libx11: fix CVE-2021-31535

Backport patch to fix CVE-2021-31535 of libx11. Adjust indentation as well. (From OE-Core rev: 097df6a4ebee4bb1b7c60b61baf5c0c1d8137b5d) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Kai Kang <kai.kang@windriver.com> 2021-06-10 17:00:10 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-06-26 15:24:08 +0100
commit: a44f82dd8b20c288e858de7ec1d32618639f5df4 (patch)
tree: 97a23674356448c574be8ec9e38be6f6378f4871 /meta
parent: 35f5ce1fbd90bfc58e6c7aea649c07bd15e770f8 (diff)
download: poky-a44f82dd8b20c288e858de7ec1d32618639f5df4.tar.gz
2 files changed, 323 insertions, 2 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libx11/fix-CVE-2021-31535.patch b/meta/recipes-graphics/xorg-lib/libx11/fix-CVE-2021-31535.patch
new file mode 100644
index 0000000000..2ec5cc1688
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/fix-CVE-2021-31535.patch
@@ -0,0 +1,320 @@
+From 8d2e02ae650f00c4a53deb625211a0527126c605 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Fri, 19 Feb 2021 15:30:39 +0100
+Subject: [PATCH] Reject string longer than USHRT_MAX before sending them on
+ the wire
+The X protocol uses CARD16 values to represent the length so
+this would overflow.
+CVE-2021-31535
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+CVE: CVE-2021-31535
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8d2e02a]
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ src/Font.c      | 4 +++-
+ src/FontInfo.c  | 3 +++
+ src/FontNames.c | 3 +++
+ src/GetColor.c  | 4 ++++
+ src/LoadFont.c  | 4 ++++
+ src/LookupCol.c | 6 ++++--
+ src/ParseCol.c  | 3 +++
+ src/QuExt.c     | 5 +++++
+ src/SetFPath.c  | 6 ++++++
+ src/SetHints.c  | 7 +++++++
+ src/StNColor.c  | 3 +++
+ src/StName.c    | 7 ++++++-
+ 12 files changed, 51 insertions(+), 4 deletions(-)
+diff --git a/src/Font.c b/src/Font.c
+index d4ebdaca..1cd89cca 100644
+--- a/src/Font.c
+++ b/src/Font.c
+@@ -102,6 +102,8 @@ XFontStruct *XLoadQueryFont(
+     XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy);
+ #endif
+ 
+    if (strlen(name) >= USHRT_MAX)
+        return NULL;
+     if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0))
+       return font_result;
+     LockDisplay(dpy);
+@@ -663,7 +665,7 @@ int _XF86LoadQueryLocaleFont(
+     if (!name)
+        return 0;
+     l = (int) strlen(name);
+-    if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-')
+    if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX)
+        return 0;
+     charset = NULL;
+     /* next three lines stolen from _XkbGetCharset() */
+diff --git a/src/FontInfo.c b/src/FontInfo.c
+index 694efa10..6644b3fa 100644
+--- a/src/FontInfo.c
+++ b/src/FontInfo.c
+@@ -58,6 +58,9 @@ XFontStruct **info)   /* RETURN */
+     register xListFontsReq *req;
+     int j;
+ 
+    if (strlen(pattern) >= USHRT_MAX)
+        return NULL;
+
+     LockDisplay(dpy);
+     GetReq(ListFontsWithInfo, req);
+     req->maxNames = maxNames;
+diff --git a/src/FontNames.c b/src/FontNames.c
+index 30912925..458d80c9 100644
+--- a/src/FontNames.c
+++ b/src/FontNames.c
+@@ -51,6 +51,9 @@ int *actualCount)     /* RETURN */
+     register xListFontsReq *req;
+     unsigned long rlen = 0;
+ 
+    if (strlen(pattern) >= USHRT_MAX)
+        return NULL;
+
+     LockDisplay(dpy);
+     GetReq(ListFonts, req);
+     req->maxNames = maxNames;
+diff --git a/src/GetColor.c b/src/GetColor.c
+index d088497f..c8178067 100644
+--- a/src/GetColor.c
+++ b/src/GetColor.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
+#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -48,6 +49,9 @@ XColor *exact_def) /* RETURN */
+     XcmsColor cmsColor_exact;
+     Status ret;
+ 
+    if (strlen(colorname) >= USHRT_MAX)
+        return (0);
+
+ #ifdef XCMS
+     /*
+      * Let's Attempt to use Xcms and i18n approach to Parse Color
+diff --git a/src/LoadFont.c b/src/LoadFont.c
+index 0a3809a8..3996436f 100644
+--- a/src/LoadFont.c
+++ b/src/LoadFont.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
+#include <limits.h>
+ #include "Xlibint.h"
+ 
+ Font
+@@ -38,6 +39,9 @@ XLoadFont (
+     Font fid;
+     register xOpenFontReq *req;
+ 
+    if (strlen(name) >= USHRT_MAX)
+        return (0);
+
+     if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid))
+       return fid;
+ 
+diff --git a/src/LookupCol.c b/src/LookupCol.c
+index 9608d512..cd9b1368 100644
+--- a/src/LookupCol.c
+++ b/src/LookupCol.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
+#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -46,6 +47,9 @@ XLookupColor (
+        XcmsCCC ccc;
+        XcmsColor cmsColor_exact;
+ 
+       n = (int) strlen (spec);
+       if (n >= USHRT_MAX)
+            return 0;
+ #ifdef XCMS
+        /*
+         * Let's Attempt to use Xcms and i18n approach to Parse Color
+@@ -77,8 +81,6 @@ XLookupColor (
+         * Xcms and i18n methods failed, so lets pass it to the server
+         * for parsing.
