Re-import x11/modular-xorg-server as x11/modular-xorg-server112.

x11/modular-xorg-server112/DESCR

@@ -0,0 +1,2 @@
+The X.org X11 Server from the modularized source tree of
+X.org X11.

x11/modular-xorg-server112/MESSAGE

@@ -0,0 +1,16 @@
+===========================================================================
+$NetBSD: MESSAGE,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+For the X server to run you need at least some fonts installed. The
+recommended approach is to install the entire modular-xorg-fonts
+meta-package, but failing that the minimum set required is:
+
+	fonts/font-alias
+	fonts/font-misc-misc
+	fonts/font-cursor-misc
+
+This package does *not* depend on these font packages directly as
+in some circumstances installing extra copies from pkgsrc would be
+redundant or possibly harmful.
+
+===========================================================================

x11/modular-xorg-server112/Makefile

@@ -0,0 +1,183 @@
+# $NetBSD: Makefile,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+DISTNAME=	xorg-server-1.12.4
+PKGNAME=	modular-${DISTNAME}
+PKGREVISION=	12
+CATEGORIES=	x11
+MASTER_SITES=	${MASTER_SITE_XORG:=xserver/}
+EXTRACT_SUFX=	.tar.bz2
+
+MAINTAINER=	pkgsrc-users@NetBSD.org
+HOMEPAGE=	http://xorg.freedesktop.org/
+COMMENT=	Modular X11 server from modular X.org
+
+SPECIAL_PERMS+=		bin/Xorg ${SETUID_ROOT_PERMS}
+
+GNU_CONFIGURE=	yes
+USE_LIBTOOL=	yes
+USE_TOOLS+=	gmake pkg-config
+USE_LANGUAGES+=	c99
+
+PKGCONFIG_OVERRIDE+=	xorg-server.pc.in
+SHLIBTOOL_OVERRIDE=	# empty
+
+BUILD_DEFS+=		VARBASE
+BUILD_DEFS_EFFECTS+=	XKB_OUTPUT_DIR
+
+OWN_DIRS+=		${VARBASE}/log
+OWN_DIRS+=		${XKB_OUTPUT_DIR}
+XKB_OUTPUT_DIR?=	${VARBASE}/db/xkb # XXX sync with xkeyboard-config
+
+CONFIGURE_ARGS+=	--localstatedir=${VARBASE:Q}
+CONFIGURE_ARGS+=	--with-xkb-output=${XKB_OUTPUT_DIR:Q}
+
+.if !empty(USE_TOOLS:Mauto*)
+TOOLS_DEPENDS+=	xorg-util-macros>=1.1.5:../../devel/xorg-util-macros
+.endif
+
+DEPENDS+=	xkbcomp-[0-9]*:../../x11/xkbcomp
+DEPENDS+=	xkeyboard-config-[0-9]*:../../x11/xkeyboard-config
+
+.include "../../mk/bsd.prefs.mk"
+
+.if ${OPSYS} == "NetBSD"
+CONFIGURE_ARGS+=	--with-builder-addr="tech-x11@NetBSD.org"
+CONFIGURE_ARGS+=	--with-os-vendor="The NetBSD Foundation"
+# TLS is not supported by NetBSD<6
+.  if !empty(OS_VERSION:M[0-5].*)
+CONFIGURE_ENV+=		ac_cv_tls=no
+CONFIGURE_ARGS+=	--disable-glx-tls
+.  endif
+.endif
+CONFIGURE_ARGS+=	--with-os-name=${MACHINE_PLATFORM:Q}
+
+CONFIGURE_ARGS+=	--enable-xorg
+
+CONFIGURE_ARGS+=	--with-fontrootdir=${PREFIX}/share/fonts/X11
+
+LEGACY_FONT_PATHS=
+DEFAULT_FONT_PATHS=
+.for f in misc TTF OTF Type1 100dpi 75dpi cyrillic
+DEFAULT_FONT_PATHS+=	${PREFIX}/share/fonts/X11/${f}
+LEGACY_FONT_PATHS+=	${PREFIX}/lib/X11/fonts/${f}
+.endfor
+FONT_PATHS=		${DEFAULT_FONT_PATHS} ${LEGACY_FONT_PATHS}
+
+CONFIGURE_ARGS+=	--with-default-font-path=${FONT_PATHS:ts,:Q}
+
+CONFIGURE_ARGS+=	--disable-config-hal
+CONFIGURE_ARGS+=	--disable-dmx
+CONFIGURE_ARGS+=	--disable-xwin
+CONFIGURE_ARGS+=	--disable-xephyr
+CONFIGURE_ARGS+=	--disable-kdrive
+#CONFIGURE_ARGS+=	--disable-kdrive-vesa
+CONFIGURE_ARGS+=	--disable-xfake
+CONFIGURE_ARGS+=	--disable-xfbdev
+
+CONFIGURE_ARGS+=	--with-int10=x86emu
+
+CONFIGURE_ENV+=		APP_MAN_SUFFIX=1 FILE_MAN_SUFFIX=5
+CONFIGURE_ENV+=		DRIVER_MAN_SUFFIX=4
+
+PLIST_VARS+=		sunos
+PLIST_SUBST+=		SUNOS_ARCH=${SUNOS_ARCH}
+
+.if ${OPSYS} == "SunOS"
+PLIST.sunos=		yes
+.  if ${MACHINE_ARCH} == "i386"
+SUNOS_ARCH=		ia32
+.  elif ${MACHINE_ARCH} == "amd64" || ${MACHINE_ARCH} == "x86_64"
+SUNOS_ARCH=		amd64
+.  elif ${MACHINE_ARCH} == "sparc" || ${MACHINE_ARCH} == "sparc64"
+SUNOS_ARCH=		sparcv8plus
+.  endif
+.endif
+
+# Workaround for PR#41556.
+# Avoid to use bsd_kqueue_apm, force to use bsd_apm instead.
+.if ${OPSYS} == "NetBSD"
+CONFIGURE_ENV+=		ac_cv_header_sys_event_h=no
+.endif
+
+INSTALLATION_DIRS+=	lib/xorg/modules/drivers lib/xorg/modules/input
+
+BUILDLINK_API_DEPENDS.MesaLib+=		MesaLib>=7.8.0<10
+BUILDLINK_API_DEPENDS.compositeproto+=	compositeproto>=0.4
+BUILDLINK_API_DEPENDS.fixesproto+=	fixesproto>=5.0
+BUILDLINK_API_DEPENDS.damageproto+=	damageproto>=1.1
+BUILDLINK_API_DEPENDS.xcmiscproto+=	xcmiscproto>=1.2.0
+BUILDLINK_API_DEPENDS.xtrans+=		xtrans>=1.2.2
+BUILDLINK_API_DEPENDS.bigreqsproto+=	bigreqsproto>=1.1.0
+BUILDLINK_API_DEPENDS.xproto+=		xproto>=7.0.22
+BUILDLINK_API_DEPENDS.xextproto+=	xextproto>=7.1.99
+BUILDLINK_API_DEPENDS.recordproto+=	recordproto>=1.13.99.1
+BUILDLINK_API_DEPENDS.scrnsaverproto+=	scrnsaverproto>=1.1
+BUILDLINK_API_DEPENDS.resourceproto+=	resourceproto>=1.2.0
+BUILDLINK_API_DEPENDS.dri+=		dri>=7.8
+BUILDLINK_API_DEPENDS.xfont+=		xfont>=1.4.2
+BUILDLINK_API_DEPENDS.glproto+=		glproto>=1.4.16
+BUILDLINK_API_DEPENDS.inputproto+=	inputproto>=2.1.99.6
+BUILDLINK_API_DEPENDS.kbproto+=		kbproto>=1.0.3
+BUILDLINK_API_DEPENDS.pixman+=		pixman>=0.21.8
+BUILDLINK_API_DEPENDS.randrproto+=	randrproto>=1.4.0
+BUILDLINK_API_DEPENDS.renderproto+=	renderproto>=0.11
+BUILDLINK_API_DEPENDS.xf86dgaproto+=	xf86dgaproto>=2.0.3
+BUILDLINK_API_DEPENDS.xf86driproto+=	xf86driproto>=2.1.0
+
+BUILD_DEPENDS+=		tradcpp-[0-9]*:../../devel/tradcpp
+CONFIGURE_ENV+=		ac_cv_path_RAWCPP="${PREFIX}/bin/tradcpp -Uunix"
+
+.include "options.mk"
+
+.include "../../devel/ncurses/buildlink3.mk"
+.include "../../devel/zlib/buildlink3.mk"
+.include "../../fonts/libfontenc/buildlink3.mk"
+.include "../../graphics/MesaLib/buildlink3.mk"
+.include "../../security/openssl/buildlink3.mk"
+BUILDLINK_API_DEPENDS.libpciaccess+=	libpciaccess>=0.11.0
+BUILDLINK_DEPMETHOD.libpciaccess=	full
+.include "../../sysutils/libpciaccess/buildlink3.mk"
+.include "../../x11/bigreqsproto/buildlink3.mk"
+.include "../../x11/compositeproto/buildlink3.mk"
+.include "../../x11/damageproto/buildlink3.mk"
+.include "../../x11/dri2proto/buildlink3.mk"
+.include "../../x11/evieext/buildlink3.mk"
+.include "../../x11/fixesproto/buildlink3.mk"
+.include "../../x11/fontsproto/buildlink3.mk"
+.include "../../x11/glproto/buildlink3.mk"
+.include "../../x11/inputproto/buildlink3.mk"
+.include "../../x11/libX11/buildlink3.mk"
+.include "../../x11/libXau/buildlink3.mk"
+.include "../../x11/libXaw/buildlink3.mk"
+BUILDLINK_API_DEPENDS.libXext+=	libXext>=1.1.1
+.include "../../x11/libXext/buildlink3.mk"
+.include "../../x11/libXfixes/buildlink3.mk"
+.include "../../x11/libXfont/buildlink3.mk"
+.include "../../x11/libXt/buildlink3.mk"
+.include "../../x11/libXxf86misc/buildlink3.mk"
+.include "../../x11/libXxf86vm/buildlink3.mk"
+.include "../../x11/libXinerama/buildlink3.mk"
+.include "../../x11/libdrm/buildlink3.mk"
+.include "../../x11/libxkbfile/buildlink3.mk"
+.include "../../x11/libxkbui/buildlink3.mk"
+.include "../../x11/pixman/buildlink3.mk"
+.include "../../x11/randrproto/buildlink3.mk"
+.include "../../x11/recordproto/buildlink3.mk"
+.include "../../x11/renderproto/buildlink3.mk"
+.include "../../x11/resourceproto/buildlink3.mk"
+.include "../../x11/scrnsaverproto/buildlink3.mk"
+.include "../../x11/trapproto/buildlink3.mk"
+.include "../../x11/videoproto/buildlink3.mk"
+.include "../../x11/xcmiscproto/buildlink3.mk"
+.include "../../x11/xextproto/buildlink3.mk"
+.include "../../x11/kbproto/buildlink3.mk"
+.include "../../x11/xf86bigfontproto/buildlink3.mk"
+.include "../../x11/xf86dgaproto/buildlink3.mk"
+.include "../../x11/xf86driproto/buildlink3.mk"
+.include "../../x11/xf86miscproto/buildlink3.mk"
+.include "../../x11/xf86vidmodeproto/buildlink3.mk"
+.include "../../x11/xineramaproto/buildlink3.mk"
+.include "../../x11/xproto/buildlink3.mk"
+.include "../../x11/xtrans/buildlink3.mk"
+
+.include "../../mk/bsd.pkg.mk"

x11/modular-xorg-server112/PLIST

@@ -0,0 +1,213 @@
+@comment $NetBSD: PLIST,v 1.1 2015/04/03 09:46:18 tnn Exp $
+bin/X
+bin/Xnest
+bin/Xorg
+bin/Xvfb
+bin/cvt
+bin/gtf
+include/xorg/BT.h
+include/xorg/IBM.h
+include/xorg/TI.h
+include/xorg/XIstubs.h
+include/xorg/Xprintf.h
+include/xorg/bt829.h
+include/xorg/callback.h
+include/xorg/client.h
+include/xorg/closestr.h
+include/xorg/closure.h
+include/xorg/colormap.h
+include/xorg/colormapst.h
+include/xorg/compiler.h
+include/xorg/compositeext.h
+include/xorg/cursor.h
+include/xorg/cursorstr.h
+include/xorg/damage.h
+include/xorg/damagestr.h
+include/xorg/dbestruct.h
+include/xorg/dgaproc.h
+include/xorg/dix.h
+include/xorg/dixaccess.h
+include/xorg/dixevents.h
+include/xorg/dixfont.h
+include/xorg/dixfontstr.h
+include/xorg/dixgrabs.h
+include/xorg/dixstruct.h
+${PLIST.dri}include/xorg/dri.h
+include/xorg/dri2.h
+${PLIST.dri}include/xorg/dristruct.h
+include/xorg/edid.h
+include/xorg/events.h
+include/xorg/exa.h
+include/xorg/exevents.h
+include/xorg/extension.h
+include/xorg/extinit.h
+include/xorg/extnsionst.h
+include/xorg/fb.h
+include/xorg/fbdevhw.h
+include/xorg/fboverlay.h
+include/xorg/fbpict.h
+include/xorg/fbrop.h
+include/xorg/fi1236.h
+include/xorg/fourcc.h
+include/xorg/gc.h
+include/xorg/gcstruct.h
+include/xorg/geext.h
+include/xorg/geint.h
+include/xorg/globals.h
+include/xorg/glyphstr.h
+include/xorg/hotplug.h
+include/xorg/i2c_def.h
+include/xorg/input.h
+include/xorg/inputstr.h
+include/xorg/list.h
+include/xorg/mi.h
+include/xorg/mibstore.h
+include/xorg/micmap.h
+include/xorg/micoord.h
+include/xorg/mifillarc.h
+include/xorg/mifpoly.h
+include/xorg/migc.h
+include/xorg/miline.h
+include/xorg/mioverlay.h
+include/xorg/mipict.h
+include/xorg/mipointer.h
+include/xorg/mipointrst.h
+include/xorg/misc.h
+include/xorg/miscstruct.h
+include/xorg/mispans.h
+include/xorg/mistruct.h
+include/xorg/misync.h
+include/xorg/misyncstr.h
+include/xorg/miwideline.h
+include/xorg/mizerarc.h
+include/xorg/msp3430.h
+include/xorg/opaque.h
+include/xorg/optionstr.h
+include/xorg/os.h
+include/xorg/panoramiX.h
+include/xorg/panoramiXsrv.h
+include/xorg/picture.h
+include/xorg/picturestr.h
+include/xorg/pixmap.h
+include/xorg/pixmapstr.h
+include/xorg/privates.h
+include/xorg/property.h
+include/xorg/propertyst.h
+include/xorg/ptrveloc.h
+include/xorg/randrstr.h
+include/xorg/region.h
+include/xorg/regionstr.h
+include/xorg/registry.h
+include/xorg/resource.h
+include/xorg/rgb.h
+include/xorg/rrtransform.h
+${PLIST.dri}include/xorg/sarea.h
+include/xorg/screenint.h
+include/xorg/scrnintstr.h
+include/xorg/selection.h
+include/xorg/servermd.h
+include/xorg/shadow.h
+include/xorg/shadowfb.h
+include/xorg/shmint.h
+include/xorg/site.h
+${PLIST.sunos}include/xorg/solaris-${SUNOS_ARCH}.il
+include/xorg/swaprep.h
+include/xorg/swapreq.h
+include/xorg/syncsdk.h
+include/xorg/tda8425.h
+include/xorg/tda9850.h
+include/xorg/tda9885.h
+include/xorg/uda1380.h
+include/xorg/validate.h
+include/xorg/vbe.h
+include/xorg/vbeModes.h
+include/xorg/vgaHW.h
+include/xorg/vidmodeproc.h
+include/xorg/wfbrename.h
+include/xorg/window.h
+include/xorg/windowstr.h
+include/xorg/xaarop.h
+include/xorg/xaa.h
+include/xorg/xaalocal.h
+include/xorg/xace.h
+include/xorg/xacestr.h
+include/xorg/xf86.h
+include/xorg/xf86Crtc.h
+include/xorg/xf86Cursor.h
+include/xorg/xf86DDC.h
+include/xorg/xf86Modes.h
+include/xorg/xf86Module.h
+include/xorg/xf86Opt.h
+include/xorg/xf86Optionstr.h
+include/xorg/xf86Optrec.h
+include/xorg/xf86Parser.h
+include/xorg/xf86Pci.h
+include/xorg/xf86PciInfo.h
+include/xorg/xf86Priv.h
+include/xorg/xf86Privstr.h
+include/xorg/xf86RamDac.h
+include/xorg/xf86RandR12.h
+include/xorg/xf86Rename.h
+include/xorg/xf86VGAarbiter.h
+include/xorg/xf86Xinput.h
+include/xorg/xf86_OSlib.h
+include/xorg/xf86_OSproc.h
+include/xorg/xf86cmap.h
+include/xorg/xf86fbman.h
+include/xorg/xf86i2c.h
+include/xorg/xf86int10.h
+include/xorg/xf86sbusBus.h
+include/xorg/xf86str.h
+include/xorg/xf86xv.h
+include/xorg/xf86xvmc.h
+include/xorg/xf86xvpriv.h
+include/xorg/xfixes.h
+include/xorg/xisb.h
+include/xorg/xkbfile.h
+include/xorg/xkbrules.h
+include/xorg/xkbsrv.h
+include/xorg/xkbstr.h
+include/xorg/xorg-server.h
+include/xorg/xorgVersion.h
+include/xorg/xserver-properties.h
+include/xorg/xvdix.h
+include/xorg/xvmcext.h
+lib/pkgconfig/xorg-server.pc
+${PLIST.dri}lib/xorg/modules/extensions/libdbe.la
+${PLIST.dri}lib/xorg/modules/extensions/libdri.la
+${PLIST.dri}lib/xorg/modules/extensions/libdri2.la
+${PLIST.dri}lib/xorg/modules/extensions/libextmod.la
+${PLIST.dri}lib/xorg/modules/extensions/libglx.la
+${PLIST.dri}lib/xorg/modules/extensions/librecord.la
+lib/xorg/modules/libexa.la
+lib/xorg/modules/libfb.la
+lib/xorg/modules/libfbdevhw.la
+lib/xorg/modules/libint10.la
+lib/xorg/modules/libshadow.la
+lib/xorg/modules/libshadowfb.la
+lib/xorg/modules/libvbe.la
+lib/xorg/modules/libvgahw.la
+lib/xorg/modules/libwfb.la
+lib/xorg/modules/libxaa.la
+lib/xorg/modules/multimedia/bt829_drv.la
+lib/xorg/modules/multimedia/fi1236_drv.la
+lib/xorg/modules/multimedia/msp3430_drv.la
+lib/xorg/modules/multimedia/tda8425_drv.la
+lib/xorg/modules/multimedia/tda9850_drv.la
+lib/xorg/modules/multimedia/tda9885_drv.la
+lib/xorg/modules/multimedia/uda1380_drv.la
+lib/xorg/protocol.txt
+man/man1/Xnest.1
+man/man1/Xorg.1
+man/man1/Xserver.1
+man/man1/Xvfb.1
+man/man1/cvt.1
+man/man1/gtf.1
+man/man4/exa.4
+man/man4/fbdevhw.4
+man/man5/xorg.conf.5
+man/man5/xorg.conf.d.5
+share/aclocal/xorg-server.m4
+${PLIST.dtrace}share/doc/xorg-server/Xserver-DTrace.xml
+@pkgdir lib/xorg/modules/input
+@pkgdir lib/xorg/modules/drivers

