diff --git a/x11-fonts/fontsproto/Makefile b/x11-fonts/fontsproto/Makefile
index 07cc54d..4b52a2f 100644
--- a/x11-fonts/fontsproto/Makefile
+++ b/x11-fonts/fontsproto/Makefile
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	fontsproto
-PORTVERSION=	2.1.2
+PORTVERSION=	2.1.3
 PORTEPOCH=	1
 CATEGORIES=	x11-fonts
 
diff --git a/x11-fonts/fontsproto/distinfo b/x11-fonts/fontsproto/distinfo
index 10e1d1e..ac15338 100644
--- a/x11-fonts/fontsproto/distinfo
+++ b/x11-fonts/fontsproto/distinfo
@@ -1,2 +1,2 @@
-SHA256 (xorg/proto/fontsproto-2.1.2.tar.bz2) = 869c97e5a536a8f3c9bc8b9923780ff1f062094bab935e26f96df3d6f1aa68a9
-SIZE (xorg/proto/fontsproto-2.1.2.tar.bz2) = 141990
+SHA256 (xorg/proto/fontsproto-2.1.3.tar.bz2) = 259046b0dd9130825c4a4c479ba3591d6d0f17a33f54e294b56478729a6e5ab8
+SIZE (xorg/proto/fontsproto-2.1.3.tar.bz2) = 154087
diff --git a/x11-fonts/libXfont/Makefile b/x11-fonts/libXfont/Makefile
index ad50997..84ccf0f 100644
--- a/x11-fonts/libXfont/Makefile
+++ b/x11-fonts/libXfont/Makefile
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	libXfont
-PORTVERSION=	1.4.8
+PORTVERSION=	1.5.0
 PORTEPOCH=	2
 CATEGORIES=	x11-fonts
 
diff --git a/x11-fonts/libXfont/distinfo b/x11-fonts/libXfont/distinfo
index 8fde44a..4eb208b 100644
--- a/x11-fonts/libXfont/distinfo
+++ b/x11-fonts/libXfont/distinfo
@@ -1,2 +1,2 @@
-SHA256 (xorg/lib/libXfont-1.4.8.tar.bz2) = 5568d4febf790fb250fb8d4ecf1f389a428eb545a79fb2abe9c82f652d14d005
-SIZE (xorg/lib/libXfont-1.4.8.tar.bz2) = 490641
+SHA256 (xorg/lib/libXfont-1.5.0.tar.bz2) = 3a3c52c4adf9352b2160f07ff0596af17ab14f91d6509564e606678a1261c25f
+SIZE (xorg/lib/libXfont-1.5.0.tar.bz2) = 491483
diff --git a/x11-servers/xorg-server/Makefile b/x11-servers/xorg-server/Makefile
index 2725363..d3b8e61 100644
--- a/x11-servers/xorg-server/Makefile
+++ b/x11-servers/xorg-server/Makefile
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME?=	xorg-server
-PORTVERSION=	1.14.7
+PORTVERSION=	1.16.3
 PORTREVISION?=	1
 PORTEPOCH?=	1
 CATEGORIES=	x11-servers
@@ -40,17 +40,18 @@ USE_PERL5=	build
 USE_GL=		gl
 USE_XORG?=	xf86driproto glproto xdmcp x11 xkbfile xxf86misc xxf86vm xaw7 \
 		xmu xt xpm xext randrproto renderproto fixesproto damageproto \
-		dri2proto xcmiscproto xextproto xproto xtrans xf86miscproto \
-		xf86vidmodeproto xf86bigfontproto scrnsaverproto bigreqsproto \
-		resourceproto fontsproto inputproto xf86dgaproto \
-		videoproto compositeproto trapproto recordproto xineramaproto \
-		xinerama evieproto xfont fontenc xkbui pixman pciaccess
+		dri2proto xcmiscproto xextproto xproto xtrans \
+		xf86miscproto xf86vidmodeproto xf86bigfontproto scrnsaverproto \
+		bigreqsproto resourceproto fontsproto inputproto xf86dgaproto \
+		videoproto compositeproto trapproto presentproto recordproto \
+		xineramaproto xinerama evieproto xfont fontenc xkbui pixman \
+		pciaccess xshmfence
 
 USE_OPENSSL=	yes
 CONFIGURE_ARGS?=--disable-dmx --disable-xvfb --disable-xnest \
 		--without-xmlto --disable-docs --disable-devel-docs \
 		--localstatedir=/var --without-dtrace --disable-xephyr \
-		--enable-record=yes
+		--enable-record=yes --disable-dri3
 INSTALL_TARGET=	install-strip
 
 .if ${SLAVE_PORT} == "no"
diff --git a/x11-servers/xorg-server/distinfo b/x11-servers/xorg-server/distinfo
index 7574aaa..db61d6d 100644
--- a/x11-servers/xorg-server/distinfo
+++ b/x11-servers/xorg-server/distinfo
@@ -1,2 +1,2 @@
-SHA256 (xorg/xserver/xorg-server-1.14.7.tar.bz2) = fcf66fa6ad86227613d2d3e8ae13ded297e2a1e947e9060a083eaf80d323451f
-SIZE (xorg/xserver/xorg-server-1.14.7.tar.bz2) = 5520884
+SHA256 (xorg/xserver/xorg-server-1.16.3.tar.bz2) = 5e0f443238af1078b48f6eea98a382861b59187da221c2cf714d31c1d560b0fb
+SIZE (xorg/xserver/xorg-server-1.16.3.tar.bz2) = 5806406
diff --git a/x11-servers/xorg-server/files/extra-arch-i386 b/x11-servers/xorg-server/files/extra-arch-i386
index 1a0bdee..e56bfa2 100644
--- a/x11-servers/xorg-server/files/extra-arch-i386
+++ b/x11-servers/xorg-server/files/extra-arch-i386
@@ -1,11 +1,11 @@
---- hw/xfree86/common/compiler.h.orig	2012-05-17 19:09:03.000000000 +0200
-+++ hw/xfree86/common/compiler.h	2013-01-18 13:59:18.366436857 +0100
-@@ -1335,7 +1335,7 @@
- 
- #if !defined(__SUNPRO_C)
- #if !defined(FAKEIT) && !defined(__mc68000__) && !defined(__arm__) && !defined(__sh__) && !defined(__hppa__) && !defined(__s390__) && !defined(__m32r__)
+--- hw/xfree86/common/compiler.h.orig	2014-12-09 22:02:34.000000000 +0100
++++ hw/xfree86/common/compiler.h	2014-12-21 23:12:36.432293324 +0100
+@@ -1356,7 +1356,7 @@
+     !defined(__sh__) && !defined(__hppa__) && !defined(__s390__) && \
+     !defined(__m32r__) && !defined(__aarch64__) && !defined(__arc__) && \
+     !defined(__xtensa__)
 -#ifdef GCCUSESGAS
-+#if defined(GCCUSESGAS) || defined(__clang__)
++#ifdef GCCUSESGAS || defined(__clang__)
  
  /*
   * If gcc uses gas rather than the native assembler, the syntax of these
diff --git a/x11-servers/xorg-server/files/extra-arch-ia64 b/x11-servers/xorg-server/files/extra-arch-ia64
index 9a3f48e..77a84db 100644
--- a/x11-servers/xorg-server/files/extra-arch-ia64
+++ b/x11-servers/xorg-server/files/extra-arch-ia64
@@ -32,22 +32,6 @@
   if test "x$PPC_VIDEO" = xyes; then
    PPC_VIDEO_TRUE=
    PPC_VIDEO_FALSE='#'
---- hw/xfree86/common/compiler.h.orig	2011-06-11 18:55:47.000000000 +0200
-+++ hw/xfree86/common/compiler.h	2011-07-21 20:34:44.000000000 +0200
-@@ -397,12 +397,10 @@
- #include <machine/pio.h>
- #endif /* __NetBSD__ */
- 
--#   elif defined(linux) && defined(__ia64__) 
-+#   elif (defined(linux) || defined(__FreeBSD__)) && defined(__ia64__) 
-  
- #    include <inttypes.h>
- 
--#    include <sys/io.h>
--
- #    undef outb
- #    undef outw
- #    undef outl
 --- hw/xfree86/os-support/bsd/Makefile.in.dist	2009-06-18 17:45:13.000000000 -0700
 +++ hw/xfree86/os-support/bsd/Makefile.in	2009-06-18 17:45:19.000000000 -0700
 @@ -63,6 +63,7 @@
diff --git a/x11-servers/xorg-server/files/extra-arch-powerpc b/x11-servers/xorg-server/files/extra-arch-powerpc
index 389fc87..894dfae 100644
--- a/x11-servers/xorg-server/files/extra-arch-powerpc
+++ b/x11-servers/xorg-server/files/extra-arch-powerpc
@@ -1,70 +1,14 @@
---- hw/xfree86/os-support/bsd/ppc_video.c.orig	2014-07-22 07:52:58.000000000 -0700
-+++ hw/xfree86/os-support/bsd/ppc_video.c	2014-07-22 08:00:21.000000000 -0700
-@@ -44,6 +44,8 @@
- #define DEV_MEM "/dev/xf86"
- #endif
- 
-+static int kmem = -1;
-+
- static pointer ppcMapVidMem(int, unsigned long, unsigned long, int flags);
- static void ppcUnmapVidMem(int, pointer, unsigned long);
- 
-@@ -68,6 +70,17 @@
-     int fd = xf86Info.consoleFd;
-     pointer base;
- 
-+#ifdef __FreeBSD__
-+    if (kmem == -1) {
-+        kmem = open(DEV_MEM, 2);
-+        if (kmem == -1) {
-+            FatalError("mapVidMem: open %s", DEV_MEM);
-+        }
-+    }
-+
-+    fd = kmem;
-+#endif
-+
- #ifdef DEBUG
-     xf86MsgVerb(X_INFO, 3, "mapVidMem %lx, %lx, fd = %d", Base, Size, fd);
- #endif
-@@ -93,7 +106,6 @@
-              int Len)
+--- hw/xfree86/os-support/bsd/ppc_video.c.orig	2012-05-17 19:09:03.000000000 +0200
++++ hw/xfree86/os-support/bsd/ppc_video.c	2013-06-03 13:46:05.165578200 +0200
+@@ -135,7 +135,11 @@
  {
-     int rv;
--    static int kmem = -1;
  
-     if (kmem == -1) {
-         kmem = open(DEV_MEM, 2);
-@@ -118,6 +130,8 @@
-     int fd = xf86Info.consoleFd;
- 
-     xf86MsgVerb(X_WARNING, 3, "xf86EnableIO %d\n", fd);
-+
-+#ifndef __FreeBSD__
-     if (ioBase == MAP_FAILED) {
-         ioBase = mmap(NULL, 0x10000, PROT_READ | PROT_WRITE, MAP_SHARED, fd,
-                       0xf2000000);
-@@ -127,6 +141,12 @@
-             return FALSE;
-         }
-     }
-+#endif
-+   /*
-+    * Note that outl() etc. check for ioBase == MAP_FAILED, so leaving it that
-+    * way (e.g. on FreeBSD) is non-fatal.
-+    */
-+
-     return TRUE;
- }
- 
-@@ -134,8 +154,10 @@
- xf86DisableIO()
- {
- 
-+#ifndef __FreeBSD__
      if (ioBase != MAP_FAILED) {
++#if defined(__FreeBSD__)
++        munmap(__DEVOLATILE(unsigned char *, ioBase), 0x10000);
++#else
          munmap(__UNVOLATILE(ioBase), 0x10000);
++#endif
          ioBase = MAP_FAILED;
      }
-+#endif
  }
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8092-1-4 b/x11-servers/xorg-server/files/patch-CVE-2014-8092-1-4
deleted file mode 100644
index d04a03b..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8092-1-4
+++ /dev/null
@@ -1,37 +0,0 @@
-From eeae42d60bf3d5663ea088581f6c28a82cd17829 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Wed, 22 Jan 2014 21:11:16 -0800
-Subject: [PATCH 01/40] dix: integer overflow in ProcPutImage() [CVE-2014-8092
- 1/4]
-
-ProcPutImage() calculates a length field from a width, left pad and depth
-specified by the client (if the specified format is XYPixmap).
-
-The calculations for the total amount of memory the server needs for the
-pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
-on 32-bit systems (since the length is stored in a long int variable).
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
- dix/dispatch.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/dix/dispatch.c b/dix/dispatch.c
-index d844a09..55b978d 100644
---- dix/dispatch.c
-+++ dix/dispatch.c
-@@ -2000,6 +2000,9 @@ ProcPutImage(ClientPtr client)
-     tmpImage = (char *) &stuff[1];
-     lengthProto = length;
- 
-+    if (lengthProto >= (INT32_MAX / stuff->height))
-+        return BadLength;
-+
-     if ((bytes_to_int32(lengthProto * stuff->height) +
-          bytes_to_int32(sizeof(xPutImageReq))) != client->req_len)
-         return BadLength;
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8092-2-4 b/x11-servers/xorg-server/files/patch-CVE-2014-8092-2-4
deleted file mode 100644
index 25d58bd..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8092-2-4
+++ /dev/null
@@ -1,49 +0,0 @@
-From bc8e20430b6f6378daf6ce4329029248a88af08b Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Mon, 6 Jan 2014 23:30:14 -0800
-Subject: [PATCH 02/40] dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]
-
-GetHosts() iterates over all the hosts it has in memory, and copies
-them to a buffer. The buffer length is calculated by iterating over
-all the hosts and adding up all of their combined length. There is a
-potential integer overflow, if there are lots and lots of hosts (with
-a combined length of > ~4 gig). This should be possible by repeatedly
-calling ProcChangeHosts() on 64bit machines with enough memory.
-
-This patch caps the list at 1mb, because multi-megabyte hostname
-lists for X access control are insane.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
- os/access.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/os/access.c b/os/access.c
-index 5c510de..f393c8d 100644
---- os/access.c
-+++ os/access.c
-@@ -1296,6 +1296,10 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
-     for (host = validhosts; host; host = host->next) {
-         nHosts++;
-         n += pad_to_int32(host->len) + sizeof(xHostEntry);
-+        /* Could check for INT_MAX, but in reality having more than 1mb of
-+           hostnames in the access list is ridiculous */
-+        if (n >= 1048576)
-+            break;
-     }
-     if (n) {
-         *data = ptr = malloc(n);
-@@ -1304,6 +1308,8 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
-         }
-         for (host = validhosts; host; host = host->next) {
-             len = host->len;
-+            if ((ptr + sizeof(xHostEntry) + len) > (data + n))
-+                break;
-             ((xHostEntry *) ptr)->family = host->family;
-             ((xHostEntry *) ptr)->length = len;
-             ptr += sizeof(xHostEntry);
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8092-3-4 b/x11-servers/xorg-server/files/patch-CVE-2014-8092-3-4
deleted file mode 100644
index 1d40d04..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8092-3-4
+++ /dev/null
@@ -1,128 +0,0 @@
-From 97015a07b9e15d8ec5608b95d95ec0eb51202acb Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Wed, 22 Jan 2014 22:37:15 -0800
-Subject: [PATCH 03/40] dix: integer overflow in RegionSizeof() [CVE-2014-8092
- 3/4]
-
-RegionSizeof contains several integer overflows if a large length
-value is passed in.  Once we fix it to return 0 on overflow, we
-also have to fix the callers to handle this error condition
-
-v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Reviewed-by: Julien Cristau <jcristau@debian.org>
----
- dix/region.c        | 20 +++++++++++++-------
- include/regionstr.h | 10 +++++++---
- 2 files changed, 20 insertions(+), 10 deletions(-)
-
-diff --git a/dix/region.c b/dix/region.c
-index ce1014e..04e5901 100644
---- dix/region.c
-+++ dix/region.c
-@@ -169,7 +169,6 @@ Equipment Corporation.
-         ((r1)->y1 <= (r2)->y1) && \
-         ((r1)->y2 >= (r2)->y2) )
- 
--#define xallocData(n) malloc(RegionSizeof(n))
- #define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data)
- 
- #define RECTALLOC_BAIL(pReg,n,bail) \
-@@ -205,8 +204,9 @@ if (!(pReg)->data || (((pReg)->data->numRects + (n)) > (pReg)->data->size)) \
- #define DOWNSIZE(reg,numRects)						 \
- if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \
- {									 \
--    RegDataPtr NewData;							 \
--    NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects));	 \
-+    size_t NewSize = RegionSizeof(numRects);				 \
-+    RegDataPtr NewData =						 \
-+        (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ;		 \
-     if (NewData)							 \
-     {									 \
- 	NewData->size = (numRects);					 \
-@@ -345,17 +345,20 @@ Bool
- RegionRectAlloc(RegionPtr pRgn, int n)
- {
-     RegDataPtr data;
-+    size_t rgnSize;
- 
-     if (!pRgn->data) {
-         n++;
--        pRgn->data = xallocData(n);
-+        rgnSize = RegionSizeof(n);
-+        pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
-         if (!pRgn->data)
-             return RegionBreak(pRgn);
-         pRgn->data->numRects = 1;
-         *RegionBoxptr(pRgn) = pRgn->extents;
-     }
-     else if (!pRgn->data->size) {
--        pRgn->data = xallocData(n);
-+        rgnSize = RegionSizeof(n);
-+        pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
-         if (!pRgn->data)
-             return RegionBreak(pRgn);
-         pRgn->data->numRects = 0;
-@@ -367,7 +370,8 @@ RegionRectAlloc(RegionPtr pRgn, int n)
-                 n = 250;
-         }
-         n += pRgn->data->numRects;
--        data = (RegDataPtr) realloc(pRgn->data, RegionSizeof(n));
-+        rgnSize = RegionSizeof(n);
-+        data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL;
-         if (!data)
-             return RegionBreak(pRgn);
-         pRgn->data = data;
-@@ -1312,6 +1316,7 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype)
- {
- 
-     RegionPtr pRgn;
-+    size_t rgnSize;
-     RegDataPtr pData;
-     BoxPtr pBox;
-     int i;
-@@ -1338,7 +1343,8 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype)
-         }
-         return pRgn;
-     }
--    pData = xallocData(nrects);
-+    rgnSize = RegionSizeof(nrects);
-+    pData = (rgnSize > 0) ? malloc(rgnSize) : NULL;
-     if (!pData) {
-         RegionBreak(pRgn);
-         return pRgn;
-diff --git a/include/regionstr.h b/include/regionstr.h
-index 515e93f..079375d 100644
---- include/regionstr.h
-+++ include/regionstr.h
-@@ -127,7 +127,10 @@ RegionEnd(RegionPtr reg)
- static inline size_t
- RegionSizeof(size_t n)
- {
--    return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
-+    if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)))
-+        return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
-+    else
-+        return 0;
- }
- 
- static inline void
-@@ -138,9 +141,10 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect, int _size)
-         (_pReg)->data = (RegDataPtr) NULL;
-     }
-     else {
-+        size_t rgnSize;
-         (_pReg)->extents = RegionEmptyBox;
--        if (((_size) > 1) && ((_pReg)->data =
--                              (RegDataPtr) malloc(RegionSizeof(_size)))) {
-+        if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) &&
-+            (((_pReg)->data = (RegDataPtr) malloc(rgnSize)) != NULL)) {
-             (_pReg)->data->size = (_size);
-             (_pReg)->data->numRects = 0;
-         }
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8092-4-4 b/x11-servers/xorg-server/files/patch-CVE-2014-8092-4-4
deleted file mode 100644
index 64436ed..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8092-4-4
+++ /dev/null
@@ -1,34 +0,0 @@
-From e0e11644622a589129a01e11e5d105dc74a098de Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Wed, 22 Jan 2014 23:44:46 -0800
-Subject: [PATCH 04/40] dix: integer overflow in REQUEST_FIXED_SIZE()
- [CVE-2014-8092 4/4]
-
-Force use of 64-bit integers when evaluating data provided by clients
-in 32-bit fields which can overflow when added or multiplied during
-checks.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
- include/dix.h | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/include/dix.h b/include/dix.h
-index 991a3ce..e0c6ed8 100644
---- include/dix.h
-+++ include/dix.h
-@@ -76,7 +76,8 @@ SOFTWARE.
