[X2Go-Commits] [nx-libs] 05/05: 40 patches, fixing several X.Org CVEs in NX.
git-admin at x2go.org
git-admin at x2go.org
Sat Feb 14 17:47:28 CET 2015
This is an automated email from the git hooks/post-receive script.
x2go pushed a commit to branch 3.5.0.x
in repository nx-libs.
commit 4587881130db36125c6b800e8f7e3fa0a3c5c9fb
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date: Sat Feb 14 16:40:07 2015 +0100
40 patches, fixing several X.Org CVEs in NX.
* Security fixes:
- Rebase loads of X.Org patches (mainly from RHEL-5) against NX. If not
all patches from a CVE patch series appear here, then it means that
the affected file/code is not used in NX at build time.
- X.Org CVE-2011-2895:
1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch
- X.Org CVE-2011-4028:
1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch
- X.Org CVE-2013-4396:
1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch
- X.Org CVE-2013-6462:
1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch
- X.Org CVE-2014-0209:
1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch
1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch
- X.Org CVE-2014-0210:
1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch
1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch
1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch
1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch
1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch
1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
- X.Org CVE-2014-0211:
1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch
1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch
1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch
1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch
- X.Org CVE-2014-8092:
1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch
1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch
1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch
1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch
- X.Org CVE-2014-8097:
1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch
- X.Org CVE-2014-8095:
1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch
- X.Org CVE-2014-8096:
1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch
- X.Org CVE-2014-8099:
1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch
- X.Org CVE-2014-8100:
1027-render-check-request-size-before-reading-it-CVE-2014.patch
1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch
- X.Org CVE-2014-8102:
1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch
- X.Org CVE-2014-8101:
1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch
- X.Org CVE-2014-8093:
1031-glx-Be-more-paranoid-about-variable-length-requests-.patch
1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch
1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch
1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch
1036-glx-Integer-overflow-protection-for-non-generated-re.patch
- X.Org CVE-2014-8098:
1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch
1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch
1038-glx-Length-checking-for-non-generated-single-request.patch
1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch
1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
- Security fixes with no assigned CVE:
1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch
---
debian/changelog | 67 +++
...ess-fix-for-CVE-2011-2895-From-xorg-lib-X.patch | 29 +
...1-4028-File-disclosure-vulnerability.-ups.patch | 29 +
...fter-free-in-dix-dixfonts.c-doImageText-C.patch | 74 +++
...62-unlimited-sscanf-overflows-stack-buffe.patch | 30 +
...09-integer-overflow-of-realloc-size-in-Fo.patch | 43 ++
...09-integer-overflow-of-realloc-size-in-le.patch | 46 ++
...10-unvalidated-length-in-_fs_recv_conn_se.patch | 73 +++
...-when-we-receive-an-FS_Error-from-the-fon.patch | 27 +
...10-unvalidated-lengths-when-reading-repli.patch | 158 +++++
...11-Integer-overflow-in-fs_get_reply-_fs_s.patch | 65 ++
...10-unvalidated-length-fields-in-fs_read_q.patch | 137 +++++
...11-integer-overflow-in-fs_read_extent_inf.patch | 48 ++
...11-integer-overflow-in-fs_alloc_glyphs-fr.patch | 34 ++
...10-unvalidated-length-fields-in-fs_read_e.patch | 38 ++
...10-unvalidated-length-fields-in-fs_read_g.patch | 75 +++
...10-unvalidated-length-fields-in-fs_read_l.patch | 61 ++
...10-unvalidated-length-fields-in-fs_read_l.patch | 112 ++++
...alloc-may-allow-unauthed-client-to-crash-.patch | 43 ++
...-overflow-in-ProcPutImage-CVE-2014-8092-1.patch | 42 ++
...er-overflow-in-GetHosts-CVE-2014-8092-2-4.patch | 53 ++
...-overflow-in-RegionSizeof-CVE-2014-8092-3.patch | 205 +++++++
...-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch | 46 ++
...ated-lengths-in-DbeSwapBuffers-calls-CVE-.patch | 80 +++
...ted-lengths-in-Xinput-extension-CVE-2014-.patch | 114 ++++
...lidated-length-in-SProcXCMiscGetXIDList-C.patch | 29 +
...ted-lengths-in-XVideo-extension-swapped-p.patch | 184 ++++++
...k-request-size-before-reading-it-CVE-2014.patch | 40 ++
...lidated-lengths-in-Render-extn.-swapped-p.patch | 146 +++++
...lidated-length-in-SProcXFixesSelectSelect.patch | 32 +
...idated-lengths-in-RandR-extension-swapped.patch | 45 ++
...-paranoid-about-variable-length-requests-.patch | 76 +++
...-strict-about-rejecting-invalid-image-siz.patch | 163 +++++
...nal-paranoia-in-__glXGetAnswerBuffer-__GL.patch | 41 ++
...safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch | 96 +++
...checking-for-GLXRender-requests-v2-CVE-20.patch | 132 +++++
...-overflow-protection-for-non-generated-re.patch | 215 +++++++
...el-length-checking-for-swapped-VendorPriv.patch | 53 ++
...checking-for-non-generated-single-request.patch | 413 +++++++++++++
...checking-for-RenderLarge-requests-v2-CVE-.patch | 290 +++++++++
...maining-request-length-into-varsize-v2-CV.patch | 622 ++++++++++++++++++++
debian/patches/series | 40 ++
42 files changed, 4346 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 6d3a9f1..a85cdec 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -121,6 +121,73 @@ nx-libs (2:3.5.0.29-0x2go2) UNRELEASED; urgency=medium
launched as x2goagent, use X2Go-specific paths for the keystrokes.cfg file.
(Fixes: #744).
+ [ Michael DePaulo ]
+ * Security fixes:
+ - Rebase loads of X.Org patches (mainly from RHEL-5) against NX. If not
+ all patches from a CVE patch series appear here, then it means that
+ the affected file/code is not used in NX at build time.
+
+ - X.Org CVE-2011-2895:
+ 1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch
+ - X.Org CVE-2011-4028:
+ 1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch
+ - X.Org CVE-2013-4396:
+ 1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch
+ - X.Org CVE-2013-6462:
+ 1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch
+ - X.Org CVE-2014-0209:
+ 1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch
+ 1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch
+ - X.Org CVE-2014-0210:
+ 1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch
+ 1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch
+ 1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch
+ 1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch
+ 1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch
+ 1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
+ 1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
+ - X.Org CVE-2014-0211:
+ 1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch
+ 1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch
+ 1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch
+ 1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch
+ - X.Org CVE-2014-8092:
+ 1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch
+ 1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch
+ 1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch
+ 1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch
+ - X.Org CVE-2014-8097:
+ 1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch
+ - X.Org CVE-2014-8095:
+ 1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch
+ - X.Org CVE-2014-8096:
+ 1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch
+ - X.Org CVE-2014-8099:
+ 1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch
+ - X.Org CVE-2014-8100:
+ 1027-render-check-request-size-before-reading-it-CVE-2014.patch
+ 1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch
+ - X.Org CVE-2014-8102:
+ 1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch
+ - X.Org CVE-2014-8101:
+ 1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch
+ - X.Org CVE-2014-8093:
+ 1031-glx-Be-more-paranoid-about-variable-length-requests-.patch
+ 1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch
+ 1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch
+ 1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch
+ 1036-glx-Integer-overflow-protection-for-non-generated-re.patch
+ - X.Org CVE-2014-8098:
+ 1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch
+ 1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch
+ 1038-glx-Length-checking-for-non-generated-single-request.patch
+ 1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch
+ 1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
+
+ - Security fixes with no assigned CVE:
+ 1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch
+
+
[ Mihai Moldovan ]
* Change string "X2go" to "X2Go" where appropriate.
diff --git a/debian/patches/1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch b/debian/patches/1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch
new file mode 100644
index 0000000..162bb21
--- /dev/null
+++ b/debian/patches/1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch
@@ -0,0 +1,29 @@
+From af55da1e9c1a6a352b24823a8f7062c288ffbbc0 Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333 at gmail.com>
+Date: Sun, 8 Feb 2015 19:15:20 -0500
+Subject: [PATCH 01/40] LZW decompress: fix for CVE-2011-2895 From
+ xorg/lib/Xfont commit d11ee5886e9d9ec610051a206b135a4cdc1e09a0
+
+ Specially crafted LZW stream can crash an application using libXfont
+ that is used to open untrusted font files. With X server, this may
+ allow privilege escalation when exploited
+---
+ nx-X11/lib/font/fontfile/decompress.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/nx-X11/lib/font/fontfile/decompress.c b/nx-X11/lib/font/fontfile/decompress.c
+index a4c5468..553b315 100644
+--- a/nx-X11/lib/font/fontfile/decompress.c
++++ b/nx-X11/lib/font/fontfile/decompress.c
+@@ -261,6 +261,8 @@ BufCompressedFill (BufFilePtr f)
+ */
+ while ( code >= 256 )
+ {
++ if (stackp - de_stack >= STACK_SIZE - 1)
++ return BUFFILEEOF;
+ *stackp++ = file->tab_suffix[code];
+ code = file->tab_prefix[code];
+ }
+--
+2.1.4
+
diff --git a/debian/patches/1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch b/debian/patches/1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch
new file mode 100644
index 0000000..a5437ca
--- /dev/null
+++ b/debian/patches/1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch
@@ -0,0 +1,29 @@
+From df4a3b7270539843ae76275485ca76efcdf361d9 Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333 at gmail.com>
+Date: Sun, 8 Feb 2015 19:16:38 -0500
+Subject: [PATCH 02/40] Fix CVE-2011-4028: File disclosure vulnerability.
+ upstream xorg/xserver commit 6ba44b91e37622ef8c146d8f2ac92d708a18ed34
+
+use O_NOFOLLOW to open the existing lock file, so symbolic links
+aren't followed, thus avoid revealing if it point to an existing
+file.
+---
+ nx-X11/programs/Xserver/os/utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/nx-X11/programs/Xserver/os/utils.c b/nx-X11/programs/Xserver/os/utils.c
+index 9b2431a..79e49d5 100644
+--- a/nx-X11/programs/Xserver/os/utils.c
++++ b/nx-X11/programs/Xserver/os/utils.c
+@@ -483,7 +483,7 @@ LockServer(void)
+ /*
+ * Read the pid from the existing file
+ */
+- lfd = open(LockFile, O_RDONLY);
++ lfd = open(LockFile, O_RDONLY|O_NOFOLLOW);
+ if (lfd < 0) {
+ unlink(tmp);
+ FatalError("Can't read lock file %s\n", LockFile);
+--
+2.1.4
+
diff --git a/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch b/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch
new file mode 100644
index 0000000..8cb1d0d
--- /dev/null
+++ b/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch
@@ -0,0 +1,74 @@
+From 72790a55862f9a2232ba0cd7b072bbe3887cd820 Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333 at gmail.com>
+Date: Sun, 8 Feb 2015 20:01:27 -0500
+Subject: [PATCH 03/40] Avoid use-after-free in dix/dixfonts.c: doImageText()
+ [CVE-2013-4396] from xorg/Xserver
+ http://lists.x.org/archives/xorg-announce/2013-October/002332.html
+
+Save a pointer to the passed in closure structure before copying it
+and overwriting the *c pointer to point to our copy instead of the
+original. If we hit an error, once we free(c), reset c to point to
+the original structure before jumping to the cleanup code that
+references *c.
+
+Since one of the errors being checked for is whether the server was
+able to malloc(c->nChars * itemSize), the client can potentially pass
+a number of characters chosen to cause the malloc to fail and the
+error path to be taken, resulting in the read from freed memory.
+
+Since the memory is accessed almost immediately afterwards, and the
+X server is mostly single threaded, the odds of the free memory having
+invalid contents are low with most malloc implementations when not using
+memory debugging features, but some allocators will definitely overwrite
+the memory there, leading to a likely crash.
+---
+ nx-X11/programs/Xserver/dix/dixfonts.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/nx-X11/programs/Xserver/dix/dixfonts.c b/nx-X11/programs/Xserver/dix/dixfonts.c
+index 193f555..42fd647 100644
+--- a/nx-X11/programs/Xserver/dix/dixfonts.c
++++ b/nx-X11/programs/Xserver/dix/dixfonts.c
+@@ -1559,6 +1559,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
+ GC *pGC;
+ unsigned char *data;
+ ITclosurePtr new_closure;
++ ITclosurePtr old_closure;
+
+ /* We're putting the client to sleep. We need to
+ save some state. Similar problem to that handled
+@@ -1571,6 +1572,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
+ err = BadAlloc;
+ goto bail;
+ }
++ old_closure = c;
+ *new_closure = *c;
+ c = new_closure;
+
+@@ -1578,6 +1580,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
+ if (!data)
+ {
+ xfree(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1589,6 +1592,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
+ {
+ xfree(c->data);
+ xfree(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1602,6 +1606,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
+ FreeScratchGC(pGC);
+ xfree(c->data);
+ xfree(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+--
+2.1.4
+
diff --git a/debian/patches/1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch b/debian/patches/1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch
new file mode 100644
index 0000000..1cc44d0
--- /dev/null
+++ b/debian/patches/1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch
@@ -0,0 +1,30 @@
+From ac6694378e0ed4bdffa6e1318c9d4beda24a6b0e Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333 at gmail.com>
+Date: Sun, 8 Feb 2015 20:12:25 -0500
+Subject: [PATCH 04/40] CVE-2013-6462: unlimited sscanf overflows stack buffer
+ in bdfReadCharacters() from xorg/lib/libXfont
+ http://lists.x.org/archives/xorg-announce/2014-January/002389.html
+
+Fixes cppcheck warning:
+ [lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
+ scanf without field width limits can crash with huge input data.
+---
+ nx-X11/lib/font/bitmap/bdfread.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/nx-X11/lib/font/bitmap/bdfread.c b/nx-X11/lib/font/bitmap/bdfread.c
+index a6f0c1e..bccabd7 100644
+--- a/nx-X11/lib/font/bitmap/bdfread.c
++++ b/nx-X11/lib/font/bitmap/bdfread.c
+@@ -344,7 +344,7 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
+ char charName[100];
+ int ignore;
+
+- if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
++ if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) {
+ bdfError("bad character name in BDF file\n");
+ goto BAILOUT; /* bottom of function, free and return error */
+ }
+--
+2.1.4
+
diff --git a/debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch b/debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch
new file mode 100644
index 0000000..8097e30
--- /dev/null
+++ b/debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch
@@ -0,0 +1,43 @@
+From f53f2474d5d33cca04c4c7744ecc50cec41ba94f Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333 at gmail.com>
+Date: Sun, 8 Feb 2015 20:28:30 -0500
+Subject: [PATCH 05/40] CVE-2014-0209: integer overflow of realloc() size in
+ FontFileAddEntry() from xorg/lib/libXfont commit
+ 2f5e57317339c526e6eaee1010b0e2ab8089c42e
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+FontFileReadDirectory() opens a fonts.dir file, and reads over every
+line in an fscanf loop. For each successful entry read (font name,
+file name) a call is made to FontFileAddFontFile().
+
+FontFileAddFontFile() will add a font file entry (for the font name
+and file) each time it’s called, by calling FontFileAddEntry().
+FontFileAddEntry() will do the actual adding. If the table it has
+to add to is full, it will do a realloc, adding 100 more entries
+to the table size without checking to see if that will overflow the
+int used to store the size.
+---
+ nx-X11/lib/font/fontfile/fontdir.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/nx-X11/lib/font/fontfile/fontdir.c b/nx-X11/lib/font/fontfile/fontdir.c
+index 8f75d8b..899ff05 100644
+--- a/nx-X11/lib/font/fontfile/fontdir.c
++++ b/nx-X11/lib/font/fontfile/fontdir.c
+@@ -185,6 +185,11 @@ FontFileAddEntry(FontTablePtr table, FontEntryPtr prototype)
+ if (table->sorted)
+ return (FontEntryPtr) 0; /* "cannot" happen */
+ if (table->used == table->size) {
++ if (table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100))
++ /* If we've read so many entries we're going to ask for 2gb
++ or more of memory, something is so wrong with this font
++ directory that we should just give up before we overflow. */
++ return NULL;
+ newsize = table->size + 100;
+ entry = (FontEntryPtr) xrealloc(table->entries,
+ newsize * sizeof(FontEntryRec));
+--
+2.1.4
+
diff --git a/debian/patches/1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch b/debian/patches/1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch
new file mode 100644
index 0000000..522a967
--- /dev/null
+++ b/debian/patches/1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch
@@ -0,0 +1,46 @@
+From 36f1dae749acb065eaefca56d42d19ef6822a001 Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333 at gmail.com>
+Date: Sun, 8 Feb 2015 20:53:14 -0500
+Subject: [PATCH 06/40] CVE-2014-0209: integer overflow of realloc() size in
+ lexAlias() from xorg/lib/libXfont commit
+ 05c8020a49416dd8b7510cbba45ce4f3fc81a7dc
+
+lexAlias() reads from a file in a loop. It does this by starting with a
+64 byte buffer. If that size limit is hit, it does a realloc of the
+buffer size << 1, basically doubling the needed length every time the
+length limit is hit.
+
+Eventually, this will shift out to 0 (for a length of ~4gig), and that
+length will be passed on to realloc(). A length of 0 (with a valid
+pointer) causes realloc to free the buffer on most POSIX platforms,
+but the caller will still have a pointer to it, leading to use after
+free issues.
+---
+ nx-X11/lib/font/fontfile/dirfile.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/nx-X11/lib/font/fontfile/dirfile.c b/nx-X11/lib/font/fontfile/dirfile.c
+index f390391..3a2fead 100644
+--- a/nx-X11/lib/font/fontfile/dirfile.c
++++ b/nx-X11/lib/font/fontfile/dirfile.c
+@@ -45,6 +45,7 @@ in this Software without prior written authorization from The Open Group.
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <errno.h>
++#include <limits.h>
+
+ static Bool AddFileNameAliases ( FontDirectoryPtr dir );
+ static int ReadFontAlias ( char *directory, Bool isFile,
+@@ -373,6 +374,9 @@ lexAlias(FILE *file, char **lexToken)
+ int nsize;
+ char *nbuf;
+
++ if (tokenSize >= (INT_MAX >> 2))
++ /* Stop before we overflow */
++ return EALLOC;
+ nsize = tokenSize ? (tokenSize << 1) : 64;
+ nbuf = (char *) xrealloc(tokenBuf, nsize);
+ if (!nbuf)
+--
+2.1.4
+
diff --git a/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch b/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch
new file mode 100644
index 0000000..b716272
--- /dev/null
+++ b/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch
@@ -0,0 +1,73 @@
+From 94c6de0649cd295044b1e4ff7265949c9c787519 Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333 at gmail.com>
+Date: Sun, 8 Feb 2015 21:03:33 -0500
+Subject: [PATCH 07/40] CVE-2014-0210: unvalidated length in
+ _fs_recv_conn_setup() from xorg/lib/libXfont commit
+ 891e084b26837162b12f841060086a105edde86d
+
+The connection setup reply from the font server can include a list
+of alternate servers to contact if this font server stops working.
+
+The reply specifies a total size of all the font server names, and
+then provides a list of names. _fs_recv_conn_setup() allocated the
+specified total size for copying the names to, but didn't check to
+make sure it wasn't copying more data to that buffer than the size
+it had allocated.
+---
+ nx-X11/lib/font/fc/fserve.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
+index bac0b8e..0fdcc1d 100644
+--- a/nx-X11/lib/font/fc/fserve.c
++++ b/nx-X11/lib/font/fc/fserve.c
+@@ -2782,7 +2782,7 @@ _fs_recv_conn_setup (FSFpePtr conn)
+ int ret;
+ fsConnSetup *setup;
+ FSFpeAltPtr alts;
+- int i, alt_len;
++ unsigned int i, alt_len;
+ int setup_len;
+ char *alt_save, *alt_names;
+
+@@ -2809,9 +2809,9 @@ _fs_recv_conn_setup (FSFpePtr conn)
+ }
+ if (setup->num_alternates)
+ {
++ size_t alt_name_len = setup->alternate_len << 2;
+ alts = (FSFpeAltPtr) xalloc (setup->num_alternates *
+- sizeof (FSFpeAltRec) +
+- (setup->alternate_len << 2));
++ sizeof (FSFpeAltRec) + alt_name_len);
+ if (alts)
+ {
+ alt_names = (char *) (setup + 1);
+@@ -2820,10 +2820,25 @@ _fs_recv_conn_setup (FSFpePtr conn)
+ {
+ alts[i].subset = alt_names[0];
+ alt_len = alt_names[1];
++ if (alt_len >= alt_name_len) {
++ /*
++ * Length is longer than setup->alternate_len
++ * told us to allocate room for, assume entire
++ * alternate list is corrupted.
