commit 1bdeb431c3cc9eec7e12fdd29a83237f2f228865
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Tue Oct 25 12:43:44 2016 +1000

    libXi 1.7.8
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 43904c9c5a0f5750a03a9bd8c96ccda182eb5a9a
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Thu Oct 13 13:33:11 2016 +1000

    XListInputDevices: don't touch ndevices in case of error
    
    We used to always set *ndevices to the number of devices returned by the
    server. This magically worked because we pretty much never returned an error
    except on faulty server or library implementations. With 19a9cd60 we now have
    more chances of getting an error, so the polite thing is to just leave *ndevices
    alone when we error out.
    
    Document it as such in the man page, just in case someone accidentally reads
    it.
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    CC: Niels Ole Salscheider <niels_ole@salscheider-online.de>
    Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>

commit b843fe1c0a6b4dbaae9f364042c6a247249305ef
Author: Niels Ole Salscheider <niels_ole@salscheider-online.de>
Date:   Fri Oct 7 21:46:44 2016 +0200

    SizeClassInfo can return 0 even without an error
    
    Catch the error case separately. Commit 19a9cd607d added length checking to
    SizeClassInfo but re-used the return value of 0 for an error. A device without
    classes (as is initialized by xf86-input-libinput for tablets) can
    legitimately return 0 and erroneously triggers an error.
    Fix this by using a separate value for the error.
    
    Reproducible by calling XListInputDevices() with a tablet attached.
    
    This fixes a regression introduced in commit 19a9cd607d.
    
    Signed-off-by: Niels Ole Salscheider <niels_ole@salscheider-online.de>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>

commit 8e0476653dd134cee84f4e893f656b2f93c4e3b0
Author: Matthieu Herrb <matthieu.herrb@laas.fr>
Date:   Tue Oct 4 21:14:01 2016 +0200

    libXi 1.7.7
    
    Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>

commit 19a9cd607de73947fcfb104682f203ffe4e1f4e5
Author: Tobias Stoeckmann <tobias@stoeckmann.org>
Date:   Sun Sep 25 22:31:34 2016 +0200

    Properly validate server responses.
    
    By validating length fields from server responses, out of boundary
    accesses and endless loops can be mitigated.
    
    Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>

commit 2286282f965064176b3b1492646c6e2e0f4ab7dd
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Tue Dec 22 11:20:01 2015 +1000

    libXi 1.7.6
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 13f25bfb55f4a0bc1f614cbf9b0b13a50ecad8a0
Author: Javier Pello <javier.pello@urjc.es>
Date:   Wed Oct 7 12:41:01 2015 +0200

    Fix const compiler warnings
    
    When invoking Data, Data16 and Data32 from XChangeDeviceProperty,
    we must cast the data pointer to the right type, but we do not need
    to cast constness away. This change allows to enable -Wcast-qual on
    the build and have it complete without warnings.
    
    Signed-off-by: Javier Pello <javier.pello@urjc.es>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 380861589690bcbe8b04b7a2c23b5dd5d10c4bf8
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Mon Oct 19 11:46:41 2015 +1000

    Don't use raw serial numbers in XIEvents
    
    cookie->serial is an Xlib contoction, provided by _XSetLastRequestRead(). This
    serial may be different to the raw serial number from the wire protocol.
    This causes issues when the raw serial is used to e.g. compare the event to
    other non-XI events.
    
    Use the cookie's serial number instead.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=756649
    
    See also https://bugs.freedesktop.org/show_bug.cgi?id=64687
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit f180dff710dc54d00e0e26b84de053151f8f207e
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Thu Sep 10 01:16:19 2015 +1000

    libXi 1.7.5
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 05c86e53c0bae30e58b32b94e191c8720990918a
Author: Cosimo Cecchi <cosimoc@gnome.org>
Date:   Tue Feb 24 07:49:34 2015 +1000

    Fix version check in _XIAllowEvents
    
    Commit 5810d0797160a97012664ffe719a59e1b288a525 changed _XIAllowEvents() to
    use _XiCheckVersion() instead of _XiCheckExtInit() to avoid a double display
    unlock, but it failed to correctly check for the version, since we should set
    have_XI22 to True for every version greater or equal to 2.2.
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit c648441036cf5ffc5225cd484e2c906d374f0a4b
Author: Michal Srb <msrb@suse.com>
Date:   Mon Nov 3 12:43:40 2014 +0200

    XIGrabDevice: Unlock display in error path.
    