+         */
+-
+-       n = (int) strlen (spec);
+        LockDisplay(dpy);
+        GetReq (LookupColor, req);
+        req->cmap = cmap;
+diff --git a/src/ParseCol.c b/src/ParseCol.c
+index 2691df36..7a84a17b 100644
+--- a/src/ParseCol.c
+++ b/src/ParseCol.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
+#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -47,6 +48,8 @@ XParseColor (
+ 
+         if (!spec) return(0);
+        n = (int) strlen (spec);
+       if (n >= USHRT_MAX)
+            return(0);
+        if (*spec == '#') {
+            /*
+             * RGB
+diff --git a/src/QuExt.c b/src/QuExt.c
+index 2021dca4..4cb99fcf 100644
+--- a/src/QuExt.c
+++ b/src/QuExt.c
+@@ -27,6 +27,8 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
+#include <limits.h>
+#include <stdbool.h>
+ #include "Xlibint.h"
+ 
+ Bool
+@@ -40,6 +42,9 @@ XQueryExtension(
+     xQueryExtensionReply rep;
+     register xQueryExtensionReq *req;
+ 
+    if (strlen(name) >= USHRT_MAX)
+        return false;
+
+     LockDisplay(dpy);
+     GetReq(QueryExtension, req);
+     req->nbytes = name ? (CARD16) strlen(name) : 0;
+diff --git a/src/SetFPath.c b/src/SetFPath.c
+index 7d12f18c..13fce49e 100644
+--- a/src/SetFPath.c
+++ b/src/SetFPath.c
+@@ -26,6 +26,7 @@ in this Software without prior written authorization from The Open Group.
+ 
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+#include <limits.h>
+ #endif
+ #include "Xlibint.h"
+ 
+@@ -49,6 +50,11 @@ XSetFontPath (
+        req->nFonts = ndirs;
+        for (i = 0; i < ndirs; i++) {
+                n = (int) ((size_t) n + (safestrlen (directories[i]) + 1));
+               if (n >= USHRT_MAX) {
+                       UnlockDisplay(dpy);
+                       SyncHandle();
+                       return 0;
+               }
+        }
+        nbytes = (n + 3) & ~3;
+        req->length += nbytes >> 2;
+diff --git a/src/SetHints.c b/src/SetHints.c
+index e81aa9d3..61cb0684 100644
+--- a/src/SetHints.c
+++ b/src/SetHints.c
+@@ -49,6 +49,7 @@ SOFTWARE.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
+#include <limits.h>
+ #include <X11/Xlibint.h>
+ #include <X11/Xutil.h>
+ #include "Xatomtype.h"
+@@ -214,6 +215,8 @@ XSetCommand (
+        register char *buf, *bp;
+        for (i = 0, nbytes = 0; i < argc; i++) {
+                nbytes += safestrlen(argv[i]) + 1;
+               if (nbytes >= USHRT_MAX)
+                    return 1;
+        }
+        if ((bp = buf = Xmalloc(nbytes))) {
+            /* copy arguments into single buffer */
+@@ -256,6 +259,8 @@ XSetStandardProperties (
+ 
+        if (name != NULL) XStoreName (dpy, w, name);
+ 
+        if (safestrlen(icon_string) >= USHRT_MAX)
+            return 1;
+        if (icon_string != NULL) {
+            XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
+                              PropModeReplace,
+@@ -298,6 +303,8 @@ XSetClassHint(
+ 
+        len_nm = safestrlen(classhint->res_name);
+        len_cl = safestrlen(classhint->res_class);
+        if (len_nm + len_cl >= USHRT_MAX)
+            return 1;
+        if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) {
+            if (len_nm) {
