1 files changed, 333 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch
new file mode 100644
index 0000000000..97c4c17a8a
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch
@@ -0,0 +1,333 @@
+From 5c539ee6aba5872fcc73aa3d46a4e9a33dc030db Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Fri, 19 Feb 2021 15:30:39 +0100
+Subject: [PATCH] Reject string longer than USHRT_MAX before sending them on
+ the wire
+The X protocol uses CARD16 values to represent the length so
+this would overflow.
+CVE-2021-31535
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+https://lists.x.org/archives/xorg-announce/2021-May/003088.html
+XLookupColor() and other X libraries function lack proper validation
+of the length of their string parameters. If those parameters can be
+controlled by an external application (for instance a color name that
+can be emitted via a terminal control sequence) it can lead to the
+emission of extra X protocol requests to the X server.
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8d2e02ae650f00c4a53deb625211a0527126c605]
+CVE: CVE-2021-31535
+Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
+---
+ src/Font.c      | 6 ++++--
+ src/FontInfo.c  | 3 +++
+ src/FontNames.c | 3 +++
+ src/GetColor.c  | 4 ++++
+ src/LoadFont.c  | 4 ++++
+ src/LookupCol.c | 6 ++++--
+ src/ParseCol.c  | 5 ++++-
+ src/QuExt.c     | 5 +++++
+ src/SetFPath.c  | 8 +++++++-
+ src/SetHints.c  | 7 +++++++
+ src/StNColor.c  | 3 +++
+ src/StName.c    | 7 ++++++-
+ 12 files changed, 54 insertions(+), 7 deletions(-)
+diff --git a/src/Font.c b/src/Font.c
+index 09d2ae91..3f468e4b 100644
+--- a/src/Font.c
+++ b/src/Font.c
+@@ -102,6 +102,8 @@ XFontStruct *XLoadQueryFont(
+     XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy);
+ #endif
+ 
+    if (strlen(name) >= USHRT_MAX)
+        return NULL;
+     if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0))
+       return font_result;
+     LockDisplay(dpy);
+@@ -662,8 +664,8 @@ int _XF86LoadQueryLocaleFont(
+ 
+     if (!name)
+        return 0;
+-    l = strlen(name);
+-    if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-')
+    l = (int) strlen(name);
+    if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX)
+        return 0;
+     charset = NULL;
+     /* next three lines stolen from _XkbGetCharset() */
+diff --git a/src/FontInfo.c b/src/FontInfo.c
+index f870e431..51b48e29 100644
+--- a/src/FontInfo.c
+++ b/src/FontInfo.c
+@@ -58,6 +58,9 @@ XFontStruct **info)   /* RETURN */
+     register xListFontsReq *req;
+     int j;
+ 
+    if (strlen(pattern) >= USHRT_MAX)
+        return NULL;
+
+     LockDisplay(dpy);
+     GetReq(ListFontsWithInfo, req);
+     req->maxNames = maxNames;
+diff --git a/src/FontNames.c b/src/FontNames.c
+index b78792d6..4dac4916 100644
+--- a/src/FontNames.c
+++ b/src/FontNames.c
+@@ -51,6 +51,9 @@ int *actualCount)     /* RETURN */
+     register xListFontsReq *req;
+     unsigned long rlen = 0;
+ 
+    if (strlen(pattern) >= USHRT_MAX)
+        return NULL;
+
+     LockDisplay(dpy);
+     GetReq(ListFonts, req);
+     req->maxNames = maxNames;
+diff --git a/src/GetColor.c b/src/GetColor.c
+index cd0eb9f6..512ac308 100644
+--- a/src/GetColor.c
+++ b/src/GetColor.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
+#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -48,6 +49,9 @@ XColor *exact_def) /* RETURN */
+     XcmsColor cmsColor_exact;
+     Status ret;
+ 
+    if (strlen(colorname) >= USHRT_MAX)
+        return (0);
+
+ #ifdef XCMS
+     /*
+      * Let's Attempt to use Xcms and i18n approach to Parse Color
+diff --git a/src/LoadFont.c b/src/LoadFont.c
+index f547976b..85735249 100644
+--- a/src/LoadFont.c
+++ b/src/LoadFont.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
+#include <limits.h>
+ #include "Xlibint.h"
+ 
+ Font
+@@ -38,6 +39,9 @@ XLoadFont (
+     Font fid;
+     register xOpenFontReq *req;
+ 
+    if (strlen(name) >= USHRT_MAX)
+        return (0);
+
+     if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid))
+       return fid;
+ 
+diff --git a/src/LookupCol.c b/src/LookupCol.c
+index f7f969f5..cd9b1368 100644
+--- a/src/LookupCol.c
+++ b/src/LookupCol.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
+#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -46,6 +47,9 @@ XLookupColor (
+        XcmsCCC ccc;
+        XcmsColor cmsColor_exact;
+ 
+       n = (int) strlen (spec);
+       if (n >= USHRT_MAX)
+            return 0;
+ #ifdef XCMS
+        /*
+         * Let's Attempt to use Xcms and i18n approach to Parse Color
+@@ -77,8 +81,6 @@ XLookupColor (
+         * Xcms and i18n methods failed, so lets pass it to the server
+         * for parsing.