    Signed-off-by: Michal Srb <msrb@suse.com>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 29c77457ad86966ae2204b865fb8b437269063c4
Author: Michal Srb <msrb@suse.com>
Date:   Sat Nov 1 20:00:57 2014 +0200

    Refactor XGetExtensionVersion.
    
    _XiGetExtensionVersion was called from XGetExtensionVersion and from
    _XiCheckExtInit. When called from _XiCheckExtInit, nothing accounted for the
    fact that it can return ((XExtensionVersion *) NoSuchExtension) in case of
    error. Also it recursively calls _XiCheckExtInit potentionally causing multiple
    unlocks if _XiCheckExtInit fails.
    -> Remove it and call directly _XiGetExtensionVersionRequest and only call
    _XiCheckExtInit only from XGetExtensionVersion.
    
    Signed-off-by: Michal Srb <msrb@suse.com>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 5810d0797160a97012664ffe719a59e1b288a525
Author: Michal Srb <msrb@suse.com>
Date:   Sat Nov 1 20:00:56 2014 +0200

    Fix logic in _XIAllowEvents and prevent double unlock.
    
    Replacing the second _XiCheckExtInit with _XiCheckVersion prevents possible
    double unlock as _XiCheckExtInit actually unlocks the display when it returns
    -1.
    
    Signed-off-by: Michal Srb <msrb@suse.com>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit f699770e7c92da1dbf16892fde83438f0b79c979
Author: Michal Srb <msrb@suse.com>
Date:   Sat Nov 1 20:00:54 2014 +0200

    XIGetClientPointer: Return False on error.
    
    Not NoSuchExtension which is 1 = True!
    
    Signed-off-by: Michal Srb <msrb@suse.com>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit dc1f8c6ec1ba8135afa185c8e8360c1ed90bf96c
Author: Michal Srb <msrb@suse.com>
Date:   Sat Nov 1 20:00:53 2014 +0200

    Do not return NoSuchExtension casted to pointer as an error.
    
    Several functions were returning NoSuchExtension casted to a pointer in case of
    an error. Often in parallel with returning NULL in case of another error. It is
    undocumented and certainly wrong.
    
    Signed-off-by: Michal Srb <msrb@suse.com>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 83261c52a17543437882e2863b7f06a92c9039f8
Author: Michal Srb <msrb@suse.com>
Date:   Sat Nov 1 20:00:52 2014 +0200

    XIChangeHierarchy: Add missing unlock.
    
    When num_changes <= 0 or Xmalloc fails, the display has to be unlocked.
    
    Signed-off-by: Michal Srb <msrb@suse.com>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 22ae8d4f26e92b17e1ce8239a38481933d6f1ca7
Author: Michal Srb <msrb@suse.com>
Date:   Sat Nov 1 20:00:51 2014 +0200

    Fix double unlock when _XiCheckExtInit return -1.
    
    _XiCheckExtInit unlocks the display if it fails and returns -1. Most callers
    account for it properly, but few didn't.
    
    Signed-off-by: Michal Srb <msrb@suse.com>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 71a42145b678be623e30bd5bf55833a04f14376f
Author: Julien Cristau <jcristau@debian.org>
Date:   Mon Oct 27 19:00:36 2014 +0100

    Advance the request buffer by the right amount in XIChangeHierarchy
    
    c->length is in 4-byte units, dptr is a char *, so we need to advance
    dptr by 4 * length to get the position of the next HierarchyChangeInfo.
    
