.gitignore

@@ -1 +1 @@
-SOURCES/libX11-1.6.8.tar.bz2
+SOURCES/libX11-1.7.0.tar.bz2

.libX11.metadata

@@ -1 +1 @@
-f1ea96fe472a981d378b4f2eec90dcd063f9a407 SOURCES/libX11-1.6.8.tar.bz2
+48fd27a11572a7d3c1014368e1dc9f40a7b23e7d SOURCES/libX11-1.7.0.tar.bz2

SOURCES/0001-Avoid-recursing-through-_XError-due-to-sequence-adju.patch

@@ -1,166 +0,0 @@
-From 8c92ef59890c6d6e2be456658d3b9c145eda8629 Mon Sep 17 00:00:00 2001
-From: Keith Packard <keithp@keithp.com>
-Date: Sat, 7 Nov 2020 22:22:47 -0800
-Subject: [PATCH libX11] Avoid recursing through _XError due to sequence
- adjustment
-
-This patch is based on research done by Dmitry Osipenko to uncover the
-cause of a large class of Xlib lockups.
-
-_XError must unlock and re-lock the display around the call to the
-user error handler function. When re-locking the display, two
-functions are called to ensure that the display is ready to generate a request:
-
-    _XIDHandler(dpy);
-    _XSeqSyncFunction(dpy);
-
-The first ensures that there is at least one XID available to use
-(possibly calling _xcb_generate_id to do so). The second makes sure a
-reply is received at least every 65535 requests to keep sequence
-numbers in sync (possibly generating a GetInputFocus request and
-synchronously awaiting the reply).
-
-If the second of these does generate a GetInputFocus request and wait
-for the reply, then a pending error will cause recursion into _XError,
-which deadlocks the display.
-
-One seemingly easy fix is to have _XError avoid those calls by
-invoking InternalLockDisplay instead of LockDisplay. That function
-does everything that LockDisplay does *except* call those final two
-functions which may end up receiving an error.
-
-However, that doesn't protect the system from applications which call
-some legal Xlib function from within their error handler. Any Xlib
-function which cannot generate protocol or wait for events is valid,
-including many which invoke LockDisplay.
-
-What we need to do is make LockDisplay skip these two function calls
-precisely when it is called from within the _XError context for the
-same display.
-
-This patch accomplishes this by creating a list of threads in the
-display which are in _XError, and then having LockDisplay check the
-current thread against those list elements.
-
-Inspired-by: Dmitry Osipenko <digetx@gmail.com>
-Signed-off-by: Keith Packard <keithp@keithp.com>
-Tested-by: Dmitry Osipenko <digetx@gmail.com>
-Reviewed-by: Dmitry Osipenko <digetx@gmail.com>
-(cherry picked from commit 30ccef3a48029bf4fc31d4abda2d2778d0ad6277)
----
- include/X11/Xlibint.h |  2 ++
- src/OpenDis.c         |  1 +
- src/XlibInt.c         | 10 ++++++++++
- src/locking.c         | 12 ++++++++++++
- src/locking.h         | 12 ++++++++++++
- 5 files changed, 37 insertions(+)
-
-diff --git a/include/X11/Xlibint.h b/include/X11/Xlibint.h
-index 6b95bcf7..09078e3f 100644
---- a/include/X11/Xlibint.h
-+++ b/include/X11/Xlibint.h
-@@ -202,6 +202,8 @@ struct _XDisplay