x11/modular-xorg-server112/distinfo

@@ -0,0 +1,68 @@
+$NetBSD: distinfo,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+SHA1 (xorg-server-1.12.4.tar.bz2) = 6d616874f9c7677bda08dc073c03f83e78fbc585
+RMD160 (xorg-server-1.12.4.tar.bz2) = 4907b5dc42efd6b3fb6bf9d64f1441080a6a6983
+Size (xorg-server-1.12.4.tar.bz2) = 5444761 bytes
+SHA1 (patch-Xext_xcmisc.c) = 8bf7ff8c928b14f6e98d2f1240ea5736bcf43021
+SHA1 (patch-Xext_xvdisp.c) = 5c85a221d11f9893bc68d223cf75e63c00586a9f
+SHA1 (patch-Xi_chgdctl.c) = 0bba99d4fe90832d9f364aa4d2eef4ba7f18ff24
+SHA1 (patch-Xi_chgfctl.c) = 1fb0fb890fc28e5374a00cc29aeee8ae1401f41c
+SHA1 (patch-Xi_sendexev.c) = 387d7382ad31b85530cdfb068831b29cf2f15755
+SHA1 (patch-Xi_xiallowev.c) = 4d10addbd669bd3b867b6e209e876806c402f3e2
+SHA1 (patch-Xi_xichangecursor.c) = f123415ca0b481bca7f43731992d8ce3ef842aac
+SHA1 (patch-Xi_xichangehierarchy.c) = 35ac279d2f7c4ed57bc583df2067a13c1dbee1bf
+SHA1 (patch-Xi_xigetclientpointer.c) = 7bac39459d98cf13fcd33582a594f67c53936881
+SHA1 (patch-Xi_xigrabdev.c) = 882474440142ffd1874b018d2cb3bceeff3c12ce
+SHA1 (patch-Xi_xipassivegrab.c) = 2a8c97b5e963ae48711db4e9e6c1e7fc6d49d645
+SHA1 (patch-Xi_xiproperty.c) = ba3fd9f9305f95ecf616cea5b221aa2a5de03096
+SHA1 (patch-Xi_xiquerydevice.c) = 33d70ace5b969521e573eb4ce416185b910374db
+SHA1 (patch-Xi_xiquerypointer.c) = e9dc180b4697d7a519d470e4f879a61dd64be2f2
+SHA1 (patch-Xi_xiselectev.c) = a17d893af3855f8676f4747defcb2b6866db0ec6
+SHA1 (patch-Xi_xisetclientpointer.c) = 3e1c4c7087383474f39362f9b53bc449d35b28ee
+SHA1 (patch-Xi_xisetdevfocus.c) = add3a8f096fa90c9966128f8641e447c570a8a11
+SHA1 (patch-Xi_xiwarppointer.c) = 0567dcc1ff2f8de4fa5caf865edd084611ff8c5c
+SHA1 (patch-configure) = 031bc0accf1dd71ed687e7aac3fcc9498cb06784
+SHA1 (patch-configure.ac) = c7dc061377e3bb25425ad3f418c40a45a0e55440
+SHA1 (patch-dbe_dbe.c) = 7c31812b30613b42e509677b6a430d261046a77a
+SHA1 (patch-dix_dispatch.c) = 454ce12b27d3906b22f32d7d4c1a3a6a6fb549e3
+SHA1 (patch-dix_dixfonts.c) = 2f1fd51c538eab12c06b85c4ddab18af25338174
+SHA1 (patch-dix_region.c) = 0a7fe6f67c4780c003f1e662be20e2294a7562f2
+SHA1 (patch-exa_exa__render.c) = e20fd4a8d30162d3d7b084ed2dbd46779387f25a
+SHA1 (patch-glx_glxcmds.c) = 2566885001178f47eb151a2ef84450b60137f3c1
+SHA1 (patch-glx_glxcmdsswap.c) = b9a0d5386ba928d2db95885f0b68414ffbae71ef
+SHA1 (patch-glx_glxserver.h) = 47bd1cc49dbf761c042f00adc6db8cec2a038501
+SHA1 (patch-glx_indirect__program.c) = fb49f91690ff3488e11f4708f23aaa358f98d40c
+SHA1 (patch-glx_indirect__reqsize.c) = 0b0305bb8b6a215f0e7548bf85ea571bed8df00b
+SHA1 (patch-glx_indirect__reqsize.h) = fa963a97083dc5b0cf6f80b76905ce1f21ea0d5e
+SHA1 (patch-glx_indirect__texture__compression.c) = b2af15e99e65c7f43a0218f6813b5bd4407618ea
+SHA1 (patch-glx_indirect__util.c) = 182c3c5768e87118ace979304a350c137a1119db
+SHA1 (patch-glx_rensize.c) = 574c5bf883ba9046e5cab52c0bd2919440ad1460
+SHA1 (patch-glx_single2.c) = 05cd1c9ba051561d68a28e23af7a5e7aaa942b82
+SHA1 (patch-glx_single2swap.c) = 900787c9b5e5f842141ea146f1b06740cfa7aa81
+SHA1 (patch-glx_singlepix.c) = 72ac42939b37ae0d57fc06453344ca76cdf2c856
+SHA1 (patch-glx_singlepixswap.c) = 1e3d54d3082a59d21edd81276980b953efc39ebb
+SHA1 (patch-glx_swap__interval.c) = 2ff4e2e7d2793dd8558b04c1f72abfa81998f2c6
+SHA1 (patch-glx_unpack.h) = 5ae5c10c93835cb51c08f5dae05c5a5e2afaad98
+SHA1 (patch-hw_xfree86_common_compiler.h) = 88de747715b80b22f448869ab32dce1641bcb6db
+SHA1 (patch-hw_xfree86_dri2_dri2.c) = 32a8c309f9ae417c99fe81b6a9c3b1f402880981
+SHA1 (patch-hw_xfree86_dri2_dri2ext.c) = bc2b57e4bef5ae386d1d3a015c01d243f8880ab4
+SHA1 (patch-hw_xfree86_os-support_xf86__OSlib.h) = 7c2760509610b44915da077b22899bef9c338cc1
+SHA1 (patch-include_dix.h) = ab0dc2debd87f29c0ac7f971a3cad4850b239c3a
+SHA1 (patch-include_regionstr.h) = c6f3e3b263593b622e7087d3ebe2b470cf9526e3
+SHA1 (patch-os_access.c) = 94ee087d68bc9ba713dbe42102f971a1b8e6a3c4
+SHA1 (patch-os_rpcauth.c) = 6617d5ef0e3cc5e9e10cd8db74f87e347e52ebe3
+SHA1 (patch-randr_randr.c) = e8d2b72f8230a2a8a6ade47f5459ec9b0849ed0b
+SHA1 (patch-randr_randrstr.h) = f634438dda61111b3bf3b77580951a638fbdea10
+SHA1 (patch-randr_rrsdispatch.c) = 13a2e819fea3ab8fa4caee7f9450a518ac41e517
+SHA1 (patch-render_picture.h) = ec7085022e2c896daaa91378632003aabd957f5e
+SHA1 (patch-render_render.c) = f86496fc392681d2fba3c50bbd37b24b78bed682
+SHA1 (patch-test_Makefile.am) = 77caa0c25103307d5bd30178f72e552dbae9555a
+SHA1 (patch-test_misc.c) = 1615c03ceb595fa976a571455723665025c14aa0
+SHA1 (patch-test_xi1_Makefile.am) = c5b7a86f6b4e8381c3063fa840de5e238a5877a4
+SHA1 (patch-test_xi1_protocol-xchangedevicecontrol.c) = e3efd2a5e8f93f6acf2f561451ca3d26a70ad826
+SHA1 (patch-test_xi2_protocol-xigetclientpointer.c) = e2eb3995d0bae797ba86d81165930dcd7365c74d
+SHA1 (patch-test_xi2_protocol-xipassivegrabdevice.c) = 503566a73fe797a98f637fb9dd497d55e7e7db1d
+SHA1 (patch-test_xi2_protocol-xiquerypointer.c) = 6594dff2bccac46aa4b8aec7c517d122517407ad
+SHA1 (patch-test_xi2_protocol-xiwarppointer.c) = fda57d72b963890478e8e78dfbe2864eb51971d2
+SHA1 (patch-xfixes_select.c) = 0f0dac08732a54112a2f0a7b3f1393a28fbfd8bc
+SHA1 (patch-xkb_xkb.c) = 95861e071546428ab5ada2365e2b8201f238577c

x11/modular-xorg-server112/options.mk

@@ -0,0 +1,41 @@
+# $NetBSD: options.mk,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+PKG_OPTIONS_VAR=	PKG_OPTIONS.modular-xorg-server
+PKG_SUPPORTED_OPTIONS=	dri inet6 debug dtrace
+PKG_SUGGESTED_OPTIONS=	dri inet6
+
+.include "../../mk/bsd.options.mk"
+
+PLIST_VARS+=		dri dtrace
+
+.if !empty(PKG_OPTIONS:Mdri)
+PLIST.dri=		yes
+CONFIGURE_ARGS+=	--enable-dri
+CONFIGURE_ARGS+=	--enable-glx
+CONFIGURE_ARGS+=	--enable-aiglx
+.else
+###
+### XXX Perhaps we should allow for a built-in glx without dri enabled?
+###
+CONFIGURE_ARGS+=	--disable-dri
+CONFIGURE_ARGS+=	--disable-glx
+.endif
+
+.if !empty(PKG_OPTIONS:Minet6)
+CONFIGURE_ARGS+=	--enable-ipv6
+.else
+CONFIGURE_ARGS+=	--disable-ipv6
+.endif
+
+.if !empty(PKG_OPTIONS:Mdebug)
+CONFIGURE_ARGS+=	--enable-debug
+CFLAGS+=		-ggdb
+.endif
+
+
+.if !empty(PKG_OPTIONS:Mdtrace)
+PLIST.dtrace=		yes
+CONFIGURE_ARGS+=	--with-dtrace
+.else
+CONFIGURE_ARGS+=	--without-dtrace
+.endif

x11/modular-xorg-server112/patches/patch-Xext_xcmisc.c

@@ -0,0 +1,15 @@
+$NetBSD: patch-Xext_xcmisc.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- Xext/xcmisc.c.orig	2012-05-17 17:09:01.000000000 +0000
++++ Xext/xcmisc.c
+@@ -161,6 +161,7 @@ static int
+ SProcXCMiscGetXIDList(ClientPtr client)
+ {
+     REQUEST(xXCMiscGetXIDListReq);
++    REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
+ 
+     swaps(&stuff->length);
+     swapl(&stuff->count);

x11/modular-xorg-server112/patches/patch-Xext_xvdisp.c

@@ -0,0 +1,167 @@
+$NetBSD: patch-Xext_xvdisp.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- Xext/xvdisp.c.orig	2012-05-17 17:09:01.000000000 +0000
++++ Xext/xvdisp.c
+@@ -1202,6 +1202,7 @@ static int
+ SProcXvQueryExtension(ClientPtr client)
+ {
+     REQUEST(xvQueryExtensionReq);
++    REQUEST_SIZE_MATCH(xvQueryExtensionReq);
+     swaps(&stuff->length);
+     return XvProcVector[xv_QueryExtension] (client);
+ }
+@@ -1210,6 +1211,7 @@ static int
+ SProcXvQueryAdaptors(ClientPtr client)
+ {
+     REQUEST(xvQueryAdaptorsReq);
++    REQUEST_SIZE_MATCH(xvQueryAdaptorsReq);
+     swaps(&stuff->length);
+     swapl(&stuff->window);
+     return XvProcVector[xv_QueryAdaptors] (client);
+@@ -1219,6 +1221,7 @@ static int
+ SProcXvQueryEncodings(ClientPtr client)
+ {
+     REQUEST(xvQueryEncodingsReq);
++    REQUEST_SIZE_MATCH(xvQueryEncodingsReq);
+     swaps(&stuff->length);
+     swapl(&stuff->port);
+     return XvProcVector[xv_QueryEncodings] (client);
+@@ -1228,6 +1231,7 @@ static int
+ SProcXvGrabPort(ClientPtr client)
+ {
+     REQUEST(xvGrabPortReq);
++    REQUEST_SIZE_MATCH(xvGrabPortReq);
+     swaps(&stuff->length);
+     swapl(&stuff->port);
+     swapl(&stuff->time);
+@@ -1238,6 +1242,7 @@ static int
+ SProcXvUngrabPort(ClientPtr client)
+ {
+     REQUEST(xvUngrabPortReq);
++    REQUEST_SIZE_MATCH(xvUngrabPortReq);
+     swaps(&stuff->length);
+     swapl(&stuff->port);
+     swapl(&stuff->time);
+@@ -1248,6 +1253,7 @@ static int
+ SProcXvPutVideo(ClientPtr client)
+ {
+     REQUEST(xvPutVideoReq);
++    REQUEST_SIZE_MATCH(xvPutVideoReq);
+     swaps(&stuff->length);
+     swapl(&stuff->port);
+     swapl(&stuff->drawable);
+@@ -1267,6 +1273,7 @@ static int
+ SProcXvPutStill(ClientPtr client)
+ {
+     REQUEST(xvPutStillReq);
++    REQUEST_SIZE_MATCH(xvPutStillReq);
+     swaps(&stuff->length);
+     swapl(&stuff->port);
+     swapl(&stuff->drawable);
+@@ -1286,6 +1293,7 @@ static int
+ SProcXvGetVideo(ClientPtr client)
+ {
+     REQUEST(xvGetVideoReq);
++    REQUEST_SIZE_MATCH(xvGetVideoReq);
+     swaps(&stuff->length);
+     swapl(&stuff->port);
+     swapl(&stuff->drawable);
+@@ -1305,6 +1313,7 @@ static int
+ SProcXvGetStill(ClientPtr client)
+ {
+     REQUEST(xvGetStillReq);
++    REQUEST_SIZE_MATCH(xvGetStillReq);
+     swaps(&stuff->length);
+     swapl(&stuff->port);
+     swapl(&stuff->drawable);
+@@ -1324,6 +1333,7 @@ static int
+ SProcXvPutImage(ClientPtr client)
+ {
+     REQUEST(xvPutImageReq);
++    REQUEST_AT_LEAST_SIZE(xvPutImageReq);
+     swaps(&stuff->length);
+     swapl(&stuff->port);
+     swapl(&stuff->drawable);
+@@ -1347,6 +1357,7 @@ static int
+ SProcXvShmPutImage(ClientPtr client)
+ {
+     REQUEST(xvShmPutImageReq);
++    REQUEST_SIZE_MATCH(xvShmPutImageReq);
+     swaps(&stuff->length);
+     swapl(&stuff->port);
+     swapl(&stuff->drawable);
+@@ -1374,6 +1385,7 @@ static int
+ SProcXvSelectVideoNotify(ClientPtr client)
+ {
+     REQUEST(xvSelectVideoNotifyReq);
++    REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq);
+     swaps(&stuff->length);
+     swapl(&stuff->drawable);
+     return XvProcVector[xv_SelectVideoNotify] (client);
+@@ -1383,6 +1395,7 @@ static int
+ SProcXvSelectPortNotify(ClientPtr client)
+ {
+     REQUEST(xvSelectPortNotifyReq);
++    REQUEST_SIZE_MATCH(xvSelectPortNotifyReq);
+     swaps(&stuff->length);
+     swapl(&stuff->port);
+     return XvProcVector[xv_SelectPortNotify] (client);
+@@ -1392,6 +1405,7 @@ static int
+ SProcXvStopVideo(ClientPtr client)
+ {
+     REQUEST(xvStopVideoReq);
++    REQUEST_SIZE_MATCH(xvStopVideoReq);
+     swaps(&stuff->length);
+     swapl(&stuff->port);
+     swapl(&stuff->drawable);
+@@ -1402,6 +1416,7 @@ static int
+ SProcXvSetPortAttribute(ClientPtr client)
+ {
+     REQUEST(xvSetPortAttributeReq);
++    REQUEST_SIZE_MATCH(xvSetPortAttributeReq);
+     swaps(&stuff->length);
+     swapl(&stuff->port);
+     swapl(&stuff->attribute);
+@@ -1413,6 +1428,7 @@ static int
+ SProcXvGetPortAttribute(ClientPtr client)
+ {
+     REQUEST(xvGetPortAttributeReq);
++    REQUEST_SIZE_MATCH(xvGetPortAttributeReq);
+     swaps(&stuff->length);
+     swapl(&stuff->port);
+     swapl(&stuff->attribute);
+@@ -1423,6 +1439,7 @@ static int
+ SProcXvQueryBestSize(ClientPtr client)
+ {
+     REQUEST(xvQueryBestSizeReq);
++    REQUEST_SIZE_MATCH(xvQueryBestSizeReq);
+     swaps(&stuff->length);
+     swapl(&stuff->port);
+     swaps(&stuff->vid_w);
+@@ -1436,6 +1453,7 @@ static int
+ SProcXvQueryPortAttributes(ClientPtr client)
+ {
+     REQUEST(xvQueryPortAttributesReq);
++    REQUEST_SIZE_MATCH(xvQueryPortAttributesReq);
+     swaps(&stuff->length);
+     swapl(&stuff->port);
+     return XvProcVector[xv_QueryPortAttributes] (client);
+@@ -1445,6 +1463,7 @@ static int
+ SProcXvQueryImageAttributes(ClientPtr client)
+ {
+     REQUEST(xvQueryImageAttributesReq);
++    REQUEST_SIZE_MATCH(xvQueryImageAttributesReq);
+     swaps(&stuff->length);
+     swapl(&stuff->port);
+     swapl(&stuff->id);
+@@ -1457,6 +1476,7 @@ static int
+ SProcXvListImageFormats(ClientPtr client)
+ {
+     REQUEST(xvListImageFormatsReq);
++    REQUEST_SIZE_MATCH(xvListImageFormatsReq);
+     swaps(&stuff->length);
+     swapl(&stuff->port);
+     return XvProcVector[xv_ListImageFormats] (client);

x11/modular-xorg-server112/patches/patch-Xi_chgdctl.c

@@ -0,0 +1,36 @@
+$NetBSD: patch-Xi_chgdctl.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- Xi/chgdctl.c.orig	2012-05-17 17:09:01.000000000 +0000
++++ Xi/chgdctl.c
+@@ -78,7 +78,7 @@ SProcXChangeDeviceControl(ClientPtr clie
+ 
+     REQUEST(xChangeDeviceControlReq);
+     swaps(&stuff->length);
+-    REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
++    REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
+     swaps(&stuff->control);
+     ctl = (xDeviceCtl *) &stuff[1];
+     swaps(&ctl->control);
+@@ -116,7 +116,7 @@ ProcXChangeDeviceControl(ClientPtr clien
+     devicePresenceNotify dpn;
+ 
+     REQUEST(xChangeDeviceControlReq);
+-    REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
++    REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
+ 
+     len = stuff->length - bytes_to_int32(sizeof(xChangeDeviceControlReq));
+     ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
+@@ -184,6 +184,10 @@ ProcXChangeDeviceControl(ClientPtr clien
+         break;
+     case DEVICE_ENABLE:
+         e = (xDeviceEnableCtl *) &stuff[1];
++        if ((len != bytes_to_int32(sizeof(xDeviceEnableCtl)))) {
++            ret = BadLength;
++            goto out;
++        }
+ 
+         status = ChangeDeviceControl(client, dev, (xDeviceCtl *) e);
+ 