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 8c255b30f3a4ed8bf67e6bb76df47cbd480735f8
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Fri Jul 18 16:45:51 2014 +1000

    libXi 1.7.4
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit b731d1357d993663ee6b28d6627bdeba69b60dd2
Author: Owen W. Taylor <otaylor@fishsoup.net>
Date:   Fri Jul 11 15:13:54 2014 -0400

    Fix locking bugs with XIAllowTouchEvents() and XIUngrabTouchBegin()
    
    Fix two places where the display was double locked when an API
    function chained to an implementation that also locks the display.
    
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 0250f40fb7c9cb7d542189b9cd37e0ae75309729
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Thu Jul 10 08:58:48 2014 +1000

    libXi 1.7.3
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit aa628936c7d81ff5fe2da62964dc543c67ec66f1
Author: Jasper St. Pierre <jstpierre@mecheye.net>
Date:   Tue Jul 8 17:01:04 2014 -0400

    XIPassiveGrab: Fix completely broken locking in XIGrabTouchBegin
    
    _XIPassiveGrabDevice calls LockDisplay as the first thing it does. That
    means that it expects the display to be unlocked. XIGrabTouchBegin locks
    the display to check for the XI extension, and then never unlocks it.
    Effectively, this meant that anybody that called XIGrabTouchBegin after
    XInitThreads just got a deadlock.
    
    Cool.
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit eb0c522e0ce5763b6bf181f1236e78ca94f98b7e
Author: Jasper St. Pierre <jstpierre@mecheye.net>
Date:   Tue Jul 8 17:01:03 2014 -0400

    XIPassiveGrab: Fix display locking inside _XIPassiveGrabDevice for error paths
    
    The code here before would just leave the display locked on error, which is
    all sorts of broken.
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 288f3362133a36e2c370eb34caf6b5ed6c0764ca
Author: Michael Joost <mehl@michael-joost.de>
Date:   Sat Nov 23 09:51:57 2013 -0800

    Remove fallback for _XEatDataWords, require libX11 1.6 for it
    
    _XEatDataWords was orignally introduced with the May 2013 security
    patches, and in order to ease the process of delivering those,
    fallback versions of _XEatDataWords were included in the X extension
    library patches so they could be applied to older versions that didn't
    have libX11 1.6 yet.   Now that we're past that hurdle, we can drop
    the fallbacks and just require libX11 1.6 for building new versions
    of the extension libraries.
    
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit c4b261d230a8ed7c04a140f65d40af86ea73f2fa
Author: Keith Packard <keithp@keithp.com>
Date:   Thu Jul 25 11:46:17 2013 -0700

    man: Update XIQueryVersion docs to match new version compatibility semantics
    
    The X server now allows clients to specify any combination of versions
    starting with version 2.2, document how that works.
    
    Signed-off-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit b6553cdb36c1bd7071d3bf0493216c5483325716
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Wed Jul 3 10:28:10 2013 +1000

    libXi 1.7.2
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit d804af99e2dfaf20b99822066a37d586f12c8a5f
Author: Thomas Klausner <wiz@NetBSD.org>
Date:   Thu Jun 27 17:16:38 2013 +0200

    Remove check that can never be true.
    
    clang warns:
    warning: comparison of constant 268435455 with expression of type
    'CARD16' (aka 'unsigned short') is always false
    
    Signed-off-by: Thomas Klausner <wiz@NetBSD.org>
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 957a9d64afd76f878ce6c5570f369e2a7fc1e772
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Thu Jun 27 08:47:16 2013 +1000

    libXi 1.7.1.901
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 62033a9c83bcdc75b9f1452ce24729eefa8f4dc0
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Thu Jun 27 06:25:02 2013 +1000

    Include limits.h to prevent build error: missing INT_MAX
    
    Introduced in 4c8e9bcab459ea5f870d3e56eff15f931807f9b7.
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 0f3f5a36d5fc6dc53f69f48a0c83aef6a1fcf381
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Tue May 28 15:52:34 2013 +1000

    If the XGetDeviceDontPropagateList reply has an invalid length, return 0
    
    If we skip over the reply data, return 0 as number of event classes.
    
