xserver-xorg: Security fix for CVE-2020-14360/-25712

Source: https://gitlab.freedesktop.org/xorg/xserver MR: 108223, Type: Security Fix Disposition: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/446ff2d3177087b8173fa779fa5b77a2a128988b and https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9 ChangeID: 496c2a2d80e4f8fff9b0d3148fca70c090cec31e Description: affects < 1.20.10 Fixes CVE-2020-14360 and CVE-2020-25712 (From OE-Core rev: ee4a4f9053909f820de48a48750bda92170aaf86) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2021-09-09 16:55:20 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-09-14 17:27:42 +0100
commit: d3f4731220e66a97d5eff60df8de6d0683169cda (patch)
tree: 96bc7b342c9a1172afe099818a718f61086df254 /meta
parent: 7f73831fde4c3e31bda5631ed966f33d8e9c9d45 (diff)
download: poky-d3f4731220e66a97d5eff60df8de6d0683169cda.tar.gz
3 files changed, 236 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch
new file mode 100644
index 0000000000..e9ab42742e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch
@@ -0,0 +1,132 @@
+From 446ff2d3177087b8173fa779fa5b77a2a128988b Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Thu, 12 Nov 2020 19:15:07 +0100
+Subject: [PATCH] Check SetMap request length carefully.
+Avoid out of bounds memory accesses on too short request.
+ZDI-CAN 11572 /  CVE-2020-14360
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Upstream-Status: Backport 
+https://gitlab.freedesktop.org/xorg/xserver/-/commit/446ff2d3177087b8173fa779fa5b77a2a128988b
+CVE: CVE-2020-14360
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ xkb/xkb.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 92 insertions(+)
+Index: xorg-server-1.20.8/xkb/xkb.c
+===================================================================
+--- xorg-server-1.20.8.orig/xkb/xkb.c
+++ xorg-server-1.20.8/xkb/xkb.c
+@@ -2382,6 +2382,93 @@ SetVirtualModMap(XkbSrvInfoPtr xkbi,
+     return (char *) wire;
+ }
+ 
+#define _add_check_len(new) \
+    if (len > UINT32_MAX - (new) || len > req_len - (new)) goto bad; \
+    else len += new
+
+/**
+ * Check the length of the SetMap request
+ */
+static int
+_XkbSetMapCheckLength(xkbSetMapReq *req)
+{
+    size_t len = sz_xkbSetMapReq, req_len = req->length << 2;
+    xkbKeyTypeWireDesc *keytype;
+    xkbSymMapWireDesc *symmap;
+    BOOL preserve;
+    int i, map_count, nSyms;
+
+    if (req_len < len)
+        goto bad;
+    /* types */
+    if (req->present & XkbKeyTypesMask) {
+        keytype = (xkbKeyTypeWireDesc *)(req + 1);
+        for (i = 0; i < req->nTypes; i++) {
+            _add_check_len(XkbPaddedSize(sz_xkbKeyTypeWireDesc));
+            if (req->flags & XkbSetMapResizeTypes) {
+                _add_check_len(keytype->nMapEntries
+                               * sz_xkbKTSetMapEntryWireDesc);
+                preserve = keytype->preserve;
+                map_count = keytype->nMapEntries;
+                if (preserve) {
+                    _add_check_len(map_count * sz_xkbModsWireDesc);
+                }
+                keytype += 1;
+                keytype = (xkbKeyTypeWireDesc *)
+                          ((xkbKTSetMapEntryWireDesc *)keytype + map_count);
+                if (preserve)
+                    keytype = (xkbKeyTypeWireDesc *)
+                              ((xkbModsWireDesc *)keytype + map_count);
+            }
+        }
+    }
+    /* syms */
+    if (req->present & XkbKeySymsMask) {
+        symmap = (xkbSymMapWireDesc *)((char *)req + len);
+        for (i = 0; i < req->nKeySyms; i++) {
+            _add_check_len(sz_xkbSymMapWireDesc);
+            nSyms = symmap->nSyms;
+            _add_check_len(nSyms*sizeof(CARD32));
