Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 9 Dec 2017 16:59:15 +0000 (UTC)
From:      Niclas Zeising <zeising@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject:   svn commit: r455866 - in branches/2017Q4/x11-servers: xorg-nestserver xorg-server xorg-server/files xorg-vfbserver xwayland
Message-ID:  <201712091659.vB9GxFBc027270@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: zeising
Date: Sat Dec  9 16:59:14 2017
New Revision: 455866
URL: https://svnweb.freebsd.org/changeset/ports/455866

Log:
  MFH: r452027
  
  Fix security issues: CVE-2017-12176 through CVE-2017-12187 in xorg-server.
  Bump all the slaves due to not being sure where the shared code is used.
  
  Security:	7274e0cc-575f-41bc-8619-14a41b3c2ad0
  
  Approved by:	ports-secteam (eadler)
  PR:		223286

Added:
  branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12176
     - copied unchanged from r452027, head/x11-servers/xorg-server/files/patch-CVE-2017-12176
  branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12177
     - copied unchanged from r452027, head/x11-servers/xorg-server/files/patch-CVE-2017-12177
  branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12178
     - copied unchanged from r452027, head/x11-servers/xorg-server/files/patch-CVE-2017-12178
  branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12179
     - copied unchanged from r452027, head/x11-servers/xorg-server/files/patch-CVE-2017-12179
  branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12183
     - copied unchanged from r452027, head/x11-servers/xorg-server/files/patch-CVE-2017-12183
  branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-1218x
     - copied unchanged from r452027, head/x11-servers/xorg-server/files/patch-CVE-2017-1218x
  branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-1218y
     - copied unchanged from r452027, head/x11-servers/xorg-server/files/patch-CVE-2017-1218y
  branches/2017Q4/x11-servers/xorg-server/files/patch-os_io.c
     - copied unchanged from r452027, head/x11-servers/xorg-server/files/patch-os_io.c
Modified:
  branches/2017Q4/x11-servers/xorg-nestserver/Makefile
  branches/2017Q4/x11-servers/xorg-server/Makefile
  branches/2017Q4/x11-servers/xorg-vfbserver/Makefile
  branches/2017Q4/x11-servers/xwayland/Makefile
Directory Properties:
  branches/2017Q4/   (props changed)

Modified: branches/2017Q4/x11-servers/xorg-nestserver/Makefile
==============================================================================
--- branches/2017Q4/x11-servers/xorg-nestserver/Makefile	Sat Dec  9 16:53:36 2017	(r455865)
+++ branches/2017Q4/x11-servers/xorg-nestserver/Makefile	Sat Dec  9 16:59:14 2017	(r455866)
@@ -3,7 +3,7 @@
 
 PORTNAME=	xorg-nestserver
 PORTVERSION=	1.19.1
-PORTREVISION=	1
+PORTREVISION=	2
 PORTEPOCH=	2
 
 COMMENT=	Nesting X server from X.Org
@@ -27,8 +27,16 @@ CONFIGURE_ARGS+=--enable-xnest --disable-dmx --disable
 
 PLIST_FILES=	bin/Xnest man/man1/Xnest.1.gz
 
-EXTRA_PATCHES=	${MASTERDIR}/files/patch-CVE-2017-13721 \
-		${MASTERDIR}/files/patch-CVE-2017-13723
+EXTRA_PATCHES=	${MASTERDIR}/files/patch-CVE-2017-12176 \
+		${MASTERDIR}/files/patch-CVE-2017-12177 \
+		${MASTERDIR}/files/patch-CVE-2017-12178 \
+		${MASTERDIR}/files/patch-CVE-2017-12179 \
+		${MASTERDIR}/files/patch-CVE-2017-12183 \
+		${MASTERDIR}/files/patch-CVE-2017-1218x \
+		${MASTERDIR}/files/patch-CVE-2017-1218y \
+		${MASTERDIR}/files/patch-CVE-2017-13721 \
+		${MASTERDIR}/files/patch-CVE-2017-13723 \
+		${MASTERDIR}/files/patch-os_io.c
 
 do-install:
 	cd ${WRKSRC}/hw/xnest; DESTDIR=${STAGEDIR} ${MAKE} install

Modified: branches/2017Q4/x11-servers/xorg-server/Makefile
==============================================================================
--- branches/2017Q4/x11-servers/xorg-server/Makefile	Sat Dec  9 16:53:36 2017	(r455865)
+++ branches/2017Q4/x11-servers/xorg-server/Makefile	Sat Dec  9 16:59:14 2017	(r455866)
@@ -3,7 +3,7 @@
 