x11/modular-xorg-server112/patches/patch-Xi_chgfctl.c

@@ -0,0 +1,16 @@
+$NetBSD: patch-Xi_chgfctl.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- Xi/chgfctl.c.orig	2012-05-17 17:09:01.000000000 +0000
++++ Xi/chgfctl.c
+@@ -467,6 +467,8 @@ ProcXChangeFeedbackControl(ClientPtr cli
+         xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
+ 
+         if (client->swapped) {
++            if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
++                return BadLength;
+             swaps(&f->num_keysyms);
+         }
+         if (len !=

x11/modular-xorg-server112/patches/patch-Xi_sendexev.c

@@ -0,0 +1,17 @@
+$NetBSD: patch-Xi_sendexev.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- Xi/sendexev.c.orig	2012-05-17 17:09:01.000000000 +0000
++++ Xi/sendexev.c
+@@ -135,6 +135,9 @@ ProcXSendExtensionEvent(ClientPtr client
+     if (ret != Success)
+         return ret;
+ 
++    if (stuff->num_events == 0)
++        return ret;
++
+     /* The client's event type must be one defined by an extension. */
+ 
+     first = ((xEvent *) &stuff[1]);

x11/modular-xorg-server112/patches/patch-Xi_xiallowev.c

@@ -0,0 +1,23 @@
+$NetBSD: patch-Xi_xiallowev.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- Xi/xiallowev.c.orig	2012-05-17 17:09:01.000000000 +0000
++++ Xi/xiallowev.c
+@@ -48,6 +48,7 @@ int
+ SProcXIAllowEvents(ClientPtr client)
+ {
+     REQUEST(xXIAllowEventsReq);
++    REQUEST_AT_LEAST_SIZE(xXIAllowEventsReq);
+ 
+     swaps(&stuff->length);
+     swaps(&stuff->deviceid);
+@@ -55,6 +56,7 @@ SProcXIAllowEvents(ClientPtr client)
+     if (stuff->length > 3) {
+         xXI2_2AllowEventsReq *req_xi22 = (xXI2_2AllowEventsReq *) stuff;
+ 
++        REQUEST_AT_LEAST_SIZE(xXI2_2AllowEventsReq);
+         swapl(&req_xi22->touchid);
+         swapl(&req_xi22->grab_window);
+     }

x11/modular-xorg-server112/patches/patch-Xi_xichangecursor.c

@@ -0,0 +1,20 @@
+$NetBSD: patch-Xi_xichangecursor.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- Xi/xichangecursor.c.orig	2012-05-17 17:09:01.000000000 +0000
++++ Xi/xichangecursor.c
+@@ -57,11 +57,11 @@ int
+ SProcXIChangeCursor(ClientPtr client)
+ {
+     REQUEST(xXIChangeCursorReq);
++    REQUEST_SIZE_MATCH(xXIChangeCursorReq);
+     swaps(&stuff->length);
+     swapl(&stuff->win);
+     swapl(&stuff->cursor);
+     swaps(&stuff->deviceid);
+-    REQUEST_SIZE_MATCH(xXIChangeCursorReq);
+     return (ProcXIChangeCursor(client));
+ }
+ 

x11/modular-xorg-server112/patches/patch-Xi_xichangehierarchy.c

@@ -0,0 +1,97 @@
+$NetBSD: patch-Xi_xichangehierarchy.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- Xi/xichangehierarchy.c.orig	2012-05-17 17:09:01.000000000 +0000
++++ Xi/xichangehierarchy.c
+@@ -407,7 +407,7 @@ int
+ ProcXIChangeHierarchy(ClientPtr client)
+ {
+     xXIAnyHierarchyChangeInfo *any;
+-    int required_len = sizeof(xXIChangeHierarchyReq);
++    size_t len;			/* length of data remaining in request */
+     int rc = Success;
+     int flags[MAXDEVICES] = { 0 };
+ 
+@@ -417,21 +417,46 @@ ProcXIChangeHierarchy(ClientPtr client)
+     if (!stuff->num_changes)
+         return rc;
+ 
++    if (stuff->length > (INT_MAX >> 2))
++        return BadAlloc;
++    len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
++
+     any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
+     while (stuff->num_changes--) {
++        if (len < sizeof(xXIAnyHierarchyChangeInfo)) {
++            rc = BadLength;
++            goto unwind;
++        }
++
+         SWAPIF(swaps(&any->type));
+         SWAPIF(swaps(&any->length));
+ 
+-        required_len += any->length;
+-        if ((stuff->length * 4) < required_len)
++        if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2)))
+             return BadLength;
+ 
++#define CHANGE_SIZE_MATCH(type) \
++    do { \
++        if ((len < sizeof(type)) || (any->length != (sizeof(type) >> 2))) { \
++            rc = BadLength; \
++            goto unwind; \
++        } \
++    } while(0)
++
+         switch (any->type) {
+         case XIAddMaster:
+         {
+             xXIAddMasterInfo *c = (xXIAddMasterInfo *) any;
+ 
++            /* Variable length, due to appended name string */
++            if (len < sizeof(xXIAddMasterInfo)) {
++                rc = BadLength;
++                goto unwind;
++            }
+             SWAPIF(swaps(&c->name_len));
++            if (c->name_len > (len - sizeof(xXIAddMasterInfo))) {
++                rc = BadLength;
++                goto unwind;
++            }
+ 
+             rc = add_master(client, c, flags);
+             if (rc != Success)
+@@ -442,6 +467,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+         {
+             xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
+ 
++            CHANGE_SIZE_MATCH(xXIRemoveMasterInfo);
+             rc = remove_master(client, r, flags);
+             if (rc != Success)
+                 goto unwind;
+@@ -451,6 +477,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+         {
+             xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
+ 
++            CHANGE_SIZE_MATCH(xXIDetachSlaveInfo);
+             rc = detach_slave(client, c, flags);
+             if (rc != Success)
+                 goto unwind;
+@@ -460,6 +487,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+         {
+             xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
+ 
++            CHANGE_SIZE_MATCH(xXIAttachSlaveInfo);
+             rc = attach_slave(client, c, flags);
+             if (rc != Success)
+                 goto unwind;
+@@ -467,6 +495,7 @@ ProcXIChangeHierarchy(ClientPtr client)
+             break;
+         }
+ 
++        len -= any->length * 4;
+         any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
+     }
+ 

x11/modular-xorg-server112/patches/patch-Xi_xigetclientpointer.c

@@ -0,0 +1,15 @@
+$NetBSD: patch-Xi_xigetclientpointer.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- Xi/xigetclientpointer.c.orig	2012-05-17 17:09:01.000000000 +0000
++++ Xi/xigetclientpointer.c
+@@ -50,6 +50,7 @@ int
+ SProcXIGetClientPointer(ClientPtr client)
+ {
+     REQUEST(xXIGetClientPointerReq);
++    REQUEST_SIZE_MATCH(xXIGetClientPointerReq);
+ 
+     swaps(&stuff->length);
+     swapl(&stuff->win);

x11/modular-xorg-server112/patches/patch-Xi_xigrabdev.c

@@ -0,0 +1,44 @@
+$NetBSD: patch-Xi_xigrabdev.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- Xi/xigrabdev.c.orig	2012-05-17 17:09:01.000000000 +0000
++++ Xi/xigrabdev.c
+@@ -47,6 +47,11 @@ int
+ SProcXIGrabDevice(ClientPtr client)
+ {
+     REQUEST(xXIGrabDeviceReq);
++    /*
++     * Check here for at least the length of the struct we swap, then
++     * let ProcXIGrabDevice check the full size after we swap mask_len.
++     */
++    REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
+ 
+     swaps(&stuff->length);
+     swaps(&stuff->deviceid);
+@@ -69,7 +74,7 @@ ProcXIGrabDevice(ClientPtr client)
+     int mask_len;
+ 
+     REQUEST(xXIGrabDeviceReq);
+-    REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
++    REQUEST_FIXED_SIZE(xXIGrabDeviceReq, ((size_t) stuff->mask_len) * 4);
+ 
+     ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess);
+     if (ret != Success)
+@@ -118,6 +123,7 @@ int
+ SProcXIUngrabDevice(ClientPtr client)
+ {
+     REQUEST(xXIUngrabDeviceReq);
++    REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
+ 
+     swaps(&stuff->length);
+     swaps(&stuff->deviceid);
+@@ -135,6 +141,7 @@ ProcXIUngrabDevice(ClientPtr client)
+     TimeStamp time;
+ 
+     REQUEST(xXIUngrabDeviceReq);
++    REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
+ 
+     ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGetAttrAccess);
+     if (ret != Success)

x11/modular-xorg-server112/patches/patch-Xi_xipassivegrab.c

@@ -0,0 +1,61 @@
+$NetBSD: patch-Xi_xipassivegrab.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- Xi/xipassivegrab.c.orig	2012-05-17 17:09:01.000000000 +0000
++++ Xi/xipassivegrab.c
+@@ -53,6 +53,7 @@ SProcXIPassiveGrabDevice(ClientPtr clien
+     xXIModifierInfo *mods;
+ 
+     REQUEST(xXIPassiveGrabDeviceReq);
++    REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
+ 
+     swaps(&stuff->length);
+     swaps(&stuff->deviceid);
+@@ -63,6 +64,8 @@ SProcXIPassiveGrabDevice(ClientPtr clien
+     swaps(&stuff->mask_len);
+     swaps(&stuff->num_modifiers);
+ 
++    REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
++        ((uint32_t) stuff->mask_len + stuff->num_modifiers) *4);
+     mods = (xXIModifierInfo *) &stuff[1];
+ 
+     for (i = 0; i < stuff->num_modifiers; i++, mods++) {
+@@ -88,7 +91,8 @@ ProcXIPassiveGrabDevice(ClientPtr client
+     int mask_len;
+ 
+     REQUEST(xXIPassiveGrabDeviceReq);
+-    REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
++    REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
++        ((uint32_t) stuff->mask_len + stuff->num_modifiers) * 4);
+ 
+     if (stuff->deviceid == XIAllDevices)
+         dev = inputInfo.all_devices;
+@@ -250,6 +254,7 @@ SProcXIPassiveUngrabDevice(ClientPtr cli
+     uint32_t *modifiers;
+ 
+     REQUEST(xXIPassiveUngrabDeviceReq);
++    REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
+ 
+     swaps(&stuff->length);
+     swapl(&stuff->grab_window);
+@@ -257,6 +262,8 @@ SProcXIPassiveUngrabDevice(ClientPtr cli
+     swapl(&stuff->detail);
+     swaps(&stuff->num_modifiers);
+ 
++    REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
++                       ((uint32_t) stuff->num_modifiers) << 2);
+     modifiers = (uint32_t *) &stuff[1];
+ 
+     for (i = 0; i < stuff->num_modifiers; i++, modifiers++)
+@@ -275,7 +282,8 @@ ProcXIPassiveUngrabDevice(ClientPtr clie
+     int i, rc;
+ 
+     REQUEST(xXIPassiveUngrabDeviceReq);
+-    REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
++    REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
++                       ((uint32_t) stuff->num_modifiers) << 2);
+ 
+     if (stuff->deviceid == XIAllDevices)
+         dev = inputInfo.all_devices;

x11/modular-xorg-server112/patches/patch-Xi_xiproperty.c

@@ -0,0 +1,88 @@
+$NetBSD: patch-Xi_xiproperty.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- Xi/xiproperty.c.orig	2012-08-19 15:45:55.000000000 +0000
++++ Xi/xiproperty.c
+@@ -1007,10 +1007,9 @@ int
+ SProcXListDeviceProperties(ClientPtr client)
+ {
+     REQUEST(xListDevicePropertiesReq);
++    REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
+ 
+     swaps(&stuff->length);
+-
+-    REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
+     return (ProcXListDeviceProperties(client));
+ }
+ 
+@@ -1031,10 +1030,10 @@ int
+ SProcXDeleteDeviceProperty(ClientPtr client)
+ {
+     REQUEST(xDeleteDevicePropertyReq);
++    REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
+ 
+     swaps(&stuff->length);
+     swapl(&stuff->property);
+-    REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
+     return (ProcXDeleteDeviceProperty(client));
+ }
+ 
+@@ -1042,13 +1041,13 @@ int
+ SProcXGetDeviceProperty(ClientPtr client)
+ {
+     REQUEST(xGetDevicePropertyReq);
++    REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
+ 
+     swaps(&stuff->length);
+     swapl(&stuff->property);
+     swapl(&stuff->type);
+     swapl(&stuff->longOffset);
+     swapl(&stuff->longLength);
+-    REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
+     return (ProcXGetDeviceProperty(client));
+ }
+ 
+@@ -1243,11 +1242,10 @@ int
+ SProcXIListProperties(ClientPtr client)
+ {
+     REQUEST(xXIListPropertiesReq);
++    REQUEST_SIZE_MATCH(xXIListPropertiesReq);
+ 
+     swaps(&stuff->length);
+     swaps(&stuff->deviceid);
+-
+-    REQUEST_SIZE_MATCH(xXIListPropertiesReq);
+     return (ProcXIListProperties(client));
+ }
+ 
+@@ -1269,11 +1267,11 @@ int
+ SProcXIDeleteProperty(ClientPtr client)
+ {
+     REQUEST(xXIDeletePropertyReq);
++    REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
+ 
+     swaps(&stuff->length);
+     swaps(&stuff->deviceid);
+     swapl(&stuff->property);
+-    REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
+     return (ProcXIDeleteProperty(client));
+ }
+ 
+@@ -1281,6 +1279,7 @@ int
+ SProcXIGetProperty(ClientPtr client)
+ {
+     REQUEST(xXIGetPropertyReq);
++    REQUEST_SIZE_MATCH(xXIGetPropertyReq);
+ 
+     swaps(&stuff->length);
+     swaps(&stuff->deviceid);
+@@ -1288,7 +1287,6 @@ SProcXIGetProperty(ClientPtr client)
+     swapl(&stuff->type);
+     swapl(&stuff->offset);
+     swapl(&stuff->len);
+-    REQUEST_SIZE_MATCH(xXIGetPropertyReq);
+     return (ProcXIGetProperty(client));
+ }
+ 

x11/modular-xorg-server112/patches/patch-Xi_xiquerydevice.c

@@ -0,0 +1,15 @@
+$NetBSD: patch-Xi_xiquerydevice.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- Xi/xiquerydevice.c.orig	2012-07-24 04:36:54.000000000 +0000
++++ Xi/xiquerydevice.c
+@@ -54,6 +54,7 @@ int
+ SProcXIQueryDevice(ClientPtr client)
+ {
+     REQUEST(xXIQueryDeviceReq);
++    REQUEST_SIZE_MATCH(xXIQueryDeviceReq);
+ 
+     swaps(&stuff->length);
+     swaps(&stuff->deviceid);

x11/modular-xorg-server112/patches/patch-Xi_xiquerypointer.c

@@ -0,0 +1,16 @@
+$NetBSD: patch-Xi_xiquerypointer.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- Xi/xiquerypointer.c.orig	2012-05-17 17:09:01.000000000 +0000
++++ Xi/xiquerypointer.c
+@@ -62,6 +62,8 @@ int
+ SProcXIQueryPointer(ClientPtr client)
+ {
+     REQUEST(xXIQueryPointerReq);
++    REQUEST_SIZE_MATCH(xXIQueryPointerReq);
++
+     swaps(&stuff->length);
+     swaps(&stuff->deviceid);
+     swapl(&stuff->win);

x11/modular-xorg-server112/patches/patch-Xi_xiselectev.c

@@ -0,0 +1,33 @@
+$NetBSD: patch-Xi_xiselectev.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- Xi/xiselectev.c.orig	2012-05-17 17:09:01.000000000 +0000
++++ Xi/xiselectev.c
+@@ -63,6 +63,7 @@ int
+ SProcXISelectEvents(ClientPtr client)
+ {
+     int i;
++    int len;
+     xXIEventMask *evmask;
+ 
+     REQUEST(xXISelectEventsReq);
+@@ -71,10 +72,17 @@ SProcXISelectEvents(ClientPtr client)
+     swapl(&stuff->win);
+     swaps(&stuff->num_masks);
+ 
++    len = stuff->length - bytes_to_int32(sizeof(xXISelectEventsReq));
+     evmask = (xXIEventMask *) &stuff[1];
+     for (i = 0; i < stuff->num_masks; i++) {
++        if (len < bytes_to_int32(sizeof(xXIEventMask)))
++            return BadLength;
++        len -= bytes_to_int32(sizeof(xXIEventMask));
+         swaps(&evmask->deviceid);
+         swaps(&evmask->mask_len);
++        if (len < evmask->mask_len)
++            return BadLength;
++        len -= evmask->mask_len;
+         evmask =
+             (xXIEventMask *) (((char *) &evmask[1]) + evmask->mask_len * 4);
+     }

x11/modular-xorg-server112/patches/patch-Xi_xisetclientpointer.c

@@ -0,0 +1,20 @@
+$NetBSD: patch-Xi_xisetclientpointer.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- Xi/xisetclientpointer.c.orig	2012-05-17 17:09:01.000000000 +0000
++++ Xi/xisetclientpointer.c
+@@ -51,10 +51,11 @@ int
+ SProcXISetClientPointer(ClientPtr client)
+ {
+     REQUEST(xXISetClientPointerReq);
++    REQUEST_SIZE_MATCH(xXISetClientPointerReq);
++
+     swaps(&stuff->length);
+     swapl(&stuff->win);
+     swaps(&stuff->deviceid);
+-    REQUEST_SIZE_MATCH(xXISetClientPointerReq);
+     return (ProcXISetClientPointer(client));
+ }
+ 

x11/modular-xorg-server112/patches/patch-Xi_xisetdevfocus.c

@@ -0,0 +1,25 @@
+$NetBSD: patch-Xi_xisetdevfocus.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- Xi/xisetdevfocus.c.orig	2012-05-17 17:09:01.000000000 +0000
++++ Xi/xisetdevfocus.c
+@@ -44,6 +44,8 @@ int
+ SProcXISetFocus(ClientPtr client)
+ {
+     REQUEST(xXISetFocusReq);
++    REQUEST_AT_LEAST_SIZE(xXISetFocusReq);
++
+     swaps(&stuff->length);
+     swaps(&stuff->deviceid);
+     swapl(&stuff->focus);
+@@ -56,6 +58,8 @@ int
+ SProcXIGetFocus(ClientPtr client)
+ {
+     REQUEST(xXIGetFocusReq);
++    REQUEST_AT_LEAST_SIZE(xXIGetFocusReq);
++
+     swaps(&stuff->length);
+     swaps(&stuff->deviceid);
+ 

