1 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
new file mode 100644
index 0000000000..dbdf096fc8
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
@@ -0,0 +1,63 @@
+From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 17 Sep 2023 14:19:40 -0700
+Subject: [PATCH libX11 1/5] CVE-2023-43785: out-of-bounds memory access in
+ _XkbReadKeySyms()
+Make sure we allocate enough memory in the first place, and
+also handle error returns from _XkbReadBufferCopyKeySyms() when
+it detects out-of-bounds issues.
+Reported-by: Gregory James DUCK <gjduck@gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f]
+CVE: CVE-2023-43785
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/xkb/XKBGetMap.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
+index 2891d21e..31199e4a 100644
+--- a/src/xkb/XKBGetMap.c
+++ b/src/xkb/XKBGetMap.c
+@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+             if (offset + newMap->nSyms >= map->size_syms) {
+                 register int sz;
+ 
+-                sz = map->size_syms + 128;
+                sz = offset + newMap->nSyms;
+                sz = ((sz + (unsigned) 128) / 128) * 128;
+                 _XkbResizeArray(map->syms, map->size_syms, sz, KeySym);
+                 if (map->syms == NULL) {
+                     map->size_syms = 0;
+@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+                 map->size_syms = sz;
+             }
+             if (newMap->nSyms > 0) {
+-                _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
+-                                          newMap->nSyms);
+                if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
+                                              newMap->nSyms) == 0)
+                    return BadLength;
+                 offset += newMap->nSyms;
+             }
+             else {
+@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
+             newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
+             if (newSyms == NULL)
+                 return BadAlloc;
+-            if (newMap->nSyms > 0)
+-                _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
+            if (newMap->nSyms > 0) {
+                if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0)
+                    return BadLength;
+            }
+             else
+                 newSyms[0] = NoSymbol;
+             oldMap->kt_index[0] = newMap->ktIndex[0];
+-- 
+2.39.3

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch new file mode 100644 index 0000000000..dbdf096fc8 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
@@ -0,0 +1,63 @@
	1	From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
	2	From: Alan Coopersmith <alan.coopersmith@oracle.com>
	3	Date: Sun, 17 Sep 2023 14:19:40 -0700
	4	Subject: [PATCH libX11 1/5] CVE-2023-43785: out-of-bounds memory access in
	5	_XkbReadKeySyms()
	6
	7	Make sure we allocate enough memory in the first place, and
	8	also handle error returns from _XkbReadBufferCopyKeySyms() when
	9	it detects out-of-bounds issues.
	10
	11	Reported-by: Gregory James DUCK <gjduck@gmail.com>
	12	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	13
	14	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch?h=ubuntu/focal-security
	15	Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f]
	16	CVE: CVE-2023-43785
	17	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	18	---
	19	src/xkb/XKBGetMap.c \| 14 +++++++++-----
	20	1 file changed, 9 insertions(+), 5 deletions(-)
	21
	22	diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
	23	index 2891d21e..31199e4a 100644
	24	--- a/src/xkb/XKBGetMap.c
	25	+++ b/src/xkb/XKBGetMap.c
	26	@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
	27	if (offset + newMap->nSyms >= map->size_syms) {
	28	register int sz;
	29
	30	- sz = map->size_syms + 128;
	31	+ sz = offset + newMap->nSyms;
	32	+ sz = ((sz + (unsigned) 128) / 128) * 128;
	33	_XkbResizeArray(map->syms, map->size_syms, sz, KeySym);
	34	if (map->syms == NULL) {
	35	map->size_syms = 0;
	36	@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
	37	map->size_syms = sz;
	38	}
	39	if (newMap->nSyms > 0) {
	40	- _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
	41	- newMap->nSyms);
	42	+ if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
	43	+ newMap->nSyms) == 0)
	44	+ return BadLength;
	45	offset += newMap->nSyms;
	46	}
	47	else {
	48	@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
	49	newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
	50	if (newSyms == NULL)
	51	return BadAlloc;
	52	- if (newMap->nSyms > 0)
	53	- _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
	54	+ if (newMap->nSyms > 0) {
	55	+ if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0)
	56	+ return BadLength;
	57	+ }
	58	else
	59	newSyms[0] = NoSymbol;
	60	oldMap->kt_index[0] = newMap->ktIndex[0];
	61	--
	62	2.39.3
	63