 PORTNAME?=	xorg-server
 PORTVERSION?=	1.18.4
-PORTREVISION?=	4
+PORTREVISION?=	5
 PORTEPOCH?=	1
 CATEGORIES=	x11-servers
 MASTER_SITES=	XORG/individual/xserver

Copied: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12176 (from r452027, head/x11-servers/xorg-server/files/patch-CVE-2017-12176)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12176	Sat Dec  9 16:59:14 2017	(r455866, copy of r452027, head/x11-servers/xorg-server/files/patch-CVE-2017-12176)
@@ -0,0 +1,31 @@
+From 95f605b42d8bbb6bea2834a1abfc205981c5b803 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Fri, 9 Jan 2015 10:15:46 -0500
+Subject: Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
+
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+(cherry picked from commit b747da5e25be944337a9cd1415506fc06b70aa81)
+
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index 0da431b..0fdfe11 100644
+--- dix/dispatch.c
++++ dix/dispatch.c
+@@ -3703,7 +3703,12 @@ ProcEstablishConnection(ClientPtr client)
+     prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
+     auth_proto = (char *) prefix + sz_xConnClientPrefix;
+     auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
+-    if ((prefix->majorVersion != X_PROTOCOL) ||
++
++    if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
++	pad_to_int32(prefix->nbytesAuthProto) +
++	pad_to_int32(prefix->nbytesAuthString))
++        reason = "Bad length";
++    else if ((prefix->majorVersion != X_PROTOCOL) ||
+         (prefix->minorVersion != X_PROTOCOL_REVISION))
+         reason = "Protocol version mismatch";
+     else
+-- 
+cgit v0.10.2
+

Copied: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12177 (from r452027, head/x11-servers/xorg-server/files/patch-CVE-2017-12177)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12177	Sat Dec  9 16:59:14 2017	(r455866, copy of r452027, head/x11-servers/xorg-server/files/patch-CVE-2017-12177)
@@ -0,0 +1,41 @@
+From cc41e5b581d287c56f8d7113a97a4882dcfdd696 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Fri, 9 Jan 2015 10:09:14 -0500
+Subject: dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo
+ (CVE-2017-12177)
+
+v2: Protect against integer overflow (Alan Coopersmith)
+
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+(cherry picked from commit 4ca68b878e851e2136c234f40a25008297d8d831)
+
+diff --git a/dbe/dbe.c b/dbe/dbe.c
+index 23f7e16..f31766f 100644
+--- dbe/dbe.c
++++ dbe/dbe.c
+@@ -574,6 +574,9 @@ ProcDbeGetVisualInfo(ClientPtr client)
+     XdbeScreenVisualInfo *pScrVisInfo;
+ 
+     REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
++    if (stuff->n > UINT32_MAX / sizeof(CARD32))
++        return BadLength;
++    REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32));
+ 
+     if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
+         return BadAlloc;
+@@ -924,7 +927,7 @@ SProcDbeSwapBuffers(ClientPtr client)
+ 
+     swapl(&stuff->n);
+     if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
+-        return BadAlloc;
++        return BadLength;
+     REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
+ 
+     if (stuff->n != 0) {
+-- 
+cgit v0.10.2
+

Copied: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12178 (from r452027, head/x11-servers/xorg-server/files/patch-CVE-2017-12178)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12178	Sat Dec  9 16:59:14 2017	(r455866, copy of r452027, head/x11-servers/xorg-server/files/patch-CVE-2017-12178)
@@ -0,0 +1,29 @@
+From 6c15122163a2d2615db7e998e8d436815a08dec6 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Wed, 24 Dec 2014 16:22:18 -0500
+Subject: Xi: fix wrong extra length check in ProcXIChangeHierarchy
+ (CVE-2017-12178)
+
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+(cherry picked from commit 859b08d523307eebde7724fd1a0789c44813e821)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index f2b7785..7286eff 100644
+--- Xi/xichangehierarchy.c
++++ Xi/xichangehierarchy.c
+@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+     if (!stuff->num_changes)
+         return rc;
+ 
+-    len = ((size_t)stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
++    len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
+ 
+     any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
+     while (stuff->num_changes--) {
+-- 
+cgit v0.10.2
+