    Follow-up to 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff.
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 35ae16dc2f16b24a22625b2d9f76a2128b673a6c
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Tue May 28 15:52:33 2013 +1000

    Change size += to size = in XGetDeviceControl
    
    size += blah is technically correct but it implies that we're looping or
    otherwise incrementing the size. Which we don't, it's only ever set once.
    
    Change this to avoid reviewer confusion.
    
    Reported-by: Dave "color-me-confused" Airlie <airlied@redhat.com>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 4c8e9bcab459ea5f870d3e56eff15f931807f9b7
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Tue May 28 15:52:32 2013 +1000

    Fix potential corruption in mask_len handling
    
    First: check for allocation failure on the mask.
    XI2 requires that the mask is zeroed, so we can't just Data() the mask
    provided by the client (it will pad) - we need a tmp buffer. Make sure that
    doesn't fail.
    
    Second:
    req->mask_len is a uint16_t, so check against malicious mask_lens that would
    cause us to corrupt memory on copy, as the code always allocates
    req->mask_len * 4, but copies mask->mask_len bytes.
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 661c45ca17c434dbd342a46fd3fb813852ae0ca9
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Tue May 21 12:23:05 2013 +1000

    Don't overwrite the cookies serial number
    
    serial != sequenceNumber, see _XSetLastRequestRead()
    
    cookie->serial is already set at this point, setting it again directly from
    the sequenceNumber of the event causes a bunch of weird issues such as
    scrollbars and text drag-n-drop breaking.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=965347
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 81b4df8ac6aa1520c41c3526961014a6f115cc46
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Mar 10 00:16:22 2013 -0800

    sign extension issue in XListInputDevices() [CVE-2013-1995]
    
    nptr is (signed) char, which can be negative, and will sign extend
    when added to the int size, which means size can be subtracted from,
    leading to allocating too small a buffer to hold the data being copied
    from the X server's reply.
    
    v2: check that string size fits inside the data read from the server,
        so that we don't read out of bounds either
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

commit ef82512288d8ca36ac0beeb289f158195b0a8cae
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Mar 10 00:22:14 2013 -0800

    Avoid integer overflow in XListInputDevices() [CVE-2013-1984 8/8]
    
    If the length of the reply as reported by the Xserver is too long, it
    could overflow the calculation for the size of the buffer to copy the
    reply into, causing memory corruption.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 17071c1c608247800b2ca03a35b1fcc9c4cabe6c
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Mar 10 13:30:55 2013 -0700

    Avoid integer overflow in XGetDeviceProperties() [CVE-2013-1984 7/8]
    
    If the number of items as reported by the Xserver is too large, it
    could overflow the calculation for the size of the buffer to copy the
    reply into, causing memory corruption.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 528419b9ef437e7eeafb41bf45e8ff7d818bd845
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 22:55:23 2013 -0800

    integer overflow in XIGetSelectedEvents() [CVE-2013-1984 6/8]
    
    If the number of events or masks reported by the server is large enough
    that it overflows when multiplied by the size of the appropriate struct,
    or the sizes overflow as they are totaled up, then memory corruption can
    occur when more bytes are copied from the X server reply than the size
    of the buffer we allocated to hold them.
    
    v2: check that reply size fits inside the data read from the server,
        so that we don't read out of bounds either
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 242f92b490a695fbab244af5bad11b71f897c732
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 22:55:23 2013 -0800

    integer overflow in XIGetProperty() [CVE-2013-1984 5/8]
    
    If the number of items reported by the server is large enough that
    it overflows when multiplied by the size of the appropriate item type,
    then memory corruption can occur when more bytes are copied from the
    X server reply than the size of the buffer we allocated to hold them.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

commit bb922ed4253b35590f0369f32a917ff89ade0830
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 22:55:23 2013 -0800

    integer overflow in XGetDeviceMotionEvents() [CVE-2013-1984 4/8]
    
    If the number of events or axes reported by the server is large enough
    that it overflows when multiplied by the size of the appropriate struct,
    then memory corruption can occur when more bytes are copied from the
    X server reply than the size of the buffer we allocated to hold them.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 22:55:23 2013 -0800

    integer overflow in XGetDeviceDontPropagateList() [CVE-2013-1984 3/8]
    
    If the number of event classes reported by the server is large enough
    that it overflows when multiplied by the size of the appropriate struct,
    then memory corruption can occur when more bytes are copied from the
    X server reply than the size of the buffer we allocated to hold them.
    