++ */
++#ifdef DEBUG
++ fprintf (stderr,
++ "invalid alt list (length %lx >= %lx)\n",
++ (long) alt_len, (long) alt_name_len);
++#endif
++ free(alts);
++ return FSIO_ERROR;
++ }
+ alts[i].name = alt_save;
+ memcpy (alt_save, alt_names + 2, alt_len);
+ alt_save[alt_len] = '\0';
+ alt_save += alt_len + 1;
++ alt_name_len -= alt_len + 1;
+ alt_names += _fs_pad_length (alt_len + 2);
+ }
+ conn->numAlts = setup->num_alternates;
+--
+2.1.4
+
diff --git a/debian/patches/1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch b/debian/patches/1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch
new file mode 100644
index 0000000..8e303b3
--- /dev/null
+++ b/debian/patches/1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch
@@ -0,0 +1,27 @@
+From a2c7cd9fef2d7d108e224ab47e77130dc98b249d Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333 at gmail.com>
+Date: Sun, 8 Feb 2015 21:33:30 -0500
+Subject: [PATCH 08/40] Don't crash when we receive an FS_Error from the font
+ server (Guillem Jover). from xorg/lib/libXfont commit
+ bfb8a71f4f7e5c5ed4278cb3ee271bf9990d276d
+
+---
+ nx-X11/lib/font/fc/fserve.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
+index 0fdcc1d..c159b2b 100644
+--- a/nx-X11/lib/font/fc/fserve.c
++++ b/nx-X11/lib/font/fc/fserve.c
+@@ -2366,7 +2366,7 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ _fs_free_props (&binfo->info);
+
+ rep = (fsListFontsWithXInfoReply *) fs_get_reply (conn, &ret);
+- if (rep == 0)
++ if (!rep || rep->type == FS_Error)
+ {
+ if (ret == FSIO_BLOCK)
+ return StillWorking;
+--
+2.1.4
+
diff --git a/debian/patches/1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch b/debian/patches/1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch
new file mode 100644
index 0000000..6b06b86
--- /dev/null
+++ b/debian/patches/1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch
@@ -0,0 +1,158 @@
+From 50e80a06c84375e39af02b24f01a949cb565a49d Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333 at gmail.com>
+Date: Sun, 8 Feb 2015 21:39:55 -0500
+Subject: [PATCH 09/40] CVE-2014-0210: unvalidated lengths when reading replies
+ from font server from xorg/lib/libXfont commit
+ cbb64aef35960b2882be721f4b8fbaa0fb649d12
+
+Functions to handle replies to font server requests were casting replies
+from the generic form to reply specific structs without first checking
+that the reply was at least as long as the struct being cast to.
+---
+ nx-X11/lib/font/fc/fserve.c | 44 ++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 38 insertions(+), 6 deletions(-)
+
+diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
+index c159b2b..ca10aa4 100644
+--- a/nx-X11/lib/font/fc/fserve.c
++++ b/nx-X11/lib/font/fc/fserve.c
+@@ -94,6 +94,12 @@ in this Software without prior written authorization from The Open Group.
+ (pci)->descent || \
+ (pci)->characterWidth)
+
++/*
++ * SIZEOF(r) is in bytes, length fields in the protocol are in 32-bit words,
++ * so this converts for doing size comparisons.
++ */
++#define LENGTHOF(r) (SIZEOF(r) >> 2)
++
+ extern void ErrorF(const char *f, ...);
+
+ static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
+@@ -209,9 +215,22 @@ _fs_add_rep_log (FSFpePtr conn, fsGenericReply *rep)
+ rep->sequenceNumber,
+ conn->reqbuffer[i].opcode);
+ }
++
++#define _fs_reply_failed(rep, name, op) do { \
++ if (rep) { \
++ if (rep->type == FS_Error) \
++ fprintf (stderr, "Error: %d Request: %s\n", \
++ ((fsError *)rep)->request, #name); \
++ else \
++ fprintf (stderr, "Bad Length for %s Reply: %d %s %d\n", \
++ #name, rep->length, op, LENGTHOF(name)); \
++ } \
++} while (0)
++
+ #else
+ #define _fs_add_req_log(conn,op) ((conn)->current_seq++)
+ #define _fs_add_rep_log(conn,rep)
++#define _fs_reply_failed(rep,name,op)
+ #endif
+
+ static Bool
+@@ -693,13 +712,15 @@ fs_read_open_font(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ int ret;
+
+ rep = (fsOpenBitmapFontReply *) fs_get_reply (conn, &ret);
+- if (!rep || rep->type == FS_Error)
++ if (!rep || rep->type == FS_Error ||
++ (rep->length != LENGTHOF(fsOpenBitmapFontReply)))
+ {
+ if (ret == FSIO_BLOCK)
+ return StillWorking;
+ if (rep)
+ _fs_done_read (conn, rep->length << 2);
+ fs_cleanup_bfont (bfont);
++ _fs_reply_failed (rep, fsOpenBitmapFontReply, "!=");
+ return BadFontName;
+ }
+
+@@ -835,13 +856,15 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ int ret;
+
+ rep = (fsQueryXInfoReply *) fs_get_reply (conn, &ret);
+- if (!rep || rep->type == FS_Error)
++ if (!rep || rep->type == FS_Error ||
++ (rep->length < LENGTHOF(fsQueryXInfoReply)))
+ {
+ if (ret == FSIO_BLOCK)
+ return StillWorking;
+ if (rep)
+ _fs_done_read (conn, rep->length << 2);
+ fs_cleanup_bfont (bfont);
++ _fs_reply_failed (rep, fsQueryXInfoReply, "<");
+ return BadFontName;
+ }
+
+@@ -962,13 +985,15 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ FontInfoRec *fi = &bfont->pfont->info;
+
+ rep = (fsQueryXExtents16Reply *) fs_get_reply (conn, &ret);
+- if (!rep || rep->type == FS_Error)
++ if (!rep || rep->type == FS_Error ||
++ (rep->length < LENGTHOF(fsQueryXExtents16Reply)))
+ {
+ if (ret == FSIO_BLOCK)
+ return StillWorking;
+ if (rep)
+ _fs_done_read (conn, rep->length << 2);
+ fs_cleanup_bfont (bfont);
++ _fs_reply_failed (rep, fsQueryXExtents16Reply, "<");
+ return BadFontName;
+ }
+
+@@ -1833,13 +1858,15 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ unsigned long minchar, maxchar;
+
+ rep = (fsQueryXBitmaps16Reply *) fs_get_reply (conn, &ret);
+- if (!rep || rep->type == FS_Error)
++ if (!rep || rep->type == FS_Error ||
++ (rep->length < LENGTHOF(fsQueryXBitmaps16Reply)))
+ {
+ if (ret == FSIO_BLOCK)
+ return StillWorking;
+ if (rep)
+ _fs_done_read (conn, rep->length << 2);
+ err = AllocError;
++ _fs_reply_failed (rep, fsQueryXBitmaps16Reply, "<");
+ goto bail;
+ }
+
+@@ -2243,12 +2270,14 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ int err;
+
+ rep = (fsListFontsReply *) fs_get_reply (conn, &ret);
+- if (!rep || rep->type == FS_Error)
++ if (!rep || rep->type == FS_Error ||
++ (rep->length < LENGTHOF(fsListFontsReply)))
+ {
+ if (ret == FSIO_BLOCK)
+ return StillWorking;
+ if (rep)
+ _fs_done_read (conn, rep->length << 2);
++ _fs_reply_failed (rep, fsListFontsReply, "<");
+ return AllocError;
+ }
+ data = (char *) rep + SIZEOF (fsListFontsReply);
+@@ -2366,12 +2395,15 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ _fs_free_props (&binfo->info);
+
+ rep = (fsListFontsWithXInfoReply *) fs_get_reply (conn, &ret);
+- if (!rep || rep->type == FS_Error)
++ if (!rep || rep->type == FS_Error ||
++ ((rep->nameLength != 0) &&
++ (rep->length < LENGTHOF(fsListFontsWithXInfoReply))))
+ {
+ if (ret == FSIO_BLOCK)
+ return StillWorking;
+ binfo->status = FS_LFWI_FINISHED;
+ err = AllocError;
++ _fs_reply_failed (rep, fsListFontsWithXInfoReply, "<");
+ goto done;
+ }
+ /*
+--
+2.1.4
+
diff --git a/debian/patches/1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch b/debian/patches/1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch
new file mode 100644
index 0000000..ba88342
--- /dev/null
+++ b/debian/patches/1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch
@@ -0,0 +1,65 @@
+From 2d724c1a0416895dd39bf33678f42cbb4c51b1ae Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333 at gmail.com>
+Date: Sun, 8 Feb 2015 21:43:42 -0500
+Subject: [PATCH 10/40] CVE-2014-0211: Integer overflow in
+ fs_get_reply/_fs_start_read from xorg/lib/libXfont commit
+ 0f1a5d372c143f91a602bdf10c917d7eabaee09b
+
+fs_get_reply() would take any reply size, multiply it by 4 and pass to
+_fs_start_read. If that size was bigger than the current reply buffer
+size, _fs_start_read would add it to the existing buffer size plus the
+buffer size increment constant and realloc the buffer to that result.
+
+This math could overflow, causing the code to allocate a smaller
+buffer than the amount it was about to read into that buffer from
+the network. It could also succeed, allowing the remote font server
+to cause massive allocations in the X server, possibly using up all
+the address space in a 32-bit X server, allowing the triggering of
+other bugs in code that fails to handle malloc failure properly.
+
+This patch protects against both problems, by disconnecting any
+font server trying to feed us more than (the somewhat arbitrary)
+64 mb in a single reply.
+---
+ nx-X11/lib/font/fc/fserve.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
+index ca10aa4..7762653 100644
+--- a/nx-X11/lib/font/fc/fserve.c
++++ b/nx-X11/lib/font/fc/fserve.c
+@@ -100,6 +100,9 @@ in this Software without prior written authorization from The Open Group.
+ */
+ #define LENGTHOF(r) (SIZEOF(r) >> 2)
+
++/* Somewhat arbitrary limit on maximum reply size we'll try to read. */
++#define MAX_REPLY_LENGTH ((64 * 1024 * 1024) >> 2)
++
+ extern void ErrorF(const char *f, ...);
+
+ static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
+@@ -630,6 +633,21 @@ fs_get_reply (FSFpePtr conn, int *error)
+
+ rep = (fsGenericReply *) buf;
+
++ /*
++ * Refuse to accept replies longer than a maximum reasonable length,
++ * before we pass to _fs_start_read, since it will try to resize the
++ * incoming connection buffer to this size. Also avoids integer overflow
++ * on 32-bit systems.
++ */
++ if (rep->length > MAX_REPLY_LENGTH)
++ {
++ ErrorF("fserve: reply length %d > MAX_REPLY_LENGTH, disconnecting"
++ " from font server\n", rep->length);
++ _fs_connection_died (conn);
++ *error = FSIO_ERROR;
++ return 0;
++ }
++
+ ret = _fs_start_read (conn, rep->length << 2, &buf);
+ if (ret != FSIO_READY)
+ {
+--
+2.1.4
+
diff --git a/debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch b/debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch
new file mode 100644
index 0000000..96b7b97
--- /dev/null
+++ b/debian/patches/1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch
@@ -0,0 +1,137 @@
+From c6aebf9284855a0e24ad9c5ffdd36aa65e16bec7 Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333 at gmail.com>
+Date: Sun, 8 Feb 2015 22:08:09 -0500
+Subject: [PATCH 11/40] CVE-2014-0210: unvalidated length fields in
+ fs_read_query_info() from xorg/lib/libXfont commit
+ 491291cabf78efdeec8f18b09e14726a9030cc8f
+
+fs_read_query_info() parses a reply from the font server. The reply
+contains embedded length fields, none of which are validated. This
+can cause out of bound reads in either fs_read_query_info() or in
+_fs_convert_props() which it calls to parse the fsPropInfo in the reply.
+---
+ nx-X11/lib/font/fc/fsconvert.c | 19 ++++++++++++++-----
+ nx-X11/lib/font/fc/fserve.c | 40 ++++++++++++++++++++++++++++++++++++++--
+ 2 files changed, 52 insertions(+), 7 deletions(-)
+
+diff --git a/nx-X11/lib/font/fc/fsconvert.c b/nx-X11/lib/font/fc/fsconvert.c
+index 9ff54f5..d41e0b8 100644
+--- a/nx-X11/lib/font/fc/fsconvert.c
++++ b/nx-X11/lib/font/fc/fsconvert.c
+@@ -123,6 +123,10 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
+ for (i = 0; i < nprops; i++, dprop++, is_str++)
+ {
+ memcpy(&local_off, off_adr, SIZEOF(fsPropOffset));
++ if ((local_off.name.position >= pi->data_len) ||
++ (local_off.name.length >
++ (pi->data_len - local_off.name.position)))
++ goto bail;
+ dprop->name = MakeAtom(&pdc[local_off.name.position],
+ local_off.name.length, 1);
+ if (local_off.type != PropTypeString) {
+@@ -130,15 +134,20 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
+ dprop->value = local_off.value.position;
+ } else {
+ *is_str = TRUE;
++ if ((local_off.value.position >= pi->data_len) ||
++ (local_off.value.length >
++ (pi->data_len - local_off.value.position)))
++ goto bail;
+ dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position],
+ local_off.value.length, 1);
+ if (dprop->value == BAD_RESOURCE)
+ {
+- xfree (pfi->props);
+- pfi->nprops = 0;
+- pfi->props = 0;
+- pfi->isStringProp = 0;
+- return -1;
++ bail:
++ xfree (pfi->props);
++ pfi->nprops = 0;
++ pfi->props = 0;
++ pfi->isStringProp = 0;
++ return -1;
+ }
+ }
+ off_adr += SIZEOF(fsPropOffset);
+diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
+index 7762653..2a6f6c9 100644
+--- a/nx-X11/lib/font/fc/fserve.c
++++ b/nx-X11/lib/font/fc/fserve.c
+@@ -865,6 +865,7 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ FSFpePtr conn = (FSFpePtr) fpe->private;
+ fsQueryXInfoReply *rep;
+ char *buf;
++ long bufleft; /* length of reply left to use */
+ fsPropInfo *pi;
+ fsPropOffset *po;
+ pointer pd;
+@@ -895,7 +896,10 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+
+ buf = (char *) rep;
+ buf += SIZEOF(fsQueryXInfoReply);
+-
++
++ bufleft = rep->length << 2;
++ bufleft -= SIZEOF(fsQueryXInfoReply);
++
+ /* move the data over */
+ fsUnpack_XFontInfoHeader(rep, pInfo);
+
+@@ -903,19 +907,51 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ _fs_init_fontinfo(conn, pInfo);
+
+ /* Compute offsets into the reply */
++ if (bufleft < SIZEOF(fsPropInfo))
++ {
++ ret = -1;
++#ifdef DEBUG
++ fprintf(stderr, "fsQueryXInfo: bufleft (%ld) < SIZEOF(fsPropInfo)\n",
++ bufleft);
++#endif
++ goto bail;
++ }
+ pi = (fsPropInfo *) buf;
+ buf += SIZEOF (fsPropInfo);
++ bufleft -= pi->num_offsets * SIZEOF(fsPropOffset);
+
++ if (bufleft < pi->data_len)
++ {
++ ret = -1;
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsQueryXInfo: bufleft (%ld) < data_len (%d)\n",
++ bufleft, pi->data_len);
++#endif
++ goto bail;
++ }
+ po = (fsPropOffset *) buf;
+ buf += pi->num_offsets * SIZEOF(fsPropOffset);
++ bufleft -= pi->data_len;
+
++ {
++ ret = -1;
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsQueryXInfo: bufleft (%ld) < data_len (%d)\n",
++ bufleft, pi->data_len);
++#endif
++ goto bail;
++ }
+ pd = (pointer) buf;
+ buf += pi->data_len;
++ bufleft -= pi->data_len;
+
+ /* convert the properties and step over the reply */
+ ret = _fs_convert_props(pi, po, pd, pInfo);
++ bail:
+ _fs_done_read (conn, rep->length << 2);
+-
++
+ if (ret == -1)
+ {
+ fs_cleanup_bfont (bfont);
+--
+2.1.4
+
diff --git a/debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch b/debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch
new file mode 100644
index 0000000..fc1dea6
--- /dev/null
+++ b/debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch
@@ -0,0 +1,48 @@
+From bb7abd9da9badc6cb825c636867cbef827141f36 Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333 at gmail.com>
+Date: Sun, 8 Feb 2015 22:19:01 -0500
+Subject: [PATCH 12/40] CVE-2014-0211: integer overflow in
+ fs_read_extent_info() from xorg/lib/libXfont commit
+ c578408c1fd4db09e4e3173f8a9e65c81cc187c1
+
+fs_read_extent_info() parses a reply from the font server.
+The reply contains a 32bit number of elements field which is used
+to calculate a buffer length. There is an integer overflow in this
+calculation which can lead to memory corruption.
+---
+ nx-X11/lib/font/fc/fserve.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
+index 2a6f6c9..639964c 100644
+--- a/nx-X11/lib/font/fc/fserve.c
++++ b/nx-X11/lib/font/fc/fserve.c
+@@ -73,6 +73,7 @@ in this Software without prior written authorization from The Open Group.
+ #include "fservestr.h"
+ #include <X11/fonts/fontutil.h>
+ #include <errno.h>
++#include <limits.h>
+
+ #include <time.h>
+ #define Time_t time_t
+@@ -1060,7 +1061,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ numInfos *= 2;
+ haveInk = TRUE;
+ }
+- ci = pCI = (CharInfoPtr) xalloc(sizeof(CharInfoRec) * numInfos);
++ if (numInfos >= (INT_MAX / sizeof(CharInfoRec))) {
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsQueryXExtents16: numInfos (%d) >= %ld\n",
++ numInfos, (INT_MAX / sizeof(CharInfoRec)));
++#endif
++ pCI = NULL;
++ }
++ else
++ pCI = malloc(sizeof(CharInfoRec) * numInfos);
+
+ if (!pCI)
+ {
+--
+2.1.4
+
diff --git a/debian/patches/1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch b/debian/patches/1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch
new file mode 100644
index 0000000..63ba2b9
--- /dev/null
+++ b/debian/patches/1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch
@@ -0,0 +1,34 @@
+From a0bed4d9fce8ffc96f13ca13b95d2a7913d20719 Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333 at gmail.com>
+Date: Sun, 8 Feb 2015 22:23:51 -0500
+Subject: [PATCH 13/40] CVE-2014-0211: integer overflow in fs_alloc_glyphs()
+ from xorg/lib/libXfont commit a42f707f8a62973f5e8bbcd08afb10a79e9cee33
+
+fs_alloc_glyphs() is a malloc wrapper used by the font code.
+It contains a classic integer overflow in the malloc() call,
+which can cause memory corruption.
+---
+ nx-X11/lib/font/fc/fsconvert.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/nx-X11/lib/font/fc/fsconvert.c b/nx-X11/lib/font/fc/fsconvert.c
+index d41e0b8..afa2c32 100644
+--- a/nx-X11/lib/font/fc/fsconvert.c
++++ b/nx-X11/lib/font/fc/fsconvert.c
+@@ -762,7 +762,12 @@ fs_alloc_glyphs (FontPtr pFont, int size)
+ FSGlyphPtr glyphs;
+ FSFontPtr fsfont = (FSFontPtr) pFont->fontPrivate;
+
+- glyphs = xalloc (sizeof (FSGlyphRec) + size);
++ if (size < (INT_MAX - sizeof (FSGlyphRec)))
++ glyphs = xalloc (sizeof (FSGlyphRec) + size);
++ else
++ glyphs = NULL;
++ if (glyphs == NULL)
++ return NULL;
+ glyphs->next = fsfont->glyphs;
+ fsfont->glyphs = glyphs;
+ return (pointer) (glyphs + 1);
+--
+2.1.4
+
diff --git a/debian/patches/1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch b/debian/patches/1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch
new file mode 100644
index 0000000..9d65f8a
--- /dev/null
+++ b/debian/patches/1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch
@@ -0,0 +1,38 @@
+From d2b96c5d59766f96181de95da1906fd6e32785ba Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333 at gmail.com>
+Date: Sun, 8 Feb 2015 22:26:16 -0500
+Subject: [PATCH 14/40] CVE-2014-0210: unvalidated length fields in
+ fs_read_extent_info() from xorg/lib/libXfont commit
+ a3f21421537620fc4e1f844a594a4bcd9f7e2bd8
+
+Looping over the extents in the reply could go past the end of the
+reply buffer if the reply indicated more extents than could fit in
+the specified reply length.
+---
+ nx-X11/lib/font/fc/fserve.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
+index 639964c..79de4f3 100644
+--- a/nx-X11/lib/font/fc/fserve.c
++++ b/nx-X11/lib/font/fc/fserve.c
+@@ -1069,6 +1069,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ #endif
+ pCI = NULL;
+ }
++ else if (numExtents > ((rep->length - LENGTHOF(fsQueryXExtents16Reply))
++ / LENGTHOF(fsXCharInfo))) {
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsQueryXExtents16: numExtents (%d) > (%d - %d) / %d\n",
++ numExtents, rep->length,
++ LENGTHOF(fsQueryXExtents16Reply), LENGTHOF(fsXCharInfo));
++#endif
++ pCI = NULL;
++ }
+ else
+ pCI = malloc(sizeof(CharInfoRec) * numInfos);
+
+--
+2.1.4
+
diff --git a/debian/patches/1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch b/debian/patches/1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch
new file mode 100644
index 0000000..93e7d32
--- /dev/null
+++ b/debian/patches/1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch
@@ -0,0 +1,75 @@
+From ece51493f1d970f45e53588e33a700464a42fbab Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333 at gmail.com>
+Date: Sun, 8 Feb 2015 22:27:47 -0500
+Subject: [PATCH 15/40] CVE-2014-0210: unvalidated length fields in
+ fs_read_glyphs() from xorg/lib/libXfont commit
+ 520683652564c2a4e42328ae23eef9bb63271565
+
+fs_read_glyphs() parses a reply from the font server. The reply
+contains embedded length fields, none of which are validated.
+This can cause out of bound reads when looping over the glyph
+bitmaps in the reply.