x11/modular-xorg-server112/patches/patch-Xi_xiwarppointer.c

@@ -0,0 +1,16 @@
+$NetBSD: patch-Xi_xiwarppointer.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- Xi/xiwarppointer.c.orig	2012-05-17 17:09:01.000000000 +0000
++++ Xi/xiwarppointer.c
+@@ -56,6 +56,8 @@ int
+ SProcXIWarpPointer(ClientPtr client)
+ {
+     REQUEST(xXIWarpPointerReq);
++    REQUEST_SIZE_MATCH(xXIWarpPointerReq);
++
+     swaps(&stuff->length);
+     swapl(&stuff->src_win);
+     swapl(&stuff->dst_win);

x11/modular-xorg-server112/patches/patch-configure

@@ -0,0 +1,14 @@
+$NetBSD: patch-configure,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+Allow x86_64 as a SunOS arch.
+--- configure.orig	2009-10-12 05:04:15.000000000 +0000
++++ configure
+@@ -18293,7 +18293,7 @@ fi
+ 		  sparc*)
+ 			SOLARIS_INOUT_ARCH="sparcv8plus"
+ 			;;
+-		  i*86)
++		  i*86|x86_64)
+ 			if test x$SOLARIS_64 = xyes ; then
+ 				SOLARIS_INOUT_ARCH="amd64"
+ 			else

x11/modular-xorg-server112/patches/patch-configure.ac

@@ -0,0 +1,15 @@
+$NetBSD: patch-configure.ac,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- configure.ac.orig	2012-08-27 05:10:47.000000000 +0000
++++ configure.ac
+@@ -2229,6 +2229,7 @@ hw/kdrive/fbdev/Makefile
+ hw/kdrive/linux/Makefile
+ hw/kdrive/src/Makefile
+ test/Makefile
++test/xi1/Makefile
+ test/xi2/Makefile
+ xserver.ent
+ xorg-server.pc

x11/modular-xorg-server112/patches/patch-dbe_dbe.c

@@ -0,0 +1,48 @@
+$NetBSD: patch-dbe_dbe.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- dbe/dbe.c.orig	2012-05-17 17:09:01.000000000 +0000
++++ dbe/dbe.c
+@@ -453,18 +453,20 @@ ProcDbeSwapBuffers(ClientPtr client)
+     DbeSwapInfoPtr swapInfo;
+     xDbeSwapInfo *dbeSwapInfo;
+     int error;
+-    register int i, j;
+-    int nStuff;
++    unsigned int i, j;
++    unsigned int nStuff;
+ 
+     REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
+     nStuff = stuff->n;          /* use local variable for performance. */
+ 
+     if (nStuff == 0) {
++        REQUEST_SIZE_MATCH(xDbeSwapBuffersReq);
+         return Success;
+     }
+ 
+     if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
+         return BadAlloc;
++    REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));
+ 
+     /* Get to the swap info appended to the end of the request. */
+     dbeSwapInfo = (xDbeSwapInfo *) &stuff[1];
+@@ -955,13 +957,16 @@ static int
+ SProcDbeSwapBuffers(ClientPtr client)
+ {
+     REQUEST(xDbeSwapBuffersReq);
+-    register int i;
++    unsigned int i;
+     xDbeSwapInfo *pSwapInfo;
+ 
+     swaps(&stuff->length);
+     REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
+ 
+     swapl(&stuff->n);
++    if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
++        return BadAlloc;
++    REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
+ 
+     if (stuff->n != 0) {
+         pSwapInfo = (xDbeSwapInfo *) stuff + 1;

x11/modular-xorg-server112/patches/patch-dix_dispatch.c

@@ -0,0 +1,17 @@
+$NetBSD: patch-dix_dispatch.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- dix/dispatch.c.orig	2012-05-17 17:09:01.000000000 +0000
++++ dix/dispatch.c
+@@ -1952,6 +1952,9 @@ ProcPutImage(ClientPtr client)
+     tmpImage = (char *) &stuff[1];
+     lengthProto = length;
+ 
++    if (lengthProto >= (INT32_MAX / stuff->height))
++        return BadLength;
++
+     if ((bytes_to_int32(lengthProto * stuff->height) +
+          bytes_to_int32(sizeof(xPutImageReq))) != client->req_len)
+         return BadLength;

x11/modular-xorg-server112/patches/patch-dix_dixfonts.c

@@ -0,0 +1,74 @@
+$NetBSD: patch-dix_dixfonts.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+Fix CVE-2013-4396.
+
+From a4d9bf1259ad28f54b6d59a480b2009cc89ca623 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Mon, 16 Sep 2013 21:47:16 -0700
+Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText()
+
+Save a pointer to the passed in closure structure before copying it
+and overwriting the *c pointer to point to our copy instead of the
+original.  If we hit an error, once we free(c), reset c to point to
+the original structure before jumping to the cleanup code that
+references *c.
+
+Since one of the errors being checked for is whether the server was
+able to malloc(c->nChars * itemSize), the client can potentially pass
+a number of characters chosen to cause the malloc to fail and the
+error path to be taken, resulting in the read from freed memory.
+
+Since the memory is accessed almost immediately afterwards, and the
+X server is mostly single threaded, the odds of the free memory having
+invalid contents are low with most malloc implementations when not using
+memory debugging features, but some allocators will definitely overwrite
+the memory there, leading to a likely crash.
+
+Reported-by: Pedro Ribeiro <pedrib@gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+---
+ dix/dixfonts.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- dix/dixfonts.c.orig	2012-05-17 17:09:01.000000000 +0000
++++ dix/dixfonts.c
+@@ -1414,6 +1414,7 @@ doImageText(ClientPtr client, ITclosureP
+             GC *pGC;
+             unsigned char *data;
+             ITclosurePtr new_closure;
++            ITclosurePtr old_closure;
+ 
+             /* We're putting the client to sleep.  We need to
+                save some state.  Similar problem to that handled
+@@ -1425,12 +1426,14 @@ doImageText(ClientPtr client, ITclosureP
+                 err = BadAlloc;
+                 goto bail;
+             }
++            old_closure = c;
+             *new_closure = *c;
+             c = new_closure;
+ 
+             data = malloc(c->nChars * itemSize);
+             if (!data) {
+                 free(c);
++                c = old_closure;
+                 err = BadAlloc;
+                 goto bail;
+             }
+@@ -1441,6 +1444,7 @@ doImageText(ClientPtr client, ITclosureP
+             if (!pGC) {
+                 free(c->data);
+                 free(c);
++                c = old_closure;
+                 err = BadAlloc;
+                 goto bail;
+             }
+@@ -1453,6 +1457,7 @@ doImageText(ClientPtr client, ITclosureP
+                 FreeScratchGC(pGC);
+                 free(c->data);
+                 free(c);
++                c = old_closure;
+                 err = BadAlloc;
+                 goto bail;
+             }

x11/modular-xorg-server112/patches/patch-dix_region.c

@@ -0,0 +1,78 @@
+$NetBSD: patch-dix_region.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- dix/region.c.orig	2012-05-17 17:09:02.000000000 +0000
++++ dix/region.c
+@@ -169,7 +169,6 @@ Equipment Corporation.
+         ((r1)->y1 <= (r2)->y1) && \
+         ((r1)->y2 >= (r2)->y2) )
+ 
+-#define xallocData(n) malloc(RegionSizeof(n))
+ #define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data)
+ 
+ #define RECTALLOC_BAIL(pReg,n,bail) \
+@@ -205,8 +204,9 @@ if (!(pReg)->data || (((pReg)->data->num
+ #define DOWNSIZE(reg,numRects)						 \
+ if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \
+ {									 \
+-    RegDataPtr NewData;							 \
+-    NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects));	 \
++    size_t NewSize = RegionSizeof(numRects);				 \
++    RegDataPtr NewData =						 \
++        (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ;		 \
+     if (NewData)							 \
+     {									 \
+ 	NewData->size = (numRects);					 \
+@@ -330,17 +330,20 @@ Bool
+ RegionRectAlloc(RegionPtr pRgn, int n)
+ {
+     RegDataPtr data;
++    size_t rgnSize;
+ 
+     if (!pRgn->data) {
+         n++;
+-        pRgn->data = xallocData(n);
++        rgnSize = RegionSizeof(n);
++        pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
+         if (!pRgn->data)
+             return RegionBreak(pRgn);
+         pRgn->data->numRects = 1;
+         *RegionBoxptr(pRgn) = pRgn->extents;
+     }
+     else if (!pRgn->data->size) {
+-        pRgn->data = xallocData(n);
++        rgnSize = RegionSizeof(n);
++        pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
+         if (!pRgn->data)
+             return RegionBreak(pRgn);
+         pRgn->data->numRects = 0;
+@@ -352,7 +355,8 @@ RegionRectAlloc(RegionPtr pRgn, int n)
+                 n = 250;
+         }
+         n += pRgn->data->numRects;
+-        data = (RegDataPtr) realloc(pRgn->data, RegionSizeof(n));
++        rgnSize = RegionSizeof(n);
++        data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL;
+         if (!data)
+             return RegionBreak(pRgn);
+         pRgn->data = data;
+@@ -1297,6 +1301,7 @@ RegionFromRects(int nrects, xRectangle *
+ {
+ 
+     RegionPtr pRgn;
++    size_t rgnSize;
+     RegDataPtr pData;
+     BoxPtr pBox;
+     int i;
+@@ -1323,7 +1328,8 @@ RegionFromRects(int nrects, xRectangle *
+         }
+         return pRgn;
+     }
+-    pData = xallocData(nrects);
++    rgnSize = RegionSizeof(nrects);
++    pData = (rgnSize > 0) ? malloc(rgnSize) : NULL;
+     if (!pData) {
+         RegionBreak(pRgn);
+         return pRgn;

x11/modular-xorg-server112/patches/patch-exa_exa__render.c

@@ -0,0 +1,17 @@
+$NetBSD: patch-exa_exa__render.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+Fix CVE-2013-6424 using
+http://lists.x.org/archives/xorg-devel/2013-October/037996.html
+
+--- exa/exa_render.c.orig	2012-05-17 17:09:02.000000000 +0000
++++ exa/exa_render.c
+@@ -1141,7 +1141,8 @@ exaTrapezoids(CARD8 op, PicturePtr pSrc,
+ 
+         exaPrepareAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
+         for (; ntrap; ntrap--, traps++)
+-            (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1);
++            if (xTrapezoidValid(traps))
++                (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1);
+         exaFinishAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
+ 
+         xRel = bounds.x1 + xSrc - xDst;

x11/modular-xorg-server112/patches/patch-glx_glxcmds.c

@@ -0,0 +1,62 @@
+$NetBSD: patch-glx_glxcmds.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- glx/glxcmds.c.orig	2012-08-02 00:59:23.000000000 +0000
++++ glx/glxcmds.c
+@@ -1983,7 +1983,8 @@ __glXDisp_Render(__GLXclientState * cl, 
+         if (entry.varsize) {
+             /* variable size command */
+             extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
+-                                      client->swapped);
++                                      client->swapped,
++                                      left - __GLX_RENDER_HDR_SIZE);
+             if (extra < 0) {
+                 extra = 0;
+             }
+@@ -2060,6 +2061,7 @@ __glXDisp_RenderLarge(__GLXclientState *
+         return BadLength;
+     }
+     pc += sz_xGLXRenderLargeReq;
++        int left = (req->length << 2) - sz_xGLXRenderLargeReq;
+ 
+     if (cl->largeCmdRequestsSoFar == 0) {
+         __GLXrenderSizeData entry;
+@@ -2100,7 +2102,8 @@ __glXDisp_RenderLarge(__GLXclientState *
+              ** will be in the 1st request, so it's okay to do this.
+              */
+             extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
+-                                      client->swapped);
++                                      client->swapped,
++                                      left - __GLX_RENDER_LARGE_HDR_SIZE);
+             if (extra < 0) {
+                 extra = 0;
+             }
+@@ -2178,17 +2181,16 @@ __glXDisp_RenderLarge(__GLXclientState *
+              ** This is the last request; it must have enough bytes to complete
+              ** the command.
+              */
+-            /* NOTE: the two pad macros have been added below; they are needed
+-             ** because the client library pads the total byte count, but not
+-             ** the per-request byte counts.  The Protocol Encoding says the
+-             ** total byte count should not be padded, so a proposal will be 
+-             ** made to the ARB to relax the padding constraint on the total 
+-             ** byte count, thus preserving backward compatibility.  Meanwhile, 
+-             ** the padding done below fixes a bug that did not allow
+-             ** large commands of odd sizes to be accepted by the server.
++            /* NOTE: the pad macro below is needed because the client library
++             ** pads the total byte count, but not the per-request byte counts.
++             ** The Protocol Encoding says the total byte count should not be
++             ** padded, so a proposal will be made to the ARB to relax the
++             ** padding constraint on the total byte count, thus preserving
++             ** backward compatibility.  Meanwhile, the padding done below
++             ** fixes a bug that did not allow large commands of odd sizes to
++             ** be accepted by the server.
+              */
+-            if (__GLX_PAD(cl->largeCmdBytesSoFar) !=
+-                __GLX_PAD(cl->largeCmdBytesTotal)) {
++            if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) {
+                 client->errorValue = dataBytes;
+                 __glXResetLargeCommandStatus(cl);
+                 return __glXError(GLXBadLargeRequest);

x11/modular-xorg-server112/patches/patch-glx_glxcmdsswap.c

@@ -0,0 +1,35 @@
+$NetBSD: patch-glx_glxcmdsswap.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- glx/glxcmdsswap.c.orig	2012-05-17 17:09:02.000000000 +0000
++++ glx/glxcmdsswap.c
+@@ -962,11 +962,13 @@ __glXDispSwap_RenderLarge(__GLXclientSta
+ int
+ __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
+ {
++    ClientPtr client = cl->client;
+     xGLXVendorPrivateReq *req;
+     GLint vendorcode;
+     __GLXdispatchVendorPrivProcPtr proc;
+ 
+     __GLX_DECLARE_SWAP_VARIABLES;
++    REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
+ 
+     req = (xGLXVendorPrivateReq *) pc;
+     __GLX_SWAP_SHORT(&req->length);
+@@ -989,11 +991,13 @@ __glXDispSwap_VendorPrivate(__GLXclientS
+ int
+ __glXDispSwap_VendorPrivateWithReply(__GLXclientState * cl, GLbyte * pc)
+ {
++    ClientPtr client = cl->client;
+     xGLXVendorPrivateWithReplyReq *req;
+     GLint vendorcode;
+     __GLXdispatchVendorPrivProcPtr proc;
+ 
+     __GLX_DECLARE_SWAP_VARIABLES;
++    REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq);
+ 
+     req = (xGLXVendorPrivateWithReplyReq *) pc;
+     __GLX_SWAP_SHORT(&req->length);

x11/modular-xorg-server112/patches/patch-glx_glxserver.h

@@ -0,0 +1,64 @@
+$NetBSD: patch-glx_glxserver.h,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- glx/glxserver.h.orig	2012-05-17 17:09:02.000000000 +0000
++++ glx/glxserver.h
+@@ -167,7 +167,7 @@ typedef int (*__GLXprocPtr) (__GLXclient
+ /*
+  * Tables for computing the size of each rendering command.
+  */
+-typedef int (*gl_proto_size_func) (const GLbyte *, Bool);
++typedef int (*gl_proto_size_func) (const GLbyte *, Bool, int);
+ 
+ typedef struct {
+     int bytes;
+@@ -218,6 +218,47 @@ extern void glxSwapQueryServerStringRepl
+  * Routines for computing the size of variably-sized rendering commands.
+  */
+ 
++static _X_INLINE int
++safe_add(int a, int b)
++{
++    if (a < 0 || b < 0)
++        return -1;
++
++    if (INT_MAX - a < b)
++        return -1;
++
++    return a + b;
++}
++
++static _X_INLINE int
++safe_mul(int a, int b)
++{
++    if (a < 0 || b < 0)
++        return -1;
++
++    if (a == 0 || b == 0)
++        return 0;
++
++    if (a > INT_MAX / b)
++        return -1;
++
++    return a * b;
++}
++
++static _X_INLINE int
++safe_pad(int a)
++{
++    int ret;
++
++    if (a < 0)
++        return -1;
++
++    if ((ret = safe_add(a, 3)) < 0)
++        return -1;
++
++    return ret & (GLuint)~3;
++}
++
+ extern int __glXTypeSize(GLenum enm);
+ extern int __glXImageSize(GLenum format, GLenum type,
+                           GLenum target, GLsizei w, GLsizei h, GLsizei d,

x11/modular-xorg-server112/patches/patch-glx_indirect__program.c

@@ -0,0 +1,16 @@
+$NetBSD: patch-glx_indirect__program.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- glx/indirect_program.c.orig	2012-05-17 17:09:02.000000000 +0000
++++ glx/indirect_program.c
+@@ -69,6 +69,8 @@ DoGetProgramString(struct __GLXclientSta
+     __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
+     ClientPtr client = cl->client;
+ 
++    REQUEST_FIXED_SIZE(xGLXVendorPrivateWithReplyReq, 8);
++
+     pc += __GLX_VENDPRIV_HDR_SIZE;
+     if (cx != NULL) {
+         GLenum target;

