Rebase to 1.8.10

Resolves: https://issues.redhat.com/browse/RHEL-70185
Olivier Fourdan 2024-12-06 10:07:53 +01:00
parent 398d91bbd6
commit 773dc997dc
14 changed files with 99 additions and 625 deletions

@ -0,0 +1,82 @@
From f3d6ebac35301d4ad068e307f0fbe6aa12ccbccb Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Fri, 9 Aug 2024 09:21:31 +0200
Subject: [PATCH libX11] Close xcb connection after freeing display structure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Commit 1472048b7 to fix a colormap threading issue added a display
lock/unlock and a call to SyncHandle() to _XcmsFreeClientCmaps().
When running synchronized, that means calling XSync().
_XcmsFreeClientCmaps() is called from _XFreeDisplayStructure() via
XCloseDisplay() after the xcb connection is closed.
So when running synchronized, we may end up calling XSync() after the
xcb connection to the display is closed, which will generate a spurious
XIO error:
| #0 in _XDefaultIOError () at /lib64/libX11.so.6
| #1 in _XIOError () at /lib64/libX11.so.6
| #2 in _XReply () at /lib64/libX11.so.6
| #3 in XSync () at /lib64/libX11.so.6
| #4 in _XSyncFunction () at /lib64/libX11.so.6
| 8#5 in _XFreeDisplayStructure () at /lib64/libX11.so.6
| 8#6 in XCloseDisplay () at /lib64/libX11.so.6
To avoid that issue, closed the xcb connection to the display last.
v2: And same in OutOfMemory() as well (José Expósito)
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: José Expósito <jexposit@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/264>
---
src/ClDisplay.c | 4 +++-
src/OpenDis.c | 7 +++++--
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/ClDisplay.c b/src/ClDisplay.c
index aa904e51..31d3a841 100644
--- a/src/ClDisplay.c
+++ b/src/ClDisplay.c
@@ -47,6 +47,7 @@ XCloseDisplay (
{
register _XExtension *ext;
register int i;
+ xcb_connection_t *connection;
if (!(dpy->flags & XlibDisplayClosing))
{
@@ -68,7 +69,8 @@ XCloseDisplay (
if (X_DPY_GET_REQUEST(dpy) != X_DPY_GET_LAST_REQUEST_READ(dpy))
XSync(dpy, 1);
}
- xcb_disconnect(dpy->xcb->connection);
+ connection = dpy->xcb->connection;
_XFreeDisplayStructure (dpy);
+ xcb_disconnect(connection);
return 0;
}
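Review bot: In the second XCloseDisplay() hunk the saved `connection` goes to xcb_disconnect() with no check, while the OutOfMemory() change in this same patch keeps the `if(connection)` guard. Use the same form in both places or say why only one needs it. Also add a one-line comment above `_XFreeDisplayStructure (dpy);` stating that the connection must stay open until the free functions have run, since that ordering is the whole fix and is easy to undo in a later cleanup.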
diff --git a/src/OpenDis.c b/src/OpenDis.c
index 89a0ebdf..6cc43ba3 100644
--- a/src/OpenDis.c
+++ b/src/OpenDis.c
@@ -709,7 +709,10 @@ void _XFreeDisplayStructure(Display *dpy)
static void OutOfMemory(Display *dpy)
{
- if(dpy->xcb->connection)
- xcb_disconnect(dpy->xcb->connection);
+ xcb_connection_t *connection = dpy->xcb->connection;
+
_XFreeDisplayStructure (dpy);
+
+ if(connection)
+ xcb_disconnect(connection);
}
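Review bot: `xcb_connection_t *connection = dpy->xcb->connection;` at the top of OutOfMemory() reads through dpy->xcb before anything is checked, and the later `if(connection)` only covers the connection pointer. The removed lines made the same assumption, but since this is the allocation-failure path it is worth confirming that dpy->xcb is always allocated before OutOfMemory() can be reached, or guarding the read.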
--
2.47.1

@ -1,52 +0,0 @@
From 751fbc59c30604980fdd19cb4b333d3cf2eccb24 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Fri, 21 Jun 2024 14:37:24 +0200
Subject: [PATCH] Fix deadlock in XRebindKeysym()
Xlib is now built with threading support enabled from the constructor
by default.
XRebindKeysym() acquires the display lock, then calls:
| XRebindKeysym()
| LockDisplay()
| ComputeMaskFromKeytrans()
| -> XkbKeysymToModifiers()
| -> _XkbLoadDpy()
| -> XkbGetMap()
| -> XkbGetUpdatedMap()
| LockDisplay()
And the dead lock:
| Xlib ERROR: XKBGetMap.c line 575 thread 1fc6e580: locking display already
| locked at KeyBind.c line 937
To avoid the issue, call ComputeMaskFromKeytrans() from outside the display
lock.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Closes: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/216
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/256>
---
src/KeyBind.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/KeyBind.c b/src/KeyBind.c
index a8181b91..a5e22131 100644
--- a/src/KeyBind.c
+++ b/src/KeyBind.c
@@ -958,8 +958,9 @@ XRebindKeysym (
memcpy ((char *) p->modifiers, (char *) mlist, (size_t) nb);
p->key = keysym;
p->mlen = nm;
- ComputeMaskFromKeytrans(dpy, p);
UnlockDisplay(dpy);
+ ComputeMaskFromKeytrans(dpy, p);
+
return 0;
}
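Review bot: After this change `ComputeMaskFromKeytrans(dpy, p);` runs once UnlockDisplay(dpy) has returned, while the stores to p->key and p->mlen just above it are still made under the lock. If p is already reachable from dpy at that point, another thread can see the entry before its mask is computed, or change it while ComputeMaskFromKeytrans() is reading it. The commit message explains the deadlock but not why the unlocked call is safe; a comment here saying so would help.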
--
2.45.2

@ -1,49 +0,0 @@
From 4f5541193dd5a004ed5ea44c12fc25e227113c9b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
Date: Tue, 30 Apr 2024 16:37:21 +0200
Subject: [PATCH 1/6] Fix use of uninitialized variable in _XimTriggerNotify
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
`_XimRead()` is being called with `reply` as target buffer instead of
using `preply`, accessing uninitialized memory a few lines later.
This error has been found by a static analysis tool. This is the report:
Error: UNINIT (CWE-457):
libX11-1.8.7/modules/im/ximcp/imDefLkup.c:561: alloc_fn:
Calling "malloc" which returns uninitialized memory.
libX11-1.8.7/modules/im/ximcp/imDefLkup.c:561: assign:
Assigning: "preply" = "malloc((size_t)((len == 0) ? 1 : len))",
which points to uninitialized data.
libX11-1.8.7/modules/im/ximcp/imDefLkup.c:573: uninit_use:
Using uninitialized value "*((CARD8 *)preply)".
# 571| }
# 572| buf_s = (CARD16 *)((char *)preply + XIM_HEADER_SIZE);
# 573|-> if (*((CARD8 *)preply) == XIM_ERROR) {
# 574| _XimProcError(im, 0, (XPointer)&buf_s[3]);
# 575| if(reply != preply)
Signed-off-by: José Expósito <jexposit@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
---
modules/im/ximcp/imDefLkup.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/im/ximcp/imDefLkup.c b/modules/im/ximcp/imDefLkup.c
index 2e53ab23..8ccaee26 100644
--- a/modules/im/ximcp/imDefLkup.c
+++ b/modules/im/ximcp/imDefLkup.c
@@ -635,7 +635,7 @@ _XimTriggerNotify(
} else {
buf_size = len;
preply = Xmalloc(len);
- ret_code = _XimRead(im, &len, (XPointer)reply, buf_size,
+ ret_code = _XimRead(im, &len, preply, buf_size,
_XimTriggerNotifyCheck, (XPointer)ic);
if(ret_code != XIM_TRUE) {
Xfree(preply);
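Review bot: `preply = Xmalloc(len);` is handed straight to _XimRead() on the corrected line with no NULL check in between, so an allocation failure reaches _XimRead() as a NULL target buffer. Check the result before the read and fail the request there. The corrected line also drops the `(XPointer)` cast that the removed line had, while the next argument keeps `(XPointer)ic`; pick one style.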
--
2.45.2

@ -1,34 +0,0 @@
From 5dfedaf4aa1a032ea6cb4e871abd2e065f798129 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Thu, 6 Jun 2024 16:25:26 +0200
Subject: [PATCH 1/3] Revert "Fix XTS regression in XCopyColormapAndFree"
This change was to fix the next change that we are to revert as well.
This reverts commit 68c72a7341b114277ab232f2499ee3bd035af8a0.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/254>
---
src/CopyCmap.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/src/CopyCmap.c b/src/CopyCmap.c
index b37aba73..b4954b01 100644
--- a/src/CopyCmap.c
+++ b/src/CopyCmap.c
@@ -53,11 +53,6 @@ Colormap XCopyColormapAndFree(
mid = req->mid = XAllocID(dpy);
req->srcCmap = src_cmap;
- /* re-lock the display to keep XID handling in sync */
- UnlockDisplay(dpy);
- SyncHandle();
- LockDisplay(dpy);
-
#if XCMS
_XcmsCopyCmapRecAndFree(dpy, src_cmap, mid);
#endif
--
2.45.2

@ -1,49 +0,0 @@
From eaad761e24722b1743d3edee3383294bfb4947d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
Date: Tue, 30 Apr 2024 16:41:40 +0200
Subject: [PATCH 2/6] Fix use of uninitialized variable in _XimExtension
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
`_XimRead()` is being called with `reply` as target buffer instead of
using `preply`, accessing uninitialized memory a few lines later.
This error has been found by a static analysis tool. This is the report:
Error: UNINIT (CWE-457):
libX11-1.8.7/modules/im/ximcp/imExten.c:468: alloc_fn:
Calling "malloc" which returns uninitialized memory.
libX11-1.8.7/modules/im/ximcp/imExten.c:468: assign:
Assigning: "preply" = "malloc((size_t)((buf_size == 0) ? 1 : buf_size))",
which points to uninitialized data.
libX11-1.8.7/modules/im/ximcp/imExten.c:479: uninit_use:
Using uninitialized value "*((CARD8 *)preply)".
# 477| return False;
# 478| buf_s = (CARD16 *)((char *)preply + XIM_HEADER_SIZE);
# 479|-> if (*((CARD8 *)preply) == XIM_ERROR) {
# 480| _XimProcError(im, 0, (XPointer)&buf_s[3]);
# 481| if(reply != preply)
Signed-off-by: José Expósito <jexposit@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
---
modules/im/ximcp/imExten.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/im/ximcp/imExten.c b/modules/im/ximcp/imExten.c
index c2e48a89..a25f00d0 100644
--- a/modules/im/ximcp/imExten.c
+++ b/modules/im/ximcp/imExten.c
@@ -466,7 +466,7 @@ _XimExtension(
} else {
buf_size = len;
preply = Xmalloc(buf_size);
- ret_code = _XimRead(im, &len, reply, buf_size,
+ ret_code = _XimRead(im, &len, preply, buf_size,
_XimQueryExtensionCheck, 0);
if(ret_code != XIM_TRUE) {
Xfree(preply);
--
2.45.2

@ -1,92 +0,0 @@
From 739fce4c12c7aa39112353d80c8a3bf25bdd5274 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Fri, 7 Jun 2024 09:07:39 +0200
Subject: [PATCH 2/3] Revert "Protect colormap add/removal with display lock"
That commit 99a2cf1aa was moving the calls to the _Xcms*CmapRec*()
family of functions within a display lock to make the XCMS colormap
functions thread safe.
Unfortunately, that causes a deadlock in XCopyColormapAndFree(), because
_XcmsCopyCmapRecAndFree() calls CmapRecForColormap() which calls
XGetVisualInfo() which also tries to acquire the display lock.
So, instead of moving the entire functions within the display lock,
let's try to make the functions themselves thread safe in the following
commit, and revert this change which causes a deadlock.
This reverts commit 99a2cf1aa0b58391078d5d3edf0a7dab18c7745d.
Fixes: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/215
See-also: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/94
Reviewed-by: Adam Jackson <ajax@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/254>
---
src/CopyCmap.c | 6 +++---
src/CrCmap.c | 6 +++---
src/FreeCmap.c | 6 +++---
3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/CopyCmap.c b/src/CopyCmap.c
index b4954b01..5444550c 100644
--- a/src/CopyCmap.c
+++ b/src/CopyCmap.c
@@ -53,12 +53,12 @@ Colormap XCopyColormapAndFree(
mid = req->mid = XAllocID(dpy);
req->srcCmap = src_cmap;
+ UnlockDisplay(dpy);
+ SyncHandle();
+
#if XCMS
_XcmsCopyCmapRecAndFree(dpy, src_cmap, mid);
#endif
- UnlockDisplay(dpy);
- SyncHandle();
-
return(mid);
}
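Review bot: With the UnlockDisplay(dpy)/SyncHandle() pair moved above the `#if XCMS` block, _XcmsCopyCmapRecAndFree() runs with no display lock held, and the same holds for _XcmsAddCmapRec() and _XcmsDeleteCmapRec() in the two hunks that follow. The commit message defers the locking to the following commit, so these calls are not thread safe at this point in the series; say in the message that this patch must not be applied without 3/3. Separately, this file tests `#if XCMS` while CrCmap.c and FreeCmap.c test `#ifdef XCMS`.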
diff --git a/src/CrCmap.c b/src/CrCmap.c
index 1b18a15b..9904c7dd 100644
--- a/src/CrCmap.c
+++ b/src/CrCmap.c
@@ -48,12 +48,12 @@ Colormap XCreateColormap(
if (visual == CopyFromParent) req->visual = CopyFromParent;
else req->visual = visual->visualid;
+ UnlockDisplay(dpy);
+ SyncHandle();
+
#ifdef XCMS
_XcmsAddCmapRec(dpy, mid, w, visual);
#endif
- UnlockDisplay(dpy);
- SyncHandle();
-
return(mid);
}
diff --git a/src/FreeCmap.c b/src/FreeCmap.c
index 68496dd8..e2b76fa6 100644
--- a/src/FreeCmap.c
+++ b/src/FreeCmap.c
@@ -41,12 +41,12 @@ XFreeColormap(
LockDisplay(dpy);
GetResReq(FreeColormap, cmap, req);
+ UnlockDisplay(dpy);
+ SyncHandle();
+
#ifdef XCMS
_XcmsDeleteCmapRec(dpy, cmap);
#endif
- UnlockDisplay(dpy);
- SyncHandle();
-
return 1;
}
--
2.45.2

@ -1,47 +0,0 @@
From 836a8f2cf5e930c8a56b512273fdf9890282ba04 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
Date: Tue, 30 Apr 2024 16:49:26 +0200
Subject: [PATCH 3/6] Fix use of uninitialized variable in
_XimEncodeICATTRIBUTE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In the `res->resource_size == XimType_NEST` code path, if
`res->xrm_name != pre_quark` and `res->xrm_name != sts_quark`, `len` can
be used uninitialized.
This error has been found by a static analysis tool. This is the report:
Error: UNINIT (CWE-457):
libX11-1.8.7/modules/im/ximcp/imRmAttr.c:1106: var_decl:
Declaring variable "len" without initializer.
libX11-1.8.7/modules/im/ximcp/imRmAttr.c:1179: uninit_use:
Using uninitialized value "len".
# 1177| }
# 1178|
# 1179|-> if (len == 0) {
# 1180| continue;
# 1181| } else if (len < 0) {
Signed-off-by: José Expósito <jexposit@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
---
modules/im/ximcp/imRmAttr.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
index 709e64ab..c56bd62e 100644
--- a/modules/im/ximcp/imRmAttr.c
+++ b/modules/im/ximcp/imRmAttr.c
@@ -1115,6 +1115,7 @@ _XimEncodeICATTRIBUTE(
*ret_len = 0;
for (p = arg; p && p->name; p++) {
+ len = 0;
buf_s = (CARD16 *)buf;
if (!(res = _XimGetResourceListRec(res_list, res_num, p->name))) {
if (_XimSetInnerICAttributes(ic, top, p, mode))
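Review bot: Resetting `len = 0;` at the top of the loop means a nested attribute that matches neither quark takes the `if (len == 0) { continue;` path quoted in the report, so it is skipped without any error. If an unrecognised XimType_NEST resource should be rejected rather than ignored, handle that case explicitly where len is assigned instead of relying on the default.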
--
2.45.2

@ -1,92 +0,0 @@
From 1472048b7a02d1b7fc25cfeda761db23fba21eac Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Fri, 7 Jun 2024 09:05:55 +0200
Subject: [PATCH 3/3] Make colormap private interfaces thread safe.
Protect access to the dpy structure by a display lock, so that these can
be called outside of a global display lock.
That allows the XCMS colormap functions to be thread safe without having
the whole functions within a display lock, to avoid deadlocks.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
See-also: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/215
See-also: https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/94
Reviewed-by: Adam Jackson <ajax@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/254>
---
src/xcms/cmsCmap.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/src/xcms/cmsCmap.c b/src/xcms/cmsCmap.c
index c7087ecb..4b229477 100644
--- a/src/xcms/cmsCmap.c
+++ b/src/xcms/cmsCmap.c
@@ -87,12 +87,17 @@ CmapRecForColormap(
_XAsyncHandler async;
_XAsyncErrorState async_state;
+ LockDisplay(dpy);
for (pRec = (XcmsCmapRec *)dpy->cms.clientCmaps; pRec != NULL;
pRec = pRec->pNext) {
if (pRec->cmapID == cmap) {
+ UnlockDisplay(dpy);
+ SyncHandle();
return(pRec);
}
}
+ UnlockDisplay(dpy);
+ SyncHandle();
/*
* Can't find an XcmsCmapRec associated with cmap in our records.
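Review bot: In CmapRecForColormap() the lock is dropped before `return(pRec);`, so the caller receives a pointer into dpy->cms.clientCmaps that is no longer protected. _XcmsDeleteCmapRec() later in this patch unlinks the record and calls Xfree(pRec) under the same lock, which means another thread can free the record while the first caller is still using it. The locking covers the list walk but not the lifetime of the returned record; document that limitation or give callers a way to keep the record alive.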
@@ -258,9 +263,12 @@ _XcmsAddCmapRec(
pNew->dpy = dpy;
pNew->windowID = windowID;
pNew->visual = visual;
+ LockDisplay(dpy);
pNew->pNext = (XcmsCmapRec *)dpy->cms.clientCmaps;
dpy->cms.clientCmaps = (XPointer)pNew;
dpy->free_funcs->clientCmaps = _XcmsFreeClientCmaps;
+ UnlockDisplay(dpy);
+ SyncHandle();
/*
* Note, we don't create the XcmsCCC for pNew->ccc here because
@@ -342,6 +350,7 @@ _XcmsDeleteCmapRec(
}
/* search for it in the list */
+ LockDisplay(dpy);
pPrevPtr = (XcmsCmapRec **)&dpy->cms.clientCmaps;
while ((pRec = *pPrevPtr) && (pRec->cmapID != cmap)) {
pPrevPtr = &pRec->pNext;
@@ -354,6 +363,8 @@ _XcmsDeleteCmapRec(
*pPrevPtr = pRec->pNext;
Xfree(pRec);
}
+ UnlockDisplay(dpy);
+ SyncHandle();
}
@@ -378,6 +389,7 @@ _XcmsFreeClientCmaps(
{
XcmsCmapRec *pRecNext, *pRecFree;
+ LockDisplay(dpy);
pRecNext = (XcmsCmapRec *)dpy->cms.clientCmaps;
while (pRecNext != NULL) {
pRecFree = pRecNext;
@@ -390,6 +402,8 @@ _XcmsFreeClientCmaps(
Xfree(pRecFree);
}
dpy->cms.clientCmaps = (XPointer)NULL;
+ UnlockDisplay(dpy);
+ SyncHandle();
}
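Review bot: The SyncHandle() added at the end of _XcmsFreeClientCmaps() runs on the display teardown path. The libX11 patch added at the top of this commit describes the result: when running synchronized it calls XSync() after the xcb connection is closed and raises a spurious XIO error. If nothing in this function sends a request, consider dropping the SyncHandle() here instead of depending on the order of calls in XCloseDisplay().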
--
2.45.2

@ -1,62 +0,0 @@
From af1312d2873d2ce49b18708a5029895aed477392 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
Date: Tue, 30 Apr 2024 17:37:39 +0200
Subject: [PATCH 4/6] XKBMAlloc: Check that needed is >= 0 in
XkbResizeKeyActions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Passing a negative value in `needed` to the `XkbResizeKeyActions()`
function can create a `newActs` array of an unespected size.
Check the value and return if it is invalid.
This error has been found by a static analysis tool. This is the report:
Error: OVERRUN (CWE-119):
libX11-1.8.7/src/xkb/XKBMAlloc.c:811: cond_const:
Checking "xkb->server->size_acts == 0" implies that
"xkb->server->size_acts" is 0 on the true branch.
libX11-1.8.7/src/xkb/XKBMAlloc.c:811: buffer_alloc:
"calloc" allocates 8 bytes dictated by parameters
"(size_t)((xkb->server->size_acts == 0) ? 1 : xkb->server->size_acts)"
and "8UL".
libX11-1.8.7/src/xkb/XKBMAlloc.c:811: var_assign:
Assigning: "newActs" = "calloc((size_t)((xkb->server->size_acts == 0) ? 1 : xkb->server->size_acts), 8UL)".
libX11-1.8.7/src/xkb/XKBMAlloc.c:815: assignment:
Assigning: "nActs" = "1".
libX11-1.8.7/src/xkb/XKBMAlloc.c:829: cond_at_least:
Checking "nCopy > 0" implies that "nCopy" is at least 1 on the
true branch.
libX11-1.8.7/src/xkb/XKBMAlloc.c:830: overrun-buffer-arg:
Overrunning buffer pointed to by "&newActs[nActs]" of 8 bytes by
passing it to a function which accesses it at byte offset 15
using argument "nCopy * 8UL" (which evaluates to 8).
# 828|
# 829| if (nCopy > 0)
# 830|-> memcpy(&newActs[nActs], XkbKeyActionsPtr(xkb, i),
# 831| nCopy * sizeof(XkbAction));
# 832| if (nCopy < nKeyActs)
Signed-off-by: José Expósito <jexposit@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
---
src/xkb/XKBMAlloc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/xkb/XKBMAlloc.c b/src/xkb/XKBMAlloc.c
index 8b3be303..0563a688 100644
--- a/src/xkb/XKBMAlloc.c
+++ b/src/xkb/XKBMAlloc.c
@@ -795,7 +795,7 @@ XkbResizeKeyActions(XkbDescPtr xkb, int key, int needed)
register int i, nActs;
XkbAction *newActs;
- if (needed == 0) {
+ if (needed <= 0) {
xkb->server->key_acts[key] = 0;
return NULL;
}
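Review bot: With `if (needed <= 0)` a negative `needed` takes the same branch as 0, so it clears `xkb->server->key_acts[key]` and returns NULL. A negative count is a caller error, not a request to remove the key's actions; return NULL for `needed < 0` without touching key_acts[key], and keep the clearing for the `needed == 0` case only.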
--
2.45.2

@ -1,64 +0,0 @@
From f67a87dad40141f50f4da35b28a92a974bfdf7e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
Date: Tue, 30 Apr 2024 18:04:35 +0200
Subject: [PATCH 5/6] Fix memory leak in _XimProtoSetIMValues
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This error has been found by a static analysis tool. This is the report:
Error: RESOURCE_LEAK (CWE-772):
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1316: alloc_fn:
Storage is returned from allocation function "calloc".
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1316: var_assign:
Assigning: "tmp" = storage returned from
"calloc((size_t)((buf_size + data_len == 0) ? 1 : (buf_size + data_len)), 1UL)".
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1319: noescape:
Resource "tmp" is not freed or pointed-to in "memcpy".
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1320: var_assign:
Assigning: "buf" = "tmp".
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1302: var_assign:
Assigning: "data" = "buf".
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1303: noescape:
Resource "data" is not freed or pointed-to in
"_XimEncodeIMATTRIBUTE".
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1333: leaked_storage:
Variable "data" going out of scope leaks the storage it points to.
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1333: leaked_storage:
Variable "buf" going out of scope leaks the storage it points to.
libX11-1.8.7/modules/im/ximcp/imDefIm.c:1333: leaked_storage:
Variable "tmp" going out of scope leaks the storage it points to.
# 1331|
# 1332| if (!total)
# 1333|-> return (char *)NULL;
# 1334|
# 1335| buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
Signed-off-by: José Expósito <jexposit@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
---
modules/im/ximcp/imDefIm.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/modules/im/ximcp/imDefIm.c b/modules/im/ximcp/imDefIm.c
index a12d2970..e3075398 100644
--- a/modules/im/ximcp/imDefIm.c
+++ b/modules/im/ximcp/imDefIm.c
@@ -1327,8 +1327,11 @@ _XimProtoSetIMValues(
}
_XimSetCurrentIMValues(im, &im_values);
- if (!total)
- return (char *)NULL;
+ if (!total) {
+ if (buf != tmp_buf)
+ Xfree(buf);
+ return (char *)NULL;
+ }
buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
buf_s[0] = im->private.proto.imid;
--
2.45.2

@ -1,57 +0,0 @@
From 97fb5bda3d0777380cd4b964f48771a82ef3f2a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
Date: Tue, 30 Apr 2024 18:21:08 +0200
Subject: [PATCH 6/6] Fix buffer overrun in parse_omit_name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When `num_fields == 12`, if the last character of the pattern is '-',
the `buf` array is overrun.
This error has been found by a static analysis tool. This is the report:
Error: OVERRUN (CWE-119):
libX11-1.8.7/modules/om/generic/omGeneric.c:691: cond_at_most:
Checking "length > 255" implies that "length" may be up to 255 on
the false branch.
libX11-1.8.7/modules/om/generic/omGeneric.c:695: alias:
Assigning: "last" = "buf + length - 1". "last" may now point to as
high as byte 254 of "buf" (which consists of 256 bytes).
libX11-1.8.7/modules/om/generic/omGeneric.c:718: ptr_incr:
Incrementing "last". "last" may now point to as high as byte 255
of "buf" (which consists of 256 bytes).
libX11-1.8.7/modules/om/generic/omGeneric.c:720: ptr_incr:
Incrementing "last". "last" may now point to as high as byte 256
of "buf" (which consists of 256 bytes).
libX11-1.8.7/modules/om/generic/omGeneric.c:720: overrun-local:
Overrunning array of 256 bytes at byte offset 256 by
dereferencing pointer "++last".
# 718| *++last = '*';
# 719|
# 720|-> *++last = '-';
# 721| break;
# 722| case 13:
Signed-off-by: José Expósito <jexposit@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
---
modules/om/generic/omGeneric.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c
index 406cec93..370072f3 100644
--- a/modules/om/generic/omGeneric.c
+++ b/modules/om/generic/omGeneric.c
@@ -688,7 +688,7 @@ parse_omit_name(
length = strlen (pattern);
- if (length > XLFD_MAX_LEN)
+ if (length > XLFD_MAX_LEN - 1)
return -1;
strcpy(buf, pattern);
--
2.45.2

@ -1,19 +1,19 @@
diff -up libX11-1.6.3/modules/im/ximcp/imDefFlt.c.jx libX11-1.6.3/modules/im/ximcp/imDefFlt.c diff -up libX11-1.6.3/modules/im/ximcp/imDefFlt.c.jx libX11-1.6.3/modules/im/ximcp/imDefFlt.c
--- libX11-1.6.3/modules/im/ximcp/imDefFlt.c.jx 2015-03-09 18:28:45.000000000 -0400 --- libX11-1.6.3/modules/im/ximcp/imDefFlt.c.jx 2015-03-09 18:28:45.000000000 -0400
+++ libX11-1.6.3/modules/im/ximcp/imDefFlt.c 2015-03-10 12:32:31.912149644 -0400 +++ libX11-1.6.3/modules/im/ximcp/imDefFlt.c 2015-03-10 12:32:31.912149644 -0400
@@ -142,7 +142,7 @@ _XimProtoKeypressFilter( @@ -143,7 +143,7 @@ _XimProtoKeypressFilter(
{ {
Xim im = (Xim)ic->core.im; Xim im = (Xim)ic->core.im;
- if (IS_FABRICATED(im)) { - if (_XimIsFabricatedSerial(im, ev)) {
+ if ((ev->keycode == 0) || IS_FABRICATED(im)) { + if ((ev->keycode == 0) || _XimIsFabricatedSerial(im, ev)) {
_XimPendingFilter(ic); _XimPendingFilter(ic);
UNMARK_FABRICATED(im); _XimUnfabricateSerial(im, ic, ev);
return NOTFILTERD; return NOTFILTERD;
diff -up libX11-1.6.3/modules/im/ximcp/imDefLkup.c.jx libX11-1.6.3/modules/im/ximcp/imDefLkup.c diff -up libX11-1.6.3/modules/im/ximcp/imDefLkup.c.jx libX11-1.6.3/modules/im/ximcp/imDefLkup.c
--- libX11-1.6.3/modules/im/ximcp/imDefLkup.c.jx 2015-03-09 18:28:45.000000000 -0400 --- libX11-1.6.3/modules/im/ximcp/imDefLkup.c.jx 2015-03-09 18:28:45.000000000 -0400
+++ libX11-1.6.3/modules/im/ximcp/imDefLkup.c 2015-03-10 12:32:31.911149637 -0400 +++ libX11-1.6.3/modules/im/ximcp/imDefLkup.c 2015-03-10 12:32:31.911149637 -0400
@@ -332,6 +332,17 @@ _XimForwardEvent( @@ -333,6 +333,17 @@ _XimForwardEvent(
XEvent *ev, XEvent *ev,
Bool sync) Bool sync)
{ {
@ -31,9 +31,9 @@ diff -up libX11-1.6.3/modules/im/ximcp/imDefLkup.c.jx libX11-1.6.3/modules/im/xi
#ifdef EXT_FORWARD #ifdef EXT_FORWARD
if (((ev->type == KeyPress) || (ev->type == KeyRelease))) if (((ev->type == KeyPress) || (ev->type == KeyRelease)))
if (_XimExtForwardKeyEvent(ic, (XKeyEvent *)ev, sync)) if (_XimExtForwardKeyEvent(ic, (XKeyEvent *)ev, sync))
@@ -604,6 +615,19 @@ _XimUnregCommitInfo( @@ -703,6 +714,19 @@ _XimUnregRealCommitInfo(
Xfree(info->keysym); else
ic->private.proto.commit_info = info->next; ic->private.proto.commit_info = info->next;
Xfree(info); Xfree(info);
+ +
+ /* + /*
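Review bot: In _XimProtoKeypressFilter() the new test `(ev->keycode == 0) || _XimIsFabricatedSerial(im, ev)` sends every keycode-0 event into the branch that calls `_XimUnfabricateSerial(im, ic, ev);`, including events that were never recorded as fabricated. Confirm that _XimUnfabricateSerial() tolerates a serial it does not know about, or split the keycode-0 case into its own branch that only calls _XimPendingFilter(ic) and returns NOTFILTERD.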

@ -4,8 +4,8 @@
Summary: Core X11 protocol client library Summary: Core X11 protocol client library
Name: libX11 Name: libX11
Version: 1.8.7 Version: 1.8.10
Release: 8%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist} Release: 1%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
License: MIT AND X11 License: MIT AND X11
URL: http://www.x.org URL: http://www.x.org
@ -19,22 +19,8 @@ Source0: https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.
Patch02: dont-forward-keycode-0.patch Patch02: dont-forward-keycode-0.patch
# https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/264
# https://issues.redhat.com/browse/RHEL-40132 Patch03: 0001-Close-xcb-connection-after-freeing-display-structure.patch
Patch03: 0001-Revert-Fix-XTS-regression-in-XCopyColormapAndFree.patch
Patch04: 0002-Revert-Protect-colormap-add-removal-with-display-loc.patch
Patch05: 0003-Make-colormap-private-interfaces-thread-safe.patch
# https://issues.redhat.com/browse/RHEL-34918
Patch06: 0001-Fix-use-of-uninitialized-variable-in-_XimTriggerNoti.patch
Patch07: 0002-Fix-use-of-uninitialized-variable-in-_XimExtension.patch
Patch08: 0003-Fix-use-of-uninitialized-variable-in-_XimEncodeICATT.patch
Patch09: 0004-XKBMAlloc-Check-that-needed-is-0-in-XkbResizeKeyActi.patch
Patch10: 0005-Fix-memory-leak-in-_XimProtoSetIMValues.patch
Patch11: 0006-Fix-buffer-overrun-in-parse_omit_name.patch
# https://issues.redhat.com/browse/RHEL-45855
Patch12: 0001-Fix-deadlock-in-XRebindKeysym.patch
BuildRequires: libtool BuildRequires: libtool
BuildRequires: make BuildRequires: make
@ -139,6 +125,10 @@ make %{?_smp_mflags} check
%{_mandir}/man5/*.5* %{_mandir}/man5/*.5*
%changelog %changelog
* Thu Dec 05 2024 Olivier Fourdan <ofourdan@redhat.com> - 1.8.10-1
- Rebase to 1.8.10
Resolves: https://issues.redhat.com/browse/RHEL-70185
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.8.7-8 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.8.7-8
- Bump release for October 2024 mass rebuild: - Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018 Resolves: RHEL-64018
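Review bot: The new %changelog entry records only "Rebase to 1.8.10", but the same spec change also introduces a new Patch03 (0001-Close-xcb-connection-after-freeing-display-structure.patch) and drops Patch03 through Patch12 of the 1.8.7 build. Add a changelog line for the new backport, and give Patch03 a downstream issue reference next to the upstream merge request link, as the removed patch entries had.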

@ -1 +1 @@
SHA512 (libX11-1.8.7.tar.xz) = d53bfc18f38d339a6a695b09835b2ae96b323881678bfe7ddca697605e3bdf4102ff49cc3078880a6c55b5977fcdd0aadaf5429086132de3a5bda302f79a2fa6 SHA512 (libX11-1.8.10.tar.xz) = f801f5b77cbc55074f73dc95b29fff7b5e1b13b99641f6e397788ad9f31a29793ed4e8e5bd373122c790ef90627e8f9d6d5e271051c1767a479a85c55cd82bc1