summaryrefslogtreecommitdiffstats
path: root/patches/source/xorg-server/patch/xorg-server
diff options
context:
space:
mode:
Diffstat (limited to 'patches/source/xorg-server/patch/xorg-server')
-rw-r--r--patches/source/xorg-server/patch/xorg-server/x11.startwithblackscreen.diff14
-rw-r--r--patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10971.diff40
-rw-r--r--patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10972.diff36
-rw-r--r--patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12176.diff31
-rw-r--r--patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12177.diff41
-rw-r--r--patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12178.diff29
-rw-r--r--patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p1.diff42
-rw-r--r--patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p2.diff46
-rw-r--r--patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12180_12181_12182.diff601
-rw-r--r--patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12183.diff95
-rw-r--r--patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12184_12185_12186_12187.diff139
-rw-r--r--patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13721.diff27
-rw-r--r--patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13723.diff116
-rw-r--r--patches/source/xorg-server/patch/xorg-server/xorg-server.combo.mouse.keyboard.layout.patch49
14 files changed, 1306 insertions, 0 deletions
diff --git a/patches/source/xorg-server/patch/xorg-server/x11.startwithblackscreen.diff b/patches/source/xorg-server/patch/xorg-server/x11.startwithblackscreen.diff
new file mode 100644
index 00000000..8c0e3b54
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/x11.startwithblackscreen.diff
@@ -0,0 +1,14 @@
+diff -Nur xorg-server-1.12.1.orig/dix/window.c xorg-server-1.12.1/dix/window.c
+--- xorg-server-1.12.1.orig/dix/window.c 2012-03-29 21:57:25.000000000 -0500
++++ xorg-server-1.12.1/dix/window.c 2012-04-13 22:01:24.456073603 -0500
+@@ -145,8 +145,8 @@
+
+ Bool bgNoneRoot = FALSE;
+
+-static unsigned char _back_lsb[4] = { 0x88, 0x22, 0x44, 0x11 };
+-static unsigned char _back_msb[4] = { 0x11, 0x44, 0x22, 0x88 };
++static unsigned char _back_lsb[4] = { 0x00, 0x00, 0x00, 0x00 };
++static unsigned char _back_msb[4] = { 0x00, 0x00, 0x00, 0x00 };
+
+ static Bool WindowParentHasDeviceCursor(WindowPtr pWin,
+ DeviceIntPtr pDev, CursorPtr pCurs);
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10971.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10971.diff
new file mode 100644
index 00000000..00ed28ac
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10971.diff
@@ -0,0 +1,40 @@
+From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:42 +0300
+Subject: Xi: Do not try to swap GenericEvent.
+
+The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
+it is assuming that the event has fixed size and gives the swapping function
+xEvent-sized buffer.
+
+A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
+
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 5e63bfc..5c2e0fc 100644
+--- a/Xi/sendexev.c
++++ b/Xi/sendexev.c
+@@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client)
+
+ eventP = (xEvent *) &stuff[1];
+ for (i = 0; i < stuff->num_events; i++, eventP++) {
++ if (eventP->u.u.type == GenericEvent) {
++ client->errorValue = eventP->u.u.type;
++ return BadValue;
++ }
++
+ proc = EventSwapVector[eventP->u.u.type & 0177];
+- if (proc == NotImplemented) /* no swapping proc; invalid event type? */
++ /* no swapping proc; invalid event type? */
++ if (proc == NotImplemented) {
++ client->errorValue = eventP->u.u.type;
+ return BadValue;
++ }
+ (*proc) (eventP, &eventT);
+ *eventP = eventT;
+ }
+--
+cgit v0.10.2
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10972.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10972.diff
new file mode 100644
index 00000000..edddc8d6
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-10972.diff
@@ -0,0 +1,36 @@
+From 05442de962d3dc624f79fc1a00eca3ffc5489ced Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:39 +0300
+Subject: Xi: Zero target buffer in SProcXSendExtensionEvent.
+
+Make sure that the xEvent eventT is initialized with zeros, the same way as
+in SProcSendEvent.
+
+Some event swapping functions do not overwrite all 32 bytes of xEvent
+structure, for example XSecurityAuthorizationRevoked. Two cooperating
+clients, one swapped and the other not, can send
+XSecurityAuthorizationRevoked event to each other to retrieve old stack data
+from X server. This can be potentialy misused to go around ASLR or
+stack-protector.