- 
- #define REQUEST_FIXED_SIZE(req, n)\
-     if (((sizeof(req) >> 2) > client->req_len) || \
--        (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \
-+        ((n >> 2) >= client->req_len) || \
-+        ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len))  \
-          return(BadLength)
- 
- #define LEGAL_NEW_RESOURCE(id,client)\
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt5 b/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt5
deleted file mode 100644
index 4446b48..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt5
+++ /dev/null
@@ -1,32 +0,0 @@
-From 9802a0162f738de03585ca3f3b8a8266494f7d45 Mon Sep 17 00:00:00 2001
-From: Keith Packard <keithp@keithp.com>
-Date: Tue, 9 Dec 2014 09:30:59 -0800
-Subject: [PATCH 38/40] Missing parens in REQUEST_FIXED_SIZE macro
- [CVE-2014-8092 pt. 5]
-
-The 'n' parameter must be surrounded by parens in both places to
-prevent precedence from mis-computing things.
-
-Signed-off-by: Keith Packard <keithp@keithp.com>
-Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- include/dix.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/dix.h b/include/dix.h
-index 21176a8..921156b 100644
---- include/dix.h
-+++ include/dix.h
-@@ -80,7 +80,7 @@ SOFTWARE.
- 
- #define REQUEST_FIXED_SIZE(req, n)\
-     if (((sizeof(req) >> 2) > client->req_len) || \
--        ((n >> 2) >= client->req_len) || \
-+        (((n) >> 2) >= client->req_len) ||                              \
-         ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len))  \
-          return(BadLength)
- 
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt6 b/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt6
deleted file mode 100644
index 5adb2b0..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8092-pt6
+++ /dev/null
@@ -1,35 +0,0 @@
-From 1559a94395258fd73e369f1a2c98a44bfe21a486 Mon Sep 17 00:00:00 2001
-From: Keith Packard <keithp@keithp.com>
-Date: Tue, 9 Dec 2014 09:31:00 -0800
-Subject: [PATCH 39/40] dix: GetHosts bounds check using wrong pointer value
- [CVE-2014-8092 pt. 6]
-
-GetHosts saves the pointer to allocated memory in *data, and then
-wants to bounds-check writes to that region, but was mistakenly using
-a bare 'data' instead of '*data'. Also, data is declared as void **,
-so we need a cast to turn it into a byte pointer so we can actually do
-pointer comparisons.
-
-Signed-off-by: Keith Packard <keithp@keithp.com>
-Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- os/access.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/os/access.c b/os/access.c
-index f393c8d..28f2d32 100644
---- os/access.c
-+++ os/access.c
-@@ -1308,7 +1308,7 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
-         }
-         for (host = validhosts; host; host = host->next) {
-             len = host->len;
--            if ((ptr + sizeof(xHostEntry) + len) > (data + n))
-+            if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
-                 break;
-             ((xHostEntry *) ptr)->family = host->family;
-             ((xHostEntry *) ptr)->length = len;
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8093-1-6 b/x11-servers/xorg-server/files/patch-CVE-2014-8093-1-6
deleted file mode 100644
index ffa7e39..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8093-1-6
+++ /dev/null
@@ -1,47 +0,0 @@
-From 23fe7718bb171e71db2d1a30505c2ca2988799d9 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 10 Nov 2014 12:13:36 -0500
-Subject: [PATCH 19/40] glx: Be more paranoid about variable-length requests
- [CVE-2014-8093 1/6]
-
-If the size computation routine returns -1 we should just reject the
-request outright.  Clamping it to zero could give an attacker the
-opportunity to also mangle cmdlen in such a way that the subsequent
-length check passes, and the request would get executed, thus passing
-data we wanted to reject to the renderer.
-
-Reviewed-by: Keith Packard <keithp@keithp.com>
-Reviewed-by: Julien Cristau <jcristau@debian.org>
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- glx/glxcmds.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/glx/glxcmds.c b/glx/glxcmds.c
-index 009fd9b..ea42e2a 100644
---- glx/glxcmds.c
-+++ glx/glxcmds.c
-@@ -2062,7 +2062,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
-             extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
-                                       client->swapped);
-             if (extra < 0) {
--                extra = 0;
-+                return BadLength;
-             }
-             if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
-                 return BadLength;
-@@ -2179,7 +2179,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
-             extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
-                                       client->swapped);
-             if (extra < 0) {
--                extra = 0;
-+                return BadLength;
-             }
-             /* large command's header is 4 bytes longer, so add 4 */
-             if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8093-2-6 b/x11-servers/xorg-server/files/patch-CVE-2014-8093-2-6
deleted file mode 100644
index 6be2721..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8093-2-6
+++ /dev/null
@@ -1,165 +0,0 @@
-From ab2ba9338aa5e85b4487bc7fbe69985c76483e01 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 10 Nov 2014 12:13:37 -0500
-Subject: [PATCH 20/40] glx: Be more strict about rejecting invalid image sizes
- [CVE-2014-8093 2/6]
-
-Before this we'd just clamp the image size to 0, which was just
-hideously stupid; if the parameters were such that they'd overflow an
-integer, you'd allocate a small buffer, then pass huge values into (say)
-ReadPixels, and now you're scribbling over arbitrary server memory.
-
-Reviewed-by: Keith Packard <keithp@keithp.com>
-Reviewed-by: Julien Cristau <jcristau@debian.org>
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- glx/singlepix.c     | 16 ++++++++--------
- glx/singlepixswap.c | 16 ++++++++--------
- 2 files changed, 16 insertions(+), 16 deletions(-)
-
-diff --git a/glx/singlepix.c b/glx/singlepix.c
-index 506fdaa..8b6c261 100644
---- glx/singlepix.c
-+++ glx/singlepix.c
-@@ -65,7 +65,7 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc)
-     lsbFirst = *(GLboolean *) (pc + 25);
-     compsize = __glReadPixels_size(format, type, width, height);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
-     glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
-@@ -124,7 +124,7 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc)
-     compsize =
-         __glGetTexImage_size(target, level, format, type, width, height, depth);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
-     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -218,9 +218,9 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
-     compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
- 
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
-     if (compsize2 < 0)
--        compsize2 = 0;
-+        return BadLength;
-     compsize = __GLX_PAD(compsize);
-     compsize2 = __GLX_PAD(compsize2);
- 
-@@ -296,7 +296,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
-      */
-     compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
-     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -365,7 +365,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
-      */
-     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
-     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -426,7 +426,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
- 
-     compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
-     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -491,7 +491,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
-      */
-     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
-     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-diff --git a/glx/singlepixswap.c b/glx/singlepixswap.c
-index 8469101..8dc304f 100644
---- glx/singlepixswap.c
-+++ glx/singlepixswap.c
-@@ -75,7 +75,7 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc)
-     lsbFirst = *(GLboolean *) (pc + 25);
-     compsize = __glReadPixels_size(format, type, width, height);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
-     glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
-@@ -144,7 +144,7 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc)
-     compsize =
-         __glGetTexImage_size(target, level, format, type, width, height, depth);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
-     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -252,9 +252,9 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
-     compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
- 
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
-     if (compsize2 < 0)
--        compsize2 = 0;
-+        return BadLength;
-     compsize = __GLX_PAD(compsize);
-     compsize2 = __GLX_PAD(compsize2);
- 
-@@ -338,7 +338,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
-      */
-     compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
-     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -415,7 +415,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
-      */
-     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
-     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -483,7 +483,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
- 
-     compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
-     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
-@@ -554,7 +554,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
-      */
-     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
-     if (compsize < 0)
--        compsize = 0;
-+        return BadLength;
- 
-     glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
-     __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8093-3-6 b/x11-servers/xorg-server/files/patch-CVE-2014-8093-3-6
deleted file mode 100644
index 0145fc1..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8093-3-6
+++ /dev/null
@@ -1,59 +0,0 @@
-From 717a1b37767b41e14859e5022ae9e679152821a9 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 10 Nov 2014 12:13:38 -0500
-Subject: [PATCH 21/40] glx: Additional paranoia in __glXGetAnswerBuffer /
- __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
-
-If the computed reply size is negative, something went wrong, treat it
-as an error.
-
-v2: Be more careful about size_t being unsigned (Matthieu Herrb)
-v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
-
-Reviewed-by: Julien Cristau <jcristau@debian.org>
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- glx/indirect_util.c | 7 ++++++-
- glx/unpack.h        | 3 ++-
- 2 files changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/glx/indirect_util.c b/glx/indirect_util.c
-index 926e57c..de81491 100644
---- glx/indirect_util.c
-+++ glx/indirect_util.c
-@@ -76,9 +76,14 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
-     const unsigned mask = alignment - 1;
- 
-     if (local_size < required_size) {
--        const size_t worst_case_size = required_size + alignment;
-+        size_t worst_case_size;
-         intptr_t temp_buf;
- 
-+        if (required_size < SIZE_MAX - alignment)
-+            worst_case_size = required_size + alignment;
-+        else
-+            return NULL;
-+
-         if (cl->returnBufSize < worst_case_size) {
-             void *temp = realloc(cl->returnBuf, worst_case_size);
- 
-diff --git a/glx/unpack.h b/glx/unpack.h
-index 52fba74..2b1ebcf 100644
---- glx/unpack.h
-+++ glx/unpack.h
-@@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply;
- ** pointer.
- */
- #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align)			 \
--    if ((size) > sizeof(answerBuffer)) {				 \
-+    if (size < 0) return BadLength;                                      \
-+    else if ((size) > sizeof(answerBuffer)) {				 \
- 	int bump;							 \
- 	if ((cl)->returnBufSize < (size)+(align)) {			 \
- 	    (cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf,	 	 \
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8093-4-6 b/x11-servers/xorg-server/files/patch-CVE-2014-8093-4-6
deleted file mode 100644
index 6a461c9..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8093-4-6
+++ /dev/null
@@ -1,82 +0,0 @@
-From 2a5cbc17fc72185bf0fa06fef26d1f782de72595 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 10 Nov 2014 12:13:40 -0500
-Subject: [PATCH 23/40] glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6]
-
-These are paranoid about integer overflow, and will return -1 if their
-operation would overflow a (signed) integer or if either argument is
-negative.
-
-Note that RenderLarge requests are sized with a uint32_t so in principle
-this could be sketchy there, but dix limits bigreqs to 128M so you
-shouldn't ever notice, and honestly if you're sending more than 2G of
-rendering commands you're already doing something very wrong.
-
-v2: Use INT_MAX for consistency with the rest of the server (jcristau)
-v3: Reject negative arguments (anholt)
-
-Reviewed-by: Keith Packard <keithp@keithp.com>
-Reviewed-by: Julien Cristau <jcristau@debian.org>
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- glx/glxserver.h | 41 +++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 41 insertions(+)
-
-diff --git a/glx/glxserver.h b/glx/glxserver.h
-index a324b29..9482601 100644
---- glx/glxserver.h
-+++ glx/glxserver.h
-@@ -228,6 +228,47 @@ extern void glxSwapQueryServerStringReply(ClientPtr client,
-  * Routines for computing the size of variably-sized rendering commands.
-  */
- 
-+static _X_INLINE int
-+safe_add(int a, int b)
-+{
-+    if (a < 0 || b < 0)
-+        return -1;
-+
-+    if (INT_MAX - a < b)
-+        return -1;
-+
-+    return a + b;
-+}
-+
-+static _X_INLINE int
-+safe_mul(int a, int b)
-+{
-+    if (a < 0 || b < 0)
-+        return -1;
-+
-+    if (a == 0 || b == 0)
-+        return 0;
-+
-+    if (a > INT_MAX / b)
-+        return -1;
-+
-+    return a * b;
-+}
-+
-+static _X_INLINE int
-+safe_pad(int a)
-+{
-+    int ret;
-+
-+    if (a < 0)
-+        return -1;
-+
-+    if ((ret = safe_add(a, 3)) < 0)
-+        return -1;
-+
-+    return ret & (GLuint)~3;
-+}
-+
- extern int __glXTypeSize(GLenum enm);
- extern int __glXImageSize(GLenum format, GLenum type,
-                           GLenum target, GLsizei w, GLsizei h, GLsizei d,
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8093-5-6 b/x11-servers/xorg-server/files/patch-CVE-2014-8093-5-6
deleted file mode 100644
index 6384cd6..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8093-5-6
+++ /dev/null
@@ -1,225 +0,0 @@
-From 698888e6671d54c7ae41e9d456f7f5483a3459d2 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 10 Nov 2014 12:13:42 -0500
-Subject: [PATCH 25/40] glx: Integer overflow protection for non-generated
- render requests (v3) [CVE-2014-8093 5/6]
-
-v2:
-Fix constants in __glXMap2fReqSize (Michal Srb)
-Validate w/h/d for proxy targets too (Keith Packard)
-
-v3:
-Fix Map[12]Size to correctly reject order == 0 (Julien Cristau)
-
-Reviewed-by: Keith Packard <keithp@keithp.com>
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- glx/rensize.c | 77 +++++++++++++++++++++++++++++++----------------------------
- 1 file changed, 41 insertions(+), 36 deletions(-)
-
-diff --git a/glx/rensize.c b/glx/rensize.c
-index 9ff73c7..d46334a 100644
---- glx/rensize.c
-+++ glx/rensize.c
-@@ -43,19 +43,11 @@
-   (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \
-    ((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
- 
--static int
--Map1Size(GLint k, GLint order)
--{
--    if (order <= 0 || k < 0)
--        return -1;
--    return k * order;
--}
--
- int
- __glXMap1dReqSize(const GLbyte * pc, Bool swap)
- {
-     GLenum target;
--    GLint order, k;
-+    GLint order;
- 
-     target = *(GLenum *) (pc + 16);
-     order = *(GLint *) (pc + 20);
-@@ -63,15 +55,16 @@ __glXMap1dReqSize(const GLbyte * pc, Bool swap)
-         target = SWAPL(target);
-         order = SWAPL(order);
-     }
--    k = __glMap1d_size(target);
--    return 8 * Map1Size(k, order);
-+    if (order < 1)
-+        return -1;
-+    return safe_mul(8, safe_mul(__glMap1d_size(target), order));
- }
- 
- int
- __glXMap1fReqSize(const GLbyte * pc, Bool swap)
- {
-     GLenum target;
--    GLint order, k;
-+    GLint order;
- 
-     target = *(GLenum *) (pc + 0);
-     order = *(GLint *) (pc + 12);
-@@ -79,23 +72,24 @@ __glXMap1fReqSize(const GLbyte * pc, Bool swap)
-         target = SWAPL(target);
-         order = SWAPL(order);
-     }
--    k = __glMap1f_size(target);
--    return 4 * Map1Size(k, order);
-+    if (order < 1)
-+        return -1;
-+    return safe_mul(4, safe_mul(__glMap1f_size(target), order));
- }
- 
- static int
- Map2Size(int k, int majorOrder, int minorOrder)
- {
--    if (majorOrder <= 0 || minorOrder <= 0 || k < 0)
-+    if (majorOrder < 1 || minorOrder < 1)
-         return -1;
--    return k * majorOrder * minorOrder;
-+    return safe_mul(k, safe_mul(majorOrder, minorOrder));
- }
- 
- int
- __glXMap2dReqSize(const GLbyte * pc, Bool swap)
- {
-     GLenum target;
--    GLint uorder, vorder, k;
-+    GLint uorder, vorder;
- 
-     target = *(GLenum *) (pc + 32);
-     uorder = *(GLint *) (pc + 36);
-@@ -105,15 +99,14 @@ __glXMap2dReqSize(const GLbyte * pc, Bool swap)
-         uorder = SWAPL(uorder);
-         vorder = SWAPL(vorder);
-     }
--    k = __glMap2d_size(target);
--    return 8 * Map2Size(k, uorder, vorder);
-+    return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
- }
- 
- int
- __glXMap2fReqSize(const GLbyte * pc, Bool swap)
- {
-     GLenum target;
--    GLint uorder, vorder, k;
-+    GLint uorder, vorder;
- 
-     target = *(GLenum *) (pc + 0);
-     uorder = *(GLint *) (pc + 12);
-@@ -123,8 +116,7 @@ __glXMap2fReqSize(const GLbyte * pc, Bool swap)
-         uorder = SWAPL(uorder);
-         vorder = SWAPL(vorder);
-     }
--    k = __glMap2f_size(target);
--    return 4 * Map2Size(k, uorder, vorder);
-+    return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
- }
- 
- /**
-@@ -175,14 +167,16 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
-     GLint bytesPerElement, elementsPerGroup, groupsPerRow;
-     GLint groupSize, rowSize, padding, imageSize;
- 
-+    if (w == 0 || h == 0 || d == 0)
-+        return 0;
-+
-     if (w < 0 || h < 0 || d < 0 ||
-         (type == GL_BITMAP &&
-          (format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) {
-         return -1;
-     }
--    if (w == 0 || h == 0 || d == 0)
--        return 0;
- 
-+    /* proxy targets have no data */
-     switch (target) {
-     case GL_PROXY_TEXTURE_1D:
-     case GL_PROXY_TEXTURE_2D:
-@@ -199,6 +193,12 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
-         return 0;
-     }
- 
-+    /* real data has to have real sizes */
-+    if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0)
-+        return -1;
-+    if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8)
-+        return -1;
-+
-     if (type == GL_BITMAP) {
-         if (rowLength > 0) {
-             groupsPerRow = rowLength;
-@@ -207,11 +207,14 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
-             groupsPerRow = w;
-         }
-         rowSize = bits_to_bytes(groupsPerRow);
-+        if (rowSize < 0)
-+            return -1;
-         padding = (rowSize % alignment);
-         if (padding) {
-             rowSize += alignment - padding;
-         }
--        return ((h + skipRows) * rowSize);
-+
-+        return safe_mul(safe_add(h, skipRows), rowSize);
-     }
-     else {
-         switch (format) {
-@@ -303,6 +306,7 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
-         default:
-             return -1;
-         }
-+        /* known safe by the switches above, not checked */
-         groupSize = bytesPerElement * elementsPerGroup;
-         if (rowLength > 0) {
-             groupsPerRow = rowLength;
-@@ -310,18 +314,21 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
-         else {
-             groupsPerRow = w;
-         }
--        rowSize = groupsPerRow * groupSize;
-+
-+        if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0)
-+            return -1;
-         padding = (rowSize % alignment);
-         if (padding) {
-             rowSize += alignment - padding;
-         }
--        if (imageHeight > 0) {
--            imageSize = (imageHeight + skipRows) * rowSize;
--        }
--        else {
--            imageSize = (h + skipRows) * rowSize;
--        }
--        return ((d + skipImages) * imageSize);
-+
-+        if (imageHeight > 0)
-+            h = imageHeight;
-+        h = safe_add(h, skipRows);
-+
-+        imageSize = safe_mul(h, rowSize);
-+
-+        return safe_mul(safe_add(d, skipImages), imageSize);
-     }
- }
- 
-@@ -445,9 +452,7 @@ __glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
-     /* XXX Should rowLength be used for either or both image? */
-     image1size = __glXImageSize(format, type, 0, w, 1, 1,
-                                 0, rowLength, 0, 0, alignment);
--    image1size = __GLX_PAD(image1size);
-     image2size = __glXImageSize(format, type, 0, h, 1, 1,
-                                 0, rowLength, 0, 0, alignment);
--    return image1size + image2size;
--
-+    return safe_add(safe_pad(image1size), image2size);
- }
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8093-6-6 b/x11-servers/xorg-server/files/patch-CVE-2014-8093-6-6
deleted file mode 100644
index ce30413..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8093-6-6
+++ /dev/null
@@ -1,34 +0,0 @@
-From 7e7630bbb775573eea2a2335adb9d190c3e1e971 Mon Sep 17 00:00:00 2001
-From: Robert Morell <rmorell@nvidia.com>
-Date: Wed, 12 Nov 2014 18:51:43 -0800
-Subject: [PATCH 32/40] glx: Fix mask truncation in __glXGetAnswerBuffer
- [CVE-2014-8093 6/6]
-
-On a system where sizeof(unsigned) != sizeof(intptr_t), the unary
-bitwise not operation will result in a mask that clears all high bits
-from temp_buf in the expression:
-        temp_buf = (temp_buf + mask) & ~mask;
-
-Signed-off-by: Robert Morell <rmorell@nvidia.com>
-Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- glx/indirect_util.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/glx/indirect_util.c b/glx/indirect_util.c
-index de81491..9ba2815 100644
---- glx/indirect_util.c
-+++ glx/indirect_util.c
-@@ -73,7 +73,7 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
-                      void *local_buffer, size_t local_size, unsigned alignment)
- {
-     void *buffer = local_buffer;
--    const unsigned mask = alignment - 1;
-+    const intptr_t mask = alignment - 1;
- 
-     if (local_size < required_size) {
-         size_t worst_case_size;
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8094 b/x11-servers/xorg-server/files/patch-CVE-2014-8094
deleted file mode 100644
index b634b65..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8094
+++ /dev/null
@@ -1,35 +0,0 @@
-From 6692670fde081bbfe9313f17d84037ae9116702a Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Wed, 22 Jan 2014 23:40:18 -0800
-Subject: [PATCH 05/40] dri2: integer overflow in ProcDRI2GetBuffers()
- [CVE-2014-8094]
-
-ProcDRI2GetBuffers() tries to validate a length field (count).
