libx11 : fix CVE-2020-14344

fix CVE-2020-14344 with squashed patch. squashed patch include below patch, https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1703b9f3435079d3c6021e1ee2ec34fd4978103d https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1a566c9e00e5f35c1f9e7f3d741a02e5170852b2 https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/2fcfcc49f3b1be854bb9085993a01d17c62acf60 https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/388b303c62aa35a245f1704211a023440ad2c488 also include fix to issue introduced in above patch (388b303c62aa35a245f1704211a023440ad2c488) https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/93fce3f4e79cbc737d6468a4f68ba3de1b83953b (From OE-Core rev: b68ded7dee5e6e8b8f23840e3118edcdee7e5c7e) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2020-09-08 21:07:44 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-09-17 12:51:24 +0100
commit: 94b6af19ef73f77e1be56c492e3b279fbc667277 (patch)
tree: fc1da0cd687acd665a746758dda4a2a998f1d49e
parent: a063c1c630f56792716ecdebf4f8bd9e6cb2a4ef (diff)
download: poky-94b6af19ef73f77e1be56c492e3b279fbc667277.tar.gz
2 files changed, 324 insertions, 1 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2020-14344.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2020-14344.patch
new file mode 100644
index 0000000000..9d07202b06
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2020-14344.patch
@@ -0,0 +1,321 @@
+From f64388ed036b6668686ad5448bc7d4f73b35e1c7 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Fri, 24 Jul 2020 21:09:10 +0200
+Subject: [PATCH] Fix CVE-2020-14344
+This is a squashed of below commit:
+commit 1 :-
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1703b9f3435079d3c6021e1ee2ec34fd4978103d
+Change the data_len parameter of _XimAttributeToValue() to CARD16
+It's coming from a length in the protocol (unsigned) and passed
+to functions that expect unsigned int parameters (_XCopyToArg()
+and memcpy()).
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Todd Carson <toc@daybefore.net>
+commit 2 :-
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
+Zero out buffers in functions
+It looks like uninitialized stack or heap memory can leak
+out via padding bytes.
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+commit 3 :-
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/2fcfcc49f3b1be854bb9085993a01d17c62acf60
+Fix more unchecked lengths
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+commit 4 :-
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/388b303c62aa35a245f1704211a023440ad2c488
+fix integer overflows in _XimAttributeToValue()
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+commit 5 :-
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/93fce3f4e79cbc737d6468a4f68ba3de1b83953b
+Fix size calculation in `_XimAttributeToValue`.
+The check here guards the read below.
+For `XimType_XIMStyles`, these are `num` of `CARD32` and for `XimType_XIMHotKeyTriggers`
+these are `num` of `XIMTRIGGERKEY` ref[1] which is defined as 3 x `CARD32`.
+(There are data after the `XIMTRIGGERKEY` according to the spec but they are not read by this
+function and doesn't need to be checked.)
+The old code here used the native datatype size instead of the wire protocol size causing
+the check to always fail.
+Also fix the size calculation for the header (size). It is 2 x CARD16 for both types
+despite the unused `CARD16` for `XimType_XIMStyles`.
+[1] https://www.x.org/releases/X11R7.6/doc/libX11/specs/XIM/xim.html#Input_Method_Styles
+This fixes a regression caused by 388b303c62aa35a245f1704211a023440ad2c488 in 1.6.10.
