From ed928953ffa176da02a2459c95c79ae4e28bfb76 Mon Sep 17 00:00:00 2001
From: wangkerong
Date: Fri, 18 Nov 2022 06:06:52 +0000
Subject: [PATCH] rebase 2203-LTS-Next from master
---
...-shadowUpdatePacked-because-of-memcp.patch | 26 ++++++++
...sent_scmd_get_crtc-and-present_flush.patch | 24 ++++++++
CVE-2022-3551.patch | 60 +++++++++++++++++++
backport-0001-CVE-2022-2319.patch | 30 +++++-----
gitignore | 1 +
xorg-x11-server.spec | 24 +++++++-
6 files changed, 146 insertions(+), 19 deletions(-)
create mode 100644 0001-Fix-the-crash-in-shadowUpdatePacked-because-of-memcp.patch
create mode 100644 0002-present-Crash-in-present_scmd_get_crtc-and-present_flush.patch
create mode 100644 CVE-2022-3551.patch
diff --git a/0001-Fix-the-crash-in-shadowUpdatePacked-because-of-memcp.patch b/0001-Fix-the-crash-in-shadowUpdatePacked-because-of-memcp.patch
new file mode 100644
index 0000000..bcf68ca
--- /dev/null
+++ b/0001-Fix-the-crash-in-shadowUpdatePacked-because-of-memcp.patch
@@ -0,0 +1,26 @@
+From de7b67924425b3aa540c19c8431ff0d7c5892608 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Tue, 24 May 2022 09:49:36 +0800
+Subject: [PATCH] Fix the crash in shadowUpdatePacked because of memcpy acts
+ randomly with overlapping areas.
+
+Signed-off-by: tangjie02
+---
+ miext/shadow/shpacked.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/miext/shadow/shpacked.c b/miext/shadow/shpacked.c
+index 5220854..8b16a98 100644
+--- a/miext/shadow/shpacked.c
++++ b/miext/shadow/shpacked.c
+@@ -98,7 +98,7 @@ shadowUpdatePacked(ScreenPtr pScreen, shadowBufPtr pBuf)
+ i = width;
+ width -= i;
+ scr += i;
+- memcpy(win, sha, i * sizeof(FbBits));
++ memmove(win, sha, i * sizeof(FbBits));
+ sha += i;
+ }
+ shaLine += shaStride;
+--
+2.33.0
diff --git a/0002-present-Crash-in-present_scmd_get_crtc-and-present_flush.patch b/0002-present-Crash-in-present_scmd_get_crtc-and-present_flush.patch
new file mode 100644
index 0000000..a7e1362
--- /dev/null
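Review bot: The switch to `memmove` in the carried shpacked.c change has no comment saying when `win` and `sha` can overlap, so a later cleanup could turn the call back into `memcpy`. I would add a comment above it, for example `/* win may overlap the shadow buffer here; memcpy on overlapping ranges is undefined behavior */`, with the wording adjusted to the real cause, which is not visible in this hunk. The patch header also carries no upstream commit or bug reference for the crash, which makes the fix harder to audit. The body of shadowUpdatePacked starts and ends outside the hunk.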
+++ b/0002-present-Crash-in-present_scmd_get_crtc-and-present_flush.patch
@@ -0,0 +1,24 @@
+diff --git a/present/present_scmd.c b/present/present_scmd.c
+index da836ea6b..239055bc1 100644
+--- a/present/present_scmd.c
++++ b/present/present_scmd.c
+@@ -158,6 +158,9 @@ present_scmd_get_crtc(present_screen_priv_ptr screen_priv, WindowPtr window)
+ if (!screen_priv->info)
+ return NULL;
+
++ if (!screen_priv->info->get_crtc)
++ return NULL;
++
+ return (*screen_priv->info->get_crtc)(window);
+ }
+
+@@ -196,6 +199,9 @@ present_flush(WindowPtr window)
+ if (!screen_priv->info)
+ return;
+
++ if (!screen_priv->info->flush)
++ return;
++
+ (*screen_priv->info->flush) (window);
+ }
+
diff --git a/CVE-2022-3551.patch b/CVE-2022-3551.patch
new file mode 100644
index 0000000..6d7116f
--- /dev/null
+++ b/CVE-2022-3551.patch
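Review bot: This added patch file starts directly at `diff --git`, with no From/Subject/Signed-off-by header, so the new NULL checks on `screen_priv->info->get_crtc` and `screen_priv->info->flush` have no recorded author, rationale or upstream reference. A short header saying what leaves those callbacks unset, and which bug or commit the fix came from, would let a reviewer judge whether returning `NULL` or returning early is the right behaviour or masks an incompletely registered `info` struct. Whether other callbacks reached through `screen_priv->info` need the same guard cannot be told from these two hunks.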
@@ -0,0 +1,60 @@
+From d7ac1fb14657f278fcc32863aa99eb32a2069d58 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Mon, 24 Oct 2022 17:06:15 +0800
+Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName
+
+GetComponentByName returns an allocated string, so let's free that if we
+fail somewhere.
+
+Signed-off-by: Peter Hutterer's avatarPeter Hutterer
+---
+ xkb/xkb.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 4dccc62..123671a 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5936,19 +5936,35 @@ ProcXkbGetKbdByName(ClientPtr client)
+ xkb = dev->key->xkbInfo->desc;
+ status = Success;
+ str = (unsigned char *) &stuff[1];
+- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */
+- return BadMatch;
++ {
++ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */
++ if (keymap) {
++ free(keymap);
++ return BadMatch;
++ }
++ }
+ names.keycodes = GetComponentSpec(&str, TRUE, &status);
+ names.types = GetComponentSpec(&str, TRUE, &status);
+ names.compat = GetComponentSpec(&str, TRUE, &status);
+ names.symbols = GetComponentSpec(&str, TRUE, &status);
+ names.geometry = GetComponentSpec(&str, TRUE, &status);
+- if (status != Success)
++ if (status == Success) {
++ len = str - ((unsigned char *) stuff);
++ if ((XkbPaddedSize(len) / 4) != stuff->length)
++ status = BadLength;
++ }
++
++ if (status != Success) {
++ free(names.keycodes);
++ free(names.types);
++ free(names.compat);
++ free(names.symbols);
++ free(names.geometry);
+ return status;
+ len = str - ((unsigned char *) stuff);
+ if ((XkbPaddedSize(len) / 4) != stuff->length)
+ return BadLength;
+-
++ }
+ CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask);
+ CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask);
+
+--
+2.33.0
+
diff --git a/backport-0001-CVE-2022-2319.patch b/backport-0001-CVE-2022-2319.patch
index ce6d921..7d6eee7 100644
--- a/backport-0001-CVE-2022-2319.patch
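Review bot: In the xkb/xkb.c change carried by this patch, the old length check is left behind as context after `return status;`, so `len = str - ((unsigned char *) stuff);` and `if ((XkbPaddedSize(len) / 4) != stuff->length) return BadLength;` end up inside the new `if (status != Success) { ... }` block as unreachable code. The check itself still runs in the added `if (status == Success) { ... }` block, so behaviour looks correct, but those three leftover lines should be removed so that the closing `}` directly follows `return status;`. The `Signed-off-by:` trailer reads `Peter Hutterer's avatarPeter Hutterer`, which looks like web-page residue copied into the header, and the header gives no upstream commit reference for this CVE fix. ProcXkbGetKbdByName continues outside the hunk.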
+++ b/backport-0001-CVE-2022-2319.patch @@ -1,27 +1,23 @@ -From f1070c01d616c5f21f939d5ebc533738779451ac Mon Sep 17 00:00:00 2001 -From: Peter Hutterer -Date: Tue, 5 Jul 2022 12:40:47 +1000 -Subject: [PATCH] xkb: switch to array index loops to moving pointers - -Most similar loops here use a pointer that advances with each loop -iteration, let's do the same here for consistency. +From 7b6db1b9ac7493163cb76898ac593dafc76988f6 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Fri, 22 Jul 2022 11:04:30 +0800 +Subject: [PATCH] xkb: switch to array index loops to moving pointers Most + similar loops here use a pointer that advances with each loop iteration, + let's do the same here for consistency. No functional changes. Signed-off-by: Peter Hutterer Reviewed-by: Olivier Fourdan - -Conflict:NA -Reference:https://github.com/freedesktop/xorg-xserver/commit/f1070c01d616c5f21f939d5ebc533738779451ac --- xkb/xkb.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/xkb/xkb.c b/xkb/xkb.c -index a29262c244..64e52611ee 100644 +index 68c59df..8b6aea8 100644 --- a/xkb/xkb.c +++ b/xkb/xkb.c -@@ -5368,16 +5368,16 @@ _CheckSetSections(XkbGeometryPtr geom, +@@ -5369,16 +5369,16 @@ _CheckSetSections(XkbGeometryPtr geom, row->left = rWire->left; row->vertical = rWire->vertical; kWire = (xkbKeyWireDesc *) &rWire[1]; 
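Review bot: The regenerated header drops the `Reference:` line and replaces the upstream `From f1070c01d616c5f21f939d5ebc533738779451ac` / `From: Peter Hutterer` lines with a local hash and `From: rpm-build`, so this CVE-2022-2319 backport can no longer be traced to the upstream change from the patch file alone. Keep the `Conflict:NA` and `Reference:https://github.com/freedesktop/xorg-xserver/commit/f1070c01d616c5f21f939d5ebc533738779451ac` lines when re-exporting the patch. The `Subject:` now also absorbs the first paragraph of the description, which suggests the blank line after the summary was lost during the re-export; restoring it keeps the subject to one line. The two later hunks of this file appear to change only whitespace and the trailing version footer.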
@@ -43,16 +39,16 @@ index a29262c244..64e52611ee 100644 if (key->shape_ndx >= geom->num_shapes) { client->errorValue = _XkbErrCode3(0x10, key->shape_ndx, geom->num_shapes); -@@ -5389,7 +5389,7 @@ _CheckSetSections(XkbGeometryPtr geom, +@@ -5390,7 +5390,7 @@ _CheckSetSections(XkbGeometryPtr geom, return BadMatch; } } - rWire = (xkbRowWireDesc *) &kWire[rWire->nKeys]; -+ rWire = (xkbRowWireDesc *)kWire; ++ rWire = (xkbRowWireDesc *)kWire; } wire = (char *) rWire; if (sWire->nDoodads > 0) { -@@ -5454,16 +5454,16 @@ _CheckSetShapes(XkbGeometryPtr geom, +@@ -5455,16 +5455,16 @@ _CheckSetShapes(XkbGeometryPtr geom, return BadAlloc; ol->corner_radius = olWire->cornerRadius; ptWire = (xkbPointWireDesc *) &olWire[1]; @@ -69,8 +65,10 @@ index a29262c244..64e52611ee 100644 } ol->num_points = olWire->nPoints; - olWire = (xkbOutlineWireDesc *) (&ptWire[olWire->nPoints]); -+ olWire = (xkbOutlineWireDesc *)ptWire; ++ olWire = (xkbOutlineWireDesc *)ptWire; } if (shapeWire->primaryNdx != XkbNoShape) shape->primary = &shape->outlines[shapeWire->primaryNdx]; +-- +2.33.0 diff --git a/gitignore b/gitignore index 524cfc6..cd3b1d2 100644 --- a/gitignore +++ b/gitignore @@ -283,6 +283,7 @@ include/xkb-config.h include/xorg-config.h include/xorg-server.h include/xwin-config.h +include/dix-config.h mfb/mfbbltC.c mfb/mfbbltCI.c mfb/mfbbltG.c diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 6614f21..d350091 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -16,7 +16,7 @@ Name: xorg-x11-server Version: 1.20.11 -Release: 7 +Release: 10 Summary: X.Org X11 X server License: MIT and GPLv2 URL: https://www.x.org 
@@ -76,7 +76,10 @@ Patch0025: 0021-xwayland-Fix-emulated-modes-not-being-removed-when-s.patch Patch0026: 0022-xwayland-Call-xwl_window_check_resolution_change_emu.patch Patch0027: 0023-xwayland-Fix-setting-of-_XWAYLAND_RANDR_EMU_MONITOR_.patch Patch0028: 0024-xwayland-Remove-unnecessary-xwl_window_is_toplevel-c.patch - + +Patch0100: 0001-Fix-the-crash-in-shadowUpdatePacked-because-of-memcp.patch +Patch0101: 0002-present-Crash-in-present_scmd_get_crtc-and-present_flush.patch + Patch0029: xorg-s11-server-CVE-2018-20839.patch Patch6000: backport-CVE-2021-4008.patch Patch6001: backport-CVE-2021-4009.patch @@ -86,6 +89,7 @@ Patch6004: backport-rename-bool-to-boolean.patch Patch6005: backport-0001-CVE-2022-2319.patch Patch6006: backport-0002-CVE-2022-2319.patch Patch6007: backport-CVE-2022-2320.patch +Patch6008: CVE-2022-3551.patch BuildRequires: audit-libs-devel autoconf automake bison dbus-devel flex git gcc BuildRequires: systemtap-sdt-devel libtool pkgconfig @@ -429,9 +433,23 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %{_mandir}/man*/* %changelog -* Wed Aug 03 2022 wangkerong - 1.20.11-7 +* Mon Oct 24 2022 qz_cx - 1.20.11-10 +- Type:CVE +- ID:NA +- SUG:NA +- DESC: fix CVE-2022-3551 + +* Wed Aug 03 2022 wangkerong - 1.20.11-9 - fix CVE-2022-2319,CVE-2022-2320 +* Fri Jul 22 2022 baiguo - 1.20.11-8 +- xkb: switch to array index loops to moving pointers +- fix CVE-2022-2319 + +* Fri Jul 22 2022 ouyangminxiang - 1.20.11-7 +- Fix the crash in shadowUpdatePacked because of memcpy acts randomly with overlapping areas. +- Fix the problem of black screen after entering the login interface + * Fri Jun 24 2022 wangkerong - 1.20.11-6 - disable Xwayland provide by xorg-x11-server-Xwayland - delete the same files of common and help -- Gitee
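Review bot: `Patch6008: CVE-2022-3551.patch` does not follow the `backport-` file naming used by every other visible entry in the `Patch6000`–`Patch6007` group, which makes the security backports harder to list as one set. Renaming the file to `backport-CVE-2022-3551.patch` and updating this line to `Patch6008: backport-CVE-2022-3551.patch` would keep the series consistent.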