x11/modular-xorg-server112/patches/patch-glx_indirect__reqsize.c

@@ -0,0 +1,568 @@
+$NetBSD: patch-glx_indirect__reqsize.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- glx/indirect_reqsize.c.orig	2012-05-17 17:09:02.000000000 +0000
++++ glx/indirect_reqsize.c
+@@ -31,24 +31,22 @@
+ #include "indirect_size.h"
+ #include "indirect_reqsize.h"
+ 
+-#define __GLX_PAD(x)  (((x) + 3) & ~3)
+-
+ #if defined(__CYGWIN__) || defined(__MINGW32__)
+ #undef HAVE_ALIAS
+ #endif
+ #ifdef HAVE_ALIAS
+ #define ALIAS2(from,to) \
+-    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
++    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
+         __attribute__ ((alias( # to )));
+ #define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize )
+ #else
+ #define ALIAS(from,to) \
+-    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
+-    { return __glX ## to ## ReqSize( pc, swap ); }
++    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
++    { return __glX ## to ## ReqSize( pc, swap, reqlen ); }
+ #endif
+ 
+ int
+-__glXCallListsReqSize(const GLbyte * pc, Bool swap)
++__glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLsizei n = *(GLsizei *) (pc + 0);
+     GLenum type = *(GLenum *) (pc + 4);
+@@ -60,11 +58,11 @@ __glXCallListsReqSize(const GLbyte * pc,
+     }
+ 
+     compsize = __glCallLists_size(type);
+-    return __GLX_PAD((compsize * n));
++    return safe_pad(safe_mul(compsize, n));
+ }
+ 
+ int
+-__glXBitmapReqSize(const GLbyte * pc, Bool swap)
++__glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLint row_length = *(GLint *) (pc + 4);
+     GLint image_height = 0;
+@@ -88,7 +86,7 @@ __glXBitmapReqSize(const GLbyte * pc, Bo
+ }
+ 
+ int
+-__glXFogfvReqSize(const GLbyte * pc, Bool swap)
++__glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLenum pname = *(GLenum *) (pc + 0);
+     GLsizei compsize;
+@@ -98,11 +96,11 @@ __glXFogfvReqSize(const GLbyte * pc, Boo
+     }
+ 
+     compsize = __glFogfv_size(pname);
+-    return __GLX_PAD((compsize * 4));
++    return safe_pad(safe_mul(compsize, 4));
+ }
+ 
+ int
+-__glXLightfvReqSize(const GLbyte * pc, Bool swap)
++__glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLenum pname = *(GLenum *) (pc + 4);
+     GLsizei compsize;
+@@ -112,11 +110,11 @@ __glXLightfvReqSize(const GLbyte * pc, B
+     }
+ 
+     compsize = __glLightfv_size(pname);
+-    return __GLX_PAD((compsize * 4));
++    return safe_pad(safe_mul(compsize, 4));
+ }
+ 
+ int
+-__glXLightModelfvReqSize(const GLbyte * pc, Bool swap)
++__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLenum pname = *(GLenum *) (pc + 0);
+     GLsizei compsize;
+@@ -126,11 +124,11 @@ __glXLightModelfvReqSize(const GLbyte * 
+     }
+ 
+     compsize = __glLightModelfv_size(pname);
+-    return __GLX_PAD((compsize * 4));
++    return safe_pad(safe_mul(compsize, 4));
+ }
+ 
+ int
+-__glXMaterialfvReqSize(const GLbyte * pc, Bool swap)
++__glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLenum pname = *(GLenum *) (pc + 4);
+     GLsizei compsize;
+@@ -140,11 +138,11 @@ __glXMaterialfvReqSize(const GLbyte * pc
+     }
+ 
+     compsize = __glMaterialfv_size(pname);
+-    return __GLX_PAD((compsize * 4));
++    return safe_pad(safe_mul(compsize, 4));
+ }
+ 
+ int
+-__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap)
++__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLint row_length = *(GLint *) (pc + 4);
+     GLint image_height = 0;
+@@ -164,7 +162,7 @@ __glXPolygonStippleReqSize(const GLbyte 
+ }
+ 
+ int
+-__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap)
++__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLenum pname = *(GLenum *) (pc + 4);
+     GLsizei compsize;
+@@ -174,11 +172,11 @@ __glXTexParameterfvReqSize(const GLbyte 
+     }
+ 
+     compsize = __glTexParameterfv_size(pname);
+-    return __GLX_PAD((compsize * 4));
++    return safe_pad(safe_mul(compsize, 4));
+ }
+ 
+ int
+-__glXTexImage1DReqSize(const GLbyte * pc, Bool swap)
++__glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLint row_length = *(GLint *) (pc + 4);
+     GLint image_height = 0;
+@@ -206,7 +204,7 @@ __glXTexImage1DReqSize(const GLbyte * pc
+ }
+ 
+ int
+-__glXTexImage2DReqSize(const GLbyte * pc, Bool swap)
++__glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLint row_length = *(GLint *) (pc + 4);
+     GLint image_height = 0;
+@@ -236,7 +234,7 @@ __glXTexImage2DReqSize(const GLbyte * pc
+ }
+ 
+ int
+-__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap)
++__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLenum pname = *(GLenum *) (pc + 4);
+     GLsizei compsize;
+@@ -246,11 +244,11 @@ __glXTexEnvfvReqSize(const GLbyte * pc, 
+     }
+ 
+     compsize = __glTexEnvfv_size(pname);
+-    return __GLX_PAD((compsize * 4));
++    return safe_pad(safe_mul(compsize, 4));
+ }
+ 
+ int
+-__glXTexGendvReqSize(const GLbyte * pc, Bool swap)
++__glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLenum pname = *(GLenum *) (pc + 4);
+     GLsizei compsize;
+@@ -260,11 +258,11 @@ __glXTexGendvReqSize(const GLbyte * pc, 
+     }
+ 
+     compsize = __glTexGendv_size(pname);
+-    return __GLX_PAD((compsize * 8));
++    return safe_pad(safe_mul(compsize, 8));
+ }
+ 
+ int
+-__glXTexGenfvReqSize(const GLbyte * pc, Bool swap)
++__glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLenum pname = *(GLenum *) (pc + 4);
+     GLsizei compsize;
+@@ -274,11 +272,11 @@ __glXTexGenfvReqSize(const GLbyte * pc, 
+     }
+ 
+     compsize = __glTexGenfv_size(pname);
+-    return __GLX_PAD((compsize * 4));
++    return safe_pad(safe_mul(compsize, 4));
+ }
+ 
+ int
+-__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap)
++__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLsizei mapsize = *(GLsizei *) (pc + 4);
+ 
+@@ -286,11 +284,11 @@ __glXPixelMapfvReqSize(const GLbyte * pc
+         mapsize = bswap_32(mapsize);
+     }
+ 
+-    return __GLX_PAD((mapsize * 4));
++    return safe_pad(safe_mul(mapsize, 4));
+ }
+ 
+ int
+-__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap)
++__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLsizei mapsize = *(GLsizei *) (pc + 4);
+ 
+@@ -298,11 +296,11 @@ __glXPixelMapusvReqSize(const GLbyte * p
+         mapsize = bswap_32(mapsize);
+     }
+ 
+-    return __GLX_PAD((mapsize * 2));
++    return safe_pad(safe_mul(mapsize, 2));
+ }
+ 
+ int
+-__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap)
++__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLint row_length = *(GLint *) (pc + 4);
+     GLint image_height = 0;
+@@ -330,7 +328,7 @@ __glXDrawPixelsReqSize(const GLbyte * pc
+ }
+ 
+ int
+-__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap)
++__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLsizei n = *(GLsizei *) (pc + 0);
+ 
+@@ -338,11 +336,11 @@ __glXPrioritizeTexturesReqSize(const GLb
+         n = bswap_32(n);
+     }
+ 
+-    return __GLX_PAD((n * 4) + (n * 4));
++    return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4)));
+ }
+ 
+ int
+-__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap)
++__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLint row_length = *(GLint *) (pc + 4);
+     GLint image_height = 0;
+@@ -370,7 +368,7 @@ __glXTexSubImage1DReqSize(const GLbyte *
+ }
+ 
+ int
+-__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap)
++__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLint row_length = *(GLint *) (pc + 4);
+     GLint image_height = 0;
+@@ -400,7 +398,7 @@ __glXTexSubImage2DReqSize(const GLbyte *
+ }
+ 
+ int
+-__glXColorTableReqSize(const GLbyte * pc, Bool swap)
++__glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLint row_length = *(GLint *) (pc + 4);
+     GLint image_height = 0;
+@@ -428,7 +426,7 @@ __glXColorTableReqSize(const GLbyte * pc
+ }
+ 
+ int
+-__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap)
++__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLenum pname = *(GLenum *) (pc + 4);
+     GLsizei compsize;
+@@ -438,11 +436,11 @@ __glXColorTableParameterfvReqSize(const 
+     }
+ 
+     compsize = __glColorTableParameterfv_size(pname);
+-    return __GLX_PAD((compsize * 4));
++    return safe_pad(safe_mul(compsize, 4));
+ }
+ 
+ int
+-__glXColorSubTableReqSize(const GLbyte * pc, Bool swap)
++__glXColorSubTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLint row_length = *(GLint *) (pc + 4);
+     GLint image_height = 0;
+@@ -470,7 +468,7 @@ __glXColorSubTableReqSize(const GLbyte *
+ }
+ 
+ int
+-__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap)
++__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLint row_length = *(GLint *) (pc + 4);
+     GLint image_height = 0;
+@@ -498,7 +496,7 @@ __glXConvolutionFilter1DReqSize(const GL
+ }
+ 
+ int
+-__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap)
++__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLint row_length = *(GLint *) (pc + 4);
+     GLint image_height = 0;
+@@ -528,7 +526,7 @@ __glXConvolutionFilter2DReqSize(const GL
+ }
+ 
+ int
+-__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap)
++__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLenum pname = *(GLenum *) (pc + 4);
+     GLsizei compsize;
+@@ -538,11 +536,11 @@ __glXConvolutionParameterfvReqSize(const
+     }
+ 
+     compsize = __glConvolutionParameterfv_size(pname);
+-    return __GLX_PAD((compsize * 4));
++    return safe_pad(safe_mul(compsize, 4));
+ }
+ 
+ int
+-__glXTexImage3DReqSize(const GLbyte * pc, Bool swap)
++__glXTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLint row_length = *(GLint *) (pc + 4);
+     GLint image_height = *(GLint *) (pc + 8);
+@@ -579,7 +577,7 @@ __glXTexImage3DReqSize(const GLbyte * pc
+ }
+ 
+ int
+-__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
++__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLint row_length = *(GLint *) (pc + 4);
+     GLint image_height = *(GLint *) (pc + 8);
+@@ -613,7 +611,7 @@ __glXTexSubImage3DReqSize(const GLbyte *
+ }
+ 
+ int
+-__glXCompressedTexImage1DARBReqSize(const GLbyte * pc, Bool swap)
++__glXCompressedTexImage1DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLsizei imageSize = *(GLsizei *) (pc + 20);
+ 
+@@ -621,11 +619,11 @@ __glXCompressedTexImage1DARBReqSize(cons
+         imageSize = bswap_32(imageSize);
+     }
+ 
+-    return __GLX_PAD(imageSize);
++    return safe_pad(imageSize);
+ }
+ 
+ int
+-__glXCompressedTexImage2DARBReqSize(const GLbyte * pc, Bool swap)
++__glXCompressedTexImage2DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLsizei imageSize = *(GLsizei *) (pc + 24);
+ 
+@@ -633,11 +631,11 @@ __glXCompressedTexImage2DARBReqSize(cons
+         imageSize = bswap_32(imageSize);
+     }
+ 
+-    return __GLX_PAD(imageSize);
++    return safe_pad(imageSize);
+ }
+ 
+ int
+-__glXCompressedTexImage3DARBReqSize(const GLbyte * pc, Bool swap)
++__glXCompressedTexImage3DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLsizei imageSize = *(GLsizei *) (pc + 28);
+ 
+@@ -645,11 +643,11 @@ __glXCompressedTexImage3DARBReqSize(cons
+         imageSize = bswap_32(imageSize);
+     }
+ 
+-    return __GLX_PAD(imageSize);
++    return safe_pad(imageSize);
+ }
+ 
+ int
+-__glXCompressedTexSubImage3DARBReqSize(const GLbyte * pc, Bool swap)
++__glXCompressedTexSubImage3DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLsizei imageSize = *(GLsizei *) (pc + 36);
+ 
+@@ -657,11 +655,11 @@ __glXCompressedTexSubImage3DARBReqSize(c
+         imageSize = bswap_32(imageSize);
+     }
+ 
+-    return __GLX_PAD(imageSize);
++    return safe_pad(imageSize);
+ }
+ 
+ int
+-__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap)
++__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLsizei len = *(GLsizei *) (pc + 8);
+ 
+@@ -669,11 +667,11 @@ __glXProgramStringARBReqSize(const GLbyt
+         len = bswap_32(len);
+     }
+ 
+-    return __GLX_PAD(len);
++    return safe_pad(len);
+ }
+ 
+ int
+-__glXDrawBuffersARBReqSize(const GLbyte * pc, Bool swap)
++__glXDrawBuffersARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLsizei n = *(GLsizei *) (pc + 0);
+ 
+@@ -681,11 +679,11 @@ __glXDrawBuffersARBReqSize(const GLbyte 
+         n = bswap_32(n);
+     }
+ 
+-    return __GLX_PAD((n * 4));
++    return safe_pad((n * 4));
+ }
+ 
+ int
+-__glXPointParameterfvEXTReqSize(const GLbyte * pc, Bool swap)
++__glXPointParameterfvEXTReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLenum pname = *(GLenum *) (pc + 0);
+     GLsizei compsize;
+@@ -695,11 +693,11 @@ __glXPointParameterfvEXTReqSize(const GL
+     }
+ 
+     compsize = __glPointParameterfvEXT_size(pname);
+-    return __GLX_PAD((compsize * 4));
++    return safe_pad((compsize * 4));
+ }
+ 
+ int
+-__glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap)
++__glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLsizei num = *(GLsizei *) (pc + 8);
+ 
+@@ -707,11 +705,11 @@ __glXProgramParameters4dvNVReqSize(const
+         num = bswap_32(num);
+     }
+ 
+-    return __GLX_PAD((num * 32));
++    return safe_pad((num * 32));
+ }
+ 
+ int
+-__glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap)
++__glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLsizei num = *(GLsizei *) (pc + 8);
+ 
+@@ -719,11 +717,11 @@ __glXProgramParameters4fvNVReqSize(const
+         num = bswap_32(num);
+     }
+ 
+-    return __GLX_PAD((num * 16));
++    return safe_pad((num * 16));
+ }
+ 
+ int
+-__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap)
++__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLsizei n = *(GLsizei *) (pc + 4);
+ 
+@@ -731,11 +729,11 @@ __glXVertexAttribs1dvNVReqSize(const GLb
+         n = bswap_32(n);
+     }
+ 
+-    return __GLX_PAD((n * 8));
++    return safe_pad(safe_mul(n, 8));
+ }
+ 
+ int
+-__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap)
++__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLsizei n = *(GLsizei *) (pc + 4);
+ 
+@@ -743,11 +741,11 @@ __glXVertexAttribs2dvNVReqSize(const GLb
+         n = bswap_32(n);
+     }
+ 
+-    return __GLX_PAD((n * 16));
++    return safe_pad(safe_mul(n, 16));
+ }
+ 
+ int
+-__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap)
++__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLsizei n = *(GLsizei *) (pc + 4);
+ 
+@@ -755,11 +753,11 @@ __glXVertexAttribs3dvNVReqSize(const GLb
+         n = bswap_32(n);
+     }
+ 
+-    return __GLX_PAD((n * 24));
++    return safe_pad(safe_mul(n, 24));
+ }
+ 
+ int
+-__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap)
++__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLsizei n = *(GLsizei *) (pc + 4);
+ 
+@@ -767,11 +765,11 @@ __glXVertexAttribs3fvNVReqSize(const GLb
+         n = bswap_32(n);
+     }
+ 
+-    return __GLX_PAD((n * 12));
++    return safe_pad(safe_mul(n, 12));
+ }
+ 
+ int
+-__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap)
++__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLsizei n = *(GLsizei *) (pc + 4);
+ 
+@@ -779,11 +777,11 @@ __glXVertexAttribs3svNVReqSize(const GLb
+         n = bswap_32(n);
+     }
+ 
+-    return __GLX_PAD((n * 6));
++    return safe_pad(safe_mul(n, 6));
+ }
+ 
+ int
+-__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap)
++__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLsizei n = *(GLsizei *) (pc + 4);
+ 
+@@ -791,11 +789,11 @@ __glXVertexAttribs4dvNVReqSize(const GLb
+         n = bswap_32(n);
+     }
+ 
+-    return __GLX_PAD((n * 32));
++    return safe_pad(safe_mul(n, 32));
+ }
+ 
+ int
+-__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap)
++__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLsizei len = *(GLsizei *) (pc + 4);
+ 
+@@ -803,7 +801,7 @@ __glXProgramNamedParameter4fvNVReqSize(c
+         len = bswap_32(len);
+     }
+ 
+-    return __GLX_PAD(len);
++    return safe_pad(len);
+ }
+ 
+ ALIAS(Fogiv, Fogfv)

x11/modular-xorg-server112/patches/patch-glx_indirect__reqsize.h

@@ -0,0 +1,210 @@
+$NetBSD: patch-glx_indirect__reqsize.h,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- glx/indirect_reqsize.h.orig	2012-05-17 17:09:02.000000000 +0000
++++ glx/indirect_reqsize.h
+@@ -36,128 +36,128 @@
+ #define PURE
+ #endif
+ 
+-extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap);
++extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc,
+-                                                   Bool swap);
++                                                   Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc,
+-                                                   Bool swap);
+-extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap);
++                                                   Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXPolygonStippleReqSize(const GLbyte * pc,
+-                                                     Bool swap);
++                                                     Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXTexParameterfvReqSize(const GLbyte * pc,
+-                                                     Bool swap);
++                                                     Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXTexParameterivReqSize(const GLbyte * pc,
+-                                                     Bool swap);
+-extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap);
+-extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap);
++                                                     Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte * pc,
+-                                                         Bool swap);
++                                                         Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXTexSubImage1DReqSize(const GLbyte * pc,
+-                                                    Bool swap);
++                                                    Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXTexSubImage2DReqSize(const GLbyte * pc,
+-                                                    Bool swap);
+-extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap);
++                                                    Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte * pc,
+-                                                            Bool swap);
++                                                            Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXColorTableParameterivReqSize(const GLbyte * pc,
+-                                                            Bool swap);
++                                                            Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXColorSubTableReqSize(const GLbyte * pc,
+-                                                    Bool swap);
++                                                    Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte * pc,
+-                                                          Bool swap);
++                                                          Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte * pc,
+-                                                          Bool swap);
++                                                          Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte * pc,
+-                                                             Bool swap);
++                                                             Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte * pc,
+-                                                             Bool swap);
++                                                             Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte * pc,
+-                                                        Bool swap);
+-extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap);
++                                                        Bool swap, int reqlen);
++extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXTexSubImage3DReqSize(const GLbyte * pc,
+-                                                    Bool swap);
++                                                    Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXCompressedTexImage1DARBReqSize(const GLbyte * pc,
+-                                                              Bool swap);
++                                                              Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXCompressedTexImage2DARBReqSize(const GLbyte * pc,
+-                                                              Bool swap);
++                                                              Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXCompressedTexImage3DARBReqSize(const GLbyte * pc,
+-                                                              Bool swap);
++                                                              Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXCompressedTexSubImage1DARBReqSize(const GLbyte *
+-                                                                 pc, Bool swap);
++                                                                 pc, Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXCompressedTexSubImage2DARBReqSize(const GLbyte *
+-                                                                 pc, Bool swap);
++                                                                 pc, Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXCompressedTexSubImage3DARBReqSize(const GLbyte *
+-                                                                 pc, Bool swap);
++                                                                 pc, Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXProgramStringARBReqSize(const GLbyte * pc,
+-                                                       Bool swap);
++                                                       Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXDrawBuffersARBReqSize(const GLbyte * pc,
+-                                                     Bool swap);
++                                                     Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXPointParameterfvEXTReqSize(const GLbyte * pc,
+-                                                          Bool swap);
++                                                          Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXLoadProgramNVReqSize(const GLbyte * pc,
+-                                                    Bool swap);
++                                                    Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXProgramParameters4dvNVReqSize(const GLbyte * pc,
+-                                                             Bool swap);
++                                                             Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXProgramParameters4fvNVReqSize(const GLbyte * pc,
+-                                                             Bool swap);
++                                                             Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXRequestResidentProgramsNVReqSize(const GLbyte *
+-                                                                pc, Bool swap);
++                                                                pc, Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte * pc,
+-                                                         Bool swap);
++                                                         Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte * pc,
+-                                                         Bool swap);
++                                                         Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte * pc,
+-                                                         Bool swap);
++                                                         Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte * pc,
+-                                                         Bool swap);
++                                                         Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte * pc,
+-                                                         Bool swap);
++                                                         Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte * pc,
+-                                                         Bool swap);
++                                                         Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte * pc,
+-                                                         Bool swap);
++                                                         Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte * pc,
+-                                                         Bool swap);
++                                                         Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte * pc,
+-                                                         Bool swap);
++                                                         Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte * pc,
+-                                                         Bool swap);
++                                                         Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte * pc,
+-                                                         Bool swap);
++                                                         Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte * pc,
+-                                                         Bool swap);
++                                                         Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte * pc,
+-                                                          Bool swap);
++                                                          Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXPointParameterivNVReqSize(const GLbyte * pc,
+-                                                         Bool swap);
++                                                         Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXProgramNamedParameter4dvNVReqSize(const GLbyte *
+-                                                                 pc, Bool swap);
++                                                                 pc, Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXProgramNamedParameter4fvNVReqSize(const GLbyte *
+-                                                                 pc, Bool swap);
++                                                                 pc, Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXDeleteFramebuffersEXTReqSize(const GLbyte * pc,
+-                                                            Bool swap);
++                                                            Bool swap, int reqlen);
+ extern PURE _X_HIDDEN int __glXDeleteRenderbuffersEXTReqSize(const GLbyte * pc,
+-                                                             Bool swap);
++                                                             Bool swap, int reqlen);
+ 
+ #undef PURE
+ 