+---
+ nx-X11/lib/font/fc/fserve.c | 29 ++++++++++++++++++++++++++++-
+ 1 file changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
+index 79de4f3..26218e5 100644
+--- a/nx-X11/lib/font/fc/fserve.c
++++ b/nx-X11/lib/font/fc/fserve.c
+@@ -1916,6 +1916,7 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ FontInfoPtr pfi = &pfont->info;
+ fsQueryXBitmaps16Reply *rep;
+ char *buf;
++ long bufleft; /* length of reply left to use */
+ fsOffset32 *ppbits;
+ fsOffset32 local_off;
+ char *off_adr;
+@@ -1947,9 +1948,33 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ buf = (char *) rep;
+ buf += SIZEOF (fsQueryXBitmaps16Reply);
+
++ bufleft = rep->length << 2;
++ bufleft -= SIZEOF (fsQueryXBitmaps16Reply);
++
++ if ((bufleft / SIZEOF (fsOffset32)) < rep->num_chars)
++ {
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsQueryXBitmaps16: num_chars (%d) > bufleft (%ld) / %d\n",
++ rep->num_chars, bufleft, SIZEOF (fsOffset32));
++#endif
++ err = AllocError;
++ goto bail;
++ }
+ ppbits = (fsOffset32 *) buf;
+ buf += SIZEOF (fsOffset32) * (rep->num_chars);
++ bufleft -= SIZEOF (fsOffset32) * (rep->num_chars);
+
++ if (bufleft < rep->nbytes)
++ {
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsQueryXBitmaps16: nbytes (%d) > bufleft (%ld)\n",
++ rep->nbytes, bufleft);
++#endif
++ err = AllocError;
++ goto bail;
++ }
+ pbitmaps = (pointer ) buf;
+
+ if (blockrec->type == FS_LOAD_GLYPHS)
+@@ -2007,7 +2032,9 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ */
+ if (NONZEROMETRICS(&fsdata->encoding[minchar].metrics))
+ {
+- if (local_off.length)
++ if (local_off.length &&
++ (local_off.position < rep->nbytes) &&
++ (local_off.length <= (rep->nbytes - local_off.position)))
+ {
+ bits = allbits;
+ allbits += local_off.length;
+--
+2.1.4
+
diff --git a/debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch b/debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
new file mode 100644
index 0000000..b5bc8c5
--- /dev/null
+++ b/debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
@@ -0,0 +1,61 @@
+From ef439da38d3a4c00a4e03e7d8f83cb359cd9a230 Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333 at gmail.com>
+Date: Sun, 8 Feb 2015 22:35:21 -0500
+Subject: [PATCH 16/40] CVE-2014-0210: unvalidated length fields in
+ fs_read_list() from xorg/lib/libXfont commit
+ 5fa73ac18474be3032ee7af9c6e29deab163ea39
+
+fs_read_list() parses a reply from the font server. The reply
+contains a list of strings with embedded length fields, none of
+which are validated. This can cause out of bound reads when looping
+over the strings in the reply.
+---
+ nx-X11/lib/font/fc/fserve.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
+index 26218e5..60d9017 100644
+--- a/nx-X11/lib/font/fc/fserve.c
++++ b/nx-X11/lib/font/fc/fserve.c
+@@ -2365,6 +2365,7 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ FSBlockedListPtr blist = (FSBlockedListPtr) blockrec->data;
+ fsListFontsReply *rep;
+ char *data;
++ long dataleft; /* length of reply left to use */
+ int length,
+ i,
+ ret;
+@@ -2382,16 +2383,30 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ return AllocError;
+ }
+ data = (char *) rep + SIZEOF (fsListFontsReply);
++ dataleft = (rep->length << 2) - SIZEOF (fsListFontsReply);
+
+ err = Successful;
+ /* copy data into FontPathRecord */
+ for (i = 0; i < rep->nFonts; i++)
+ {
++ if (dataleft < 1)
++ break;
+ length = *(unsigned char *)data++;
++ dataleft--; /* used length byte */
++ if (length > dataleft) {
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsListFonts: name length (%d) > dataleft (%ld)\n",
++ length, dataleft);
++#endif
++ err = BadFontName;
++ break;
++ }
+ err = AddFontNamesName(blist->names, data, length);
+ if (err != Successful)
+ break;
+ data += length;
++ dataleft -= length;
+ }
+ _fs_done_read (conn, rep->length << 2);
+ return err;
+--
+2.1.4
+
diff --git a/debian/patches/1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch b/debian/patches/1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
new file mode 100644
index 0000000..d92c4ee
--- /dev/null
+++ b/debian/patches/1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
@@ -0,0 +1,112 @@
+From b65259bf3bcca15b5069cb7a6c06f95a40f79813 Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333 at gmail.com>
+Date: Sun, 8 Feb 2015 22:38:32 -0500
+Subject: [PATCH 17/40] CVE-2014-0210: unvalidated length fields in
+ fs_read_list_info() from xorg/lib/libXfont commit
+ d338f81df1e188eb16e1d6aeea7f4800f89c1218
+
+fs_read_list_info() parses a reply from the font server. The reply
+contains a number of additional data items with embedded length or
+count fields, none of which are validated. This can cause out of
+bound reads when looping over these items in the reply.
+---
+ nx-X11/lib/font/fc/fserve.c | 56 ++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 55 insertions(+), 1 deletion(-)
+
+diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
+index 60d9017..6ba3ad4 100644
+--- a/nx-X11/lib/font/fc/fserve.c
++++ b/nx-X11/lib/font/fc/fserve.c
+@@ -2500,6 +2500,7 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ FSBlockedListInfoPtr binfo = (FSBlockedListInfoPtr) blockrec->data;
+ fsListFontsWithXInfoReply *rep;
+ char *buf;
++ long bufleft;
+ FSFpePtr conn = (FSFpePtr) fpe->private;
+ fsPropInfo *pi;
+ fsPropOffset *po;
+@@ -2536,7 +2537,8 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ }
+
+ buf = (char *) rep + SIZEOF (fsListFontsWithXInfoReply);
+-
++ bufleft = (rep->length << 2) - SIZEOF (fsListFontsWithXInfoReply);
++
+ /*
+ * The original FS implementation didn't match
+ * the spec, version 1 was respecified to match the FS.
+@@ -2544,19 +2546,71 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ */
+ if (conn->fsMajorVersion <= 1)
+ {
++ if (rep->nameLength > bufleft) {
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsListFontsWithXInfo: name length (%d) > bufleft (%ld)\n",
++ (int) rep->nameLength, bufleft);
++#endif
++ err = AllocError;
++ goto done;
++ }
++ /* binfo->name is a 256 char array, rep->nameLength is a CARD8 */
+ memcpy (binfo->name, buf, rep->nameLength);
+ buf += _fs_pad_length (rep->nameLength);
++ bufleft -= _fs_pad_length (rep->nameLength);
+ }
+ pi = (fsPropInfo *) buf;
++ if (SIZEOF (fsPropInfo) > bufleft) {
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsListFontsWithXInfo: PropInfo length (%d) > bufleft (%ld)\n",
++ (int) SIZEOF (fsPropInfo), bufleft);
++#endif
++ err = AllocError;
++ goto done;
++ }
++ bufleft -= SIZEOF (fsPropInfo);
+ buf += SIZEOF (fsPropInfo);
+ po = (fsPropOffset *) buf;
++ if (pi->num_offsets > (bufleft / SIZEOF (fsPropOffset))) {
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsListFontsWithXInfo: offset length (%d * %d) > bufleft (%ld)\n",
++ pi->num_offsets, (int) SIZEOF (fsPropOffset), bufleft);
++#endif
++ err = AllocError;
++ goto done;
++ }
++ bufleft -= pi->num_offsets * SIZEOF (fsPropOffset);
+ buf += pi->num_offsets * SIZEOF (fsPropOffset);
+ pd = (pointer) buf;
++ if (pi->data_len > bufleft) {
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsListFontsWithXInfo: data length (%d) > bufleft (%ld)\n",
++ pi->data_len, bufleft);
++#endif
++ err = AllocError;
++ goto done;
++ }
++ bufleft -= pi->data_len;
+ buf += pi->data_len;
+ if (conn->fsMajorVersion > 1)
+ {
++ if (rep->nameLength > bufleft) {
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsListFontsWithXInfo: name length (%d) > bufleft (%ld)\n",
++ (int) rep->nameLength, bufleft);
++#endif
++ err = AllocError;
++ goto done;
++ }
++ /* binfo->name is a 256 char array, rep->nameLength is a CARD8 */
+ memcpy (binfo->name, buf, rep->nameLength);
+ buf += _fs_pad_length (rep->nameLength);
++ bufleft -= _fs_pad_length (rep->nameLength);
+ }
+
+ #ifdef DEBUG
+--
+2.1.4
+
diff --git a/debian/patches/1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch b/debian/patches/1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch
new file mode 100644
index 0000000..3177ee9
--- /dev/null
+++ b/debian/patches/1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch
@@ -0,0 +1,43 @@
+From 37e7fb1f64b29ef06ec4d69ab0b7afa99c613383 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Fri, 17 Jan 2014 18:54:03 -0800
+Subject: [PATCH 18/40] unchecked malloc may allow unauthed client to crash
+ Xserver [CVE-2014-8091]
+
+authdes_ezdecode() calls malloc() using a length provided by the
+connection handshake sent by a newly connected client in order
+to authenticate to the server, so should be treated as untrusted.
+
+It didn't check if malloc() failed before writing to the newly
+allocated buffer, so could lead to a server crash if the server
+fails to allocate memory (up to UINT16_MAX bytes, since the len
+field is a CARD16 in the X protocol).
+
+Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+
+Conflicts:
+ os/rpcauth.c
+---
+ nx-X11/programs/Xserver/os/rpcauth.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/nx-X11/programs/Xserver/os/rpcauth.c b/nx-X11/programs/Xserver/os/rpcauth.c
+index 3c5cb59..a12931e 100644
+--- a/nx-X11/programs/Xserver/os/rpcauth.c
++++ b/nx-X11/programs/Xserver/os/rpcauth.c
+@@ -78,6 +78,10 @@ authdes_ezdecode(char *inmsg, int len)
+ SVCXPRT xprt;
+
+ temp_inmsg = (char *) xalloc(len);
++ if (temp_inmsg == NULL) {
++ why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */
++ return NULL;
++ }
+ memmove(temp_inmsg, inmsg, len);
+
+ memset((char *)&msg, 0, sizeof(msg));
+--
+2.1.4
+
diff --git a/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch b/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch
new file mode 100644
index 0000000..05d4919
--- /dev/null
+++ b/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch
@@ -0,0 +1,42 @@
+From c1225fe6451d7a5f3741ce0fff8f54e38e0a14da Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Wed, 22 Jan 2014 21:11:16 -0800
+Subject: [PATCH 19/40] dix: integer overflow in ProcPutImage() [CVE-2014-8092
+ 1/4]
+
+ProcPutImage() calculates a length field from a width, left pad and depth
+specified by the client (if the specified format is XYPixmap).
+
+The calculations for the total amount of memory the server needs for the
+pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
+on 32-bit systems (since the length is stored in a long int variable).
+
+v2: backport to nx-libs 3.6.x (Mike DePaulo)
+Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+
+Conflicts:
+ dix/dispatch.c
+---
+ nx-X11/programs/Xserver/dix/dispatch.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/nx-X11/programs/Xserver/dix/dispatch.c b/nx-X11/programs/Xserver/dix/dispatch.c
+index 6941456..5ad2f5a 100644
+--- a/nx-X11/programs/Xserver/dix/dispatch.c
++++ b/nx-X11/programs/Xserver/dix/dispatch.c
+@@ -2071,7 +2071,9 @@ ProcPutImage(register ClientPtr client)
+
+ tmpImage = (char *)&stuff[1];
+ lengthProto = length;
+-
++ if (lengthProto >= (INT32_MAX / stuff->height))
++ return BadLength;
++
+ if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) +
+ (sizeof(xPutImageReq) >> 2)) != client->req_len)
+ return BadLength;
+--
+2.1.4
+
diff --git a/debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch b/debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch
new file mode 100644
index 0000000..619794f
--- /dev/null
+++ b/debian/patches/1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch
@@ -0,0 +1,53 @@
+From d4c76981f7fddb364166464c571ed8d3de3086cd Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Mon, 6 Jan 2014 23:30:14 -0800
+Subject: [PATCH 20/40] dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]
+
+GetHosts() iterates over all the hosts it has in memory, and copies
+them to a buffer. The buffer length is calculated by iterating over
+all the hosts and adding up all of their combined length. There is a
+potential integer overflow, if there are lots and lots of hosts (with
+a combined length of > ~4 gig). This should be possible by repeatedly
+calling ProcChangeHosts() on 64bit machines with enough memory.
+
+This patch caps the list at 1mb, because multi-megabyte hostname
+lists for X access control are insane.
+
+v2: backport to nx-libs 3.6.x (Mike DePaulo)
+Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+
+Conflicts:
+ os/access.c
+---
+ nx-X11/programs/Xserver/os/access.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/nx-X11/programs/Xserver/os/access.c b/nx-X11/programs/Xserver/os/access.c
+index b6a70a7..0e9d138 100644
+--- a/nx-X11/programs/Xserver/os/access.c
++++ b/nx-X11/programs/Xserver/os/access.c
+@@ -1719,6 +1719,10 @@ GetHosts (
+ {
+ nHosts++;
+ n += (((host->len + 3) >> 2) << 2) + sizeof(xHostEntry);
++ /* Could check for INT_MAX, but in reality having more than 1mb of
++ hostnames in the access list is ridiculous */
++ if (n >= 1048576)
++ break;
+ }
+ if (n)
+ {
+@@ -1730,6 +1734,8 @@ GetHosts (
+ for (host = validhosts; host; host = host->next)
+ {
+ len = host->len;
++ if ((ptr + sizeof(xHostEntry) + len) > (data + n))
++ break;
+ ((xHostEntry *)ptr)->family = host->family;
+ ((xHostEntry *)ptr)->length = len;
+ ptr += sizeof(xHostEntry);
+--
+2.1.4
+
diff --git a/debian/patches/1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch b/debian/patches/1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch
new file mode 100644
index 0000000..a189cd5
--- /dev/null
+++ b/debian/patches/1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch
@@ -0,0 +1,205 @@
+From ed1e13a1f4e316bcf0dc0d4b2c16b1df3f075005 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Wed, 22 Jan 2014 22:37:15 -0800
+Subject: [PATCH 21/40] dix: integer overflow in RegionSizeof() [CVE-2014-8092
+ 3/4]
+
+RegionSizeof contains several integer overflows if a large length
+value is passed in. Once we fix it to return 0 on overflow, we
+also have to fix the callers to handle this error condition
+
+v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.
+v3: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+Reviewed-by: Julien Cristau <jcristau at debian.org>
+
+Conflicts:
+ dix/region.c
+ include/regionstr.h
+---
+ nx-X11/programs/Xserver/include/regionstr.h | 10 +++++---
+ nx-X11/programs/Xserver/mi/miregion.c | 39 ++++++++++++++++++++---------
+ 2 files changed, 34 insertions(+), 15 deletions(-)
+
+diff --git a/nx-X11/programs/Xserver/include/regionstr.h b/nx-X11/programs/Xserver/include/regionstr.h
+index 000bf3f..cf41170 100644
+--- a/nx-X11/programs/Xserver/include/regionstr.h
++++ b/nx-X11/programs/Xserver/include/regionstr.h
+@@ -53,6 +53,9 @@ SOFTWARE.
+
+ typedef struct _Region RegionRec, *RegionPtr;
+
++#include <stddef.h>
++#include <limits.h>
++
+ #include "miscstruct.h"
+
+ /* Return values from RectIn() */
+@@ -93,7 +96,7 @@ extern RegDataRec miBrokenData;
+ #define REGION_BOX(reg,i) (®ION_BOXPTR(reg)[i])
+ #define REGION_TOP(reg) REGION_BOX(reg, (reg)->data->numRects)
+ #define REGION_END(reg) REGION_BOX(reg, (reg)->data->numRects - 1)
+-#define REGION_SZOF(n) (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)))
++#define REGION_SZOF(n) (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)) ? sizeof(RegDataRec) + ((n) * sizeof(BoxRec)) : 0)
+
+ /* Keith recommends weaning the region code of pScreen argument */
+ #define REG_pScreen screenInfo.screens[0]
+@@ -257,9 +260,10 @@ extern RegDataRec miBrokenData;
+ } \
+ else \
+ { \
++ size_t rgnSize; \
+ (_pReg)->extents = miEmptyBox; \
+- if (((_size) > 1) && ((_pReg)->data = \
+- (RegDataPtr)xalloc(REGION_SZOF(_size)))) \
++ if (((_size) > 1) && ((rgnSize = REGION_SZOF(_size)) > 0) && \
++ ((_pReg)->data = (RegDataPtr)xalloc(rgnSize))) \
+ { \
+ (_pReg)->data->size = (_size); \
+ (_pReg)->data->numRects = 0; \
+diff --git a/nx-X11/programs/Xserver/mi/miregion.c b/nx-X11/programs/Xserver/mi/miregion.c
+index df33248..5ec4ec5 100644
+--- a/nx-X11/programs/Xserver/mi/miregion.c
++++ b/nx-X11/programs/Xserver/mi/miregion.c
+@@ -172,7 +172,6 @@ Equipment Corporation.
+ ((r1)->y1 <= (r2)->y1) && \
+ ((r1)->y2 >= (r2)->y2) )
+
+-#define xallocData(n) (RegDataPtr)xalloc(REGION_SZOF(n))
+ #define xfreeData(reg) if ((reg)->data && (reg)->data->size) xfree((reg)->data)
+
+ #define RECTALLOC_BAIL(pReg,n,bail) \
+@@ -209,8 +208,9 @@ if (!(pReg)->data || (((pReg)->data->numRects + (n)) > (pReg)->data->size)) \
+ #define DOWNSIZE(reg,numRects) \
+ if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \
+ { \
+- RegDataPtr NewData; \
+- NewData = (RegDataPtr)xrealloc((reg)->data, REGION_SZOF(numRects)); \
++ size_t NewSize = REGION_SZOF(numRects); \
++ RegDataPtr NewData = \
++ (NewSize > 0) ? (RegDataPtr)xrealloc((reg)->data, NewSize) : NULL; \
+ if (NewData) \
+ { \
+ NewData->size = (numRects); \
+@@ -337,7 +337,7 @@ miRegionCreate(rect, size)
+ int size;
+ {
+ register RegionPtr pReg;
+-
++ size_t newSize;
+ pReg = (RegionPtr)xalloc(sizeof(RegionRec));
+ if (!pReg)
+ return &miBrokenRegion;
+@@ -349,7 +349,9 @@ miRegionCreate(rect, size)
+ else
+ {
+ pReg->extents = miEmptyBox;
+- if ((size > 1) && (pReg->data = xallocData(size)))
++ newSize = REGION_SZOF(size);
++ if ((size > 1) && (newSize > 0) &&
++ (pReg->data = xalloc(newSize)))
+ {
+ pReg->data->size = size;
+ pReg->data->numRects = 0;
+@@ -371,6 +373,8 @@ miRegionInit(pReg, rect, size)
+ BoxPtr rect;
+ int size;
+ {
++ size_t newSize;
++
+ if (rect)
+ {
+ pReg->extents = *rect;
+@@ -379,7 +383,9 @@ miRegionInit(pReg, rect, size)
+ else
+ {
+ pReg->extents = miEmptyBox;
+- if ((size > 1) && (pReg->data = xallocData(size)))
++ newSize = REGION_SZOF(size);
++ if ((size > 1) && (newSize > 0) &&
++ (pReg->data = xalloc(newSize)))
+ {
+ pReg->data->size = size;
+ pReg->data->numRects = 0;
+@@ -423,11 +429,13 @@ miRectAlloc(
+ int n)
+ {
+ RegDataPtr data;
++ size_t rgnSize;
+
+ if (!pRgn->data)
+ {
+ n++;
+- pRgn->data = xallocData(n);
++ rgnSize = REGION_SZOF(n);
++ pRgn->data = (rgnSize > 0) ? xalloc(rgnSize) : NULL;
+ if (!pRgn->data)
+ return miRegionBreak (pRgn);
+ pRgn->data->numRects = 1;
+@@ -435,7 +443,8 @@ miRectAlloc(
+ }
+ else if (!pRgn->data->size)
+ {
+- pRgn->data = xallocData(n);
++ rgnSize = REGION_SZOF(n);
++ pRgn->data = (rgnSize > 0) ? xalloc(rgnSize) : NULL;
+ if (!pRgn->data)
+ return miRegionBreak (pRgn);
+ pRgn->data->numRects = 0;
+@@ -449,7 +458,8 @@ miRectAlloc(
+ n = 250;
+ }
+ n += pRgn->data->numRects;
+- data = (RegDataPtr)xrealloc(pRgn->data, REGION_SZOF(n));
++ rgnSize = REGION_SZOF(n);
++ data = (rgnSize > 0) ? xrealloc(pRgn->data, rgnSize) : NULL;
+ if (!data)
+ return miRegionBreak (pRgn);
+ pRgn->data = data;
+@@ -476,8 +486,10 @@ miRegionCopy(dst, src)
+ }
+ if (!dst->data || (dst->data->size < src->data->numRects))
+ {
++ size_t newSize = REGION_SZOF(src->data->numRects);
+ xfreeData(dst);
+- dst->data = xallocData(src->data->numRects);
++
++ dst->data = newSize > 0 ? xalloc(newSize) : NULL;
+ if (!dst->data)
+ return miRegionBreak (dst);
+ dst->data->size = src->data->numRects;
+@@ -1667,6 +1679,7 @@ miRectsToRegion(nrects, prect, ctype)
+ register BoxPtr pBox;
+ register int i;
+ int x1, y1, x2, y2;
++ size_t newSize;
+
+ pRgn = miRegionCreate(NullBox, 0);
+ if (REGION_NAR (pRgn))
+@@ -1691,7 +1704,8 @@ miRectsToRegion(nrects, prect, ctype)
+ }
+ return pRgn;
+ }
+- pData = xallocData(nrects);
++ newSize = REGION_SZOF(nrects);
++ pData = newSize > 0 ? xalloc(newSize) : NULL;
+ if (!pData)
+ {
+ miRegionBreak (pRgn);
+@@ -2206,8 +2220,9 @@ miRegionDataCopy(
+ }
+ if (!dst->data || (dst->data->size < src->data->numRects))
+ {
++ size_t newSize = REGION_SZOF(src->data->numRects);
+ xfreeData(dst);
+- dst->data = xallocData(src->data->numRects);
++ dst->data = newSize > 0 ? xalloc(newSize) : NULL;
+ if (!dst->data)
+ return miRegionBreak (dst);
+ }
+--
+2.1.4
+
diff --git a/debian/patches/1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch b/debian/patches/1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch
new file mode 100644
index 0000000..3dddcb0
--- /dev/null
+++ b/debian/patches/1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch
@@ -0,0 +1,46 @@
+From 82d7279ebfa04f319e68145b3adbf65716e59584 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Wed, 22 Jan 2014 23:44:46 -0800
+Subject: [PATCH 22/40] dix: integer overflow in REQUEST_FIXED_SIZE()
+ [CVE-2014-8092 4/4]
+
+Force use of 64-bit integers when evaluating data provided by clients
+in 32-bit fields which can overflow when added or multiplied during
+checks.
