main/libxrender: upgrade to 0.9.8

b53d4783 · prymeroot · 42c51407 · b53d4783 · 42c51407 · 42c51407
Commit b53d4783 authored 11 years ago by prymeroot
--- a/main/libxrender/APKBUILD
+++ b/main/libxrender/APKBUILD
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libxrender
-pkgver=0.9.7
-pkgrel=1
+pkgver=0.9.8
+pkgrel=0
 pkgdesc="X Rendering Extension client library"
 url="http://xorg.freedesktop.org/"
 arch="all"
@@ -10,22 +10,10 @@ subpackages="$pkgname-dev"
 depends=
 depends_dev="xproto renderproto libx11-dev"
 makedepends="$depends_dev"
-source="http://xorg.freedesktop.org/releases/individual/lib/libXrender-$pkgver.tar.bz2
-	CVE-2013-1987-1.patch
-	CVE-2013-1987-2.patch
-	CVE-2013-1987-3.patch
-	"
+source="http://xorg.freedesktop.org/releases/individual/lib/libXrender-$pkgver.tar.bz2"


 _builddir="$srcdir"/libXrender-$pkgver
-prepare() {
-	cd "$_builddir"
-	for i in $source; do
-		case $i in
-		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
-		esac
-	done
-}

 build() { 
 	cd "$_builddir"
@@ -38,15 +26,6 @@ package() {
 	make DESTDIR="$pkgdir" install || return 1
 	rm "$pkgdir"/usr/lib/*.la || return 1
 }
-md5sums="ee62f4c7f0f16ced4da63308963ccad2  libXrender-0.9.7.tar.bz2
-5d82b028bed7456b38f1d001a222b1d8  CVE-2013-1987-1.patch
-8e0adc5dcbf89ea1d0c7fe0e0dd5e8d7  CVE-2013-1987-2.patch
-b3bac65a7f41bcacbf5fd8278ac709b6  CVE-2013-1987-3.patch"
-sha256sums="f9b46b93c9bc15d5745d193835ac9ba2a2b411878fad60c504bbb8f98492bbe6  libXrender-0.9.7.tar.bz2
-4a0b2e6d693c86eab43aa6e6720de149298ea67b1ccc10a723bfb9db3787703a  CVE-2013-1987-1.patch
-7ee9c01f3f20f817c37210147afc50038541bea53b270ce2c3eacf9969821a39  CVE-2013-1987-2.patch
-141096ee1b739e2ca4b270215dbf1ad9ed57ad9d0b405256241f0fb8e19a61ce  CVE-2013-1987-3.patch"
-sha512sums="b52cebf6ebcdfc1e321b4ec7a18ba781cd05ddab9bb191532ea4174848fb7bb7f5bc7e609944e6e193f7b808e5b50316ba74b5bf1024e61b11358ac1887b44dc  libXrender-0.9.7.tar.bz2
-5ec8fa4531271e9c6904b00fa828a82e3b2904d8ea7f8803da4175b516f9a4b268e44fd90607244850affd9899f12f107bb038b02529983c04c5968a10d74a0d  CVE-2013-1987-1.patch
-45778c206f35b3ccc814bf68713582e1aeda45f182678ca88e194b0eb45f8f930732d465b3d10ee475892c5b7e0a9a67354b0036e0ffe2989c929c27f828d52b  CVE-2013-1987-2.patch
-8bee48d9d23ce10aa8076a1c93edd2f2f2b221421ef4d706cacf2f4b23ccb7aea64cfca9fe7766820c8473208fc25d573d72f6a717aa5a0bad9da4297c15af05  CVE-2013-1987-3.patch"
+md5sums="2bd9a15fcf64d216e63b8d129e4f1f1c  libXrender-0.9.8.tar.bz2"
+sha256sums="1d14b02f0060aec5d90dfdcf16a996f17002e515292906ed26e3dcbba0f4fc62  libXrender-0.9.8.tar.bz2"
+sha512sums="111a0ec4e19932a50da4914d9112b0a16c1d9c800e2b8398ddaf9ed70dae1a4eb75860282ca62d023e78957bbc3f015cb80d91ba76a24595df9f8a2b7e055b58  libXrender-0.9.8.tar.bz2"
--- a/main/libxrender/CVE-2013-1987-1.patch
+++ b/main/libxrender/CVE-2013-1987-1.patch
-From e52853974664289fe42a92909667ed77cfa1cec5 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 13 Apr 2013 05:45:20 +0000
-Subject: integer overflow in XRenderQueryFilters() [CVE-2013-1987 1/3]
-
-The length, numFilters & numAliases members of the reply are all CARD32
-and need to be bounds checked before multiplying & adding them together
-to come up with the total size to allocate, to avoid integer overflow
-leading to underallocation and writing data from the network past the
-end of the allocated buffer.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
-diff --git a/src/Filter.c b/src/Filter.c
-index 924b2a3..edfa572 100644
--- a/src/Filter.c
-+++ b/src/Filter.c
-@@ -25,6 +25,7 @@
- #include <config.h>