+         */
+-
+-       n = strlen (spec);
+        LockDisplay(dpy);
+        GetReq (LookupColor, req);
+        req->cmap = cmap;
+diff --git a/src/ParseCol.c b/src/ParseCol.c
+index e997b1b8..180132dd 100644
+--- a/src/ParseCol.c
+++ b/src/ParseCol.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
+#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -46,7 +47,9 @@ XParseColor (
+        XcmsColor cmsColor;
+ 
+         if (!spec) return(0);
+-       n = strlen (spec);
+       n = (int) strlen (spec);
+       if (n >= USHRT_MAX)
+            return(0);
+        if (*spec == '#') {
+            /*
+             * RGB
+diff --git a/src/QuExt.c b/src/QuExt.c
+index 4e230e77..d38a1572 100644
+--- a/src/QuExt.c
+++ b/src/QuExt.c
+@@ -27,6 +27,8 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
+#include <limits.h>
+#include <stdbool.h>
+ #include "Xlibint.h"
+ 
+ Bool
+@@ -40,6 +42,9 @@ XQueryExtension(
+     xQueryExtensionReply rep;
+     register xQueryExtensionReq *req;
+ 
+    if (strlen(name) >= USHRT_MAX)
+        return false;
+
+     LockDisplay(dpy);
+     GetReq(QueryExtension, req);
+     req->nbytes = name ? strlen(name) : 0;
+diff --git a/src/SetFPath.c b/src/SetFPath.c
+index 60aaef01..3d8c50cb 100644
+--- a/src/SetFPath.c
+++ b/src/SetFPath.c
+@@ -26,6 +26,7 @@ in this Software without prior written authorization from The Open Group.
+ 
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+#include <limits.h>
+ #endif
+ #include "Xlibint.h"
+ 
+@@ -48,7 +49,12 @@ XSetFontPath (
+        GetReq (SetFontPath, req);
+        req->nFonts = ndirs;
+        for (i = 0; i < ndirs; i++) {
+-               n += safestrlen (directories[i]) + 1;
+               n = (int) ((size_t) n + (safestrlen (directories[i]) + 1));
+               if (n >= USHRT_MAX) {
+                       UnlockDisplay(dpy);
+                       SyncHandle();
+                       return 0;
+               }
+        }
+        nbytes = (n + 3) & ~3;
+        req->length += nbytes >> 2;
+diff --git a/src/SetHints.c b/src/SetHints.c
+index bc46498a..f3d727ec 100644
+--- a/src/SetHints.c
+++ b/src/SetHints.c
+@@ -49,6 +49,7 @@ SOFTWARE.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
+#include <limits.h>
+ #include <X11/Xlibint.h>
+ #include <X11/Xutil.h>
+ #include "Xatomtype.h"
+@@ -214,6 +215,8 @@ XSetCommand (
+        register char *buf, *bp;
+        for (i = 0, nbytes = 0; i < argc; i++) {
+                nbytes += safestrlen(argv[i]) + 1;
+               if (nbytes >= USHRT_MAX)
+                    return 1;
+        }
+        if ((bp = buf = Xmalloc(nbytes))) {
+            /* copy arguments into single buffer */
+@@ -256,6 +259,8 @@ XSetStandardProperties (
+ 
+        if (name != NULL) XStoreName (dpy, w, name);
+ 
+        if (safestrlen(icon_string) >= USHRT_MAX)
+            return 1;
+        if (icon_string != NULL) {
+            XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