- 	unsigned long last_request_read_upper32bit;
- 	unsigned long request_upper32bit;
- #endif
-+
-+	struct _XErrorThreadInfo *error_threads;
- };
- 
- #define XAllocIDs(dpy,ids,n) (*(dpy)->idlist_alloc)(dpy,ids,n)
-diff --git a/src/OpenDis.c b/src/OpenDis.c
-index 82723578..85901168 100644
---- a/src/OpenDis.c
-+++ b/src/OpenDis.c
-@@ -201,6 +201,7 @@ XOpenDisplay (
- 	X_DPY_SET_LAST_REQUEST_READ(dpy, 0);
- 	dpy->default_screen = iscreen;  /* Value returned by ConnectDisplay */
- 	dpy->last_req = (char *)&_dummy_request;
-+	dpy->error_threads = NULL;
- 
- 	/* Initialize the display lock */
- 	if (InitDisplayLock(dpy) != 0) {
-diff --git a/src/XlibInt.c b/src/XlibInt.c
-index 4e45e62b..8771b791 100644
---- a/src/XlibInt.c
-+++ b/src/XlibInt.c
-@@ -1482,6 +1482,11 @@ int _XError (
-     if (_XErrorFunction != NULL) {
- 	int rtn_val;
- #ifdef XTHREADS
-+	struct _XErrorThreadInfo thread_info = {
-+		.error_thread = xthread_self(),
-+		.next = dpy->error_threads
-+	}, **prev;
-+	dpy->error_threads = &thread_info;
- 	if (dpy->lock)
- 	    (*dpy->lock->user_lock_display)(dpy);
- 	UnlockDisplay(dpy);
-@@ -1491,6 +1496,11 @@ int _XError (
- 	LockDisplay(dpy);
- 	if (dpy->lock)
- 	    (*dpy->lock->user_unlock_display)(dpy);
-+
-+	/* unlink thread_info from the list */
-+	for (prev = &dpy->error_threads; *prev != &thread_info; prev = &(*prev)->next)
-+		;
-+	*prev = thread_info.next;
- #endif
- 	return rtn_val;
-     } else {
-diff --git a/src/locking.c b/src/locking.c
-index 9f4fe067..bcadc857 100644
---- a/src/locking.c
-+++ b/src/locking.c
-@@ -453,6 +453,9 @@ static void _XLockDisplay(
-     XTHREADS_FILE_LINE_ARGS
-     )
- {
-+#ifdef XTHREADS
-+    struct _XErrorThreadInfo *ti;
-+#endif
- #ifdef XTHREADS_WARN
-     _XLockDisplayWarn(dpy, file, line);
- #else
-@@ -460,6 +463,15 @@ static void _XLockDisplay(
- #endif
-     if (dpy->lock->locking_level > 0)
- 	_XDisplayLockWait(dpy);
-+#ifdef XTHREADS
-+    /*
-+     * Skip the two function calls below which may generate requests
-+     * when LockDisplay is called from within _XError.
-+     */
-+    for (ti = dpy->error_threads; ti; ti = ti->next)
-+	    if (ti->error_thread == xthread_self())
-+		    return;
-+#endif
-     _XIDHandler(dpy);
-     _XSeqSyncFunction(dpy);
- }
-diff --git a/src/locking.h b/src/locking.h
-index 5251a60c..59fc866e 100644
---- a/src/locking.h
-+++ b/src/locking.h
-@@ -149,6 +149,18 @@ typedef struct _LockInfoRec {
- 	xmutex_t	lock;
- } LockInfoRec;
- 
-+/* A list of threads currently invoking error handlers on this display
-+ * LockDisplay operates differently for these threads, avoiding
-+ * generating any requests or reading any events as that can cause
-+ * recursion into the error handling code, which will deadlock the
-+ * thread.
-+ */
-+struct _XErrorThreadInfo
-+{
-+    struct _XErrorThreadInfo *next;
-+    xthread_t error_thread;
-+};
-+
- /* XOpenDis.c */
- extern int (*_XInitDisplayLock_fn)(Display *dpy);
- extern void (*_XFreeDisplayLock_fn)(Display *dpy);
--- 
-2.43.0
-

