Security fixes: X.Org CVE-2015-3418:

debian/changelog

@@ -175,6 +175,12 @@ nx-libs (2:3.5.0.32-0x2go1) UNRELEASED; urgency=low
       v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan)
       Changes:
       + 1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch
+  * Security fixes:
+    - X.Org CVE-2015-3418:
+      v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo)
+      v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan)
+      Changes:
+      + 1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch
 
   [ Bernard Cafarelli ]
   * nx-X11: link to libdl to fix undefined references to 'dlopen' and 'dlsym'.

debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch

@@ -12,10 +12,11 @@ Date:   Fri May 1 13:09:24 2015 +0200
      Fix for regression introduced by fix for CVE-2014-8092.
 
      v2: backports to nx-libs 3.6.x (Mike Gabriel)
+     v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo)
+     v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan)
+
      Signed-off-by: Keith Packard <keithp@keithp.com>
 
-diff --git a/nx-X11/programs/Xserver/dix/dispatch.c b/nx-X11/programs/Xserver/dix/dispatch.c
-index 5ad2f5a..ab10640 100644
 --- a/nx-X11/programs/Xserver/dix/dispatch.c
 +++ b/nx-X11/programs/Xserver/dix/dispatch.c
 @@ -2071,7 +2071,7 @@ ProcPutImage(register ClientPtr client)
@@ -27,3 +28,14 @@ index 5ad2f5a..ab10640 100644
          return BadLength;
  
      if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + 
+--- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
++++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
+@@ -2630,7 +2630,7 @@ ProcPutImage(register ClientPtr client)
+ 
+     tmpImage = (char *)&stuff[1];
+     lengthProto = length;
+-    if (lengthProto >= (INT32_MAX / stuff->height))
++    if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
+         return BadLength;
+ 
+     if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) +