+                              PropModeReplace,
+@@ -298,6 +303,8 @@ XSetClassHint(
+ 
+        len_nm = safestrlen(classhint->res_name);
+        len_cl = safestrlen(classhint->res_class);
+        if (len_nm + len_cl >= USHRT_MAX)
+            return 1;
+        if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) {
+            if (len_nm) {
+                strcpy(s, classhint->res_name);
+diff --git a/src/StNColor.c b/src/StNColor.c
+index 8b821c3e..ba021958 100644
+--- a/src/StNColor.c
+++ b/src/StNColor.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
+#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -46,6 +47,8 @@ int flags)  /* DoRed, DoGreen, DoBlue */
+     XcmsColor cmsColor_exact;
+     XColor scr_def;
+ 
+    if (strlen(name) >= USHRT_MAX)
+        return 0;
+ #ifdef XCMS
+     /*
+      * Let's Attempt to use Xcms approach to Parse Color
+diff --git a/src/StName.c b/src/StName.c
+index b4048bff..5a632d0c 100644
+--- a/src/StName.c
+++ b/src/StName.c
+@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
+#include <limits.h>
+ #include <X11/Xlibint.h>
+ #include <X11/Xatom.h>
+ 
+@@ -36,7 +37,9 @@ XStoreName (
+     Window w,
+     _Xconst char *name)
+ {
+-    return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING,
+    if (strlen(name) >= USHRT_MAX)
+        return 0;
+    return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /*  */
+                           8, PropModeReplace, (_Xconst unsigned char *)name,
+                           name ? strlen(name) : 0);
+ }
+@@ -47,6 +50,8 @@ XSetIconName (
+     Window w,
+     _Xconst char *icon_name)
+ {
+    if (strlen(icon_name) >= USHRT_MAX)
+        return 0;
+     return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
+                            PropModeReplace, (_Xconst unsigned char *)icon_name,
+                           icon_name ? strlen(icon_name) : 0);
+-- 
+2.32.0

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch new file mode 100644 index 0000000000..97c4c17a8a --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch
@@ -0,0 +1,333 @@
	1	From 5c539ee6aba5872fcc73aa3d46a4e9a33dc030db Mon Sep 17 00:00:00 2001
	2	From: Matthieu Herrb <matthieu@herrb.eu>
	3	Date: Fri, 19 Feb 2021 15:30:39 +0100
	4	Subject: [PATCH] Reject string longer than USHRT_MAX before sending them on
	5	the wire
	6
	7	The X protocol uses CARD16 values to represent the length so
	8	this would overflow.
	9
	10	CVE-2021-31535
	11
	12	Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
	13
	14	https://lists.x.org/archives/xorg-announce/2021-May/003088.html
	15
	16	XLookupColor() and other X libraries function lack proper validation
	17	of the length of their string parameters. If those parameters can be
	18	controlled by an external application (for instance a color name that
	19	can be emitted via a terminal control sequence) it can lead to the
	20	emission of extra X protocol requests to the X server.
