1 files changed, 0 insertions, 38 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch
deleted file mode 100644
index 6f862e82f9..0000000000
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-CVE: CVE-2022-3550
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Tue, 5 Jul 2022 12:06:20 +1000
-Subject: [PATCH] xkb: proof GetCountedString against request length attacks
-GetCountedString did a check for the whole string to be within the
-request buffer but not for the initial 2 bytes that contain the length
-field. A swapped client could send a malformed request to trigger a
-swaps() on those bytes, writing into random memory.
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
---
- xkb/xkb.c | 5 +++++
- 1 file changed, 5 insertions(+)
-diff --git a/xkb/xkb.c b/xkb/xkb.c
-index f42f59ef3..1841cff26 100644
--- a/xkb/xkb.c
-+++ b/xkb/xkb.c
-@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str)
-     CARD16 len;
- 
-     wire = *wire_inout;
-+
-+    if (client->req_len <
-+        bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
-+        return BadValue;
-+
-     len = *(CARD16 *) wire;
-     if (client->swapped) {
-         swaps(&len);
-- 
-2.34.1

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch deleted file mode 100644 index 6f862e82f9..0000000000 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch +++ /dev/null
@@ -1,38 +0,0 @@
1	CVE: CVE-2022-3550
2	Upstream-Status: Backport
3	Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5	From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001
6	From: Peter Hutterer <peter.hutterer@who-t.net>
7	Date: Tue, 5 Jul 2022 12:06:20 +1000
8	Subject: [PATCH] xkb: proof GetCountedString against request length attacks
9
10	GetCountedString did a check for the whole string to be within the
11	request buffer but not for the initial 2 bytes that contain the length
12	field. A swapped client could send a malformed request to trigger a
13	swaps() on those bytes, writing into random memory.
14
15	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
16	---
17	xkb/xkb.c \| 5 +++++
18	1 file changed, 5 insertions(+)
19
20	diff --git a/xkb/xkb.c b/xkb/xkb.c
21	index f42f59ef3..1841cff26 100644
22	--- a/xkb/xkb.c
23	+++ b/xkb/xkb.c
24	@@ -5137,6 +5137,11 @@ _GetCountedString(char wire_inout, ClientPtr client, char str)
25	CARD16 len;
26
27	wire = *wire_inout;
28	+
29	+ if (client->req_len <
30	+ bytes_to_int32(wire + 2 - (char *) client->requestBuffer))
31	+ return BadValue;
32	+
33	len = (CARD16 ) wire;
34	if (client->swapped) {
35	swaps(&len);
36	--
37	2.34.1
38