+
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/Xi/sendexev.c b/Xi/sendexev.c
+index 11d8202..1cf118a 100644
+--- a/Xi/sendexev.c
++++ b/Xi/sendexev.c
+@@ -78,7 +78,7 @@ SProcXSendExtensionEvent(ClientPtr client)
+ {
+ CARD32 *p;
+ int i;
+- xEvent eventT;
++ xEvent eventT = { .u.u.type = 0 };
+ xEvent *eventP;
+ EventSwapPtr proc;
+
+--
+cgit v0.10.2
+
+
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12176.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12176.diff
new file mode 100644
index 00000000..9caf3124
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12176.diff
@@ -0,0 +1,31 @@
+From b747da5e25be944337a9cd1415506fc06b70aa81 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Fri, 9 Jan 2015 10:15:46 -0500
+Subject: Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
+
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index 8b371b6..176c7a0 100644
+--- a/dix/dispatch.c
++++ b/dix/dispatch.c
+@@ -3702,7 +3702,12 @@ ProcEstablishConnection(ClientPtr client)
+ prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq);
+ auth_proto = (char *) prefix + sz_xConnClientPrefix;
+ auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto);
+- if ((prefix->majorVersion != X_PROTOCOL) ||
++
++ if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix +
++ pad_to_int32(prefix->nbytesAuthProto) +
++ pad_to_int32(prefix->nbytesAuthString))
++ reason = "Bad length";
++ else if ((prefix->majorVersion != X_PROTOCOL) ||
+ (prefix->minorVersion != X_PROTOCOL_REVISION))
+ reason = "Protocol version mismatch";
+ else
+--
+cgit v0.10.2
+
+
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12177.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12177.diff
new file mode 100644
index 00000000..4a3eaa9e
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12177.diff
@@ -0,0 +1,41 @@
+From 4ca68b878e851e2136c234f40a25008297d8d831 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Fri, 9 Jan 2015 10:09:14 -0500
+Subject: dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo
+ (CVE-2017-12177)
+
+v2: Protect against integer overflow (Alan Coopersmith)
+
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/dbe/dbe.c b/dbe/dbe.c
+index 9a0c7a7..292a223 100644
+--- a/dbe/dbe.c
++++ b/dbe/dbe.c
+@@ -574,6 +574,9 @@ ProcDbeGetVisualInfo(ClientPtr client)
+ XdbeScreenVisualInfo *pScrVisInfo;
+
+ REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
++ if (stuff->n > UINT32_MAX / sizeof(CARD32))
++ return BadLength;
++ REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32));
+
+ if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
+ return BadAlloc;
+@@ -924,7 +927,7 @@ SProcDbeSwapBuffers(ClientPtr client)
+
+ swapl(&stuff->n);
+ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
+- return BadAlloc;
++ return BadLength;
+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
+
+ if (stuff->n != 0) {
+--
+cgit v0.10.2
+
+
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12178.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12178.diff
new file mode 100644
index 00000000..8177c119
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12178.diff
@@ -0,0 +1,29 @@
+From 859b08d523307eebde7724fd1a0789c44813e821 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Wed, 24 Dec 2014 16:22:18 -0500
+Subject: Xi: fix wrong extra length check in ProcXIChangeHierarchy
+ (CVE-2017-12178)
+
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index 87f191f..cbdd912 100644
+--- a/Xi/xichangehierarchy.c
++++ b/Xi/xichangehierarchy.c
+@@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+ if (!stuff->num_changes)
+ return rc;
+
+- len = ((size_t)stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
++ len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq);
+
+ any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
+ while (stuff->num_changes--) {
+--
+cgit v0.10.2
+
+
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p1.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p1.diff
new file mode 100644
index 00000000..0b373464
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p1.diff
@@ -0,0 +1,42 @@
+From 211e05ac85a294ef361b9f80d689047fa52b9076 Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Fri, 7 Jul 2017 17:21:46 +0200
+Subject: Xi: Test exact size of XIBarrierReleasePointer
+
+Otherwise a client can send any value of num_barriers and cause reading or swapping of values on heap behind the receive buffer.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
+index af1562e..d82ecb6 100644
+--- a/Xi/xibarriers.c
++++ b/Xi/xibarriers.c
+@@ -830,10 +830,13 @@ SProcXIBarrierReleasePointer(ClientPtr client)
+ REQUEST(xXIBarrierReleasePointerReq);
+ int i;
+
+- info = (xXIBarrierReleasePointerInfo*) &stuff[1];
+-
+ swaps(&stuff->length);
++ REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
++
+ swapl(&stuff->num_barriers);
++ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
++
++ info = (xXIBarrierReleasePointerInfo*) &stuff[1];
+ for (i = 0; i < stuff->num_barriers; i++, info++) {
+ swaps(&info->deviceid);
+ swapl(&info->barrier);
+@@ -853,7 +856,7 @@ ProcXIBarrierReleasePointer(ClientPtr client)
