From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Thu, 7 Sep 2023 16:12:27 -0700
Subject: [PATCH libX11 4/5] XCreatePixmap: trigger BadValue error for
 out-of-range dimensions

The CreatePixmap request specifies height & width of the image as CARD16
(unsigned 16-bit integer), so if either is larger than that, set it to 0
so the X server returns a BadValue error as the protocol requires.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch?h=ubuntu/focal-security
Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b]
CVE: CVE-2023-43787
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 src/CrPixmap.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/CrPixmap.c b/src/CrPixmap.c
index cdf31207..3cb2ca6d 100644
--- a/src/CrPixmap.c
+++ b/src/CrPixmap.c
@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
 #include <config.h>
 #endif
 #include "Xlibint.h"
+#include <limits.h>
 
 #ifdef USE_DYNAMIC_XCURSOR
 void
@@ -47,6 +48,16 @@ Pixmap XCreatePixmap (
     Pixmap pid;
     register xCreatePixmapReq *req;
 
+    /*
+     * Force a BadValue X Error if the requested dimensions are larger
+     * than the X11 protocol has room for, since that's how callers expect
+     * to get notified of errors.
+     */
+    if (width > USHRT_MAX)
+        width = 0;
+    if (height > USHRT_MAX)
+        height = 0;
+
     LockDisplay(dpy);
     GetReq(CreatePixmap, req);
     req->drawable = d;
-- 
2.39.3