    V2: EatData if count is 0 but length is > 0 to avoid XIOErrors
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 322ee3576789380222d4403366e4fd12fb24cb6a
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 22:55:23 2013 -0800

    integer overflow in XGetFeedbackControl() [CVE-2013-1984 2/8]
    
    If the number of feedbacks reported by the server is large enough that
    it overflows when multiplied by the size of the appropriate struct, or
    if the total size of all the feedback structures overflows when added
    together, then memory corruption can occur when more bytes are copied from
    the X server reply than the size of the buffer we allocated to hold them.
    
    v2: check that reply size fits inside the data read from the server, so
        we don't read out of bounds either
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

commit b0b13c12a8079a5a0e7f43b2b8983699057b2cec
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 22:55:23 2013 -0800

    integer overflow in XGetDeviceControl() [CVE-2013-1984 1/8]
    
    If the number of valuators reported by the server is large enough that
    it overflows when multiplied by the size of the appropriate struct, then
    memory corruption can occur when more bytes are copied from the X server
    reply than the size of the buffer we allocated to hold them.
    
    v2: check that reply size fits inside the data read from the server, so
    we don't read out of bounds either
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 5398ac0797f7516f2c9b8f2869a6c6d071437352
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 26 22:48:36 2013 -0700

    unvalidated lengths in XQueryDeviceState() [CVE-2013-1998 3/3]
    
    If the lengths given for each class state in the reply add up to more
    than the rep.length, we could read past the end of the buffer allocated
    to hold the data read from the server.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 91434737f592e8f5cc1762383882a582b55fc03a
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 23:37:23 2013 -0800

    memory corruption in _XIPassiveGrabDevice() [CVE-2013-1998 2/3]
    
    If the server returned more modifiers than the caller asked for,
    we'd just keep copying past the end of the array provided by the
    caller, writing over who-knows-what happened to be there.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

commit f3e08e4fbe40016484ba795feecf1a742170ffc1
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 22:26:52 2013 -0800

    Stack buffer overflow in XGetDeviceButtonMapping() [CVE-2013-1998 1/3]
    
    We copy the entire reply sent by the server into the fixed size
    mapping[] array on the stack, even if the server says it's a larger
    size than the mapping array can hold.  HULK SMASH STACK!
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 59b8e1388a687f871831ac5a9e0ac11de75e2516
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Wed May 1 23:58:39 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length bit shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 5d43d4914dcabb6de69859567061e99300e56ef4
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Fri May 17 09:07:44 2013 +1000

    Copy the sequence number into the target event too (#64687)
    
    X.Org Bug 64687 <http://bugs.freedesktop.org/show_bug.cgi?id=64687>
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Reviewed-by: Jasper St. Pierre <jstpierre@mecheye.net>

commit bb82c72a1d69eaf60b7586570faf797df967f661
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Mon Apr 29 18:39:34 2013 -0700

    Expand comment on the memory vs. reply ordering in XIGetSelectedEvents()
    
    Unpacking from the wire involves un-interleaving the structs & masks,
    which wasn't obvious to me the first time I read it, so make notes
    before I forget again.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 26cb4573cbb8808ce9d5c75c16bd613b2f03a368
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Fri Apr 5 09:34:48 2013 +1000

    libXi 1.7.1
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 0358bb20384b759d6d41dc44f3aed30583689d53
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Tue Mar 26 14:46:06 2013 +1000

    Require XFixes for PointerBarrier, remove duplicate typedef
    
    The PointerBarrier typedef is duplicate if a client includes both Xfixes.h
    and XInput2.h.
    
