Contains fixes for following issues:
CVE-2015-1802: bdfReadProperties: property count needs range check
CVE-2015-1803: bdfReadCharacters: bailout if a char's bitmap cannot be read
CVE-2015-1804: bdfReadCharacters: ensure metrics fit into xCharInfo struct
those are the only archs that currently use gallium radeon drivers.
It should build anywhere that has the libdrm radeon headers
installed. And while that should really be everywhere it
isn't at the moment and won't be for release.
It isn't clear why the radeon winsys in Mesa 10.4 didn't have
the same problem.
Found the hard way by todd@ on alpha.
This is desirable as the chromium port now uses this extension to
obtain pci vendor/device ids for use in feature/extension blacklists.
Prompted by a mail from byrnet@, tested on r600g by krw@
The newly added os_get_total_physical_memory() was passing the length of
a pointer rather than the type which made the sysctl call fail on
non 64 bit archs. And it was passing the wrong pointer for the result.
Fixes for these problems have been submitted back upstream.
With 10.4.3 gpu compositing on chromium would result in a black window
on older Intel parts (ie x60s with 945gm) and at least some discrete
Radeon parts. These problems do not seem to occur on recent Intel
parts, though those have coherent memory and hardware contexts.
It isn't clear what changes in Mesa are involved in the problem
though it also occurs with the 10.3 branch.
libEGL against libgbm and libglapi.
The libgbm requirement comes from the drm EGL backend that was
enabled with the 10.2.3 update.
ok matthieu@ kettenis@
/etc/X11/app-defaults stays 1st in the libXt search path so, people
and ports can put customized versions there if needed.
If you didn't customize the versions in /etc/X11/app-defaults, they
should be removed to avoid future issues when one file changes.
discussed at g2k14 and ok ajacoutot@
As the functions check if the member pointers are NULL but not the
pointer to the struct itself.
Reworked version of a diff from ratchov@ who created it to prevent a
xserver crash on zaurus where there is no PCI.
'looks ok' matthieu@, ok deraadt@
gallium/targets/{r300,r600,radeonsi}/common/drm_target.c in the Mesa source
but cvs import ignores symlinks.
Change the directory we search for drm_target.c in to deal with this.
page directory. fixes the following X man 3 pages:
XTestCompareCurrentCursorWithWindow.man
XTestCompareCursorWithWindow.man XTestDiscard.man
XTestFakeButtonEvent.man XTestFakeKeyEvent.man
XTestFakeMotionEvent.man XTestFakeRelativeMotionEvent.man
XTestGrabControl.man XTestSetGContextOfGC.man
XTestSetVisualIDOfVisual.man
X Font Service Protocol & Font metadata file handling issues in libXfont
May 13, 2014
- CVE-2014-0209: integer overflow of allocations in font metadata file parsing
When a local user who is already authenticated to the X server adds
a new directory to the font path, the X server calls libXfont to open
the fonts.dir and fonts.alias files in that directory and add entries
to the font tables for every line in it. A large file (~2-4 gb) could
cause the allocations to overflow, and allow the remaining data read
from the file to overwrite other memory in the heap.
Affected functions: FontFileAddEntry(), lexAlias()
- CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies
When parsing replies received from the font server, these calls do not
check that the lengths and/or indexes returned by the font server are
within the size of the reply or the bounds of the memory allocated to
store the data, so could write past the bounds of allocated memory when
storing the returned data.
Affected functions: _fs_recv_conn_setup(), fs_read_open_font(),
fs_read_query_info(), fs_read_extent_info(), fs_read_glyphs(),
fs_read_list(), fs_read_list_info()
- CVE-2014-0211: integer overflows calculating memory needs for xfs replies
These calls do not check that their calculations for how much memory
is needed to handle the returned data have not overflowed, so can
result in allocating too little memory and then writing the returned
data past the end of the allocated buffer.
Affected functions: fs_get_reply(), fs_alloc_glyphs(),
fs_read_extent_info()
Reported by Ilja van Sprundel of IOActive
Fixes by Alan Coopersmith of Oracle