SOURCES/0001-Fix-XTS-regression-in-XCopyColormapAndFree.patch

@@ -1,64 +0,0 @@
-From a515545065ce6e1924de4bc50aaae7ec9b48cfad Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Wed, 11 Dec 2019 11:53:11 -0500
-Subject: [PATCH libX11] Fix XTS regression in XCopyColormapAndFree
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-XCopyColormapAndFree/5 threw an assertion:
-
-    520|4 5 00014017 1 2|Assertion XCopyColormapAndFree-5.(A)
-    520|4 5 00014017 1 3|When a colourmap argument does not name a valid colourmap,
-    520|4 5 00014017 1 4|then a BadColor error occurs.
-    520|4 5 00014017 1 5|METH: Create a bad colourmap by creating and freeing a colourmap.
-    520|4 5 00014017 1 6|METH: Call test function using bad colourmap as the colourmap argument.
-    520|4 5 00014017 1 7|METH: Verify that a BadColor error occurs.
-    520|4 5 00014017 1 8|unexpected signal 6 (SIGABRT) received
-    220|4 5 2 15:05:53|UNRESOLVED
-    410|4 5 1 15:05:53|IC End
-    510|4|system 0: Abandoning testset: caught unexpected signal 11 (SIGSEGV)
-
-More specifically:
-
-    lt-XCopyColormapAndFree: xcb_io.c:533: _XAllocID: Assertion `ret != inval_id' failed.
-
-This bug was introduced (by following my advice, d'oh) in:
-
-    commit 99a2cf1aa0b58391078d5d3edf0a7dab18c7745d
-    Author: Tapani Pälli <tapani.palli@intel.com>
-    Date:   Mon May 13 08:29:49 2019 +0300
-
-        Protect colormap add/removal with display lock
-
-In that patch we moved the call to _XcmsCopyCmapRecAndFree inside the
-display lock. The problem is said routine has side effects, including
-trying to implicitly create a colormap in some cases. Since we don't run
-the XID handler until SyncHandle() we would see inconsistent internal
-xlib state, triggering the above assert.
-
-Fix this by dropping and re-taking the display lock before calling into
-XCMS.
----
- src/CopyCmap.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/CopyCmap.c b/src/CopyCmap.c
-index b4954b01..b37aba73 100644
---- a/src/CopyCmap.c
-+++ b/src/CopyCmap.c
-@@ -53,6 +53,11 @@ Colormap XCopyColormapAndFree(
-     mid = req->mid = XAllocID(dpy);
-     req->srcCmap = src_cmap;
- 
-+    /* re-lock the display to keep XID handling in sync */
-+    UnlockDisplay(dpy);
-+    SyncHandle();
-+    LockDisplay(dpy);
-+
- #if XCMS
-     _XcmsCopyCmapRecAndFree(dpy, src_cmap, mid);
- #endif
--- 
-2.23.0
-

SOURCES/0001-Fix-an-integer-overflow-in-init_om.patch

@@ -1,37 +0,0 @@
-From 2c67fab8415a1d32395de87f056bc5f3b37fedb0 Mon Sep 17 00:00:00 2001
-From: Matthieu Herrb <matthieu@herrb.eu>
-Date: Thu, 13 Aug 2020 18:02:58 +0200
-Subject: [PATCH] Fix an integer overflow in init_om()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-CVE-2020-14363
-
-This can lead to a double free later, as reported by Jayden Rivers.
-
-Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
-
-(cherry picked from commit acdaaadcb3d85c61fd43669fc5dddf0f8c3f911d)
-Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
----
- modules/om/generic/omGeneric.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c
-index 22f826ec..bcfb9ab8 100644
---- a/modules/om/generic/omGeneric.c
-+++ b/modules/om/generic/omGeneric.c
-@@ -1908,7 +1908,8 @@ init_om(
-     char **required_list;
-     XOrientation *orientation;
-     char **value, buf[BUFSIZ], *bufptr;
--    int count = 0, num = 0, length = 0;
-+    int count = 0, num = 0;
-+    unsigned int length = 0;
- 
-     _XlcGetResource(lcd, "XLC_FONTSET", "on_demand_loading", &value, &count);
-     if (count > 0 && _XlcCompareISOLatin1(*value, "True") == 0)
--- 
-2.28.0
-