-There is an integer overflow in the validation. This can cause
-out of bound reads and memory corruption later on.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-Reviewed-by: Julien Cristau <jcristau@debian.org>
----
- hw/xfree86/dri2/dri2ext.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/xfree86/dri2/dri2ext.c b/hw/xfree86/dri2/dri2ext.c
-index ffd66fa..221ec53 100644
---- hw/xfree86/dri2/dri2ext.c
-+++ hw/xfree86/dri2/dri2ext.c
-@@ -270,6 +270,9 @@ ProcDRI2GetBuffers(ClientPtr client)
-     unsigned int *attachments;
- 
-     REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
-+    if (stuff->count > (INT_MAX / 4))
-+        return BadLength;
-+
-     if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
-                        &pDrawable, &status))
-         return status;
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8095 b/x11-servers/xorg-server/files/patch-CVE-2014-8095
deleted file mode 100644
index 8fddc45..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8095
+++ /dev/null
@@ -1,551 +0,0 @@
-From 73c63afb93c0af1bfd1969bf6e71c9edca586c77 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 26 Jan 2014 10:54:41 -0800
-Subject: [PATCH 07/40] Xi: unvalidated lengths in Xinput extension
- [CVE-2014-8095]
-
-Multiple functions in the Xinput extension handling of requests from
-clients failed to check that the length of the request sent by the
-client was large enough to perform all the required operations and
-thus could read or write to memory outside the bounds of the request
-buffer.
-
-This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE
-macro in include/dix.h for the common case of needing to ensure a
-request is large enough to include both the request itself and a
-minimum amount of extra data following the request header.
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
- Xi/chgdctl.c            |  8 ++++++--
- Xi/chgfctl.c            |  2 ++
- Xi/sendexev.c           |  3 +++
- Xi/xiallowev.c          |  2 ++
- Xi/xichangecursor.c     |  2 +-
- Xi/xichangehierarchy.c  | 35 ++++++++++++++++++++++++++++++++---
- Xi/xigetclientpointer.c |  1 +
- Xi/xigrabdev.c          |  9 ++++++++-
- Xi/xipassivegrab.c      | 12 ++++++++++--
- Xi/xiproperty.c         | 14 ++++++--------
- Xi/xiquerydevice.c      |  1 +
- Xi/xiquerypointer.c     |  2 ++
- Xi/xiselectev.c         |  8 ++++++++
- Xi/xisetclientpointer.c |  3 ++-
- Xi/xisetdevfocus.c      |  4 ++++
- Xi/xiwarppointer.c      |  2 ++
- include/dix.h           |  4 ++++
- 17 files changed, 94 insertions(+), 18 deletions(-)
-
-diff --git a/Xi/chgdctl.c b/Xi/chgdctl.c
-index d078aa2..b3ee867 100644
---- Xi/chgdctl.c
-+++ Xi/chgdctl.c
-@@ -78,7 +78,7 @@ SProcXChangeDeviceControl(ClientPtr client)
- 
-     REQUEST(xChangeDeviceControlReq);
-     swaps(&stuff->length);
--    REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
-+    REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
-     swaps(&stuff->control);
-     ctl = (xDeviceCtl *) &stuff[1];
-     swaps(&ctl->control);
-@@ -115,7 +115,7 @@ ProcXChangeDeviceControl(ClientPtr client)
-     xDeviceEnableCtl *e;
- 
-     REQUEST(xChangeDeviceControlReq);
--    REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
-+    REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
- 
-     len = stuff->length - bytes_to_int32(sizeof(xChangeDeviceControlReq));
-     ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
-@@ -192,6 +192,10 @@ ProcXChangeDeviceControl(ClientPtr client)
-         break;
-     case DEVICE_ENABLE:
-         e = (xDeviceEnableCtl *) &stuff[1];
-+        if ((len != bytes_to_int32(sizeof(xDeviceEnableCtl)))) {
-+            ret = BadLength;
-+            goto out;
-+        }
- 
-         if (IsXTestDevice(dev, NULL))
-             status = !Success;
-diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
-index 6dcf60c..224c2ba 100644
---- Xi/chgfctl.c
-+++ Xi/chgfctl.c
-@@ -467,6 +467,8 @@ ProcXChangeFeedbackControl(ClientPtr client)
-         xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
- 
-         if (client->swapped) {
-+            if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
-+                return BadLength;
-             swaps(&f->num_keysyms);
-         }
-         if (len !=
-diff --git a/Xi/sendexev.c b/Xi/sendexev.c
-index 3c21386..183f88d 100644
---- Xi/sendexev.c
-+++ Xi/sendexev.c
-@@ -135,6 +135,9 @@ ProcXSendExtensionEvent(ClientPtr client)
-     if (ret != Success)
-         return ret;
- 
-+    if (stuff->num_events == 0)
-+        return ret;
-+
-     /* The client's event type must be one defined by an extension. */
- 
-     first = ((xEvent *) &stuff[1]);
-diff --git a/Xi/xiallowev.c b/Xi/xiallowev.c
-index ebef233..ca263ef 100644
---- Xi/xiallowev.c
-+++ Xi/xiallowev.c
-@@ -48,6 +48,7 @@ int
- SProcXIAllowEvents(ClientPtr client)
- {
-     REQUEST(xXIAllowEventsReq);
-+    REQUEST_AT_LEAST_SIZE(xXIAllowEventsReq);
- 
-     swaps(&stuff->length);
-     swaps(&stuff->deviceid);
-@@ -55,6 +56,7 @@ SProcXIAllowEvents(ClientPtr client)
-     if (stuff->length > 3) {
-         xXI2_2AllowEventsReq *req_xi22 = (xXI2_2AllowEventsReq *) stuff;
- 
-+        REQUEST_AT_LEAST_SIZE(xXI2_2AllowEventsReq);
-         swapl(&req_xi22->touchid);
-         swapl(&req_xi22->grab_window);
-     }
-diff --git a/Xi/xichangecursor.c b/Xi/xichangecursor.c
-index 7a1bb7a..8e6255b 100644
---- Xi/xichangecursor.c
-+++ Xi/xichangecursor.c
-@@ -57,11 +57,11 @@ int
- SProcXIChangeCursor(ClientPtr client)
- {
-     REQUEST(xXIChangeCursorReq);
-+    REQUEST_SIZE_MATCH(xXIChangeCursorReq);
-     swaps(&stuff->length);
-     swapl(&stuff->win);
-     swapl(&stuff->cursor);
-     swaps(&stuff->deviceid);
--    REQUEST_SIZE_MATCH(xXIChangeCursorReq);
-     return (ProcXIChangeCursor(client));
- }
- 
-diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
-index 9e36354..2732445 100644
---- Xi/xichangehierarchy.c
-+++ Xi/xichangehierarchy.c
-@@ -411,7 +411,7 @@ int
- ProcXIChangeHierarchy(ClientPtr client)
- {
-     xXIAnyHierarchyChangeInfo *any;
--    int required_len = sizeof(xXIChangeHierarchyReq);
-+    size_t len;			/* length of data remaining in request */
-     int rc = Success;
-     int flags[MAXDEVICES] = { 0 };
- 
-@@ -421,21 +421,46 @@ ProcXIChangeHierarchy(ClientPtr client)
-     if (!stuff->num_changes)
-         return rc;
- 
-+    if (stuff->length > (INT_MAX >> 2))
-+        return BadAlloc;
-+    len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
-+
-     any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
-     while (stuff->num_changes--) {
-+        if (len < sizeof(xXIAnyHierarchyChangeInfo)) {
-+            rc = BadLength;
-+            goto unwind;
-+        }
-+
-         SWAPIF(swaps(&any->type));
-         SWAPIF(swaps(&any->length));
- 
--        required_len += any->length;
--        if ((stuff->length * 4) < required_len)
-+        if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2)))
-             return BadLength;
- 
-+#define CHANGE_SIZE_MATCH(type) \
-+    do { \
-+        if ((len < sizeof(type)) || (any->length != (sizeof(type) >> 2))) { \
-+            rc = BadLength; \
-+            goto unwind; \
-+        } \
-+    } while(0)
-+
-         switch (any->type) {
-         case XIAddMaster:
-         {
-             xXIAddMasterInfo *c = (xXIAddMasterInfo *) any;
- 
-+            /* Variable length, due to appended name string */
-+            if (len < sizeof(xXIAddMasterInfo)) {
-+                rc = BadLength;
-+                goto unwind;
-+            }
-             SWAPIF(swaps(&c->name_len));
-+            if (c->name_len > (len - sizeof(xXIAddMasterInfo))) {
-+                rc = BadLength;
-+                goto unwind;
-+            }
- 
-             rc = add_master(client, c, flags);
-             if (rc != Success)
-@@ -446,6 +471,7 @@ ProcXIChangeHierarchy(ClientPtr client)
-         {
-             xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
- 
-+            CHANGE_SIZE_MATCH(xXIRemoveMasterInfo);
-             rc = remove_master(client, r, flags);
-             if (rc != Success)
-                 goto unwind;
-@@ -455,6 +481,7 @@ ProcXIChangeHierarchy(ClientPtr client)
-         {
-             xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
- 
-+            CHANGE_SIZE_MATCH(xXIDetachSlaveInfo);
-             rc = detach_slave(client, c, flags);
-             if (rc != Success)
-                 goto unwind;
-@@ -464,6 +491,7 @@ ProcXIChangeHierarchy(ClientPtr client)
-         {
-             xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
- 
-+            CHANGE_SIZE_MATCH(xXIAttachSlaveInfo);
-             rc = attach_slave(client, c, flags);
-             if (rc != Success)
-                 goto unwind;
-@@ -471,6 +499,7 @@ ProcXIChangeHierarchy(ClientPtr client)
-             break;
-         }
- 
-+        len -= any->length * 4;
-         any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
-     }
- 
-diff --git a/Xi/xigetclientpointer.c b/Xi/xigetclientpointer.c
-index 3c90d58..306dd39 100644
---- Xi/xigetclientpointer.c
-+++ Xi/xigetclientpointer.c
-@@ -50,6 +50,7 @@ int
- SProcXIGetClientPointer(ClientPtr client)
- {
-     REQUEST(xXIGetClientPointerReq);
-+    REQUEST_SIZE_MATCH(xXIGetClientPointerReq);
- 
-     swaps(&stuff->length);
-     swapl(&stuff->win);
-diff --git a/Xi/xigrabdev.c b/Xi/xigrabdev.c
-index 63d95bc..e2a2ae3 100644
---- Xi/xigrabdev.c
-+++ Xi/xigrabdev.c
-@@ -47,6 +47,11 @@ int
- SProcXIGrabDevice(ClientPtr client)
- {
-     REQUEST(xXIGrabDeviceReq);
-+    /*
-+     * Check here for at least the length of the struct we swap, then
-+     * let ProcXIGrabDevice check the full size after we swap mask_len.