Copied: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12179 (from r452027, head/x11-servers/xorg-server/files/patch-CVE-2017-12179)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12179	Sat Dec  9 16:59:14 2017	(r455866, copy of r452027, head/x11-servers/xorg-server/files/patch-CVE-2017-12179)
@@ -0,0 +1,52 @@
+From c77cd08efcf386bcc5d8dfbd0427134b2b2d0888 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Fri, 9 Jan 2015 10:04:41 -0500
+Subject: Xi: integer overflow and unvalidated length in
+ (S)ProcXIBarrierReleasePointer
+
+[jcristau: originally this patch fixed the same issue as commit
+ 211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the
+ addition of these checks]
+
+This addresses CVE-2017-12179
+
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+(cherry picked from commit d088e3c1286b548a58e62afdc70bb40981cdb9e8)
+
+
+--- Xi/xibarriers.c.orig	2016-07-15 18:17:45.000000000 +0200
++++ Xi/xibarriers.c	2017-10-13 18:26:09.226006000 +0200
+@@ -830,10 +830,15 @@
+     REQUEST(xXIBarrierReleasePointerReq);
+     int i;
+ 
+-    info = (xXIBarrierReleasePointerInfo*) &stuff[1];
+-
+     swaps(&stuff->length);
++    REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
++
+     swapl(&stuff->num_barriers);
++    if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
++        return BadLength;
++    REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
++
++    info = (xXIBarrierReleasePointerInfo*) &stuff[1];
+     for (i = 0; i < stuff->num_barriers; i++, info++) {
+         swaps(&info->deviceid);
+         swapl(&info->barrier);
+@@ -854,6 +859,10 @@
+ 
+     REQUEST(xXIBarrierReleasePointerReq);
+     REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
++    if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
++        return BadLength;
++    REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
++
+ 
+     info = (xXIBarrierReleasePointerInfo*) &stuff[1];
+     for (i = 0; i < stuff->num_barriers; i++, info++) {

Copied: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12183 (from r452027, head/x11-servers/xorg-server/files/patch-CVE-2017-12183)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-12183	Sat Dec  9 16:59:14 2017	(r455866, copy of r452027, head/x11-servers/xorg-server/files/patch-CVE-2017-12183)
@@ -0,0 +1,95 @@
+From 61502107a30d64f991784648c3228ebc6694a032 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Fri, 9 Jan 2015 11:43:05 -0500
+Subject: xfixes: unvalidated lengths (CVE-2017-12183)
+
+v2: Use before swap (Jeremy Huddleston Sequoia)
+
+v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)
+
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+(cherry picked from commit 55caa8b08c84af2b50fbc936cf334a5a93dd7db5)
+
+diff --git a/xfixes/cursor.c b/xfixes/cursor.c
+index f009a78..6e84d71 100644
+--- xfixes/cursor.c
++++ xfixes/cursor.c
+@@ -281,6 +281,7 @@ int
+ SProcXFixesSelectCursorInput(ClientPtr client)
+ {
+     REQUEST(xXFixesSelectCursorInputReq);
++    REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq);
+ 
+     swaps(&stuff->length);
+     swapl(&stuff->window);
+@@ -414,7 +415,7 @@ ProcXFixesSetCursorName(ClientPtr client)
+     REQUEST(xXFixesSetCursorNameReq);
+     Atom atom;
+ 
+-    REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq);
++    REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes);
+     VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess);
+     tchar = (char *) &stuff[1];
+     atom = MakeAtom(tchar, stuff->nbytes, TRUE);
+@@ -1007,6 +1008,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
+     int i;
+     CARD16 *in_devices = (CARD16 *) &stuff[1];
+ 
++    REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);
++
+     swaps(&stuff->length);
+     swaps(&stuff->num_devices);
+     REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
+diff --git a/xfixes/region.c b/xfixes/region.c
+index dd74d7f..f300d2b 100644
+--- xfixes/region.c
++++ xfixes/region.c
+@@ -359,6 +359,7 @@ ProcXFixesCopyRegion(ClientPtr client)
+     RegionPtr pSource, pDestination;
+ 
+     REQUEST(xXFixesCopyRegionReq);
++    REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
+ 
+     VERIFY_REGION(pSource, stuff->source, client, DixReadAccess);
+     VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess);
+@@ -375,7 +376,7 @@ SProcXFixesCopyRegion(ClientPtr client)
+     REQUEST(xXFixesCopyRegionReq);
+ 
+     swaps(&stuff->length);
+-    REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq);
++    REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
+     swapl(&stuff->source);
+     swapl(&stuff->destination);
+     return (*ProcXFixesVector[stuff->xfixesReqType]) (client);
+diff --git a/xfixes/saveset.c b/xfixes/saveset.c
+index eb3f658..aa365cf 100644
+--- xfixes/saveset.c
++++ xfixes/saveset.c
+@@ -62,6 +62,7 @@ int
+ SProcXFixesChangeSaveSet(ClientPtr client)
+ {
+     REQUEST(xXFixesChangeSaveSetReq);
++    REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq);
+ 
+     swaps(&stuff->length);
+     swapl(&stuff->window);
+diff --git a/xfixes/xfixes.c b/xfixes/xfixes.c
+index 8d1bd4c..8b45c53 100644
+--- xfixes/xfixes.c
++++ xfixes/xfixes.c
+@@ -160,6 +160,7 @@ static int
+ SProcXFixesQueryVersion(ClientPtr client)
+ {
+     REQUEST(xXFixesQueryVersionReq);
++    REQUEST_SIZE_MATCH(xXFixesQueryVersionReq);
+ 
+     swaps(&stuff->length);
+     swapl(&stuff->majorVersion);
+-- 
+cgit v0.10.2
+