SOURCES/0001-Fix-poll_for_response-race-condition.patch

@@ -1,63 +0,0 @@
-From 77f8517710a724fa1f29de8ad806692782f962bd Mon Sep 17 00:00:00 2001
-From: Frediano Ziglio <fziglio@redhat.com>
-Date: Wed, 29 Jan 2020 09:06:54 +0000
-Subject: [PATCH libX11] Fix poll_for_response race condition
-
-In poll_for_response is it possible that event replies are skipped
-and a more up to date message reply is returned.
-This will cause next poll_for_event call to fail aborting the program.
-
-This was proved using some slow ssh tunnel or using some program
-to slow down server replies (I used a combination of xtrace and strace).
-
-How the race happens:
-- program enters into poll_for_response;
-- poll_for_event is called but the server didn't still send the reply;
-- pending_requests is not NULL because we send a request (see call
-  to  append_pending_request in _XSend);
-- xcb_poll_for_reply64 is called from poll_for_response;
-- xcb_poll_for_reply64 will read from server, at this point
-  server reply with an event (say sequence N) and the reply to our
-  last request (say sequence N+1);
-- xcb_poll_for_reply64 returns the reply for the request we asked;
-- last_request_read is set to N+1 sequence in poll_for_response;
-- poll_for_response returns the response to the request;
-- poll_for_event is called (for instance from another poll_for_response);
-- event with sequence N is retrieved;
-- the N sequence is widen, however, as the "new" number computed from
-  last_request_read is less than N the number is widened to N + 2^32
-  (assuming last_request_read is still contained in 32 bit);
-- poll_for_event enters the nested if statement as req is NULL;
-- we compare the widen N (which now does not fit into 32 bit) with
-  request (which fits into 32 bit) hitting the throw_thread_fail_assert.
-
-I propose to change the widen to not go too far from the wide number
-instead of supposing the result is always bigger than the wide number
-passed.
-
-Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
----
- src/xcb_io.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/src/xcb_io.c b/src/xcb_io.c
-index 6a12d150..2aacbda3 100644
---- a/src/xcb_io.c
-+++ b/src/xcb_io.c
-@@ -201,12 +201,10 @@ static int handle_error(Display *dpy, xError *err, Bool in_XReply)
- }
- 
- /* Widen a 32-bit sequence number into a 64bit (uint64_t) sequence number.
-- * Treating the comparison as a 1 and shifting it avoids a conditional branch.
-  */
- static void widen(uint64_t *wide, unsigned int narrow)
- {
--	uint64_t new = (*wide & ~((uint64_t)0xFFFFFFFFUL)) | narrow;
--	*wide = new + (((uint64_t)(new < *wide)) << 32);
-+	*wide += (int32_t) (narrow - *wide);
- }
- 
- /* Thread-safety rules:
--- 
-2.23.0
-

SOURCES/0001-imDefLkup-verify-that-a-pointer-isn-t-NULL-before-us.patch

@@ -1,40 +0,0 @@
-From 623b77d4f30b47258a40f89262e5aa5d25e95fa7 Mon Sep 17 00:00:00 2001
-From: Benno Schulenberg <bensberg@telfort.nl>
-Date: Mon, 14 Feb 2022 11:33:25 +0100
-Subject: [PATCH] imDefLkup: verify that a pointer isn't NULL before using it
-
-It is possible for _XimICOfXICID() to return NULL, so it is necessary
-to check this isn't actually the case before dereferencing the pointer.
-All other callers of _XimICOfXICID() do this check too.
-
-(The check itself is ugly, but it follows the style of the code in the
-rest of the module.)
-
-Fixes issue #45.
-
-Reported-by: Bhavi Dhingra
-
-Original-patch-by: Bhavi Dhingra
-
-Signed-off-by: Benno Schulenberg <bensberg@telfort.nl>
----
- modules/im/ximcp/imDefLkup.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/modules/im/ximcp/imDefLkup.c b/modules/im/ximcp/imDefLkup.c
-index dea7f66d..dd1adf53 100644
---- a/modules/im/ximcp/imDefLkup.c
-+++ b/modules/im/ximcp/imDefLkup.c
-@@ -88,7 +88,8 @@ _XimSetEventMaskCallback(
- 
-     if (imid == im->private.proto.imid) {
- 	if (icid) {
--	    ic = _XimICOfXICID(im, icid);
-+	    if (!(ic = _XimICOfXICID(im, icid)))
-+		return False;
- 	    _XimProcICSetEventMask(ic, (XPointer)&buf_s[2]);
- 	} else {
- 	    _XimProcIMSetEventMask(im, (XPointer)&buf_s[2]);
--- 
-2.46.0
-