-+     */
-+    REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
- 
-     swaps(&stuff->length);
-     swaps(&stuff->deviceid);
-@@ -71,7 +76,7 @@ ProcXIGrabDevice(ClientPtr client)
-     unsigned int pointer_mode;
- 
-     REQUEST(xXIGrabDeviceReq);
--    REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
-+    REQUEST_FIXED_SIZE(xXIGrabDeviceReq, ((size_t) stuff->mask_len) * 4);
- 
-     ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess);
-     if (ret != Success)
-@@ -131,6 +136,7 @@ int
- SProcXIUngrabDevice(ClientPtr client)
- {
-     REQUEST(xXIUngrabDeviceReq);
-+    REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
- 
-     swaps(&stuff->length);
-     swaps(&stuff->deviceid);
-@@ -148,6 +154,7 @@ ProcXIUngrabDevice(ClientPtr client)
-     TimeStamp time;
- 
-     REQUEST(xXIUngrabDeviceReq);
-+    REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
- 
-     ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGetAttrAccess);
-     if (ret != Success)
---- Xi/xipassivegrab.c.orig	2014-04-15 03:01:56.000000000 +0200
-+++ Xi/xipassivegrab.c	2014-12-11 09:00:53.965074134 +0100
-@@ -53,6 +53,7 @@
-     uint32_t *mods;
- 
-     REQUEST(xXIPassiveGrabDeviceReq);
-+    REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
- 
-     swaps(&stuff->length);
-     swaps(&stuff->deviceid);
-@@ -63,7 +64,9 @@
-     swaps(&stuff->mask_len);
-     swaps(&stuff->num_modifiers);
- 
--    mods = (uint32_t *) &stuff[1];
-+    REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
-+        ((uint32_t) stuff->mask_len + stuff->num_modifiers) *4);
-+    mods = (uint32_t *) &stuff[1] + stuff->mask_len;
- 
-     for (i = 0; i < stuff->num_modifiers; i++, mods++) {
-         swapl(mods);
-@@ -92,7 +95,8 @@
-     int mask_len;
- 
-     REQUEST(xXIPassiveGrabDeviceReq);
--    REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
-+    REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
-+        ((uint32_t) stuff->mask_len + stuff->num_modifiers) * 4);
- 
-     if (stuff->deviceid == XIAllDevices)
-         dev = inputInfo.all_devices;
-@@ -248,6 +252,7 @@
-     uint32_t *modifiers;
- 
-     REQUEST(xXIPassiveUngrabDeviceReq);
-+    REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
- 
-     swaps(&stuff->length);
-     swapl(&stuff->grab_window);
-@@ -255,6 +260,8 @@
-     swapl(&stuff->detail);
-     swaps(&stuff->num_modifiers);
- 
-+    REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
-+                       ((uint32_t) stuff->num_modifiers) << 2);
-     modifiers = (uint32_t *) &stuff[1];
- 
-     for (i = 0; i < stuff->num_modifiers; i++, modifiers++)
-@@ -273,7 +280,8 @@
-     int i, rc;
- 
-     REQUEST(xXIPassiveUngrabDeviceReq);
--    REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
-+    REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
-+                       ((uint32_t) stuff->num_modifiers) << 2);
- 
-     if (stuff->deviceid == XIAllDevices)
-         dev = inputInfo.all_devices;
-diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
-index 463607d..8e8e4b0 100644
---- Xi/xiproperty.c
-+++ Xi/xiproperty.c
-@@ -1013,10 +1013,9 @@ int
- SProcXListDeviceProperties(ClientPtr client)
- {
-     REQUEST(xListDevicePropertiesReq);
-+    REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
- 
-     swaps(&stuff->length);
--
--    REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
-     return (ProcXListDeviceProperties(client));
- }
- 
-@@ -1037,10 +1036,10 @@ int
- SProcXDeleteDeviceProperty(ClientPtr client)
- {
-     REQUEST(xDeleteDevicePropertyReq);
-+    REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
- 
-     swaps(&stuff->length);
-     swapl(&stuff->property);
--    REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
-     return (ProcXDeleteDeviceProperty(client));
- }
- 
-@@ -1048,13 +1047,13 @@ int
- SProcXGetDeviceProperty(ClientPtr client)
- {
-     REQUEST(xGetDevicePropertyReq);
-+    REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
- 
-     swaps(&stuff->length);
-     swapl(&stuff->property);
-     swapl(&stuff->type);
-     swapl(&stuff->longOffset);
-     swapl(&stuff->longLength);
--    REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
-     return (ProcXGetDeviceProperty(client));
- }
- 
-@@ -1253,11 +1252,10 @@ int
- SProcXIListProperties(ClientPtr client)
- {
-     REQUEST(xXIListPropertiesReq);
-+    REQUEST_SIZE_MATCH(xXIListPropertiesReq);
- 
-     swaps(&stuff->length);
-     swaps(&stuff->deviceid);
--
--    REQUEST_SIZE_MATCH(xXIListPropertiesReq);
-     return (ProcXIListProperties(client));
- }
- 
-@@ -1279,11 +1277,11 @@ int
- SProcXIDeleteProperty(ClientPtr client)
- {
-     REQUEST(xXIDeletePropertyReq);
-+    REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
- 
-     swaps(&stuff->length);
-     swaps(&stuff->deviceid);
-     swapl(&stuff->property);
--    REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
-     return (ProcXIDeleteProperty(client));
- }
- 
-@@ -1291,6 +1289,7 @@ int
- SProcXIGetProperty(ClientPtr client)
- {
-     REQUEST(xXIGetPropertyReq);
-+    REQUEST_SIZE_MATCH(xXIGetPropertyReq);
- 
-     swaps(&stuff->length);
-     swaps(&stuff->deviceid);
-@@ -1298,7 +1297,6 @@ SProcXIGetProperty(ClientPtr client)
-     swapl(&stuff->type);
-     swapl(&stuff->offset);
-     swapl(&stuff->len);
--    REQUEST_SIZE_MATCH(xXIGetPropertyReq);
-     return (ProcXIGetProperty(client));
- }
- 
-diff --git a/Xi/xiquerydevice.c b/Xi/xiquerydevice.c
-index 4e544f0..67a9a4f 100644
---- Xi/xiquerydevice.c
-+++ Xi/xiquerydevice.c
-@@ -54,6 +54,7 @@ int
- SProcXIQueryDevice(ClientPtr client)
- {
-     REQUEST(xXIQueryDeviceReq);
-+    REQUEST_SIZE_MATCH(xXIQueryDeviceReq);
- 
-     swaps(&stuff->length);
-     swaps(&stuff->deviceid);
-diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
-index e9bdd42..7ec0c85 100644
---- Xi/xiquerypointer.c
-+++ Xi/xiquerypointer.c
-@@ -63,6 +63,8 @@ int
- SProcXIQueryPointer(ClientPtr client)
- {
-     REQUEST(xXIQueryPointerReq);
-+    REQUEST_SIZE_MATCH(xXIQueryPointerReq);
-+
-     swaps(&stuff->length);
-     swaps(&stuff->deviceid);
-     swapl(&stuff->win);
-diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
-index 45a996e..168579f 100644
---- Xi/xiselectev.c
-+++ Xi/xiselectev.c
-@@ -114,6 +114,7 @@ int
- SProcXISelectEvents(ClientPtr client)
- {
-     int i;
-+    int len;
-     xXIEventMask *evmask;
- 
-     REQUEST(xXISelectEventsReq);
-@@ -122,10 +123,17 @@ SProcXISelectEvents(ClientPtr client)
-     swapl(&stuff->win);
-     swaps(&stuff->num_masks);
- 
-+    len = stuff->length - bytes_to_int32(sizeof(xXISelectEventsReq));
-     evmask = (xXIEventMask *) &stuff[1];
-     for (i = 0; i < stuff->num_masks; i++) {
-+        if (len < bytes_to_int32(sizeof(xXIEventMask)))
-+            return BadLength;
-+        len -= bytes_to_int32(sizeof(xXIEventMask));
-         swaps(&evmask->deviceid);
-         swaps(&evmask->mask_len);
-+        if (len < evmask->mask_len)
-+            return BadLength;
-+        len -= evmask->mask_len;
-         evmask =
-             (xXIEventMask *) (((char *) &evmask[1]) + evmask->mask_len * 4);
-     }
-diff --git a/Xi/xisetclientpointer.c b/Xi/xisetclientpointer.c
-index 38ff51e..24d4a53 100644
---- Xi/xisetclientpointer.c
-+++ Xi/xisetclientpointer.c
-@@ -51,10 +51,11 @@ int
- SProcXISetClientPointer(ClientPtr client)
- {
-     REQUEST(xXISetClientPointerReq);
-+    REQUEST_SIZE_MATCH(xXISetClientPointerReq);
-+
-     swaps(&stuff->length);
-     swapl(&stuff->win);
-     swaps(&stuff->deviceid);
--    REQUEST_SIZE_MATCH(xXISetClientPointerReq);
-     return (ProcXISetClientPointer(client));
- }
- 
-diff --git a/Xi/xisetdevfocus.c b/Xi/xisetdevfocus.c
-index 372ec24..96a9a16 100644
---- Xi/xisetdevfocus.c
-+++ Xi/xisetdevfocus.c
-@@ -44,6 +44,8 @@ int
- SProcXISetFocus(ClientPtr client)
- {
-     REQUEST(xXISetFocusReq);
-+    REQUEST_AT_LEAST_SIZE(xXISetFocusReq);
-+
-     swaps(&stuff->length);
-     swaps(&stuff->deviceid);
-     swapl(&stuff->focus);
-@@ -56,6 +58,8 @@ int
- SProcXIGetFocus(ClientPtr client)
- {
-     REQUEST(xXIGetFocusReq);
-+    REQUEST_AT_LEAST_SIZE(xXIGetFocusReq);
-+
-     swaps(&stuff->length);
-     swaps(&stuff->deviceid);
- 
-diff --git a/Xi/xiwarppointer.c b/Xi/xiwarppointer.c
-index 3f051f7..780758a 100644
---- Xi/xiwarppointer.c
-+++ Xi/xiwarppointer.c
-@@ -56,6 +56,8 @@ int
- SProcXIWarpPointer(ClientPtr client)
- {
-     REQUEST(xXIWarpPointerReq);
-+    REQUEST_SIZE_MATCH(xXIWarpPointerReq);
-+
-     swaps(&stuff->length);
-     swapl(&stuff->src_win);
-     swapl(&stuff->dst_win);
-diff --git a/include/dix.h b/include/dix.h
-index e0c6ed8..21176a8 100644
---- include/dix.h
-+++ include/dix.h
-@@ -74,6 +74,10 @@ SOFTWARE.
-     if ((sizeof(req) >> 2) > client->req_len )\
-          return(BadLength)
- 
-+#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra)  \
-+    if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \
-+         return(BadLength)
-+
- #define REQUEST_FIXED_SIZE(req, n)\
-     if (((sizeof(req) >> 2) > client->req_len) || \
-         ((n >> 2) >= client->req_len) || \
--- 
-cgit v0.10.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8096 b/x11-servers/xorg-server/files/patch-CVE-2014-8096
deleted file mode 100644
index 789801a..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8096
+++ /dev/null
@@ -1,27 +0,0 @@
-From 7553082b9b883b5f130044f3d53bce2f0b660e52 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 26 Jan 2014 17:18:54 -0800
-Subject: [PATCH 08/40] xcmisc: unvalidated length in SProcXCMiscGetXIDList()
- [CVE-2014-8096]
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
- Xext/xcmisc.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/Xext/xcmisc.c b/Xext/xcmisc.c
-index 034bfb6..1e91010 100644
---- Xext/xcmisc.c
-+++ Xext/xcmisc.c
-@@ -167,6 +167,7 @@ static int
- SProcXCMiscGetXIDList(ClientPtr client)
- {
-     REQUEST(xXCMiscGetXIDListReq);
-+    REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
- 
-     swaps(&stuff->length);
-     swapl(&stuff->count);
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8097 b/x11-servers/xorg-server/files/patch-CVE-2014-8097
deleted file mode 100644
index 19964c2..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8097
+++ /dev/null
@@ -1,73 +0,0 @@
-From 2ef42519c41e793579c9cea699c866fee3d9321f Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Wed, 22 Jan 2014 23:12:04 -0800
-Subject: [PATCH 06/40] dbe: unvalidated lengths in DbeSwapBuffers calls
- [CVE-2014-8097]
-
-ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read
-from a buffer. The length is never validated, which can lead to out of
-bound reads, and possibly returning the data read from out of bounds to
-the misbehaving client via an X Error packet.
-
-SProcDbeSwapBuffers() swaps data (for correct endianness) before
-handing it off to the real proc.  While doing the swapping, the
-length field is not validated, which can cause memory corruption.
-
-v2: reorder checks to avoid compilers optimizing out checks for overflow
-that happen after we'd already have done the overflowing multiplications.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
- dbe/dbe.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/dbe/dbe.c b/dbe/dbe.c
-index 527588c..df2ad5c 100644
---- dbe/dbe.c
-+++ dbe/dbe.c
-@@ -450,18 +450,20 @@ ProcDbeSwapBuffers(ClientPtr client)
-     DbeSwapInfoPtr swapInfo;
-     xDbeSwapInfo *dbeSwapInfo;
-     int error;
--    register int i, j;
--    int nStuff;
-+    unsigned int i, j;
-+    unsigned int nStuff;
- 
-     REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
-     nStuff = stuff->n;          /* use local variable for performance. */
- 
-     if (nStuff == 0) {
-+        REQUEST_SIZE_MATCH(xDbeSwapBuffersReq);
-         return Success;
-     }
- 
-     if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
-         return BadAlloc;
-+    REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));
- 
-     /* Get to the swap info appended to the end of the request. */
-     dbeSwapInfo = (xDbeSwapInfo *) &stuff[1];
-@@ -914,13 +916,16 @@ static int
- SProcDbeSwapBuffers(ClientPtr client)
- {
-     REQUEST(xDbeSwapBuffersReq);
--    register int i;
-+    unsigned int i;
-     xDbeSwapInfo *pSwapInfo;
- 
-     swaps(&stuff->length);
-     REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
- 
-     swapl(&stuff->n);
-+    if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
-+        return BadAlloc;
-+    REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
- 
-     if (stuff->n != 0) {
-         pSwapInfo = (xDbeSwapInfo *) stuff + 1;
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8097-pt2 b/x11-servers/xorg-server/files/patch-CVE-2014-8097-pt2
deleted file mode 100644
index 70b8987..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8097-pt2
+++ /dev/null
@@ -1,50 +0,0 @@
-From b20912c3d45cbbde3c443e6c3d9e189092fe65e1 Mon Sep 17 00:00:00 2001
-From: Keith Packard <keithp@keithp.com>
-Date: Tue, 9 Dec 2014 09:30:57 -0800
-Subject: [PATCH 36/40] dbe: Call to DDX SwapBuffers requires address of int,
- not unsigned int [CVE-2014-8097 pt. 2]
-
-When the local types used to walk the DBE request were changed, this
-changed the type of the parameter passed to the DDX SwapBuffers API,
-but there wasn't a matching change in the API definition.
-
-At this point, with the API frozen, I just stuck a new variable in
-with the correct type. Because we've already bounds-checked nStuff to
-be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will
-fit in a signed int without overflow.
-
-Signed-off-by: Keith Packard <keithp@keithp.com
-Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- dbe/dbe.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/dbe/dbe.c b/dbe/dbe.c
-index df2ad5c..e5d928d 100644
---- dbe/dbe.c
-+++ dbe/dbe.c
-@@ -452,6 +452,7 @@ ProcDbeSwapBuffers(ClientPtr client)
-     int error;
-     unsigned int i, j;
-     unsigned int nStuff;
-+    int nStuff_i;       /* DDX API requires int for nStuff */
- 
-     REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
-     nStuff = stuff->n;          /* use local variable for performance. */
-@@ -527,9 +528,10 @@ ProcDbeSwapBuffers(ClientPtr client)
-      * could deal with cross-screen synchronization.
-      */
- 
--    while (nStuff > 0) {
-+    nStuff_i = nStuff;
-+    while (nStuff_i > 0) {
-         pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow);
--        error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff, swapInfo);
-+        error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff_i, swapInfo);
-         if (error != Success) {
-             free(swapInfo);
-             return error;
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8098-1-8 b/x11-servers/xorg-server/files/patch-CVE-2014-8098-1-8
deleted file mode 100644
index 658fa96..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8098-1-8
+++ /dev/null
@@ -1,59 +0,0 @@
-From 13d36923e0ddb077f4854e354c3d5c80590b5d9d Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 10 Nov 2014 12:13:39 -0500
-Subject: [PATCH 22/40] glx: Fix image size computation for EXT_texture_integer
- [CVE-2014-8098 1/8]
-
-Without this we'd reject the request with BadLength.  Note that some old
-versions of Mesa had a bug in the same place, and would _send_ zero
-bytes of image data; these will now be rejected, correctly.
-
-Reviewed-by: Keith Packard <keithp@keithp.com>
-Reviewed-by: Julien Cristau <jcristau@debian.org>
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- glx/rensize.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/glx/rensize.c b/glx/rensize.c
-index ba22d10..9ff73c7 100644
---- glx/rensize.c
-+++ glx/rensize.c
-@@ -224,6 +224,11 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
-         case GL_ALPHA:
-         case GL_LUMINANCE:
-         case GL_INTENSITY:
-+        case GL_RED_INTEGER_EXT:
-+        case GL_GREEN_INTEGER_EXT:
-+        case GL_BLUE_INTEGER_EXT:
-+        case GL_ALPHA_INTEGER_EXT:
-+        case GL_LUMINANCE_INTEGER_EXT:
-             elementsPerGroup = 1;
-             break;
-         case GL_422_EXT:
-@@ -234,14 +239,19 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
-         case GL_DEPTH_STENCIL_MESA:
-         case GL_YCBCR_MESA:
-         case GL_LUMINANCE_ALPHA:
-+        case GL_LUMINANCE_ALPHA_INTEGER_EXT:
-             elementsPerGroup = 2;
-             break;
-         case GL_RGB:
-         case GL_BGR:
-+        case GL_RGB_INTEGER_EXT:
-+        case GL_BGR_INTEGER_EXT:
-             elementsPerGroup = 3;
-             break;
-         case GL_RGBA:
-         case GL_BGRA:
-+        case GL_RGBA_INTEGER_EXT:
-+        case GL_BGRA_INTEGER_EXT:
-         case GL_ABGR_EXT:
-             elementsPerGroup = 4;
-             break;
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8098-2-8 b/x11-servers/xorg-server/files/patch-CVE-2014-8098-2-8
deleted file mode 100644
index bbbc5b6..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8098-2-8
+++ /dev/null
@@ -1,75 +0,0 @@
-From be09e0c988ffdb0371293af49fb4ea8f49ed324a Mon Sep 17 00:00:00 2001
-From: Julien Cristau <jcristau@debian.org>
-Date: Mon, 10 Nov 2014 12:13:41 -0500
-Subject: [PATCH 24/40] glx: Length checking for GLXRender requests (v2)
- [CVE-2014-8098 2/8]
-
-v2:
-Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
-
-Reviewed-by: Adam Jackson <ajax@redhat.com>
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Julien Cristau <jcristau@debian.org>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- glx/glxcmds.c | 21 ++++++++++-----------
- 1 file changed, 10 insertions(+), 11 deletions(-)
-
-diff --git a/glx/glxcmds.c b/glx/glxcmds.c
-index ea42e2a..ddd9119 100644
---- glx/glxcmds.c
-+++ glx/glxcmds.c
-@@ -2025,7 +2025,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
-     left = (req->length << 2) - sz_xGLXRenderReq;
-     while (left > 0) {
-         __GLXrenderSizeData entry;
--        int extra;
-+        int extra = 0;
-         __GLXdispatchRenderProcPtr proc;
-         int err;
- 
-@@ -2044,6 +2044,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
-         cmdlen = hdr->length;
-         opcode = hdr->opcode;
- 
-+        if (left < cmdlen)
-+            return BadLength;
-+
-         /*
-          ** Check for core opcodes and grab entry data.
-          */
-@@ -2057,6 +2060,10 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
-             return __glXError(GLXBadRenderRequest);
-         }
- 
-+        if (cmdlen < entry.bytes) {
-+            return BadLength;
-+        }
-+
-         if (entry.varsize) {
-             /* variable size command */
-             extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
-@@ -2064,17 +2071,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
-             if (extra < 0) {
-                 return BadLength;
-             }
--            if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
--                return BadLength;
--            }
-         }
--        else {
--            /* constant size command */
--            if (cmdlen != __GLX_PAD(entry.bytes)) {
--                return BadLength;
--            }
--        }
--        if (left < cmdlen) {
-+
-+        if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
-             return BadLength;
-         }
- 
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8098-3-8 b/x11-servers/xorg-server/files/patch-CVE-2014-8098-3-8
deleted file mode 100644
index 0f54277..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8098-3-8
+++ /dev/null
@@ -1,153 +0,0 @@
-From a33a939e6abb255b14d8dbc85fcbd2c55b958bae Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 10 Nov 2014 12:13:43 -0500
-Subject: [PATCH 26/40] glx: Length checking for RenderLarge requests (v2)
- [CVE-2014-8098 3/8]
-
-This is a half-measure until we start passing request length into the
-varsize function, but it's better than the nothing we had before.
-
-v2: Verify that there's at least a large render header's worth of
-dataBytes (Julien Cristau)
-
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- glx/glxcmds.c | 57 ++++++++++++++++++++++++++++++++++-----------------------
- 1 file changed, 34 insertions(+), 23 deletions(-)
-
---- glx/glxcmds.c.orig	2014-12-10 14:30:17.826442820 +0100
-+++ glx/glxcmds.c	2014-12-10 14:32:34.472432537 +0100
-@@ -2032,6 +2032,8 @@
- 
-     __GLX_DECLARE_SWAP_VARIABLES;
- 
-+    REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq);
-+
-     req = (xGLXRenderLargeReq *) pc;
-     if (client->swapped) {
-         __GLX_SWAP_SHORT(&req->length);
-@@ -2047,12 +2049,14 @@
-         __glXResetLargeCommandStatus(cl);
-         return error;
-     }
-+    if (safe_pad(req->dataBytes) < 0)
-+        return BadLength;
-     dataBytes = req->dataBytes;
- 
-     /*
-      ** Check the request length.