- #endif
- #include "Xrenderint.h"
-+#include <limits.h>
- 
- XFilters *
- XRenderQueryFilters (Display *dpy, Drawable drawable)
-@@ -37,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
-     char			*name;
-     char			len;
-     int				i;
-    long			nbytes, nbytesAlias, nbytesName;
-+    unsigned long		nbytes, nbytesAlias, nbytesName;
- 
-     if (!RenderHasExtension (info))
- 	return NULL;
-@@ -60,22 +61,32 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
- 	SyncHandle ();
- 	return NULL;
-     }
-    /*
-     * Compute total number of bytes for filter names
-     */
-    nbytes = (long)rep.length << 2;
-    nbytesAlias = rep.numAliases * 2;
-    if (rep.numAliases & 1)
-	nbytesAlias += 2;
-    nbytesName = nbytes - nbytesAlias;
- 
-     /*
-     * Allocate one giant block for the whole data structure
-+     * Limit each component of combined size to 1/4 the max, which is far
-+     * more than they should ever possibly need.
-      */
-    filters = Xmalloc (sizeof (XFilters) +
-		       rep.numFilters * sizeof (char *) +
-		       rep.numAliases * sizeof (short) +
-		       nbytesName);
-+    if ((rep.length < (INT_MAX >> 2)) &&
-+	(rep.numFilters < ((INT_MAX / 4) / sizeof (char *))) &&
-+	(rep.numAliases < ((INT_MAX / 4) / sizeof (short)))) {
-+	/*
-+	 * Compute total number of bytes for filter names
-+	 */
-+	nbytes = (unsigned long)rep.length << 2;
-+	nbytesAlias = rep.numAliases * 2;
-+	if (rep.numAliases & 1)
-+	    nbytesAlias += 2;
-+	nbytesName = nbytes - nbytesAlias;
-+
-+	/*
-+	 * Allocate one giant block for the whole data structure
-+	 */
-+	filters = Xmalloc (sizeof (XFilters) +
-+			   (rep.numFilters * sizeof (char *)) +
-+			   (rep.numAliases * sizeof (short)) +
-+			   nbytesName);
-+    } else
-+	filters = NULL;
- 
-     if (!filters)
-     {
--
-cgit v0.9.0.2-2-gbebe
--- a/main/libxrender/CVE-2013-1987-2.patch
+++ b/main/libxrender/CVE-2013-1987-2.patch
-From 9e577d40322b9e3d8bdefec0eefa44d8ead451a4 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 13 Apr 2013 06:02:11 +0000
-Subject: integer overflow in XRenderQueryFormats() [CVE-2013-1987 2/3]
-
-The length, numFormats, numScreens, numDepths, and numVisuals members of
-the reply are all CARD32 and need to be bounds checked before multiplying
-and adding them together to come up with the total size to allocate, to
-avoid integer overflow leading to underallocation and writing data from
-the network past the end of the allocated buffer.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
-diff --git a/src/Xrender.c b/src/Xrender.c
-index 5c8e5f5..a62c753 100644
--- a/src/Xrender.c
-+++ b/src/Xrender.c
-@@ -26,6 +26,7 @@
- #include <config.h>
- #endif
- #include "Xrenderint.h"
-+#include <limits.h>
- 
- XRenderExtInfo XRenderExtensionInfo;
- char XRenderExtensionName[] = RENDER_NAME;
-@@ -411,8 +412,8 @@ XRenderQueryFormats (Display *dpy)
-     CARD32			*xSubpixel;
-     void			*xData;
-     int				nf, ns, nd, nv;
-    int				rlength;
-    int				nbytes;
-+    unsigned long		rlength;
-+    unsigned long		nbytes;
- 
-     RenderCheckExtension (dpy, info, 0);
-     LockDisplay (dpy);
-@@ -458,18 +459,29 @@ XRenderQueryFormats (Display *dpy)
-     if (async_state.major_version == 0 && async_state.minor_version < 6)
- 	rep.numSubpixel = 0;
- 
-    xri = (XRenderInfo *) Xmalloc (sizeof (XRenderInfo) +
-				   rep.numFormats * sizeof (XRenderPictFormat) +
-				   rep.numScreens * sizeof (XRenderScreen) +
-				   rep.numDepths * sizeof (XRenderDepth) +
-				   rep.numVisuals * sizeof (XRenderVisual));