Copied: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-1218x (from r452027, head/x11-servers/xorg-server/files/patch-CVE-2017-1218x)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-1218x	Sat Dec  9 16:59:14 2017	(r455866, copy of r452027, head/x11-servers/xorg-server/files/patch-CVE-2017-1218x)
@@ -0,0 +1,601 @@
+From d264da92f7f8129b8aad4f0114a6467fc38fc896 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Sun, 21 Dec 2014 01:10:03 -0500
+Subject: hw/xfree86: unvalidated lengths
+
+This addresses:
+CVE-2017-12180 in XFree86-VidModeExtension
+CVE-2017-12181 in XFree86-DGA
+CVE-2017-12182 in XFree86-DRI
+
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+(cherry picked from commit 1b1d4c04695dced2463404174b50b3581dbd857b)
+
+diff --git a/Xext/vidmode.c b/Xext/vidmode.c
+index ea3ad13..76055c8 100644
+--- Xext/vidmode.c
++++ Xext/vidmode.c
+@@ -454,6 +454,20 @@ ProcVidModeAddModeLine(ClientPtr client)
+     DEBUG_P("XF86VidModeAddModeline");
+ 
+     ver = ClientMajorVersion(client);
++
++    if (ver < 2) {
++        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq);
++        len =
++            client->req_len -
++            bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq));
++    }
++    else {
++        REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq);
++        len =
++            client->req_len -
++            bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq));
++    }
++
+     if (ver < 2) {
+         /* convert from old format */
+         stuff = &newstuff;
+@@ -501,18 +515,6 @@ ProcVidModeAddModeLine(ClientPtr client)
+            stuff->after_vsyncend, stuff->after_vtotal,
+            (unsigned long) stuff->after_flags);
+ 
+-    if (ver < 2) {
+-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq);
+-        len =
+-            client->req_len -
+-            bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq));
+-    }
+-    else {
+-        REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq);
+-        len =
+-            client->req_len -
+-            bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq));
+-    }
+     if (len != stuff->privsize)
+         return BadLength;
+ 
+@@ -622,6 +624,20 @@ ProcVidModeDeleteModeLine(ClientPtr client)
+     DEBUG_P("XF86VidModeDeleteModeline");
+ 
+     ver = ClientMajorVersion(client);
++
++    if (ver < 2) {
++        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq);
++        len =
++            client->req_len -
++            bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq));
++    }
++    else {
++        REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq);
++        len =
++            client->req_len -
++            bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq));
++    }
++
+     if (ver < 2) {
+         /* convert from old format */
+         stuff = &newstuff;
+@@ -649,18 +665,6 @@ ProcVidModeDeleteModeLine(ClientPtr client)
+            stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal,
+            (unsigned long) stuff->flags);
+ 
+-    if (ver < 2) {
+-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq);
+-        len =
+-            client->req_len -
+-            bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq));
+-    }
+-    else {
+-        REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq);
+-        len =
+-            client->req_len -
+-            bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq));
+-    }
+     if (len != stuff->privsize) {
+         DebugF("req_len = %ld, sizeof(Req) = %d, privsize = %ld, "
+                "len = %d, length = %d\n",
+@@ -744,6 +748,20 @@ ProcVidModeModModeLine(ClientPtr client)
+     DEBUG_P("XF86VidModeModModeline");
+ 
+     ver = ClientMajorVersion(client);
++
++    if (ver < 2) {
++        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq);
++        len =
++            client->req_len -
++            bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq));
++    }
++    else {
++        REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq);
++        len =
++            client->req_len -