+
+Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+
+RHEL5: add #include <stdint.h> for uint64_t
+v3: backport to nx-libs 3.6.x (Mike DePaulo)
+---
+ nx-X11/programs/Xserver/include/dix.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/nx-X11/programs/Xserver/include/dix.h b/nx-X11/programs/Xserver/include/dix.h
+index 1b8fc42..d82979c 100644
+--- a/nx-X11/programs/Xserver/include/dix.h
++++ b/nx-X11/programs/Xserver/include/dix.h
+@@ -50,6 +50,8 @@ SOFTWARE.
+ #ifndef DIX_H
+ #define DIX_H
+
++#include <stdint.h>
++
+ #include "gc.h"
+ #include "window.h"
+ #include "input.h"
+@@ -73,7 +75,8 @@ SOFTWARE.
+
+ #define REQUEST_FIXED_SIZE(req, n)\
+ if (((sizeof(req) >> 2) > client->req_len) || \
+- (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \
++ ((n >> 2) >= client->req_len) || \
++ ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \
+ return(BadLength)
+
+ #define LEGAL_NEW_RESOURCE(id,client)\
+--
+2.1.4
+
diff --git a/debian/patches/1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch b/debian/patches/1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch
new file mode 100644
index 0000000..5b9beb1
--- /dev/null
+++ b/debian/patches/1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch
@@ -0,0 +1,80 @@
+From 985ca320f841bd9a3efc484f92436b3d65ec1b31 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Wed, 22 Jan 2014 23:12:04 -0800
+Subject: [PATCH 23/40] dbe: unvalidated lengths in DbeSwapBuffers calls
+ [CVE-2014-8097]
+
+ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read
+from a buffer. The length is never validated, which can lead to out of
+bound reads, and possibly returning the data read from out of bounds to
+the misbehaving client via an X Error packet.
+
+SProcDbeSwapBuffers() swaps data (for correct endianness) before
+handing it off to the real proc. While doing the swapping, the
+length field is not validated, which can cause memory corruption.
+
+v2: reorder checks to avoid compilers optimizing out checks for overflow
+that happen after we'd already have done the overflowing multiplications.
+v3: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+
+Conflicts:
+ dbe/dbe.c
+---
+ nx-X11/programs/Xserver/dbe/dbe.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/nx-X11/programs/Xserver/dbe/dbe.c b/nx-X11/programs/Xserver/dbe/dbe.c
+index c0d6131..5a1e9b0 100644
+--- a/nx-X11/programs/Xserver/dbe/dbe.c
++++ b/nx-X11/programs/Xserver/dbe/dbe.c
+@@ -725,8 +725,8 @@ ProcDbeSwapBuffers(client)
+ DbeSwapInfoPtr swapInfo;
+ xDbeSwapInfo *dbeSwapInfo;
+ int error;
+- register int i, j;
+- int nStuff;
++ unsigned int i, j;
++ unsigned int nStuff;
+
+
+ REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
+@@ -734,11 +734,13 @@ ProcDbeSwapBuffers(client)
+
+ if (nStuff == 0)
+ {
++ REQUEST_SIZE_MATCH(xDbeSwapBuffersReq);
+ return(Success);
+ }
+
+ if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
+ return BadAlloc;
++ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));
+
+ /* Get to the swap info appended to the end of the request. */
+ dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
+@@ -1289,7 +1291,7 @@ SProcDbeSwapBuffers(client)
+ ClientPtr client;
+ {
+ REQUEST(xDbeSwapBuffersReq);
+- register int i, n;
++ unsigned int i, n;
+ xDbeSwapInfo *pSwapInfo;
+
+
+@@ -1297,6 +1299,9 @@ SProcDbeSwapBuffers(client)
+ REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
+
+ swapl(&stuff->n, n);
++ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
++ return BadAlloc;
++ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
+
+ if (stuff->n != 0)
+ {
+--
+2.1.4
+
diff --git a/debian/patches/1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch b/debian/patches/1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch
new file mode 100644
index 0000000..884fa43
--- /dev/null
+++ b/debian/patches/1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch
@@ -0,0 +1,114 @@
+From fde1375e373137ac52d0530b819bf9df64ab14c1 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Sun, 26 Jan 2014 10:54:41 -0800
+Subject: [PATCH 24/40] Xi: unvalidated lengths in Xinput extension
+ [CVE-2014-8095]
+
+Multiple functions in the Xinput extension handling of requests from
+clients failed to check that the length of the request sent by the
+client was large enough to perform all the required operations and
+thus could read or write to memory outside the bounds of the request
+buffer.
+
+This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE
+macro in include/dix.h for the common case of needing to ensure a
+request is large enough to include both the request itself and a
+minimum amount of extra data following the request header.
+
+v2: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+
+Conflicts:
+ Xi/chgdctl.c
+ Xi/chgfctl.c
+ Xi/xiallowev.c
+ Xi/xichangecursor.c
+ Xi/xichangehierarchy.c
+ Xi/xigetclientpointer.c
+ Xi/xigrabdev.c
+ Xi/xipassivegrab.c
+ Xi/xiproperty.c
+ Xi/xiquerydevice.c
+ Xi/xiquerypointer.c
+ Xi/xiselectev.c
+ Xi/xisetclientpointer.c
+ Xi/xisetdevfocus.c
+ Xi/xiwarppointer.c
+
+[RHEL5: Xi/xi* files are XI2 ]
+---
+ nx-X11/programs/Xserver/Xi/chgdctl.c | 4 ++--
+ nx-X11/programs/Xserver/Xi/chgfctl.c | 2 ++
+ nx-X11/programs/Xserver/Xi/sendexev.c | 3 +++
+ nx-X11/programs/Xserver/include/dix.h | 4 ++++
+ 4 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/nx-X11/programs/Xserver/Xi/chgdctl.c b/nx-X11/programs/Xserver/Xi/chgdctl.c
+index 63a3c9c..144a51e 100644
+--- a/nx-X11/programs/Xserver/Xi/chgdctl.c
++++ b/nx-X11/programs/Xserver/Xi/chgdctl.c
+@@ -87,7 +87,7 @@ SProcXChangeDeviceControl(client)
+
+ REQUEST(xChangeDeviceControlReq);
+ swaps(&stuff->length, n);
+- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
++ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
+ swaps(&stuff->control, n);
+ return(ProcXChangeDeviceControl(client));
+ }
+@@ -111,7 +111,7 @@ ProcXChangeDeviceControl(client)
+ CARD32 *resolution;
+
+ REQUEST(xChangeDeviceControlReq);
+- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
++ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
+
+ len = stuff->length - (sizeof(xChangeDeviceControlReq) >>2);
+ dev = LookupDeviceIntRec (stuff->deviceid);
+diff --git a/nx-X11/programs/Xserver/Xi/chgfctl.c b/nx-X11/programs/Xserver/Xi/chgfctl.c
+index fe8bd1f..3ffac39 100644
+--- a/nx-X11/programs/Xserver/Xi/chgfctl.c
++++ b/nx-X11/programs/Xserver/Xi/chgfctl.c
+@@ -160,6 +160,8 @@ ProcXChangeFeedbackControl(client)
+ xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
+ if (client->swapped)
+ {
++ if (len < (sizeof(xStringFeedbackCtl) + 3) >> 2)
++ return BadLength;
+ swaps(&f->num_keysyms,n);
+ }
+ if (len != ((sizeof(xStringFeedbackCtl)>>2) + f->num_keysyms))
+diff --git a/nx-X11/programs/Xserver/Xi/sendexev.c b/nx-X11/programs/Xserver/Xi/sendexev.c
+index 9b441f2..0b2a701 100644
+--- a/nx-X11/programs/Xserver/Xi/sendexev.c
++++ b/nx-X11/programs/Xserver/Xi/sendexev.c
+@@ -154,6 +154,9 @@ ProcXSendExtensionEvent (client)
+ return Success;
+ }
+
++ if (stuff->num_events == 0)
++ return ret;
++
+ /* The client's event type must be one defined by an extension. */
+
+ first = ((xEvent *) &stuff[1]);
+diff --git a/nx-X11/programs/Xserver/include/dix.h b/nx-X11/programs/Xserver/include/dix.h
+index d82979c..9fe575e 100644
+--- a/nx-X11/programs/Xserver/include/dix.h
++++ b/nx-X11/programs/Xserver/include/dix.h
+@@ -73,6 +73,10 @@ SOFTWARE.
+ if ((sizeof(req) >> 2) > client->req_len )\
+ return(BadLength)
+
++#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra) \
++ if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \
++ return(BadLength)
++
+ #define REQUEST_FIXED_SIZE(req, n)\
+ if (((sizeof(req) >> 2) > client->req_len) || \
+ ((n >> 2) >= client->req_len) || \
+--
+2.1.4
+
diff --git a/debian/patches/1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch b/debian/patches/1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch
new file mode 100644
index 0000000..342728e
--- /dev/null
+++ b/debian/patches/1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch
@@ -0,0 +1,29 @@
+From 0d53194f7ef5980a7cd78950a4f3eb2b56e65746 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Sun, 26 Jan 2014 17:18:54 -0800
+Subject: [PATCH 25/40] xcmisc: unvalidated length in SProcXCMiscGetXIDList()
+ [CVE-2014-8096]
+
+v2: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+---
+ nx-X11/programs/Xserver/Xext/xcmisc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/nx-X11/programs/Xserver/Xext/xcmisc.c b/nx-X11/programs/Xserver/Xext/xcmisc.c
+index c7bb72d..0a9a090 100644
+--- a/nx-X11/programs/Xserver/Xext/xcmisc.c
++++ b/nx-X11/programs/Xserver/Xext/xcmisc.c
+@@ -228,6 +228,7 @@ SProcXCMiscGetXIDList(client)
+ {
+ register int n;
+ REQUEST(xXCMiscGetXIDListReq);
++ REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
+
+ swaps(&stuff->length, n);
+ swapl(&stuff->count, n);
+--
+2.1.4
+
diff --git a/debian/patches/1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch b/debian/patches/1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch
new file mode 100644
index 0000000..1d458a7
--- /dev/null
+++ b/debian/patches/1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch
@@ -0,0 +1,184 @@
+From 2abde565df5de98800cec428fe612cb979063c02 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Sun, 26 Jan 2014 19:23:17 -0800
+Subject: [PATCH 26/40] Xv: unvalidated lengths in XVideo extension swapped
+ procs [CVE-2014-8099]
+
+v2: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+
+Conflicts:
+ Xext/xvdisp.c
+---
+ nx-X11/programs/Xserver/Xext/xvdisp.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/nx-X11/programs/Xserver/Xext/xvdisp.c b/nx-X11/programs/Xserver/Xext/xvdisp.c
+index 21ab0b6..b361c0f 100644
+--- a/nx-X11/programs/Xserver/Xext/xvdisp.c
++++ b/nx-X11/programs/Xserver/Xext/xvdisp.c
+@@ -1347,6 +1347,7 @@ SProcXvQueryExtension(ClientPtr client)
+ {
+ register char n;
+ REQUEST(xvQueryExtensionReq);
++ REQUEST_SIZE_MATCH(xvQueryExtensionReq);
+ swaps(&stuff->length, n);
+ return ProcXvQueryExtension(client);
+ }
+@@ -1356,6 +1357,7 @@ SProcXvQueryAdaptors(ClientPtr client)
+ {
+ register char n;
+ REQUEST(xvQueryAdaptorsReq);
++ REQUEST_SIZE_MATCH(xvQueryAdaptorsReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->window, n);
+ return ProcXvQueryAdaptors(client);
+@@ -1366,6 +1368,7 @@ SProcXvQueryEncodings(ClientPtr client)
+ {
+ register char n;
+ REQUEST(xvQueryEncodingsReq);
++ REQUEST_SIZE_MATCH(xvQueryEncodingsReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->port, n);
+ return ProcXvQueryEncodings(client);
+@@ -1376,6 +1379,7 @@ SProcXvGrabPort(ClientPtr client)
+ {
+ register char n;
+ REQUEST(xvGrabPortReq);
++ REQUEST_SIZE_MATCH(xvGrabPortReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->port, n);
+ swapl(&stuff->time, n);
+@@ -1387,6 +1391,7 @@ SProcXvUngrabPort(ClientPtr client)
+ {
+ register char n;
+ REQUEST(xvUngrabPortReq);
++ REQUEST_SIZE_MATCH(xvUngrabPortReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->port, n);
+ swapl(&stuff->time, n);
+@@ -1398,6 +1403,7 @@ SProcXvPutVideo(ClientPtr client)
+ {
+ register char n;
+ REQUEST(xvPutVideoReq);
++ REQUEST_SIZE_MATCH(xvPutVideoReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->port, n);
+ swapl(&stuff->drawable, n);
+@@ -1418,6 +1424,7 @@ SProcXvPutStill(ClientPtr client)
+ {
+ register char n;
+ REQUEST(xvPutStillReq);
++ REQUEST_SIZE_MATCH(xvPutStillReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->port, n);
+ swapl(&stuff->drawable, n);
+@@ -1438,6 +1445,7 @@ SProcXvGetVideo(ClientPtr client)
+ {
+ register char n;
+ REQUEST(xvGetVideoReq);
++ REQUEST_SIZE_MATCH(xvGetVideoReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->port, n);
+ swapl(&stuff->drawable, n);
+@@ -1458,6 +1466,7 @@ SProcXvGetStill(ClientPtr client)
+ {
+ register char n;
+ REQUEST(xvGetStillReq);
++ REQUEST_SIZE_MATCH(xvGetStillReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->port, n);
+ swapl(&stuff->drawable, n);
+@@ -1478,6 +1487,7 @@ SProcXvPutImage(ClientPtr client)
+ {
+ register char n;
+ REQUEST(xvPutImageReq);
++ REQUEST_AT_LEAST_SIZE(xvPutImageReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->port, n);
+ swapl(&stuff->drawable, n);
+@@ -1502,6 +1512,7 @@ SProcXvShmPutImage(ClientPtr client)
+ {
+ register char n;
+ REQUEST(xvShmPutImageReq);
++ REQUEST_SIZE_MATCH(xvShmPutImageReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->port, n);
+ swapl(&stuff->drawable, n);
+@@ -1529,6 +1540,7 @@ SProcXvSelectVideoNotify(ClientPtr client)
+ {
+ register char n;
+ REQUEST(xvSelectVideoNotifyReq);
++ REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->drawable, n);
+ return ProcXvSelectVideoNotify(client);
+@@ -1539,6 +1551,7 @@ SProcXvSelectPortNotify(ClientPtr client)
+ {
+ register char n;
+ REQUEST(xvSelectPortNotifyReq);
++ REQUEST_SIZE_MATCH(xvSelectPortNotifyReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->port, n);
+ return ProcXvSelectPortNotify(client);
+@@ -1549,6 +1562,7 @@ SProcXvStopVideo(ClientPtr client)
+ {
+ register char n;
+ REQUEST(xvStopVideoReq);
++ REQUEST_SIZE_MATCH(xvStopVideoReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->port, n);
+ swapl(&stuff->drawable, n);
+@@ -1560,6 +1574,7 @@ SProcXvSetPortAttribute(ClientPtr client)
+ {
+ register char n;
+ REQUEST(xvSetPortAttributeReq);
++ REQUEST_SIZE_MATCH(xvSetPortAttributeReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->port, n);
+ swapl(&stuff->attribute, n);
+@@ -1571,6 +1586,7 @@ SProcXvGetPortAttribute(ClientPtr client)
+ {
+ register char n;
+ REQUEST(xvGetPortAttributeReq);
++ REQUEST_SIZE_MATCH(xvGetPortAttributeReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->port, n);
+ swapl(&stuff->attribute, n);
+@@ -1582,6 +1598,7 @@ SProcXvQueryBestSize(ClientPtr client)
+ {
+ register char n;
+ REQUEST(xvQueryBestSizeReq);
++ REQUEST_SIZE_MATCH(xvQueryBestSizeReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->port, n);
+ swaps(&stuff->vid_w, n);
+@@ -1596,6 +1613,7 @@ SProcXvQueryPortAttributes(ClientPtr client)
+ {
+ register char n;
+ REQUEST(xvQueryPortAttributesReq);
++ REQUEST_SIZE_MATCH(xvQueryPortAttributesReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->port, n);
+ return ProcXvQueryPortAttributes(client);
+@@ -1606,6 +1624,7 @@ SProcXvQueryImageAttributes(ClientPtr client)
+ {
+ register char n;
+ REQUEST(xvQueryImageAttributesReq);
++ REQUEST_SIZE_MATCH(xvQueryImageAttributesReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->id, n);
+ swaps(&stuff->width, n);
+@@ -1618,6 +1637,7 @@ SProcXvListImageFormats(ClientPtr client)
+ {
+ register char n;
+ REQUEST(xvListImageFormatsReq);
++ REQUEST_SIZE_MATCH(xvListImageFormatsReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->port, n);
+ return ProcXvListImageFormats(client);
+--
+2.1.4
+
diff --git a/debian/patches/1027-render-check-request-size-before-reading-it-CVE-2014.patch b/debian/patches/1027-render-check-request-size-before-reading-it-CVE-2014.patch
new file mode 100644
index 0000000..9540dde
--- /dev/null
+++ b/debian/patches/1027-render-check-request-size-before-reading-it-CVE-2014.patch
@@ -0,0 +1,40 @@
+From 6c820648ba4be98c94f61516e83f13edf5ed98db Mon Sep 17 00:00:00 2001
+From: Julien Cristau <jcristau at debian.org>
+Date: Tue, 28 Oct 2014 10:30:04 +0100
+Subject: [PATCH 27/40] render: check request size before reading it
+ [CVE-2014-8100 1/2]
+
+Otherwise we may be reading outside of the client request.
