1 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
new file mode 100644
index 0000000000..a3b977aac9
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
@@ -0,0 +1,64 @@
+From d3787290f56165f5656ddd2123dbf676a32d0a68 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Sun, 4 Dec 2022 17:44:00 +0000
+Subject: [PATCH 2/3] xkb: fix some possible memleaks in XkbGetKbdByName
+GetComponentByName returns an allocated string, so let's free that if we
+fail somewhere.
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2]
+CVE: CVE-2022-3551
+Signed-off-by:Minjae Kim <flowergom@gmail.com>
+---
+ xkb/xkb.c | 26 +++++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 7 deletions(-)
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index bf8aaa3..f79d306 100644
+--- a/xkb/xkb.c
+++ b/xkb/xkb.c
+@@ -5908,19 +5908,31 @@ ProcXkbGetKbdByName(ClientPtr client)
+     xkb = dev->key->xkbInfo->desc;
+     status = Success;
+     str = (unsigned char *) &stuff[1];
+-    if (GetComponentSpec(&str, TRUE, &status))  /* keymap, unsupported */
+-        return BadMatch;
+    {
+        char *keymap = GetComponentSpec(&str, TRUE, &status);  /* keymap, unsupported */
+        if (keymap) {
+            free(keymap);
+            return BadMatch;
+        }
+    }
+     names.keycodes = GetComponentSpec(&str, TRUE, &status);
+     names.types = GetComponentSpec(&str, TRUE, &status);
+     names.compat = GetComponentSpec(&str, TRUE, &status);
+     names.symbols = GetComponentSpec(&str, TRUE, &status);
+     names.geometry = GetComponentSpec(&str, TRUE, &status);
+-    if (status != Success)
+-        return status;
+-    len = str - ((unsigned char *) stuff);
+-    if ((XkbPaddedSize(len) / 4) != stuff->length)
+-        return BadLength;
+    if (status == Success) {
+        len = str - ((unsigned char *) stuff);
+        if ((XkbPaddedSize(len) / 4) != stuff->length)
+            status = BadLength;
+    }
+ 
+    if (status != Success) {
+        free(names.keycodes);
+        free(names.types);
+        free(names.compat);
+        free(names.symbols);
+        free(names.geometry);
+    }
+     CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
+     CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
+ 
+-- 
+2.17.1

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch new file mode 100644 index 0000000000..a3b977aac9 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-3551.patch
@@ -0,0 +1,64 @@
	1	From d3787290f56165f5656ddd2123dbf676a32d0a68 Mon Sep 17 00:00:00 2001
	2	From: Peter Hutterer <peter.hutterer@who-t.net>
	3	Date: Sun, 4 Dec 2022 17:44:00 +0000
	4	Subject: [PATCH 2/3] xkb: fix some possible memleaks in XkbGetKbdByName
	5
	6	GetComponentByName returns an allocated string, so let's free that if we
	7	fail somewhere.
	8
	9	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
	10
	11	Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=18f91b950e22c2a342a4fbc55e9ddf7534a707d2]
	12	CVE: CVE-2022-3551
	13	Signed-off-by:Minjae Kim <flowergom@gmail.com>
	14
	15	---
	16	xkb/xkb.c \| 26 +++++++++++++++++++-------
	17	1 file changed, 19 insertions(+), 7 deletions(-)
	18
	19	diff --git a/xkb/xkb.c b/xkb/xkb.c
	20	index bf8aaa3..f79d306 100644
	21	--- a/xkb/xkb.c
	22	+++ b/xkb/xkb.c
	23	@@ -5908,19 +5908,31 @@ ProcXkbGetKbdByName(ClientPtr client)
	24	xkb = dev->key->xkbInfo->desc;
	25	status = Success;
	26	str = (unsigned char *) &stuff[1];
	27	- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */
	28	- return BadMatch;
	29	+ {
	30	+ char keymap = GetComponentSpec(&str, TRUE, &status); / keymap, unsupported */
	31	+ if (keymap) {
	32	+ free(keymap);
	33	+ return BadMatch;
	34	+ }
	35	+ }
	36	names.keycodes = GetComponentSpec(&str, TRUE, &status);
	37	names.types = GetComponentSpec(&str, TRUE, &status);
	38	names.compat = GetComponentSpec(&str, TRUE, &status);
	39	names.symbols = GetComponentSpec(&str, TRUE, &status);
	40	names.geometry = GetComponentSpec(&str, TRUE, &status);
	41	- if (status != Success)
	42	- return status;
	43	- len = str - ((unsigned char *) stuff);
	44	- if ((XkbPaddedSize(len) / 4) != stuff->length)
	45	- return BadLength;
	46	+ if (status == Success) {
	47	+ len = str - ((unsigned char *) stuff);
	48	+ if ((XkbPaddedSize(len) / 4) != stuff->length)
	49	+ status = BadLength;
	50	+ }
	51
	52	+ if (status != Success) {
	53	+ free(names.keycodes);
	54	+ free(names.types);
	55	+ free(names.compat);
	56	+ free(names.symbols);
	57	+ free(names.geometry);
	58	+ }
	59	CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
	60	CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
	61
	62	--
	63	2.17.1
	64