+Fix #116
+Upstream-Status: Backport
+[ https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1703b9f3435079d3c6021e1ee2ec34fd4978103d
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/2fcfcc49f3b1be854bb9085993a01d17c62acf60
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/388b303c62aa35a245f1704211a023440ad2c488
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/93fce3f4e79cbc737d6468a4f68ba3de1b83953b ]
+CVE: CVE-2020-14344
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ modules/im/ximcp/imDefIc.c  |  6 ++++--
+ modules/im/ximcp/imDefIm.c  | 25 +++++++++++++++++--------
+ modules/im/ximcp/imRmAttr.c | 31 +++++++++++++++++++++++--------
+ 3 files changed, 44 insertions(+), 18 deletions(-)
+diff --git a/modules/im/ximcp/imDefIc.c b/modules/im/ximcp/imDefIc.c
+index 7564dbad..d552aa9e 100644
+--- a/modules/im/ximcp/imDefIc.c
+++ b/modules/im/ximcp/imDefIc.c
+@@ -350,7 +350,7 @@ _XimProtoGetICValues(
+             + sizeof(INT16)
+             + XIM_PAD(2 + buf_size);
+ 
+-    if (!(buf = Xmalloc(buf_size)))
+    if (!(buf = Xcalloc(buf_size, 1)))
+        return arg->name;
+     buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+ 
+@@ -708,6 +708,7 @@ _XimProtoSetICValues(
+ #endif /* XIM_CONNECTABLE */
+ 
+     _XimGetCurrentICValues(ic, &ic_values);
+    memset(tmp_buf, 0, sizeof(tmp_buf32));
+     buf = tmp_buf;
+     buf_size = XIM_HEADER_SIZE
+        + sizeof(CARD16) + sizeof(CARD16) + sizeof(INT16) + sizeof(CARD16);
+@@ -730,7 +731,7 @@ _XimProtoSetICValues(
+ 
+        buf_size += ret_len;
+        if (buf == tmp_buf) {
+-           if (!(tmp = Xmalloc(buf_size + data_len))) {
+           if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+                return tmp_name;
+            }
+            memcpy(tmp, buf, buf_size);
+@@ -740,6 +741,7 @@ _XimProtoSetICValues(
+                Xfree(buf);
+                return tmp_name;
+            }
+            memset(&tmp[buf_size], 0, data_len);
+            buf = tmp;
+        }
+     }
+diff --git a/modules/im/ximcp/imDefIm.c b/modules/im/ximcp/imDefIm.c
+index cf922e48..d0329b54 100644
+--- a/modules/im/ximcp/imDefIm.c
+++ b/modules/im/ximcp/imDefIm.c
+@@ -62,6 +62,7 @@ PERFORMANCE OF THIS SOFTWARE.
+ #include "XimTrInt.h"
+ #include "Ximint.h"
+ 
+#include <limits.h>
+ 
+ int
+ _XimCheckDataSize(
+@@ -807,12 +808,16 @@ _XimOpen(
+     int                         buf_size;
+     int                         ret_code;
+     char               *locale_name;
+    size_t              locale_len;
+ 
+     locale_name = im->private.proto.locale_name;
+-    len = strlen(locale_name);
+-    buf_b[0] = (BYTE)len;                         /* length of locale name */
+-    (void)strcpy((char *)&buf_b[1], locale_name);  /* locale name */
+-    len += sizeof(BYTE);                          /* sizeof length */
+    locale_len = strlen(locale_name);
+    if (locale_len > UCHAR_MAX)
+      return False;
+    memset(buf32, 0, sizeof(buf32));
+    buf_b[0] = (BYTE)locale_len;               /* length of locale name */
+    memcpy(&buf_b[1], locale_name, locale_len);           /* locale name */
+    len = (INT16)(locale_len + sizeof(BYTE));     /* sizeof length */
+     XIM_SET_PAD(buf_b, len);                      /* pad */
+ 
+     _XimSetHeader((XPointer)buf, XIM_OPEN, 0, &len);
+@@ -1287,6 +1292,7 @@ _XimProtoSetIMValues(
+ #endif /* XIM_CONNECTABLE */
+ 
+     _XimGetCurrentIMValues(im, &im_values);
+    memset(tmp_buf, 0, sizeof(tmp_buf32));
+     buf = tmp_buf;
+     buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
+     data_len = BUFSIZE - buf_size;
+@@ -1307,7 +1313,7 @@ _XimProtoSetIMValues(
+ 
+        buf_size += ret_len;
+        if (buf == tmp_buf) {
+-           if (!(tmp = Xmalloc(buf_size + data_len))) {
+           if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+                return arg->name;
+            }
+            memcpy(tmp, buf, buf_size);
+@@ -1317,6 +1323,7 @@ _XimProtoSetIMValues(
+                Xfree(buf);
+                return arg->name;
+            }
+            memset(&tmp[buf_size], 0, data_len);
+            buf = tmp;
+        }
+     }
+@@ -1458,7 +1465,7 @@ _XimProtoGetIMValues(