+ xXIBarrierReleasePointerInfo *info;
+
+ REQUEST(xXIBarrierReleasePointerReq);
+- REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
++ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
+
+ info = (xXIBarrierReleasePointerInfo*) &stuff[1];
+ for (i = 0; i < stuff->num_barriers; i++, info++) {
+--
+cgit v0.10.2
+
+
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p2.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p2.diff
new file mode 100644
index 00000000..34675603
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p2.diff
@@ -0,0 +1,46 @@
+From d088e3c1286b548a58e62afdc70bb40981cdb9e8 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Fri, 9 Jan 2015 10:04:41 -0500
+Subject: Xi: integer overflow and unvalidated length in
+ (S)ProcXIBarrierReleasePointer
+
+[jcristau: originally this patch fixed the same issue as commit
+ 211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the
+ addition of these checks]
+
+This addresses CVE-2017-12179
+
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
+index d82ecb6..d0be701 100644
+--- a/Xi/xibarriers.c
++++ b/Xi/xibarriers.c
+@@ -834,6 +834,8 @@ SProcXIBarrierReleasePointer(ClientPtr client)
+ REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
+
+ swapl(&stuff->num_barriers);
++ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
++ return BadLength;
+ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
+
+ info = (xXIBarrierReleasePointerInfo*) &stuff[1];
+@@ -856,6 +858,9 @@ ProcXIBarrierReleasePointer(ClientPtr client)
+ xXIBarrierReleasePointerInfo *info;
+
+ REQUEST(xXIBarrierReleasePointerReq);
++ REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
++ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
++ return BadLength;
+ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
+
+ info = (xXIBarrierReleasePointerInfo*) &stuff[1];
+--
+cgit v0.10.2
+
+
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12180_12181_12182.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12180_12181_12182.diff
new file mode 100644
index 00000000..70ebee8c
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12180_12181_12182.diff
@@ -0,0 +1,601 @@
+From 1b1d4c04695dced2463404174b50b3581dbd857b Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Sun, 21 Dec 2014 01:10:03 -0500
+Subject: hw/xfree86: unvalidated lengths
+
+This addresses:
+CVE-2017-12180 in XFree86-VidModeExtension
+CVE-2017-12181 in XFree86-DGA
+CVE-2017-12182 in XFree86-DRI
+
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/Xext/vidmode.c b/Xext/vidmode.c
+index 8ba919a..6e4a7c7 100644
+--- a/Xext/vidmode.c
++++ b/Xext/vidmode.c
+@@ -454,6 +454,20 @@ ProcVidModeAddModeLine(ClientPtr client)
+ DEBUG_P("XF86VidModeAddModeline");
+
+ ver = ClientMajorVersion(client);
++
++ if (ver < 2) {
++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq);
++ len =
++ client->req_len -
++ bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq));
++ }
++ else {
++ REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq);
++ len =
++ client->req_len -
++ bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq));
++ }
++
+ if (ver < 2) {
+ /* convert from old format */
+ stuff = &newstuff;
+@@ -501,18 +515,6 @@ ProcVidModeAddModeLine(ClientPtr client)
+ stuff->after_vsyncend, stuff->after_vtotal,
+ (unsigned long) stuff->after_flags);
+
+- if (ver < 2) {
+- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq);
+- len =
+- client->req_len -
+- bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq));
+- }
+- else {
+- REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq);
+- len =
+- client->req_len -
+- bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq));
+- }
+ if (len != stuff->privsize)
+ return BadLength;
+
+@@ -622,6 +624,20 @@ ProcVidModeDeleteModeLine(ClientPtr client)
+ DEBUG_P("XF86VidModeDeleteModeline");
+
+ ver = ClientMajorVersion(client);
++
++ if (ver < 2) {
++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq);
++ len =
++ client->req_len -
++ bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq));
++ }
++ else {
++ REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq);
++ len =
++ client->req_len -
++ bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq));
++ }
++
+ if (ver < 2) {
+ /* convert from old format */
+ stuff = &newstuff;
+@@ -649,18 +665,6 @@ ProcVidModeDeleteModeLine(ClientPtr client)
+ stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal,
+ (unsigned long) stuff->flags);
+
+- if (ver < 2) {
+- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq);
+- len =
+- client->req_len -
+- bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq));
+- }
+- else {
+- REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq);
+- len =
+- client->req_len -
+- bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq));
+- }
+ if (len != stuff->privsize) {
+ DebugF("req_len = %ld, sizeof(Req) = %d, privsize = %ld, "
+ "len = %d, length = %d\n",
+@@ -744,6 +748,20 @@ ProcVidModeModModeLine(ClientPtr client)
+ DEBUG_P("XF86VidModeModModeline");
+
+ ver = ClientMajorVersion(client);
++
++ if (ver < 2) {