++            bytes_to_int32(sizeof(xXF86VidModeModModeLineReq));
++    }
++
+     if (ver < 2) {
+         /* convert from old format */
+         stuff = &newstuff;
+@@ -768,18 +786,6 @@ ProcVidModeModModeLine(ClientPtr client)
+            stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend,
+            stuff->vtotal, (unsigned long) stuff->flags);
+ 
+-    if (ver < 2) {
+-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq);
+-        len =
+-            client->req_len -
+-            bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq));
+-    }
+-    else {
+-        REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq);
+-        len =
+-            client->req_len -
+-            bytes_to_int32(sizeof(xXF86VidModeModModeLineReq));
+-    }
+     if (len != stuff->privsize)
+         return BadLength;
+ 
+@@ -877,6 +883,19 @@ ProcVidModeValidateModeLine(ClientPtr client)
+     DEBUG_P("XF86VidModeValidateModeline");
+ 
+     ver = ClientMajorVersion(client);
++
++    if (ver < 2) {
++        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq);
++        len = client->req_len -
++            bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq));
++    }
++    else {
++        REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq);
++        len =
++            client->req_len -
++            bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq));
++    }
++
+     if (ver < 2) {
+         /* convert from old format */
+         stuff = &newstuff;
+@@ -905,17 +924,6 @@ ProcVidModeValidateModeLine(ClientPtr client)
+            stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal,
+            (unsigned long) stuff->flags);
+ 
+-    if (ver < 2) {
+-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq);
+-        len = client->req_len -
+-            bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq));
+-    }
+-    else {
+-        REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq);
+-        len =
+-            client->req_len -
+-            bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq));
+-    }
+     if (len != stuff->privsize)
+         return BadLength;
+ 
+@@ -1027,6 +1035,20 @@ ProcVidModeSwitchToMode(ClientPtr client)
+     DEBUG_P("XF86VidModeSwitchToMode");
+ 
+     ver = ClientMajorVersion(client);
++
++    if (ver < 2) {
++        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq);
++        len =
++            client->req_len -
++            bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq));
++    }
++    else {
++        REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq);
++        len =
++            client->req_len -
++            bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq));
++    }
++
+     if (ver < 2) {
+         /* convert from old format */
+         stuff = &newstuff;
+@@ -1055,18 +1077,6 @@ ProcVidModeSwitchToMode(ClientPtr client)
+            stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal,
+            (unsigned long) stuff->flags);
+ 
+-    if (ver < 2) {
+-        REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq);
+-        len =
+-            client->req_len -
+-            bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq));
+-    }
+-    else {
+-        REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq);
+-        len =
+-            client->req_len -
+-            bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq));
+-    }
+     if (len != stuff->privsize)
+         return BadLength;
+ 
+@@ -1457,6 +1467,7 @@ ProcVidModeSetGammaRamp(ClientPtr client)
+     VidModePtr pVidMode;
+ 
+     REQUEST(xXF86VidModeSetGammaRampReq);
++    REQUEST_AT_LEAST_SIZE(xXF86VidModeSetGammaRampReq);
+ 
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+diff --git a/hw/xfree86/common/xf86DGA.c b/hw/xfree86/common/xf86DGA.c
+index c689dcb..039f38d 100644
+--- hw/xfree86/common/xf86DGA.c
++++ hw/xfree86/common/xf86DGA.c
+@@ -1272,13 +1272,14 @@ ProcXDGAOpenFramebuffer(ClientPtr client)
+     char *deviceName;
+     int nameSize;
+ 
++    REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (!DGAAvailable(stuff->screen))
+         return DGAErrorBase + XF86DGANoDirectVideoMode;