+
+v2: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Signed-off-by: Julien Cristau <jcristau at debian.org>
+Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+
+Conflicts:
+ render/render.c
+---
+ nx-X11/programs/Xserver/render/render.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/nx-X11/programs/Xserver/render/render.c b/nx-X11/programs/Xserver/render/render.c
+index d25d497..ebbce81 100644
+--- a/nx-X11/programs/Xserver/render/render.c
++++ b/nx-X11/programs/Xserver/render/render.c
+@@ -283,10 +283,11 @@ ProcRenderQueryVersion (ClientPtr client)
+ register int n;
+ REQUEST(xRenderQueryVersionReq);
+
++ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
++
+ pRenderClient->major_version = stuff->majorVersion;
+ pRenderClient->minor_version = stuff->minorVersion;
+
+- REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+--
+2.1.4
+
diff --git a/debian/patches/1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch b/debian/patches/1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch
new file mode 100644
index 0000000..b90b03c
--- /dev/null
+++ b/debian/patches/1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch
@@ -0,0 +1,146 @@
+From 9c3842a4f72b4cca28ac1d5c14441787c7dd6e6a Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Sun, 26 Jan 2014 19:51:29 -0800
+Subject: [PATCH 28/40] render: unvalidated lengths in Render extn. swapped
+ procs [CVE-2014-8100 2/2]
+
+v2: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+
+Conflicts:
+ render/render.c
+---
+ nx-X11/programs/Xserver/render/render.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/nx-X11/programs/Xserver/render/render.c b/nx-X11/programs/Xserver/render/render.c
+index ebbce81..eee21db 100644
+--- a/nx-X11/programs/Xserver/render/render.c
++++ b/nx-X11/programs/Xserver/render/render.c
+@@ -2014,6 +2014,7 @@ SProcRenderQueryVersion (ClientPtr client)
+ {
+ register int n;
+ REQUEST(xRenderQueryVersionReq);
++ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
+
+ swaps(&stuff->length, n);
+ swapl(&stuff->majorVersion, n);
+@@ -2026,6 +2027,7 @@ SProcRenderQueryPictFormats (ClientPtr client)
+ {
+ register int n;
+ REQUEST(xRenderQueryPictFormatsReq);
++ REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
+ swaps(&stuff->length, n);
+ return (*ProcRenderVector[stuff->renderReqType]) (client);
+ }
+@@ -2035,6 +2037,7 @@ SProcRenderQueryPictIndexValues (ClientPtr client)
+ {
+ register int n;
+ REQUEST(xRenderQueryPictIndexValuesReq);
++ REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->format, n);
+ return (*ProcRenderVector[stuff->renderReqType]) (client);
+@@ -2051,6 +2054,7 @@ SProcRenderCreatePicture (ClientPtr client)
+ {
+ register int n;
+ REQUEST(xRenderCreatePictureReq);
++ REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->pid, n);
+ swapl(&stuff->drawable, n);
+@@ -2065,6 +2069,7 @@ SProcRenderChangePicture (ClientPtr client)
+ {
+ register int n;
+ REQUEST(xRenderChangePictureReq);
++ REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->picture, n);
+ swapl(&stuff->mask, n);
+@@ -2077,6 +2082,7 @@ SProcRenderSetPictureClipRectangles (ClientPtr client)
+ {
+ register int n;
+ REQUEST(xRenderSetPictureClipRectanglesReq);
++ REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->picture, n);
+ SwapRestS(stuff);
+@@ -2088,6 +2094,7 @@ SProcRenderFreePicture (ClientPtr client)
+ {
+ register int n;
+ REQUEST(xRenderFreePictureReq);
++ REQUEST_SIZE_MATCH(xRenderFreePictureReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->picture, n);
+ return (*ProcRenderVector[stuff->renderReqType]) (client);
+@@ -2098,6 +2105,7 @@ SProcRenderComposite (ClientPtr client)
+ {
+ register int n;
+ REQUEST(xRenderCompositeReq);
++ REQUEST_SIZE_MATCH(xRenderCompositeReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->src, n);
+ swapl(&stuff->mask, n);
+@@ -2118,6 +2126,7 @@ SProcRenderScale (ClientPtr client)
+ {
+ register int n;
+ REQUEST(xRenderScaleReq);
++ REQUEST_SIZE_MATCH(xRenderScaleReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->src, n);
+ swapl(&stuff->dst, n);
+@@ -2223,6 +2232,7 @@ SProcRenderCreateGlyphSet (ClientPtr client)
+ {
+ register int n;
+ REQUEST(xRenderCreateGlyphSetReq);
++ REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->gsid, n);
+ swapl(&stuff->format, n);
+@@ -2234,6 +2244,7 @@ SProcRenderReferenceGlyphSet (ClientPtr client)
+ {
+ register int n;
+ REQUEST(xRenderReferenceGlyphSetReq);
++ REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->gsid, n);
+ swapl(&stuff->existing, n);
+@@ -2245,6 +2256,7 @@ SProcRenderFreeGlyphSet (ClientPtr client)
+ {
+ register int n;
+ REQUEST(xRenderFreeGlyphSetReq);
++ REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->glyphset, n);
+ return (*ProcRenderVector[stuff->renderReqType]) (client);
+@@ -2259,6 +2271,7 @@ SProcRenderAddGlyphs (ClientPtr client)
+ void *end;
+ xGlyphInfo *gi;
+ REQUEST(xRenderAddGlyphsReq);
++ REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->glyphset, n);
+ swapl(&stuff->nglyphs, n);
+@@ -2295,6 +2308,7 @@ SProcRenderFreeGlyphs (ClientPtr client)
+ {
+ register int n;
+ REQUEST(xRenderFreeGlyphsReq);
++ REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->glyphset, n);
+ SwapRestL(stuff);
+@@ -2313,7 +2327,8 @@ SProcRenderCompositeGlyphs (ClientPtr client)
+ int size;
+
+ REQUEST(xRenderCompositeGlyphsReq);
+-
++ REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
++
+ switch (stuff->renderReqType) {
+ default: size = 1; break;
+ case X_RenderCompositeGlyphs16: size = 2; break;
+--
+2.1.4
+
diff --git a/debian/patches/1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch b/debian/patches/1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch
new file mode 100644
index 0000000..90bc324
--- /dev/null
+++ b/debian/patches/1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch
@@ -0,0 +1,32 @@
+From c12a473f29cfadb62d38b0fffc36762d8e626676 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Sun, 26 Jan 2014 20:02:20 -0800
+Subject: [PATCH 29/40] xfixes: unvalidated length in
+ SProcXFixesSelectSelectionInput [CVE-2014-8102]
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+
+v2: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Conflicts:
+ xfixes/select.c
+---
+ nx-X11/programs/Xserver/xfixes/select.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/nx-X11/programs/Xserver/xfixes/select.c b/nx-X11/programs/Xserver/xfixes/select.c
+index c72e19e..4b8bd01 100755
+--- a/nx-X11/programs/Xserver/xfixes/select.c
++++ b/nx-X11/programs/Xserver/xfixes/select.c
+@@ -216,6 +216,7 @@ SProcXFixesSelectSelectionInput (ClientPtr client)
+ register int n;
+ REQUEST(xXFixesSelectSelectionInputReq);
+
++ REQUEST_SIZE_MATCH(xXFixesSelectSelectionInputReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->window, n);
+ swapl(&stuff->selection, n);
+--
+2.1.4
+
diff --git a/debian/patches/1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch b/debian/patches/1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch
new file mode 100644
index 0000000..6a1757d
--- /dev/null
+++ b/debian/patches/1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch
@@ -0,0 +1,45 @@
+From cea44678dd6a9418460ead314fb2106924b081f7 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Sun, 26 Jan 2014 19:38:09 -0800
+Subject: [PATCH 30/40] randr: unvalidated lengths in RandR extension swapped
+ procs [CVE-2014-8101]
+
+v2: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
+---
+ nx-X11/programs/Xserver/randr/rrsdispatch.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/nx-X11/programs/Xserver/randr/rrsdispatch.c b/nx-X11/programs/Xserver/randr/rrsdispatch.c
+index 80d16b7..c4425ec 100644
+--- a/nx-X11/programs/Xserver/randr/rrsdispatch.c
++++ b/nx-X11/programs/Xserver/randr/rrsdispatch.c
+@@ -28,6 +28,7 @@ SProcRRQueryVersion (ClientPtr client)
+ register int n;
+ REQUEST(xRRQueryVersionReq);
+
++ REQUEST_SIZE_MATCH(xRRQueryVersionReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->majorVersion, n);
+ swapl(&stuff->minorVersion, n);
+@@ -40,6 +41,7 @@ SProcRRGetScreenInfo (ClientPtr client)
+ register int n;
+ REQUEST(xRRGetScreenInfoReq);
+
++ REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->window, n);
+ return (*ProcRandrVector[stuff->randrReqType]) (client);
+@@ -75,6 +77,7 @@ SProcRRSelectInput (ClientPtr client)
+ register int n;
+ REQUEST(xRRSelectInputReq);
+
++ REQUEST_SIZE_MATCH(xRRSelectInputReq);
+ swaps(&stuff->length, n);
+ swapl(&stuff->window, n);
+ swaps(&stuff->enable, n);
+--
+2.1.4
+
diff --git a/debian/patches/1031-glx-Be-more-paranoid-about-variable-length-requests-.patch b/debian/patches/1031-glx-Be-more-paranoid-about-variable-length-requests-.patch
new file mode 100644
index 0000000..6d16d2e
--- /dev/null
+++ b/debian/patches/1031-glx-Be-more-paranoid-about-variable-length-requests-.patch
@@ -0,0 +1,76 @@
+From 5c43bb2484414b37115dac56dc76f1ecf4c05837 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax at redhat.com>
+Date: Mon, 10 Nov 2014 12:13:36 -0500
+Subject: [PATCH 31/40] glx: Be more paranoid about variable-length requests
+ [CVE-2014-8093 1/6] (v2)
+
+If the size computation routine returns -1 we should just reject the
+request outright. Clamping it to zero could give an attacker the
+opportunity to also mangle cmdlen in such a way that the subsequent
+length check passes, and the request would get executed, thus passing
+data we wanted to reject to the renderer.
+
+v3: backport to nx-libs 3.6.x (Mike DePaulo)
+v2: backport to RHEL5 - fix swap paths
+Reviewed-by: Keith Packard <keithp at keithp.com>
+Reviewed-by: Julien Cristau <jcristau at debian.org>
+Reviewed-by: Michal Srb <msrb at suse.com>
+Reviewed-by: Andy Ritger <aritger at nvidia.com>
+Signed-off-by: Adam Jackson <ajax at redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Signed-off-by: Fedora X Ninjas <x at fedoraproject.org>
+Signed-off-by: Dave Airlie <airlied at redhat.com>
+
+fixup swaps
+---
+ nx-X11/programs/Xserver/GL/glx/glxcmds.c | 4 ++--
+ nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmds.c b/nx-X11/programs/Xserver/GL/glx/glxcmds.c
+index ca5eee8..02f3ba7 100644
+--- a/nx-X11/programs/Xserver/GL/glx/glxcmds.c
++++ b/nx-X11/programs/Xserver/GL/glx/glxcmds.c
+@@ -1484,7 +1484,7 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc)
+ /* variable size command */
+ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False);
+ if (extra < 0) {
+- extra = 0;
++ return BadLength;
+ }
+ if (cmdlen != __GLX_PAD(entry->bytes + extra)) {
+ return BadLength;
+@@ -1601,7 +1601,7 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ */
+ extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False);
+ if (extra < 0) {
+- extra = 0;
++ return BadLength;
+ }
+ /* large command's header is 4 bytes longer, so add 4 */
+ if (cmdlen != __GLX_PAD(entry->bytes + 4 + extra)) {
+diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
+index 595e814..027cba7 100644
+--- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
++++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
+@@ -535,7 +535,7 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc)
+ /* variable size command */
+ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True);
+ if (extra < 0) {
+- extra = 0;
++ return BadLength;
+ }
+ if (cmdlen != __GLX_PAD(entry->bytes + extra)) {
+ return BadLength;
+@@ -659,7 +659,7 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ */
+ extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True);
+ if (extra < 0) {
+- extra = 0;
++ return BadLength;
+ }
+ /* large command's header is 4 bytes longer, so add 4 */
+ if (cmdlen != __GLX_PAD(entry->bytes + 4 + extra)) {
+--
+2.1.4
+
diff --git a/debian/patches/1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch b/debian/patches/1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch
new file mode 100644
index 0000000..af577aa
--- /dev/null
+++ b/debian/patches/1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch
@@ -0,0 +1,163 @@
+From cdf0c3e65670c797a4fd0617d44d2bdff4011815 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax at redhat.com>
+Date: Mon, 10 Nov 2014 12:13:37 -0500
+Subject: [PATCH 32/40] glx: Be more strict about rejecting invalid image sizes
+ [CVE-2014-8093 2/6]
+
+Before this we'd just clamp the image size to 0, which was just
+hideously stupid; if the parameters were such that they'd overflow an
+integer, you'd allocate a small buffer, then pass huge values into (say)
+ReadPixels, and now you're scribbling over arbitrary server memory.
+
+v2: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Reviewed-by: Keith Packard <keithp at keithp.com>
+Reviewed-by: Julien Cristau <jcristau at debian.org>
+Reviewed-by: Michal Srb <msrb at suse.com>
+Reviewed-by: Andy Ritger <aritger at nvidia.com>
+Signed-off-by: Adam Jackson <ajax at redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Signed-off-by: Fedora X Ninjas <x at fedoraproject.org>
+Signed-off-by: Dave Airlie <airlied at redhat.com>
+---
+ nx-X11/programs/Xserver/GL/glx/singlepix.c | 14 +++++++-------
+ nx-X11/programs/Xserver/GL/glx/singlepixswap.c | 14 +++++++-------
+ 2 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/nx-X11/programs/Xserver/GL/glx/singlepix.c b/nx-X11/programs/Xserver/GL/glx/singlepix.c
+index 845c46a..be804d8 100644
+--- a/nx-X11/programs/Xserver/GL/glx/singlepix.c
++++ b/nx-X11/programs/Xserver/GL/glx/singlepix.c
+@@ -70,7 +70,7 @@ int __glXDisp_ReadPixels(__GLXclientState *cl, GLbyte *pc)
+ swapBytes = *(GLboolean *)(pc + 24);
+ lsbFirst = *(GLboolean *)(pc + 25);
+ compsize = __glReadPixels_size(format,type,width,height);
+- if (compsize < 0) compsize = 0;
++ if (compsize < 0) return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
+ glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
+@@ -130,7 +130,7 @@ int __glXDisp_GetTexImage(__GLXclientState *cl, GLbyte *pc)
+ * are illegal, but then width, height, and depth would still be zero anyway.
+ */
+ compsize = __glGetTexImage_size(target,level,format,type,width,height,depth);
+- if (compsize < 0) compsize = 0;
++ if (compsize < 0) return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
+ __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
+@@ -227,7 +227,7 @@ int __glXDisp_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc)
+ compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
+ compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1);
+
+- if (compsize < 0) compsize = 0;
++ if (compsize < 0) return BadLength;
+ if (compsize2 < 0) compsize2 = 0;
+ compsize = __GLX_PAD(compsize);
+ compsize2 = __GLX_PAD(compsize2);
+@@ -291,7 +291,7 @@ int __glXDisp_GetConvolutionFilter(__GLXclientState *cl, GLbyte *pc)
+ * are illegal, but then width and height would still be zero anyway.
+ */
+ compsize = __glGetTexImage_size(target,1,format,type,width,height,1);
+- if (compsize < 0) compsize = 0;
++ if (compsize < 0) return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
+ __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
+@@ -346,7 +346,7 @@ int __glXDisp_GetHistogram(__GLXclientState *cl, GLbyte *pc)
+ * are illegal, but then width would still be zero anyway.
+ */
+ compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
+- if (compsize < 0) compsize = 0;
++ if (compsize < 0) return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
+ __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
+@@ -389,7 +389,7 @@ int __glXDisp_GetMinmax(__GLXclientState *cl, GLbyte *pc)
+ reset = *(GLboolean *)(pc + 13);
+
+ compsize = __glGetTexImage_size(target,1,format,type,2,1,1);
+- if (compsize < 0) compsize = 0;
++ if (compsize < 0) return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
+ __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
+@@ -436,7 +436,7 @@ int __glXDisp_GetColorTable(__GLXclientState *cl, GLbyte *pc)
+ * are illegal, but then width would still be zero anyway.
+ */
+ compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
+- if (compsize < 0) compsize = 0;
++ if (compsize < 0) return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
+ __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
+diff --git a/nx-X11/programs/Xserver/GL/glx/singlepixswap.c b/nx-X11/programs/Xserver/GL/glx/singlepixswap.c
+index ff68ece..cdc6f16 100644
+--- a/nx-X11/programs/Xserver/GL/glx/singlepixswap.c
++++ b/nx-X11/programs/Xserver/GL/glx/singlepixswap.c
+@@ -79,7 +79,7 @@ int __glXDispSwap_ReadPixels(__GLXclientState *cl, GLbyte *pc)
+ swapBytes = *(GLboolean *)(pc + 24);
+ lsbFirst = *(GLboolean *)(pc + 25);
+ compsize = __glReadPixels_size(format,type,width,height);
+- if (compsize < 0) compsize = 0;
++ if (compsize < 0) return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
+ glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
+@@ -148,7 +148,7 @@ int __glXDispSwap_GetTexImage(__GLXclientState *cl, GLbyte *pc)
+ * are illegal, but then width, height, and depth would still be zero anyway.
+ */
+ compsize = __glGetTexImage_size(target,level,format,type,width,height,depth);
+- if (compsize < 0) compsize = 0;
++ if (compsize < 0) return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
+ __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
+@@ -257,7 +257,7 @@ int __glXDispSwap_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc)
+ compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
+ compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1);
+
+- if (compsize < 0) compsize = 0;
++ if (compsize < 0) return BadLength;
+ if (compsize2 < 0) compsize2 = 0;
+ compsize = __GLX_PAD(compsize);
+ compsize2 = __GLX_PAD(compsize2);
+@@ -328,7 +328,7 @@ int __glXDispSwap_GetConvolutionFilter(__GLXclientState *cl, GLbyte *pc)
+ * are illegal, but then width and height would still be zero anyway.
+ */
+ compsize = __glGetTexImage_size(target,1,format,type,width,height,1);
+- if (compsize < 0) compsize = 0;
++ if (compsize < 0) return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
+ __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
+@@ -390,7 +390,7 @@ int __glXDispSwap_GetHistogram(__GLXclientState *cl, GLbyte *pc)
+ * are illegal, but then width would still be zero anyway.
+ */
+ compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
+- if (compsize < 0) compsize = 0;
++ if (compsize < 0) return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
+ __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
+@@ -439,7 +439,7 @@ int __glXDispSwap_GetMinmax(__GLXclientState *cl, GLbyte *pc)
+ reset = *(GLboolean *)(pc + 13);
+
+ compsize = __glGetTexImage_size(target,1,format,type,2,1,1);
+- if (compsize < 0) compsize = 0;
++ if (compsize < 0) return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
+ __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
+@@ -491,7 +491,7 @@ int __glXDispSwap_GetColorTable(__GLXclientState *cl, GLbyte *pc)
+ * are illegal, but then width would still be zero anyway.
+ */
+ compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
+- if (compsize < 0) compsize = 0;
++ if (compsize < 0) return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
+ __GLX_GET_ANSWER_BUFFER(answer,cl,compsize,1);
+--
+2.1.4
+
diff --git a/debian/patches/1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch b/debian/patches/1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch
new file mode 100644
index 0000000..a043d21
--- /dev/null
+++ b/debian/patches/1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch
@@ -0,0 +1,41 @@
+From d0fcbc8a6ca82df82c410d0f8f9062b05fa5ec8d Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax at redhat.com>
+Date: Mon, 10 Nov 2014 12:13:38 -0500
+Subject: [PATCH 33/40] glx: Additional paranoia in __glXGetAnswerBuffer /
+ __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
+
+If the computed reply size is negative, something went wrong, treat it
+as an error.
+
+v2: Be more careful about size_t being unsigned (Matthieu Herrb)
+v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
+v4: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Reviewed-by: Julien Cristau <jcristau at debian.org>
+Reviewed-by: Michal Srb <msrb at suse.com>
+Reviewed-by: Andy Ritger <aritger at nvidia.com>
+Signed-off-by: Adam Jackson <ajax at redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Signed-off-by: Fedora X Ninjas <x at fedoraproject.org>
+Signed-off-by: Dave Airlie <airlied at redhat.com>
+---
+ nx-X11/programs/Xserver/GL/glx/unpack.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/nx-X11/programs/Xserver/GL/glx/unpack.h b/nx-X11/programs/Xserver/GL/glx/unpack.h
+index 723fb85..94bdae8 100644
+--- a/nx-X11/programs/Xserver/GL/glx/unpack.h
++++ b/nx-X11/programs/Xserver/GL/glx/unpack.h
+@@ -89,7 +89,8 @@ extern xGLXSingleReply __glXReply;
+ ** pointer.
+ */
+ #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \
+- if ((size) > sizeof(answerBuffer)) { \
++ if (size < 0) return BadLength; \
++ else if ((size) > sizeof(answerBuffer)) { \
+ int bump; \
+ if ((cl)->returnBufSize < (size)+(align)) { \
+ (cl)->returnBuf = (GLbyte*)Xrealloc((cl)->returnBuf, \
+--
+2.1.4
+
diff --git a/debian/patches/1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch b/debian/patches/1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch
new file mode 100644
index 0000000..3fe45a9
--- /dev/null
+++ b/debian/patches/1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch
@@ -0,0 +1,96 @@
+From 1a9f23118787be611b6db51e4eac864c43c702d9 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax at redhat.com>
+Date: Mon, 10 Nov 2014 12:13:40 -0500
+Subject: [PATCH 34/40] glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6]
+ (v4)
+
+These are paranoid about integer overflow, and will return -1 if their
+operation would overflow a (signed) integer or if either argument is
+negative.
+
+Note that RenderLarge requests are sized with a uint32_t so in principle
+this could be sketchy there, but dix limits bigreqs to 128M so you
+shouldn't ever notice, and honestly if you're sending more than 2G of
+rendering commands you're already doing something very wrong.
+
+v2: Use INT_MAX for consistency with the rest of the server (jcristau)
+v3: Reject negative arguments (anholt)
+
+v4: RHEL5: add limits.h, use inline
+
+v5: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Reviewed-by: Keith Packard <keithp at keithp.com>
+Reviewed-by: Julien Cristau <jcristau at debian.org>
+Reviewed-by: Michal Srb <msrb at suse.com>
+Reviewed-by: Andy Ritger <aritger at nvidia.com>
+Signed-off-by: Adam Jackson <ajax at redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Signed-off-by: Fedora X Ninjas <x at fedoraproject.org>
+Signed-off-by: Dave Airlie <airlied at redhat.com>
+---
+ nx-X11/programs/Xserver/GL/glx/glxserver.h | 41 ++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+diff --git a/nx-X11/programs/Xserver/GL/glx/glxserver.h b/nx-X11/programs/Xserver/GL/glx/glxserver.h
+index e8449b2..4047574 100644
+--- a/nx-X11/programs/Xserver/GL/glx/glxserver.h
++++ b/nx-X11/programs/Xserver/GL/glx/glxserver.h
+@@ -54,6 +54,7 @@
+ #include "GL/glx_ansic.h"
+
+
++#include <limits.h>
+ /*
+ ** The X header misc.h defines these math functions.