	21
	22	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8d2e02ae650f00c4a53deb625211a0527126c605]
	23	CVE: CVE-2021-31535
	24	Signed-off-by: Jasper Orschulko <Jasper.Orschulko@iris-sensing.com>
	25	---
	26	src/Font.c \| 6 ++++--
	27	src/FontInfo.c \| 3 +++
	28	src/FontNames.c \| 3 +++
	29	src/GetColor.c \| 4 ++++
	30	src/LoadFont.c \| 4 ++++
	31	src/LookupCol.c \| 6 ++++--
	32	src/ParseCol.c \| 5 ++++-
	33	src/QuExt.c \| 5 +++++
	34	src/SetFPath.c \| 8 +++++++-
	35	src/SetHints.c \| 7 +++++++
	36	src/StNColor.c \| 3 +++
	37	src/StName.c \| 7 ++++++-
	38	12 files changed, 54 insertions(+), 7 deletions(-)
	39
	40	diff --git a/src/Font.c b/src/Font.c
	41	index 09d2ae91..3f468e4b 100644
	42	--- a/src/Font.c
	43	+++ b/src/Font.c
	44	@@ -102,6 +102,8 @@ XFontStruct *XLoadQueryFont(
	45	XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy);
	46	#endif
	47
	48	+ if (strlen(name) >= USHRT_MAX)
	49	+ return NULL;
	50	if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0))
	51	return font_result;
	52	LockDisplay(dpy);
	53	@@ -662,8 +664,8 @@ int _XF86LoadQueryLocaleFont(
	54
	55	if (!name)
	56	return 0;
	57	- l = strlen(name);
	58	- if (l < 2 \|\| name[l - 1] != '*' \|\| name[l - 2] != '-')
	59	+ l = (int) strlen(name);
	60	+ if (l < 2 \|\| name[l - 1] != '*' \|\| name[l - 2] != '-' \|\| l >= USHRT_MAX)
	61	return 0;
	62	charset = NULL;
	63	/* next three lines stolen from _XkbGetCharset() */
	64	diff --git a/src/FontInfo.c b/src/FontInfo.c
	65	index f870e431..51b48e29 100644
	66	--- a/src/FontInfo.c
	67	+++ b/src/FontInfo.c
	68	@@ -58,6 +58,9 @@ XFontStruct *info) / RETURN */
	69	register xListFontsReq *req;
	70	int j;
	71
	72	+ if (strlen(pattern) >= USHRT_MAX)
	73	+ return NULL;
	74	+
	75	LockDisplay(dpy);
	76	GetReq(ListFontsWithInfo, req);
	77	req->maxNames = maxNames;
	78	diff --git a/src/FontNames.c b/src/FontNames.c
	79	index b78792d6..4dac4916 100644
	80	--- a/src/FontNames.c
	81	+++ b/src/FontNames.c
	82	@@ -51,6 +51,9 @@ int actualCount) / RETURN */
	83	register xListFontsReq *req;
	84	unsigned long rlen = 0;
	85
	86	+ if (strlen(pattern) >= USHRT_MAX)
	87	+ return NULL;
	88	+
	89	LockDisplay(dpy);
	90	GetReq(ListFonts, req);
	91	req->maxNames = maxNames;
	92	diff --git a/src/GetColor.c b/src/GetColor.c
	93	index cd0eb9f6..512ac308 100644
	94	--- a/src/GetColor.c
	95	+++ b/src/GetColor.c
	96	@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
	97	#ifdef HAVE_CONFIG_H
	98	#include <config.h>
	99	#endif
	100	+#include <limits.h>
	101	#include <stdio.h>
	102	#include "Xlibint.h"
	103	#include "Xcmsint.h"
	104	@@ -48,6 +49,9 @@ XColor exact_def) / RETURN */
	105	XcmsColor cmsColor_exact;
	106	Status ret;
	107
	108	+ if (strlen(colorname) >= USHRT_MAX)
	109	+ return (0);
	110	+
	111	#ifdef XCMS
	112	/*
	113	* Let's Attempt to use Xcms and i18n approach to Parse Color
	114	diff --git a/src/LoadFont.c b/src/LoadFont.c
	115	index f547976b..85735249 100644
	116	--- a/src/LoadFont.c
	117	+++ b/src/LoadFont.c
	118	@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
	119	#ifdef HAVE_CONFIG_H
	120	#include <config.h>
	121	#endif
	122	+#include <limits.h>
	123	#include "Xlibint.h"
	124
	125	Font
	126	@@ -38,6 +39,9 @@ XLoadFont (
	127	Font fid;
	128	register xOpenFontReq *req;