+             + sizeof(INT16)
+             + XIM_PAD(buf_size);
+ 
+-    if (!(buf = Xmalloc(buf_size)))
+    if (!(buf = Xcalloc(buf_size, 1)))
+        return arg->name;
+     buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+ 
+@@ -1720,7 +1727,7 @@ _XimEncodingNegotiation(
+        + sizeof(CARD16)
+        + detail_len;
+ 
+-    if (!(buf = Xmalloc(XIM_HEADER_SIZE + len)))
+    if (!(buf = Xcalloc(XIM_HEADER_SIZE + len, 1)))
+        goto free_detail_ptr;
+ 
+     buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+@@ -1816,6 +1823,7 @@ _XimSendSavedIMValues(
+     int                         ret_code;
+ 
+     _XimGetCurrentIMValues(im, &im_values);
+    memset(tmp_buf, 0, sizeof(tmp_buf32));
+     buf = tmp_buf;
+     buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
+     data_len = BUFSIZE - buf_size;
+@@ -1838,7 +1846,7 @@ _XimSendSavedIMValues(
+ 
+        buf_size += ret_len;
+        if (buf == tmp_buf) {
+-           if (!(tmp = Xmalloc(buf_size + data_len))) {
+           if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+                return False;
+            }
+            memcpy(tmp, buf, buf_size);
+@@ -1848,6 +1856,7 @@ _XimSendSavedIMValues(
+                Xfree(buf);
+                return False;
+            }
+            memset(&tmp[buf_size], 0, data_len);
+            buf = tmp;
+        }
+     }
+diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
+index 9d4e4625..118f191d 100644
+--- a/modules/im/ximcp/imRmAttr.c
+++ b/modules/im/ximcp/imRmAttr.c
+@@ -29,6 +29,8 @@ PERFORMANCE OF THIS SOFTWARE.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
+#include <limits.h>
+
+ #include "Xlibint.h"
+ #include "Xlcint.h"
+ #include "Ximint.h"
+@@ -214,7 +216,7 @@ _XimAttributeToValue(
+     Xic                          ic,
+     XIMResourceList      res,
+     CARD16              *data,
+-    INT16                data_len,
+    CARD16               data_len,
+     XPointer             value,
+     BITMASK32            mode)
+ {
+@@ -250,18 +252,24 @@ _XimAttributeToValue(
+ 
+     case XimType_XIMStyles:
+        {
+-           INT16                num = data[0];
+           CARD16               num = data[0];
+            register CARD32     *style_list = (CARD32 *)&data[2];
+            XIMStyle            *style;
+            XIMStyles           *rep;
+            register int         i;
+            char                *p;
+-           int                  alloc_len;
+           unsigned int         alloc_len;
+ 
+            if (!(value))
+                return False;
+ 
+           if (num > (USHRT_MAX / sizeof(XIMStyle)))
+               return False;
+           if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len)
+               return False;
+            alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;
+           if (alloc_len < sizeof(XIMStyles))
+               return False;
+            if (!(p = Xmalloc(alloc_len)))
+                return False;
+ 
+@@ -313,7 +321,7 @@ _XimAttributeToValue(
+ 
+     case XimType_XFontSet:
+        {
+-           INT16        len = data[0];
+           CARD16       len = data[0];
+            char        *base_name;
+            XFontSet     rep = (XFontSet)NULL;
+            char        **missing_list = NULL;
+@@ -324,11 +332,12 @@ _XimAttributeToValue(
+                return False;
+            if (!ic)
+                return False;
+-
+           if (len > data_len)
+               return False;
+            if (!(base_name = Xmalloc(len + 1)))
+                return False;
+ 
+-           (void)strncpy(base_name, (char *)&data[1], (int)len);
+           (void)strncpy(base_name, (char *)&data[1], (size_t)len);
+            base_name[len] = '\0';
+ 
+            if (mode & XIM_PREEDIT_ATTR) {
+@@ -357,19 +366,25 @@ _XimAttributeToValue(
+ 
+     case XimType_XIMHotKeyTriggers:
+        {
+-           INT32                        num = *((CARD32 *)data);
+           CARD32                       num = *((CARD32 *)data);
+            register CARD32             *key_list = (CARD32 *)&data[2];
+            XIMHotKeyTrigger            *key;
+            XIMHotKeyTriggers           *rep;