-      */
--    if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) {
-+    if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) {
-         client->errorValue = req->length;
-         /* Reset in case this isn't 1st request. */
-         __glXResetLargeCommandStatus(cl);
-@@ -2062,7 +2066,7 @@
- 
-     if (cl->largeCmdRequestsSoFar == 0) {
-         __GLXrenderSizeData entry;
--        int extra;
-+        int extra = 0;
-         size_t cmdlen;
-         int err;
- 
-@@ -2075,13 +2079,17 @@
-             return __glXError(GLXBadLargeRequest);
-         }
- 
-+        if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE)
-+            return BadLength;
-+
-         hdr = (__GLXrenderLargeHeader *) pc;
-         if (client->swapped) {
-             __GLX_SWAP_INT(&hdr->length);
-             __GLX_SWAP_INT(&hdr->opcode);
-         }
--        cmdlen = hdr->length;
-         opcode = hdr->opcode;
-+        if ((cmdlen = safe_pad(hdr->length)) < 0)
-+            return BadLength;
- 
-         /*
-          ** Check for core opcodes and grab entry data.
-@@ -2103,17 +2111,13 @@
-             if (extra < 0) {
-                 return BadLength;
-             }
--            /* large command's header is 4 bytes longer, so add 4 */
--            if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
--                return BadLength;
--            }
-         }
--        else {
--            /* constant size command */
--            if (cmdlen != __GLX_PAD(entry.bytes + 4)) {
--                return BadLength;
--            }
-+
-+        /* the +4 is safe because we know entry.bytes is small */
-+        if (cmdlen != safe_pad(safe_add(entry.bytes + 4, extra))) {
-+            return BadLength;
-         }
-+
-         /*
-          ** Make enough space in the buffer, then copy the entire request.
-          */
-@@ -2143,6 +2147,7 @@
-          ** We are receiving subsequent (i.e. not the first) requests of a
-          ** multi request command.
-          */
-+        int bytesSoFar; /* including this packet */
- 
-         /*
-          ** Check the request number and the total request count.
-@@ -2161,11 +2166,18 @@
-         /*
-          ** Check that we didn't get too much data.
-          */
--        if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) {
-+        if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) {
-+            client->errorValue = dataBytes;
-+            __glXResetLargeCommandStatus(cl);
-+            return __glXError(GLXBadLargeRequest);
-+        }
-+
-+        if (bytesSoFar > cl->largeCmdBytesTotal) {
-             client->errorValue = dataBytes;
-             __glXResetLargeCommandStatus(cl);
-             return __glXError(GLXBadLargeRequest);
-         }
-+
-         memcpy(cl->largeCmdBuf + cl->largeCmdBytesSoFar, pc, dataBytes);
-         cl->largeCmdBytesSoFar += dataBytes;
-         cl->largeCmdRequestsSoFar++;
-@@ -2177,17 +2189,16 @@
-              ** This is the last request; it must have enough bytes to complete
-              ** the command.
-              */
--            /* NOTE: the two pad macros have been added below; they are needed
--             ** because the client library pads the total byte count, but not
--             ** the per-request byte counts.  The Protocol Encoding says the
--             ** total byte count should not be padded, so a proposal will be 
--             ** made to the ARB to relax the padding constraint on the total 
--             ** byte count, thus preserving backward compatibility.  Meanwhile, 
--             ** the padding done below fixes a bug that did not allow
--             ** large commands of odd sizes to be accepted by the server.
-+            /* NOTE: the pad macro below is needed because the client library
-+             ** pads the total byte count, but not the per-request byte counts.
-+             ** The Protocol Encoding says the total byte count should not be
-+             ** padded, so a proposal will be made to the ARB to relax the
-+             ** padding constraint on the total byte count, thus preserving
-+             ** backward compatibility.  Meanwhile, the padding done below
-+             ** fixes a bug that did not allow large commands of odd sizes to
-+             ** be accepted by the server.
-              */
--            if (__GLX_PAD(cl->largeCmdBytesSoFar) !=
--                __GLX_PAD(cl->largeCmdBytesTotal)) {
-+            if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) {
-                 client->errorValue = dataBytes;
-                 __glXResetLargeCommandStatus(cl);
-                 return __glXError(GLXBadLargeRequest);
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8098-4-8 b/x11-servers/xorg-server/files/patch-CVE-2014-8098-4-8
deleted file mode 100644
index 3a89be2..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8098-4-8
+++ /dev/null
@@ -1,51 +0,0 @@
-From c91e4abc3b892f42802efa20fef7ada442c2d3f5 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 10 Nov 2014 12:13:44 -0500
-Subject: [PATCH 27/40] glx: Top-level length checking for swapped
- VendorPrivate requests [CVE-2014-8098 4/8]
-
-Reviewed-by: Keith Packard <keithp@keithp.com>
-Reviewed-by: Julien Cristau <jcristau@debian.org>
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- glx/glxcmdsswap.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
-index 5d179f3..9ec1222 100644
---- glx/glxcmdsswap.c
-+++ glx/glxcmdsswap.c
-@@ -958,11 +958,13 @@ __glXDispSwap_RenderLarge(__GLXclientState * cl, GLbyte * pc)
- int
- __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
- {
-+    ClientPtr client = cl->client;
-     xGLXVendorPrivateReq *req;
-     GLint vendorcode;
-     __GLXdispatchVendorPrivProcPtr proc;
- 
-     __GLX_DECLARE_SWAP_VARIABLES;
-+    REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
- 
-     req = (xGLXVendorPrivateReq *) pc;
-     __GLX_SWAP_SHORT(&req->length);
-@@ -985,11 +987,13 @@ __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
- int
- __glXDispSwap_VendorPrivateWithReply(__GLXclientState * cl, GLbyte * pc)
- {
-+    ClientPtr client = cl->client;
-     xGLXVendorPrivateWithReplyReq *req;
-     GLint vendorcode;
-     __GLXdispatchVendorPrivProcPtr proc;
- 
-     __GLX_DECLARE_SWAP_VARIABLES;
-+    REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq);
- 
-     req = (xGLXVendorPrivateWithReplyReq *) pc;
-     __GLX_SWAP_SHORT(&req->length);
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8098-6-8 b/x11-servers/xorg-server/files/patch-CVE-2014-8098-6-8
deleted file mode 100644
index 1a043b8..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8098-6-8
+++ /dev/null
@@ -1,45 +0,0 @@
-From 44ba149f28ece93c2fbfc9cc980588de5322dd4b Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 10 Nov 2014 12:13:46 -0500
-Subject: [PATCH 29/40] glx: Length-checking for non-generated vendor private
- requests [CVE-2014-8098 6/8]
-
-Reviewed-by: Keith Packard <keithp@keithp.com>
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- glx/indirect_program.c | 2 ++
- glx/swap_interval.c    | 2 ++
- 2 files changed, 4 insertions(+)
-
-diff --git a/glx/indirect_program.c b/glx/indirect_program.c
-index cda139e..5caee7b 100644
---- glx/indirect_program.c
-+++ glx/indirect_program.c
-@@ -56,6 +56,8 @@ DoGetProgramString(struct __GLXclientStateRec *cl, GLbyte * pc,
-     __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
-     ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateWithReplyReq, 8);
-+
-     pc += __GLX_VENDPRIV_HDR_SIZE;
-     if (cx != NULL) {
-         GLenum target;
-diff --git a/glx/swap_interval.c b/glx/swap_interval.c
-index 17bc992..2320550 100644
---- glx/swap_interval.c
-+++ glx/swap_interval.c
-@@ -46,6 +46,8 @@ DoSwapInterval(__GLXclientState * cl, GLbyte * pc, int do_swap)
-     __GLXcontext *cx;
-     GLint interval;
- 
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 4);
-+
-     cx = __glXLookupContextByTag(cl, tag);
- 
-     if ((cx == NULL) || (cx->pGlxScreen == NULL)) {
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8098-7-8 b/x11-servers/xorg-server/files/patch-CVE-2014-8098-7-8
deleted file mode 100644
index 76fa0e0..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8098-7-8
+++ /dev/null
@@ -1,553 +0,0 @@
-From 984583a497c813df5827ae22483133e704fee79c Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 10 Nov 2014 12:13:47 -0500
-Subject: [PATCH 30/40] glx: Length checking for non-generated single requests
- (v2) [CVE-2014-8098 7/8]
-
-v2:
-Fix single versus vendor-private length checking for ARB_imaging subset
-extensions. (Julien Cristau)
-
-v3:
-Fix single versus vendor-private length checking for ARB_imaging subset
-extensions. (Julien Cristau)
-
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Julien Cristau <jcristau@debian.org>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- glx/indirect_texture_compression.c |  4 ++++
- glx/single2.c                      | 23 +++++++++++++++-----
- glx/single2swap.c                  | 19 ++++++++++++----
- glx/singlepix.c                    | 44 +++++++++++++++++++++++++-------------
- glx/singlepixswap.c                | 34 ++++++++++++++++++++++++-----
- 5 files changed, 95 insertions(+), 29 deletions(-)
-
-diff --git a/glx/indirect_texture_compression.c b/glx/indirect_texture_compression.c
-index cda7656..1ebf7f3 100644
---- glx/indirect_texture_compression.c
-+++ glx/indirect_texture_compression.c
-@@ -43,6 +43,8 @@ __glXDisp_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
-     __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
-     ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
-+
-     pc += __GLX_SINGLE_HDR_SIZE;
-     if (cx != NULL) {
-         const GLenum target = *(GLenum *) (pc + 0);
-@@ -87,6 +89,8 @@ __glXDispSwap_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
-         __glXForceCurrent(cl, bswap_32(req->contextTag), &error);
-     ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
-+
-     pc += __GLX_SINGLE_HDR_SIZE;
-     if (cx != NULL) {
-         const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0));
---- glx/single2.c.orig	2014-04-15 03:01:57.000000000 +0200
-+++ glx/single2.c	2014-12-11 09:08:22.788060618 +0100
-@@ -49,11 +49,14 @@
- int
- __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
- {
-+    ClientPtr client = cl->client;
-     GLsizei size;
-     GLenum type;
-     __GLXcontext *cx;
-     int error;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
-+
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-         return error;
-@@ -80,10 +83,13 @@
- int
- __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
- {
-+    ClientPtr client = cl->client;
-     __GLXcontext *cx;
-     GLsizei size;
-     int error;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
-+
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-         return error;
-@@ -108,7 +114,7 @@
- int
- __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
- {
--    ClientPtr client;
-+    ClientPtr client = cl->client;
-     xGLXRenderModeReply reply;
-     __GLXcontext *cx;
-     GLint nitems = 0, retBytes = 0, retval, newModeCheck;
-@@ -116,6 +122,8 @@
-     GLenum newMode;
-     int error;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
-+
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-         return error;
-@@ -192,7 +200,6 @@
-      ** selection array, as per the API for glRenderMode itself.
-      */
-  noChangeAllowed:;
--    client = cl->client;
-     reply = (xGLXRenderModeReply) {
-         .type = X_Reply,
-         .sequenceNumber = client->sequence,
-@@ -211,9 +218,12 @@
- int
- __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
- {
-+    ClientPtr client = cl->client;
-     __GLXcontext *cx;
-     int error;
- 
-+    REQUEST_SIZE_MATCH(xGLXSingleReq);
-+
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-         return error;
-@@ -227,10 +237,12 @@
- int
- __glXDisp_Finish(__GLXclientState * cl, GLbyte * pc)
- {
-+    ClientPtr client = cl->client;
-     __GLXcontext *cx;
--    ClientPtr client;
-     int error;
- 
-+    REQUEST_SIZE_MATCH(xGLXSingleReq);
-+
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-         return error;
-@@ -321,7 +332,7 @@
- int
- DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
- {
--    ClientPtr client;
-+    ClientPtr client = cl->client;
-     __GLXcontext *cx;
-     GLenum name;
-     const char *string;
-@@ -331,6 +342,8 @@
-     char *buf = NULL, *buf1 = NULL;
-     GLint length = 0;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
-+
-     /* If the client has the opposite byte order, swap the contextTag and
-      * the name.
-      */
-@@ -347,7 +360,6 @@
-     pc += __GLX_SINGLE_HDR_SIZE;
-     name = *(GLenum *) (pc + 0);
-     string = (const char *) CALL_GetString(GET_DISPATCH(), (name));
--    client = cl->client;
- 
-     if (string == NULL)
-         string = "";
---- glx/single2swap.c.orig	2014-04-15 03:01:57.000000000 +0200
-+++ glx/single2swap.c	2014-12-11 09:05:12.670056539 +0100
-@@ -45,6 +45,7 @@
- int
- __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
- {
-+    ClientPtr client = cl->client;
-     GLsizei size;
-     GLenum type;
- 
-@@ -52,6 +53,8 @@
-     __GLXcontext *cx;
-     int error;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
-+
-     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-@@ -81,12 +84,15 @@
- int
- __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
- {
-+    ClientPtr client = cl->client;
-     __GLXcontext *cx;
-     GLsizei size;
- 
-     __GLX_DECLARE_SWAP_VARIABLES;
-     int error;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
-+
-     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-@@ -113,7 +119,7 @@
- int
- __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
- {
--    ClientPtr client;
-+    ClientPtr client = cl->client;
-     __GLXcontext *cx;
-     xGLXRenderModeReply reply;
-     GLint nitems = 0, retBytes = 0, retval, newModeCheck;
-@@ -124,6 +130,8 @@
-     __GLX_DECLARE_SWAP_ARRAY_VARIABLES;
-     int error;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
-+
-     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-@@ -204,7 +212,6 @@
-      ** selection array, as per the API for glRenderMode itself.
-      */
-  noChangeAllowed:;
--    client = cl->client;
-     reply = (xGLXRenderModeReply) {
-         .type = X_Reply,
-         .sequenceNumber = client->sequence,
-@@ -228,11 +235,14 @@
- int
- __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
- {
-+    ClientPtr client = cl->client;
-     __GLXcontext *cx;
-     int error;
- 
-     __GLX_DECLARE_SWAP_VARIABLES;
- 
-+    REQUEST_SIZE_MATCH(xGLXSingleReq);
-+
-     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-@@ -247,12 +257,14 @@
- int
- __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
- {
-+    ClientPtr client = cl->client;
-     __GLXcontext *cx;
--    ClientPtr client;
-     int error;
- 
-     __GLX_DECLARE_SWAP_VARIABLES;
- 
-+    REQUEST_SIZE_MATCH(xGLXSingleReq);
-+
-     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-@@ -264,7 +276,6 @@
-     cx->hasUnflushedCommands = GL_FALSE;
- 
-     /* Send empty reply packet to indicate finish is finished */
--    client = cl->client;
-     __GLX_BEGIN_REPLY(0);
-     __GLX_PUT_RETVAL(0);
-     __GLX_SWAP_REPLY_HEADER();
---- glx/singlepix.c.orig	2014-12-11 09:04:51.072058678 +0100
-+++ glx/singlepix.c	2014-12-11 09:10:51.484033826 +0100
-@@ -55,6 +55,8 @@
-     int error;
-     char *answer, answerBuffer[200];
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
-+
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-         return error;
-@@ -107,6 +109,8 @@
-     char *answer, answerBuffer[200];
-     GLint width = 0, height = 0, depth = 1;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
-+
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-         return error;
-@@ -169,6 +173,8 @@
-     GLubyte answerBuffer[200];
-     char *answer;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
-+
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-         return error;
-@@ -231,15 +237,13 @@
-     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
-     compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
- 
--    if (compsize < 0)
-+    if ((compsize = safe_pad(compsize)) < 0)
-         return BadLength;
--    if (compsize2 < 0)
-+    if ((compsize2 = safe_pad(compsize2)) < 0)
-         return BadLength;
--    compsize = __GLX_PAD(compsize);
--    compsize2 = __GLX_PAD(compsize2);
- 
-     CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes));
--    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
-+    __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
-     __glXClearErrorOccured();
-     CALL_GetSeparableFilter(GET_DISPATCH(), (*(GLenum *) (pc + 0),
-                                              *(GLenum *) (pc + 4),
-@@ -265,7 +269,8 @@
- __glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
--
-+    ClientPtr client = cl->client;
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
-     return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
- 
-@@ -273,7 +278,8 @@
- __glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
--
-+    ClientPtr client = cl->client;
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
-     return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
- 
-@@ -343,7 +349,8 @@
- __glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
--
-+    ClientPtr client = cl->client;
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
-     return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
- 
-@@ -351,7 +358,8 @@
- __glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
--
-+    ClientPtr client = cl->client;
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
-     return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
- 
-@@ -411,7 +419,8 @@
- __glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
--
-+    ClientPtr client = cl->client;
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
-     return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
- 
-@@ -419,7 +428,8 @@
- __glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
--
-+    ClientPtr client = cl->client;
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
-     return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
- 
-@@ -471,7 +481,8 @@
- __glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
--
-+    ClientPtr client = cl->client;
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
-     return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
- 
-@@ -479,7 +490,8 @@
- __glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
--
-+    ClientPtr client = cl->client;
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
-     return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
- 
-@@ -540,7 +552,8 @@
- __glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
--
-+    ClientPtr client = cl->client;
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
-     return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
- 
-@@ -548,6 +561,7 @@
- __glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
--
-+    ClientPtr client = cl->client;
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
-     return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
---- glx/singlepixswap.c.orig	2014-12-11 09:04:51.073058638 +0100
-+++ glx/singlepixswap.c	2014-12-11 09:12:14.151301716 +0100
-@@ -57,6 +57,8 @@
-     int error;
-     char *answer, answerBuffer[200];
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
-+
-     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-@@ -122,6 +124,8 @@
-     char *answer, answerBuffer[200];
-     GLint width = 0, height = 0, depth = 1;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
-+
-     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-@@ -197,6 +201,8 @@
- 
-     __GLX_DECLARE_SWAP_VARIABLES;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
-+
-     __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
-     cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
-     if (!cx) {
-@@ -266,15 +272,13 @@
-     compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
-     compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
- 
--    if (compsize < 0)
-+    if ((compsize =safe_pad(compsize)) < 0)
-         return BadLength;
--    if (compsize2 < 0)
-+    if ((compsize2 = safe_pad(compsize2)) < 0)
-         return BadLength;
--    compsize = __GLX_PAD(compsize);
--    compsize2 = __GLX_PAD(compsize2);
- 
-     CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes));
--    __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
-+    __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
-     __glXClearErrorOccured();
-     CALL_GetSeparableFilter(GET_DISPATCH(), (*(GLenum *) (pc + 0),
-                                              *(GLenum *) (pc + 4),
-@@ -302,7 +306,9 @@
- __glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-+    ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
-     return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
- 
-@@ -310,7 +316,9 @@
- __glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-+    ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
-     return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
- 
-@@ -388,7 +396,9 @@
- __glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-+    ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
-     return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
- 
-@@ -396,7 +406,9 @@
- __glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-+    ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
-     return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
- 
-@@ -463,7 +475,9 @@
- __glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-+    ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
-     return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
- 
-@@ -471,7 +485,9 @@
- __glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-+    ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
-     return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
- 
-@@ -529,7 +545,9 @@
- __glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-+    ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
-     return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
- 
-@@ -537,7 +555,9 @@
- __glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-+    ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
-     return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
- 
-@@ -605,7 +625,9 @@
- __glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-+    ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
-     return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
- }
- 
-@@ -613,6 +635,8 @@
- __glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
- {
-     const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-+    ClientPtr client = cl->client;
- 
-+    REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
-     return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
- }
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8098-8-8 b/x11-servers/xorg-server/files/patch-CVE-2014-8098-8-8
deleted file mode 100644
index defe212..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8098-8-8
+++ /dev/null
@@ -1,964 +0,0 @@
-From e883c170c15493ab3637c0a01890f5a7ca4e16a5 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 10 Nov 2014 12:13:48 -0500
-Subject: [PATCH 31/40] glx: Pass remaining request length into ->varsize (v2)
- [CVE-2014-8098 8/8]
-
-v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
-
-Reviewed-by: Julien Cristau <jcristau@debian.org>
-Reviewed-by: Michal Srb <msrb@suse.com>
-Reviewed-by: Andy Ritger <aritger@nvidia.com>
-Signed-off-by: Adam Jackson <ajax@redhat.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- glx/glxcmds.c          |   7 +-
- glx/glxserver.h        |   2 +-
- glx/indirect_reqsize.c | 142 +++++++++++++++++++-------------------
- glx/indirect_reqsize.h | 181 ++++++++++++++++++++++++++++++-------------------
- glx/rensize.c          |  27 +++++---
- 5 files changed, 205 insertions(+), 154 deletions(-)
-
---- glx/glxcmds.c.orig	2014-12-10 15:58:29.877078381 +0100
-+++ glx/glxcmds.c	2014-12-10 16:02:02.578063888 +0100
-@@ -1990,7 +1990,8 @@
-         if (entry.varsize) {
-             /* variable size command */
-             extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
--                                      client->swapped);
-+                                      client->swapped,
-+                                      left - __GLX_RENDER_HDR_SIZE);
-             if (extra < 0) {
-                 return BadLength;
-             }
-@@ -2067,6 +2068,7 @@
-     if (cl->largeCmdRequestsSoFar == 0) {
-         __GLXrenderSizeData entry;
-         int extra = 0;
-+        int left = (req->length << 2) - sz_xGLXRenderLargeReq;
-         size_t cmdlen;
-         int err;
- 
-@@ -2107,7 +2109,8 @@
-              ** will be in the 1st request, so it's okay to do this.
