1 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch
new file mode 100644
index 0000000000..110bd445df
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch
@@ -0,0 +1,64 @@
+From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001
+From: Yair Mizrahi <yairm@jfrog.com>
+Date: Thu, 7 Sep 2023 16:15:32 -0700
+Subject: [PATCH libX11 5/5] CVE-2023-43787: Integer overflow in XCreateImage()
+ leading to a heap overflow
+When the format is `Pixmap` it calculates the size of the image data as:
+    ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+There is no validation on the `width` of the image, and so this
+calculation exceeds the capacity of a 4-byte integer, causing an overflow.
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0]
+CVE: CVE-2023-43787
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/ImUtil.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+diff --git a/src/ImUtil.c b/src/ImUtil.c
+index 36f08a03..fbfad33e 100644
+--- a/src/ImUtil.c
+++ b/src/ImUtil.c
+@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
+ #include <X11/Xlibint.h>
+ #include <X11/Xutil.h>
+ #include <stdio.h>
+#include <limits.h>
+ #include "ImUtil.h"
+ 
+ static int _XDestroyImage(XImage *);
+@@ -361,13 +362,22 @@ XImage *XCreateImage (
+        /*
+         * compute per line accelerator.
+         */
+-       {
+-       if (format == ZPixmap)
+       if (format == ZPixmap) {
+           if ((INT_MAX / bits_per_pixel) < width) {
+               Xfree(image);
+               return NULL;
+           }
+
+            min_bytes_per_line =
+-              ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+-       else
+               ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+       } else {
+           if ((INT_MAX - offset) < width) {
+               Xfree(image);
+               return NULL;
+           }
+
+            min_bytes_per_line =
+-               ROUNDUP((width + offset), image->bitmap_pad);
+               ROUNDUP((width + offset), image->bitmap_pad);
+        }
+        if (image_bytes_per_line == 0) {
+            image->bytes_per_line = min_bytes_per_line;
+-- 
+2.39.3

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch new file mode 100644 index 0000000000..110bd445df --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch
@@ -0,0 +1,64 @@
	1	From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001
	2	From: Yair Mizrahi <yairm@jfrog.com>
	3	Date: Thu, 7 Sep 2023 16:15:32 -0700
	4	Subject: [PATCH libX11 5/5] CVE-2023-43787: Integer overflow in XCreateImage()
	5	leading to a heap overflow
	6
	7	When the format is `Pixmap` it calculates the size of the image data as:
	8	ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
	9	There is no validation on the `width` of the image, and so this
	10	calculation exceeds the capacity of a 4-byte integer, causing an overflow.
	11
	12	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	13
	14	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch?h=ubuntu/focal-security
	15	Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0]
	16	CVE: CVE-2023-43787
	17	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	18	---
	19	src/ImUtil.c \| 20 +++++++++++++++-----
	20	1 file changed, 15 insertions(+), 5 deletions(-)
	21
	22	diff --git a/src/ImUtil.c b/src/ImUtil.c
	23	index 36f08a03..fbfad33e 100644
	24	--- a/src/ImUtil.c
	25	+++ b/src/ImUtil.c
	26	@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
	27	#include <X11/Xlibint.h>
	28	#include <X11/Xutil.h>
	29	#include <stdio.h>
	30	+#include <limits.h>
	31	#include "ImUtil.h"
	32
	33	static int _XDestroyImage(XImage *);
	34	@@ -361,13 +362,22 @@ XImage *XCreateImage (
	35	/*
	36	* compute per line accelerator.
	37	*/
	38	- {
	39	- if (format == ZPixmap)
	40	+ if (format == ZPixmap) {
	41	+ if ((INT_MAX / bits_per_pixel) < width) {
	42	+ Xfree(image);
	43	+ return NULL;
	44	+ }
	45	+
	46	min_bytes_per_line =
	47	- ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
	48	- else
	49	+ ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
	50	+ } else {
	51	+ if ((INT_MAX - offset) < width) {
	52	+ Xfree(image);
	53	+ return NULL;
	54	+ }
	55	+
	56	min_bytes_per_line =
	57	- ROUNDUP((width + offset), image->bitmap_pad);
	58	+ ROUNDUP((width + offset), image->bitmap_pad);
	59	}
	60	if (image_bytes_per_line == 0) {
	61	image->bytes_per_line = min_bytes_per_line;
	62	--
	63	2.39.3
	64