+            register int                 i;
+            char                        *p;
+-           int                          alloc_len;
+           unsigned int                 alloc_len;
+ 
+            if (!(value))
+                return False;
+ 
+           if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))
+               return False;
+           if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len)
+               return False;
+            alloc_len = sizeof(XIMHotKeyTriggers)
+                      + sizeof(XIMHotKeyTrigger) * num;
+           if (alloc_len < sizeof(XIMHotKeyTriggers))
+               return False;
+            if (!(p = Xmalloc(alloc_len)))
+                return False;
+ 
+-- 
+2.17.1
diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
index ff60a4240c..84e0e4457e 100644
--- a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
+++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
@@ -12,7 +12,9 @@ PE = "1"
 SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \
            file://disable_tests.patch \
-            file://libx11-whitespace.patch"
+            file://libx11-whitespace.patch \
+            file://CVE-2020-14344.patch \
+"
 SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2"
 SRC_URI[sha256sum] = "9cc7e8d000d6193fa5af580d50d689380b8287052270f5bb26a5fb6b58b2bed1"
author	Lee Chee Yang <chee.yang.lee@intel.com>	2020-09-08 21:07:44 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-09-17 12:51:24 +0100
commit	94b6af19ef73f77e1be56c492e3b279fbc667277 (patch)
tree	fc1da0cd687acd665a746758dda4a2a998f1d49e
parent	a063c1c630f56792716ecdebf4f8bd9e6cb2a4ef (diff)
download	poky-94b6af19ef73f77e1be56c492e3b279fbc667277.tar.gz

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2020-14344.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2020-14344.patch new file mode 100644 index 0000000000..9d07202b06 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2020-14344.patch
@@ -0,0 +1,321 @@
		1	From f64388ed036b6668686ad5448bc7d4f73b35e1c7 Mon Sep 17 00:00:00 2001
		2	From: Matthieu Herrb <matthieu@herrb.eu>
		3	Date: Fri, 24 Jul 2020 21:09:10 +0200
		4	Subject: [PATCH] Fix CVE-2020-14344
		5
		6	This is a squashed of below commit:
		7
		8	commit 1 :-
		9	https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1703b9f3435079d3c6021e1ee2ec34fd4978103d
		10	Change the data_len parameter of _XimAttributeToValue() to CARD16
		11
		12	It's coming from a length in the protocol (unsigned) and passed
		13	to functions that expect unsigned int parameters (_XCopyToArg()
		14	and memcpy()).
		15
		16	Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
		17	Reviewed-by: Todd Carson <toc@daybefore.net>
		18
		19	commit 2 :-
		20	https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
		21	Zero out buffers in functions
		22
		23	It looks like uninitialized stack or heap memory can leak
		24	out via padding bytes.
		25
		26	Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
		27	Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
		28
		29	commit 3 :-
		30	https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/2fcfcc49f3b1be854bb9085993a01d17c62acf60
		31	Fix more unchecked lengths
		32
		33	Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
		34	Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
		35
		36	commit 4 :-
		37	https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/388b303c62aa35a245f1704211a023440ad2c488
		38	fix integer overflows in _XimAttributeToValue()
		39
		40	Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
		41	Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
		42
		43	commit 5 :-
		44	https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/93fce3f4e79cbc737d6468a4f68ba3de1b83953b
		45	Fix size calculation in `_XimAttributeToValue`.
		46
		47	The check here guards the read below.
		48	For `XimType_XIMStyles`, these are `num` of `CARD32` and for `XimType_XIMHotKeyTriggers`
		49	these are `num` of `XIMTRIGGERKEY` ref[1] which is defined as 3 x `CARD32`.
		50	(There are data after the `XIMTRIGGERKEY` according to the spec but they are not read by this
		51	function and doesn't need to be checked.)
