1 files changed, 46 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch
new file mode 100644
index 0000000000..4800bedf41
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch
@@ -0,0 +1,46 @@
+From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 15:55:04 -0700
+Subject: [PATCH libX11 3/5] XPutImage: clip images to maximum height & width
+ allowed by protocol
+The PutImage request specifies height & width of the image as CARD16
+(unsigned 16-bit integer), same as the maximum dimensions of an X11
+Drawable, which the image is being copied to.
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0003-XPutImage-clip-images-to-maximum-height-width-allowe.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/73a37d5f2fcadd6540159b432a70d80f442ddf4a]
+CVE: CVE-2023-43786
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/PutImage.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/src/PutImage.c b/src/PutImage.c
+index a6db7b42..ba411e36 100644
+--- a/src/PutImage.c
+++ b/src/PutImage.c
+@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
+ #include "Xlibint.h"
+ #include "Xutil.h"
+ #include <stdio.h>
+#include <limits.h>
+ #include "Cr.h"
+ #include "ImUtil.h"
+ #include "reallocarray.h"
+@@ -962,6 +963,10 @@ XPutImage (
+        height = image->height - req_yoffset;
+     if ((width <= 0) || (height <= 0))
+        return 0;
+    if (width > USHRT_MAX)
+        width = USHRT_MAX;
+    if (height > USHRT_MAX)
+        height = USHRT_MAX;
+ 
+     if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) {
+        dest_bits_per_pixel = 1;
+-- 
+2.39.3

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch new file mode 100644 index 0000000000..4800bedf41 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch
@@ -0,0 +1,46 @@
	1	From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001
	2	From: Alan Coopersmith <alan.coopersmith@oracle.com>
	3	Date: Thu, 7 Sep 2023 15:55:04 -0700
	4	Subject: [PATCH libX11 3/5] XPutImage: clip images to maximum height & width
	5	allowed by protocol
	6
	7	The PutImage request specifies height & width of the image as CARD16
	8	(unsigned 16-bit integer), same as the maximum dimensions of an X11
	9	Drawable, which the image is being copied to.
	10
	11	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	12
	13	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0003-XPutImage-clip-images-to-maximum-height-width-allowe.patch?h=ubuntu/focal-security
	14	Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/73a37d5f2fcadd6540159b432a70d80f442ddf4a]
	15	CVE: CVE-2023-43786
	16	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	17	---
	18	src/PutImage.c \| 5 +++++
	19	1 file changed, 5 insertions(+)
	20
	21	diff --git a/src/PutImage.c b/src/PutImage.c
	22	index a6db7b42..ba411e36 100644
	23	--- a/src/PutImage.c
	24	+++ b/src/PutImage.c
	25	@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
	26	#include "Xlibint.h"
	27	#include "Xutil.h"
	28	#include <stdio.h>
	29	+#include <limits.h>
	30	#include "Cr.h"
	31	#include "ImUtil.h"
	32	#include "reallocarray.h"
	33	@@ -962,6 +963,10 @@ XPutImage (
	34	height = image->height - req_yoffset;
	35	if ((width <= 0) \|\| (height <= 0))
	36	return 0;
	37	+ if (width > USHRT_MAX)
	38	+ width = USHRT_MAX;
	39	+ if (height > USHRT_MAX)
	40	+ height = USHRT_MAX;
	41
	42	if ((image->bits_per_pixel == 1) \|\| (image->format != ZPixmap)) {
	43	dest_bits_per_pixel = 1;
	44	--
	45	2.39.3
	46