From ffec5e9271bb8ae29fe71515d2eeb26427bf8237 Mon Sep 17 00:00:00 2001
From: matthieu <matthieu@openbsd.org>
Date: Thu, 3 Nov 2016 10:55:16 +0000
Subject: [PATCH] Update to libXrender 0.9.10

---
 lib/libXrender/ChangeLog          | 56 +++++++++++++++++++++++++++++++
 lib/libXrender/compile            |  2 +-
 lib/libXrender/configure          | 20 +++++------
 lib/libXrender/configure.ac       |  2 +-
 lib/libXrender/doc/libXrender.txt |  5 ++-
 5 files changed, 72 insertions(+), 13 deletions(-)

diff --git a/lib/libXrender/ChangeLog b/lib/libXrender/ChangeLog
index 06d256e5d..79abcb8f1 100644
--- a/lib/libXrender/ChangeLog
+++ b/lib/libXrender/ChangeLog
@@ -1,3 +1,59 @@
+commit 845716f8f14963d338e5a8d5d2424baafc90fb30
+Author: Matthieu Herrb <matthieu.herrb@laas.fr>
+Date:   Tue Oct 4 21:24:55 2016 +0200
+
+    libXrender 0.9.10
+    
+    Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
+
+commit 9362c7ddd1af3b168953d0737877bc52d79c94f4
+Author: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date:   Sun Sep 25 21:43:09 2016 +0200
+
+    Validate lengths while parsing server data.
+    
+    Individual lengths inside received server data can overflow
+    the previously reserved memory.
+    
+    It is therefore important to validate every single length
+    field to not overflow the previously agreed sum of all invidual
+    length fields.
+    
+    v2: consume remaining bytes in the reply buffer on error.
+    
+    Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+    Reviewed-by: Matthieu Herrb@laas.fr
+
+commit 8fad00b0b647ee662ce4737ca15be033b7a21714
+Author: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date:   Sun Sep 25 21:42:09 2016 +0200
+
+    Avoid OOB write in XRenderQueryFilters
+    
+    The memory for filter names is reserved right after receiving the reply.
+    After that, filters are iterated and each individual filter name is
+    stored in that reserved memory.
+    
+    The individual name lengths are not checked for validity, which means
+    that a malicious server can reserve less memory than it will write to
+    during each iteration.
+    
+    v2: consume remaining bytes in reply buffer on error.
+    
+    Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+
+commit b2df5bc42f64b45e44dbad61f3386bcb5ec1383d
+Author: Lauri Kasanen <cand@gmx.com>
+Date:   Mon May 18 19:41:03 2015 +0300
+
+    Fix documentation to explicitly mention premultiplied alpha
+    
+    Before this patch, it wasn't mentioned in this file at all, which
+    is a monumental oversight.
+    
+    Signed-off-by: Lauri Kasanen <cand@gmx.com>
+
 commit bb890936bcc6053cb7a46cd9225c257ff1be389f
 Author: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date:   Thu Apr 30 22:29:55 2015 -0700
diff --git a/lib/libXrender/compile b/lib/libXrender/compile
index a85b723c7..531136b06 100644
--- a/lib/libXrender/compile
+++ b/lib/libXrender/compile
@@ -3,7 +3,7 @@
 
 scriptversion=2012-10-14.11; # UTC
 
-# Copyright (C) 1999-2014 Free Software Foundation, Inc.
+# Copyright (C) 1999-2013 Free Software Foundation, Inc.
 # Written by Tom Tromey <tromey@cygnus.com>.
 #
 # This program is free software; you can redistribute it and/or modify
diff --git a/lib/libXrender/configure b/lib/libXrender/configure
index b1929e8a5..791aac495 100644
--- a/lib/libXrender/configure
+++ b/lib/libXrender/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for libXrender 0.9.9.
+# Generated by GNU Autoconf 2.69 for libXrender 0.9.10.
 #
 # Report bugs to <https://bugs.freedesktop.org/enter_bug.cgi?product=xorg>.
 #
@@ -591,8 +591,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='libXrender'
 PACKAGE_TARNAME='libXrender'
-PACKAGE_VERSION='0.9.9'
-PACKAGE_STRING='libXrender 0.9.9'
+PACKAGE_VERSION='0.9.10'
+PACKAGE_STRING='libXrender 0.9.10'
 PACKAGE_BUGREPORT='https://bugs.freedesktop.org/enter_bug.cgi?product=xorg'
 PACKAGE_URL=''
 
@@ -1351,7 +1351,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures libXrender 0.9.9 to adapt to many kinds of systems.
+\`configure' configures libXrender 0.9.10 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1421,7 +1421,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of libXrender 0.9.9:";;
+     short | recursive ) echo "Configuration of libXrender 0.9.10:";;
    esac
   cat <<\_ACEOF
 
@@ -1545,7 +1545,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-libXrender configure 0.9.9
+libXrender configure 0.9.10
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1869,7 +1869,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by libXrender $as_me 0.9.9, which was
+It was created by libXrender $as_me 0.9.10, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2698,7 +2698,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='libXrender'
- VERSION='0.9.9'
+ VERSION='0.9.10'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -18238,7 +18238,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by libXrender $as_me 0.9.9, which was
+This file was extended by libXrender $as_me 0.9.10, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -18304,7 +18304,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-libXrender config.status 0.9.9
+libXrender config.status 0.9.10
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/lib/libXrender/configure.ac b/lib/libXrender/configure.ac
index ff83023a9..e5b82b10b 100644
--- a/lib/libXrender/configure.ac
+++ b/lib/libXrender/configure.ac
@@ -29,7 +29,7 @@ AC_PREREQ([2.60])
 # digit in the version number to track changes which don't affect the
 # protocol, so Xrender version l.n.m corresponds to protocol version l.n
 #
-AC_INIT(libXrender, [0.9.9],
+AC_INIT(libXrender, [0.9.10],
 	[https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXrender])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS([config.h])
diff --git a/lib/libXrender/doc/libXrender.txt b/lib/libXrender/doc/libXrender.txt
index 27cc75d72..753ee9886 100644
--- a/lib/libXrender/doc/libXrender.txt
+++ b/lib/libXrender/doc/libXrender.txt
@@ -84,7 +84,8 @@ as a separate argument which marks the valid entries.
 2.4 Colors
 
 The core protocol XColor type doesn't include an alpha component, so Xrender
-has a separate type.
+has a separate type. Note that XRender expects premultiplied alpha in all
+cases except with the gradient operations.
 
 	typedef struct {
 	    unsigned short   red;
@@ -526,6 +527,8 @@ conceptually built.
 7.1 Composite
 
 XRenderComposite exposes the RenderComposite protocol request directly.
+If a format with alpha is used, make sure it is premultiplied into the
+color channels.
 
 	void
 	XRenderComposite (Display   *dpy,