-              */
-             extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
--                                      client->swapped);
-+                                      client->swapped,
-+                                      left - __GLX_RENDER_LARGE_HDR_SIZE);
-             if (extra < 0) {
-                 return BadLength;
-             }
---- glx/glxserver.h.orig	2012-05-17 19:09:02.000000000 +0200
-+++ glx/glxserver.h	2014-12-10 14:55:50.575337222 +0100
-@@ -167,7 +167,7 @@
- /*
-  * Tables for computing the size of each rendering command.
-  */
--typedef int (*gl_proto_size_func) (const GLbyte *, Bool);
-+typedef int (*gl_proto_size_func) (const GLbyte *, Bool, int);
- 
- typedef struct {
-     int bytes;
---- glx/indirect_reqsize.c.orig	2012-05-17 19:09:02.000000000 +0200
-+++ glx/indirect_reqsize.c	2014-12-10 15:28:31.264202211 +0100
-@@ -31,24 +31,22 @@
- #include "indirect_size.h"
- #include "indirect_reqsize.h"
- 
--#define __GLX_PAD(x)  (((x) + 3) & ~3)
--
- #if defined(__CYGWIN__) || defined(__MINGW32__)
- #undef HAVE_ALIAS
- #endif
- #ifdef HAVE_ALIAS
- #define ALIAS2(from,to) \
--    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
-+    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
-         __attribute__ ((alias( # to )));
- #define ALIAS(from,to) ALIAS2( from, __glX ## to ## ReqSize )
- #else
- #define ALIAS(from,to) \
--    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap ) \
--    { return __glX ## to ## ReqSize( pc, swap ); }
-+    GLint __glX ## from ## ReqSize( const GLbyte * pc, Bool swap, int reqlen ) \
-+    { return __glX ## to ## ReqSize( pc, swap, reqlen ); }
- #endif
- 
- int
--__glXCallListsReqSize(const GLbyte * pc, Bool swap)
-+__glXCallListsReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei n = *(GLsizei *) (pc + 0);
-     GLenum type = *(GLenum *) (pc + 4);
-@@ -60,11 +58,11 @@
-     }
- 
-     compsize = __glCallLists_size(type);
--    return __GLX_PAD((compsize * n));
-+    return safe_pad(safe_mul(compsize, n));
- }
- 
- int
--__glXBitmapReqSize(const GLbyte * pc, Bool swap)
-+__glXBitmapReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = 0;
-@@ -88,7 +86,7 @@
- }
- 
- int
--__glXFogfvReqSize(const GLbyte * pc, Bool swap)
-+__glXFogfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum pname = *(GLenum *) (pc + 0);
-     GLsizei compsize;
-@@ -98,11 +96,11 @@
-     }
- 
-     compsize = __glFogfv_size(pname);
--    return __GLX_PAD((compsize * 4));
-+    return safe_pad(safe_mul(compsize, 4));
- }
- 
- int
--__glXLightfvReqSize(const GLbyte * pc, Bool swap)
-+__glXLightfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum pname = *(GLenum *) (pc + 4);
-     GLsizei compsize;
-@@ -112,11 +110,11 @@
-     }
- 
-     compsize = __glLightfv_size(pname);
--    return __GLX_PAD((compsize * 4));
-+    return safe_pad(safe_mul(compsize, 4));
- }
- 
- int
--__glXLightModelfvReqSize(const GLbyte * pc, Bool swap)
-+__glXLightModelfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum pname = *(GLenum *) (pc + 0);
-     GLsizei compsize;
-@@ -126,11 +124,11 @@
-     }
- 
-     compsize = __glLightModelfv_size(pname);
--    return __GLX_PAD((compsize * 4));
-+    return safe_pad(safe_mul(compsize, 4));
- }
- 
- int
--__glXMaterialfvReqSize(const GLbyte * pc, Bool swap)
-+__glXMaterialfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum pname = *(GLenum *) (pc + 4);
-     GLsizei compsize;
-@@ -140,11 +138,11 @@
-     }
- 
-     compsize = __glMaterialfv_size(pname);
--    return __GLX_PAD((compsize * 4));
-+    return safe_pad(safe_mul(compsize, 4));
- }
- 
- int
--__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap)
-+__glXPolygonStippleReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = 0;
-@@ -164,7 +162,7 @@
- }
- 
- int
--__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap)
-+__glXTexParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum pname = *(GLenum *) (pc + 4);
-     GLsizei compsize;
-@@ -174,11 +172,11 @@
-     }
- 
-     compsize = __glTexParameterfv_size(pname);
--    return __GLX_PAD((compsize * 4));
-+    return safe_pad(safe_mul(compsize, 4));
- }
- 
- int
--__glXTexImage1DReqSize(const GLbyte * pc, Bool swap)
-+__glXTexImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = 0;
-@@ -206,7 +204,7 @@
- }
- 
- int
--__glXTexImage2DReqSize(const GLbyte * pc, Bool swap)
-+__glXTexImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = 0;
-@@ -236,7 +234,7 @@
- }
- 
- int
--__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap)
-+__glXTexEnvfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum pname = *(GLenum *) (pc + 4);
-     GLsizei compsize;
-@@ -246,11 +244,11 @@
-     }
- 
-     compsize = __glTexEnvfv_size(pname);
--    return __GLX_PAD((compsize * 4));
-+    return safe_pad(safe_mul(compsize, 4));
- }
- 
- int
--__glXTexGendvReqSize(const GLbyte * pc, Bool swap)
-+__glXTexGendvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum pname = *(GLenum *) (pc + 4);
-     GLsizei compsize;
-@@ -260,11 +258,11 @@
-     }
- 
-     compsize = __glTexGendv_size(pname);
--    return __GLX_PAD((compsize * 8));
-+    return safe_pad(safe_mul(compsize, 8));
- }
- 
- int
--__glXTexGenfvReqSize(const GLbyte * pc, Bool swap)
-+__glXTexGenfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum pname = *(GLenum *) (pc + 4);
-     GLsizei compsize;
-@@ -274,11 +272,11 @@
-     }
- 
-     compsize = __glTexGenfv_size(pname);
--    return __GLX_PAD((compsize * 4));
-+    return safe_pad(safe_mul(compsize, 4));
- }
- 
- int
--__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap)
-+__glXPixelMapfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei mapsize = *(GLsizei *) (pc + 4);
- 
-@@ -286,11 +284,11 @@
-         mapsize = bswap_32(mapsize);
-     }
- 
--    return __GLX_PAD((mapsize * 4));
-+    return safe_pad(safe_mul(mapsize, 4));
- }
- 
- int
--__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap)
-+__glXPixelMapusvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei mapsize = *(GLsizei *) (pc + 4);
- 
-@@ -298,11 +296,11 @@
-         mapsize = bswap_32(mapsize);
-     }
- 
--    return __GLX_PAD((mapsize * 2));
-+    return safe_pad(safe_mul(mapsize, 2));
- }
- 
- int
--__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap)
-+__glXDrawPixelsReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = 0;
-@@ -330,7 +328,7 @@
- }
- 
- int
--__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap)
-+__glXPrioritizeTexturesReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei n = *(GLsizei *) (pc + 0);
- 
-@@ -338,11 +336,11 @@
-         n = bswap_32(n);
-     }
- 
--    return __GLX_PAD((n * 4) + (n * 4));
-+    return safe_pad(safe_add(safe_mul(n, 4), safe_mul(n, 4)));
- }
- 
- int
--__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap)
-+__glXTexSubImage1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = 0;
-@@ -370,7 +368,7 @@
- }
- 
- int
--__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap)
-+__glXTexSubImage2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = 0;
-@@ -400,7 +398,7 @@
- }
- 
- int
--__glXColorTableReqSize(const GLbyte * pc, Bool swap)
-+__glXColorTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = 0;
-@@ -428,7 +426,7 @@
- }
- 
- int
--__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap)
-+__glXColorTableParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum pname = *(GLenum *) (pc + 4);
-     GLsizei compsize;
-@@ -438,11 +436,11 @@
-     }
- 
-     compsize = __glColorTableParameterfv_size(pname);
--    return __GLX_PAD((compsize * 4));
-+    return safe_pad(safe_mul(compsize, 4));
- }
- 
- int
--__glXColorSubTableReqSize(const GLbyte * pc, Bool swap)
-+__glXColorSubTableReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = 0;
-@@ -470,7 +468,7 @@
- }
- 
- int
--__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap)
-+__glXConvolutionFilter1DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = 0;
-@@ -498,7 +496,7 @@
- }
- 
- int
--__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap)
-+__glXConvolutionFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = 0;
-@@ -528,7 +526,7 @@
- }
- 
- int
--__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap)
-+__glXConvolutionParameterfvReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum pname = *(GLenum *) (pc + 4);
-     GLsizei compsize;
-@@ -538,11 +536,11 @@
-     }
- 
-     compsize = __glConvolutionParameterfv_size(pname);
--    return __GLX_PAD((compsize * 4));
-+    return safe_pad(safe_mul(compsize, 4));
- }
- 
- int
--__glXTexImage3DReqSize(const GLbyte * pc, Bool swap)
-+__glXTexImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = *(GLint *) (pc + 8);
-@@ -579,7 +577,7 @@
- }
- 
- int
--__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap)
-+__glXTexSubImage3DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLint row_length = *(GLint *) (pc + 4);
-     GLint image_height = *(GLint *) (pc + 8);
-@@ -613,7 +611,7 @@
- }
- 
- int
--__glXCompressedTexImage1DARBReqSize(const GLbyte * pc, Bool swap)
-+__glXCompressedTexImage1DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei imageSize = *(GLsizei *) (pc + 20);
- 
-@@ -621,11 +619,11 @@
-         imageSize = bswap_32(imageSize);
-     }
- 
--    return __GLX_PAD(imageSize);
-+    return safe_pad(imageSize);
- }
- 
- int
--__glXCompressedTexImage2DARBReqSize(const GLbyte * pc, Bool swap)
-+__glXCompressedTexImage2DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei imageSize = *(GLsizei *) (pc + 24);
- 
-@@ -633,11 +631,11 @@
-         imageSize = bswap_32(imageSize);
-     }
- 
--    return __GLX_PAD(imageSize);
-+    return safe_pad(imageSize);
- }
- 
- int
--__glXCompressedTexImage3DARBReqSize(const GLbyte * pc, Bool swap)
-+__glXCompressedTexImage3DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei imageSize = *(GLsizei *) (pc + 28);
- 
-@@ -645,11 +643,11 @@
-         imageSize = bswap_32(imageSize);
-     }
- 
--    return __GLX_PAD(imageSize);
-+    return safe_pad(imageSize);
- }
- 
- int
--__glXCompressedTexSubImage3DARBReqSize(const GLbyte * pc, Bool swap)
-+__glXCompressedTexSubImage3DARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei imageSize = *(GLsizei *) (pc + 36);
- 
-@@ -657,11 +655,11 @@
-         imageSize = bswap_32(imageSize);
-     }
- 
--    return __GLX_PAD(imageSize);
-+    return safe_pad(imageSize);
- }
- 
- int
--__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap)
-+__glXProgramStringARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei len = *(GLsizei *) (pc + 8);
- 
-@@ -669,11 +667,11 @@
-         len = bswap_32(len);
-     }
- 
--    return __GLX_PAD(len);
-+    return safe_pad(len);
- }
- 
- int
--__glXDrawBuffersARBReqSize(const GLbyte * pc, Bool swap)
-+__glXDrawBuffersARBReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei n = *(GLsizei *) (pc + 0);
- 
-@@ -681,11 +679,11 @@
-         n = bswap_32(n);
-     }
- 
--    return __GLX_PAD((n * 4));
-+    return safe_pad(safe_mul(n, 4));
- }
- 
- int
--__glXPointParameterfvEXTReqSize(const GLbyte * pc, Bool swap)
-+__glXPointParameterfvEXTReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum pname = *(GLenum *) (pc + 0);
-     GLsizei compsize;
-@@ -695,11 +693,11 @@
-     }
- 
-     compsize = __glPointParameterfvEXT_size(pname);
--    return __GLX_PAD((compsize * 4));
-+    return safe_pad(safe_mul(compsize, 4));
- }
- 
- int
--__glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap)
-+__glXProgramParameters4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei num = *(GLsizei *) (pc + 8);
- 
-@@ -707,11 +705,11 @@
-         num = bswap_32(num);
-     }
- 
--    return __GLX_PAD((num * 32));
-+    return safe_pad(safe_mul(num, 32));
- }
- 
- int
--__glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap)
-+__glXProgramParameters4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei num = *(GLsizei *) (pc + 8);
- 
-@@ -719,11 +717,11 @@
-         num = bswap_32(num);
-     }
- 
--    return __GLX_PAD((num * 16));
-+    return safe_pad(safe_mul(num, 16));
- }
- 
- int
--__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap)
-+__glXVertexAttribs1dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei n = *(GLsizei *) (pc + 4);
- 
-@@ -731,11 +729,11 @@
-         n = bswap_32(n);
-     }
- 
--    return __GLX_PAD((n * 8));
-+    return safe_pad(safe_mul(n, 8));
- }
- 
- int
--__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap)
-+__glXVertexAttribs2dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei n = *(GLsizei *) (pc + 4);
- 
-@@ -743,11 +741,11 @@
-         n = bswap_32(n);
-     }
- 
--    return __GLX_PAD((n * 16));
-+    return safe_pad(safe_mul(n, 16));
- }
- 
- int
--__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap)
-+__glXVertexAttribs3dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei n = *(GLsizei *) (pc + 4);
- 
-@@ -755,11 +753,11 @@
-         n = bswap_32(n);
-     }
- 
--    return __GLX_PAD((n * 24));
-+    return safe_pad(safe_mul(n, 24));
- }
- 
- int
--__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap)
-+__glXVertexAttribs3fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei n = *(GLsizei *) (pc + 4);
- 
-@@ -767,11 +765,11 @@
-         n = bswap_32(n);
-     }
- 
--    return __GLX_PAD((n * 12));
-+    return safe_pad(safe_mul(n, 12));
- }
- 
- int
--__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap)
-+__glXVertexAttribs3svNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei n = *(GLsizei *) (pc + 4);
- 
-@@ -779,11 +777,11 @@
-         n = bswap_32(n);
-     }
- 
--    return __GLX_PAD((n * 6));
-+    return safe_pad(safe_mul(n, 6));
- }
- 
- int
--__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap)
-+__glXVertexAttribs4dvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei n = *(GLsizei *) (pc + 4);
- 
-@@ -791,11 +789,11 @@
-         n = bswap_32(n);
-     }
- 
--    return __GLX_PAD((n * 32));
-+    return safe_pad(safe_mul(n, 32));
- }
- 
- int
--__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap)
-+__glXProgramNamedParameter4fvNVReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLsizei len = *(GLsizei *) (pc + 4);
- 
-@@ -803,7 +801,7 @@
-         len = bswap_32(len);
-     }
- 
--    return __GLX_PAD(len);
-+    return safe_pad(len);
- }
- 
- ALIAS(Fogiv, Fogfv)
---- glx/indirect_reqsize.h.orig	2012-05-17 19:09:02.000000000 +0200
-+++ glx/indirect_reqsize.h	2014-12-10 15:45:48.967149775 +0100
-@@ -36,128 +36,169 @@
- #define PURE
- #endif
- 
--extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc,
--                                                   Bool swap);
--extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc,
--                                                   Bool swap);
--extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap);
-+extern PURE _X_HIDDEN int __glXCallListsReqSize(const GLbyte * pc, Bool swap,
-+                                                int reqlen);
-+extern PURE _X_HIDDEN int __glXBitmapReqSize(const GLbyte * pc, Bool swap,
-+                                             int reqlen);
-+extern PURE _X_HIDDEN int __glXFogfvReqSize(const GLbyte * pc, Bool swap,
-+                                            int reqlen);
-+extern PURE _X_HIDDEN int __glXFogivReqSize(const GLbyte * pc, Bool swap,
-+                                            int reqlen);
-+extern PURE _X_HIDDEN int __glXLightfvReqSize(const GLbyte * pc, Bool swap,
-+                                              int reqlen);
-+extern PURE _X_HIDDEN int __glXLightivReqSize(const GLbyte * pc, Bool swap,
-+                                              int reqlen);
-+extern PURE _X_HIDDEN int __glXLightModelfvReqSize(const GLbyte * pc, Bool swap,
-+                                                   int reqlen);
-+extern PURE _X_HIDDEN int __glXLightModelivReqSize(const GLbyte * pc, Bool swap,
-+                                                   int reqlen);
-+extern PURE _X_HIDDEN int __glXMaterialfvReqSize(const GLbyte * pc, Bool swap,
-+                                                 int reqlen);
-+extern PURE _X_HIDDEN int __glXMaterialivReqSize(const GLbyte * pc, Bool swap,
-+                                                 int reqlen);
- extern PURE _X_HIDDEN int __glXPolygonStippleReqSize(const GLbyte * pc,
--                                                     Bool swap);
-+                                                     Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXTexParameterfvReqSize(const GLbyte * pc,
--                                                     Bool swap);
-+                                                     Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXTexParameterivReqSize(const GLbyte * pc,
--                                                     Bool swap);
--extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap);
--extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap);
-+                                                     Bool swap, int reqlen);
-+extern PURE _X_HIDDEN int __glXTexImage1DReqSize(const GLbyte * pc, Bool swap,
-+                                                 int reqlen);
-+extern PURE _X_HIDDEN int __glXTexImage2DReqSize(const GLbyte * pc, Bool swap,
-+                                                 int reqlen);
-+extern PURE _X_HIDDEN int __glXTexEnvfvReqSize(const GLbyte * pc, Bool swap,
-+                                               int reqlen);
-+extern PURE _X_HIDDEN int __glXTexEnvivReqSize(const GLbyte * pc, Bool swap,
-+                                               int reqlen);
-+extern PURE _X_HIDDEN int __glXTexGendvReqSize(const GLbyte * pc, Bool swap,
-+                                               int reqlen);
-+extern PURE _X_HIDDEN int __glXTexGenfvReqSize(const GLbyte * pc, Bool swap,
-+                                               int reqlen);
-+extern PURE _X_HIDDEN int __glXTexGenivReqSize(const GLbyte * pc, Bool swap,
-+                                               int reqlen);
-+extern PURE _X_HIDDEN int __glXMap1dReqSize(const GLbyte * pc, Bool swap,
-+                                            int reqlen);
-+extern PURE _X_HIDDEN int __glXMap1fReqSize(const GLbyte * pc, Bool swap,
-+                                            int reqlen);
-+extern PURE _X_HIDDEN int __glXMap2dReqSize(const GLbyte * pc, Bool swap,
-+                                            int reqlen);
-+extern PURE _X_HIDDEN int __glXMap2fReqSize(const GLbyte * pc, Bool swap,
-+                                            int reqlen);
-+extern PURE _X_HIDDEN int __glXPixelMapfvReqSize(const GLbyte * pc, Bool swap,