    gcc 4.6 won't complain about that, but earlier versions do:
    http://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=ce3765bf44e49ef0568a1ad4a0b7f807591d6412
    
    gcc 4.6 with -pedantic-errors shows:
    /opt/xorg/include/X11/extensions/XInput2.h:172:13: error: redefinition of
    typedef ‘PointerBarrier’ [-pedantic]
    In file included from test.c:1:0:
    /opt/xorg/include/X11/extensions/Xfixes.h:255:13: note: previous declaration
    of ‘PointerBarrier’ was here
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Reviewed-by: Julien Cristau <jcristau@debian.org>

commit 081e06492c0ffd003d4a0c34418c882332e58ac3
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Thu Mar 7 11:16:02 2013 +1000

    libXi 1.7
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 9b26b81477cf3486e5aa0ef8d81af68a0f04df1b
Author: Colin Walters <walters@verbum.org>
Date:   Wed Jan 4 17:37:06 2012 -0500

    autogen.sh: Implement GNOME Build API
    
    http://people.gnome.org/~walters/docs/build-api.txt
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>

commit fb67e7c99b8e95fa667b90837d312a98fa0a8a64
Author: Adam Jackson <ajax@redhat.com>
Date:   Tue Jan 15 14:28:48 2013 -0500

    configure: Remove AM_MAINTAINER_MODE
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>

commit 236be512c81b76dad711bec481e2139584006c4c
Author: Benjamin Tissoires <benjamin.tissoires@gmail.com>
Date:   Mon Jan 14 18:32:05 2013 +0100

    Add missing XI_RawTouch* in XInputCopyCookie
    
    Looks like XI_RawTouch* events are missing in the big switch in this function.
    When running XIT tests for multitouch devices, several following errors appears:
    XInputCopyCookie: Failed to copy evtype 22
    XInputCopyCookie: Failed to copy evtype 23
    XInputCopyCookie: Failed to copy evtype 24
    
    Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit db3b9ba3404f6d128e7826aa489a34fd206b20ea
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Wed Dec 26 15:29:43 2012 +1000

    libXi 1.6.99.1
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit af9f26510d87eee71f1cd688d7dcfbf173c13943
Merge: 31c6cf9 9e8a55d
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Mon Dec 17 14:34:53 2012 +1000

    Merge branch 'barriers'

commit 9e8a55dfcb3dc2b42cd7e08e8e6e65ea1dd54251
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Fri Dec 7 15:47:41 2012 +1000

    man: add man-page for XIBarrierReleasePointer
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 60d7386a1b98cc7760d55d6df1f90e6259d122fa
Author: Jasper St. Pierre <jstpierre@mecheye.net>
Date:   Thu Nov 1 17:00:19 2012 -0400

    Add support for pointer barrier events
    
    Signed-off-by: Jasper St. Pierre <jstpierre@mecheye.net>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit f694bd3fcf38213ae787a3ebe4e8b2df8b2dcdc7
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Fri Dec 7 14:39:50 2012 +1000

    Bump to 1.6.99
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 31c6cf9f6fbcc7e90e3d6b7927664cbe54e27edf
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Thu Dec 6 10:38:16 2012 +1000

    Fix const compiler warnings
    
    XExtInt.c:80:38: warning: initialization discards 'const' qualifier from
    pointer target type [enabled by default]
    XExtInt.c:150:5: warning: initialization discards 'const' qualifier from
    pointer target type [enabled by default]
    XExtInt.c:151:5: warning: initialization discards 'const' qualifier from
    pointer target type [enabled by default]
    XExtInt.c:152:5: warning: initialization discards 'const' qualifier from
    pointer target type [enabled by default]
    XExtInt.c:153:5: warning: initialization discards 'const' qualifier from
    pointer target type [enabled by default]
    XExtInt.c:154:5: warning: initialization discards 'const' qualifier from
    pointer target type [enabled by default]
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Reviewed-by: Dan Nicholson <dbn.lists@gmail.com>

commit b4e07e7acc84f68ed2d37557d64d5655cc262ed5
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Thu Dec 6 10:27:35 2012 +1000

    Fix compiler warnings
    
    XIQueryVersion.c: In function '_xiQueryVersion':
    XIQueryVersion.c:63:26: warning: declaration of 'info' shadows a parameter
    [-Wshadow]
    XIQueryVersion.c:53:73: warning: shadowed declaration is here [-Wshadow]
    