+ 
+-    REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq);
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.sequenceNumber = client->sequence;
+@@ -1305,14 +1306,14 @@ ProcXDGACloseFramebuffer(ClientPtr client)
+ {
+     REQUEST(xXDGACloseFramebufferReq);
+ 
++    REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (!DGAAvailable(stuff->screen))
+         return DGAErrorBase + XF86DGANoDirectVideoMode;
+ 
+-    REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq);
+-
+     DGACloseFramebuffer(stuff->screen);
+ 
+     return Success;
+@@ -1328,10 +1329,11 @@ ProcXDGAQueryModes(ClientPtr client)
+     xXDGAModeInfo info;
+     XDGAModePtr mode;
+ 
++    REQUEST_SIZE_MATCH(xXDGAQueryModesReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+-    REQUEST_SIZE_MATCH(xXDGAQueryModesReq);
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.number = 0;
+@@ -1443,11 +1445,12 @@ ProcXDGASetMode(ClientPtr client)
+     ClientPtr owner;
+     int size;
+ 
++    REQUEST_SIZE_MATCH(xXDGASetModeReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+     owner = DGA_GETCLIENT(stuff->screen);
+ 
+-    REQUEST_SIZE_MATCH(xXDGASetModeReq);
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.offset = 0;
+@@ -1533,14 +1536,14 @@ ProcXDGASetViewport(ClientPtr client)
+ {
+     REQUEST(xXDGASetViewportReq);
+ 
++    REQUEST_SIZE_MATCH(xXDGASetViewportReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXDGASetViewportReq);
+-
+     DGASetViewport(stuff->screen, stuff->x, stuff->y, stuff->flags);
+ 
+     return Success;
+@@ -1554,14 +1557,14 @@ ProcXDGAInstallColormap(ClientPtr client)
+ 
+     REQUEST(xXDGAInstallColormapReq);
+ 
++    REQUEST_SIZE_MATCH(xXDGAInstallColormapReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXDGAInstallColormapReq);
+-
+     rc = dixLookupResourceByType((void **) &cmap, stuff->cmap, RT_COLORMAP,
+                                  client, DixInstallAccess);
+     if (rc != Success)
+@@ -1575,14 +1578,14 @@ ProcXDGASelectInput(ClientPtr client)
+ {
+     REQUEST(xXDGASelectInputReq);
+ 
++    REQUEST_SIZE_MATCH(xXDGASelectInputReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXDGASelectInputReq);
+-
+     if (DGA_GETCLIENT(stuff->screen) == client)
+         DGASelectInput(stuff->screen, client, stuff->mask);
+ 
+@@ -1594,14 +1597,14 @@ ProcXDGAFillRectangle(ClientPtr client)
+ {
+     REQUEST(xXDGAFillRectangleReq);
+ 
++    REQUEST_SIZE_MATCH(xXDGAFillRectangleReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXDGAFillRectangleReq);
+-
+     if (Success != DGAFillRect(stuff->screen, stuff->x, stuff->y,
+                                stuff->width, stuff->height, stuff->color))
+         return BadMatch;
+@@ -1614,14 +1617,14 @@ ProcXDGACopyArea(ClientPtr client)
+ {
+     REQUEST(xXDGACopyAreaReq);
+ 
++    REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
+-
+     if (Success != DGABlitRect(stuff->screen, stuff->srcx, stuff->srcy,
+                                stuff->width, stuff->height, stuff->dstx,
+                                stuff->dsty))
+@@ -1635,14 +1638,14 @@ ProcXDGACopyTransparentArea(ClientPtr client)
+ {
+     REQUEST(xXDGACopyTransparentAreaReq);
+ 
++    REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
+-
+     if (Success != DGABlitTransRect(stuff->screen, stuff->srcx, stuff->srcy,
+                                     stuff->width, stuff->height, stuff->dstx,
+                                     stuff->dsty, stuff->key))
+@@ -1657,13 +1660,14 @@ ProcXDGAGetViewportStatus(ClientPtr client)
+     REQUEST(xXDGAGetViewportStatusReq);
+     xXDGAGetViewportStatusReply rep;
+ 
++    REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq);
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.sequenceNumber = client->sequence;
+@@ -1680,13 +1684,14 @@ ProcXDGASync(ClientPtr client)
+     REQUEST(xXDGASyncReq);
+     xXDGASyncReply rep;
+ 
++    REQUEST_SIZE_MATCH(xXDGASyncReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXDGASyncReq);
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.sequenceNumber = client->sequence;