		52
		53	The old code here used the native datatype size instead of the wire protocol size causing
		54	the check to always fail.
		55
		56	Also fix the size calculation for the header (size). It is 2 x CARD16 for both types
		57	despite the unused `CARD16` for `XimType_XIMStyles`.
		58
		59	[1] https://www.x.org/releases/X11R7.6/doc/libX11/specs/XIM/xim.html#Input_Method_Styles
		60
		61	This fixes a regression caused by 388b303c62aa35a245f1704211a023440ad2c488 in 1.6.10.
		62
		63	Fix #116
		64
		65	Upstream-Status: Backport
		66	[ https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1703b9f3435079d3c6021e1ee2ec34fd4978103d
		67	https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
		68	https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/2fcfcc49f3b1be854bb9085993a01d17c62acf60
		69	https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/388b303c62aa35a245f1704211a023440ad2c488
		70	https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/93fce3f4e79cbc737d6468a4f68ba3de1b83953b ]
		71	CVE: CVE-2020-14344
		72	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		73	---
		74	modules/im/ximcp/imDefIc.c \| 6 ++++--
		75	modules/im/ximcp/imDefIm.c \| 25 +++++++++++++++++--------
		76	modules/im/ximcp/imRmAttr.c \| 31 +++++++++++++++++++++++--------
		77	3 files changed, 44 insertions(+), 18 deletions(-)
		78
		79	diff --git a/modules/im/ximcp/imDefIc.c b/modules/im/ximcp/imDefIc.c
		80	index 7564dbad..d552aa9e 100644
		81	--- a/modules/im/ximcp/imDefIc.c
		82	+++ b/modules/im/ximcp/imDefIc.c
		83	@@ -350,7 +350,7 @@ _XimProtoGetICValues(
		84	+ sizeof(INT16)
		85	+ XIM_PAD(2 + buf_size);
		86
		87	- if (!(buf = Xmalloc(buf_size)))
		88	+ if (!(buf = Xcalloc(buf_size, 1)))
		89	return arg->name;
		90	buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
		91
		92	@@ -708,6 +708,7 @@ _XimProtoSetICValues(
		93	#endif /* XIM_CONNECTABLE */
		94
		95	_XimGetCurrentICValues(ic, &ic_values);
		96	+ memset(tmp_buf, 0, sizeof(tmp_buf32));
		97	buf = tmp_buf;
		98	buf_size = XIM_HEADER_SIZE
		99	+ sizeof(CARD16) + sizeof(CARD16) + sizeof(INT16) + sizeof(CARD16);
		100	@@ -730,7 +731,7 @@ _XimProtoSetICValues(
		101
		102	buf_size += ret_len;
		103	if (buf == tmp_buf) {
		104	- if (!(tmp = Xmalloc(buf_size + data_len))) {
		105	+ if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
		106	return tmp_name;
		107	}
		108	memcpy(tmp, buf, buf_size);
		109	@@ -740,6 +741,7 @@ _XimProtoSetICValues(
		110	Xfree(buf);
		111	return tmp_name;
		112	}
		113	+ memset(&tmp[buf_size], 0, data_len);
		114	buf = tmp;
		115	}
		116	}
		117	diff --git a/modules/im/ximcp/imDefIm.c b/modules/im/ximcp/imDefIm.c
		118	index cf922e48..d0329b54 100644
		119	--- a/modules/im/ximcp/imDefIm.c
		120	+++ b/modules/im/ximcp/imDefIm.c
		121	@@ -62,6 +62,7 @@ PERFORMANCE OF THIS SOFTWARE.