-+                                                 int reqlen);
-+extern PURE _X_HIDDEN int __glXPixelMapuivReqSize(const GLbyte * pc, Bool swap,
-+                                                  int reqlen);
-+extern PURE _X_HIDDEN int __glXPixelMapusvReqSize(const GLbyte * pc, Bool swap,
-+                                                  int reqlen);
-+extern PURE _X_HIDDEN int __glXDrawPixelsReqSize(const GLbyte * pc, Bool swap,
-+                                                 int reqlen);
-+extern PURE _X_HIDDEN int __glXDrawArraysReqSize(const GLbyte * pc, Bool swap,
-+                                                 int reqlen);
- extern PURE _X_HIDDEN int __glXPrioritizeTexturesReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXTexSubImage1DReqSize(const GLbyte * pc,
--                                                    Bool swap);
-+                                                    Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXTexSubImage2DReqSize(const GLbyte * pc,
--                                                    Bool swap);
--extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap);
-+                                                    Bool swap, int reqlen);
-+extern PURE _X_HIDDEN int __glXColorTableReqSize(const GLbyte * pc, Bool swap,
-+                                                 int reqlen);
- extern PURE _X_HIDDEN int __glXColorTableParameterfvReqSize(const GLbyte * pc,
--                                                            Bool swap);
-+                                                            Bool swap,
-+                                                            int reqlen);
- extern PURE _X_HIDDEN int __glXColorTableParameterivReqSize(const GLbyte * pc,
--                                                            Bool swap);
-+                                                            Bool swap,
-+                                                            int reqlen);
- extern PURE _X_HIDDEN int __glXColorSubTableReqSize(const GLbyte * pc,
--                                                    Bool swap);
-+                                                    Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXConvolutionFilter1DReqSize(const GLbyte * pc,
--                                                          Bool swap);
-+                                                          Bool swap,
-+                                                          int reqlen);
- extern PURE _X_HIDDEN int __glXConvolutionFilter2DReqSize(const GLbyte * pc,
--                                                          Bool swap);
-+                                                          Bool swap,
-+                                                          int reqlen);
- extern PURE _X_HIDDEN int __glXConvolutionParameterfvReqSize(const GLbyte * pc,
--                                                             Bool swap);
-+                                                             Bool swap,
-+                                                             int reqlen);
- extern PURE _X_HIDDEN int __glXConvolutionParameterivReqSize(const GLbyte * pc,
--                                                             Bool swap);
-+                                                             Bool swap,
-+                                                             int reqlen);
- extern PURE _X_HIDDEN int __glXSeparableFilter2DReqSize(const GLbyte * pc,
--                                                        Bool swap);
--extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap);
-+                                                        Bool swap, int reqlen);
-+extern PURE _X_HIDDEN int __glXTexImage3DReqSize(const GLbyte * pc, Bool swap,
-+                                                 int reqlen);
- extern PURE _X_HIDDEN int __glXTexSubImage3DReqSize(const GLbyte * pc,
--                                                    Bool swap);
-+                                                    Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXCompressedTexImage1DARBReqSize(const GLbyte * pc,
--                                                              Bool swap);
-+                                                              Bool swap,
-+                                                              int reqlen);
- extern PURE _X_HIDDEN int __glXCompressedTexImage2DARBReqSize(const GLbyte * pc,
--                                                              Bool swap);
-+                                                              Bool swap,
-+                                                              int reqlen);
- extern PURE _X_HIDDEN int __glXCompressedTexImage3DARBReqSize(const GLbyte * pc,
--                                                              Bool swap);
-+                                                              Bool swap,
-+                                                              int reqlen);
- extern PURE _X_HIDDEN int __glXCompressedTexSubImage1DARBReqSize(const GLbyte *
--                                                                 pc, Bool swap);
-+                                                                 pc, Bool swap,
-+                                                                 int reqlen);
- extern PURE _X_HIDDEN int __glXCompressedTexSubImage2DARBReqSize(const GLbyte *
--                                                                 pc, Bool swap);
-+                                                                 pc, Bool swap,
-+                                                                 int reqlen);
- extern PURE _X_HIDDEN int __glXCompressedTexSubImage3DARBReqSize(const GLbyte *
--                                                                 pc, Bool swap);
-+                                                                 pc, Bool swap,
-+                                                                 int reqlen);
- extern PURE _X_HIDDEN int __glXProgramStringARBReqSize(const GLbyte * pc,
--                                                       Bool swap);
-+                                                       Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXDrawBuffersARBReqSize(const GLbyte * pc,
--                                                     Bool swap);
-+                                                     Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXPointParameterfvEXTReqSize(const GLbyte * pc,
--                                                          Bool swap);
-+                                                          Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXLoadProgramNVReqSize(const GLbyte * pc,
--                                                    Bool swap);
-+                                                    Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXProgramParameters4dvNVReqSize(const GLbyte * pc,
--                                                             Bool swap);
-+                                                             Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXProgramParameters4fvNVReqSize(const GLbyte * pc,
--                                                             Bool swap);
-+                                                             Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXRequestResidentProgramsNVReqSize(const GLbyte *
--                                                                pc, Bool swap);
-+                                                                pc, Bool swap,
-+                                                                int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs1dvNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs1fvNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs1svNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs2dvNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs2fvNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs2svNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs3dvNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs3fvNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs3svNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs4dvNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs4fvNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs4svNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXVertexAttribs4ubvNVReqSize(const GLbyte * pc,
--                                                          Bool swap);
-+                                                          Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXPointParameterivNVReqSize(const GLbyte * pc,
--                                                         Bool swap);
-+                                                         Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXProgramNamedParameter4dvNVReqSize(const GLbyte *
--                                                                 pc, Bool swap);
-+                                                                 pc, Bool swap,
-+                                                                 int reqlen);
- extern PURE _X_HIDDEN int __glXProgramNamedParameter4fvNVReqSize(const GLbyte *
--                                                                 pc, Bool swap);
-+                                                                 pc, Bool swap,
-+                                                                 int reqlen);
- extern PURE _X_HIDDEN int __glXDeleteFramebuffersEXTReqSize(const GLbyte * pc,
--                                                            Bool swap);
-+                                                            Bool swap, int reqlen);
- extern PURE _X_HIDDEN int __glXDeleteRenderbuffersEXTReqSize(const GLbyte * pc,
--                                                             Bool swap);
-+                                                             Bool swap, int reqlen);
- 
- #undef PURE
- 
---- glx/rensize.c.orig	2012-05-17 19:09:02.000000000 +0200
-+++ glx/rensize.c	2014-12-10 14:55:50.580336482 +0100
-@@ -52,7 +52,7 @@
- }
- 
- int
--__glXMap1dReqSize(const GLbyte * pc, Bool swap)
-+__glXMap1dReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum target;
-     GLint order, k;
-@@ -68,7 +68,7 @@
- }
- 
- int
--__glXMap1fReqSize(const GLbyte * pc, Bool swap)
-+__glXMap1fReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum target;
-     GLint order, k;
-@@ -92,7 +92,7 @@
- }
- 
- int
--__glXMap2dReqSize(const GLbyte * pc, Bool swap)
-+__glXMap2dReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum target;
-     GLint uorder, vorder, k;
-@@ -110,7 +110,7 @@
- }
- 
- int
--__glXMap2fReqSize(const GLbyte * pc, Bool swap)
-+__glXMap2fReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     GLenum target;
-     GLint uorder, vorder, k;
-@@ -342,13 +342,14 @@
- }
- 
- int
--__glXDrawArraysReqSize(const GLbyte * pc, Bool swap)
-+__glXDrawArraysReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     __GLXdispatchDrawArraysHeader *hdr = (__GLXdispatchDrawArraysHeader *) pc;
-     __GLXdispatchDrawArraysComponentHeader *compHeader;
-     GLint numVertexes = hdr->numVertexes;
-     GLint numComponents = hdr->numComponents;
-     GLint arrayElementSize = 0;
-+    GLint x, size;
-     int i;
- 
-     if (swap) {
-@@ -357,6 +358,13 @@
-     }
- 
-     pc += sizeof(__GLXdispatchDrawArraysHeader);
-+    reqlen -= sizeof(__GLXdispatchDrawArraysHeader);
-+
-+    size = safe_mul(sizeof(__GLXdispatchDrawArraysComponentHeader),
-+                    numComponents);
-+    if (size < 0 || reqlen < 0 || reqlen < size)
-+        return -1;
-+
-     compHeader = (__GLXdispatchDrawArraysComponentHeader *) pc;
- 
-     for (i = 0; i < numComponents; i++) {
-@@ -400,17 +408,18 @@
-             return -1;
-         }
- 
--        arrayElementSize += __GLX_PAD(numVals * __glXTypeSize(datatype));
-+        x = safe_pad(safe_mul(numVals, __glXTypeSize(datatype)));
-+        if ((arrayElementSize = safe_add(arrayElementSize, x)) < 0)
-+            return -1;
- 
-         pc += sizeof(__GLXdispatchDrawArraysComponentHeader);
-     }
- 
--    return ((numComponents * sizeof(__GLXdispatchDrawArraysComponentHeader)) +
--            (numVertexes * arrayElementSize));
-+    return safe_add(size, safe_mul(numVertexes, arrayElementSize));
- }
- 
- int
--__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
-+__glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap, int reqlen)
- {
-     __GLXdispatchConvolutionFilterHeader *hdr =
-         (__GLXdispatchConvolutionFilterHeader *) pc;
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8099 b/x11-servers/xorg-server/files/patch-CVE-2014-8099
deleted file mode 100644
index dfc1b68..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8099
+++ /dev/null
@@ -1,179 +0,0 @@
-From 32a95fb7c7dbe22c9441c62762dfa4a8ec54d6c3 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 26 Jan 2014 19:23:17 -0800
-Subject: [PATCH 09/40] Xv: unvalidated lengths in XVideo extension swapped
- procs [CVE-2014-8099]
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
- Xext/xvdisp.c | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
-diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c
-index 86f982a..c2d0fc9 100644
---- Xext/xvdisp.c
-+++ Xext/xvdisp.c
-@@ -1121,6 +1121,7 @@ static int
- SProcXvQueryExtension(ClientPtr client)
- {
-     REQUEST(xvQueryExtensionReq);
-+    REQUEST_SIZE_MATCH(xvQueryExtensionReq);
-     swaps(&stuff->length);
-     return XvProcVector[xv_QueryExtension] (client);
- }
-@@ -1129,6 +1130,7 @@ static int
- SProcXvQueryAdaptors(ClientPtr client)
- {
-     REQUEST(xvQueryAdaptorsReq);
-+    REQUEST_SIZE_MATCH(xvQueryAdaptorsReq);
-     swaps(&stuff->length);
-     swapl(&stuff->window);
-     return XvProcVector[xv_QueryAdaptors] (client);
-@@ -1138,6 +1140,7 @@ static int
- SProcXvQueryEncodings(ClientPtr client)
- {
-     REQUEST(xvQueryEncodingsReq);
-+    REQUEST_SIZE_MATCH(xvQueryEncodingsReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     return XvProcVector[xv_QueryEncodings] (client);
-@@ -1147,6 +1150,7 @@ static int
- SProcXvGrabPort(ClientPtr client)
- {
-     REQUEST(xvGrabPortReq);
-+    REQUEST_SIZE_MATCH(xvGrabPortReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->time);
-@@ -1157,6 +1161,7 @@ static int
- SProcXvUngrabPort(ClientPtr client)
- {
-     REQUEST(xvUngrabPortReq);
-+    REQUEST_SIZE_MATCH(xvUngrabPortReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->time);
-@@ -1167,6 +1172,7 @@ static int
- SProcXvPutVideo(ClientPtr client)
- {
-     REQUEST(xvPutVideoReq);
-+    REQUEST_SIZE_MATCH(xvPutVideoReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->drawable);
-@@ -1186,6 +1192,7 @@ static int
- SProcXvPutStill(ClientPtr client)
- {
-     REQUEST(xvPutStillReq);
-+    REQUEST_SIZE_MATCH(xvPutStillReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->drawable);
-@@ -1205,6 +1212,7 @@ static int
- SProcXvGetVideo(ClientPtr client)
- {
-     REQUEST(xvGetVideoReq);
-+    REQUEST_SIZE_MATCH(xvGetVideoReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->drawable);
-@@ -1224,6 +1232,7 @@ static int
- SProcXvGetStill(ClientPtr client)
- {
-     REQUEST(xvGetStillReq);
-+    REQUEST_SIZE_MATCH(xvGetStillReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->drawable);
-@@ -1243,6 +1252,7 @@ static int
- SProcXvPutImage(ClientPtr client)
- {
-     REQUEST(xvPutImageReq);
-+    REQUEST_AT_LEAST_SIZE(xvPutImageReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->drawable);
-@@ -1266,6 +1276,7 @@ static int
- SProcXvShmPutImage(ClientPtr client)
- {
-     REQUEST(xvShmPutImageReq);
-+    REQUEST_SIZE_MATCH(xvShmPutImageReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->drawable);
-@@ -1293,6 +1304,7 @@ static int
- SProcXvSelectVideoNotify(ClientPtr client)
- {
-     REQUEST(xvSelectVideoNotifyReq);
-+    REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq);
-     swaps(&stuff->length);
-     swapl(&stuff->drawable);
-     return XvProcVector[xv_SelectVideoNotify] (client);
-@@ -1302,6 +1314,7 @@ static int
- SProcXvSelectPortNotify(ClientPtr client)
- {
-     REQUEST(xvSelectPortNotifyReq);
-+    REQUEST_SIZE_MATCH(xvSelectPortNotifyReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     return XvProcVector[xv_SelectPortNotify] (client);
-@@ -1311,6 +1324,7 @@ static int
- SProcXvStopVideo(ClientPtr client)
- {
-     REQUEST(xvStopVideoReq);
-+    REQUEST_SIZE_MATCH(xvStopVideoReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->drawable);
-@@ -1321,6 +1335,7 @@ static int
- SProcXvSetPortAttribute(ClientPtr client)
- {
-     REQUEST(xvSetPortAttributeReq);
-+    REQUEST_SIZE_MATCH(xvSetPortAttributeReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->attribute);
-@@ -1332,6 +1347,7 @@ static int
- SProcXvGetPortAttribute(ClientPtr client)
- {
-     REQUEST(xvGetPortAttributeReq);
-+    REQUEST_SIZE_MATCH(xvGetPortAttributeReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->attribute);
-@@ -1342,6 +1358,7 @@ static int
- SProcXvQueryBestSize(ClientPtr client)
- {
-     REQUEST(xvQueryBestSizeReq);
-+    REQUEST_SIZE_MATCH(xvQueryBestSizeReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swaps(&stuff->vid_w);
-@@ -1355,6 +1372,7 @@ static int
- SProcXvQueryPortAttributes(ClientPtr client)
- {
-     REQUEST(xvQueryPortAttributesReq);
-+    REQUEST_SIZE_MATCH(xvQueryPortAttributesReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     return XvProcVector[xv_QueryPortAttributes] (client);
-@@ -1364,6 +1382,7 @@ static int
- SProcXvQueryImageAttributes(ClientPtr client)
- {
-     REQUEST(xvQueryImageAttributesReq);
-+    REQUEST_SIZE_MATCH(xvQueryImageAttributesReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     swapl(&stuff->id);
-@@ -1376,6 +1395,7 @@ static int
- SProcXvListImageFormats(ClientPtr client)
- {
-     REQUEST(xvListImageFormatsReq);
-+    REQUEST_SIZE_MATCH(xvListImageFormatsReq);
-     swaps(&stuff->length);
-     swapl(&stuff->port);
-     return XvProcVector[xv_ListImageFormats] (client);
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8100-1-2 b/x11-servers/xorg-server/files/patch-CVE-2014-8100-1-2
deleted file mode 100644
index cfb0c4c..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8100-1-2
+++ /dev/null
@@ -1,36 +0,0 @@
-From b5f9ef03df6a650571b29d3d1c1d2b67c6e84336 Mon Sep 17 00:00:00 2001
-From: Julien Cristau <jcristau@debian.org>
-Date: Tue, 28 Oct 2014 10:30:04 +0100
-Subject: [PATCH 13/40] render: check request size before reading it
- [CVE-2014-8100 1/2]
-
-Otherwise we may be reading outside of the client request.