+ */
+@@ -223,6 +224,46 @@ extern void glxSwapQueryServerStringReply(ClientPtr client,
+ /*
+ * Routines for computing the size of variably-sized rendering commands.
+ */
++static __inline__ int
++safe_add(int a, int b)
++{
++ if (a < 0 || b < 0)
++ return -1;
++
++ if (INT_MAX - a < b)
++ return -1;
++
++ return a + b;
++}
++
++static __inline__ int
++safe_mul(int a, int b)
++{
++ if (a < 0 || b < 0)
++ return -1;
++
++ if (a == 0 || b == 0)
++ return 0;
++
++ if (a > INT_MAX / b)
++ return -1;
++
++ return a * b;
++}
++
++static __inline__ int
++safe_pad(int a)
++{
++ int ret;
++
++ if (a < 0)
++ return -1;
++
++ if ((ret = safe_add(a, 3)) < 0)
++ return -1;
++
++ return ret & (GLuint)~3;
++}
+
+ extern int __glXTypeSize(GLenum enm);
+ extern int __glXImageSize(GLenum format, GLenum type,
+--
+2.1.4
+
diff --git a/debian/patches/1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch b/debian/patches/1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch
new file mode 100644
index 0000000..17afae9
--- /dev/null
+++ b/debian/patches/1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch
@@ -0,0 +1,132 @@
+From 78b38a8a37e6105360c82a710ef62c92643ea4c1 Mon Sep 17 00:00:00 2001
+From: Julien Cristau <jcristau at debian.org>
+Date: Mon, 10 Nov 2014 12:13:41 -0500
+Subject: [PATCH 35/40] glx: Length checking for GLXRender requests (v2)
+ [CVE-2014-8098 2/8] (v3)
+
+v2:
+Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
+
+v3: backport to RHEL5 hit old paths
+
+v4: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Reviewed-by: Adam Jackson <ajax at redhat.com>
+Reviewed-by: Michal Srb <msrb at suse.com>
+Reviewed-by: Andy Ritger <aritger at nvidia.com>
+Signed-off-by: Julien Cristau <jcristau at debian.org>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Signed-off-by: Fedora X Ninjas <x at fedoraproject.org>
+Signed-off-by: Dave Airlie <airlied at redhat.com>
+---
+ nx-X11/programs/Xserver/GL/glx/glxcmds.c | 20 ++++++++++----------
+ nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 20 ++++++++++----------
+ 2 files changed, 20 insertions(+), 20 deletions(-)
+
+diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmds.c b/nx-X11/programs/Xserver/GL/glx/glxcmds.c
+index 02f3ba7..831c65b 100644
+--- a/nx-X11/programs/Xserver/GL/glx/glxcmds.c
++++ b/nx-X11/programs/Xserver/GL/glx/glxcmds.c
+@@ -1443,7 +1443,7 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc)
+ left = (req->length << 2) - sz_xGLXRenderReq;
+ while (left > 0) {
+ __GLXrenderSizeData *entry;
+- int extra;
++ int extra = 0;
+ void (* proc)(GLbyte *);
+
+ /*
+@@ -1454,6 +1454,9 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc)
+ cmdlen = hdr->length;
+ opcode = hdr->opcode;
+
++ if (left < cmdlen)
++ return BadLength;
++
+ /*
+ ** Check for core opcodes and grab entry data.
+ */
+@@ -1480,22 +1483,19 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc)
+ client->errorValue = commandsDone;
+ return __glXBadRenderRequest;
+ }
++
++ if (cmdlen < entry->bytes) {
++ return BadLength;
++ }
++
+ if (entry->varsize) {
+ /* variable size command */
+ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False);
+ if (extra < 0) {
+ return BadLength;
+ }
+- if (cmdlen != __GLX_PAD(entry->bytes + extra)) {
+- return BadLength;
+- }
+- } else {
+- /* constant size command */
+- if (cmdlen != __GLX_PAD(entry->bytes)) {
+- return BadLength;
+- }
+ }
+- if (left < cmdlen) {
++ if (cmdlen != safe_pad(safe_add(entry->bytes, extra))) {
+ return BadLength;
+ }
+
+diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
+index 027cba7..7174fda 100644
+--- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
++++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
+@@ -498,7 +498,7 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc)
+ left = (req->length << 2) - sz_xGLXRenderReq;
+ while (left > 0) {
+ __GLXrenderSizeData *entry;
+- int extra;
++ int extra = 0;
+ void (* proc)(GLbyte *);
+
+ /*
+@@ -511,6 +511,9 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc)
+ cmdlen = hdr->length;
+ opcode = hdr->opcode;
+
++ if (left < cmdlen)
++ return BadLength;
++
+ if ( (opcode >= __GLX_MIN_RENDER_OPCODE) &&
+ (opcode <= __GLX_MAX_RENDER_OPCODE) ) {
+ entry = &__glXRenderSizeTable[opcode];
+@@ -531,22 +534,19 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc)
+ client->errorValue = commandsDone;
+ return __glXBadRenderRequest;
+ }
++
++ if (cmdlen < entry->bytes) {
++ return BadLength;
++ }
++
+ if (entry->varsize) {
+ /* variable size command */
+ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True);
+ if (extra < 0) {
+ return BadLength;
+ }
+- if (cmdlen != __GLX_PAD(entry->bytes + extra)) {
+- return BadLength;
+- }
+- } else {
+- /* constant size command */
+- if (cmdlen != __GLX_PAD(entry->bytes)) {
+- return BadLength;
+- }
+ }
+- if (left < cmdlen) {
++ if (cmdlen != safe_pad(safe_add(entry->bytes, extra))) {
+ return BadLength;
+ }
+
+--
+2.1.4
+
diff --git a/debian/patches/1036-glx-Integer-overflow-protection-for-non-generated-re.patch b/debian/patches/1036-glx-Integer-overflow-protection-for-non-generated-re.patch
new file mode 100644
index 0000000..742a8bd
--- /dev/null
+++ b/debian/patches/1036-glx-Integer-overflow-protection-for-non-generated-re.patch
@@ -0,0 +1,215 @@
+From ddb1235bc621d06bf28309be70c173ae06131edf Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax at redhat.com>
+Date: Mon, 10 Nov 2014 12:13:42 -0500
+Subject: [PATCH 36/40] glx: Integer overflow protection for non-generated
+ render requests (v3) [CVE-2014-8093 5/6]
+
+v2:
+Fix constants in __glXMap2fReqSize (Michal Srb)
+Validate w/h/d for proxy targets too (Keith Packard)
+
+v3:
+Fix Map[12]Size to correctly reject order == 0 (Julien Cristau)
+
+v4: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Reviewed-by: Keith Packard <keithp at keithp.com>
+Reviewed-by: Michal Srb <msrb at suse.com>
+Reviewed-by: Andy Ritger <aritger at nvidia.com>
+Signed-off-by: Adam Jackson <ajax at redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Signed-off-by: Fedora X Ninjas <x at fedoraproject.org>
+Signed-off-by: Dave Airlie <airlied at redhat.com>
+---
+ nx-X11/programs/Xserver/GL/glx/rensize.c | 68 +++++++++++++++++---------------
+ 1 file changed, 37 insertions(+), 31 deletions(-)
+
+diff --git a/nx-X11/programs/Xserver/GL/glx/rensize.c b/nx-X11/programs/Xserver/GL/glx/rensize.c
+index 7ab02d2..9bf0d00 100644
+--- a/nx-X11/programs/Xserver/GL/glx/rensize.c
++++ b/nx-X11/programs/Xserver/GL/glx/rensize.c
+@@ -167,16 +167,10 @@ int __glXTexEnvivReqSize(GLbyte *pc, Bool swap )
+ return __glXTexEnvfvReqSize( pc, swap );
+ }
+
+-static int Map1Size( GLint k, GLint order)
+-{
+- if (order <= 0 || k < 0) return -1;
+- return k * order;
+-}
+-
+ int __glXMap1dReqSize(GLbyte *pc, Bool swap )
+ {
+ GLenum target;
+- GLint order, k;
++ GLint order;
+
+ target = *(GLenum*) (pc + 16);
+ order = *(GLint*) (pc + 20);
+@@ -184,14 +178,15 @@ int __glXMap1dReqSize(GLbyte *pc, Bool swap )
+ target = SWAPL( target );
+ order = SWAPL( order );
+ }
+- k = __glMap1d_size( target );
+- return 8 * Map1Size( k, order );
++ if (order < 1)
++ return -1;
++ return safe_mul(8, safe_mul(__glMap1d_size(target), order));
+ }
+
+ int __glXMap1fReqSize(GLbyte *pc, Bool swap )
+ {
+ GLenum target;
+- GLint order, k;
++ GLint order;
+
+ target = *(GLenum *)(pc + 0);
+ order = *(GLint *)(pc + 12);
+@@ -199,20 +194,21 @@ int __glXMap1fReqSize(GLbyte *pc, Bool swap )
+ target = SWAPL( target );
+ order = SWAPL( order );
+ }
+- k = __glMap1f_size(target);
+- return 4 * Map1Size(k, order);
++ if (order < 1)
++ return -1;
++ return safe_mul(4, safe_mul(__glMap1f_size(target), order));
+ }
+
+ static int Map2Size(int k, int majorOrder, int minorOrder)
+ {
+- if (majorOrder <= 0 || minorOrder <= 0 || k < 0) return -1;
+- return k * majorOrder * minorOrder;
++ if (majorOrder < 1 || minorOrder < 1) return -1;
++ return safe_mul(k, safe_mul(majorOrder, minorOrder));
+ }
+
+ int __glXMap2dReqSize(GLbyte *pc, Bool swap )
+ {
+ GLenum target;
+- GLint uorder, vorder, k;
++ GLint uorder, vorder;
+
+ target = *(GLenum *)(pc + 32);
+ uorder = *(GLint *)(pc + 36);
+@@ -222,14 +218,13 @@ int __glXMap2dReqSize(GLbyte *pc, Bool swap )
+ uorder = SWAPL( uorder );
+ vorder = SWAPL( vorder );
+ }
+- k = __glMap2d_size( target );
+- return 8 * Map2Size( k, uorder, vorder );
++ return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
+ }
+
+ int __glXMap2fReqSize(GLbyte *pc, Bool swap )
+ {
+ GLenum target;
+- GLint uorder, vorder, k;
++ GLint uorder, vorder;
+
+ target = *(GLenum *)(pc + 0);
+ uorder = *(GLint *)(pc + 12);
+@@ -239,8 +234,7 @@ int __glXMap2fReqSize(GLbyte *pc, Bool swap )
+ uorder = SWAPL( uorder );
+ vorder = SWAPL( vorder );
+ }
+- k = __glMap2f_size( target );
+- return 4 * Map2Size( k, uorder, vorder );
++ return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
+ }
+
+ int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap )
+@@ -315,13 +309,16 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target,
+ GLint bytesPerElement, elementsPerGroup, groupsPerRow;
+ GLint groupSize, rowSize, padding, imageSize;
+
++ if (w == 0 || h == 0 || d == 0)
++ return 0;
++
+ if (w < 0 || h < 0 || d < 0 ||
+ (type == GL_BITMAP &&
+ (format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) {
+ return -1;
+ }
+- if (w==0 || h==0 || d == 0) return 0;
+
++ /* proxy targets have no data */
+ switch( target ) {
+ case GL_PROXY_TEXTURE_1D:
+ case GL_PROXY_TEXTURE_2D:
+@@ -338,6 +335,12 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target,
+ return 0;
+ }
+
++ /* real data has to have real sizes */
++ if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0)
++ return -1;
++ if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8)
++ return -1;
++
+ if (type == GL_BITMAP) {
+ if (rowLength > 0) {
+ groupsPerRow = rowLength;
+@@ -345,11 +348,13 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target,
+ groupsPerRow = w;
+ }
+ rowSize = (groupsPerRow + 7) >> 3;
++ if (rowSize < 0)
++ return -1;
+ padding = (rowSize % alignment);
+ if (padding) {
+ rowSize += alignment - padding;
+ }
+- return ((h + skipRows) * rowSize);
++ return safe_mul(safe_add(h, skipRows), rowSize);
+ } else {
+ switch(format) {
+ case GL_COLOR_INDEX:
+@@ -430,23 +435,25 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target,
+ default:
+ return -1;
+ }
++ /* known safe by the switches above, not checked */
+ groupSize = bytesPerElement * elementsPerGroup;
+ if (rowLength > 0) {
+ groupsPerRow = rowLength;
+ } else {
+ groupsPerRow = w;
+ }
+- rowSize = groupsPerRow * groupSize;
++ if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0)
++ return -1;
+ padding = (rowSize % alignment);
+ if (padding) {
+ rowSize += alignment - padding;
+ }
+- if (imageHeight > 0) {
+- imageSize = (imageHeight + skipRows) * rowSize;
+- } else {
+- imageSize = (h + skipRows) * rowSize;
+- }
+- return ((d + skipImages) * imageSize);
++ if (imageHeight > 0)
++ h = imageHeight;
++ h = safe_add(h, skipRows);
++
++ imageSize = safe_mul(h, rowSize);
++ return safe_mul(safe_add(d, skipImages), imageSize);
+ }
+ }
+
+@@ -873,10 +880,9 @@ int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap )
+ /* XXX Should rowLength be used for either or both image? */
+ image1size = __glXImageSize( format, type, 0, w, 1, 1,
+ 0, rowLength, 0, 0, alignment );
+- image1size = __GLX_PAD(image1size);
+ image2size = __glXImageSize( format, type, 0, h, 1, 1,
+ 0, rowLength, 0, 0, alignment );
+- return image1size + image2size;
++ return safe_add(safe_pad(image1size), image2size);
+
+ }
+
+--
+2.1.4
+
diff --git a/debian/patches/1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch b/debian/patches/1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch
new file mode 100644
index 0000000..7934b47
--- /dev/null
+++ b/debian/patches/1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch
@@ -0,0 +1,53 @@
+From ad29acd7697e18333e164b1746f61c5a9e29a436 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax at redhat.com>
+Date: Mon, 10 Nov 2014 12:13:44 -0500
+Subject: [PATCH 37/40] glx: Top-level length checking for swapped
+ VendorPrivate requests [CVE-2014-8098 4/8]
+
+v2: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Reviewed-by: Keith Packard <keithp at keithp.com>
+Reviewed-by: Julien Cristau <jcristau at debian.org>
+Reviewed-by: Michal Srb <msrb at suse.com>
+Reviewed-by: Andy Ritger <aritger at nvidia.com>
+Signed-off-by: Adam Jackson <ajax at redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Signed-off-by: Fedora X Ninjas <x at fedoraproject.org>
+Signed-off-by: Dave Airlie <airlied at redhat.com>
+---
+ nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
+index 7174fda..2685355 100644
+--- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
++++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
+@@ -797,10 +797,12 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
+
+ int __glXSwapVendorPrivate(__GLXclientState *cl, GLbyte *pc)
+ {
++ ClientPtr client = cl->client;
+ xGLXVendorPrivateReq *req;
+ GLint vendorcode;
+
+ __GLX_DECLARE_SWAP_VARIABLES;
++ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
+
+ req = (xGLXVendorPrivateReq *) pc;
+ __GLX_SWAP_SHORT(&req->length);
+@@ -835,10 +837,12 @@ int __glXSwapVendorPrivate(__GLXclientState *cl, GLbyte *pc)
+
+ int __glXSwapVendorPrivateWithReply(__GLXclientState *cl, GLbyte *pc)
+ {
++ ClientPtr client = cl->client;
+ xGLXVendorPrivateWithReplyReq *req;
+ GLint vendorcode;
+
+ __GLX_DECLARE_SWAP_VARIABLES;
++ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq);
+
+ req = (xGLXVendorPrivateWithReplyReq *) pc;
+ __GLX_SWAP_SHORT(&req->length);
+--
+2.1.4
+
diff --git a/debian/patches/1038-glx-Length-checking-for-non-generated-single-request.patch b/debian/patches/1038-glx-Length-checking-for-non-generated-single-request.patch
new file mode 100644
index 0000000..5db4682
--- /dev/null
+++ b/debian/patches/1038-glx-Length-checking-for-non-generated-single-request.patch
@@ -0,0 +1,413 @@
+From 8931066077a04999d973932e04da577bd6906c82 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax at redhat.com>
+Date: Mon, 10 Nov 2014 12:13:47 -0500
+Subject: [PATCH 38/40] glx: Length checking for non-generated single requests
+ (v2) [CVE-2014-8098 7/8]
+
+v2:
+Fix single versus vendor-private length checking for ARB_imaging subset
+extensions. (Julien Cristau)
+
+v3:
+Fix single versus vendor-private length checking for ARB_imaging subset
+extensions. (Julien Cristau)
+
+v4: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Reviewed-by: Michal Srb <msrb at suse.com>
+Reviewed-by: Andy Ritger <aritger at nvidia.com>
+Signed-off-by: Adam Jackson <ajax at redhat.com>
+Signed-off-by: Julien Cristau <jcristau at debian.org>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Signed-off-by: Fedora X Ninjas <x at fedoraproject.org>
+Signed-off-by: Dave Airlie <airlied at redhat.com>
+
+fix safe_Add
+---
+ nx-X11/programs/Xserver/GL/glx/single2.c | 21 +++++++++++++++------
+ nx-X11/programs/Xserver/GL/glx/single2swap.c | 15 +++++++++++----
+ nx-X11/programs/Xserver/GL/glx/singlepix.c | 19 ++++++++++++++-----
+ nx-X11/programs/Xserver/GL/glx/singlepixswap.c | 17 ++++++++++++-----
+ 4 files changed, 52 insertions(+), 20 deletions(-)
+
+diff --git a/nx-X11/programs/Xserver/GL/glx/single2.c b/nx-X11/programs/Xserver/GL/glx/single2.c
+index 9fee5ff..10152c3 100644
+--- a/nx-X11/programs/Xserver/GL/glx/single2.c
++++ b/nx-X11/programs/Xserver/GL/glx/single2.c
+@@ -48,11 +48,14 @@
+
+ int __glXDisp_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc)
+ {
++ ClientPtr client = cl->client;
+ GLsizei size;
+ GLenum type;
+ __GLXcontext *cx;
+ int error;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
++
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+@@ -78,10 +81,12 @@ int __glXDisp_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc)
+
+ int __glXDisp_SelectBuffer(__GLXclientState *cl, GLbyte *pc)
+ {
++ ClientPtr client = cl->client;
+ __GLXcontext *cx;
+ GLsizei size;
+ int error;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+@@ -106,7 +111,7 @@ int __glXDisp_SelectBuffer(__GLXclientState *cl, GLbyte *pc)
+
+ int __glXDisp_RenderMode(__GLXclientState *cl, GLbyte *pc)
+ {
+- ClientPtr client;
++ ClientPtr client = cl->client;
+ xGLXRenderModeReply reply;
+ __GLXcontext *cx;
+ GLint nitems=0, retBytes=0, retval, newModeCheck;
+@@ -114,6 +119,8 @@ int __glXDisp_RenderMode(__GLXclientState *cl, GLbyte *pc)
+ GLenum newMode;
+ int error;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
++
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+@@ -188,7 +195,6 @@ int __glXDisp_RenderMode(__GLXclientState *cl, GLbyte *pc)
+ ** selection array, as per the API for glRenderMode itself.
+ */
+ noChangeAllowed:;
+- client = cl->client;
+ reply.length = nitems;
+ reply.type = X_Reply;
+ reply.sequenceNumber = client->sequence;
+@@ -204,9 +210,11 @@ int __glXDisp_RenderMode(__GLXclientState *cl, GLbyte *pc)
+
+ int __glXDisp_Flush(__GLXclientState *cl, GLbyte *pc)
+ {
++ ClientPtr client = cl->client;
+ __GLXcontext *cx;
+ int error;
+
++ REQUEST_SIZE_MATCH(xGLXSingleReq);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+@@ -219,10 +227,11 @@ int __glXDisp_Flush(__GLXclientState *cl, GLbyte *pc)
+
+ int __glXDisp_Finish(__GLXclientState *cl, GLbyte *pc)
+ {
++ ClientPtr client = cl->client;
+ __GLXcontext *cx;
+- ClientPtr client;
+ int error;
+
++ REQUEST_SIZE_MATCH(xGLXSingleReq);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+@@ -233,7 +242,6 @@ int __glXDisp_Finish(__GLXclientState *cl, GLbyte *pc)
+ __GLX_NOTE_FLUSHED_CMDS(cx);
+
+ /* Send empty reply packet to indicate finish is finished */
+- client = cl->client;
+ __GLX_BEGIN_REPLY(0);
+ __GLX_SEND_HEADER();
+ return Success;
+@@ -302,7 +310,7 @@ char *__glXcombine_strings(const char *cext_string, const char *sext_string)
+
+ int DoGetString(__GLXclientState *cl, GLbyte *pc, GLboolean need_swap)
+ {
+- ClientPtr client;
++ ClientPtr client = cl->client;
+ __GLXcontext *cx;
+ GLenum name;
+ const char *string;
+@@ -311,6 +319,8 @@ int DoGetString(__GLXclientState *cl, GLbyte *pc, GLboolean need_swap)
+ char *buf = NULL, *buf1 = NULL;
+ GLint length = 0;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
++
+ /* If the client has the opposite byte order, swap the contextTag and
+ * the name.