+                strcpy(s, classhint->res_name);
+diff --git a/src/StNColor.c b/src/StNColor.c
+index 3b50401b..16dc9cbc 100644
+--- a/src/StNColor.c
+++ b/src/StNColor.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
+#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -46,6 +47,8 @@ int flags)  /* DoRed, DoGreen, DoBlue */
+     XcmsColor cmsColor_exact;
+     XColor scr_def;
+ 
+    if (strlen(name) >= USHRT_MAX)
+        return 0;
+ #ifdef XCMS
+     /*
+      * Let's Attempt to use Xcms approach to Parse Color
+diff --git a/src/StName.c b/src/StName.c
+index 58b5a5a6..04bb3aa6 100644
+--- a/src/StName.c
+++ b/src/StName.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
+#include <limits.h>
+ #include <X11/Xlibint.h>
+ #include <X11/Xatom.h>
+ 
+@@ -36,7 +37,9 @@ XStoreName (
+     Window w,
+     _Xconst char *name)
+ {
+-    return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING,
+    if (strlen(name) >= USHRT_MAX)
+        return 0;
+    return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /*  */
+                           8, PropModeReplace, (_Xconst unsigned char *)name,
+                           name ? (int) strlen(name) : 0);
+ }
+@@ -47,6 +50,8 @@ XSetIconName (
+     Window w,
+     _Xconst char *icon_name)
+ {
+    if (strlen(icon_name) >= USHRT_MAX)
+        return 0;
+     return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
+                            PropModeReplace, (_Xconst unsigned char *)icon_name,
+                           icon_name ? (int) strlen(icon_name) : 0);
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.7.0.bb b/meta/recipes-graphics/xorg-lib/libx11_1.7.0.bb
index 3faee6e497..c6429cbbac 100644
--- a/meta/recipes-graphics/xorg-lib/libx11_1.7.0.bb
+++ b/meta/recipes-graphics/xorg-lib/libx11_1.7.0.bb
@@ -11,8 +11,9 @@ FILESEXTRAPATHS =. "${FILE_DIRNAME}/libx11:"
 PE = "1"
 SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \
-           file://disable_tests.patch \
+            file://disable_tests.patch \
-           "
+            file://fix-CVE-2021-31535.patch \
+            "
 SRC_URI[sha256sum] = "36c8f93b6595437c8cfbc9f08618bcb3041cbd303e140a0013f88e4c2977cb54"
author	Kai Kang <kai.kang@windriver.com>	2021-06-10 17:00:10 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-06-26 15:24:08 +0100
commit	a44f82dd8b20c288e858de7ec1d32618639f5df4 (patch)
tree	97a23674356448c574be8ec9e38be6f6378f4871 /meta
parent	35f5ce1fbd90bfc58e6c7aea649c07bd15e770f8 (diff)
download	poky-a44f82dd8b20c288e858de7ec1d32618639f5df4.tar.gz

diff --git a/meta/recipes-graphics/xorg-lib/libx11/fix-CVE-2021-31535.patch b/meta/recipes-graphics/xorg-lib/libx11/fix-CVE-2021-31535.patch new file mode 100644 index 0000000000..2ec5cc1688 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/fix-CVE-2021-31535.patch
@@ -0,0 +1,320 @@
		1	From 8d2e02ae650f00c4a53deb625211a0527126c605 Mon Sep 17 00:00:00 2001
		2	From: Matthieu Herrb <matthieu@herrb.eu>
		3	Date: Fri, 19 Feb 2021 15:30:39 +0100
		4	Subject: [PATCH] Reject string longer than USHRT_MAX before sending them on
		5	the wire
		6
		7	The X protocol uses CARD16 values to represent the length so
		8	this would overflow.