-    rlength = (rep.numFormats * sizeof (xPictFormInfo) +
-	       rep.numScreens * sizeof (xPictScreen) +
-	       rep.numDepths * sizeof (xPictDepth) +
-	       rep.numVisuals * sizeof (xPictVisual) +
-	       rep.numSubpixel * 4);
-    xData = (void *) Xmalloc (rlength);
-    nbytes = (int) rep.length << 2;
-+    if ((rep.numFormats < ((INT_MAX / 4) / sizeof (XRenderPictFormat))) &&
-+	(rep.numScreens < ((INT_MAX / 4) / sizeof (XRenderScreen))) &&
-+	(rep.numDepths  < ((INT_MAX / 4) / sizeof (XRenderDepth))) &&
-+	(rep.numVisuals < ((INT_MAX / 4) / sizeof (XRenderVisual))) &&
-+	(rep.numSubpixel < ((INT_MAX / 4) / 4)) &&
-+	(rep.length < (INT_MAX >> 2)) ) {
-+	xri = Xmalloc (sizeof (XRenderInfo) +
-+		       (rep.numFormats * sizeof (XRenderPictFormat)) +
-+		       (rep.numScreens * sizeof (XRenderScreen)) +
-+		       (rep.numDepths * sizeof (XRenderDepth)) +
-+		       (rep.numVisuals * sizeof (XRenderVisual)));
-+	rlength = ((rep.numFormats * sizeof (xPictFormInfo)) +
-+		   (rep.numScreens * sizeof (xPictScreen)) +
-+		   (rep.numDepths * sizeof (xPictDepth)) +
-+		   (rep.numVisuals * sizeof (xPictVisual)) +
-+		   (rep.numSubpixel * 4));
-+	xData = Xmalloc (rlength);
-+	nbytes = (unsigned long) rep.length << 2;
-+    } else {
-+	xri = NULL;
-+	xData = NULL;
-+	rlength = nbytes = 0;
-+    }
- 
-     if (!xri || !xData || nbytes < rlength)
-     {
--
-cgit v0.9.0.2-2-gbebe
--- a/main/libxrender/CVE-2013-1987-3.patch
+++ b/main/libxrender/CVE-2013-1987-3.patch
-From 786f78fd8df6d165ccbc81f306fd9f22b5c1551c Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 13 Apr 2013 06:02:11 +0000
-Subject: integer overflow in XRenderQueryPictIndexValues() [CVE-2013-1987 3/3]
-
-The length and numIndexValues members of the reply are both CARD32 and
-need to be bounds checked before multiplying by sizeof (XIndexValue) to
-avoid integer overflow leading to underallocation and writing data from
-the network past the end of the allocated buffer.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
-diff --git a/src/Xrender.c b/src/Xrender.c
-index a62c753..3102eb2 100644
--- a/src/Xrender.c
-+++ b/src/Xrender.c
-@@ -844,7 +844,7 @@ XRenderQueryPictIndexValues(Display			*dpy,
-     xRenderQueryPictIndexValuesReq	*req;
-     xRenderQueryPictIndexValuesReply	rep;
-     XIndexValue				*values;
-    int					nbytes, nread, rlength, i;
-+    unsigned int			nbytes, nread, rlength, i;
- 
-     RenderCheckExtension (dpy, info, NULL);
- 
-@@ -860,15 +860,22 @@ XRenderQueryPictIndexValues(Display			*dpy,
- 	return NULL;
-     }
- 
-    /* request data length */
-    nbytes = (long)rep.length << 2;
-    /* bytes of actual data in the request */
-    nread = rep.numIndexValues * SIZEOF (xIndexValue);
-    /* size of array returned to application */
-    rlength = rep.numIndexValues * sizeof (XIndexValue);
-+    if ((rep.length < (INT_MAX >> 2)) &&
-+	(rep.numIndexValues < (INT_MAX / sizeof (XIndexValue)))) {
-+	/* request data length */
-+	nbytes = rep.length << 2;
-+	/* bytes of actual data in the request */
-+	nread = rep.numIndexValues * SIZEOF (xIndexValue);
-+	/* size of array returned to application */
-+	rlength = rep.numIndexValues * sizeof (XIndexValue);
-+
-+	/* allocate returned data */
-+	values = Xmalloc (rlength);
-+    } else {
-+	nbytes = nread = rlength = 0;
-+	values = NULL;
-+    }
- 
-    /* allocate returned data */
-    values = (XIndexValue *)Xmalloc (rlength);
-     if (!values)
-     {
- 	_XEatDataWords (dpy, rep.length);
--
-cgit v0.9.0.2-2-gbebe