	129
	130	+ if (strlen(name) >= USHRT_MAX)
	131	+ return (0);
	132	+
	133	if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid))
	134	return fid;
	135
	136	diff --git a/src/LookupCol.c b/src/LookupCol.c
	137	index f7f969f5..cd9b1368 100644
	138	--- a/src/LookupCol.c
	139	+++ b/src/LookupCol.c
	140	@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
	141	#ifdef HAVE_CONFIG_H
	142	#include <config.h>
	143	#endif
	144	+#include <limits.h>
	145	#include <stdio.h>
	146	#include "Xlibint.h"
	147	#include "Xcmsint.h"
	148	@@ -46,6 +47,9 @@ XLookupColor (
	149	XcmsCCC ccc;
	150	XcmsColor cmsColor_exact;
	151
	152	+ n = (int) strlen (spec);
	153	+ if (n >= USHRT_MAX)
	154	+ return 0;
	155	#ifdef XCMS
	156	/*
	157	* Let's Attempt to use Xcms and i18n approach to Parse Color
	158	@@ -77,8 +81,6 @@ XLookupColor (
	159	* Xcms and i18n methods failed, so lets pass it to the server
	160	* for parsing.
	161	*/
	162	-
	163	- n = strlen (spec);
	164	LockDisplay(dpy);
	165	GetReq (LookupColor, req);
	166	req->cmap = cmap;
	167	diff --git a/src/ParseCol.c b/src/ParseCol.c
	168	index e997b1b8..180132dd 100644
	169	--- a/src/ParseCol.c
	170	+++ b/src/ParseCol.c
	171	@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
	172	#ifdef HAVE_CONFIG_H
	173	#include <config.h>
	174	#endif
	175	+#include <limits.h>
	176	#include <stdio.h>
	177	#include "Xlibint.h"
	178	#include "Xcmsint.h"
	179	@@ -46,7 +47,9 @@ XParseColor (
	180	XcmsColor cmsColor;
	181
	182	if (!spec) return(0);
	183	- n = strlen (spec);
	184	+ n = (int) strlen (spec);
	185	+ if (n >= USHRT_MAX)
	186	+ return(0);
	187	if (*spec == '#') {
	188	/*
	189	* RGB
	190	diff --git a/src/QuExt.c b/src/QuExt.c
	191	index 4e230e77..d38a1572 100644
	192	--- a/src/QuExt.c
	193	+++ b/src/QuExt.c
	194	@@ -27,6 +27,8 @@ in this Software without prior written authorization from The Open Group.
	195	#ifdef HAVE_CONFIG_H
	196	#include <config.h>
	197	#endif
	198	+#include <limits.h>
	199	+#include <stdbool.h>
	200	#include "Xlibint.h"
	201
	202	Bool
	203	@@ -40,6 +42,9 @@ XQueryExtension(
	204	xQueryExtensionReply rep;
	205	register xQueryExtensionReq *req;
	206
	207	+ if (strlen(name) >= USHRT_MAX)
	208	+ return false;
	209	+
	210	LockDisplay(dpy);
	211	GetReq(QueryExtension, req);
	212	req->nbytes = name ? strlen(name) : 0;
	213	diff --git a/src/SetFPath.c b/src/SetFPath.c
	214	index 60aaef01..3d8c50cb 100644
	215	--- a/src/SetFPath.c
	216	+++ b/src/SetFPath.c
	217	@@ -26,6 +26,7 @@ in this Software without prior written authorization from The Open Group.
	218
	219	#ifdef HAVE_CONFIG_H
	220	#include <config.h>
	221	+#include <limits.h>
	222	#endif
	223	#include "Xlibint.h"
	224
	225	@@ -48,7 +49,12 @@ XSetFontPath (
	226	GetReq (SetFontPath, req);
	227	req->nFonts = ndirs;
	228	for (i = 0; i < ndirs; i++) {
	229	- n += safestrlen (directories[i]) + 1;
	230	+ n = (int) ((size_t) n + (safestrlen (directories[i]) + 1));
	231	+ if (n >= USHRT_MAX) {
	232	+ UnlockDisplay(dpy);
	233	+ SyncHandle();
	234	+ return 0;
	235	+ }
	236	}
	237	nbytes = (n + 3) & ~3;
	238	req->length += nbytes >> 2;
	239	diff --git a/src/SetHints.c b/src/SetHints.c
	240	index bc46498a..f3d727ec 100644
	241	--- a/src/SetHints.c
	242	+++ b/src/SetHints.c
	243	@@ -49,6 +49,7 @@ SOFTWARE.