    XExtInt.c: In function 'XInputWireToEvent':
    XExtInt.c:823:25: warning: declaration of 'i' shadows a previous local
    [-Wshadow]
    XExtInt.c:502:18: warning: shadowed declaration is here [-Wshadow]
    XExtInt.c:850:25: warning: declaration of 'i' shadows a previous local
    [-Wshadow]
    XExtInt.c:502:18: warning: shadowed declaration is here [-Wshadow]
    
    In file included from XExtInt.c:64:0:
    ../include/X11/extensions/XInput.h:166:17: note: previous declaration of
    '_xidevicebusy' was here
    XExtInt.c:101:12: warning: redundant redeclaration of
    '_XiGetDevicePresenceNotifyEvent' [-Wredundant-decls]
    
    XExtInt.c:76:13: warning: redundant redeclaration of '_xibaddevice'
    [-Wredundant-decls]
    In file included from XExtInt.c:64:0:
    ../include/X11/extensions/XInput.h:162:17: note: previous declaration of
    '_xibaddevice' was here
    XExtInt.c:81:13: warning: redundant redeclaration of '_xibadclass'
    [-Wredundant-decls]
    In file included from XExtInt.c:64:0:
    ../include/X11/extensions/XInput.h:163:17: note: previous declaration of
    '_xibadclass' was here
    XExtInt.c:86:13: warning: redundant redeclaration of '_xibadevent'
    [-Wredundant-decls]
    In file included from XExtInt.c:64:0:
    ../include/X11/extensions/XInput.h:164:17: note: previous declaration of
    '_xibadevent' was here
    XExtInt.c:91:13: warning: redundant redeclaration of '_xibadmode'
    [-Wredundant-decls]
    In file included from XExtInt.c:64:0:
    ../include/X11/extensions/XInput.h:165:17: note: previous declaration of
    '_xibadmode' was here
    XExtInt.c:96:13: warning: redundant redeclaration of '_xidevicebusy'
    [-Wredundant-decls]
    In file included from XExtInt.c:64:0:
    ../include/X11/extensions/XInput.h:166:17: note: previous declaration of
    '_xidevicebusy' was here
    
    XListDev.c: In function 'ParseClassInfo':
    XListDev.c:116:33: warning: declaration of 'k' shadows a previous local
    [-Wshadow]
    XListDev.c:109:12: warning: shadowed declaration is here [-Wshadow]
    
    XGetFCtl.c: In function 'XGetFeedbackControl':
    XGetFCtl.c:184:26: warning: declaration of 'i' shadows a previous local
    [-Wshadow]
    XGetFCtl.c:72:17: warning: shadowed declaration is here [-Wshadow]
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Reviewed-by: Dan Nicholson <dbn.lists@gmail.com>

commit 845550471fcd95d77e8d738ab8798d8e6e568b4a
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Wed Nov 7 08:51:23 2012 +1000

    man: add generation of missing man pages for XIGrabTouchBegin
    
    The man page itself already contained the description, but it was missing
    from NAME so the shadow man pages were not generated.
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Reviewed-by: Chase Douglas <chase.douglas@ubuntu.com>

commit 8c0eb1b6b4017b1e886981dc32cea90f2d4b9b64
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Thu Oct 11 13:33:45 2012 +1000

    man: fix formatting issues in XGetDeviceControl(3)
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit ae163b6202d844a46541928d00049b29cbdf930f
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Thu May 3 16:01:35 2012 +1000

    libXi 1.6.1
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit fd5e000308925f703ecd15c288127ab33a456425
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Mon Apr 23 13:32:59 2012 +1000

    man: update XIQueryVersion for current server behaviour
    
    XIQueryVersion(v1);
    XIQueryVersion(v2);
    
    is now ok as long as v1 <= v2.
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>

commit f8f44f42eb543ecd944a84facba6c09bf48e7711
Author: Chase Douglas <chase.douglas@canonical.com>
Date:   Fri Apr 20 15:30:30 2012 -0700

    Destroy extension record after last display is removed
    
    The extension record is currently leaked and never freed.
    