		9
		10	CVE-2021-31535
		11
		12	Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
		13
		14	CVE: CVE-2021-31535
		15	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8d2e02a]
		16
		17	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		18	---
		19	src/Font.c \| 4 +++-
		20	src/FontInfo.c \| 3 +++
		21	src/FontNames.c \| 3 +++
		22	src/GetColor.c \| 4 ++++
		23	src/LoadFont.c \| 4 ++++
		24	src/LookupCol.c \| 6 ++++--
		25	src/ParseCol.c \| 3 +++
		26	src/QuExt.c \| 5 +++++
		27	src/SetFPath.c \| 6 ++++++
		28	src/SetHints.c \| 7 +++++++
		29	src/StNColor.c \| 3 +++
		30	src/StName.c \| 7 ++++++-
		31	12 files changed, 51 insertions(+), 4 deletions(-)
		32
		33	diff --git a/src/Font.c b/src/Font.c
		34	index d4ebdaca..1cd89cca 100644
		35	--- a/src/Font.c
		36	+++ b/src/Font.c
		37	@@ -102,6 +102,8 @@ XFontStruct *XLoadQueryFont(
		38	XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy);
		39	#endif
		40
		41	+ if (strlen(name) >= USHRT_MAX)
		42	+ return NULL;
		43	if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0))
		44	return font_result;
		45	LockDisplay(dpy);
		46	@@ -663,7 +665,7 @@ int _XF86LoadQueryLocaleFont(
		47	if (!name)
		48	return 0;
		49	l = (int) strlen(name);
		50	- if (l < 2 \|\| name[l - 1] != '*' \|\| name[l - 2] != '-')
		51	+ if (l < 2 \|\| name[l - 1] != '*' \|\| name[l - 2] != '-' \|\| l >= USHRT_MAX)
		52	return 0;
		53	charset = NULL;
		54	/* next three lines stolen from _XkbGetCharset() */
		55	diff --git a/src/FontInfo.c b/src/FontInfo.c
		56	index 694efa10..6644b3fa 100644
		57	--- a/src/FontInfo.c
		58	+++ b/src/FontInfo.c
		59	@@ -58,6 +58,9 @@ XFontStruct *info) / RETURN */
		60	register xListFontsReq *req;
		61	int j;
		62
		63	+ if (strlen(pattern) >= USHRT_MAX)
		64	+ return NULL;
		65	+
		66	LockDisplay(dpy);
		67	GetReq(ListFontsWithInfo, req);
		68	req->maxNames = maxNames;
		69	diff --git a/src/FontNames.c b/src/FontNames.c
		70	index 30912925..458d80c9 100644
		71	--- a/src/FontNames.c
		72	+++ b/src/FontNames.c
		73	@@ -51,6 +51,9 @@ int actualCount) / RETURN */
		74	register xListFontsReq *req;
		75	unsigned long rlen = 0;
		76
		77	+ if (strlen(pattern) >= USHRT_MAX)
		78	+ return NULL;
		79	+
		80	LockDisplay(dpy);
		81	GetReq(ListFonts, req);
		82	req->maxNames = maxNames;
		83	diff --git a/src/GetColor.c b/src/GetColor.c
		84	index d088497f..c8178067 100644
		85	--- a/src/GetColor.c
		86	+++ b/src/GetColor.c
		87	@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
		88	#ifdef HAVE_CONFIG_H
		89	#include <config.h>
		90	#endif
		91	+#include <limits.h>
		92	#include <stdio.h>
		93	#include "Xlibint.h"
		94	#include "Xcmsint.h"
		95	@@ -48,6 +49,9 @@ XColor exact_def) / RETURN */
		96	XcmsColor cmsColor_exact;
		97	Status ret;
		98
		99	+ if (strlen(colorname) >= USHRT_MAX)
		100	+ return (0);
		101	+
		102	#ifdef XCMS
		103	/*
		104	* Let's Attempt to use Xcms and i18n approach to Parse Color
		105	diff --git a/src/LoadFont.c b/src/LoadFont.c
		106	index 0a3809a8..3996436f 100644
		107	--- a/src/LoadFont.c
		108	+++ b/src/LoadFont.c
		109	@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
		110	#ifdef HAVE_CONFIG_H
		111	#include <config.h>
		112	#endif
		113	+#include <limits.h>
		114	#include "Xlibint.h"
		115
		116	Font
		117	@@ -38,6 +39,9 @@ XLoadFont (
		118	Font fid;
		119	register xOpenFontReq *req;
		120
		121	+ if (strlen(name) >= USHRT_MAX)
		122	+ return (0);
		123	+
		124	if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid))
		125	return fid;
		126
		127	diff --git a/src/LookupCol.c b/src/LookupCol.c
		128	index 9608d512..cd9b1368 100644
		129	--- a/src/LookupCol.c
		130	+++ b/src/LookupCol.c
		131	@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
		132	#ifdef HAVE_CONFIG_H
		133	#include <config.h>
		134	#endif
		135	+#include <limits.h>
		136	#include <stdio.h>
		137	#include "Xlibint.h"
		138	#include "Xcmsint.h"
		139	@@ -46,6 +47,9 @@ XLookupColor (
		140	XcmsCCC ccc;
		141	XcmsColor cmsColor_exact;
		142
		143	+ n = (int) strlen (spec);
		144	+ if (n >= USHRT_MAX)
		145	+ return 0;
		146	#ifdef XCMS
		147	/*
		148	* Let's Attempt to use Xcms and i18n approach to Parse Color
		149	@@ -77,8 +81,6 @@ XLookupColor (
		150	* Xcms and i18n methods failed, so lets pass it to the server
		151	* for parsing.