++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq);
++ len =
++ client->req_len -
++ bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq));
++ }
++ else {
++ REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq);
++ len =
++ client->req_len -
++ bytes_to_int32(sizeof(xXF86VidModeModModeLineReq));
++ }
++
+ if (ver < 2) {
+ /* convert from old format */
+ stuff = &newstuff;
+@@ -768,18 +786,6 @@ ProcVidModeModModeLine(ClientPtr client)
+ stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend,
+ stuff->vtotal, (unsigned long) stuff->flags);
+
+- if (ver < 2) {
+- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq);
+- len =
+- client->req_len -
+- bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq));
+- }
+- else {
+- REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq);
+- len =
+- client->req_len -
+- bytes_to_int32(sizeof(xXF86VidModeModModeLineReq));
+- }
+ if (len != stuff->privsize)
+ return BadLength;
+
+@@ -877,6 +883,19 @@ ProcVidModeValidateModeLine(ClientPtr client)
+ DEBUG_P("XF86VidModeValidateModeline");
+
+ ver = ClientMajorVersion(client);
++
++ if (ver < 2) {
++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq);
++ len = client->req_len -
++ bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq));
++ }
++ else {
++ REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq);
++ len =
++ client->req_len -
++ bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq));
++ }
++
+ if (ver < 2) {
+ /* convert from old format */
+ stuff = &newstuff;
+@@ -905,17 +924,6 @@ ProcVidModeValidateModeLine(ClientPtr client)
+ stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal,
+ (unsigned long) stuff->flags);
+
+- if (ver < 2) {
+- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq);
+- len = client->req_len -
+- bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq));
+- }
+- else {
+- REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq);
+- len =
+- client->req_len -
+- bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq));
+- }
+ if (len != stuff->privsize)
+ return BadLength;
+
+@@ -1027,6 +1035,20 @@ ProcVidModeSwitchToMode(ClientPtr client)
+ DEBUG_P("XF86VidModeSwitchToMode");
+
+ ver = ClientMajorVersion(client);
++
++ if (ver < 2) {
++ REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq);
++ len =
++ client->req_len -
++ bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq));
++ }
++ else {
++ REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq);
++ len =
++ client->req_len -
++ bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq));
++ }
++
+ if (ver < 2) {
+ /* convert from old format */
+ stuff = &newstuff;
+@@ -1055,18 +1077,6 @@ ProcVidModeSwitchToMode(ClientPtr client)
+ stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal,
+ (unsigned long) stuff->flags);
+
+- if (ver < 2) {
+- REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq);
+- len =
+- client->req_len -
+- bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq));
+- }
+- else {
+- REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq);
+- len =
+- client->req_len -
+- bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq));
+- }
+ if (len != stuff->privsize)
+ return BadLength;
+
+@@ -1457,6 +1467,7 @@ ProcVidModeSetGammaRamp(ClientPtr client)
+ VidModePtr pVidMode;
+
+ REQUEST(xXF86VidModeSetGammaRampReq);
++ REQUEST_AT_LEAST_SIZE(xXF86VidModeSetGammaRampReq);
+
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+diff --git a/hw/xfree86/common/xf86DGA.c b/hw/xfree86/common/xf86DGA.c
+index 95434e8..505b019 100644
+--- a/hw/xfree86/common/xf86DGA.c
++++ b/hw/xfree86/common/xf86DGA.c
+@@ -1272,13 +1272,14 @@ ProcXDGAOpenFramebuffer(ClientPtr client)
+ char *deviceName;
+ int nameSize;
+
++ REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (!DGAAvailable(stuff->screen))
+ return DGAErrorBase + XF86DGANoDirectVideoMode;
+
+- REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -1305,14 +1306,14 @@ ProcXDGACloseFramebuffer(ClientPtr client)
+ {
+ REQUEST(xXDGACloseFramebufferReq);
+
++ REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (!DGAAvailable(stuff->screen))
+ return DGAErrorBase + XF86DGANoDirectVideoMode;
+
+- REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq);
+-
+ DGACloseFramebuffer(stuff->screen);
+
+ return Success;
+@@ -1328,10 +1329,11 @@ ProcXDGAQueryModes(ClientPtr client)
+ xXDGAModeInfo info;
+ XDGAModePtr mode;
+
++ REQUEST_SIZE_MATCH(xXDGAQueryModesReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+- REQUEST_SIZE_MATCH(xXDGAQueryModesReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.number = 0;
+@@ -1443,11 +1445,12 @@ ProcXDGASetMode(ClientPtr client)
+ ClientPtr owner;
+ int size;
+
++ REQUEST_SIZE_MATCH(xXDGASetModeReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+ owner = DGA_GETCLIENT(stuff->screen);
+
+- REQUEST_SIZE_MATCH(xXDGASetModeReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.offset = 0;
+@@ -1533,14 +1536,14 @@ ProcXDGASetViewport(ClientPtr client)
+ {
+ REQUEST(xXDGASetViewportReq);
+
++ REQUEST_SIZE_MATCH(xXDGASetViewportReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXDGASetViewportReq);