SOURCES/0001-makekeys-handle-the-new-_EVDEVK-xorgproto-symbols.patch

@@ -0,0 +1,43 @@
+From e92efc63acd7b377faa9e534f4bf52aaa86be2a9 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 27 Jul 2021 11:46:19 +1000
+Subject: [PATCH libX11] makekeys: handle the new _EVDEVK xorgproto symbols
+
+These keys are all defined through a macro in the form:
+   #define XF86XK_BrightnessAuto		_EVDEVK(0x0F4)
+
+The _EVDEVK macro is simply an offset of 0x10081000.
+Let's parse these lines correctly so those keysyms end up in our
+hashtables.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ src/util/makekeys.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/util/makekeys.c b/src/util/makekeys.c
+index e847ef4c..4896cc53 100644
+--- a/src/util/makekeys.c
++++ b/src/util/makekeys.c
+@@ -78,6 +78,18 @@ parse_line(const char *buf, char *key, KeySym *val, char *prefix)
+         return 1;
+     }
+ 
++    /* See if we can parse one of the _EVDEVK symbols */
++    i = sscanf(buf, "#define %127s _EVDEVK(0x%lx)", key, val);
++    if (i == 2 && (tmp = strstr(key, "XK_"))) {
++        memcpy(prefix, key, (size_t)(tmp - key));
++        prefix[tmp - key] = '\0';
++        tmp += 3;
++        memmove(key, tmp, strlen(tmp) + 1);
++
++        *val += 0x10081000;
++        return 1;
++    }
++
+     /* Now try to catch alias (XK_foo XK_bar) definitions, and resolve them
+      * immediately: if the target is in the form XF86XK_foo, we need to
+      * canonicalise this to XF86foo before we do the lookup. */
+-- 
+2.31.1
+