		152	*/
		153	-
		154	- n = (int) strlen (spec);
		155	LockDisplay(dpy);
		156	GetReq (LookupColor, req);
		157	req->cmap = cmap;
		158	diff --git a/src/ParseCol.c b/src/ParseCol.c
		159	index 2691df36..7a84a17b 100644
		160	--- a/src/ParseCol.c
		161	+++ b/src/ParseCol.c
		162	@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
		163	#ifdef HAVE_CONFIG_H
		164	#include <config.h>
		165	#endif
		166	+#include <limits.h>
		167	#include <stdio.h>
		168	#include "Xlibint.h"
		169	#include "Xcmsint.h"
		170	@@ -47,6 +48,8 @@ XParseColor (
		171
		172	if (!spec) return(0);
		173	n = (int) strlen (spec);
		174	+ if (n >= USHRT_MAX)
		175	+ return(0);
		176	if (*spec == '#') {
		177	/*
		178	* RGB
		179	diff --git a/src/QuExt.c b/src/QuExt.c
		180	index 2021dca4..4cb99fcf 100644
		181	--- a/src/QuExt.c
		182	+++ b/src/QuExt.c
		183	@@ -27,6 +27,8 @@ in this Software without prior written authorization from The Open Group.
		184	#ifdef HAVE_CONFIG_H
		185	#include <config.h>
		186	#endif
		187	+#include <limits.h>
		188	+#include <stdbool.h>
		189	#include "Xlibint.h"
		190
		191	Bool
		192	@@ -40,6 +42,9 @@ XQueryExtension(
		193	xQueryExtensionReply rep;
		194	register xQueryExtensionReq *req;
		195
		196	+ if (strlen(name) >= USHRT_MAX)
		197	+ return false;
		198	+
		199	LockDisplay(dpy);
		200	GetReq(QueryExtension, req);
		201	req->nbytes = name ? (CARD16) strlen(name) : 0;
		202	diff --git a/src/SetFPath.c b/src/SetFPath.c
		203	index 7d12f18c..13fce49e 100644
		204	--- a/src/SetFPath.c
		205	+++ b/src/SetFPath.c
		206	@@ -26,6 +26,7 @@ in this Software without prior written authorization from The Open Group.
		207
		208	#ifdef HAVE_CONFIG_H
		209	#include <config.h>
		210	+#include <limits.h>
		211	#endif
		212	#include "Xlibint.h"
		213
		214	@@ -49,6 +50,11 @@ XSetFontPath (
		215	req->nFonts = ndirs;
		216	for (i = 0; i < ndirs; i++) {
		217	n = (int) ((size_t) n + (safestrlen (directories[i]) + 1));
		218	+ if (n >= USHRT_MAX) {
		219	+ UnlockDisplay(dpy);
		220	+ SyncHandle();
		221	+ return 0;
		222	+ }
		223	}
		224	nbytes = (n + 3) & ~3;
		225	req->length += nbytes >> 2;
		226	diff --git a/src/SetHints.c b/src/SetHints.c
		227	index e81aa9d3..61cb0684 100644
		228	--- a/src/SetHints.c
		229	+++ b/src/SetHints.c
		230	@@ -49,6 +49,7 @@ SOFTWARE.