+            symmap += 1;
+            symmap = (xkbSymMapWireDesc *)((CARD32 *)symmap + nSyms);
+        }
+    }
+    /* actions */
+    if (req->present & XkbKeyActionsMask) {
+        _add_check_len(req->totalActs * sz_xkbActionWireDesc 
+                       + XkbPaddedSize(req->nKeyActs));
+    }
+    /* behaviours */
+    if (req->present & XkbKeyBehaviorsMask) {
+        _add_check_len(req->totalKeyBehaviors * sz_xkbBehaviorWireDesc);
+    }
+    /* vmods */
+    if (req->present & XkbVirtualModsMask) {
+        _add_check_len(XkbPaddedSize(Ones(req->virtualMods)));
+    }
+    /* explicit */
+    if (req->present & XkbExplicitComponentsMask) {
+        /* two bytes per non-zero explicit componen */
+        _add_check_len(XkbPaddedSize(req->totalKeyExplicit * sizeof(CARD16)));
+    }
+    /* modmap */
+    if (req->present & XkbModifierMapMask) {
+         /* two bytes per non-zero modmap component */
+        _add_check_len(XkbPaddedSize(req->totalModMapKeys * sizeof(CARD16)));
+    }
+    /* vmodmap */
+    if (req->present & XkbVirtualModMapMask) {
+        _add_check_len(req->totalVModMapKeys * sz_xkbVModMapWireDesc);
+    }
+    if (len == req_len)
+        return Success;
+bad:
+    ErrorF("[xkb] BOGUS LENGTH in SetMap: expected %ld got %ld\n",
+           len, req_len);
+    return BadLength;
+}
+
+
+ /**
+  * Check if the given request can be applied to the given device but don't
+  * actually do anything..
+@@ -2639,6 +2726,11 @@ ProcXkbSetMap(ClientPtr client)
+     CHK_KBD_DEVICE(dev, stuff->deviceSpec, client, DixManageAccess);
+     CHK_MASK_LEGAL(0x01, stuff->present, XkbAllMapComponentsMask);
+ 
+    /* first verify the request length carefully */
+    rc = _XkbSetMapCheckLength(stuff);
+    if (rc != Success)
+        return rc;
+
+     tmp = (char *) &stuff[1];
+ 
+     /* Check if we can to the SetMap on the requested device. If this
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-25712.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-25712.patch
new file mode 100644
index 0000000000..f39f6b32b1
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-25712.patch
@@ -0,0 +1,102 @@
+From 87c64fc5b0db9f62f4e361444f4b60501ebf67b9 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Sun, 11 Oct 2020 17:05:09 +0200
+Subject: [PATCH] Fix XkbSetDeviceInfo() and SetDeviceIndicators() heap
+ overflows
+ZDI-CAN 11389 / CVE-2020-25712
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Upstream-Status: Backport
+https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9
+CVE: CVE-2020-25712
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ xkb/xkb.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+Index: xorg-server-1.20.8/xkb/xkb.c
+===================================================================
+--- xorg-server-1.20.8.orig/xkb/xkb.c
+++ xorg-server-1.20.8/xkb/xkb.c
+@@ -6625,7 +6625,9 @@ SetDeviceIndicators(char *wire,
+                     unsigned changed,
+                     int num,
+                     int *status_rtrn,
+-                    ClientPtr client, xkbExtensionDeviceNotify * ev)
+                    ClientPtr client,
+                    xkbExtensionDeviceNotify * ev,
+                    xkbSetDeviceInfoReq * stuff)
+ {
+     xkbDeviceLedsWireDesc *ledWire;
+     int i;
+@@ -6646,6 +6648,11 @@ SetDeviceIndicators(char *wire,
+         xkbIndicatorMapWireDesc *mapWire;
+         XkbSrvLedInfoPtr sli;
+ 
+        if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) {
+            *status_rtrn = BadLength;
+            return (char *) ledWire;
+        }
+
+         namec = mapc = statec = 0;
+         sli = XkbFindSrvLedInfo(dev, ledWire->ledClass, ledWire->ledID,
