From 7b2a16600113f29d407c41c99f1740de149a893a Mon Sep 17 00:00:00 2001
From: zhangxingrong <zhangxingrong@uniontech.com>
Date: Thu, 1 Feb 2024 14:58:22 +0800
Subject: [PATCH 1/2] fix CVE-2023-6478

---
 0001-fix-CVE-2023-6478.patch  | 39 +++++++++++++++++++++++++++++++++++
 xorg-x11-server-xwayland.spec |  9 ++++++--
 2 files changed, 46 insertions(+), 2 deletions(-)
 create mode 100644 0001-fix-CVE-2023-6478.patch

diff --git a/0001-fix-CVE-2023-6478.patch b/0001-fix-CVE-2023-6478.patch
new file mode 100644
index 0000000..4e93ed1
--- /dev/null
+++ b/0001-fix-CVE-2023-6478.patch
@@ -0,0 +1,39 @@
+From a4debd37a19776d883421516cc9f1a0f6ff7140b Mon Sep 17 00:00:00 2001
+From: zhangxingrong <zhangxingrong@uniontech.com>
+Date: Thu, 1 Feb 2024 14:27:27 +0800
+Subject: [PATCH] fix-CVE-2023-6478
+
+---
+ randr/rrproperty.c         | 2 +-
+ randr/rrproviderproperty.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index c2fb958..1fb89e6 100644
+--- a/randr/rrproperty.c
++++ b/randr/rrproperty.c
+@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr client)
+     char format, mode;
+     unsigned long len;
+     int sizeInBytes;
+-    int totalSize;
++    uint64_t totalSize;
+     int err;
+ 
+     REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq);
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index b79c17f..90c5a9a 100644
+--- a/randr/rrproviderproperty.c
++++ b/randr/rrproviderproperty.c
+@@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr client)
+     char format, mode;
+     unsigned long len;
+     int sizeInBytes;
+-    int totalSize;
++    uint64_t totalSize;
+     int err;
+ 
+     REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq);
+-- 
+2.33.0
+
diff --git a/xorg-x11-server-xwayland.spec b/xorg-x11-server-xwayland.spec
index 3715c04..098f4d8 100644
--- a/xorg-x11-server-xwayland.spec
+++ b/xorg-x11-server-xwayland.spec
@@ -4,7 +4,7 @@
 Summary:   Xwayland
 Name:      xorg-x11-server-Xwayland
 Version:   22.1.2
-Release:   2
+Release:   3
 License:   MIT 
 URL:       http://www.x.org
 Source0:   https://www.x.org/pub/individual/xserver/%{pkgname}-%{version}.tar.xz
@@ -65,6 +65,8 @@ BuildRequires: pkgconfig(xcb-icccm)
 BuildRequires: pkgconfig(xcb-keysyms)
 BuildRequires: pkgconfig(xcb-renderutil)
  
+Patch01:	0001-fix-CVE-2023-6478.patch
+
 %description
 Xwayland is an X server for running X clients under Wayland.
  
@@ -77,7 +79,7 @@ The development package provides the developmental files which are
 necessary for developing Wayland compositors using Xwayland.
  
 %prep
-%autosetup -n %{pkgname}-%{version}
+%autosetup -n %{pkgname}-%{version} -p1
  
 %build
 %meson \
@@ -109,6 +111,9 @@ rm -Rf $RPM_BUILD_ROOT%{_localstatedir}/lib/xkb
 %{_libdir}/pkgconfig/xwayland.pc
  
 %changelog
+* Thu Feb 1 2024 zhangxingrong <zhangxingrong@uni.com> - 22.1.2-3
+- fix cve:CVE-2023-6478
+
 * Fri Jun 24 2022 wangkerong <wangkerong@h-partners.com> - 22.1.2-2
 - rename packagename
 
-- 
Gitee


From 5ddb2e169822d01c1ff85293688915674111c3fa Mon Sep 17 00:00:00 2001
From: zhangxingrong <zhangxingrong@uniontech.com>
Date: Thu, 1 Feb 2024 15:15:45 +0800
Subject: [PATCH 2/2] fix CVE-2023-6377