x11/modular-xorg-server112/patches/patch-glx_indirect__texture__compression.c

@@ -0,0 +1,25 @@
+$NetBSD: patch-glx_indirect__texture__compression.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- glx/indirect_texture_compression.c.orig	2012-05-17 17:09:02.000000000 +0000
++++ glx/indirect_texture_compression.c
+@@ -47,6 +47,8 @@ __glXDisp_GetCompressedTexImageARB(struc
+     __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
+     ClientPtr client = cl->client;
+ 
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
++
+     pc += __GLX_SINGLE_HDR_SIZE;
+     if (cx != NULL) {
+         const GLenum target = *(GLenum *) (pc + 0);
+@@ -93,6 +95,8 @@ __glXDispSwap_GetCompressedTexImageARB(s
+         __glXForceCurrent(cl, bswap_32(req->contextTag), &error);
+     ClientPtr client = cl->client;
+ 
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
++
+     pc += __GLX_SINGLE_HDR_SIZE;
+     if (cx != NULL) {
+         const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0));

x11/modular-xorg-server112/patches/patch-glx_indirect__util.c

@@ -0,0 +1,16 @@
+$NetBSD: patch-glx_indirect__util.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- glx/indirect_util.c.orig	2012-05-17 17:09:02.000000000 +0000
++++ glx/indirect_util.c
+@@ -78,7 +78,7 @@ __glXGetAnswerBuffer(__GLXclientState * 
+                      void *local_buffer, size_t local_size, unsigned alignment)
+ {
+     void *buffer = local_buffer;
+-    const unsigned mask = alignment - 1;
++    const intptr_t mask = alignment - 1;
+ 
+     if (local_size < required_size) {
+         const size_t worst_case_size = required_size + alignment;

x11/modular-xorg-server112/patches/patch-glx_rensize.c

@@ -0,0 +1,96 @@
+$NetBSD: patch-glx_rensize.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- glx/rensize.c.orig	2012-05-17 17:09:02.000000000 +0000
++++ glx/rensize.c
+@@ -52,7 +52,7 @@ Map1Size(GLint k, GLint order)
+ }
+ 
+ int
+-__glXMap1dReqSize(const GLbyte * pc, Bool swap)
++__glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLenum target;
+     GLint order, k;
+@@ -68,7 +68,7 @@ __glXMap1dReqSize(const GLbyte * pc, Boo
+ }
+ 
+ int
+-__glXMap1fReqSize(const GLbyte * pc, Bool swap)
++__glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLenum target;
+     GLint order, k;
+@@ -92,7 +92,7 @@ Map2Size(int k, int majorOrder, int mino
+ }
+ 
+ int
+-__glXMap2dReqSize(const GLbyte * pc, Bool swap)
++__glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLenum target;
+     GLint uorder, vorder, k;
+@@ -110,7 +110,7 @@ __glXMap2dReqSize(const GLbyte * pc, Boo
+ }
+ 
+ int
+-__glXMap2fReqSize(const GLbyte * pc, Bool swap)
++__glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     GLenum target;
+     GLint uorder, vorder, k;
+@@ -342,13 +342,14 @@ __glXTypeSize(GLenum enm)
+ }
+ 
+ int
+-__glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
++__glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc;
+     __GLXdispatchDrawArraysComponentHeader *compHeader;
+     GLint numVertexes = hdr->numVertexes;
+     GLint numComponents = hdr->numComponents;
+     GLint arrayElementSize = 0;
++    GLint x, size;
+     int i;
+ 
+     if (swap) {
+@@ -357,6 +358,13 @@ __glXDrawArraysReqSize(const GLbyte * pc
+     }
+ 
+     pc += sizeof(__GLXdispatchDrawArraysHeader);
++    reqlen -= sizeof(__GLXdispatchDrawArraysHeader);
++
++    size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader),
++                    numComponents);
++    if (size < 0 || reqlen < 0 || reqlen < size)
++        return -1;
++
+     compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc;
+ 
+     for (i = 0; i < numComponents; i++) {
+@@ -400,17 +408,18 @@ __glXDrawArraysReqSize(const GLbyte * pc
+             return -1;
+         }
+ 
+-        arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype));
++        x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype)));
++        if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0)
++            return -1;
+ 
+         pc += sizeof(__GLXdispatchDrawArraysComponentHeader);
+     }
+ 
+-    return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) +
+-            (numVertexes * arrayElementSize));
++    return safe_add(size, safe_mul(numVertexes, arrayElementSize));
+ }
+ 
+ int
+-__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
++__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
+ {
+     __GLXdispatchConvolutionFilterHeader *hdr =
+         (__GLXdispatchConvolutionFilterHeader *) pc;

x11/modular-xorg-server112/patches/patch-glx_single2.c

@@ -0,0 +1,115 @@
+$NetBSD: patch-glx_single2.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- glx/single2.c.orig	2012-05-17 17:09:02.000000000 +0000
++++ glx/single2.c
+@@ -49,11 +49,14 @@
+ int
+ __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
+ {
++    ClientPtr client = cl->client;
+     GLsizei size;
+     GLenum type;
+     __GLXcontext *cx;
+     int error;
+ 
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
++
+     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+     if (!cx) {
+         return error;
+@@ -80,10 +83,13 @@ __glXDisp_FeedbackBuffer(__GLXclientStat
+ int
+ __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
+ {
++    ClientPtr client = cl->client;
+     __GLXcontext *cx;
+     GLsizei size;
+     int error;
+ 
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
++
+     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+     if (!cx) {
+         return error;
+@@ -108,7 +114,7 @@ __glXDisp_SelectBuffer(__GLXclientState 
+ int
+ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
+ {
+-    ClientPtr client;
++    ClientPtr client = cl->client;
+     xGLXRenderModeReply reply;
+     __GLXcontext *cx;
+     GLint nitems = 0, retBytes = 0, retval, newModeCheck;
+@@ -116,6 +122,8 @@ __glXDisp_RenderMode(__GLXclientState * 
+     GLenum newMode;
+     int error;
+ 
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
++
+     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+     if (!cx) {
+         return error;
+@@ -192,7 +200,6 @@ __glXDisp_RenderMode(__GLXclientState * 
+      ** selection array, as per the API for glRenderMode itself.
+      */
+  noChangeAllowed:;
+-    client = cl->client;
+     reply.length = nitems;
+     reply.type = X_Reply;
+     reply.sequenceNumber = client->sequence;
+@@ -209,9 +216,12 @@ __glXDisp_RenderMode(__GLXclientState * 
+ int
+ __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
+ {
++    ClientPtr client = cl->client;
+     __GLXcontext *cx;
+     int error;
+ 
++    REQUEST_SIZE_MATCH(xGLXSingleReq);
++
+     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+     if (!cx) {
+         return error;
+@@ -225,10 +235,12 @@ __glXDisp_Flush(__GLXclientState * cl, G
+ int
+ __glXDisp_Finish(__GLXclientState * cl, GLbyte * pc)
+ {
++    ClientPtr client = cl->client;
+     __GLXcontext *cx;
+-    ClientPtr client;
+     int error;
+ 
++    REQUEST_SIZE_MATCH(xGLXSingleReq);
++
+     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+     if (!cx) {
+         return error;
+@@ -319,7 +331,7 @@ __glXcombine_strings(const char *cext_st
+ int
+ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
+ {
+-    ClientPtr client;
++    ClientPtr client = cl->client;
+     __GLXcontext *cx;
+     GLenum name;
+     const char *string;
+@@ -329,6 +341,8 @@ DoGetString(__GLXclientState * cl, GLbyt
+     char *buf = NULL, *buf1 = NULL;
+     GLint length = 0;
+ 
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
++
+     /* If the client has the opposite byte order, swap the contextTag and
+      * the name.
+      */
+@@ -345,7 +359,6 @@ DoGetString(__GLXclientState * cl, GLbyt
+     pc += __GLX_SINGLE_HDR_SIZE;
+     name = *(GLenum *) (pc + 0);
+     string = (const char *) CALL_GetString(GET_DISPATCH(), (name));
+-    client = cl->client;
+ 
+     if (string == NULL)
+         string = "";

x11/modular-xorg-server112/patches/patch-glx_single2swap.c

@@ -0,0 +1,105 @@
+$NetBSD: patch-glx_single2swap.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- glx/single2swap.c.orig	2012-05-17 17:09:02.000000000 +0000
++++ glx/single2swap.c
+@@ -45,6 +45,7 @@
+ int
+ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
+ {
++    ClientPtr client = cl->client;
+     GLsizei size;
+     GLenum type;
+ 
+@@ -52,6 +53,8 @@ __glXDispSwap_FeedbackBuffer(__GLXclient
+     __GLXcontext *cx;
+     int error;
+ 
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
++
+     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
+     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+     if (!cx) {
+@@ -81,12 +84,15 @@ __glXDispSwap_FeedbackBuffer(__GLXclient
+ int
+ __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
+ {
++    ClientPtr client = cl->client;
+     __GLXcontext *cx;
+     GLsizei size;
+ 
+     __GLX_DECLARE_SWAP_VARIABLES;
+     int error;
+ 
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
++
+     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
+     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+     if (!cx) {
+@@ -113,7 +119,7 @@ __glXDispSwap_SelectBuffer(__GLXclientSt
+ int
+ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
+ {
+-    ClientPtr client;
++    ClientPtr client = cl->client;
+     __GLXcontext *cx;
+     xGLXRenderModeReply reply;
+     GLint nitems = 0, retBytes = 0, retval, newModeCheck;
+@@ -124,6 +130,8 @@ __glXDispSwap_RenderMode(__GLXclientStat
+     __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
+     int error;
+ 
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
++
+     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
+     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+     if (!cx) {
+@@ -204,7 +212,6 @@ __glXDispSwap_RenderMode(__GLXclientStat
+      ** selection array, as per the API for glRenderMode itself.
+      */
+  noChangeAllowed:;
+-    client = cl->client;
+     reply.length = nitems;
+     reply.type = X_Reply;
+     reply.sequenceNumber = client->sequence;
+@@ -226,11 +233,14 @@ __glXDispSwap_RenderMode(__GLXclientStat
+ int
+ __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
+ {
++    ClientPtr client = cl->client;
+     __GLXcontext *cx;
+     int error;
+ 
+     __GLX_DECLARE_SWAP_VARIABLES;
+ 
++    REQUEST_SIZE_MATCH(xGLXSingleReq);
++
+     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
+     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+     if (!cx) {
+@@ -245,12 +255,14 @@ __glXDispSwap_Flush(__GLXclientState * c
+ int
+ __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
+ {
++    ClientPtr client = cl->client;
+     __GLXcontext *cx;
+-    ClientPtr client;
+     int error;
+ 
+     __GLX_DECLARE_SWAP_VARIABLES;
+ 
++    REQUEST_SIZE_MATCH(xGLXSingleReq);
++
+     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
+     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+     if (!cx) {
+@@ -262,7 +274,6 @@ __glXDispSwap_Finish(__GLXclientState * 
+     cx->hasUnflushedCommands = GL_FALSE;
+ 
+     /* Send empty reply packet to indicate finish is finished */
+-    client = cl->client;
+     __GLX_BEGIN_REPLY(0);
+     __GLX_PUT_RETVAL(0);
+     __GLX_SWAP_REPLY_HEADER();

x11/modular-xorg-server112/patches/patch-glx_singlepix.c

@@ -0,0 +1,170 @@
+$NetBSD: patch-glx_singlepix.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- glx/singlepix.c.orig	2012-05-17 17:09:02.000000000 +0000
++++ glx/singlepix.c
+@@ -55,6 +55,8 @@ __glXDisp_ReadPixels(__GLXclientState * 
+     int error;
+     char *answer, answerBuffer[200];
+ 
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
++
+     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+     if (!cx) {
+         return error;
+@@ -68,7 +70,7 @@ __glXDisp_ReadPixels(__GLXclientState * 
+     swapBytes = *(GLboolean *) (pc + 24);
+     lsbFirst = *(GLboolean *) (pc + 25);
+     compsize = __glReadPixels_size(format, type, width, height);
+-    if (compsize < 0)
++    if ((compsize = safe_pad(compsize)) < 0)
+         compsize = 0;
+ 
+     CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
+@@ -107,6 +109,8 @@ __glXDisp_GetTexImage(__GLXclientState *
+     char *answer, answerBuffer[200];
+     GLint width = 0, height = 0, depth = 1;
+ 
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
++
+     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+     if (!cx) {
+         return error;
+@@ -133,7 +137,7 @@ __glXDisp_GetTexImage(__GLXclientState *
+      */
+     compsize =
+         __glGetTexImage_size(target, level, format, type, width, height, depth);
+-    if (compsize < 0)
++    if ((compsize = safe_pad(compsize)) < 0)
+         compsize = 0;
+ 
+     CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
+@@ -169,6 +173,8 @@ __glXDisp_GetPolygonStipple(__GLXclientS
+     GLubyte answerBuffer[200];
+     char *answer;
+ 
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
++
+     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+     if (!cx) {
+         return error;
+@@ -231,15 +237,13 @@ GetSeparableFilter(__GLXclientState * cl
+     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
+     compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
+ 
+-    if (compsize < 0)
++    if ((compsize = safe_pad(compsize)) < 0)
+         compsize = 0;
+-    if (compsize2 < 0)
++    if ((compsize2 = safe_pad(compsize2)) < 0)
+         compsize2 = 0;
+-    compsize = __GLX_PAD(compsize);
+-    compsize2 = __GLX_PAD(compsize2);
+ 
+     CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
+-    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
++    __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
+     __glXClearErrorOccured();
+     CALL_GetSeparableFilter(GET_DISPATCH(), (*(GLenum *) (pc + 0),
+                                              *(GLenum *) (pc + 4),
+@@ -265,7 +269,8 @@ int
+ __glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
+ {
+     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+-
++    ClientPtr client = cl->client;
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+     return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
+ }
+ 
+@@ -273,7 +278,8 @@ int
+ __glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
+ {
+     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+-
++    ClientPtr client = cl->client;
++    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
+     return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
+ }
+ 
+@@ -343,7 +349,8 @@ int
+ __glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
+ {
+     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+-
++    ClientPtr client = cl->client;
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+     return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
+ }
+ 
+@@ -351,7 +358,8 @@ int
+ __glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
+ {
+     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+-
++    ClientPtr client = cl->client;
++    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
+     return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
+ }
+ 
+@@ -411,7 +419,8 @@ int
+ __glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc)
+ {
+     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+-
++    ClientPtr client = cl->client;
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+     return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
+ }
+ 
+@@ -419,7 +428,8 @@ int
+ __glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
+ {
+     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+-
++    ClientPtr client = cl->client;
++    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
+     return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
+ }
+ 
+@@ -471,7 +481,8 @@ int
+ __glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc)
+ {
+     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+-
++    ClientPtr client = cl->client;
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+     return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
+ }
+ 
+@@ -479,7 +490,8 @@ int
+ __glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
+ {
+     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+-
++    ClientPtr client = cl->client;
++    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
+     return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
+ }
+ 
+@@ -540,7 +552,8 @@ int
+ __glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc)
+ {
+     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+-
++    ClientPtr client = cl->client;
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+     return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
+ }
+ 
+@@ -548,6 +561,7 @@ int
+ __glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
+ {
+     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+-
++    ClientPtr client = cl->client;
++    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
+     return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
+ }

x11/modular-xorg-server112/patches/patch-glx_singlepixswap.c

@@ -0,0 +1,152 @@
+$NetBSD: patch-glx_singlepixswap.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- glx/singlepixswap.c.orig	2012-05-17 17:09:02.000000000 +0000
++++ glx/singlepixswap.c
+@@ -57,6 +57,8 @@ __glXDispSwap_ReadPixels(__GLXclientStat
+     int error;
+     char *answer, answerBuffer[200];
+ 
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
++
+     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
+     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+     if (!cx) {
+@@ -122,6 +124,8 @@ __glXDispSwap_GetTexImage(__GLXclientSta
+     char *answer, answerBuffer[200];
+     GLint width = 0, height = 0, depth = 1;
+ 
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
++
+     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
+     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+     if (!cx) {
+@@ -197,6 +201,8 @@ __glXDispSwap_GetPolygonStipple(__GLXcli
+ 
+     __GLX_DECLARE_SWAP_VARIABLES;
+ 
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
++
+     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
+     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
+     if (!cx) {
+@@ -266,15 +272,13 @@ GetSeparableFilter(__GLXclientState * cl
+     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
+     compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
+ 
+-    if (compsize < 0)
++    if ((compsize = safe_pad(compsize)) < 0)
+         compsize = 0;
+-    if (compsize2 < 0)
++    if ((compsize2 = safe_pad(compsize2)) < 0)
+         compsize2 = 0;
+-    compsize = __GLX_PAD(compsize);
+-    compsize2 = __GLX_PAD(compsize2);
+ 
+     CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes));
+-    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
++    __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
+     __glXClearErrorOccured();
+     CALL_GetSeparableFilter(GET_DISPATCH(), (*(GLenum *) (pc + 0),
+                                              *(GLenum *) (pc + 4),
+@@ -302,7 +306,9 @@ int
+ __glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
+ {
+     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
++    ClientPtr client = cl->client;
+ 
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+     return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
+ }
+ 
+@@ -310,7 +316,9 @@ int
+ __glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
+ {
+     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
++    ClientPtr client = cl->client;
+ 
++    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
+     return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
+ }
+ 
+@@ -388,7 +396,9 @@ int
+ __glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
+ {
+     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
++    ClientPtr client = cl->client;
+ 
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+     return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
+ }
+ 
+@@ -396,7 +406,9 @@ int
+ __glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
+ {
+     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
++    ClientPtr client = cl->client;
+ 
++    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
+     return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
+ }
+ 
+@@ -463,7 +475,9 @@ int
+ __glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc)
+ {
+     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
++    ClientPtr client = cl->client;
+ 
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+     return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
+ }
+ 
+@@ -471,7 +485,9 @@ int
+ __glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
+ {
+     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
++    ClientPtr client = cl->client;
+ 
++    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
+     return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
+ }
+ 
+@@ -529,7 +545,9 @@ int
+ __glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc)
+ {
+     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
++    ClientPtr client = cl->client;
+ 
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+     return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
+ }
+ 
+@@ -537,7 +555,9 @@ int
+ __glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
+ {
+     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
++    ClientPtr client = cl->client;
+ 
++    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
+     return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
+ }
+ 
+@@ -605,7 +625,9 @@ int
+ __glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc)
+ {
+     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
++    ClientPtr client = cl->client;
+ 
++    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
+     return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
+ }
+ 
+@@ -613,6 +635,8 @@ int
+ __glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
+ {
+     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
++    ClientPtr client = cl->client;
+ 
++    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
+     return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
+ }