SOURCES/CVE-2021-31535.patch

@@ -1,411 +0,0 @@
-From 2714e4478c1262c94de6295cce605c14572968d3 Mon Sep 17 00:00:00 2001
-From: Matthieu Herrb <matthieu@herrb.eu>
-Date: Fri, 19 Feb 2021 15:30:39 +0100
-Subject: [PATCH libX11] Reject string longer than USHRT_MAX before sending
- them on the wire
-
-The X protocol uses CARD16 values to represent the length so
-this would overflow.
-
-CVE-2021-31535
-
-Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
-
-[mustard: backported 10 1.6.8 by merging the warning fixes from
-upstream commimt 84427130 first - ajax]
----
- src/Font.c      | 10 ++++++----
- src/FontInfo.c  |  5 ++++-
- src/FontNames.c |  5 ++++-
- src/GetColor.c  |  6 +++++-
- src/LoadFont.c  |  6 +++++-
- src/LookupCol.c |  6 ++++--
- src/ParseCol.c  |  7 +++++--
- src/QuExt.c     |  7 ++++++-
- src/SetFPath.c  | 12 +++++++++---
- src/SetHints.c  |  9 ++++++++-
- src/StNColor.c  |  5 ++++-
- src/StName.c    | 11 ++++++++---
- 12 files changed, 68 insertions(+), 21 deletions(-)
-
-diff --git a/src/Font.c b/src/Font.c
-index 09d2ae91..1cd89cca 100644
---- a/src/Font.c
-+++ b/src/Font.c
-@@ -102,12 +102,14 @@ XFontStruct *XLoadQueryFont(
-     XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy);
- #endif
- 
-+    if (strlen(name) >= USHRT_MAX)
-+        return NULL;
-     if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0))
-       return font_result;
-     LockDisplay(dpy);
-     GetReq(OpenFont, req);
-     seq = dpy->request; /* Can't use extended sequence number here */
--    nbytes = req->nbytes  = name ? strlen(name) : 0;
-+    nbytes = req->nbytes = (CARD16) (name ? strlen(name) : 0);
-     req->fid = fid = XAllocID(dpy);
-     req->length += (nbytes+3)>>2;
-     Data (dpy, name, nbytes);
-@@ -662,8 +664,8 @@ int _XF86LoadQueryLocaleFont(
- 
-     if (!name)
- 	return 0;
--    l = strlen(name);
--    if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-')
-+    l = (int) strlen(name);
-+    if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX)
- 	return 0;
-     charset = NULL;
-     /* next three lines stolen from _XkbGetCharset() */
-@@ -679,7 +681,7 @@ int _XF86LoadQueryLocaleFont(
- 	return 0;
-     if (_XlcNCompareISOLatin1(name + l - 2 - (p - charset), charset, p - charset))
- 	return 0;
--    if (strlen(p + 1) + l - 1 >= sizeof(buf) - 1)
-+    if (strlen(p + 1) + (size_t) l - 1 >= sizeof(buf) - 1)
- 	return 0;
-     strcpy(buf, name);
-     strcpy(buf + l - 1, p + 1);
-diff --git a/src/FontInfo.c b/src/FontInfo.c
-index f870e431..6644b3fa 100644
---- a/src/FontInfo.c
-+++ b/src/FontInfo.c
-@@ -58,10 +58,13 @@ XFontStruct **info)	/* RETURN */
-     register xListFontsReq *req;
-     int j;
- 
-+    if (strlen(pattern) >= USHRT_MAX)
-+        return NULL;
-+
-     LockDisplay(dpy);
-     GetReq(ListFontsWithInfo, req);
-     req->maxNames = maxNames;
--    nbytes = req->nbytes = pattern ? strlen (pattern) : 0;
-+    nbytes = req->nbytes = pattern ? (CARD16) strlen (pattern) : 0;
-     req->length += (nbytes + 3) >> 2;
-     _XSend (dpy, pattern, nbytes);
-     /* use _XSend instead of Data, since subsequent _XReply will flush buffer */
-diff --git a/src/FontNames.c b/src/FontNames.c
-index b78792d6..458d80c9 100644
---- a/src/FontNames.c
-+++ b/src/FontNames.c
-@@ -51,10 +51,13 @@ int *actualCount)	/* RETURN */
-     register xListFontsReq *req;
-     unsigned long rlen = 0;
- 
-+    if (strlen(pattern) >= USHRT_MAX)
-+        return NULL;
-+
-     LockDisplay(dpy);
-     GetReq(ListFonts, req);
-     req->maxNames = maxNames;
--    nbytes = req->nbytes = pattern ? strlen (pattern) : 0;
-+    nbytes = req->nbytes = pattern ? (CARD16) strlen (pattern) : 0;
-     req->length += (nbytes + 3) >> 2;
-     _XSend (dpy, pattern, nbytes);
-     /* use _XSend instead of Data, since following _XReply will flush buffer */