-
-Signed-off-by: Julien Cristau <jcristau@debian.org>
-Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- render/render.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/render/render.c b/render/render.c
-index e3031da..200e0c8 100644
---- render/render.c
-+++ render/render.c
-@@ -276,11 +276,11 @@ ProcRenderQueryVersion(ClientPtr client)
- 
-     REQUEST(xRenderQueryVersionReq);
- 
-+    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
-+
-     pRenderClient->major_version = stuff->majorVersion;
-     pRenderClient->minor_version = stuff->minorVersion;
- 
--    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
--
-     if ((stuff->majorVersion * 1000 + stuff->minorVersion) <
-         (SERVER_RENDER_MAJOR_VERSION * 1000 + SERVER_RENDER_MINOR_VERSION)) {
-         rep.majorVersion = stuff->majorVersion;
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8100-2-2 b/x11-servers/xorg-server/files/patch-CVE-2014-8100-2-2
deleted file mode 100644
index e4d6503..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8100-2-2
+++ /dev/null
@@ -1,140 +0,0 @@
-From 5d3a788aeb2fbd3ca2812747dc18c94a8b981c63 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 26 Jan 2014 19:51:29 -0800
-Subject: [PATCH 14/40] render: unvalidated lengths in Render extn. swapped
- procs [CVE-2014-8100 2/2]
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
- render/render.c | 16 +++++++++++++++-
- 1 file changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/render/render.c b/render/render.c
-index 200e0c8..723f380 100644
---- render/render.c
-+++ render/render.c
-@@ -1995,7 +1995,7 @@ static int
- SProcRenderQueryVersion(ClientPtr client)
- {
-     REQUEST(xRenderQueryVersionReq);
--
-+    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
-     swaps(&stuff->length);
-     swapl(&stuff->majorVersion);
-     swapl(&stuff->minorVersion);
-@@ -2006,6 +2006,7 @@ static int
- SProcRenderQueryPictFormats(ClientPtr client)
- {
-     REQUEST(xRenderQueryPictFormatsReq);
-+    REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
-     swaps(&stuff->length);
-     return (*ProcRenderVector[stuff->renderReqType]) (client);
- }
-@@ -2014,6 +2015,7 @@ static int
- SProcRenderQueryPictIndexValues(ClientPtr client)
- {
-     REQUEST(xRenderQueryPictIndexValuesReq);
-+    REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
-     swaps(&stuff->length);
-     swapl(&stuff->format);
-     return (*ProcRenderVector[stuff->renderReqType]) (client);
-@@ -2029,6 +2031,7 @@ static int
- SProcRenderCreatePicture(ClientPtr client)
- {
-     REQUEST(xRenderCreatePictureReq);
-+    REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
-     swaps(&stuff->length);
-     swapl(&stuff->pid);
-     swapl(&stuff->drawable);
-@@ -2042,6 +2045,7 @@ static int
- SProcRenderChangePicture(ClientPtr client)
- {
-     REQUEST(xRenderChangePictureReq);
-+    REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
-     swaps(&stuff->length);
-     swapl(&stuff->picture);
-     swapl(&stuff->mask);
-@@ -2053,6 +2057,7 @@ static int
- SProcRenderSetPictureClipRectangles(ClientPtr client)
- {
-     REQUEST(xRenderSetPictureClipRectanglesReq);
-+    REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
-     swaps(&stuff->length);
-     swapl(&stuff->picture);
-     swaps(&stuff->xOrigin);
-@@ -2065,6 +2070,7 @@ static int
- SProcRenderFreePicture(ClientPtr client)
- {
-     REQUEST(xRenderFreePictureReq);
-+    REQUEST_SIZE_MATCH(xRenderFreePictureReq);
-     swaps(&stuff->length);
-     swapl(&stuff->picture);
-     return (*ProcRenderVector[stuff->renderReqType]) (client);
-@@ -2074,6 +2080,7 @@ static int
- SProcRenderComposite(ClientPtr client)
- {
-     REQUEST(xRenderCompositeReq);
-+    REQUEST_SIZE_MATCH(xRenderCompositeReq);
-     swaps(&stuff->length);
-     swapl(&stuff->src);
-     swapl(&stuff->mask);
-@@ -2093,6 +2100,7 @@ static int
- SProcRenderScale(ClientPtr client)
- {
-     REQUEST(xRenderScaleReq);
-+    REQUEST_SIZE_MATCH(xRenderScaleReq);
-     swaps(&stuff->length);
-     swapl(&stuff->src);
-     swapl(&stuff->dst);
-@@ -2193,6 +2201,7 @@ static int
- SProcRenderCreateGlyphSet(ClientPtr client)
- {
-     REQUEST(xRenderCreateGlyphSetReq);
-+    REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
-     swaps(&stuff->length);
-     swapl(&stuff->gsid);
-     swapl(&stuff->format);
-@@ -2203,6 +2212,7 @@ static int
- SProcRenderReferenceGlyphSet(ClientPtr client)
- {
-     REQUEST(xRenderReferenceGlyphSetReq);
-+    REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
-     swaps(&stuff->length);
-     swapl(&stuff->gsid);
-     swapl(&stuff->existing);
-@@ -2213,6 +2223,7 @@ static int
- SProcRenderFreeGlyphSet(ClientPtr client)
- {
-     REQUEST(xRenderFreeGlyphSetReq);
-+    REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
-     swaps(&stuff->length);
-     swapl(&stuff->glyphset);
-     return (*ProcRenderVector[stuff->renderReqType]) (client);
-@@ -2227,6 +2238,7 @@ SProcRenderAddGlyphs(ClientPtr client)
-     xGlyphInfo *gi;
- 
-     REQUEST(xRenderAddGlyphsReq);
-+    REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
-     swaps(&stuff->length);
-     swapl(&stuff->glyphset);
-     swapl(&stuff->nglyphs);
-@@ -2261,6 +2273,7 @@ static int
- SProcRenderFreeGlyphs(ClientPtr client)
- {
-     REQUEST(xRenderFreeGlyphsReq);
-+    REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
-     swaps(&stuff->length);
-     swapl(&stuff->glyphset);
-     SwapRestL(stuff);
-@@ -2278,6 +2291,7 @@ SProcRenderCompositeGlyphs(ClientPtr client)
-     int size;
- 
-     REQUEST(xRenderCompositeGlyphsReq);
-+    REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
- 
-     switch (stuff->renderReqType) {
-     default:
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8101 b/x11-servers/xorg-server/files/patch-CVE-2014-8101
deleted file mode 100644
index d7fcb8d..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8101
+++ /dev/null
@@ -1,51 +0,0 @@
-From 3df2fcf12499ebdb26b9b67419ea485a42041f33 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 26 Jan 2014 19:38:09 -0800
-Subject: [PATCH 12/40] randr: unvalidated lengths in RandR extension swapped
- procs [CVE-2014-8101]
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
- randr/rrsdispatch.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/randr/rrsdispatch.c b/randr/rrsdispatch.c
-index 08c3b6a..47558cf 100644
---- randr/rrsdispatch.c
-+++ randr/rrsdispatch.c
-@@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client)
- {
-     REQUEST(xRRQueryVersionReq);
- 
-+    REQUEST_SIZE_MATCH(xRRQueryVersionReq);
-     swaps(&stuff->length);
-     swapl(&stuff->majorVersion);
-     swapl(&stuff->minorVersion);
-@@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client)
- {
-     REQUEST(xRRGetScreenInfoReq);
- 
-+    REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
-     swaps(&stuff->length);
-     swapl(&stuff->window);
-     return (*ProcRandrVector[stuff->randrReqType]) (client);
-@@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client)
- {
-     REQUEST(xRRSelectInputReq);
- 
-+    REQUEST_SIZE_MATCH(xRRSelectInputReq);
-     swaps(&stuff->length);
-     swapl(&stuff->window);
-     swaps(&stuff->enable);
-@@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr client)
- {
-     REQUEST(xRRConfigureOutputPropertyReq);
- 
-+    REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq);
-     swaps(&stuff->length);
-     swapl(&stuff->output);
-     swapl(&stuff->property);
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8102 b/x11-servers/xorg-server/files/patch-CVE-2014-8102
deleted file mode 100644
index 46f4ead..0000000
--- a/x11-servers/xorg-server/files/patch-CVE-2014-8102
+++ /dev/null
@@ -1,27 +0,0 @@
-From a0ece23a8bd300c8be10812d368dc8058c97c63e Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 26 Jan 2014 20:02:20 -0800
-Subject: [PATCH 15/40] xfixes: unvalidated length in
- SProcXFixesSelectSelectionInput [CVE-2014-8102]
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
- xfixes/select.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/xfixes/select.c b/xfixes/select.c
-index c088ed3..e964d58 100644
---- xfixes/select.c
-+++ xfixes/select.c
-@@ -201,6 +201,7 @@ SProcXFixesSelectSelectionInput(ClientPtr client)
- {
-     REQUEST(xXFixesSelectSelectionInputReq);
- 
-+    REQUEST_SIZE_MATCH(xXFixesSelectSelectionInputReq);
-     swaps(&stuff->length);
-     swapl(&stuff->window);
-     swapl(&stuff->selection);
--- 
-2.1.2
-
diff --git a/x11-servers/xorg-server/files/patch-Xserver-hw-xfree86-os-support-bsd-i386_video.c b/x11-servers/xorg-server/files/patch-Xserver-hw-xfree86-os-support-bsd-i386_video.c
index d0bbe3d..933742b 100644
--- a/x11-servers/xorg-server/files/patch-Xserver-hw-xfree86-os-support-bsd-i386_video.c
+++ b/x11-servers/xorg-server/files/patch-Xserver-hw-xfree86-os-support-bsd-i386_video.c
@@ -1,5 +1,8 @@
-Index: hw/xfree86/os-support/bsd/i386_video.c
-@@ -32,6 +32,7 @@
+Index: programs/Xserver/hw/xfree86/os-support/bsd/i386_video.c
+diff -u -p programs/Xserver/hw/xfree86/os-support/bsd/i386_video.c.orig programs/Xserver/hw/xfree86/os-support/bsd/i386_video.c
+--- hw/xfree86/os-support/bsd/i386_video.c.orig	Tue Oct  4 01:46:14 2005
++++ hw/xfree86/os-support/bsd/i386_video.c	Thu Jan 26 14:57:56 2006
+@@ -35,6 +35,7 @@
  #include "xf86Priv.h"
  
  #include <errno.h>
diff --git a/x11-servers/xorg-server/files/patch-config_config-backends.h b/x11-servers/xorg-server/files/patch-config_config-backends.h
index 89d3c65..9b696c7 100644
--- a/x11-servers/xorg-server/files/patch-config_config-backends.h
+++ b/x11-servers/xorg-server/files/patch-config_config-backends.h
@@ -1,6 +1,6 @@
---- config/config-backends.h.orig	2014-04-12 15:29:14 UTC
-+++ config/config-backends.h
-@@ -75,3 +75,8 @@ void config_hal_fini(void);
+--- config/config-backends.h.orig	2014-12-09 22:02:34.000000000 +0100
++++ config/config-backends.h	2014-12-21 23:08:34.268311262 +0100
+@@ -44,3 +44,8 @@
  int config_wscons_init(void);
  void config_wscons_fini(void);
  #endif
diff --git a/x11-servers/xorg-server/files/patch-config_devd.c b/x11-servers/xorg-server/files/patch-config_devd.c
index 039205d..98924d8 100644
--- a/x11-servers/xorg-server/files/patch-config_devd.c
+++ b/x11-servers/xorg-server/files/patch-config_devd.c
@@ -1,5 +1,5 @@
---- config/devd.c.orig	2014-12-16 23:03:10 UTC
-+++ config/devd.c
+--- config/devd.c.orig	2014-12-22 10:28:36.549499138 +0100
++++ config/devd.c	2014-12-22 10:56:42.593381919 +0100
 @@ -0,0 +1,530 @@
 +/*
 + * Copyright (c) 2012 Baptiste Daroussin
@@ -376,7 +376,7 @@
 +}
 +
 +static CARD32
-+reconnect_handler(OsTimerPtr timer, CARD32 time, pointer arg)
++reconnect_handler(OsTimerPtr timer, CARD32 time, void *arg)
 +{
 +	int newsock;
 +
diff --git a/x11-servers/xorg-server/files/patch-configure b/x11-servers/xorg-server/files/patch-configure
new file mode 100644
index 0000000..a0f43ca
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-configure
@@ -0,0 +1,11 @@
+--- configure.orig	2013-11-14 02:26:46.000000000 +0100
++++ configure	2013-12-08 12:40:42.806307516 +0100
+@@ -25234,7 +25234,7 @@
+ case "x$XTRANS_SEND_FDS" in
+ xauto)
+ 	case "$host_os" in
+-	linux*|solaris*)
++	linux*|solaris*|freebsd*)
+ 		XTRANS_SEND_FDS=yes
+ 		;;
+ 	*)
diff --git a/x11-servers/xorg-server/files/patch-hw_xfree86_loader_loadmod.c b/x11-servers/xorg-server/files/patch-hw_xfree86_loader_loadmod.c
deleted file mode 100644
index 3af4e16..0000000
--- a/x11-servers/xorg-server/files/patch-hw_xfree86_loader_loadmod.c
+++ /dev/null
@@ -1,11 +0,0 @@
---- hw/xfree86/loader/loadmod.c.orig	2014-04-12 15:29:14 UTC
-+++ hw/xfree86/loader/loadmod.c
-@@ -490,7 +490,7 @@ LoaderListDirs(const char **subdirlist, 
-     char **elem;
-     const char **subdirs;
-     const char **s;
--    PatternPtr patterns;
-+    PatternPtr patterns = NULL;
-     PatternPtr p;
-     DIR *d;
-     struct dirent *dp;
diff --git a/x11-servers/xorg-server/files/patch-hw_xfree86_modes_xf86Crtc.c b/x11-servers/xorg-server/files/patch-hw_xfree86_modes_xf86Crtc.c
deleted file mode 100644
index 8e89fbc..0000000
--- a/x11-servers/xorg-server/files/patch-hw_xfree86_modes_xf86Crtc.c
+++ /dev/null
@@ -1,12 +0,0 @@
---- hw/xfree86/modes/xf86Crtc.c.orig	2014-04-15 01:01:57 UTC
-+++ hw/xfree86/modes/xf86Crtc.c
-@@ -1774,6 +1774,9 @@ SetCompatOutput(xf86CrtcConfigPtr config
-     DisplayModePtr maxmode = NULL, testmode, mode;
-     int o, compat = -1, count, mincount = 0;
- 
-+    if (config->num_output == 0)
-+        return NULL;
-+
-     /* Look for one that's definitely connected */
-     for (o = 0; o < config->num_output; o++) {
-         test = config->output[o];
diff --git a/x11-servers/xorg-server/files/patch-xkb_Makefile.in b/x11-servers/xorg-server/files/patch-xkb_Makefile.in
index 48f821c..934bef0 100644
--- a/x11-servers/xorg-server/files/patch-xkb_Makefile.in
+++ b/x11-servers/xorg-server/files/patch-xkb_Makefile.in
@@ -1,6 +1,6 @@
---- xkb/Makefile.in.orig	2014-12-12 22:12:45 UTC
-+++ xkb/Makefile.in
-@@ -790,7 +790,7 @@ info: info-am
+--- xkb/Makefile.in.orig	2013-06-16 11:16:48.000000000 +0000
++++ xkb/Makefile.in	2013-06-16 11:17:08.000000000 +0000
+@@ -816,7 +816,7 @@
  
  info-am:
  
diff --git a/x11-servers/xorg-server/pkg-plist b/x11-servers/xorg-server/pkg-plist
index 62612ed..4ee7289 100644
--- a/x11-servers/xorg-server/pkg-plist
+++ b/x11-servers/xorg-server/pkg-plist
@@ -1,11 +1,6 @@
 bin/X
-%%SUID%%@owner root
-%%SUID%%@group wheel
-%%SUID%%@mode 4555
-bin/Xorg
-%%SUID%%@owner root
-%%SUID%%@group wheel
-%%SUID%%@mode
+%%SUID%%@(,,4555) bin/Xorg
+%%NO_SUID%%bin/Xorg
 bin/cvt
 bin/gtf
 include/xorg/BT.h
@@ -79,6 +74,8 @@ include/xorg/miscstruct.h
 include/xorg/mispans.h
 include/xorg/mistruct.h
 include/xorg/misync.h
+include/xorg/misyncfd.h
+include/xorg/misyncshm.h
 include/xorg/misyncstr.h
 include/xorg/miwideline.h
 include/xorg/mizerarc.h
@@ -93,6 +90,8 @@ include/xorg/picture.h
 include/xorg/picturestr.h
 include/xorg/pixmap.h
 include/xorg/pixmapstr.h
+include/xorg/present.h
+include/xorg/presentext.h
 include/xorg/privates.h
 include/xorg/property.h
 include/xorg/propertyst.h
@@ -147,7 +146,6 @@ include/xorg/xf86Priv.h
 include/xorg/xf86Privstr.h
 include/xorg/xf86RandR12.h
 include/xorg/xf86RamDac.h
-include/xorg/xf86Rename.h
 %%SPARC64%%include/xorg/xf86Sbus.h
 include/xorg/xf86Xinput.h
 include/xorg/xf86_OSlib.h