Commit Graph

952 Commits

Author SHA1 Message Date
matthieu
dd04a74464 use the pkg-config support from bsd.xorg.mk to handle
libGLw and libepoxy .pc files rather than manually generating them
as root in postinstall. Spotted by natano@ ok natano@.
2016-10-08 19:09:34 +00:00
matthieu
f8928160a7 Fix package version in fontconfig.pc 2016-10-08 14:09:10 +00:00
matthieu
e61292a300 Avoid buffer underflow on empty strings.
If an empty string is received from an x-server, do not underrun the
buffer by accessing "rep.nameLen - 1" unconditionally, which could end
up being -1.

From Tobias Stoeckmann / X.Org security advisory Oct 4, 2016
2016-10-04 15:11:05 +00:00
matthieu
1e4e5956d0 Protocol handling issues in libXv
The Xv query functions for adaptors and encodings suffer from out of boundary
accesses if a hostile X server sends a maliciously crafted response.

A previous fix already checks the received length against fixed values but
ignores additional length specifications which are stored inside the received
data.

These lengths are accessed in a for-loop. The easiest way to guarantee a
correct processing is by validating all lengths against the remaining size
left before accessing referenced memory.

This makes the previously applied check obsolete, therefore I removed it.

From Tobias Stoeckmann / X.Org security advisory Oct 4, 2016
2016-10-04 15:09:40 +00:00
matthieu
ce0f69616f Out of boundary access and endless loop in libXtst
A lack of range checks in libXtst allows out of boundary accesses.
The checks have to be done in-place here, because it cannot be done
without in-depth knowledge of the read data.

If XRecordStartOfData, XRecordEndOfData, or XRecordClientDied
without a client sequence have attached data, an endless loop would
occur. The do-while-loop continues until the current index reaches
the end. But in these cases, the current index would not be
incremented, leading to an endless processing.

From Tobias Stoeckmann / X.Org security advisory Oct 4, 2016
2016-10-04 15:08:08 +00:00
matthieu
26cabdb32f Validate lengths while parsing server data.
Individual lengths inside received server data can overflow
the previously reserved memory.

It is therefore important to validate every single length
field to not overflow the previously agreed sum of all invidual
length fields.

From Tobias Stoeckmann / X.Org security advisory Oct 4, 2016
2016-10-04 15:05:13 +00:00
matthieu
9f957a9f79 Avoid OOB write in XRenderQueryFilters
The memory for filter names is reserved right after receiving the reply.
After that, filters are iterated and each individual filter name is
stored in that reserved memory.

The individual name lengths are not checked for validity, which means
that a malicious server can reserve less memory than it will write to
during each iteration.

From Tobias Stoeckmann / X.Org security advisory Oct 4, 2016
2016-10-04 15:03:48 +00:00
matthieu
aebb61b811 Avoid out of boundary accesses on illegal responses
The responses of the connected X server have to be properly checked
to avoid out of boundary accesses that could otherwise be triggered
by a malicious server.

From Tobias Stoeckmann / X.Org security advisory Oct 4, 2016
2016-10-04 15:02:31 +00:00
matthieu
342b1570d2 Properly validate server responses
By validating length fields from server responses, out of boundary
accesses and endless loops can be mitigated.

From Tobias Stoeckmann / X.Org security advisory Oct 4, 2016
2016-10-04 15:01:03 +00:00
matthieu
269364ad66 Integer overflow on illegal server response
The 32 bit field "rep.length" is not checked for validity, which allows
an integer overflow on 32 bit systems.

A malicious server could send INT_MAX as length, which gets multiplied
by the size of XRectangle. In that case the client won't read the whole
data from server, getting out of sync.

From Tobias Stoeckmann / X.Org security advisory Oct 4, 2016
2016-10-04 14:59:47 +00:00
matthieu
89e55bbf5a Validation of server responses in XGetImage()
Check if enough bytes were received for specified image type and
geometry. Otherwise GetPixel and other functions could trigger an
out of boundary read later on.
From Tobias Stoeckmann / X.Org security advisory Oct 4, 2016
2016-10-04 14:58:26 +00:00
matthieu
bd2560e2ec The validation of server responses avoids out of boundary accesses.
From Tobias Stoeckmann / Xorg Securiry adrvisory Oct 4, 2016.
2016-10-04 14:56:37 +00:00
matthieu
c542153d63 revert pixman-vmx.c to the version of pixman-0.32.8.
gcc 4.2 is not able to compile the new version.
XXX switch back to 0.34 once macppc switches to clang.
2016-10-03 06:57:44 +00:00
matthieu
71be0511eb Fix installation of libXaw.so.15.0 link. 2016-10-02 19:11:16 +00:00
matthieu
321b9b9f5f regen 2016-10-02 17:17:04 +00:00
matthieu
b0eedeca6e Handle the libXaw.so.xx.y symlink in afterinstall: in Makefile.bsd-wrapper
No more diffs with upstreams in autoconf files;
owneship of links for non-root/noperm installs is handled too.
2016-10-02 17:16:31 +00:00
matthieu
f086547c98 regen 2016-10-02 10:30:28 +00:00
matthieu
d9e10c2579 Remove local patch for platforms without shared libs 2016-10-02 10:30:06 +00:00
matthieu
99edbe0a23 Reduce diffs with upstreams 2016-10-02 10:00:36 +00:00
tb
da27f01d12 Set owner and group of the XScreenSaver(3) manpage symlink.
Needed for noperm release.