+                                 XkbXI_IndicatorMapsMask);
+@@ -6664,6 +6671,10 @@ SetDeviceIndicators(char *wire,
+             memset((char *) sli->names, 0, XkbNumIndicators * sizeof(Atom));
+             for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
+                 if (ledWire->namesPresent & bit) {
+                    if (!_XkbCheckRequestBounds(client, stuff, atomWire, atomWire + 1)) {
+                        *status_rtrn = BadLength;
+                        return (char *) atomWire;
+                    }
+                     sli->names[n] = (Atom) *atomWire;
+                     if (sli->names[n] == None)
+                         ledWire->namesPresent &= ~bit;
+@@ -6681,6 +6692,10 @@ SetDeviceIndicators(char *wire,
+         if (ledWire->mapsPresent) {
+             for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
+                 if (ledWire->mapsPresent & bit) {
+                    if (!_XkbCheckRequestBounds(client, stuff, mapWire, mapWire + 1)) {
+                        *status_rtrn = BadLength;
+                        return (char *) mapWire;
+                    }
+                     sli->maps[n].flags = mapWire->flags;
+                     sli->maps[n].which_groups = mapWire->whichGroups;
+                     sli->maps[n].groups = mapWire->groups;
+@@ -6760,7 +6775,7 @@ _XkbSetDeviceInfoCheck(ClientPtr client,
+     ed.deviceID = dev->id;
+     wire = (char *) &stuff[1];
+     if (stuff->change & XkbXI_ButtonActionsMask) {
+-        int nBtns, sz, i;
+       int nBtns, sz, i;
+         XkbAction *acts;
+         DeviceIntPtr kbd;
+ 
+@@ -6772,7 +6787,11 @@ _XkbSetDeviceInfoCheck(ClientPtr client,
+                 return BadAlloc;
+             dev->button->xkb_acts = acts;
+         }
+        if (stuff->firstBtn + stuff->nBtns > nBtns)
+            return BadValue;
+         sz = stuff->nBtns * SIZEOF(xkbActionWireDesc);
+        if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz))
+            return BadLength;
+         memcpy((char *) &acts[stuff->firstBtn], (char *) wire, sz);
+         wire += sz;
+         ed.reason |= XkbXI_ButtonActionsMask;
+@@ -6793,7 +6812,8 @@ _XkbSetDeviceInfoCheck(ClientPtr client,
+         int status = Success;
+ 
+         wire = SetDeviceIndicators(wire, dev, stuff->change,
+-                                   stuff->nDeviceLedFBs, &status, client, &ed);
+                                   stuff->nDeviceLedFBs, &status, client, &ed,
+                                   stuff);
+         if (status != Success)
+             return status;
+     }
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
index 2af1b6f307..8c77c3756b 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
@@ -10,6 +10,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
           file://CVE-2020-14361.patch \
           file://CVE-2020-14362.patch \
           file://CVE-2020-14345.patch \
+           file://CVE-2020-14360.patch \
+           file://CVE-2020-25712.patch \
           "
 SRC_URI[md5sum] = "a770aec600116444a953ff632f51f839"
 SRC_URI[sha256sum] = "d17b646bee4ba0fb7850c1cc55b18e3e8513ed5c02bdf38da7e107f84e2d0146"
author	Armin Kuster <akuster@mvista.com>	2021-09-09 16:55:20 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-09-14 17:27:42 +0100
commit	d3f4731220e66a97d5eff60df8de6d0683169cda (patch)
tree	96bc7b342c9a1172afe099818a718f61086df254 /meta
parent	7f73831fde4c3e31bda5631ed966f33d8e9c9d45 (diff)
download	poky-d3f4731220e66a97d5eff60df8de6d0683169cda.tar.gz

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch new file mode 100644 index 0000000000..e9ab42742e --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch
@@ -0,0 +1,132 @@
		1	From 446ff2d3177087b8173fa779fa5b77a2a128988b Mon Sep 17 00:00:00 2001
		2	From: Matthieu Herrb <matthieu@herrb.eu>
		3	Date: Thu, 12 Nov 2020 19:15:07 +0100
		4	Subject: [PATCH] Check SetMap request length carefully.
		5
		6	Avoid out of bounds memory accesses on too short request.
		7
		8	ZDI-CAN 11572 / CVE-2020-14360
		9
		10	This vulnerability was discovered by:
		11	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		12
		13	Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
		14
		15	Upstream-Status: Backport
		16	https://gitlab.freedesktop.org/xorg/xserver/-/commit/446ff2d3177087b8173fa779fa5b77a2a128988b
		17	CVE: CVE-2020-14360
		18	Signed-off-by: Armin Kuster <akuster@mvista.com>
		19	---
		20	xkb/xkb.c \| 92 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
		21	1 file changed, 92 insertions(+)
		22
		23	Index: xorg-server-1.20.8/xkb/xkb.c
		24	===================================================================
		25	--- xorg-server-1.20.8.orig/xkb/xkb.c
		26	+++ xorg-server-1.20.8/xkb/xkb.c
		27	@@ -2382,6 +2382,93 @@ SetVirtualModMap(XkbSrvInfoPtr xkbi,
		28	return (char *) wire;
		29	}
		30
		31	+#define _add_check_len(new) \
		32	+ if (len > UINT32_MAX - (new) \|\| len > req_len - (new)) goto bad; \
		33	+ else len += new
		34	+
		35	+/**
		36	+ * Check the length of the SetMap request
		37	+ */
		38	+static int
		39	+_XkbSetMapCheckLength(xkbSetMapReq *req)
		40	+{
		41	+ size_t len = sz_xkbSetMapReq, req_len = req->length << 2;
		42	+ xkbKeyTypeWireDesc *keytype;
		43	+ xkbSymMapWireDesc *symmap;
		44	+ BOOL preserve;
		45	+ int i, map_count, nSyms;
		46	+
		47	+ if (req_len < len)
		48	+ goto bad;
		49	+ /* types */
		50	+ if (req->present & XkbKeyTypesMask) {
		51	+ keytype = (xkbKeyTypeWireDesc *)(req + 1);
		52	+ for (i = 0; i < req->nTypes; i++) {
		53	+ _add_check_len(XkbPaddedSize(sz_xkbKeyTypeWireDesc));
		54	+ if (req->flags & XkbSetMapResizeTypes) {
		55	+ _add_check_len(keytype->nMapEntries
		56	+ * sz_xkbKTSetMapEntryWireDesc);
		57	+ preserve = keytype->preserve;
		58	+ map_count = keytype->nMapEntries;
		59	+ if (preserve) {
		60	+ _add_check_len(map_count * sz_xkbModsWireDesc);
		61	+ }
		62	+ keytype += 1;
		63	+ keytype = (xkbKeyTypeWireDesc *)
		64	+ ((xkbKTSetMapEntryWireDesc *)keytype + map_count);
		65	+ if (preserve)
		66	+ keytype = (xkbKeyTypeWireDesc *)
		67	+ ((xkbModsWireDesc *)keytype + map_count);
		68	+ }
		69	+ }
		70	+ }
		71	+ /* syms */
		72	+ if (req->present & XkbKeySymsMask) {
		73	+ symmap = (xkbSymMapWireDesc )((char )req + len);
		74	+ for (i = 0; i < req->nKeySyms; i++) {
		75	+ _add_check_len(sz_xkbSymMapWireDesc);
		76	+ nSyms = symmap->nSyms;
		77	+ _add_check_len(nSyms*sizeof(CARD32));
		78	+ symmap += 1;
		79	+ symmap = (xkbSymMapWireDesc )((CARD32 )symmap + nSyms);
		80	+ }
		81	+ }
		82	+ /* actions */
		83	+ if (req->present & XkbKeyActionsMask) {
		84	+ _add_check_len(req->totalActs * sz_xkbActionWireDesc
		85	+ + XkbPaddedSize(req->nKeyActs));
		86	+ }
		87	+ /* behaviours */
		88	+ if (req->present & XkbKeyBehaviorsMask) {
		89	+ _add_check_len(req->totalKeyBehaviors * sz_xkbBehaviorWireDesc);
		90	+ }
		91	+ /* vmods */
		92	+ if (req->present & XkbVirtualModsMask) {
		93	+ _add_check_len(XkbPaddedSize(Ones(req->virtualMods)));
		94	+ }
		95	+ /* explicit */
		96	+ if (req->present & XkbExplicitComponentsMask) {
		97	+ /* two bytes per non-zero explicit componen */
		98	+ _add_check_len(XkbPaddedSize(req->totalKeyExplicit * sizeof(CARD16)));
		99	+ }
		100	+ /* modmap */
		101	+ if (req->present & XkbModifierMapMask) {
		102	+ /* two bytes per non-zero modmap component */
		103	+ _add_check_len(XkbPaddedSize(req->totalModMapKeys * sizeof(CARD16)));
		104	+ }
		105	+ /* vmodmap */
		106	+ if (req->present & XkbVirtualModMapMask) {
		107	+ _add_check_len(req->totalVModMapKeys * sz_xkbVModMapWireDesc);
		108	+ }
		109	+ if (len == req_len)
		110	+ return Success;
		111	+bad:
		112	+ ErrorF("[xkb] BOGUS LENGTH in SetMap: expected %ld got %ld\n",
		113	+ len, req_len);
		114	+ return BadLength;
		115	+}
		116	+
		117	+
		118	/**
		119	* Check if the given request can be applied to the given device but don't
		120	* actually do anything..