+-
+ DGASetViewport(stuff->screen, stuff->x, stuff->y, stuff->flags);
+
+ return Success;
+@@ -1554,14 +1557,14 @@ ProcXDGAInstallColormap(ClientPtr client)
+
+ REQUEST(xXDGAInstallColormapReq);
+
++ REQUEST_SIZE_MATCH(xXDGAInstallColormapReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXDGAInstallColormapReq);
+-
+ rc = dixLookupResourceByType((void **) &cmap, stuff->cmap, RT_COLORMAP,
+ client, DixInstallAccess);
+ if (rc != Success)
+@@ -1575,14 +1578,14 @@ ProcXDGASelectInput(ClientPtr client)
+ {
+ REQUEST(xXDGASelectInputReq);
+
++ REQUEST_SIZE_MATCH(xXDGASelectInputReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXDGASelectInputReq);
+-
+ if (DGA_GETCLIENT(stuff->screen) == client)
+ DGASelectInput(stuff->screen, client, stuff->mask);
+
+@@ -1594,14 +1597,14 @@ ProcXDGAFillRectangle(ClientPtr client)
+ {
+ REQUEST(xXDGAFillRectangleReq);
+
++ REQUEST_SIZE_MATCH(xXDGAFillRectangleReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXDGAFillRectangleReq);
+-
+ if (Success != DGAFillRect(stuff->screen, stuff->x, stuff->y,
+ stuff->width, stuff->height, stuff->color))
+ return BadMatch;
+@@ -1614,14 +1617,14 @@ ProcXDGACopyArea(ClientPtr client)
+ {
+ REQUEST(xXDGACopyAreaReq);
+
++ REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXDGACopyAreaReq);
+-
+ if (Success != DGABlitRect(stuff->screen, stuff->srcx, stuff->srcy,
+ stuff->width, stuff->height, stuff->dstx,
+ stuff->dsty))
+@@ -1635,14 +1638,14 @@ ProcXDGACopyTransparentArea(ClientPtr client)
+ {
+ REQUEST(xXDGACopyTransparentAreaReq);
+
++ REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq);
+-
+ if (Success != DGABlitTransRect(stuff->screen, stuff->srcx, stuff->srcy,
+ stuff->width, stuff->height, stuff->dstx,
+ stuff->dsty, stuff->key))
+@@ -1657,13 +1660,14 @@ ProcXDGAGetViewportStatus(ClientPtr client)
+ REQUEST(xXDGAGetViewportStatusReq);
+ xXDGAGetViewportStatusReply rep;
+
++ REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -1680,13 +1684,14 @@ ProcXDGASync(ClientPtr client)
+ REQUEST(xXDGASyncReq);
+ xXDGASyncReply rep;
+
++ REQUEST_SIZE_MATCH(xXDGASyncReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXDGASyncReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -1725,13 +1730,14 @@ ProcXDGAChangePixmapMode(ClientPtr client)
+ xXDGAChangePixmapModeReply rep;
+ int x, y;
+
++ REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -1755,14 +1761,14 @@ ProcXDGACreateColormap(ClientPtr client)
+ REQUEST(xXDGACreateColormapReq);
+ int result;
+
++ REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXDGACreateColormapReq);
+-
+ if (!stuff->mode)
+ return BadValue;
+
+@@ -1791,10 +1797,11 @@ ProcXF86DGAGetVideoLL(ClientPtr client)
+ int num, offset, flags;
+ char *name;
+
++ REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+- REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -1831,9 +1838,10 @@ ProcXF86DGADirectVideo(ClientPtr client)
+
+ REQUEST(xXF86DGADirectVideoReq);
+
++ REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+- REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq);
+
+ if (!DGAAvailable(stuff->screen))
+ return DGAErrorBase + XF86DGANoDirectVideoMode;
+@@ -1889,10 +1897,11 @@ ProcXF86DGAGetViewPortSize(ClientPtr client)
+ REQUEST(xXF86DGAGetViewPortSizeReq);
+ xXF86DGAGetViewPortSizeReply rep;
+
++ REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+- REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -1917,14 +1926,14 @@ ProcXF86DGASetViewPort(ClientPtr client)
+ {
+ REQUEST(xXF86DGASetViewPortReq);
+
++ REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq);
+-
+ if (!DGAAvailable(stuff->screen))
+ return DGAErrorBase + XF86DGANoDirectVideoMode;
+
+@@ -1944,10 +1953,11 @@ ProcXF86DGAGetVidPage(ClientPtr client)
+ REQUEST(xXF86DGAGetVidPageReq);
+ xXF86DGAGetVidPageReply rep;
+
++ REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+- REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -1962,11 +1972,11 @@ ProcXF86DGASetVidPage(ClientPtr client)
+ {
+ REQUEST(xXF86DGASetVidPageReq);
+
++ REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+- REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq);
+-
+ /* silently fail */
+
+ return Success;
+@@ -1980,14 +1990,14 @@ ProcXF86DGAInstallColormap(ClientPtr client)
+
+ REQUEST(xXF86DGAInstallColormapReq);
+
++ REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq);
+-
+ if (!DGAActive(stuff->screen))
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+@@ -2008,10 +2018,11 @@ ProcXF86DGAQueryDirectVideo(ClientPtr client)
+ REQUEST(xXF86DGAQueryDirectVideoReq);
+ xXF86DGAQueryDirectVideoReply rep;
+
++ REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+- REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq);
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+@@ -2030,14 +2041,14 @@ ProcXF86DGAViewPortChanged(ClientPtr client)
+ REQUEST(xXF86DGAViewPortChangedReq);
+ xXF86DGAViewPortChangedReply rep;
+
++ REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq);
++
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
+ if (DGA_GETCLIENT(stuff->screen) != client)