		122	#include "XimTrInt.h"
		123	#include "Ximint.h"
		124
		125	+#include <limits.h>
		126
		127	int
		128	_XimCheckDataSize(
		129	@@ -807,12 +808,16 @@ _XimOpen(
		130	int buf_size;
		131	int ret_code;
		132	char *locale_name;
		133	+ size_t locale_len;
		134
		135	locale_name = im->private.proto.locale_name;
		136	- len = strlen(locale_name);
		137	- buf_b[0] = (BYTE)len; /* length of locale name */
		138	- (void)strcpy((char )&buf_b[1], locale_name); / locale name */
		139	- len += sizeof(BYTE); /* sizeof length */
		140	+ locale_len = strlen(locale_name);
		141	+ if (locale_len > UCHAR_MAX)
		142	+ return False;
		143	+ memset(buf32, 0, sizeof(buf32));
		144	+ buf_b[0] = (BYTE)locale_len; /* length of locale name */
		145	+ memcpy(&buf_b[1], locale_name, locale_len); /* locale name */
		146	+ len = (INT16)(locale_len + sizeof(BYTE)); /* sizeof length */
		147	XIM_SET_PAD(buf_b, len); /* pad */
		148
		149	_XimSetHeader((XPointer)buf, XIM_OPEN, 0, &len);
		150	@@ -1287,6 +1292,7 @@ _XimProtoSetIMValues(
		151	#endif /* XIM_CONNECTABLE */
		152
		153	_XimGetCurrentIMValues(im, &im_values);
		154	+ memset(tmp_buf, 0, sizeof(tmp_buf32));
		155	buf = tmp_buf;
		156	buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
		157	data_len = BUFSIZE - buf_size;
		158	@@ -1307,7 +1313,7 @@ _XimProtoSetIMValues(
		159
		160	buf_size += ret_len;
		161	if (buf == tmp_buf) {
		162	- if (!(tmp = Xmalloc(buf_size + data_len))) {
		163	+ if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
		164	return arg->name;
		165	}
		166	memcpy(tmp, buf, buf_size);
		167	@@ -1317,6 +1323,7 @@ _XimProtoSetIMValues(
		168	Xfree(buf);
		169	return arg->name;
		170	}
		171	+ memset(&tmp[buf_size], 0, data_len);
		172	buf = tmp;
		173	}
		174	}
		175	@@ -1458,7 +1465,7 @@ _XimProtoGetIMValues(
		176	+ sizeof(INT16)
		177	+ XIM_PAD(buf_size);
		178
		179	- if (!(buf = Xmalloc(buf_size)))
		180	+ if (!(buf = Xcalloc(buf_size, 1)))
		181	return arg->name;
		182	buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
		183
		184	@@ -1720,7 +1727,7 @@ _XimEncodingNegotiation(
		185	+ sizeof(CARD16)
		186	+ detail_len;
		187
		188	- if (!(buf = Xmalloc(XIM_HEADER_SIZE + len)))
		189	+ if (!(buf = Xcalloc(XIM_HEADER_SIZE + len, 1)))
		190	goto free_detail_ptr;
		191
		192	buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
		193	@@ -1816,6 +1823,7 @@ _XimSendSavedIMValues(
		194	int ret_code;
		195
		196	_XimGetCurrentIMValues(im, &im_values);
		197	+ memset(tmp_buf, 0, sizeof(tmp_buf32));
		198	buf = tmp_buf;
		199	buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
		200	data_len = BUFSIZE - buf_size;
		201	@@ -1838,7 +1846,7 @@ _XimSendSavedIMValues(
		202
		203	buf_size += ret_len;
		204	if (buf == tmp_buf) {
		205	- if (!(tmp = Xmalloc(buf_size + data_len))) {
		206	+ if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
		207	return False;
		208	}
		209	memcpy(tmp, buf, buf_size);
		210	@@ -1848,6 +1856,7 @@ _XimSendSavedIMValues(
		211	Xfree(buf);
		212	return False;
		213	}
		214	+ memset(&tmp[buf_size], 0, data_len);
		215	buf = tmp;
		216	}
		217	}
		218	diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
		219	index 9d4e4625..118f191d 100644
		220	--- a/modules/im/ximcp/imRmAttr.c
		221	+++ b/modules/im/ximcp/imRmAttr.c
		222	@@ -29,6 +29,8 @@ PERFORMANCE OF THIS SOFTWARE.