ok matthieu
2016-10-02 09:28:53 +00:00
tb
c3666a91f0 chown -h symbolic links in conf.d. Needed for noperm release.
There are a few remaining symlinks that will be fixed later.

ok matthieu
2016-10-02 09:19:28 +00:00
matthieu
cb8938ecc4 Update to pixman 0.34.0. 2016-10-01 10:17:43 +00:00
matthieu
02593ff9e1 pixman: upstreams tarballs contain an empty ChangeLog.
So remove what we have here. Less gratuitous local changes.
2016-09-25 10:31:16 +00:00
matthieu
3e22cb884a Update to libXfont 1.5.2 2016-09-02 11:00:05 +00:00
matthieu
778b53e347 Update to xcb-proto/libxcb 1.12. "Just commit it" naddy@ 2016-09-02 10:09:43 +00:00
jsg
e0e6b146d2 remove sparc 2016-09-01 10:37:40 +00:00
deraadt
1667ad0b71 extra space 2016-08-09 19:40:13 +00:00
matthieu
6219851df2 Update to fontconfig 2.12.1.
Tested by krw@, dcoppa@, ok dcoppa@.
2016-08-09 18:57:41 +00:00
tedu
1cfa6ba9b5 just dump the major. freetype changes probably extend beyond just the
obviously visible symbol additions.
2016-08-09 17:41:23 +00:00
dcoppa
739881e349 Re-add binary files using 'cvs add -kb' 2016-08-09 08:16:45 +00:00
dcoppa
662d4e30c2 Remove binary files 2016-08-09 08:13:56 +00:00
dcoppa
1d43045a90 Update to freetype-doc-2.6.5 2016-08-09 07:53:52 +00:00
dcoppa
7513b427d4 Update to FreeType 2.6.5
ok matthieu@
2016-08-09 07:16:08 +00:00
matthieu
0d928c6a2e Update to libXi 1.7.6 2016-08-06 09:56:28 +00:00
matthieu
7a95b9000b Update to libXfixes 5.0.2. No functional changes. 2016-08-06 09:51:36 +00:00
kettenis
4159a76ad9 Disable the code that allocates W|X memory. There is fallback code that
gets used if allocating W|X memory fails, which is probably a bit slower.
However, that is much better than commit a W^X violation which currently
gets you killed.

ok jca@
2016-07-25 20:12:06 +00:00
dcoppa
84ff959861 Update to freetype-doc-2.6.3 2016-05-30 08:28:23 +00:00
dcoppa
bd5c5e0b0d "javascript" renamed to "js" 2016-05-30 08:22:54 +00:00
dcoppa
fc2035f145 "javascript" renamed to "js" 2016-05-30 08:22:04 +00:00
dcoppa
558b65489d bump freetype major 2016-05-29 12:29:25 +00:00
dcoppa
04fa58073a Bump following freetype update.
Suggested by sthen@

ok sthen@, naddy@, matthieu@
2016-05-29 11:59:59 +00:00
dcoppa
ebfdec871f Update to FreeType 2.6.3
ok sthen@, naddy@, matthieu@
2016-05-29 11:57:09 +00:00
jsg
363dd58b73 Merge Mesa 11.2.2 2016-05-29 10:40:19 +00:00
jsg
f8d9379ca7 Import Mesa 11.2.2 2016-05-29 10:11:54 +00:00
kettenis
3c6443a9bb Make sure we authenticate before calling loader_get_driver_for_fd(). This
function invokes some drm ioctls that require the client to be authenticated.

tested by espie@
ok jsg@
2016-04-20 12:23:56 +00:00
jsg
b96f098cef remove XENOCARA_BUILD_PIXMAN all platforms now build pixman 2016-04-01 03:15:15 +00:00
jsg
92b7ec9f80 Merge libdrm 2.4.67 2016-03-20 10:41:29 +00:00
jsg
b8626cd659 Import libdrm 2.4.67 2016-03-20 10:19:44 +00:00
jsg
d29159d31f test some more __ARM_ARCH_* builtin defines 2016-03-18 14:38:03 +00:00
matthieu
fc89427fc0 Enable atomics operations for fontconfig on mips64 and mips64el.
ok kettenis@
2016-03-13 20:23:35 +00:00