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+- REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq);
+-
+ if (!DGAActive(stuff->screen))
+ return DGAErrorBase + XF86DGADirectNotActivated;
+
+diff --git a/hw/xfree86/dri/xf86dri.c b/hw/xfree86/dri/xf86dri.c
+index 8f3c2d6..d356db9 100644
+--- a/hw/xfree86/dri/xf86dri.c
++++ b/hw/xfree86/dri/xf86dri.c
+@@ -570,6 +570,7 @@ static int _X_COLD
+ SProcXF86DRIQueryDirectRenderingCapable(register ClientPtr client)
+ {
+ REQUEST(xXF86DRIQueryDirectRenderingCapableReq);
++ REQUEST_SIZE_MATCH(xXF86DRIQueryDirectRenderingCapableReq);
+ swaps(&stuff->length);
+ swapl(&stuff->screen);
+ return ProcXF86DRIQueryDirectRenderingCapable(client);
+--
+cgit v0.10.2
+
+
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12183.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12183.diff
new file mode 100644
index 00000000..b88ba950
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12183.diff
@@ -0,0 +1,95 @@
+From 55caa8b08c84af2b50fbc936cf334a5a93dd7db5 Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Fri, 9 Jan 2015 11:43:05 -0500
+Subject: xfixes: unvalidated lengths (CVE-2017-12183)
+
+v2: Use before swap (Jeremy Huddleston Sequoia)
+
+v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)
+
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/xfixes/cursor.c b/xfixes/cursor.c
+index c1ab3be..dc447ed 100644
+--- a/xfixes/cursor.c
++++ b/xfixes/cursor.c
+@@ -281,6 +281,7 @@ int _X_COLD
+ SProcXFixesSelectCursorInput(ClientPtr client)
+ {
+ REQUEST(xXFixesSelectCursorInputReq);
++ REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq);
+
+ swaps(&stuff->length);
+ swapl(&stuff->window);
+@@ -414,7 +415,7 @@ ProcXFixesSetCursorName(ClientPtr client)
+ REQUEST(xXFixesSetCursorNameReq);
+ Atom atom;
+
+- REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq);
++ REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes);
+ VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess);
+ tchar = (char *) &stuff[1];
+ atom = MakeAtom(tchar, stuff->nbytes, TRUE);
+@@ -1007,6 +1008,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
+ int i;
+ CARD16 *in_devices = (CARD16 *) &stuff[1];
+
++ REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);
++
+ swaps(&stuff->length);
+ swaps(&stuff->num_devices);
+ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
+diff --git a/xfixes/region.c b/xfixes/region.c
+index e773701..7c0a7d2 100644
+--- a/xfixes/region.c
++++ b/xfixes/region.c
+@@ -359,6 +359,7 @@ ProcXFixesCopyRegion(ClientPtr client)
+ RegionPtr pSource, pDestination;
+
+ REQUEST(xXFixesCopyRegionReq);
++ REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
+
+ VERIFY_REGION(pSource, stuff->source, client, DixReadAccess);
+ VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess);
+@@ -375,7 +376,7 @@ SProcXFixesCopyRegion(ClientPtr client)
+ REQUEST(xXFixesCopyRegionReq);
+
+ swaps(&stuff->length);
+- REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq);
++ REQUEST_SIZE_MATCH(xXFixesCopyRegionReq);
+ swapl(&stuff->source);
+ swapl(&stuff->destination);
+ return (*ProcXFixesVector[stuff->xfixesReqType]) (client);
+diff --git a/xfixes/saveset.c b/xfixes/saveset.c
+index 2043153..fd9c7a1 100644
+--- a/xfixes/saveset.c
++++ b/xfixes/saveset.c
+@@ -62,6 +62,7 @@ int _X_COLD
+ SProcXFixesChangeSaveSet(ClientPtr client)
+ {
+ REQUEST(xXFixesChangeSaveSetReq);
++ REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq);
+
+ swaps(&stuff->length);
+ swapl(&stuff->window);
+diff --git a/xfixes/xfixes.c b/xfixes/xfixes.c
+index 77efd64..248bf02 100644
+--- a/xfixes/xfixes.c
++++ b/xfixes/xfixes.c
+@@ -160,6 +160,7 @@ static _X_COLD int
+ SProcXFixesQueryVersion(ClientPtr client)
+ {
+ REQUEST(xXFixesQueryVersionReq);
++ REQUEST_SIZE_MATCH(xXFixesQueryVersionReq);
+
+ swaps(&stuff->length);
+ swapl(&stuff->majorVersion);
+--
+cgit v0.10.2
+
+
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12184_12185_12186_12187.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12184_12185_12186_12187.diff
new file mode 100644
index 00000000..d2995686
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12184_12185_12186_12187.diff
@@ -0,0 +1,139 @@
+From cad5a1050b7184d828aef9c1dd151c3ab649d37e Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Fri, 9 Jan 2015 09:57:23 -0500
+Subject: Unvalidated lengths
+
+v2: Add overflow check and remove unnecessary check (Julien Cristau)
+
+This addresses:
+CVE-2017-12184 in XINERAMA
+CVE-2017-12185 in MIT-SCREEN-SAVER
+CVE-2017-12186 in X-Resource
+CVE-2017-12187 in RENDER
+
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/Xext/panoramiX.c b/Xext/panoramiX.c
+index 209df29..844ea49 100644
+--- a/Xext/panoramiX.c
++++ b/Xext/panoramiX.c
+@@ -988,10 +988,11 @@ ProcPanoramiXGetScreenSize(ClientPtr client)
+ xPanoramiXGetScreenSizeReply rep;
+ int rc;
+
++ REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
++
+ if (stuff->screen >= PanoramiXNumScreens)
+ return BadMatch;
+
+- REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+ rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
+ if (rc != Success)
