1 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
new file mode 100644
index 0000000000..d35d96c4dc
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
@@ -0,0 +1,52 @@
+From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 16:12:27 -0700
+Subject: [PATCH libX11 4/5] XCreatePixmap: trigger BadValue error for
+ out-of-range dimensions
+The CreatePixmap request specifies height & width of the image as CARD16
+(unsigned 16-bit integer), so if either is larger than that, set it to 0
+so the X server returns a BadValue error as the protocol requires.
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b]
+CVE: CVE-2023-43787
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/CrPixmap.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+diff --git a/src/CrPixmap.c b/src/CrPixmap.c
+index cdf31207..3cb2ca6d 100644
+--- a/src/CrPixmap.c
+++ b/src/CrPixmap.c
+@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
+ #include <config.h>
+ #endif
+ #include "Xlibint.h"
+#include <limits.h>
+ 
+ #ifdef USE_DYNAMIC_XCURSOR
+ void
+@@ -47,6 +48,16 @@ Pixmap XCreatePixmap (
+     Pixmap pid;
+     register xCreatePixmapReq *req;
+ 
+    /*
+     * Force a BadValue X Error if the requested dimensions are larger
+     * than the X11 protocol has room for, since that's how callers expect
+     * to get notified of errors.
+     */
+    if (width > USHRT_MAX)
+        width = 0;
+    if (height > USHRT_MAX)
+        height = 0;
+
+     LockDisplay(dpy);
+     GetReq(CreatePixmap, req);
+     req->drawable = d;
+-- 
+2.39.3

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch new file mode 100644 index 0000000000..d35d96c4dc --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
@@ -0,0 +1,52 @@
	1	From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001
	2	From: Alan Coopersmith <alan.coopersmith@oracle.com>
	3	Date: Thu, 7 Sep 2023 16:12:27 -0700
	4	Subject: [PATCH libX11 4/5] XCreatePixmap: trigger BadValue error for
	5	out-of-range dimensions
	6
	7	The CreatePixmap request specifies height & width of the image as CARD16
	8	(unsigned 16-bit integer), so if either is larger than that, set it to 0
	9	so the X server returns a BadValue error as the protocol requires.
	10
	11	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	12
	13	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch?h=ubuntu/focal-security
	14	Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b]
	15	CVE: CVE-2023-43787
	16	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	17	---
	18	src/CrPixmap.c \| 11 +++++++++++
	19	1 file changed, 11 insertions(+)
	20
	21	diff --git a/src/CrPixmap.c b/src/CrPixmap.c
	22	index cdf31207..3cb2ca6d 100644
	23	--- a/src/CrPixmap.c
	24	+++ b/src/CrPixmap.c
	25	@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
	26	#include <config.h>
	27	#endif
	28	#include "Xlibint.h"
	29	+#include <limits.h>
	30
	31	#ifdef USE_DYNAMIC_XCURSOR
	32	void
	33	@@ -47,6 +48,16 @@ Pixmap XCreatePixmap (
	34	Pixmap pid;
	35	register xCreatePixmapReq *req;
	36
	37	+ /*
	38	+ * Force a BadValue X Error if the requested dimensions are larger
	39	+ * than the X11 protocol has room for, since that's how callers expect
	40	+ * to get notified of errors.
	41	+ */
	42	+ if (width > USHRT_MAX)
	43	+ width = 0;
	44	+ if (height > USHRT_MAX)
	45	+ height = 0;
	46	+
	47	LockDisplay(dpy);
	48	GetReq(CreatePixmap, req);
	49	req->drawable = d;
	50	--
	51	2.39.3
	52