Pullup ticket #6295 - requested by maya x11/libX11: bugfix Revisions pulled up: - x11/libX11/Makefile 1.53 - x11/libX11/distinfo 1.32 - x11/libX11/patches/patch-regression 1.1 --- Module Name: pkgsrc Committed By: maya Date: Tue Aug 4 15:50:19 UTC 2020 Modified Files: pkgsrc/x11/libX11: Makefile distinfo Added Files: pkgsrc/x11/libX11/patches: patch-regression Log Message: libX11: backport patch fixing regression from upstream. bump PKGREVISION

(bsiegert)

 @@ -1,16 +1,17 @@
-# $NetBSD: Makefile,v 1.51.4.1 2020/08/01 06:47:52 bsiegert Exp $
+# $NetBSD: Makefile,v 1.51.4.2 2020/08/14 17:11:16 bsiegert Exp $
 DISTNAME=		libX11-1.6.10
 PKGREVISION=		1
 CATEGORIES=		x11 devel
 MASTER_SITES=		${MASTER_SITE_XORG:=lib/}
 EXTRACT_SUFX=		.tar.bz2
 MAINTAINER=		joerg@NetBSD.org
 HOMEPAGE=		https://xorg.freedesktop.org/
 COMMENT=		Base X libraries from modular Xorg X11
 LICENSE=		mit
 USE_LIBTOOL=		yes
 GNU_CONFIGURE=		yes
 USE_TOOLS+=		gmake pkg-config

 @@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.30.6.1 2020/08/01 06:47:52 bsiegert Exp $
+$NetBSD: distinfo,v 1.30.6.2 2020/08/14 17:11:16 bsiegert Exp $
 SHA1 (libX11-1.6.10.tar.bz2) = e28f6bc0a33ca512b1aeb973a1dd8b3a3c48cd9f
 RMD160 (libX11-1.6.10.tar.bz2) = 3d7ecf53bf8d87347857a0a810ce772f97c4b352
 SHA512 (libX11-1.6.10.tar.bz2) = ad384d8896fbe587f7fd99b0d3cc56fac6e2facbab52fa99174200d06b19dd163a483c998acf3834b3a4a3aa4de0dbbe13919a1c80e6797afe467c7075b403ff
 Size (libX11-1.6.10.tar.bz2) = 2294095 bytes
 SHA1 (patch-Makefile.in) = 93d3b8d9882babf70788e984884a9db46a5367ef
 SHA1 (patch-aa) = 4f502264e7200fd2f9409d8684c53de3bc6f0649
 SHA1 (patch-ac) = 565aa2a636b5c50f67cbd11e7c2adcac8d55418e
 SHA1 (patch-regression) = 55d611dacaa9b64e4275f83bb76843323bc38234

$NetBSD: patch-regression,v 1.2.2.2 2020/08/14 17:11:16 bsiegert Exp $ From 93fce3f4e79cbc737d6468a4f68ba3de1b83953b Mon Sep 17 00:00:00 2001 From: Yichao Yu <yyc1992@gmail.com> Date: Sun, 2 Aug 2020 13:43:58 -0400 Subject: [PATCH] Fix size calculation in `_XimAttributeToValue`. The check here guards the read below. For `XimType_XIMStyles`, these are `num` of `CARD32` and for `XimType_XIMHotKeyTriggers` these are `num` of `XIMTRIGGERKEY` ref[1] which is defined as 3 x `CARD32`. (There are data after the `XIMTRIGGERKEY` according to the spec but they are not read by this function and doesn't need to be checked.) The old code here used the native datatype size instead of the wire protocol size causing the check to always fail. Also fix the size calculation for the header (size). It is 2 x CARD16 for both types despite the unused `CARD16` for `XimType_XIMStyles`. [1] https://www.x.org/releases/X11R7.6/doc/libX11/specs/XIM/xim.html#Input_Method_Styles This fixes a regression caused by 388b303c62aa35a245f1704211a023440ad2c488 in 1.6.10. Fix #116 --- modules/im/ximcp/imRmAttr.c.orig +++ modules/im/ximcp/imRmAttr.c @@ -265,7 +265,7 @@ _XimAttributeToValue( if (num > (USHRT_MAX / sizeof(XIMStyle))) return False; - if ((sizeof(num) + (num * sizeof(XIMStyle))) > data_len) + if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len) return False; alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num; if (alloc_len < sizeof(XIMStyles)) @@ -379,7 +379,7 @@ _XimAttributeToValue( if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger))) return False; - if ((sizeof(num) + (num * sizeof(XIMHotKeyTrigger))) > data_len) + if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len) return False; alloc_len = sizeof(XIMHotKeyTriggers) + sizeof(XIMHotKeyTrigger) * num;