xorg security update for netbsd-9 this combo patch is the xsrc portion for of these CVEs: CVE-2022-46285, CVE-2022-44617, CVE-2022-4883, CVE-2020-14363, CVE-2022-46340, CVE-2022-46341, CVE-2022-46342 CVE-2022-46343, CVE-2022-46344, CVE-2022-46283, CVE-2021-4008, CVE-2021-4009, CVE-2021-4010, CVE-2021-4011 Index: external/mit/libX11/dist/modules/om/generic/omGeneric.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/libX11/dist/modules/om/generic/omGeneric.c,v retrieving revision 1.1.1.8.2.1 diff -p -u -r1.1.1.8.2.1 omGeneric.c --- external/mit/libX11/dist/modules/om/generic/omGeneric.c 5 Aug 2020 14:10:17 -0000 1.1.1.8.2.1 +++ external/mit/libX11/dist/modules/om/generic/omGeneric.c 20 Jan 2023 23:03:48 -0000 @@ -1908,7 +1908,8 @@ init_om( char **required_list; XOrientation *orientation; char **value, buf[BUFSIZ], *bufptr; - int count = 0, num = 0, length = 0; + int count = 0, num = 0; + unsigned int length = 0; _XlcGetResource(lcd, "XLC_FONTSET", "on_demand_loading", &value, &count); if (count > 0 && _XlcCompareISOLatin1(*value, "True") == 0) Index: external/mit/libXpm/dist/src/RdFToI.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/libXpm/dist/src/RdFToI.c,v retrieving revision 1.1.1.4 diff -p -u -r1.1.1.4 RdFToI.c --- external/mit/libXpm/dist/src/RdFToI.c 16 Mar 2014 22:20:04 -0000 1.1.1.4 +++ external/mit/libXpm/dist/src/RdFToI.c 20 Jan 2023 23:03:48 -0000 @@ -43,6 +43,7 @@ #include #include #include +#include #else #ifdef FOR_MSW #include @@ -161,7 +162,17 @@ xpmPipeThrough( goto err; if ( 0 == pid ) { - execlp(cmd, cmd, arg1, (char *)NULL); +#ifdef HAVE_CLOSEFROM + closefrom(3); +#elif defined(HAVE_CLOSE_RANGE) +# ifdef CLOSE_RANGE_UNSHARE +# define close_range_flags CLOSE_RANGE_UNSHARE +# else +# define close_range_flags 0 +#endif + close_range(3, ~0U, close_range_flags); +#endif + execl(cmd, cmd, arg1, (char *)NULL); perror(cmd); goto err; } @@ -235,12 +246,12 @@ OpenReadFile( if ( ext && !strcmp(ext, ".Z") ) { mdata->type = XPMPIPE; - mdata->stream.file = xpmPipeThrough(fd, "uncompress", "-c", "r"); + mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_UNCOMPRESS, "-c", "r"); } else if ( ext && !strcmp(ext, ".gz") ) { mdata->type = XPMPIPE; - mdata->stream.file = xpmPipeThrough(fd, "gunzip", "-qc", "r"); + mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-dqc", "r"); } else #endif /* z-files */ Index: external/mit/libXpm/dist/src/WrFFrI.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/libXpm/dist/src/WrFFrI.c,v retrieving revision 1.1.1.5 diff -p -u -r1.1.1.5 WrFFrI.c --- external/mit/libXpm/dist/src/WrFFrI.c 16 Mar 2014 22:20:04 -0000 1.1.1.5 +++ external/mit/libXpm/dist/src/WrFFrI.c 20 Jan 2023 23:03:48 -0000 @@ -336,10 +336,10 @@ OpenWriteFile( #ifndef NO_ZPIPE len = strlen(filename); if (len > 2 && !strcmp(".Z", filename + (len - 2))) { - mdata->stream.file = xpmPipeThrough(fd, "compress", NULL, "w"); + mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_COMPRESS, NULL, "w"); mdata->type = XPMPIPE; } else if (len > 3 && !strcmp(".gz", filename + (len - 3))) { - mdata->stream.file = xpmPipeThrough(fd, "gzip", "-q", "w"); + mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-q", "w"); mdata->type = XPMPIPE; } else #endif Index: external/mit/libXpm/dist/src/create.