		231	#ifdef HAVE_CONFIG_H
		232	#include <config.h>
		233	#endif
		234	+#include <limits.h>
		235	#include <X11/Xlibint.h>
		236	#include <X11/Xutil.h>
		237	#include "Xatomtype.h"
		238	@@ -214,6 +215,8 @@ XSetCommand (
		239	register char buf, bp;
		240	for (i = 0, nbytes = 0; i < argc; i++) {
		241	nbytes += safestrlen(argv[i]) + 1;
		242	+ if (nbytes >= USHRT_MAX)
		243	+ return 1;
		244	}
		245	if ((bp = buf = Xmalloc(nbytes))) {
		246	/* copy arguments into single buffer */
		247	@@ -256,6 +259,8 @@ XSetStandardProperties (
		248
		249	if (name != NULL) XStoreName (dpy, w, name);
		250
		251	+ if (safestrlen(icon_string) >= USHRT_MAX)
		252	+ return 1;
		253	if (icon_string != NULL) {
		254	XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
		255	PropModeReplace,
		256	@@ -298,6 +303,8 @@ XSetClassHint(
		257
		258	len_nm = safestrlen(classhint->res_name);
		259	len_cl = safestrlen(classhint->res_class);
		260	+ if (len_nm + len_cl >= USHRT_MAX)
		261	+ return 1;
		262	if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) {
		263	if (len_nm) {
		264	strcpy(s, classhint->res_name);
		265	diff --git a/src/StNColor.c b/src/StNColor.c
		266	index 3b50401b..16dc9cbc 100644
		267	--- a/src/StNColor.c
		268	+++ b/src/StNColor.c
		269	@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
		270	#ifdef HAVE_CONFIG_H
		271	#include <config.h>
		272	#endif
		273	+#include <limits.h>
		274	#include <stdio.h>
		275	#include "Xlibint.h"
		276	#include "Xcmsint.h"
		277	@@ -46,6 +47,8 @@ int flags) /* DoRed, DoGreen, DoBlue */
		278	XcmsColor cmsColor_exact;
		279	XColor scr_def;
		280
		281	+ if (strlen(name) >= USHRT_MAX)
		282	+ return 0;
		283	#ifdef XCMS
		284	/*
		285	* Let's Attempt to use Xcms approach to Parse Color
		286	diff --git a/src/StName.c b/src/StName.c
		287	index 58b5a5a6..04bb3aa6 100644
		288	--- a/src/StName.c
		289	+++ b/src/StName.c
		290	@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
		291	#ifdef HAVE_CONFIG_H
		292	#include <config.h>
		293	#endif
		294	+#include <limits.h>
		295	#include <X11/Xlibint.h>
		296	#include <X11/Xatom.h>
		297
		298	@@ -36,7 +37,9 @@ XStoreName (
		299	Window w,
		300	_Xconst char *name)
		301	{
		302	- return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING,
		303	+ if (strlen(name) >= USHRT_MAX)
		304	+ return 0;
		305	+ return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /* */
		306	8, PropModeReplace, (_Xconst unsigned char *)name,
		307	name ? (int) strlen(name) : 0);
		308	}
		309	@@ -47,6 +50,8 @@ XSetIconName (
		310	Window w,
		311	_Xconst char *icon_name)
		312	{
		313	+ if (strlen(icon_name) >= USHRT_MAX)
		314	+ return 0;
		315	return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
		316	PropModeReplace, (_Xconst unsigned char *)icon_name,
		317	icon_name ? (int) strlen(icon_name) : 0);
		318	--
		319	GitLab
		320


diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.7.0.bb b/meta/recipes-graphics/xorg-lib/libx11_1.7.0.bb index 3faee6e497..c6429cbbac 100644 --- a/meta/recipes-graphics/xorg-lib/libx11_1.7.0.bb +++ b/meta/recipes-graphics/xorg-lib/libx11_1.7.0.bb
@@ -11,8 +11,9 @@ FILESEXTRAPATHS =. "${FILE_DIRNAME}/libx11:"
11	PE = "1"	11	PE = "1"
12		12
13	SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \	13	SRC_URI += "file://Fix-hanging-issue-in-_XReply.patch \
14	file://disable_tests.patch \	14	file://disable_tests.patch \
15	"	15	file://fix-CVE-2021-31535.patch \
		16	"
16		17
17	SRC_URI[sha256sum] = "36c8f93b6595437c8cfbc9f08618bcb3041cbd303e140a0013f88e4c2977cb54"	18	SRC_URI[sha256sum] = "36c8f93b6595437c8cfbc9f08618bcb3041cbd303e140a0013f88e4c2977cb54"
18		19