATCH:libXxf86vm 3/3] avoid integer overflow in
+ XF86VidModeGetModeLine()
+
+rep.privsize is a CARD32 and needs to be bounds checked before multiplying
+by sizeof(INT32) to come up with the total size to allocate & read to avoid
+integer overflow, though it would not result in buffer overflow as the same
+calculation was used for both allocation & reading from the network.
+
+Signed-off-by: Alan Coopersmith <[email protected]>
+---
+ src/XF86VMode.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/XF86VMode.c b/src/XF86VMode.c
+index a32564e..fb94816 100644
+--- a/src/XF86VMode.c
++++ b/src/XF86VMode.c
+@@ -271,7 +271,10 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
+ }
+
+ if (modeline->privsize > 0) {
+- modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
++ if (modeline->privsize < (INT_MAX / sizeof(INT32)))
++ modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
++ else
++ modeline->private = NULL;
+ if (modeline->private == NULL) {
+ _XEatDataWords(dpy, rep.length -
+ ((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2));
+--
+1.7.9.2
+