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/libXpm/dist/src/create.c,v retrieving revision 1.3 diff -p -u -r1.3 create.c --- external/mit/libXpm/dist/src/create.c 4 Mar 2017 21:48:03 -0000 1.3 +++ external/mit/libXpm/dist/src/create.c 20 Jan 2023 23:03:48 -0000 @@ -994,11 +994,15 @@ CreateXImage( #if !defined(FOR_MSW) && !defined(AMIGA) if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) { XDestroyImage(*image_return); + *image_return = NULL; return XpmNoMemory; } /* now that bytes_per_line must have been set properly alloc data */ - if((*image_return)->bytes_per_line == 0 || height == 0) + if((*image_return)->bytes_per_line == 0 || height == 0) { + XDestroyImage(*image_return); + *image_return = NULL; return XpmNoMemory; + } (*image_return)->data = (char *) XpmMalloc((*image_return)->bytes_per_line * height); Index: external/mit/libXpm/dist/src/data.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/libXpm/dist/src/data.c,v retrieving revision 1.1.1.4 diff -p -u -r1.1.1.4 data.c --- external/mit/libXpm/dist/src/data.c 31 May 2013 01:09:03 -0000 1.1.1.4 +++ external/mit/libXpm/dist/src/data.c 20 Jan 2023 23:03:48 -0000 @@ -174,6 +174,10 @@ ParseComment(xpmData *data) notend = 0; Ungetc(data, *s, file); } + else if (c == EOF) { + /* hit end of file before the end of the comment */ + return XpmFileInvalid; + } } return 0; } @@ -191,19 +195,23 @@ xpmNextString(xpmData *data) register char c; /* get to the end of the current string */ - if (data->Eos) - while ((c = *data->cptr++) && c != data->Eos); + if (data->Eos) { + while ((c = *data->cptr++) && c != data->Eos && c != '\0'); + + if (c == '\0') + return XpmFileInvalid; + } /* * then get to the beginning of the next string looking for possible * comment */ if (data->Bos) { - while ((c = *data->cptr++) && c != data->Bos) + while ((c = *data->cptr++) && c != data->Bos && c != '\0') if (data->Bcmt && c == data->Bcmt[0]) ParseComment(data); } else if (data->Bcmt) { /* XPM2 natural */ - while ((c = *data->cptr++) == data->Bcmt[0]) + while (((c = *data->cptr++) == data->Bcmt[0]) && c != '\0') ParseComment(data); data->cptr--; } @@ -212,9 +220,13 @@ xpmNextString(xpmData *data) FILE *file = data->stream.file; /* get to the end of the current string */ - if (data->Eos) + if (data->Eos) { while ((c = Getc(data, file)) != data->Eos && c != EOF); + if (c == EOF) + return XpmFileInvalid; + } + /* * then get to the beginning of the next string looking for possible * comment @@ -230,7 +242,7 @@ xpmNextString(xpmData *data) Ungetc(data, c, file); } } - return 0; + return XpmSuccess; } Index: external/mit/libXpm/dist/src/parse.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/libXpm/dist/src/parse.c,v retrieving revision 1.1.1.5 diff -p -u -r1.1.1.5 parse.c --- external/mit/libXpm/dist/src/parse.c 4 Mar 2017 21:43:45 -0000 1.1.1.5 +++ external/mit/libXpm/dist/src/parse.c 20 Jan 2023 23:03:48 -0000 @@ -391,6 +391,13 @@ ParsePixels( { unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */ unsigned int a, x, y; + int ErrorStatus; + + if ((width == 0) && (height != 0)) + return (XpmFileInvalid); + + if ((height == 0) && (width != 0)) + return (XpmFileInvalid); if ((height > 0 && width >= UINT_MAX / height) || width * height >= UINT_MAX / sizeof(unsigned int)) @@ -428,7 +435,11 @@ ParsePixels( colidx[(unsigned char)colorTable[a].string[0]] = a + 1; for (y = 0; y < height; y++) { - xpmNextString(data); + ErrorStatus = xpmNextString(data); + if (ErrorStatus != XpmSuccess) { + XpmFree(iptr2); + return (ErrorStatus); + } for (x = 0; x < width; x++, iptr++) { int c = xpmGetC(data); @@ -475,7 +486,11 @@ do \ } for (y = 0; y < height; y++) { - xpmNextString(data); + ErrorStatus = xpmNextString(data); + if (ErrorStatus != XpmSuccess) { + XpmFree(iptr2); + return (ErrorStatus); + } for (x = 0; x < width; x++, iptr++) { int cc1 = xpmGetC(data); if (cc1 > 0 && cc1 < 256) { @@ -515,7 +530,11 @@ do \ xpmHashAtom *slot; for (y = 0; y < height; y++) { - xpmNextString(data); + ErrorStatus = xpmNextString(data); + if (ErrorStatus != XpmSuccess) { + XpmFree(iptr2); + return (ErrorStatus); + } for (x = 0; x < width; x++, iptr++) { for (a = 0, s = buf; a < cpp; a++, s++) { int c = xpmGetC(data); @@ -535,7 +554,11 @@ do \ } } else { for (y = 0; y < height; y++) { - xpmNextString(data); + ErrorStatus = xpmNextString(data); + if (ErrorStatus != XpmSuccess) { + XpmFree(iptr2); + return (ErrorStatus); + } for (x = 0; x < width; x++, iptr++) { for (a = 0, s = buf; a < cpp; a++, s++) { int c = xpmGetC(data); Index: external/mit/xorg-server/dist/Xext/saver.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/Xext/saver.c,v retrieving revision 1.1.1.7.2.1 diff -p -u -r1.1.1.7.2.1 saver.c --- external/mit/xorg-server/dist/Xext/saver.c 6 Nov 2017 09:43:02 -0000 1.1.1.7.2.1 +++ external/mit/xorg-server/dist/Xext/saver.c 20 Jan 2023 23:03:48 -0000 @@ -1050,7 +1050,7 @@ ScreenSaverSetAttributes(ClientPtr clien pVlist++; } if (pPriv->attr) - FreeScreenAttr(pPriv->attr); + FreeResource(pPriv->attr->resource, AttrType); pPriv->attr = pAttr; pAttr->resource = FakeClientID(client->index); if (!AddResource(pAttr->resource, AttrType, (void *) pAttr)) Index: external/mit/xorg-server/dist/Xext/xtest.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/Xext/xtest.c,v retrieving revision 1.5 diff -p -u -r1.5 xtest.c --- external/mit/xorg-server/dist/Xext/xtest.c 11 Aug 2016 00:04:26 -0000 1.5 +++ external/mit/xorg-server/dist/Xext/xtest.c 20 Jan 2023 23:03:48 -0000 @@ -501,10 +501,11 @@ XTestSwapFakeInput(ClientPtr client, xRe nev = ((req->length << 2) - sizeof(xReq)) / sizeof(xEvent); for (ev = (xEvent *) &req[1]; --nev >= 0; ev++) { + int evtype = ev->u.u.type & 0x177; /* Swap event */ - proc = EventSwapVector[ev->u.u.type & 0177]; + proc = EventSwapVector[evtype]; /* no swapping proc; invalid event type? */ - if (!proc || proc == NotImplemented) { + if (!proc || proc == NotImplemented || evtype == GenericEvent) { client->errorValue = ev->u.u.type; return BadValue; } Index: external/mit/xorg-server/dist/Xext/xvmain.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/Xext/xvmain.c,v retrieving revision 1.1.1.4 diff -p -u -r1.1.1.4 xvmain.c --- external/mit/xorg-server/dist/Xext/xvmain.c 10 Aug 2016 07:44:31 -0000 1.1.1.4 +++ external/mit/xorg-server/dist/Xext/xvmain.c 20 Jan 2023 23:03:48 -0000 @@ -811,8 +811,10 @@ XvdiSelectVideoNotify(ClientPtr client, tpn = pn; while (tpn) { if (tpn->client == client) { - if (!onoff) + if (!onoff) { tpn->client = NULL; + FreeResource(tpn->id, XvRTVideoNotify); + } return Success; } if (!tpn->client) Index: external/mit/xorg-server/dist/Xi/xipassivegrab.