	244	#ifdef HAVE_CONFIG_H
	245	#include <config.h>
	246	#endif
	247	+#include <limits.h>
	248	#include <X11/Xlibint.h>
	249	#include <X11/Xutil.h>
	250	#include "Xatomtype.h"
	251	@@ -214,6 +215,8 @@ XSetCommand (
	252	register char buf, bp;
	253	for (i = 0, nbytes = 0; i < argc; i++) {
	254	nbytes += safestrlen(argv[i]) + 1;
	255	+ if (nbytes >= USHRT_MAX)
	256	+ return 1;
	257	}
	258	if ((bp = buf = Xmalloc(nbytes))) {
	259	/* copy arguments into single buffer */
	260	@@ -256,6 +259,8 @@ XSetStandardProperties (
	261
	262	if (name != NULL) XStoreName (dpy, w, name);
	263
	264	+ if (safestrlen(icon_string) >= USHRT_MAX)
	265	+ return 1;
	266	if (icon_string != NULL) {
	267	XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
	268	PropModeReplace,
	269	@@ -298,6 +303,8 @@ XSetClassHint(
	270
	271	len_nm = safestrlen(classhint->res_name);
	272	len_cl = safestrlen(classhint->res_class);
	273	+ if (len_nm + len_cl >= USHRT_MAX)
	274	+ return 1;
	275	if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) {
	276	if (len_nm) {
	277	strcpy(s, classhint->res_name);
	278	diff --git a/src/StNColor.c b/src/StNColor.c
	279	index 8b821c3e..ba021958 100644
	280	--- a/src/StNColor.c
	281	+++ b/src/StNColor.c
	282	@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
	283	#ifdef HAVE_CONFIG_H
	284	#include <config.h>
	285	#endif
	286	+#include <limits.h>
	287	#include <stdio.h>
	288	#include "Xlibint.h"
	289	#include "Xcmsint.h"
	290	@@ -46,6 +47,8 @@ int flags) /* DoRed, DoGreen, DoBlue */
	291	XcmsColor cmsColor_exact;
	292	XColor scr_def;
	293
	294	+ if (strlen(name) >= USHRT_MAX)
	295	+ return 0;
	296	#ifdef XCMS
	297	/*
	298	* Let's Attempt to use Xcms approach to Parse Color
	299	diff --git a/src/StName.c b/src/StName.c
	300	index b4048bff..5a632d0c 100644
	301	--- a/src/StName.c
	302	+++ b/src/StName.c
	303	@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
	304	#ifdef HAVE_CONFIG_H
	305	#include <config.h>
	306	#endif
	307	+#include <limits.h>
	308	#include <X11/Xlibint.h>
	309	#include <X11/Xatom.h>
	310
	311	@@ -36,7 +37,9 @@ XStoreName (
	312	Window w,
	313	_Xconst char *name)
	314	{
	315	- return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING,
	316	+ if (strlen(name) >= USHRT_MAX)
	317	+ return 0;
	318	+ return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /* */
	319	8, PropModeReplace, (_Xconst unsigned char *)name,
	320	name ? strlen(name) : 0);
	321	}
	322	@@ -47,6 +50,8 @@ XSetIconName (
	323	Window w,
	324	_Xconst char *icon_name)
	325	{
	326	+ if (strlen(icon_name) >= USHRT_MAX)
	327	+ return 0;
	328	return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
	329	PropModeReplace, (_Xconst unsigned char *)icon_name,
	330	icon_name ? strlen(icon_name) : 0);
	331	--
	332	2.32.0
	333