+ */
+@@ -327,7 +337,6 @@ int DoGetString(__GLXclientState *cl, GLbyte *pc, GLboolean need_swap)
+ pc += __GLX_SINGLE_HDR_SIZE;
+ name = *(GLenum *)(pc + 0);
+ string = (const char *)glGetString(name);
+- client = cl->client;
+
+ /*
+ ** Restrict extensions to those that are supported by both the
+diff --git a/nx-X11/programs/Xserver/GL/glx/single2swap.c b/nx-X11/programs/Xserver/GL/glx/single2swap.c
+index dab98ad..4b8541b 100644
+--- a/nx-X11/programs/Xserver/GL/glx/single2swap.c
++++ b/nx-X11/programs/Xserver/GL/glx/single2swap.c
+@@ -48,12 +48,14 @@
+
+ int __glXDispSwap_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc)
+ {
++ ClientPtr client = cl->client;
+ GLsizei size;
+ GLenum type;
+ __GLX_DECLARE_SWAP_VARIABLES;
+ __GLXcontext *cx;
+ int error;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+ __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+@@ -82,11 +84,13 @@ int __glXDispSwap_FeedbackBuffer(__GLXclientState *cl, GLbyte *pc)
+
+ int __glXDispSwap_SelectBuffer(__GLXclientState *cl, GLbyte *pc)
+ {
++ ClientPtr client = cl->client;
+ __GLXcontext *cx;
+ GLsizei size;
+ __GLX_DECLARE_SWAP_VARIABLES;
+ int error;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+ __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+@@ -113,7 +117,7 @@ int __glXDispSwap_SelectBuffer(__GLXclientState *cl, GLbyte *pc)
+
+ int __glXDispSwap_RenderMode(__GLXclientState *cl, GLbyte *pc)
+ {
+- ClientPtr client;
++ ClientPtr client = cl->client;
+ __GLXcontext *cx;
+ xGLXRenderModeReply reply;
+ GLint nitems=0, retBytes=0, retval, newModeCheck;
+@@ -123,6 +127,8 @@ int __glXDispSwap_RenderMode(__GLXclientState *cl, GLbyte *pc)
+ __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
+ int error;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
++
+ __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+@@ -201,7 +207,6 @@ int __glXDispSwap_RenderMode(__GLXclientState *cl, GLbyte *pc)
+ ** selection array, as per the API for glRenderMode itself.
+ */
+ noChangeAllowed:;
+- client = cl->client;
+ reply.length = nitems;
+ reply.type = X_Reply;
+ reply.sequenceNumber = client->sequence;
+@@ -222,10 +227,12 @@ int __glXDispSwap_RenderMode(__GLXclientState *cl, GLbyte *pc)
+
+ int __glXDispSwap_Flush(__GLXclientState *cl, GLbyte *pc)
+ {
++ ClientPtr client = cl->client;
+ __GLXcontext *cx;
+ int error;
+ __GLX_DECLARE_SWAP_VARIABLES;
+
++ REQUEST_SIZE_MATCH(xGLXSingleReq);
+ __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+@@ -239,11 +246,12 @@ int __glXDispSwap_Flush(__GLXclientState *cl, GLbyte *pc)
+
+ int __glXDispSwap_Finish(__GLXclientState *cl, GLbyte *pc)
+ {
++ ClientPtr client = cl->client;
+ __GLXcontext *cx;
+- ClientPtr client;
+ int error;
+ __GLX_DECLARE_SWAP_VARIABLES;
+
++ REQUEST_SIZE_MATCH(xGLXSingleReq);
+ __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+@@ -255,7 +263,6 @@ int __glXDispSwap_Finish(__GLXclientState *cl, GLbyte *pc)
+ __GLX_NOTE_FLUSHED_CMDS(cx);
+
+ /* Send empty reply packet to indicate finish is finished */
+- client = cl->client;
+ __GLX_BEGIN_REPLY(0);
+ __GLX_PUT_RETVAL(0);
+ __GLX_SWAP_REPLY_HEADER();
+diff --git a/nx-X11/programs/Xserver/GL/glx/singlepix.c b/nx-X11/programs/Xserver/GL/glx/singlepix.c
+index be804d8..a156db5 100644
+--- a/nx-X11/programs/Xserver/GL/glx/singlepix.c
++++ b/nx-X11/programs/Xserver/GL/glx/singlepix.c
+@@ -57,6 +57,8 @@ int __glXDisp_ReadPixels(__GLXclientState *cl, GLbyte *pc)
+ int error;
+ char *answer, answerBuffer[200];
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
++
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+@@ -108,6 +110,7 @@ int __glXDisp_GetTexImage(__GLXclientState *cl, GLbyte *pc)
+ char *answer, answerBuffer[200];
+ GLint width=0, height=0, depth=1;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+@@ -204,6 +207,7 @@ int __glXDisp_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc)
+ char *answer, answerBuffer[200];
+ GLint width=0, height=0;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+@@ -227,13 +231,11 @@ int __glXDisp_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc)
+ compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
+ compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1);
+
+- if (compsize < 0) return BadLength;
+- if (compsize2 < 0) compsize2 = 0;
+- compsize = __GLX_PAD(compsize);
+- compsize2 = __GLX_PAD(compsize2);
++ if ((compsize = safe_pad(compsize)) < 0) return BadLength;
++ if ((compsize2 = safe_pad(compsize2)) < 0) return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
+- __GLX_GET_ANSWER_BUFFER(answer,cl,compsize + compsize2,1);
++ __GLX_GET_ANSWER_BUFFER(answer,cl,safe_add(compsize, compsize2),1);
+ __glXClearErrorOccured();
+ glGetSeparableFilter(
+ *(GLenum *)(pc + 0),
+@@ -269,6 +271,7 @@ int __glXDisp_GetConvolutionFilter(__GLXclientState *cl, GLbyte *pc)
+ char *answer, answerBuffer[200];
+ GLint width=0, height=0;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+@@ -328,6 +331,8 @@ int __glXDisp_GetHistogram(__GLXclientState *cl, GLbyte *pc)
+ char *answer, answerBuffer[200];
+ GLint width=0;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
++
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+@@ -376,6 +381,8 @@ int __glXDisp_GetMinmax(__GLXclientState *cl, GLbyte *pc)
+ int error;
+ char *answer, answerBuffer[200];
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
++
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+@@ -419,6 +426,8 @@ int __glXDisp_GetColorTable(__GLXclientState *cl, GLbyte *pc)
+ char *answer, answerBuffer[200];
+ GLint width=0;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
++
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+diff --git a/nx-X11/programs/Xserver/GL/glx/singlepixswap.c b/nx-X11/programs/Xserver/GL/glx/singlepixswap.c
+index cdc6f16..24f2e76 100644
+--- a/nx-X11/programs/Xserver/GL/glx/singlepixswap.c
++++ b/nx-X11/programs/Xserver/GL/glx/singlepixswap.c
+@@ -58,6 +58,8 @@ int __glXDispSwap_ReadPixels(__GLXclientState *cl, GLbyte *pc)
+ int error;
+ char *answer, answerBuffer[200];
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
++
+ __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+@@ -120,6 +122,7 @@ int __glXDispSwap_GetTexImage(__GLXclientState *cl, GLbyte *pc)
+ char *answer, answerBuffer[200];
+ GLint width=0, height=0, depth=1;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 24);
+ __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+@@ -190,6 +193,7 @@ int __glXDispSwap_GetPolygonStipple(__GLXclientState *cl, GLbyte *pc)
+ char *answer;
+ __GLX_DECLARE_SWAP_VARIABLES;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+ __GLX_SWAP_INT(&((xGLXSingleReq *)pc)->contextTag);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+@@ -230,6 +234,7 @@ int __glXDispSwap_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc)
+ char *answer, answerBuffer[200];
+ GLint width=0, height=0;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+@@ -257,13 +262,11 @@ int __glXDispSwap_GetSeparableFilter(__GLXclientState *cl, GLbyte *pc)
+ compsize = __glGetTexImage_size(target,1,format,type,width,1,1);
+ compsize2 = __glGetTexImage_size(target,1,format,type,height,1,1);
+
+- if (compsize < 0) return BadLength;
+- if (compsize2 < 0) compsize2 = 0;
+- compsize = __GLX_PAD(compsize);
+- compsize2 = __GLX_PAD(compsize2);
++ if ((compsize = safe_pad(compsize)) < 0) return BadLength;
++ if ((compsize2 = safe_pad(compsize2)) < 0) return BadLength;
+
+ glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
+- __GLX_GET_ANSWER_BUFFER(answer,cl,compsize + compsize2,1);
++ __GLX_GET_ANSWER_BUFFER(answer,cl,safe_add(compsize, compsize2),1);
+ __glXClearErrorOccured();
+ glGetSeparableFilter(
+ *(GLenum *)(pc + 0),
+@@ -302,6 +305,7 @@ int __glXDispSwap_GetConvolutionFilter(__GLXclientState *cl, GLbyte *pc)
+ char *answer, answerBuffer[200];
+ GLint width=0, height=0;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+@@ -368,6 +372,7 @@ int __glXDispSwap_GetHistogram(__GLXclientState *cl, GLbyte *pc)
+ char *answer, answerBuffer[200];
+ GLint width=0;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+@@ -422,6 +427,7 @@ int __glXDispSwap_GetMinmax(__GLXclientState *cl, GLbyte *pc)
+ __GLX_DECLARE_SWAP_VARIABLES;
+ char *answer, answerBuffer[200];
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+@@ -470,6 +476,7 @@ int __glXDispSwap_GetColorTable(__GLXclientState *cl, GLbyte *pc)
+ char *answer, answerBuffer[200];
+ GLint width=0;
+
++ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+ cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+ if (!cx) {
+ return error;
+--
+2.1.4
+
diff --git a/debian/patches/1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch b/debian/patches/1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch
new file mode 100644
index 0000000..91433b6
--- /dev/null
+++ b/debian/patches/1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch
@@ -0,0 +1,290 @@
+From 9c558f9ca2c0d4e34fa71dff272ed1c39c22cd9d Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax at redhat.com>
+Date: Mon, 10 Nov 2014 12:13:43 -0500
+Subject: [PATCH 39/40] glx: Length checking for RenderLarge requests (v2)
+ [CVE-2014-8098 3/8] (v3)
+
+This is a half-measure until we start passing request length into the
+varsize function, but it's better than the nothing we had before.
+
+v2: Verify that there's at least a large render header's worth of
+dataBytes (Julien Cristau)
+
+v3: backport to RHEL5
+
+v4: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Reviewed-by: Michal Srb <msrb at suse.com>
+Reviewed-by: Andy Ritger <aritger at nvidia.com>
+Signed-off-by: Adam Jackson <ajax at redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Signed-off-by: Fedora X Ninjas <x at fedoraproject.org>
+Signed-off-by: Dave Airlie <airlied at redhat.com>
+
+fixup swap
+---
+ nx-X11/programs/Xserver/GL/glx/glxcmds.c | 58 ++++++++++++++++-----------
+ nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 59 +++++++++++++++++-----------
+ 2 files changed, 71 insertions(+), 46 deletions(-)
+
+diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmds.c b/nx-X11/programs/Xserver/GL/glx/glxcmds.c
+index 831c65b..20c12f3 100644
+--- a/nx-X11/programs/Xserver/GL/glx/glxcmds.c
++++ b/nx-X11/programs/Xserver/GL/glx/glxcmds.c
+@@ -1535,6 +1535,8 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ ** duplicated there.
+ */
+
++ REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq);
++
+ req = (xGLXRenderLargeReq *) pc;
+ glxc = __glXForceCurrent(cl, req->contextTag, &error);
+ if (!glxc) {
+@@ -1542,12 +1544,15 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ __glXResetLargeCommandStatus(cl);
+ return error;
+ }
++ if (safe_pad(req->dataBytes) < 0)
++ return BadLength;
++
+ dataBytes = req->dataBytes;
+
+ /*
+ ** Check the request length.
+ */
+- if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) {
++ if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) {
+ client->errorValue = req->length;
+ /* Reset in case this isn't 1st request. */
+ __glXResetLargeCommandStatus(cl);
+@@ -1557,7 +1562,7 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc)
+
+ if (cl->largeCmdRequestsSoFar == 0) {
+ __GLXrenderSizeData *entry;
+- int extra, cmdlen;
++ int extra = 0, cmdlen;
+ /*
+ ** This is the first request of a multi request command.
+ ** Make enough space in the buffer, then copy the entire request.
+@@ -1567,9 +1572,13 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ return __glXBadLargeRequest;
+ }
+
++ if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE)
++ return BadLength;
++
+ hdr = (__GLXrenderLargeHeader *) pc;
+- cmdlen = hdr->length;
+ opcode = hdr->opcode;
++ if ((cmdlen = safe_pad(hdr->length)) < 0)
++ return BadLength;
+
+ /*
+ ** Check for core opcodes and grab entry data.
+@@ -1603,16 +1612,13 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ if (extra < 0) {
+ return BadLength;
+ }
+- /* large command's header is 4 bytes longer, so add 4 */
+- if (cmdlen != __GLX_PAD(entry->bytes + 4 + extra)) {
+- return BadLength;
+- }
+- } else {
+- /* constant size command */
+- if (cmdlen != __GLX_PAD(entry->bytes + 4)) {
+- return BadLength;
+- }
+ }
++
++ /* the +4 is safe because we know entry.bytes is small */
++ if (cmdlen != safe_pad(safe_add(entry->bytes + 4, extra))) {
++ return BadLength;
++ }
++
+ /*
+ ** Make enough space in the buffer, then copy the entire request.
+ */
+@@ -1641,6 +1647,7 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ ** We are receiving subsequent (i.e. not the first) requests of a
+ ** multi request command.
+ */
++ int bytesSoFar; /* including this packet */
+
+ /*
+ ** Check the request number and the total request count.
+@@ -1659,7 +1666,13 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ /*
+ ** Check that we didn't get too much data.
+ */
+- if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) {
++ if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) {
++ client->errorValue = dataBytes;
++ __glXResetLargeCommandStatus(cl);
++ return __glXBadLargeRequest;
++ }
++
++ if (bytesSoFar > cl->largeCmdBytesTotal) {
+ client->errorValue = dataBytes;
+ __glXResetLargeCommandStatus(cl);
+ return __glXBadLargeRequest;
+@@ -1673,17 +1686,16 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ ** This is the last request; it must have enough bytes to complete
+ ** the command.
+ */
+- /* NOTE: the two pad macros have been added below; they are needed
+- ** because the client library pads the total byte count, but not
+- ** the per-request byte counts. The Protocol Encoding says the
+- ** total byte count should not be padded, so a proposal will be
+- ** made to the ARB to relax the padding constraint on the total
+- ** byte count, thus preserving backward compatibility. Meanwhile,
+- ** the padding done below fixes a bug that did not allow
+- ** large commands of odd sizes to be accepted by the server.
++ /* NOTE: the pad macro below is needed because the client library
++ ** pads the total byte count, but not the per-request byte counts.
++ ** The Protocol Encoding says the total byte count should not be
++ ** padded, so a proposal will be made to the ARB to relax the
++ ** padding constraint on the total byte count, thus preserving
++ ** backward compatibility. Meanwhile, the padding done below
++ ** fixes a bug that did not allow large commands of odd sizes to
++ ** be accepted by the server.
+ */
+- if (__GLX_PAD(cl->largeCmdBytesSoFar) !=
+- __GLX_PAD(cl->largeCmdBytesTotal)) {
++ if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) {
+ client->errorValue = dataBytes;
+ __glXResetLargeCommandStatus(cl);
+ return __glXBadLargeRequest;
+diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
+index 2685355..2e228c0 100644
+--- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
++++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
+@@ -587,6 +587,8 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ ** duplicated there.
+ */
+
++ REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq);
++
+ req = (xGLXRenderLargeReq *) pc;
+ __GLX_SWAP_SHORT(&req->length);
+ __GLX_SWAP_INT(&req->contextTag);
+@@ -599,12 +601,15 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ __glXResetLargeCommandStatus(cl);
+ return error;
+ }
++ if (safe_pad(req->dataBytes) < 0)
++ return BadLength;
++
+ dataBytes = req->dataBytes;
+
+ /*
+ ** Check the request length.
+ */
+- if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) {
++ if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) {
+ client->errorValue = req->length;
+ /* Reset in case this isn't 1st request. */
+ __glXResetLargeCommandStatus(cl);
+@@ -614,7 +619,7 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
+
+ if (cl->largeCmdRequestsSoFar == 0) {
+ __GLXrenderSizeData *entry;
+- int extra;
++ int extra = 0;
+ size_t cmdlen;
+ /*
+ ** This is the first request of a multi request command.
+@@ -624,12 +629,17 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ client->errorValue = req->requestNumber;
+ return __glXBadLargeRequest;
+ }
++ if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE)
++ return BadLength;
++
+ hdr = (__GLXrenderLargeHeader *) pc;
+ __GLX_SWAP_INT(&hdr->length);
+ __GLX_SWAP_INT(&hdr->opcode);
+- cmdlen = hdr->length;
+ opcode = hdr->opcode;
+
++ if ((cmdlen = safe_pad(hdr->length)) < 0)
++ return BadLength;
++
+ if ( (opcode >= __GLX_MIN_RENDER_OPCODE) &&
+ (opcode <= __GLX_MAX_RENDER_OPCODE) ) {
+ entry = &__glXRenderSizeTable[opcode];
+@@ -661,16 +671,12 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ if (extra < 0) {
+ return BadLength;
+ }
+- /* large command's header is 4 bytes longer, so add 4 */
+- if (cmdlen != __GLX_PAD(entry->bytes + 4 + extra)) {
+- return BadLength;
+- }
+- } else {
+- /* constant size command */
+- if (cmdlen != __GLX_PAD(entry->bytes + 4)) {
+- return BadLength;
+- }
+ }
++ /* the +4 is safe because we know entry->bytes is small */
++ if (cmdlen != safe_pad(safe_add(entry->bytes + 4, extra))) {
++ return BadLength;
++ }
++
+ /*
+ ** Make enough space in the buffer, then copy the entire request.
+ */
+@@ -698,6 +704,7 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ ** We are receiving subsequent (i.e. not the first) requests of a
+ ** multi request command.
+ */
++ int bytesSoFar; /* including this packet */
+
+ /*
+ ** Check the request number and the total request count.
+@@ -716,7 +723,13 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ /*
+ ** Check that we didn't get too much data.
+ */
+- if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) {
++ if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) {
++ client->errorValue = dataBytes;
++ __glXResetLargeCommandStatus(cl);
++ return __glXBadLargeRequest;
++ }
++
++ if (bytesSoFar > cl->largeCmdBytesTotal) {
+ client->errorValue = dataBytes;
+ __glXResetLargeCommandStatus(cl);
+ return __glXBadLargeRequest;
+@@ -730,17 +743,17 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ ** This is the last request; it must have enough bytes to complete
+ ** the command.
+ */
+- /* NOTE: the two pad macros have been added below; they are needed
+- ** because the client library pads the total byte count, but not
+- ** the per-request byte counts. The Protocol Encoding says the
+- ** total byte count should not be padded, so a proposal will be
+- ** made to the ARB to relax the padding constraint on the total
+- ** byte count, thus preserving backward compatibility. Meanwhile,
+- ** the padding done below fixes a bug that did not allow
+- ** large commands of odd sizes to be accepted by the server.
++ /* NOTE: the pad macro below is needed because the client library
++ ** pads the total byte count, but not the per-request byte counts.
++ ** The Protocol Encoding says the total byte count should not be
++ ** padded, so a proposal will be made to the ARB to relax the
++ ** padding constraint on the total byte count, thus preserving
++ ** backward compatibility. Meanwhile, the padding done below
++ ** fixes a bug that did not allow large commands of odd sizes to
++ ** be accepted by the server.
+ */
+- if (__GLX_PAD(cl->largeCmdBytesSoFar) !=
+- __GLX_PAD(cl->largeCmdBytesTotal)) {
++
++ if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) {
+ client->errorValue = dataBytes;
+ __glXResetLargeCommandStatus(cl);
+ return __glXBadLargeRequest;
+--
+2.1.4
+
diff --git a/debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch b/debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
new file mode 100644
index 0000000..85181f0
--- /dev/null
+++ b/debian/patches/1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
@@ -0,0 +1,622 @@
+From 1ea1cd8c4f93b0c03e5b34fe174b3fc9f27c7dfa Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax at redhat.com>
+Date: Mon, 10 Nov 2014 12:13:48 -0500
+Subject: [PATCH 40/40] glx: Pass remaining request length into ->varsize (v2)
+ [CVE-2014-8098 8/8] (V3)
+
+v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
+
+v3: RHEL5 backport
+
+v4: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Reviewed-by: Julien Cristau <jcristau at debian.org>
+Reviewed-by: Michal Srb <msrb at suse.com>
+Reviewed-by: Andy Ritger <aritger at nvidia.com>
+Signed-off-by: Adam Jackson <ajax at redhat.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Signed-off-by: Fedora X Ninjas <x at fedoraproject.org>
+Signed-off-by: Dave Airlie <airlied at redhat.com>
+---
+ nx-X11/programs/Xserver/GL/glx/glxcmds.c | 6 +-
+ nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c | 7 +-
+ nx-X11/programs/Xserver/GL/glx/glxserver.h | 90 +++++++++----------
+ nx-X11/programs/Xserver/GL/glx/rensize.c | 125 ++++++++++++++-------------
+ 4 files changed, 121 insertions(+), 107 deletions(-)
+
+diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmds.c b/nx-X11/programs/Xserver/GL/glx/glxcmds.c
+index 20c12f3..a1bb259 100644
+--- a/nx-X11/programs/Xserver/GL/glx/glxcmds.c
++++ b/nx-X11/programs/Xserver/GL/glx/glxcmds.c
+@@ -1490,7 +1490,7 @@ int __glXRender(__GLXclientState *cl, GLbyte *pc)
+
+ if (entry->varsize) {
+ /* variable size command */
+- extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False);
++ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, False, left - __GLX_RENDER_HDR_SIZE);
+ if (extra < 0) {
+ return BadLength;
+ }
+@@ -1563,6 +1563,7 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ if (cl->largeCmdRequestsSoFar == 0) {
+ __GLXrenderSizeData *entry;
+ int extra = 0, cmdlen;
++ int left = (req->length << 2) - sz_xGLXRenderLargeReq;
+ /*
+ ** This is the first request of a multi request command.