---
 0002-fix-CVE-2023-6377.patch  | 68 +++++++++++++++++++++++++++++++++++
 xorg-x11-server-xwayland.spec |  6 +++-
 2 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 0002-fix-CVE-2023-6377.patch

diff --git a/0002-fix-CVE-2023-6377.patch b/0002-fix-CVE-2023-6377.patch
new file mode 100644
index 0000000..233a78c
--- /dev/null
+++ b/0002-fix-CVE-2023-6377.patch
@@ -0,0 +1,68 @@
+From b3352b012639e9505b01d62057b20790c1528470 Mon Sep 17 00:00:00 2001
+From: zhangxingrong <zhangxingrong@uniontech.com>
+Date: Thu, 1 Feb 2024 15:11:23 +0800
+Subject: [PATCH] fix CVE-2023-6377
+
+---
+ Xi/exevents.c | 16 ++++++++--------
+ dix/devices.c | 10 ++++++++++
+ 2 files changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index 94b9983..1c226b6 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -611,14 +611,14 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+         }
+ 
+         if (from->button->xkb_acts) {
+-            if (!to->button->xkb_acts) {
+-                to->button->xkb_acts = calloc(1, sizeof(XkbAction));
+-                if (!to->button->xkb_acts)
+-                    FatalError("[Xi] not enough memory for xkb_acts.\n");
+-            }
+-            memcpy(to->button->xkb_acts, from->button->xkb_acts,
+-                   sizeof(XkbAction));
+-        }
++            size_t maxbuttons = max(to->button->numButtons, from->button->numButtons);
++            to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
++                                                   maxbuttons,
++                                                   sizeof(XkbAction));
++            memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
++	    memcpy(to->button->xkb_acts, from->button->xkb_acts,
++        	from->button->numButtons * sizeof(XkbAction));
++	}
+         else
+             free(to->button->xkb_acts);
+ 
+diff --git a/dix/devices.c b/dix/devices.c
+index 5bf956e..4190e2d 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -2525,6 +2525,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+ 
+     if (master->button && master->button->numButtons != maxbuttons) {
+         int i;
++	int last_num_buttons = master->button->numButtons;
++
+         DeviceChangedEvent event = {
+             .header = ET_Internal,
+             .type = ET_DeviceChanged,
+@@ -2535,6 +2537,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+         };
+ 
+         master->button->numButtons = maxbuttons;
++        if (last_num_buttons < maxbuttons) {
++            master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts,
++                                                       maxbuttons,
++                                                       sizeof(XkbAction));
++            memset(&master->button->xkb_acts[last_num_buttons],
++                   0,
++                   (maxbuttons - last_num_buttons) * sizeof(XkbAction));
++        }
+ 
+         memcpy(&event.buttons.names, master->button->labels, maxbuttons *
+                sizeof(Atom));
+-- 
+2.33.0
+
diff --git a/xorg-x11-server-xwayland.spec b/xorg-x11-server-xwayland.spec
index 098f4d8..de3b173 100644
--- a/xorg-x11-server-xwayland.spec
+++ b/xorg-x11-server-xwayland.spec
@@ -4,7 +4,7 @@
 Summary:   Xwayland
 Name:      xorg-x11-server-Xwayland
 Version:   22.1.2
-Release:   3
+Release:   4
 License:   MIT 
 URL:       http://www.x.org
 Source0:   https://www.x.org/pub/individual/xserver/%{pkgname}-%{version}.tar.xz
@@ -66,6 +66,7 @@ BuildRequires: pkgconfig(xcb-keysyms)
 BuildRequires: pkgconfig(xcb-renderutil)
  
 Patch01:	0001-fix-CVE-2023-6478.patch
+Patch02:	0002-fix-CVE-2023-6377.patch
 
 %description
 Xwayland is an X server for running X clients under Wayland.
@@ -111,6 +112,9 @@ rm -Rf $RPM_BUILD_ROOT%{_localstatedir}/lib/xkb
 %{_libdir}/pkgconfig/xwayland.pc
  
 %changelog
+* Thu Feb 1 2024 zhangxingrong <zhangxingrong@uni.com> - 22.1.2-4
+- fix cve:CVE-2023-6377
+
 * Thu Feb 1 2024 zhangxingrong <zhangxingrong@uni.com> - 22.1.2-3
 - fix cve:CVE-2023-6478
 
-- 
Gitee