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/Xi/xipassivegrab.c,v retrieving revision 1.3 diff -p -u -r1.3 xipassivegrab.c --- external/mit/xorg-server/dist/Xi/xipassivegrab.c 11 Aug 2016 00:04:26 -0000 1.3 +++ external/mit/xorg-server/dist/Xi/xipassivegrab.c 20 Jan 2023 23:03:48 -0000 @@ -133,6 +133,12 @@ ProcXIPassiveGrabDevice(ClientPtr client return BadValue; } + /* XI2 allows 32-bit keycodes but thanks to XKB we can never + * implement this. Just return an error for all keycodes that + * cannot work anyway, same for buttons > 255. */ + if (stuff->detail > 255) + return XIAlreadyGrabbed; + if (XICheckInvalidMaskBits(client, (unsigned char *) &stuff[1], stuff->mask_len * 4) != Success) return BadValue; @@ -313,6 +319,12 @@ ProcXIPassiveUngrabDevice(ClientPtr clie return BadValue; } + /* We don't allow passive grabs for details > 255 anyway */ + if (stuff->detail > 255) { + client->errorValue = stuff->detail; + return BadValue; + } + rc = dixLookupWindow(&win, stuff->grab_window, client, DixSetAttrAccess); if (rc != Success) return rc; Index: external/mit/xorg-server/dist/Xi/xiproperty.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/Xi/xiproperty.c,v retrieving revision 1.3 diff -p -u -r1.3 xiproperty.c --- external/mit/xorg-server/dist/Xi/xiproperty.c 11 Aug 2016 00:04:26 -0000 1.3 +++ external/mit/xorg-server/dist/Xi/xiproperty.c 20 Jan 2023 23:03:48 -0000 @@ -886,7 +886,7 @@ ProcXChangeDeviceProperty(ClientPtr clie REQUEST(xChangeDevicePropertyReq); DeviceIntPtr dev; unsigned long len; - int totalSize; + uint64_t totalSize; int rc; REQUEST_AT_LEAST_SIZE(xChangeDevicePropertyReq); @@ -898,6 +898,8 @@ ProcXChangeDeviceProperty(ClientPtr clie rc = check_change_property(client, stuff->property, stuff->type, stuff->format, stuff->mode, stuff->nUnits); + if (rc != Success) + return rc; len = stuff->nUnits; if (len > (bytes_to_int32(0xffffffff - sizeof(xChangeDevicePropertyReq)))) @@ -1124,7 +1126,7 @@ ProcXIChangeProperty(ClientPtr client) { int rc; DeviceIntPtr dev; - int totalSize; + uint64_t totalSize; unsigned long len; REQUEST(xXIChangePropertyReq); @@ -1137,6 +1139,9 @@ ProcXIChangeProperty(ClientPtr client) rc = check_change_property(client, stuff->property, stuff->type, stuff->format, stuff->mode, stuff->num_items); + if (rc != Success) + return rc; + len = stuff->num_items; if (len > bytes_to_int32(0xffffffff - sizeof(xXIChangePropertyReq))) return BadLength; Index: external/mit/xorg-server/dist/dix/property.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/dix/property.c,v retrieving revision 1.1.1.5 diff -p -u -r1.1.1.5 property.c --- external/mit/xorg-server/dist/dix/property.c 10 Aug 2016 07:44:31 -0000 1.1.1.5 +++ external/mit/xorg-server/dist/dix/property.c 20 Jan 2023 23:03:48 -0000 @@ -194,7 +194,8 @@ ProcChangeProperty(ClientPtr client) WindowPtr pWin; char format, mode; unsigned long len; - int sizeInBytes, totalSize, err; + int sizeInBytes, err; + uint64_t totalSize; REQUEST(xChangePropertyReq); Index: external/mit/xorg-server/dist/xkb/xkbUtils.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/xorg-server/dist/xkb/xkbUtils.c,v retrieving revision 1.1.1.5 diff -p -u -r1.1.1.5 xkbUtils.c --- external/mit/xorg-server/dist/xkb/xkbUtils.c 10 Aug 2016 07:44:35 -0000 1.1.1.5 +++ external/mit/xorg-server/dist/xkb/xkbUtils.c 20 Jan 2023 23:03:48 -0000 @@ -1327,6 +1327,7 @@ _XkbCopyNames(XkbDescPtr src, XkbDescPtr } else { free(dst->names->radio_groups); + dst->names->radio_groups = NULL; } dst->names->num_rg = src->names->num_rg;