		223	#ifdef HAVE_CONFIG_H
		224	#include <config.h>
		225	#endif
		226	+#include <limits.h>
		227	+
		228	#include "Xlibint.h"
		229	#include "Xlcint.h"
		230	#include "Ximint.h"
		231	@@ -214,7 +216,7 @@ _XimAttributeToValue(
		232	Xic ic,
		233	XIMResourceList res,
		234	CARD16 *data,
		235	- INT16 data_len,
		236	+ CARD16 data_len,
		237	XPointer value,
		238	BITMASK32 mode)
		239	{
		240	@@ -250,18 +252,24 @@ _XimAttributeToValue(
		241
		242	case XimType_XIMStyles:
		243	{
		244	- INT16 num = data[0];
		245	+ CARD16 num = data[0];
		246	register CARD32 style_list = (CARD32 )&data[2];
		247	XIMStyle *style;
		248	XIMStyles *rep;
		249	register int i;
		250	char *p;
		251	- int alloc_len;
		252	+ unsigned int alloc_len;
		253
		254	if (!(value))
		255	return False;
		256
		257	+ if (num > (USHRT_MAX / sizeof(XIMStyle)))
		258	+ return False;
		259	+ if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len)
		260	+ return False;
		261	alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;
		262	+ if (alloc_len < sizeof(XIMStyles))
		263	+ return False;
		264	if (!(p = Xmalloc(alloc_len)))
		265	return False;
		266
		267	@@ -313,7 +321,7 @@ _XimAttributeToValue(
		268
		269	case XimType_XFontSet:
		270	{
		271	- INT16 len = data[0];
		272	+ CARD16 len = data[0];
		273	char *base_name;
		274	XFontSet rep = (XFontSet)NULL;
		275	char **missing_list = NULL;
		276	@@ -324,11 +332,12 @@ _XimAttributeToValue(
		277	return False;
		278	if (!ic)
		279	return False;
		280	-
		281	+ if (len > data_len)
		282	+ return False;
		283	if (!(base_name = Xmalloc(len + 1)))
		284	return False;
		285
		286	- (void)strncpy(base_name, (char *)&data[1], (int)len);
		287	+ (void)strncpy(base_name, (char *)&data[1], (size_t)len);
		288	base_name[len] = '\0';
		289
		290	if (mode & XIM_PREEDIT_ATTR) {
		291	@@ -357,19 +366,25 @@ _XimAttributeToValue(
		292
		293	case XimType_XIMHotKeyTriggers:
		294	{
		295	- INT32 num = ((CARD32 )data);
		296	+ CARD32 num = ((CARD32 )data);
		297	register CARD32 key_list = (CARD32 )&data[2];
		298	XIMHotKeyTrigger *key;
		299	XIMHotKeyTriggers *rep;
		300	register int i;
		301	char *p;
		302	- int alloc_len;
		303	+ unsigned int alloc_len;
		304
		305	if (!(value))
		306	return False;
		307
		308	+ if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))
		309	+ return False;
		310	+ if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len)
		311	+ return False;
		312	alloc_len = sizeof(XIMHotKeyTriggers)
		313	+ sizeof(XIMHotKeyTrigger) * num;
		314	+ if (alloc_len < sizeof(XIMHotKeyTriggers))
		315	+ return False;
		316	if (!(p = Xmalloc(alloc_len)))
		317	return False;
		318
		319	--
		320	2.17.1
		321


diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb index ff60a4240c..84e0e4457e 100644 --- a/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb +++ b/meta/recipes-graphics/xorg-lib/libx11_1.6.9.bb
@@ -12,7 +12,9 @@ PE = "1"
12		12
13	SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \	13	SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \
14	file://disable_tests.patch \	14	file://disable_tests.patch \
15	file://libx11-whitespace.patch"	15	file://libx11-whitespace.patch \
		16	file://CVE-2020-14344.patch \
		17	"
16		18
17	SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2"	19	SRC_URI[md5sum] = "55adbfb6d4370ecac5e70598c4e7eed2"
18	SRC_URI[sha256sum] = "9cc7e8d000d6193fa5af580d50d689380b8287052270f5bb26a5fb6b58b2bed1"	20	SRC_URI[sha256sum] = "9cc7e8d000d6193fa5af580d50d689380b8287052270f5bb26a5fb6b58b2bed1"