+ ** Make enough space in the buffer, then copy the entire request.
+@@ -1608,7 +1609,8 @@ int __glXRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ ** be computed from its parameters), all the parameters needed
+ ** will be in the 1st request, so it's okay to do this.
+ */
+- extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False);
++ extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, False,
++ left - __GLX_RENDER_LARGE_HDR_SIZE);
+ if (extra < 0) {
+ return BadLength;
+ }
+diff --git a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
+index 2e228c0..33a748a 100644
+--- a/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
++++ b/nx-X11/programs/Xserver/GL/glx/glxcmdsswap.c
+@@ -541,7 +541,8 @@ int __glXSwapRender(__GLXclientState *cl, GLbyte *pc)
+
+ if (entry->varsize) {
+ /* variable size command */
+- extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True);
++ extra = (*entry->varsize)(pc + __GLX_RENDER_HDR_SIZE, True,
++ left - __GLX_RENDER_HDR_SIZE);
+ if (extra < 0) {
+ return BadLength;
+ }
+@@ -620,6 +621,7 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ if (cl->largeCmdRequestsSoFar == 0) {
+ __GLXrenderSizeData *entry;
+ int extra = 0;
++ int left = (req->length << 2) - sz_xGLXRenderLargeReq;
+ size_t cmdlen;
+ /*
+ ** This is the first request of a multi request command.
+@@ -667,7 +669,8 @@ int __glXSwapRenderLarge(__GLXclientState *cl, GLbyte *pc)
+ ** be computed from its parameters), all the parameters needed
+ ** will be in the 1st request, so it's okay to do this.
+ */
+- extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True);
++ extra = (*entry->varsize)(pc + __GLX_RENDER_LARGE_HDR_SIZE, True,
++ left - __GLX_RENDER_LARGE_HDR_SIZE);
+ if (extra < 0) {
+ return BadLength;
+ }
+diff --git a/nx-X11/programs/Xserver/GL/glx/glxserver.h b/nx-X11/programs/Xserver/GL/glx/glxserver.h
+index 4047574..193ebcb 100644
+--- a/nx-X11/programs/Xserver/GL/glx/glxserver.h
++++ b/nx-X11/programs/Xserver/GL/glx/glxserver.h
+@@ -179,7 +179,7 @@ extern __GLXprocPtr __glXProcTable[];
+ */
+ typedef struct {
+ int bytes;
+- int (*varsize)(GLbyte *pc, Bool swap);
++ int (*varsize)(GLbyte *pc, Bool swap, int left);
+ } __GLXrenderSizeData;
+ extern __GLXrenderSizeData __glXRenderSizeTable[];
+ extern __GLXrenderSizeData __glXRenderSizeTable_EXT[];
+@@ -271,48 +271,48 @@ extern int __glXImageSize(GLenum format, GLenum type,
+ GLint imageHeight, GLint rowLength, GLint skipImages, GLint skipRows,
+ GLint alignment);
+
+-extern int __glXCallListsReqSize(GLbyte *pc, Bool swap);
+-extern int __glXBitmapReqSize(GLbyte *pc, Bool swap);
+-extern int __glXFogfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXFogivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXLightfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXLightivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXLightModelfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexGenfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXMap1dReqSize(GLbyte *pc, Bool swap);
+-extern int __glXMap1fReqSize(GLbyte *pc, Bool swap);
+-extern int __glXMap2dReqSize(GLbyte *pc, Bool swap);
+-extern int __glXMap2fReqSize(GLbyte *pc, Bool swap);
+-extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap);
+-extern int __glXDrawArraysSize(GLbyte *pc, Bool swap);
+-extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap );
+-extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap);
+-extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap);
+-extern int __glXColorTableReqSize(GLbyte *pc, Bool swap);
+-extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap);
+-extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap);
+-extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap);
++extern int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXDrawArraysSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXTexImage3DReqSize(GLbyte *pc, Bool swap, int reqlen );
++extern int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
+
+ /*
+ * Routines for computing the size of returned data.
+@@ -322,7 +322,7 @@ extern int __glXConvolutionParameterfvSize(GLenum pname);
+ extern int __glXColorTableParameterfvSize(GLenum pname);
+ extern int __glXColorTableParameterivSize(GLenum pname);
+
+-extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap);
+-extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap);
++extern int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen);
++extern int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen);
+
+ #endif /* !__GLX_server_h__ */
+diff --git a/nx-X11/programs/Xserver/GL/glx/rensize.c b/nx-X11/programs/Xserver/GL/glx/rensize.c
+index 9bf0d00..dc3475e 100644
+--- a/nx-X11/programs/Xserver/GL/glx/rensize.c
++++ b/nx-X11/programs/Xserver/GL/glx/rensize.c
+@@ -48,7 +48,7 @@
+ (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \
+ ((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
+
+-int __glXCallListsReqSize(GLbyte *pc, Bool swap )
++int __glXCallListsReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLsizei n = *(GLsizei *)(pc + 0);
+ GLenum type = *(GLenum *)(pc + 4);
+@@ -60,7 +60,7 @@ int __glXCallListsReqSize(GLbyte *pc, Bool swap )
+ return n * __glCallLists_size( type );
+ }
+
+-int __glXFogivReqSize(GLbyte *pc, Bool swap )
++int __glXFogivReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *)(pc + 0);
+ if (swap) {
+@@ -69,12 +69,12 @@ int __glXFogivReqSize(GLbyte *pc, Bool swap )
+ return 4 * __glFogiv_size( pname ); /* defined in samplegl lib */
+ }
+
+-int __glXFogfvReqSize(GLbyte *pc, Bool swap )
++int __glXFogfvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+- return __glXFogivReqSize( pc, swap );
++ return __glXFogivReqSize( pc, swap, reqlen);
+ }
+
+-int __glXLightfvReqSize(GLbyte *pc, Bool swap )
++int __glXLightfvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *)(pc + 4);
+ if (swap) {
+@@ -83,12 +83,12 @@ int __glXLightfvReqSize(GLbyte *pc, Bool swap )
+ return 4 * __glLightfv_size( pname ); /* defined in samplegl lib */
+ }
+
+-int __glXLightivReqSize(GLbyte *pc, Bool swap )
++int __glXLightivReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+- return __glXLightfvReqSize( pc, swap );
++ return __glXLightfvReqSize( pc, swap, reqlen);
+ }
+
+-int __glXLightModelfvReqSize(GLbyte *pc, Bool swap )
++int __glXLightModelfvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *)(pc + 0);
+ if (swap) {
+@@ -97,12 +97,12 @@ int __glXLightModelfvReqSize(GLbyte *pc, Bool swap )
+ return 4 * __glLightModelfv_size( pname ); /* defined in samplegl lib */
+ }
+
+-int __glXLightModelivReqSize(GLbyte *pc, Bool swap )
++int __glXLightModelivReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+- return __glXLightModelfvReqSize( pc, swap );
++ return __glXLightModelfvReqSize( pc, swap, reqlen);
+ }
+
+-int __glXMaterialfvReqSize(GLbyte *pc, Bool swap )
++int __glXMaterialfvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *)(pc + 4);
+ if (swap) {
+@@ -111,12 +111,12 @@ int __glXMaterialfvReqSize(GLbyte *pc, Bool swap )
+ return 4 * __glMaterialfv_size( pname ); /* defined in samplegl lib */
+ }
+
+-int __glXMaterialivReqSize(GLbyte *pc, Bool swap )
++int __glXMaterialivReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+- return __glXMaterialfvReqSize( pc, swap );
++ return __glXMaterialfvReqSize( pc, swap, reqlen);
+ }
+
+-int __glXTexGendvReqSize(GLbyte *pc, Bool swap )
++int __glXTexGendvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *)(pc + 4);
+ if (swap) {
+@@ -125,7 +125,7 @@ int __glXTexGendvReqSize(GLbyte *pc, Bool swap )
+ return 8 * __glTexGendv_size( pname ); /* defined in samplegl lib */
+ }
+
+-int __glXTexGenfvReqSize(GLbyte *pc, Bool swap )
++int __glXTexGenfvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *)(pc + 4);
+ if (swap) {
+@@ -134,12 +134,12 @@ int __glXTexGenfvReqSize(GLbyte *pc, Bool swap )
+ return 4 * __glTexGenfv_size( pname ); /* defined in samplegl lib */
+ }
+
+-int __glXTexGenivReqSize(GLbyte *pc, Bool swap )
++int __glXTexGenivReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+- return __glXTexGenfvReqSize( pc, swap );
++ return __glXTexGenfvReqSize( pc, swap, reqlen);
+ }
+
+-int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap )
++int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *)(pc + 4);
+ if (swap) {
+@@ -148,12 +148,12 @@ int __glXTexParameterfvReqSize(GLbyte *pc, Bool swap )
+ return 4 * __glTexParameterfv_size( pname ); /* defined in samplegl lib */
+ }
+
+-int __glXTexParameterivReqSize(GLbyte *pc, Bool swap )
++int __glXTexParameterivReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+- return __glXTexParameterfvReqSize( pc, swap );
++ return __glXTexParameterfvReqSize( pc, swap, reqlen);
+ }
+
+-int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap )
++int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *)(pc + 4);
+ if (swap) {
+@@ -162,12 +162,12 @@ int __glXTexEnvfvReqSize(GLbyte *pc, Bool swap )
+ return 4 * __glTexEnvfv_size( pname ); /* defined in samplegl lib */
+ }
+
+-int __glXTexEnvivReqSize(GLbyte *pc, Bool swap )
++int __glXTexEnvivReqSize(GLbyte *pc, Bool swap, int reqlen )
+ {
+- return __glXTexEnvfvReqSize( pc, swap );
++ return __glXTexEnvfvReqSize( pc, swap, reqlen);
+ }
+
+-int __glXMap1dReqSize(GLbyte *pc, Bool swap )
++int __glXMap1dReqSize(GLbyte *pc, Bool swap, int reqlen )
+ {
+ GLenum target;
+ GLint order;
+@@ -183,7 +183,7 @@ int __glXMap1dReqSize(GLbyte *pc, Bool swap )
+ return safe_mul(8, safe_mul(__glMap1d_size(target), order));
+ }
+
+-int __glXMap1fReqSize(GLbyte *pc, Bool swap )
++int __glXMap1fReqSize(GLbyte *pc, Bool swap, int reqlen )
+ {
+ GLenum target;
+ GLint order;
+@@ -205,7 +205,7 @@ static int Map2Size(int k, int majorOrder, int minorOrder)
+ return safe_mul(k, safe_mul(majorOrder, minorOrder));
+ }
+
+-int __glXMap2dReqSize(GLbyte *pc, Bool swap )
++int __glXMap2dReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum target;
+ GLint uorder, vorder;
+@@ -221,7 +221,7 @@ int __glXMap2dReqSize(GLbyte *pc, Bool swap )
+ return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
+ }
+
+-int __glXMap2fReqSize(GLbyte *pc, Bool swap )
++int __glXMap2fReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum target;
+ GLint uorder, vorder;
+@@ -237,7 +237,7 @@ int __glXMap2fReqSize(GLbyte *pc, Bool swap )
+ return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
+ }
+
+-int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap )
++int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLint mapsize;
+ mapsize = *(GLint *)(pc + 4);
+@@ -247,12 +247,12 @@ int __glXPixelMapfvReqSize(GLbyte *pc, Bool swap )
+ return 4 * mapsize;
+ }
+
+-int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap )
++int __glXPixelMapuivReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+- return __glXPixelMapfvReqSize( pc, swap );
++ return __glXPixelMapfvReqSize( pc, swap, reqlen);
+ }
+
+-int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap )
++int __glXPixelMapusvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLint mapsize;
+ mapsize = *(GLint *)(pc + 4);
+@@ -458,7 +458,7 @@ int __glXImageSize( GLenum format, GLenum type, GLenum target,
+ }
+
+
+-int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap )
++int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchDrawPixelsHeader *hdr = (__GLXdispatchDrawPixelsHeader *) pc;
+ GLenum format = hdr->format;
+@@ -482,7 +482,7 @@ int __glXDrawPixelsReqSize(GLbyte *pc, Bool swap )
+ 0, rowLength, 0, skipRows, alignment );
+ }
+
+-int __glXBitmapReqSize(GLbyte *pc, Bool swap )
++int __glXBitmapReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchBitmapHeader *hdr = (__GLXdispatchBitmapHeader *) pc;
+ GLint w = hdr->width;
+@@ -502,7 +502,7 @@ int __glXBitmapReqSize(GLbyte *pc, Bool swap )
+ 0, rowLength, 0, skipRows, alignment );
+ }
+
+-int __glXTexImage1DReqSize(GLbyte *pc, Bool swap )
++int __glXTexImage1DReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc;
+ GLenum target = hdr->target;
+@@ -531,7 +531,7 @@ int __glXTexImage1DReqSize(GLbyte *pc, Bool swap )
+ 0, rowLength, 0, skipRows, alignment );
+ }
+
+-int __glXTexImage2DReqSize(GLbyte *pc, Bool swap )
++int __glXTexImage2DReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchTexImageHeader *hdr = (__GLXdispatchTexImageHeader *) pc;
+ GLenum target = hdr->target;
+@@ -578,13 +578,14 @@ int __glXTypeSize(GLenum enm)
+ }
+ }
+
+-int __glXDrawArraysSize( GLbyte *pc, Bool swap )
++int __glXDrawArraysSize( GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc;
+ __GLXdispatchDrawArraysComponentHeader *compHeader;
+ GLint numVertexes = hdr->numVertexes;
+ GLint numComponents = hdr->numComponents;
+ GLint arrayElementSize = 0;
++ GLint x, size;
+ int i;
+
+ if (swap) {
+@@ -593,6 +594,13 @@ int __glXDrawArraysSize( GLbyte *pc, Bool swap )
+ }
+
+ pc += sizeof(__GLXdispatchDrawArraysHeader);
++ reqlen -= sizeof(__GLXdispatchDrawArraysHeader);
++
++ size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader),
++ numComponents);
++ if (size < 0 || reqlen < 0 || reqlen < size)
++ return -1;
++
+ compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc;
+
+ for (i=0; i<numComponents; i++) {
+@@ -636,23 +644,24 @@ int __glXDrawArraysSize( GLbyte *pc, Bool swap )
+ return -1;
+ }
+
+- arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype));
++ x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype)));
++ if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0)
++ return -1;
+
+ pc += sizeof(__GLXdispatchDrawArraysComponentHeader);
+ }
+
+- return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) +
+- (numVertexes * arrayElementSize));
++ return safe_add(size, safe_mul(numVertexes, arrayElementSize));
+ }
+
+-int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap )
++int __glXPrioritizeTexturesReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLint n = *(GLsizei *)(pc + 0);
+ if (swap) n = SWAPL(n);
+ return(8*n); /* 4*n for textures, 4*n for priorities */
+ }
+
+-int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap )
++int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchTexSubImageHeader *hdr = (__GLXdispatchTexSubImageHeader *) pc;
+ GLenum format = hdr->format;
+@@ -674,7 +683,7 @@ int __glXTexSubImage1DReqSize(GLbyte *pc, Bool swap )
+ 0, rowLength, 0, skipRows, alignment );
+ }
+
+-int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap )
++int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchTexSubImageHeader *hdr = (__GLXdispatchTexSubImageHeader *) pc;
+ GLenum format = hdr->format;
+@@ -698,7 +707,7 @@ int __glXTexSubImage2DReqSize(GLbyte *pc, Bool swap )
+ 0, rowLength, 0, skipRows, alignment );
+ }
+
+-int __glXTexImage3DReqSize(GLbyte *pc, Bool swap )
++int __glXTexImage3DReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchTexImage3DHeader *hdr = (__GLXdispatchTexImage3DHeader *) pc;
+ GLenum target = hdr->target;
+@@ -735,7 +744,7 @@ int __glXTexImage3DReqSize(GLbyte *pc, Bool swap )
+ }
+ }
+
+-int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap )
++int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchTexSubImage3DHeader *hdr =
+ (__GLXdispatchTexSubImage3DHeader *) pc;
+@@ -772,7 +781,7 @@ int __glXTexSubImage3DReqSize(GLbyte *pc, Bool swap )
+ }
+ }
+
+-int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap )
++int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchConvolutionFilterHeader *hdr =
+ (__GLXdispatchConvolutionFilterHeader *) pc;
+@@ -795,7 +804,7 @@ int __glXConvolutionFilter1DReqSize(GLbyte *pc, Bool swap )
+ 0, rowLength, 0, 0, alignment );
+ }
+
+-int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap )
++int __glXConvolutionFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchConvolutionFilterHeader *hdr =
+ (__GLXdispatchConvolutionFilterHeader *) pc;
+@@ -841,7 +850,7 @@ int __glXConvolutionParameterfvSize(GLenum pname)
+ return __glXConvolutionParameterivSize(pname);
+ }
+
+-int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap )
++int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *)(pc + 4);
+ if (swap) {
+@@ -850,12 +859,12 @@ int __glXConvolutionParameterivReqSize(GLbyte *pc, Bool swap )
+ return 4 * __glXConvolutionParameterivSize( pname );
+ }
+
+-int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap )
++int __glXConvolutionParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+- return __glXConvolutionParameterivReqSize( pc, swap );
++ return __glXConvolutionParameterivReqSize( pc, swap, reqlen);
+ }
+
+-int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap )
++int __glXSeparableFilter2DReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchConvolutionFilterHeader *hdr =
+ (__GLXdispatchConvolutionFilterHeader *) pc;
+@@ -904,7 +913,7 @@ int __glXColorTableParameterivSize(GLenum pname)
+ return __glXColorTableParameterfvSize(pname);
+ }
+
+-int __glXColorTableReqSize(GLbyte *pc, Bool swap )
++int __glXColorTableReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchColorTableHeader *hdr =
+ (__GLXdispatchColorTableHeader *) pc;
+@@ -939,7 +948,7 @@ int __glXColorTableReqSize(GLbyte *pc, Bool swap )
+ 0, rowLength, 0, 0, alignment );
+ }
+
+-int __glXColorSubTableReqSize(GLbyte *pc, Bool swap )
++int __glXColorSubTableReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ __GLXdispatchColorSubTableHeader *hdr =
+ (__GLXdispatchColorSubTableHeader *) pc;
+@@ -962,7 +971,7 @@ int __glXColorSubTableReqSize(GLbyte *pc, Bool swap )
+ 0, rowLength, 0, 0, alignment );
+ }
+
+-int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap )
++int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *)(pc + 4);
+ if (swap) {
+@@ -971,13 +980,13 @@ int __glXColorTableParameterfvReqSize(GLbyte *pc, Bool swap )
+ return 4 * __glXColorTableParameterfvSize(pname);
+ }
+
+-int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap )
++int __glXColorTableParameterivReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ /* no difference between fv and iv versions */
+- return __glXColorTableParameterfvReqSize(pc, swap);
++ return __glXColorTableParameterfvReqSize(pc, swap, reqlen);
+ }
+
+-int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap )
++int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ GLenum pname = *(GLenum *)(pc + 0);
+ if (swap) {
+@@ -986,8 +995,8 @@ int __glXPointParameterfvARBReqSize(GLbyte *pc, Bool swap )
+ return 4 * __glPointParameterfvEXT_size( pname );
+ }
+
+-int __glXPointParameterivReqSize(GLbyte *pc, Bool swap )
++int __glXPointParameterivReqSize(GLbyte *pc, Bool swap, int reqlen)
+ {
+ /* no difference between fv and iv versions */
+- return __glXPointParameterfvARBReqSize(pc, swap);
++ return __glXPointParameterfvARBReqSize(pc, swap, reqlen);
+ }
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index efd6f29..c31d33d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -72,5 +72,45 @@
0991_fix-hr-typos.full+lite.patch
0991_fix-hr-typos.full.patch
0999_nxagent_unbrand-nxagent-brand-x2goagent.full.patch
+1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch
+1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch
+1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch
+1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch
+1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch
+1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch
+1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch
+1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch
+1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch
+1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch
+1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch
+1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch
+1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch
+1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch
+1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch
+1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
+1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
+1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch
+1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch
+1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch
+1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch
+1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch
+1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch
+1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch
+1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch
+1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch
+1027-render-check-request-size-before-reading-it-CVE-2014.patch
+1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch
+1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch
+1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch
+1031-glx-Be-more-paranoid-about-variable-length-requests-.patch
+1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch
+1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch
+1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch
+1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch
+1036-glx-Integer-overflow-protection-for-non-generated-re.patch
+1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch
+1038-glx-Length-checking-for-non-generated-single-request.patch
+1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch
+1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch
0016_nx-X11_install-location.debian.patch
0102_xserver-xext_set-securitypolicy-path.debian.patch
--
Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
More information about the x2go-commits
mailing list