authorKoop Mast <kwm@FreeBSD.org>2014-12-10 21:35:13 +0000
committerKoop Mast <kwm@FreeBSD.org>2014-12-10 21:35:13 +0000
commit1ef33079b39900dcc3d50c5e019eb2f8901c525b (patch)
tree49084ca45edd067095895911788343ae39bf660b /x11-servers/xorg-server/files/patch-CVE-2014-8097
parentDocument xserver security advisories. (diff)
Fix multiple xserver security advisories in the 1.12.4 xserver.
The patches were not ported to 1.7.7, so mark it forbidden. This version is not the default anymore and will be removed in the 1.14 update that is currently being tested. Obtained from: xserver upstream MFH: 2014Q4 Security: 27b9b2f0-8081-11e4-b4ca-bcaec565249c
Notes
Notes: svn path=/head/; revision=374489
Diffstat (limited to 'x11-servers/xorg-server/files/patch-CVE-2014-8097')
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2014-809773
1 files changed, 73 insertions, 0 deletions
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8097 b/x11-servers/xorg-server/files/patch-CVE-2014-8097
new file mode 100644
index 000000000000..19964c2274e4
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-CVE-2014-8097
@@ -0,0 +1,73 @@
+From 2ef42519c41e793579c9cea699c866fee3d9321f Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Wed, 22 Jan 2014 23:12:04 -0800
+Subject: [PATCH 06/40] dbe: unvalidated lengths in DbeSwapBuffers calls
+ [CVE-2014-8097]
+
+ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read
+from a buffer. The length is never validated, which can lead to out of
+bound reads, and possibly returning the data read from out of bounds to
+the misbehaving client via an X Error packet.
+
+SProcDbeSwapBuffers() swaps data (for correct endianness) before
+handing it off to the real proc. While doing the swapping, the
+length field is not validated, which can cause memory corruption.
+
+v2: reorder checks to avoid compilers optimizing out checks for overflow
+that happen after we'd already have done the overflowing multiplications.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ dbe/dbe.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/dbe/dbe.c b/dbe/dbe.c
+index 527588c..df2ad5c 100644
+--- dbe/dbe.c
++++ dbe/dbe.c
+@@ -450,18 +450,20 @@ ProcDbeSwapBuffers(ClientPtr client)
+ DbeSwapInfoPtr swapInfo;
+ xDbeSwapInfo *dbeSwapInfo;
+ int error;
+- register int i, j;
+- int nStuff;
++ unsigned int i, j;
++ unsigned int nStuff;
+
+ REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
+ nStuff = stuff->n; /* use local variable for performance. */
+
+ if (nStuff == 0) {
++ REQUEST_SIZE_MATCH(xDbeSwapBuffersReq);
+ return Success;
+ }
+
+ if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
+ return BadAlloc;
++ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));
+
+ /* Get to the swap info appended to the end of the request. */
+ dbeSwapInfo = (xDbeSwapInfo *) &stuff[1];
+@@ -914,13 +916,16 @@ static int
+ SProcDbeSwapBuffers(ClientPtr client)
+ {
+ REQUEST(xDbeSwapBuffersReq);
+- register int i;
++ unsigned int i;
+ xDbeSwapInfo *pSwapInfo;
+
+ swaps(&stuff->length);
+ REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
+
+ swapl(&stuff->n);
++ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
++ return BadAlloc;
++ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
+
+ if (stuff->n != 0) {
+ pSwapInfo = (xDbeSwapInfo *) stuff + 1;
+--
+2.1.2
+
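Review bot: The overflow guard added in SProcDbeSwapBuffers, like the one kept as context in ProcDbeSwapBuffers, divides by `sizeof(DbeSwapInfoRec)`, but the multiplication it protects inside `REQUEST_FIXED_SIZE` uses `sizeof(xDbeSwapInfo)`. The bound is sound only if the wire structure is no larger than the server-side record, which presumably holds but is not visible in this patch. A comment above each check would make that dependency explicit, for example `/* DbeSwapInfoRec is at least as large as xDbeSwapInfo, so this bound also covers the request-length multiplication below */`. The first dbe.c hunk also carries the `UINT32_MAX` check as an unchanged context line, so the port relies on the 1.12.4 source already containing it; confirm the patch applies without fuzz. Both function bodies continue outside the hunks shown.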