-diff --git a/src/GetColor.c b/src/GetColor.c
-index cd0eb9f6..c8178067 100644
---- a/src/GetColor.c
-+++ b/src/GetColor.c
-@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
- #ifdef HAVE_CONFIG_H
- #include <config.h>
- #endif
-+#include <limits.h>
- #include <stdio.h>
- #include "Xlibint.h"
- #include "Xcmsint.h"
-@@ -48,6 +49,9 @@ XColor *exact_def) /* RETURN */
-     XcmsColor cmsColor_exact;
-     Status ret;
- 
-+    if (strlen(colorname) >= USHRT_MAX)
-+        return (0);
-+
- #ifdef XCMS
-     /*
-      * Let's Attempt to use Xcms and i18n approach to Parse Color
-@@ -83,7 +87,7 @@ XColor *exact_def) /* RETURN */
-     GetReq(AllocNamedColor, req);
- 
-     req->cmap = cmap;
--    nbytes = req->nbytes = strlen(colorname);
-+    nbytes = req->nbytes = (CARD16) strlen(colorname);
-     req->length += (nbytes + 3) >> 2; /* round up to mult of 4 */
- 
-     _XSend(dpy, colorname, nbytes);
-diff --git a/src/LoadFont.c b/src/LoadFont.c
-index f547976b..3996436f 100644
---- a/src/LoadFont.c
-+++ b/src/LoadFont.c
-@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
- #ifdef HAVE_CONFIG_H
- #include <config.h>
- #endif
-+#include <limits.h>
- #include "Xlibint.h"
- 
- Font
-@@ -38,12 +39,15 @@ XLoadFont (
-     Font fid;
-     register xOpenFontReq *req;
- 
-+    if (strlen(name) >= USHRT_MAX)
-+        return (0);
-+
-     if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid))
-       return fid;
- 
-     LockDisplay(dpy);
-     GetReq(OpenFont, req);
--    nbytes = req->nbytes = name ? strlen(name) : 0;
-+    nbytes = req->nbytes = name ? (CARD16) strlen(name) : 0;
-     req->fid = fid = XAllocID(dpy);
-     req->length += (nbytes+3)>>2;
-     Data (dpy, name, nbytes);
-diff --git a/src/LookupCol.c b/src/LookupCol.c
-index f7f969f5..cd9b1368 100644
---- a/src/LookupCol.c
-+++ b/src/LookupCol.c
-@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
- #ifdef HAVE_CONFIG_H
- #include <config.h>
- #endif
-+#include <limits.h>
- #include <stdio.h>
- #include "Xlibint.h"
- #include "Xcmsint.h"
-@@ -46,6 +47,9 @@ XLookupColor (
- 	XcmsCCC ccc;
- 	XcmsColor cmsColor_exact;
- 
-+	n = (int) strlen (spec);
-+	if (n >= USHRT_MAX)
-+            return 0;
- #ifdef XCMS
- 	/*
- 	 * Let's Attempt to use Xcms and i18n approach to Parse Color
-@@ -77,8 +81,6 @@ XLookupColor (
- 	 * Xcms and i18n methods failed, so lets pass it to the server
- 	 * for parsing.
- 	 */
--
--	n = strlen (spec);
- 	LockDisplay(dpy);
- 	GetReq (LookupColor, req);
- 	req->cmap = cmap;
-diff --git a/src/ParseCol.c b/src/ParseCol.c
-index e997b1b8..7a84a17b 100644
---- a/src/ParseCol.c
-+++ b/src/ParseCol.c
-@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
- #ifdef HAVE_CONFIG_H
- #include <config.h>
- #endif
-+#include <limits.h>
- #include <stdio.h>
- #include "Xlibint.h"
- #include "Xcmsint.h"
-@@ -46,7 +47,9 @@ XParseColor (
- 	XcmsColor cmsColor;
- 
-         if (!spec) return(0);
--	n = strlen (spec);
-+	n = (int) strlen (spec);
-+	if (n >= USHRT_MAX)
-+            return(0);
- 	if (*spec == '#') {
- 	    /*
- 	     * RGB
-@@ -119,7 +122,7 @@ XParseColor (
- 	    LockDisplay(dpy);
- 	    GetReq (LookupColor, req);
- 	    req->cmap = cmap;
--	    req->nbytes = n = strlen(spec);
-+	    req->nbytes = (CARD16) (n = (int) strlen(spec));
- 	    req->length += (n + 3) >> 2;
- 	    Data (dpy, spec, (long)n);
- 	    if (!_XReply (dpy, (xReply *) &reply, 0, xTrue)) {
-diff --git a/src/QuExt.c b/src/QuExt.c
-index 4e230e77..4cb99fcf 100644
---- a/src/QuExt.c
-+++ b/src/QuExt.c
-@@ -27,6 +27,8 @@ in this Software without prior written authorization from The Open Group.
- #ifdef HAVE_CONFIG_H
- #include <config.h>
- #endif
-+#include <limits.h>
-+#include <stdbool.h>
- #include "Xlibint.h"
- 
- Bool