+ return rc;
+diff --git a/Xext/saver.c b/Xext/saver.c
+index 0949761..f6090d8 100644
+--- a/Xext/saver.c
++++ b/Xext/saver.c
+@@ -1186,6 +1186,8 @@ ProcScreenSaverUnsetAttributes(ClientPtr client)
+ PanoramiXRes *draw;
+ int rc, i;
+
++ REQUEST_SIZE_MATCH(xScreenSaverUnsetAttributesReq);
++
+ rc = dixLookupResourceByClass((void **) &draw, stuff->drawable,
+ XRC_DRAWABLE, client, DixWriteAccess);
+ if (rc != Success)
+diff --git a/Xext/xres.c b/Xext/xres.c
+index 21239f5..0242158 100644
+--- a/Xext/xres.c
++++ b/Xext/xres.c
+@@ -947,6 +947,8 @@ ProcXResQueryResourceBytes (ClientPtr client)
+ ConstructResourceBytesCtx ctx;
+
+ REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
++ if (stuff->numSpecs > UINT32_MAX / sizeof(ctx.specs[0]))
++ return BadLength;
+ REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
+ stuff->numSpecs * sizeof(ctx.specs[0]));
+
+@@ -1052,8 +1054,8 @@ SProcXResQueryResourceBytes (ClientPtr client)
+ int c;
+ xXResResourceIdSpec *specs = (void*) ((char*) stuff + sizeof(*stuff));
+
+- swapl(&stuff->numSpecs);
+ REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
++ swapl(&stuff->numSpecs);
+ REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
+ stuff->numSpecs * sizeof(specs[0]));
+
+diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c
+index d99d3d4..5232b37 100644
+--- a/Xext/xvdisp.c
++++ b/Xext/xvdisp.c
+@@ -1493,12 +1493,14 @@ XineramaXvShmPutImage(ClientPtr client)
+ {
+ REQUEST(xvShmPutImageReq);
+ PanoramiXRes *draw, *gc, *port;
+- Bool send_event = stuff->send_event;
++ Bool send_event;
+ Bool isRoot;
+ int result, i, x, y;
+
+ REQUEST_SIZE_MATCH(xvShmPutImageReq);
+
++ send_event = stuff->send_event;
++
+ result = dixLookupResourceByClass((void **) &draw, stuff->drawable,
+ XRC_DRAWABLE, client, DixWriteAccess);
+ if (result != Success)
+diff --git a/hw/dmx/dmxpict.c b/hw/dmx/dmxpict.c
+index 1f1022e..63caec9 100644
+--- a/hw/dmx/dmxpict.c
++++ b/hw/dmx/dmxpict.c
+@@ -716,6 +716,8 @@ dmxProcRenderSetPictureFilter(ClientPtr client)
+ filter = (char *) (stuff + 1);
+ params = (XFixed *) (filter + ((stuff->nbytes + 3) & ~3));
+ nparams = ((XFixed *) stuff + client->req_len) - params;
++ if (nparams < 0)
++ return BadLength;
+
+ XRenderSetPictureFilter(dmxScreen->beDisplay,
+ pPictPriv->pict, filter, params, nparams);
+diff --git a/pseudoramiX/pseudoramiX.c b/pseudoramiX/pseudoramiX.c
+index d8b2593..95f6e10 100644
+--- a/pseudoramiX/pseudoramiX.c
++++ b/pseudoramiX/pseudoramiX.c
+@@ -297,10 +297,11 @@ ProcPseudoramiXGetScreenSize(ClientPtr client)
+
+ TRACE;
+
++ REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
++
+ if (stuff->screen >= pseudoramiXNumScreens)
+ return BadMatch;
+
+- REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+ rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
+ if (rc != Success)
+ return rc;
+diff --git a/render/render.c b/render/render.c
+index ccae49a..7d94bd5 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -1757,6 +1757,9 @@ ProcRenderSetPictureFilter(ClientPtr client)
+ name = (char *) (stuff + 1);
+ params = (xFixed *) (name + pad_to_int32(stuff->nbytes));
+ nparams = ((xFixed *) stuff + client->req_len) - params;
++ if (nparams < 0)
++ return BadLength;
++
+ result = SetPictureFilter(pPicture, name, stuff->nbytes, params, nparams);
+ return result;
+ }
+--
+cgit v0.10.2
+
+
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13721.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13721.diff
new file mode 100644
index 00000000..8341a337
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13721.diff
@@ -0,0 +1,27 @@
+From b95f25af141d33a65f6f821ea9c003f66a01e1f1 Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Fri, 28 Jul 2017 16:27:10 +0200
+Subject: Xext/shm: Validate shmseg resource id (CVE-2017-13721)
+
+Otherwise it can belong to a non-existing client and abort X server with
+FatalError "client not in use", or overwrite existing segment of another
+existing client.
+
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/Xext/shm.c b/Xext/shm.c
+index 91ea90b..2f9a788 100644
+--- a/Xext/shm.c
++++ b/Xext/shm.c
+@@ -1238,6 +1238,7 @@ ProcShmCreateSegment(ClientPtr client)
+ };
+
+ REQUEST_SIZE_MATCH(xShmCreateSegmentReq);
++ LEGAL_NEW_RESOURCE(stuff->shmseg, client);
+ if ((stuff->readOnly != xTrue) && (stuff->readOnly != xFalse)) {
+ client->errorValue = stuff->readOnly;
+ return BadValue;
+--
+cgit v0.10.2
+
+
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13723.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13723.diff
new file mode 100644
index 00000000..6e37be48
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-13723.diff
@@ -0,0 +1,116 @@
+From 94f11ca5cf011ef123bd222cabeaef6f424d76ac Mon Sep 17 00:00:00 2001
+From: Keith Packard <keithp@keithp.com>
+Date: Thu, 27 Jul 2017 10:08:32 -0700
+Subject: xkb: Handle xkb formated string output safely (CVE-2017-13723)
+
+Generating strings for XKB data used a single shared static buffer,
+which offered several opportunities for errors. Use a ring of
+resizable buffers instead, to avoid problems when strings end up
+longer than anticipated.