+@@ -1725,13 +1730,14 @@ ProcXDGAChangePixmapMode(ClientPtr client)
+     xXDGAChangePixmapModeReply rep;
+     int x, y;
+ 
++    REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.sequenceNumber = client->sequence;
+@@ -1755,14 +1761,14 @@ ProcXDGACreateColormap(ClientPtr client)
+     REQUEST(xXDGACreateColormapReq);
+     int result;
+ 
++    REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
+-
+     if (!stuff->mode)
+         return BadValue;
+ 
+@@ -1791,10 +1797,11 @@ ProcXF86DGAGetVideoLL(ClientPtr client)
+     int num, offset, flags;
+     char *name;
+ 
++    REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+-    REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq);
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.sequenceNumber = client->sequence;
+@@ -1831,9 +1838,10 @@ ProcXF86DGADirectVideo(ClientPtr client)
+ 
+     REQUEST(xXF86DGADirectVideoReq);
+ 
++    REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+-    REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq);
+ 
+     if (!DGAAvailable(stuff->screen))
+         return DGAErrorBase + XF86DGANoDirectVideoMode;
+@@ -1889,10 +1897,11 @@ ProcXF86DGAGetViewPortSize(ClientPtr client)
+     REQUEST(xXF86DGAGetViewPortSizeReq);
+     xXF86DGAGetViewPortSizeReply rep;
+ 
++    REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+-    REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq);
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.sequenceNumber = client->sequence;
+@@ -1917,14 +1926,14 @@ ProcXF86DGASetViewPort(ClientPtr client)
+ {
+     REQUEST(xXF86DGASetViewPortReq);
+ 
++    REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq);
+-
+     if (!DGAAvailable(stuff->screen))
+         return DGAErrorBase + XF86DGANoDirectVideoMode;
+ 
+@@ -1944,10 +1953,11 @@ ProcXF86DGAGetVidPage(ClientPtr client)
+     REQUEST(xXF86DGAGetVidPageReq);
+     xXF86DGAGetVidPageReply rep;
+ 
++    REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+-    REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq);
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.sequenceNumber = client->sequence;
+@@ -1962,11 +1972,11 @@ ProcXF86DGASetVidPage(ClientPtr client)
+ {
+     REQUEST(xXF86DGASetVidPageReq);
+ 
++    REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+-    REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq);
+-
+     /* silently fail */
+ 
+     return Success;
+@@ -1980,14 +1990,14 @@ ProcXF86DGAInstallColormap(ClientPtr client)
+ 
+     REQUEST(xXF86DGAInstallColormapReq);
+ 
++    REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq);
+-
+     if (!DGAActive(stuff->screen))
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+@@ -2008,10 +2018,11 @@ ProcXF86DGAQueryDirectVideo(ClientPtr client)
+     REQUEST(xXF86DGAQueryDirectVideoReq);
+     xXF86DGAQueryDirectVideoReply rep;
+ 
++    REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+-    REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq);
+     rep.type = X_Reply;
+     rep.length = 0;
+     rep.sequenceNumber = client->sequence;
+@@ -2030,14 +2041,14 @@ ProcXF86DGAViewPortChanged(ClientPtr client)
+     REQUEST(xXF86DGAViewPortChangedReq);
+     xXF86DGAViewPortChangedReply rep;
+ 
++    REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq);
++
+     if (stuff->screen >= screenInfo.numScreens)
+         return BadValue;
+ 
+     if (DGA_GETCLIENT(stuff->screen) != client)
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+-    REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq);
+-
+     if (!DGAActive(stuff->screen))
+         return DGAErrorBase + XF86DGADirectNotActivated;
+ 
+diff --git a/hw/xfree86/dri/xf86dri.c b/hw/xfree86/dri/xf86dri.c
+index 68f8b7e..65f368e 100644
+--- hw/xfree86/dri/xf86dri.c
++++ hw/xfree86/dri/xf86dri.c
+@@ -570,6 +570,7 @@ static int
+ SProcXF86DRIQueryDirectRenderingCapable(register ClientPtr client)
+ {
+     REQUEST(xXF86DRIQueryDirectRenderingCapableReq);
++    REQUEST_SIZE_MATCH(xXF86DRIQueryDirectRenderingCapableReq);
+     swaps(&stuff->length);
+     swapl(&stuff->screen);
+     return ProcXF86DRIQueryDirectRenderingCapable(client);
+-- 
+cgit v0.10.2
+