		121	@@ -2639,6 +2726,11 @@ ProcXkbSetMap(ClientPtr client)
		122	CHK_KBD_DEVICE(dev, stuff->deviceSpec, client, DixManageAccess);
		123	CHK_MASK_LEGAL(0x01, stuff->present, XkbAllMapComponentsMask);
		124
		125	+ /* first verify the request length carefully */
		126	+ rc = _XkbSetMapCheckLength(stuff);
		127	+ if (rc != Success)
		128	+ return rc;
		129	+
		130	tmp = (char *) &stuff[1];
		131
		132	/* Check if we can to the SetMap on the requested device. If this


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-25712.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-25712.patch new file mode 100644 index 0000000000..f39f6b32b1 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-25712.patch
@@ -0,0 +1,102 @@
		1	From 87c64fc5b0db9f62f4e361444f4b60501ebf67b9 Mon Sep 17 00:00:00 2001
		2	From: Matthieu Herrb <matthieu@herrb.eu>
		3	Date: Sun, 11 Oct 2020 17:05:09 +0200
		4	Subject: [PATCH] Fix XkbSetDeviceInfo() and SetDeviceIndicators() heap
		5	overflows
		6
		7	ZDI-CAN 11389 / CVE-2020-25712
		8
		9	This vulnerability was discovered by:
		10	Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
		11
		12	Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
		13
		14	Upstream-Status: Backport
		15	https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9
		16	CVE: CVE-2020-25712
		17	Signed-off-by: Armin Kuster <akuster@mvista.com>
		18
		19	---
		20	xkb/xkb.c \| 26 +++++++++++++++++++++++---
		21	1 file changed, 23 insertions(+), 3 deletions(-)
		22
		23	Index: xorg-server-1.20.8/xkb/xkb.c
		24	===================================================================
		25	--- xorg-server-1.20.8.orig/xkb/xkb.c
		26	+++ xorg-server-1.20.8/xkb/xkb.c
		27	@@ -6625,7 +6625,9 @@ SetDeviceIndicators(char *wire,
		28	unsigned changed,
		29	int num,
		30	int *status_rtrn,
		31	- ClientPtr client, xkbExtensionDeviceNotify * ev)
		32	+ ClientPtr client,
		33	+ xkbExtensionDeviceNotify * ev,
		34	+ xkbSetDeviceInfoReq * stuff)
		35	{
		36	xkbDeviceLedsWireDesc *ledWire;
		37	int i;
		38	@@ -6646,6 +6648,11 @@ SetDeviceIndicators(char *wire,
		39	xkbIndicatorMapWireDesc *mapWire;
		40	XkbSrvLedInfoPtr sli;
		41
		42	+ if (!_XkbCheckRequestBounds(client, stuff, ledWire, ledWire + 1)) {
		43	+ *status_rtrn = BadLength;
		44	+ return (char *) ledWire;
		45	+ }
		46	+
		47	namec = mapc = statec = 0;
		48	sli = XkbFindSrvLedInfo(dev, ledWire->ledClass, ledWire->ledID,
		49	XkbXI_IndicatorMapsMask);
		50	@@ -6664,6 +6671,10 @@ SetDeviceIndicators(char *wire,
		51	memset((char ) sli->names, 0, XkbNumIndicators sizeof(Atom));
		52	for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
		53	if (ledWire->namesPresent & bit) {