+
+Reviewed-by: Michal Srb <msrb@suse.com>
+Signed-off-by: Keith Packard <keithp@keithp.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c
+index ead2b1a..d2a2567 100644
+--- a/xkb/xkbtext.c
++++ b/xkb/xkbtext.c
+@@ -47,23 +47,27 @@
+
+ /***====================================================================***/
+
+-#define BUFFER_SIZE 512
+-
+-static char textBuffer[BUFFER_SIZE];
+-static int tbNext = 0;
++#define NUM_BUFFER 8
++static struct textBuffer {
++ int size;
++ char *buffer;
++} textBuffer[NUM_BUFFER];
++static int textBufferIndex;
+
+ static char *
+ tbGetBuffer(unsigned size)
+ {
+- char *rtrn;
++ struct textBuffer *tb;
+
+- if (size >= BUFFER_SIZE)
+- return NULL;
+- if ((BUFFER_SIZE - tbNext) <= size)
+- tbNext = 0;
+- rtrn = &textBuffer[tbNext];
+- tbNext += size;
+- return rtrn;
++ tb = &textBuffer[textBufferIndex];
++ textBufferIndex = (textBufferIndex + 1) % NUM_BUFFER;
++
++ if (size > tb->size) {
++ free(tb->buffer);
++ tb->buffer = xnfalloc(size);
++ tb->size = size;
++ }
++ return tb->buffer;
+ }
+
+ /***====================================================================***/
+@@ -79,8 +83,6 @@ XkbAtomText(Atom atm, unsigned format)
+ int len;
+
+ len = strlen(atmstr) + 1;
+- if (len > BUFFER_SIZE)
+- len = BUFFER_SIZE - 2;
+ rtrn = tbGetBuffer(len);
+ strlcpy(rtrn, atmstr, len);
+ }
+@@ -128,8 +130,6 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format)
+ len = strlen(tmp) + 1;
+ if (format == XkbCFile)
+ len += 4;
+- if (len >= BUFFER_SIZE)
+- len = BUFFER_SIZE - 1;
+ rtrn = tbGetBuffer(len);
+ if (format == XkbCFile) {
+ strcpy(rtrn, "vmod_");
+@@ -140,6 +140,8 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format)
+ return rtrn;
+ }
+
++#define VMOD_BUFFER_SIZE 512
++
+ char *
+ XkbVModMaskText(XkbDescPtr xkb,
+ unsigned modMask, unsigned mask, unsigned format)
+@@ -147,7 +149,7 @@ XkbVModMaskText(XkbDescPtr xkb,
+ register int i, bit;
+ int len;
+ char *mm, *rtrn;
+- char *str, buf[BUFFER_SIZE];
++ char *str, buf[VMOD_BUFFER_SIZE];
+
+ if ((modMask == 0) && (mask == 0)) {
+ rtrn = tbGetBuffer(5);
+@@ -173,7 +175,7 @@ XkbVModMaskText(XkbDescPtr xkb,
+ len = strlen(tmp) + 1 + (str == buf ? 0 : 1);
+ if (format == XkbCFile)
+ len += 4;
+- if ((str - (buf + len)) <= BUFFER_SIZE) {
++ if ((str - (buf + len)) <= VMOD_BUFFER_SIZE) {
+ if (str != buf) {
+ if (format == XkbCFile)
+ *str++ = '|';
+@@ -199,8 +201,6 @@ XkbVModMaskText(XkbDescPtr xkb,
+ len = 0;
+ if (str)
+ len += strlen(str) + (mm == NULL ? 0 : 1);
+- if (len >= BUFFER_SIZE)
+- len = BUFFER_SIZE - 1;
+ rtrn = tbGetBuffer(len + 1);
+ rtrn[0] = '\0';
+
+--
+cgit v0.10.2
+
+
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.combo.mouse.keyboard.layout.patch b/patches/source/xorg-server/patch/xorg-server/xorg-server.combo.mouse.keyboard.layout.patch
new file mode 100644
index 00000000..83f67303
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.combo.mouse.keyboard.layout.patch
@@ -0,0 +1,49 @@
+--- b/Xi/exevents.c 2013-12-27 19:38:52.000000000 +0200
++++ a/Xi/exevents.c 2014-03-04 19:44:15.228721619 +0200
+@@ -665,7 +665,8 @@
+ DeepCopyFeedbackClasses(from, to);
+
+ if ((dce->flags & DEVCHANGE_KEYBOARD_EVENT))
+- DeepCopyKeyboardClasses(from, to);
++ /* We need to copy to MASTER_KEYBOARD. Didn't worked with 'to'. */
++ DeepCopyKeyboardClasses(from, GetMaster(from, MASTER_KEYBOARD));
+ if ((dce->flags & DEVCHANGE_POINTER_EVENT))
+ DeepCopyPointerClasses(from, to);
+ }
+--- b/dix/getevents.c 2013-12-27 19:38:52.000000000 +0200
++++ a/dix/getevents.c 2014-03-04 19:46:50.126336327 +0200
+@@ -706,12 +706,19 @@
+ {
+ DeviceIntPtr master;
+
+- master =
+- GetMaster(dev,
+- (type & DEVCHANGE_POINTER_EVENT) ? MASTER_POINTER :
+- MASTER_KEYBOARD);
++ /* Don't guess the master upon the event type. Use MASTER_ATTACHED,
++ * otherwise we'll never get a DeviceChangedEvent(reason:SlaveSwith). */
++ master = GetMaster(dev, MASTER_ATTACHED);
++ /* Need to track the slave event type. Other we'le never get a
++ * DeviceChangedEvent(reason:SlaveSwith) for the 'keyboard' if the
++ * 'pointer' has been touched before. */
++ int slave_type = (type & DEVCHANGE_KEYBOARD_EVENT) |
++ (type & DEVCHANGE_POINTER_EVENT);
+
+- if (master && master->last.slave != dev) {
++ if (master &&
++ ((master->last.slave != dev) ||
++ (master->last.slave == dev && master->last.slave_type != slave_type))) {
++ master->last.slave_type = slave_type;
+ CreateClassesChangedEvent(events, master, dev,
+ type | DEVCHANGE_SLAVE_SWITCH);
+ if (IsPointerDevice(master)) {
+--- b/include/inputstr.h 2013-12-27 19:38:52.000000000 +0200
++++ a/include/inputstr.h 2014-03-04 19:47:28.074051116 +0200
+@@ -577,6 +577,7 @@
+ double valuators[MAX_VALUATORS];
+ int numValuators;
+ DeviceIntPtr slave;
++ int slave_type;
+ ValuatorMask *scroll;
+ int num_touches; /* size of the touches array */
+ DDXTouchPointInfoPtr touches;