x11/modular-xorg-server112/patches/patch-glx_swap__interval.c

@@ -0,0 +1,16 @@
+$NetBSD: patch-glx_swap__interval.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- glx/swap_interval.c.orig	2012-05-17 17:09:02.000000000 +0000
++++ glx/swap_interval.c
+@@ -50,6 +50,8 @@ DoSwapInterval(__GLXclientState * cl, GL
+     __GLXcontext *cx;
+     GLint interval;
+ 
++    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 4);
++
+     cx = __glXLookupContextByTag(cl, tag);
+ 
+     if ((cx == NULL) || (cx->pGlxScreen == NULL)) {

x11/modular-xorg-server112/patches/patch-glx_unpack.h

@@ -0,0 +1,17 @@
+$NetBSD: patch-glx_unpack.h,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- glx/unpack.h.orig	2012-05-17 17:09:02.000000000 +0000
++++ glx/unpack.h
+@@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply;
+ ** pointer.
+ */
+ #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align)			 \
+-    if ((size) > sizeof(answerBuffer)) {				 \
++    if (size < 0) return BadLength;                                      \
++    else if ((size) > sizeof(answerBuffer)) {				 \
+ 	int bump;							 \
+ 	if ((cl)->returnBufSize < (size)+(align)) {			 \
+ 	    (cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf,	 	 \

x11/modular-xorg-server112/patches/patch-hw_xfree86_common_compiler.h

@@ -0,0 +1,53 @@
+$NetBSD: patch-hw_xfree86_common_compiler.h,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+--- hw/xfree86/common/compiler.h.orig	2013-05-21 17:33:57.000000000 +0000
++++ hw/xfree86/common/compiler.h
+@@ -1392,26 +1392,26 @@ inl(unsigned short port)
+ static __inline__ void
+ outb(unsigned short port, unsigned char val)
+ {
+-    __asm__ __volatile__("out%B0 (%1)"::"a"(val), "d"(port));
++    __asm__ __volatile__("outb %0, %1"::"a"(val), "d"(port));
+ }
+ 
+ static __inline__ void
+ outw(unsigned short port, unsigned short val)
+ {
+-    __asm__ __volatile__("out%W0 (%1)"::"a"(val), "d"(port));
++    __asm__ __volatile__("outw %0, %1"::"a"(val), "d"(port));
+ }
+ 
+ static __inline__ void
+ outl(unsigned short port, unsigned int val)
+ {
+-    __asm__ __volatile__("out%L0 (%1)"::"a"(val), "d"(port));
++    __asm__ __volatile__("outl %0, %1"::"a"(val), "d"(port));
+ }
+ 
+ static __inline__ unsigned int
+ inb(unsigned short port)
+ {
+     unsigned char ret;
+-    __asm__ __volatile__("in%B0 (%1)":"=a"(ret):"d"(port));
++    __asm__ __volatile__("inb %1, %0":"=a"(ret):"d"(port));
+ 
+     return ret;
+ }
+@@ -1420,7 +1420,7 @@ static __inline__ unsigned int
+ inw(unsigned short port)
+ {
+     unsigned short ret;
+-    __asm__ __volatile__("in%W0 (%1)":"=a"(ret):"d"(port));
++    __asm__ __volatile__("inw %1, %0":"=a"(ret):"d"(port));
+ 
+     return ret;
+ }
+@@ -1429,7 +1429,7 @@ static __inline__ unsigned int
+ inl(unsigned short port)
+ {
+     unsigned int ret;
+-    __asm__ __volatile__("in%L0 (%1)":"=a"(ret):"d"(port));
++    __asm__ __volatile__("inl %1, %0":"=a"(ret):"d"(port));
+ 
+     return ret;
+ }

x11/modular-xorg-server112/patches/patch-hw_xfree86_dri2_dri2.c

@@ -0,0 +1,40 @@
+$NetBSD: patch-hw_xfree86_dri2_dri2.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+Fix uninitialized variables warning from clang (X crashes without this)
+
+dri2.c:242:27: note: initialize the variable 'ref' to silence this warning
+    DRI2DrawableRefPtr ref;
+dri2.c:320:27: note: initialize the variable 'ref' to silence this warning
+    DRI2DrawableRefPtr ref, next;
+dri2.c:601:27: note: initialize the variable 'ref' to silence this warning
+    DRI2DrawableRefPtr ref;
+
+--- hw/xfree86/dri2/dri2.c.orig	2012-08-02 00:05:32.000000000 +0000
++++ hw/xfree86/dri2/dri2.c
+@@ -239,7 +239,7 @@ typedef struct DRI2DrawableRefRec {
+ static DRI2DrawableRefPtr
+ DRI2LookupDrawableRef(DRI2DrawablePtr pPriv, XID id)
+ {
+-    DRI2DrawableRefPtr ref;
++    DRI2DrawableRefPtr ref = NULL;
+ 
+     xorg_list_for_each_entry(ref, &pPriv->reference_list, link) {
+         if (ref->id == id)
+@@ -317,7 +317,7 @@ DRI2DrawableGone(pointer p, XID id)
+ {
+     DRI2DrawablePtr pPriv = p;
+     DRI2ScreenPtr ds = pPriv->dri2_screen;
+-    DRI2DrawableRefPtr ref, next;
++    DRI2DrawableRefPtr ref = NULL, next;
+     WindowPtr pWin;
+     PixmapPtr pPixmap;
+     DrawablePtr pDraw;
+@@ -598,7 +598,7 @@ static void
+ DRI2InvalidateDrawable(DrawablePtr pDraw)
+ {
+     DRI2DrawablePtr pPriv = DRI2GetDrawable(pDraw);
+-    DRI2DrawableRefPtr ref;
++    DRI2DrawableRefPtr ref = NULL;
+ 
+     if (!pPriv || !pPriv->needInvalidate)
+         return;

x11/modular-xorg-server112/patches/patch-hw_xfree86_dri2_dri2ext.c

@@ -0,0 +1,17 @@
+$NetBSD: patch-hw_xfree86_dri2_dri2ext.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- hw/xfree86/dri2/dri2ext.c.orig	2012-05-17 17:09:03.000000000 +0000
++++ hw/xfree86/dri2/dri2ext.c
+@@ -263,6 +263,9 @@ ProcDRI2GetBuffers(ClientPtr client)
+     unsigned int *attachments;
+ 
+     REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
++    if (stuff->count > (INT_MAX / 4))
++        return BadLength;
++
+     if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
+                        &pDrawable, &status))
+         return status;

x11/modular-xorg-server112/patches/patch-hw_xfree86_os-support_xf86__OSlib.h

@@ -0,0 +1,15 @@
+$NetBSD: patch-hw_xfree86_os-support_xf86__OSlib.h,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+* treat DragonFly same as newer FreeBSD.
+
+--- hw/xfree86/os-support/xf86_OSlib.h.orig	2012-05-17 17:09:03.000000000 +0000
++++ hw/xfree86/os-support/xf86_OSlib.h
+@@ -277,7 +277,7 @@ struct pcvtid {
+ #include <dev/wscons/wsdisplay_usl_io.h>
+ #endif                          /* WSCONS_SUPPORT */
+ #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__) || defined(__DragonFly__)
+-#if defined(__FreeBSD_kernel_version) && (__FreeBSD_kernel_version >= 500013)
++#if defined(__FreeBSD_kernel_version) && (__FreeBSD_kernel_version >= 500013) || defined(__DragonFly__)
+ #include <sys/mouse.h>
+ #else
+ #undef MOUSE_GETINFO

x11/modular-xorg-server112/patches/patch-include_dix.h

@@ -0,0 +1,21 @@
+$NetBSD: patch-include_dix.h,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- include/dix.h.orig	2012-05-17 17:09:04.000000000 +0000
++++ include/dix.h
+@@ -72,8 +72,13 @@ SOFTWARE.
+     if ((sizeof(req) >> 2) > client->req_len )\
+          return(BadLength)
+ 
++#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra)  \
++    if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \
++         return(BadLength)
++
+ #define REQUEST_FIXED_SIZE(req, n)\
+     if (((sizeof(req) >> 2) > client->req_len) || \
++        (((n) >> 2) >= client->req_len) || \
+         (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \
+          return(BadLength)
+ 

x11/modular-xorg-server112/patches/patch-include_regionstr.h

@@ -0,0 +1,32 @@
+$NetBSD: patch-include_regionstr.h,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- include/regionstr.h.orig	2012-05-17 17:09:04.000000000 +0000
++++ include/regionstr.h
+@@ -127,7 +127,10 @@ RegionEnd(RegionPtr reg)
+ static inline size_t
+ RegionSizeof(int n)
+ {
+-    return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
++    if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)))
++        return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
++    else
++        return 0;
+ }
+ 
+ static inline void
+@@ -138,9 +141,10 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect
+         (_pReg)->data = (RegDataPtr) NULL;
+     }
+     else {
++        size_t rgnSize;
+         (_pReg)->extents = RegionEmptyBox;
+-        if (((_size) > 1) && ((_pReg)->data =
+-                              (RegDataPtr) malloc(RegionSizeof(_size)))) {
++        if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) &&
++            (((_pReg)->data = malloc(rgnSize)) != NULL)) {
+             (_pReg)->data->size = (_size);
+             (_pReg)->data->numRects = 0;
+         }

x11/modular-xorg-server112/patches/patch-os_access.c

@@ -0,0 +1,27 @@
+$NetBSD: patch-os_access.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- os/access.c.orig	2012-05-17 17:09:04.000000000 +0000
++++ os/access.c
+@@ -1331,6 +1331,10 @@ GetHosts(pointer *data, int *pnHosts, in
+     for (host = validhosts; host; host = host->next) {
+         nHosts++;
+         n += pad_to_int32(host->len) + sizeof(xHostEntry);
++        /* Could check for INT_MAX, but in reality having more than 1mb of
++           hostnames in the access list is ridiculous */
++        if (n >= 1048576)
++            break;
+     }
+     if (n) {
+         *data = ptr = malloc(n);
+@@ -1339,6 +1343,8 @@ GetHosts(pointer *data, int *pnHosts, in
+         }
+         for (host = validhosts; host; host = host->next) {
+             len = host->len;
++            if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
++                break;
+             ((xHostEntry *) ptr)->family = host->family;
+             ((xHostEntry *) ptr)->length = len;
+             ptr += sizeof(xHostEntry);

x11/modular-xorg-server112/patches/patch-os_rpcauth.c

@@ -0,0 +1,18 @@
+$NetBSD: patch-os_rpcauth.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- os/rpcauth.c.orig	2012-05-17 17:09:04.000000000 +0000
++++ os/rpcauth.c
+@@ -66,6 +66,10 @@ authdes_ezdecode(const char *inmsg, int 
+     SVCXPRT xprt;
+ 
+     temp_inmsg = malloc(len);
++    if (temp_inmsg == NULL) {
++        why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */
++        return NULL;
++    }
+     memmove(temp_inmsg, inmsg, len);
+ 
+     memset((char *) &msg, 0, sizeof(msg));

x11/modular-xorg-server112/patches/patch-randr_randr.c

@@ -0,0 +1,21 @@
+$NetBSD: patch-randr_randr.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+Implements RRSetChanged()
+
+--- randr/randr.c.orig	2012-08-02 00:30:15.000000000 +0000
++++ randr/randr.c
+@@ -435,6 +435,14 @@ RRTellChanged(ScreenPtr pScreen)
+     }
+ }
+ 
++void
++RRSetChanged(ScreenPtr pScreen)
++{
++	rrScrPriv(pScreen);
++
++	pScrPriv->changed = TRUE;
++}
++
+ /*
+  * Return the first output which is connected to an active CRTC
+  * Used in emulating 1.0 behaviour

x11/modular-xorg-server112/patches/patch-randr_randrstr.h

@@ -0,0 +1,16 @@
+$NetBSD: patch-randr_randrstr.h,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+Implements RRSetChanged()
+
+--- randr/randrstr.h.orig	2012-05-17 17:09:05.000000000 +0000
++++ randr/randrstr.h
+@@ -438,6 +438,9 @@ extern _X_EXPORT void
+ extern _X_EXPORT void
+  RRTellChanged(ScreenPtr pScreen);
+ 
++extern _X_EXPORT void
++ RRSetChanged(ScreenPtr pScreen);
++
+ /*
+  * Poll the driver for changed information
+  */

x11/modular-xorg-server112/patches/patch-randr_rrsdispatch.c

@@ -0,0 +1,39 @@
+$NetBSD: patch-randr_rrsdispatch.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- randr/rrsdispatch.c.orig	2012-05-17 17:09:05.000000000 +0000
++++ randr/rrsdispatch.c
+@@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client)
+ {
+     REQUEST(xRRQueryVersionReq);
+ 
++    REQUEST_SIZE_MATCH(xRRQueryVersionReq);
+     swaps(&stuff->length);
+     swapl(&stuff->majorVersion);
+     swapl(&stuff->minorVersion);
+@@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client)
+ {
+     REQUEST(xRRGetScreenInfoReq);
+ 
++    REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
+     swaps(&stuff->length);
+     swapl(&stuff->window);
+     return (*ProcRandrVector[stuff->randrReqType]) (client);
+@@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client)
+ {
+     REQUEST(xRRSelectInputReq);
+ 
++    REQUEST_SIZE_MATCH(xRRSelectInputReq);
+     swaps(&stuff->length);
+     swapl(&stuff->window);
+     swaps(&stuff->enable);
+@@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr
+ {
+     REQUEST(xRRConfigureOutputPropertyReq);
+ 
++    REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq);
+     swaps(&stuff->length);
+     swapl(&stuff->output);
+     swapl(&stuff->property);

x11/modular-xorg-server112/patches/patch-render_picture.h

@@ -0,0 +1,16 @@
+$NetBSD: patch-render_picture.h,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+Fix CVE-2013-6424 using
+http://lists.x.org/archives/xorg-devel/2013-October/037996.html
+
+--- render/picture.h.orig	2012-05-17 17:09:05.000000000 +0000
++++ render/picture.h
+@@ -211,7 +211,7 @@ typedef pixman_fixed_t xFixed;
+ /* whether 't' is a well defined not obviously empty trapezoid */
+ #define xTrapezoidValid(t)  ((t)->left.p1.y != (t)->left.p2.y && \
+ 			     (t)->right.p1.y != (t)->right.p2.y && \
+-			     (int) ((t)->bottom - (t)->top) > 0)
++			     ((t)->bottom > (t)->top))
+ 
+ /*
+  * Standard NTSC luminance conversions:

x11/modular-xorg-server112/patches/patch-render_render.c

@@ -0,0 +1,141 @@
+$NetBSD: patch-render_render.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- render/render.c.orig	2014-12-21 14:51:52.000000000 +0000
++++ render/render.c
+@@ -271,10 +271,11 @@ ProcRenderQueryVersion(ClientPtr client)
+ 
+     REQUEST(xRenderQueryVersionReq);
+ 
++    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
++
+     pRenderClient->major_version = stuff->majorVersion;
+     pRenderClient->minor_version = stuff->minorVersion;
+ 
+-    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
+     memset(&rep, 0, sizeof(xRenderQueryVersionReply));
+     rep.type = X_Reply;
+     rep.length = 0;
+@@ -1994,7 +1995,7 @@ static int
+ SProcRenderQueryVersion(ClientPtr client)
+ {
+     REQUEST(xRenderQueryVersionReq);
+-
++    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
+     swaps(&stuff->length);
+     swapl(&stuff->majorVersion);
+     swapl(&stuff->minorVersion);
+@@ -2005,6 +2006,7 @@ static int
+ SProcRenderQueryPictFormats(ClientPtr client)
+ {
+     REQUEST(xRenderQueryPictFormatsReq);
++    REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
+     swaps(&stuff->length);
+     return (*ProcRenderVector[stuff->renderReqType]) (client);
+ }
+@@ -2013,6 +2015,7 @@ static int
+ SProcRenderQueryPictIndexValues(ClientPtr client)
+ {
+     REQUEST(xRenderQueryPictIndexValuesReq);
++    REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
+     swaps(&stuff->length);
+     swapl(&stuff->format);
+     return (*ProcRenderVector[stuff->renderReqType]) (client);
+@@ -2028,6 +2031,7 @@ static int
+ SProcRenderCreatePicture(ClientPtr client)
+ {
+     REQUEST(xRenderCreatePictureReq);
++    REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
+     swaps(&stuff->length);
+     swapl(&stuff->pid);
+     swapl(&stuff->drawable);
+@@ -2041,6 +2045,7 @@ static int
+ SProcRenderChangePicture(ClientPtr client)
+ {
+     REQUEST(xRenderChangePictureReq);
++    REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
+     swaps(&stuff->length);
+     swapl(&stuff->picture);
+     swapl(&stuff->mask);
+@@ -2052,6 +2057,7 @@ static int
+ SProcRenderSetPictureClipRectangles(ClientPtr client)
+ {
+     REQUEST(xRenderSetPictureClipRectanglesReq);
++    REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
+     swaps(&stuff->length);
+     swapl(&stuff->picture);
+     swaps(&stuff->xOrigin);
+@@ -2064,6 +2070,7 @@ static int
+ SProcRenderFreePicture(ClientPtr client)
+ {
+     REQUEST(xRenderFreePictureReq);
++    REQUEST_SIZE_MATCH(xRenderFreePictureReq);
+     swaps(&stuff->length);
+     swapl(&stuff->picture);
+     return (*ProcRenderVector[stuff->renderReqType]) (client);
+@@ -2073,6 +2080,7 @@ static int
+ SProcRenderComposite(ClientPtr client)
+ {
+     REQUEST(xRenderCompositeReq);
++    REQUEST_SIZE_MATCH(xRenderCompositeReq);
+     swaps(&stuff->length);
+     swapl(&stuff->src);
+     swapl(&stuff->mask);
+@@ -2092,6 +2100,7 @@ static int
+ SProcRenderScale(ClientPtr client)
+ {
+     REQUEST(xRenderScaleReq);
++    REQUEST_SIZE_MATCH(xRenderScaleReq);
+     swaps(&stuff->length);
+     swapl(&stuff->src);
+     swapl(&stuff->dst);
+@@ -2192,6 +2201,7 @@ static int
+ SProcRenderCreateGlyphSet(ClientPtr client)
+ {
+     REQUEST(xRenderCreateGlyphSetReq);
++    REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
+     swaps(&stuff->length);
+     swapl(&stuff->gsid);
+     swapl(&stuff->format);
+@@ -2202,6 +2212,7 @@ static int
+ SProcRenderReferenceGlyphSet(ClientPtr client)
+ {
+     REQUEST(xRenderReferenceGlyphSetReq);
++    REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
+     swaps(&stuff->length);
+     swapl(&stuff->gsid);
+     swapl(&stuff->existing);
+@@ -2212,6 +2223,7 @@ static int
+ SProcRenderFreeGlyphSet(ClientPtr client)
+ {
+     REQUEST(xRenderFreeGlyphSetReq);
++    REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
+     swaps(&stuff->length);
+     swapl(&stuff->glyphset);
+     return (*ProcRenderVector[stuff->renderReqType]) (client);
+@@ -2226,6 +2238,7 @@ SProcRenderAddGlyphs(ClientPtr client)
+     xGlyphInfo *gi;
+ 
+     REQUEST(xRenderAddGlyphsReq);
++    REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
+     swaps(&stuff->length);
+     swapl(&stuff->glyphset);
+     swapl(&stuff->nglyphs);
+@@ -2260,6 +2273,7 @@ static int
+ SProcRenderFreeGlyphs(ClientPtr client)
+ {
+     REQUEST(xRenderFreeGlyphsReq);
++    REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
+     swaps(&stuff->length);
+     swapl(&stuff->glyphset);
+     SwapRestL(stuff);
+@@ -2277,6 +2291,7 @@ SProcRenderCompositeGlyphs(ClientPtr cli
+     int size;
+ 
+     REQUEST(xRenderCompositeGlyphsReq);
++    REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
+ 
+     switch (stuff->renderReqType) {
+     default:

x11/modular-xorg-server112/patches/patch-test_Makefile.am

@@ -0,0 +1,16 @@
+$NetBSD: patch-test_Makefile.am,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- test/Makefile.am.orig	2012-05-17 17:09:05.000000000 +0000
++++ test/Makefile.am
+@@ -4,7 +4,7 @@ noinst_PROGRAMS = list string touch
+ if XORG
+ # Tests that require at least some DDX functions in order to fully link
+ # For now, requires xf86 ddx, could be adjusted to use another
+-SUBDIRS += xi2
++SUBDIRS += xi1 xi2
+ noinst_PROGRAMS += xkb input xtest misc fixes xfree86
+ endif
+ check_LTLIBRARIES = libxservertest.la

x11/modular-xorg-server112/patches/patch-test_misc.c

@@ -0,0 +1,63 @@
+$NetBSD: patch-test_misc.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- test/misc.c.orig	2012-05-17 17:09:05.000000000 +0000
++++ test/misc.c
+@@ -28,6 +28,8 @@
+ #include <stdint.h>
+ #include "misc.h"
+ #include "scrnintstr.h"
++#include "dix.h"
++#include "dixstruct.h"
+ 
+ ScreenInfo screenInfo;
+ 
+@@ -155,11 +157,46 @@ dix_update_desktop_dimensions(void)
+     assert_dimensions(-w2, -h2, w2, h2);
+ }
+ 
++static int
++dix_request_fixed_size_overflow(ClientRec *client)
++{
++    xReq req = { 0 };
++
++    client->req_len = req.length = 1;
++    REQUEST_FIXED_SIZE(req, SIZE_MAX);
++    return Success;
++}
++
++static int
++dix_request_fixed_size_match(ClientRec *client)
++{
++    xReq req = { 0 };
++
++    client->req_len = req.length = 9;
++    REQUEST_FIXED_SIZE(req, 30);
++    return Success;
++}
++
++static void
++dix_request_size_checks(void)
++{
++    ClientRec client = { 0 };
++    int rc;
++
++    rc = dix_request_fixed_size_overflow(&client);
++    assert(rc == BadLength);
++
++    rc = dix_request_fixed_size_match(&client);
++    assert(rc == Success);
++}
++
++
+ int
+ main(int argc, char **argv)
+ {
+     dix_version_compare();
+     dix_update_desktop_dimensions();
++    dix_request_size_checks();
+ 
+     return 0;
+ }

x11/modular-xorg-server112/patches/patch-test_xi1_Makefile.am

@@ -0,0 +1,42 @@
+$NetBSD: patch-test_xi1_Makefile.am,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- test/xi1/Makefile.am.orig	2014-12-21 14:51:52.000000000 +0000
++++ test/xi1/Makefile.am
+@@ -0,0 +1,34 @@
++if ENABLE_UNIT_TESTS
++if HAVE_LD_WRAP
++noinst_PROGRAMS =  \
++	protocol-xchangedevicecontrol
++
++TESTS=$(noinst_PROGRAMS)
++TESTS_ENVIRONMENT = $(XORG_MALLOC_DEBUG_ENV)
++
++AM_CFLAGS = $(DIX_CFLAGS) @XORG_CFLAGS@
++AM_CPPFLAGS = @XORG_INCS@ -I$(srcdir)/../xi2
++TEST_LDADD=../libxservertest.la $(XORG_SYS_LIBS) $(XSERVER_SYS_LIBS) $(GLX_SYS_LIBS)
++COMMON_SOURCES=$(srcdir)/../xi2/protocol-common.c
++
++if SPECIAL_DTRACE_OBJECTS
++TEST_LDADD += $(OS_LIB) $(DIX_LIB)
++endif
++
++protocol_xchangedevicecontrol_LDADD=$(TEST_LDADD)
++
++protocol_xchangedevicecontrol_LDFLAGS=$(AM_LDFLAGS) -Wl,-wrap,WriteToClient
++
++protocol_xchangedevicecontrol_SOURCES=$(COMMON_SOURCES) protocol-xchangedevicecontrol.c
++
++else
++# Print that xi1-tests were skipped (exit code 77 for automake test harness)
++TESTS = xi1-tests
++CLEANFILES = $(TESTS)
++
++xi1-tests:
++	@echo 'echo "ld -wrap support required for xi1 unit tests, skipping"' > $@
++	@echo 'exit 77' >> $@
++	$(AM_V_GEN)chmod +x $@
++endif
++endif

x11/modular-xorg-server112/patches/patch-test_xi1_protocol-xchangedevicecontrol.c

@@ -0,0 +1,130 @@
+$NetBSD: patch-test_xi1_protocol-xchangedevicecontrol.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- test/xi1/protocol-xchangedevicecontrol.c.orig	2014-12-21 14:51:52.000000000 +0000
++++ test/xi1/protocol-xchangedevicecontrol.c
+@@ -0,0 +1,122 @@
++/**
++ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a
++ * copy of this software and associated documentation files (the "Software"),
++ * to deal in the Software without restriction, including without limitation
++ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
++ * and/or sell copies of the Software, and to permit persons to whom the
++ * Software is furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice (including the next
++ * paragraph) shall be included in all copies or substantial portions of the
++ * Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
++ * DEALINGS IN THE SOFTWARE.
++ */
++
++#ifdef HAVE_DIX_CONFIG_H
++#include <dix-config.h>
++#endif
++
++/*
++ * Protocol testing for ChangeDeviceControl request.
++ */
++#include <stdint.h>
++#include <X11/X.h>
++#include <X11/Xproto.h>
++#include <X11/extensions/XIproto.h>
++#include "inputstr.h"
++#include "chgdctl.h"
++
++#include "protocol-common.h"
++
++static ClientRec client_request;
++
++static void
++reply_ChangeDeviceControl(ClientPtr client, int len, char *data, void *userdata)
++{
++    xChangeDeviceControlReply *rep = (xChangeDeviceControlReply *) data;
++
++    if (client->swapped) {
++        swapl(&rep->length);
++        swaps(&rep->sequenceNumber);
++    }
++
++    reply_check_defaults(rep, len, ChangeDeviceControl);
++
++    /* XXX: check status code in reply */
++}
++
++static void
++request_ChangeDeviceControl(ClientPtr client, xChangeDeviceControlReq * req,
++                            xDeviceCtl *ctl, int error)
++{
++    int rc;
++
++    client_request.req_len = req->length;
++    rc = ProcXChangeDeviceControl(&client_request);
++    assert(rc == error);
++
++    /* XXX: ChangeDeviceControl doesn't seem to fill in errorValue to check */
++
++    client_request.swapped = TRUE;
++    swaps(&req->length);
++    swaps(&req->control);
++    swaps(&ctl->length);
++    swaps(&ctl->control);
++    /* XXX: swap other contents of ctl, depending on type */
++    rc = SProcXChangeDeviceControl(&client_request);
++    assert(rc == error);
++}
++
++static unsigned char *data[4096];       /* the request buffer */
++
++static void
++test_ChangeDeviceControl(void)
++{
++    xChangeDeviceControlReq *request = (xChangeDeviceControlReq *) data;
++    xDeviceCtl *control = (xDeviceCtl *) (&request[1]);
++
++    request_init(request, ChangeDeviceControl);
++
++    reply_handler = reply_ChangeDeviceControl;
++
++    client_request = init_client(request->length, request);
++
++    printf("Testing invalid lengths:\n");
++    printf(" -- no control struct\n");
++    request_ChangeDeviceControl(&client_request, request, control, BadLength);
++
++    printf(" -- xDeviceResolutionCtl\n");
++    request_init(request, ChangeDeviceControl);
++    request->control = DEVICE_RESOLUTION;
++    control->length = (sizeof(xDeviceResolutionCtl) >> 2);
++    request->length += control->length - 2;
++    request_ChangeDeviceControl(&client_request, request, control, BadLength);
++
++    printf(" -- xDeviceEnableCtl\n");
++    request_init(request, ChangeDeviceControl);
++    request->control = DEVICE_ENABLE;
++    control->length = (sizeof(xDeviceEnableCtl) >> 2);
++    request->length += control->length - 2;
++    request_ChangeDeviceControl(&client_request, request, control, BadLength);
++
++    /* XXX: Test functionality! */
++}
++
++int
++main(int argc, char **argv)
++{
++    init_simple();
++
++    test_ChangeDeviceControl();
++
++    return 0;
++}

x11/modular-xorg-server112/patches/patch-test_xi2_protocol-xigetclientpointer.c

@@ -0,0 +1,19 @@
+$NetBSD: patch-test_xi2_protocol-xigetclientpointer.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- test/xi2/protocol-xigetclientpointer.c.orig	2012-05-17 17:09:05.000000000 +0000
++++ test/xi2/protocol-xigetclientpointer.c
+@@ -124,6 +124,11 @@ test_XIGetClientPointer(void)
+     request.win = INVALID_WINDOW_ID;
+     request_XIGetClientPointer(&client_request, &request, BadWindow);
+ 
++    printf("Testing invalid length\n");
++    client_request.req_len -= 4;
++    request_XIGetClientPointer(&client_request, &request, BadLength);
++    client_request.req_len += 4;
++
+     test_data.cp_is_set = FALSE;
+ 
+     printf("Testing window None, unset ClientPointer.\n");

x11/modular-xorg-server112/patches/patch-test_xi2_protocol-xipassivegrabdevice.c

@@ -0,0 +1,29 @@
+$NetBSD: patch-test_xi2_protocol-xipassivegrabdevice.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- test/xi2/protocol-xipassivegrabdevice.c.orig	2012-05-17 17:09:05.000000000 +0000
++++ test/xi2/protocol-xipassivegrabdevice.c
+@@ -137,6 +137,7 @@ request_XIPassiveGrabDevice(ClientPtr cl
+     int rc;
+     int modifiers;
+ 
++    client_request.req_len = req->length;
+     rc = ProcXIPassiveGrabDevice(&client_request);
+     assert(rc == error);
+ 
+@@ -187,6 +188,13 @@ test_XIPassiveGrabDevice(void)
+     request_XIPassiveGrabDevice(&client_request, request, BadDevice,
+                                 request->deviceid);
+ 
++    printf("Testing invalid length\n");
++    request->length -= 2;
++    request_XIPassiveGrabDevice(&client_request, request, BadLength,
++                                client_request.errorValue);
++    /* re-init request since swapped length test leaves some values swapped */
++    request_init(request, XIPassiveGrabDevice);
++    request->grab_window = CLIENT_WINDOW_ID;
+     request->deviceid = XIAllMasterDevices;
+ 
+     printf("Testing invalid grab types\n");

x11/modular-xorg-server112/patches/patch-test_xi2_protocol-xiquerypointer.c

@@ -0,0 +1,18 @@
+$NetBSD: patch-test_xi2_protocol-xiquerypointer.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- test/xi2/protocol-xiquerypointer.c.orig	2012-05-17 17:09:05.000000000 +0000
++++ test/xi2/protocol-xiquerypointer.c
+@@ -200,6 +200,10 @@ test_XIQueryPointer(void)
+     test_data.dev = devices.mouse;
+     request.deviceid = devices.mouse->id;
+     request_XIQueryPointer(&client_request, &request, Success);
++
++    /* test REQUEST_SIZE_MATCH */
++    client_request.req_len -= 4;
++    request_XIQueryPointer(&client_request, &request, BadLength);
+ }
+ 
+ int

x11/modular-xorg-server112/patches/patch-test_xi2_protocol-xiwarppointer.c

@@ -0,0 +1,17 @@
+$NetBSD: patch-test_xi2_protocol-xiwarppointer.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- test/xi2/protocol-xiwarppointer.c.orig	2012-05-17 17:09:05.000000000 +0000
++++ test/xi2/protocol-xiwarppointer.c
+@@ -197,6 +197,9 @@ test_XIWarpPointer(void)
+     request_XIWarpPointer(&client_request, &request, Success);
+ 
+     /* FIXME: src_x/y checks */
++
++    client_request.req_len -= 2; /* invalid length */
++    request_XIWarpPointer(&client_request, &request, BadLength);
+ }
+ 
+ int

x11/modular-xorg-server112/patches/patch-xfixes_select.c

@@ -0,0 +1,15 @@
+$NetBSD: patch-xfixes_select.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+X.Org Security Advisory:  Dec. 9, 2014
+Protocol handling issues in X Window System servers
+
+--- xfixes/select.c.orig	2012-05-17 17:09:05.000000000 +0000
++++ xfixes/select.c
+@@ -204,6 +204,7 @@ SProcXFixesSelectSelectionInput(ClientPt
+ {
+     REQUEST(xXFixesSelectSelectionInputReq);
+ 
++    REQUEST_SIZE_MATCH(xXFixesSelectSelectionInputReq);
+     swaps(&stuff->length);
+     swapl(&stuff->window);
+     swapl(&stuff->selection);

x11/modular-xorg-server112/patches/patch-xkb_xkb.c

@@ -0,0 +1,140 @@
+$NetBSD: patch-xkb_xkb.c,v 1.1 2015/04/03 09:46:18 tnn Exp $
+
+From cc830bd3a5b44796f1e8721f336dca4f565a8130 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Fri, 16 Jan 2015 08:44:45 +0100
+Subject: [PATCH] xkb: Check strings length against request size
+
+Ensure that the given strings length in an XkbSetGeometry request remain
+within the limits of the size of the request.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+---
+ xkb/xkb.c | 65 +++++++++++++++++++++++++++++++++++++++------------------------
+ 1 file changed, 40 insertions(+), 25 deletions(-)
+
+--- xkb/xkb.c.orig	2012-05-17 17:09:05.000000000 +0000
++++ xkb/xkb.c
+@@ -4946,26 +4946,29 @@ ProcXkbGetGeometry(ClientPtr client)
+ 
+ /***====================================================================***/
+ 
+-static char *
+-_GetCountedString(char **wire_inout, Bool swap)
++static Status
++_GetCountedString(char **wire_inout, ClientPtr client, char **str)
+ {
+-    char *wire, *str;
+-    CARD16 len, *plen;
++    char *wire, *next;
++    CARD16 len;
+ 
+     wire = *wire_inout;
+-    plen = (CARD16 *) wire;
+-    if (swap) {
+-        swaps(plen);
+-    }
+-    len = *plen;
+-    str = malloc(len + 1);
+-    if (str) {
+-        memcpy(str, &wire[2], len);
+-        str[len] = '\0';
++    len = *(CARD16 *) wire;
++    if (client->swapped) {
++        swaps(&len);
+     }
+-    wire += XkbPaddedSize(len + 2);
+-    *wire_inout = wire;
+-    return str;
++    next = wire + XkbPaddedSize(len + 2);
++    /* Check we're still within the size of the request */
++    if (client->req_len <
++        bytes_to_int32(next - (char *) client->requestBuffer))
++        return BadValue;
++    *str = malloc(len + 1);
++    if (!*str)
++        return BadAlloc;
++    memcpy(*str, &wire[2], len);
++    *(*str + len) = '\0';
++    *wire_inout = next;
++    return Success;
+ }
+ 
+ static Status
+@@ -4975,6 +4978,7 @@ _CheckSetDoodad(char **wire_inout,
+     char *wire;
+     xkbDoodadWireDesc *dWire;
+     XkbDoodadPtr doodad;
++    Status status;
+ 
+     dWire = (xkbDoodadWireDesc *) (*wire_inout);
+     wire = (char *) &dWire[1];
+@@ -5022,8 +5026,14 @@ _CheckSetDoodad(char **wire_inout,
+         doodad->text.width = dWire->text.width;
+         doodad->text.height = dWire->text.height;
+         doodad->text.color_ndx = dWire->text.colorNdx;
+-        doodad->text.text = _GetCountedString(&wire, client->swapped);
+-        doodad->text.font = _GetCountedString(&wire, client->swapped);
++        status = _GetCountedString(&wire, client, &doodad->text.text);
++        if (status != Success)
++            return status;
++        status = _GetCountedString(&wire, client, &doodad->text.font);
++        if (status != Success) {
++            free (doodad->text.text);
++            return status;
++        }
+         break;
+     case XkbIndicatorDoodad:
+         if (dWire->indicator.onColorNdx >= geom->num_colors) {
+@@ -5058,7 +5068,9 @@ _CheckSetDoodad(char **wire_inout,
+         }
+         doodad->logo.color_ndx = dWire->logo.colorNdx;
+         doodad->logo.shape_ndx = dWire->logo.shapeNdx;
+-        doodad->logo.logo_name = _GetCountedString(&wire, client->swapped);
++        status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
++        if (status != Success)
++            return status;
+         break;
+     default:
+         client->errorValue = _XkbErrCode2(0x4F, dWire->any.type);
+@@ -5290,18 +5302,20 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSe
+     char *wire;
+ 
+     wire = (char *) &req[1];
+-    geom->label_font = _GetCountedString(&wire, client->swapped);
++    status = _GetCountedString(&wire, client, &geom->label_font);
++    if (status != Success)
++        return status;
+ 
+     for (i = 0; i < req->nProperties; i++) {
+         char *name, *val;
+ 
+-        name = _GetCountedString(&wire, client->swapped);
+-        if (!name)
+-            return BadAlloc;
+-        val = _GetCountedString(&wire, client->swapped);
+-        if (!val) {
++        status = _GetCountedString(&wire, client, &name);
++        if (status != Success)
++            return status;
++        status = _GetCountedString(&wire, client, &val);
++        if (status != Success) {
+             free(name);
+-            return BadAlloc;
++            return status;
+         }
+         if (XkbAddGeomProperty(geom, name, val) == NULL) {
+             free(name);
+@@ -5335,9 +5349,9 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSe
+     for (i = 0; i < req->nColors; i++) {
+         char *name;
+ 
+-        name = _GetCountedString(&wire, client->swapped);
+-        if (!name)
+-            return BadAlloc;
++        status = _GetCountedString(&wire, client, &name);
++        if (status != Success)
++            return status;
+         if (!XkbAddGeomColor(geom, name, geom->num_colors)) {
+             free(name);
+             return BadAlloc;