Copied: branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-1218y (from r452027, head/x11-servers/xorg-server/files/patch-CVE-2017-1218y)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2017Q4/x11-servers/xorg-server/files/patch-CVE-2017-1218y	Sat Dec  9 16:59:14 2017	(r455866, copy of r452027, head/x11-servers/xorg-server/files/patch-CVE-2017-1218y)
@@ -0,0 +1,139 @@
+From c206f36a4b6ecf2555ab2291c349ab7d7d0b02f5 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Fri, 9 Jan 2015 09:57:23 -0500
+Subject: Unvalidated lengths
+
+v2: Add overflow check and remove unnecessary check (Julien Cristau)
+
+This addresses:
+CVE-2017-12184 in XINERAMA
+CVE-2017-12185 in MIT-SCREEN-SAVER
+CVE-2017-12186 in X-Resource
+CVE-2017-12187 in RENDER
+
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+(cherry picked from commit cad5a1050b7184d828aef9c1dd151c3ab649d37e)
+
+diff --git a/Xext/panoramiX.c b/Xext/panoramiX.c
+index 209df29..844ea49 100644
+--- Xext/panoramiX.c
++++ Xext/panoramiX.c
+@@ -988,10 +988,11 @@ ProcPanoramiXGetScreenSize(ClientPtr client)
+     xPanoramiXGetScreenSizeReply rep;
+     int rc;
+ 
++    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
++
+     if (stuff->screen >= PanoramiXNumScreens)
+         return BadMatch;
+ 
+-    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+     rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
+     if (rc != Success)
+         return rc;
+diff --git a/Xext/saver.c b/Xext/saver.c
+index 750b8b9..45ac4d2 100644
+--- Xext/saver.c
++++ Xext/saver.c
+@@ -1185,6 +1185,8 @@ ProcScreenSaverUnsetAttributes(ClientPtr client)
+         PanoramiXRes *draw;
+         int rc, i;
+ 
++        REQUEST_SIZE_MATCH(xScreenSaverUnsetAttributesReq);
++
+         rc = dixLookupResourceByClass((void **) &draw, stuff->drawable,
+                                       XRC_DRAWABLE, client, DixWriteAccess);
+         if (rc != Success)
+diff --git a/Xext/xres.c b/Xext/xres.c
+index ae779df..bc54133 100644
+--- Xext/xres.c
++++ Xext/xres.c
+@@ -947,6 +947,8 @@ ProcXResQueryResourceBytes (ClientPtr client)
+     ConstructResourceBytesCtx    ctx;
+ 
+     REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
++    if (stuff->numSpecs > UINT32_MAX / sizeof(ctx.specs[0]))
++        return BadLength;
+     REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
+                        stuff->numSpecs * sizeof(ctx.specs[0]));
+ 
+@@ -1052,8 +1054,8 @@ SProcXResQueryResourceBytes (ClientPtr client)
+     int c;
+     xXResResourceIdSpec *specs = (void*) ((char*) stuff + sizeof(*stuff));
+ 
+-    swapl(&stuff->numSpecs);
+     REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
++    swapl(&stuff->numSpecs);
+     REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
+                        stuff->numSpecs * sizeof(specs[0]));
+ 
+diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c
+index 8a35b7b..4d412b8 100644
+--- Xext/xvdisp.c
++++ Xext/xvdisp.c
+@@ -1493,12 +1493,14 @@ XineramaXvShmPutImage(ClientPtr client)
+ {
+     REQUEST(xvShmPutImageReq);
+     PanoramiXRes *draw, *gc, *port;
+-    Bool send_event = stuff->send_event;
++    Bool send_event;
+     Bool isRoot;
+     int result, i, x, y;
+ 
+     REQUEST_SIZE_MATCH(xvShmPutImageReq);
+ 
++    send_event = stuff->send_event;
++

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201712091659.vB9GxFBc027270>