		54	+ if (!_XkbCheckRequestBounds(client, stuff, atomWire, atomWire + 1)) {
		55	+ *status_rtrn = BadLength;
		56	+ return (char *) atomWire;
		57	+ }
		58	sli->names[n] = (Atom) *atomWire;
		59	if (sli->names[n] == None)
		60	ledWire->namesPresent &= ~bit;
		61	@@ -6681,6 +6692,10 @@ SetDeviceIndicators(char *wire,
		62	if (ledWire->mapsPresent) {
		63	for (n = 0, bit = 1; n < XkbNumIndicators; n++, bit <<= 1) {
		64	if (ledWire->mapsPresent & bit) {
		65	+ if (!_XkbCheckRequestBounds(client, stuff, mapWire, mapWire + 1)) {
		66	+ *status_rtrn = BadLength;
		67	+ return (char *) mapWire;
		68	+ }
		69	sli->maps[n].flags = mapWire->flags;
		70	sli->maps[n].which_groups = mapWire->whichGroups;
		71	sli->maps[n].groups = mapWire->groups;
		72	@@ -6760,7 +6775,7 @@ _XkbSetDeviceInfoCheck(ClientPtr client,
		73	ed.deviceID = dev->id;
		74	wire = (char *) &stuff[1];
		75	if (stuff->change & XkbXI_ButtonActionsMask) {
		76	- int nBtns, sz, i;
		77	+ int nBtns, sz, i;
		78	XkbAction *acts;
		79	DeviceIntPtr kbd;
		80
		81	@@ -6772,7 +6787,11 @@ _XkbSetDeviceInfoCheck(ClientPtr client,
		82	return BadAlloc;
		83	dev->button->xkb_acts = acts;
		84	}
		85	+ if (stuff->firstBtn + stuff->nBtns > nBtns)
		86	+ return BadValue;
		87	sz = stuff->nBtns * SIZEOF(xkbActionWireDesc);
		88	+ if (!_XkbCheckRequestBounds(client, stuff, wire, (char *) wire + sz))
		89	+ return BadLength;
		90	memcpy((char ) &acts[stuff->firstBtn], (char ) wire, sz);
		91	wire += sz;
		92	ed.reason \|= XkbXI_ButtonActionsMask;
		93	@@ -6793,7 +6812,8 @@ _XkbSetDeviceInfoCheck(ClientPtr client,
		94	int status = Success;
		95
		96	wire = SetDeviceIndicators(wire, dev, stuff->change,
		97	- stuff->nDeviceLedFBs, &status, client, &ed);
		98	+ stuff->nDeviceLedFBs, &status, client, &ed,
		99	+ stuff);
		100	if (status != Success)
		101	return status;
		102	}


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb index 2af1b6f307..8c77c3756b 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.8.bb
@@ -10,6 +10,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
10	file://CVE-2020-14361.patch \	10	file://CVE-2020-14361.patch \
11	file://CVE-2020-14362.patch \	11	file://CVE-2020-14362.patch \
12	file://CVE-2020-14345.patch \	12	file://CVE-2020-14345.patch \
		13	file://CVE-2020-14360.patch \
		14	file://CVE-2020-25712.patch \
13	"	15	"
14	SRC_URI[md5sum] = "a770aec600116444a953ff632f51f839"	16	SRC_URI[md5sum] = "a770aec600116444a953ff632f51f839"
15	SRC_URI[sha256sum] = "d17b646bee4ba0fb7850c1cc55b18e3e8513ed5c02bdf38da7e107f84e2d0146"	17	SRC_URI[sha256sum] = "d17b646bee4ba0fb7850c1cc55b18e3e8513ed5c02bdf38da7e107f84e2d0146"