    Signed-off-by: Chase Douglas <chase.douglas@canonical.com>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 2ac185d2fd2b884f4f59a7f7f61f414d139859aa
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Mon Mar 26 09:07:34 2012 +1000

    Set the RawEvent sourceid (#34240)
    
    XI 2.2 and later include the sourceid in raw events.
    
    X.Org Bug 34240 <http://bugs.freedesktop.org/show_bug.cgi?id=34240>
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Reviewed-by: Chase Douglas <chase.douglas@canonical.com>

commit dfc101e4c6cdac4ff9a51732b2754287fbdc8582
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Mon Mar 26 09:05:24 2012 +1000

    Move version comparison into a helper function.
    
    No functional changes, this simply introduces a version helper function that
    returns -1, 0 or 1 depending on the version comparison result. To be used
    internally only.
    
    Needed for fix to #34240
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Reviewed-by: Chase Douglas <chase.douglas@canonical.com>

commit 8436c920953f288aea2d6d5f370f8eaaaef82d97
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Thu Mar 15 11:51:41 2012 +1000

    Fix wrong button label and mask copy on OS X
    
    Regression introduced in c1a5a70b51f12dedf354102217c7cd4247ed3a4b.
    
    If double-padding is applied, the length of the mask on the wire may be
    smaller than libXi's mask_len. When copying, only the wire length must be
    copied, with the remainder set to 0.
    When advancing to the button labels, the wire length matters, not libXi's
    internal length.
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
    Tested-by: Jeremy Huddleston <jeremyhu@apple.com>

commit 70b730b0548ca9e408f14f2576b972beb32a0ad0
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Thu Mar 8 16:03:50 2012 +1000

    libXi 1.6.0
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 1b9f0394c3d4d3833f8560ae8170a4d5842419ab
Author: Chase Douglas <chase.douglas@canonical.com>
Date:   Wed Mar 7 14:52:54 2012 -0800

    Fix XIScrollClass increment value on 32-bit machines
    
    This fixes scroll class increment values on 32-bit machines. Performing
    1UL << 32 shifts the bit off the end of a 32-bit unsigned long value. By
    expanding to 1ULL, we have the full 64-bits of an unsigned long long
    including on 32-bit machines.
    
    Before this change, xinput list --long would output scroll increment
    values of -nan.
    
    Signed-off-by: Chase Douglas <chase.douglas@canonical.com>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit c1a5a70b51f12dedf354102217c7cd4247ed3a4b
Author: Michał Masłowski <mtjm@mtjm.eu>
Date:   Tue Feb 21 20:54:40 2012 +0100

    Fix bus error on MIPS N32 for bug #38331.
    
    XIValuatorClassInfo and XIScrollClassInfo might have an address
    of 4 bytes modulo 8, while they contain doubles which need 8 byte
    alignment.  This is fixed by adding extra padding after each structure
    or array in sizeDeviceClassType and adding helper functions to
    determine sizes and padding only in one place.
    
    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=38331
    Signed-off-by: Michał Masłowski <mtjm@mtjm.eu>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 34964b05c16161de65709d60799b9ad97ce56296
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Fri Jan 27 15:35:44 2012 +1000

    libXi 1.5.99.3
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit b355b7300235395717de06809ee6631ce55d3189
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Fri Jan 27 13:28:52 2012 +1000

    Handle new XIAllowEvent request size
    
    inputproto 2.1.99.6 restored the previous request for ABI compatibility
    reasons, and it introduced a new XI 2.2 specific define.
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Reviewed-by: Keith Packard <keithp@keithp.com>

commit 07ced7b48219e3bc0c98806f3d7106f86d1b2ca0
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Tue Jan 17 21:26:14 2012 +0100

    Force class alignment to a multiple of sizeof(XID).
    
    Calculate length field to a multiples of sizeof(XID). XIDs are typedefs
    to ulong and thus may be 8 bytes on some platforms. This can trigger a