-@@ -40,9 +42,12 @@ XQueryExtension(
-     xQueryExtensionReply rep;
-     register xQueryExtensionReq *req;
- 
-+    if (strlen(name) >= USHRT_MAX)
-+        return false;
-+
-     LockDisplay(dpy);
-     GetReq(QueryExtension, req);
--    req->nbytes = name ? strlen(name) : 0;
-+    req->nbytes = name ? (CARD16) strlen(name) : 0;
-     req->length += (req->nbytes+(unsigned)3)>>2;
-     _XSend(dpy, name, (long)req->nbytes);
-     (void) _XReply (dpy, (xReply *)&rep, 0, xTrue);
-diff --git a/src/SetFPath.c b/src/SetFPath.c
-index 60aaef01..13fce49e 100644
---- a/src/SetFPath.c
-+++ b/src/SetFPath.c
-@@ -26,6 +26,7 @@ in this Software without prior written authorization from The Open Group.
- 
- #ifdef HAVE_CONFIG_H
- #include <config.h>
-+#include <limits.h>
- #endif
- #include "Xlibint.h"
- 
-@@ -48,7 +49,12 @@ XSetFontPath (
- 	GetReq (SetFontPath, req);
- 	req->nFonts = ndirs;
- 	for (i = 0; i < ndirs; i++) {
--		n += safestrlen (directories[i]) + 1;
-+		n = (int) ((size_t) n + (safestrlen (directories[i]) + 1));
-+		if (n >= USHRT_MAX) {
-+			UnlockDisplay(dpy);
-+			SyncHandle();
-+			return 0;
-+		}
- 	}
- 	nbytes = (n + 3) & ~3;
- 	req->length += nbytes >> 2;
-@@ -59,9 +65,9 @@ XSetFontPath (
- 		char	*tmp = p;
- 
- 		for (i = 0; i < ndirs; i++) {
--			register int length = safestrlen (directories[i]);
-+			register int length = (int) safestrlen (directories[i]);
- 			*p = length;
--			memcpy (p + 1, directories[i], length);
-+			memcpy (p + 1, directories[i], (size_t)length);
- 			p += length + 1;
- 		}
- 		Data (dpy, tmp, nbytes);
-diff --git a/src/SetHints.c b/src/SetHints.c
-index bc46498a..61cb0684 100644
---- a/src/SetHints.c
-+++ b/src/SetHints.c
-@@ -49,6 +49,7 @@ SOFTWARE.
- #ifdef HAVE_CONFIG_H
- #include <config.h>
- #endif
-+#include <limits.h>
- #include <X11/Xlibint.h>
- #include <X11/Xutil.h>
- #include "Xatomtype.h"
-@@ -214,6 +215,8 @@ XSetCommand (
- 	register char *buf, *bp;
- 	for (i = 0, nbytes = 0; i < argc; i++) {
- 		nbytes += safestrlen(argv[i]) + 1;
-+		if (nbytes >= USHRT_MAX)
-+                    return 1;
- 	}
- 	if ((bp = buf = Xmalloc(nbytes))) {
- 	    /* copy arguments into single buffer */
-@@ -256,11 +259,13 @@ XSetStandardProperties (
- 
- 	if (name != NULL) XStoreName (dpy, w, name);
- 
-+        if (safestrlen(icon_string) >= USHRT_MAX)
-+            return 1;
- 	if (icon_string != NULL) {
- 	    XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
-                              PropModeReplace,
-                              (_Xconst unsigned char *)icon_string,
--                             safestrlen(icon_string));
-+                             (int)safestrlen(icon_string));
- 		}
- 
- 	if (icon_pixmap != None) {
-@@ -298,6 +303,8 @@ XSetClassHint(
- 
- 	len_nm = safestrlen(classhint->res_name);
- 	len_cl = safestrlen(classhint->res_class);
-+        if (len_nm + len_cl >= USHRT_MAX)
-+            return 1;
- 	if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) {
- 	    if (len_nm) {
- 		strcpy(s, classhint->res_name);
-diff --git a/src/StNColor.c b/src/StNColor.c
-index 8b821c3e..16dc9cbc 100644
---- a/src/StNColor.c
-+++ b/src/StNColor.c
-@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
- #ifdef HAVE_CONFIG_H
- #include <config.h>
- #endif
-+#include <limits.h>
- #include <stdio.h>
- #include "Xlibint.h"
- #include "Xcmsint.h"
-@@ -46,6 +47,8 @@ int flags)  /* DoRed, DoGreen, DoBlue */
-     XcmsColor cmsColor_exact;
-     XColor scr_def;
- 
-+    if (strlen(name) >= USHRT_MAX)
-+        return 0;
- #ifdef XCMS
-     /*
-      * Let's Attempt to use Xcms approach to Parse Color
-@@ -76,7 +79,7 @@ int flags)  /* DoRed, DoGreen, DoBlue */
-     req->cmap = cmap;
-     req->flags = flags;
-     req->pixel = pixel;
--    req->nbytes = nbytes = strlen(name);
-+    req->nbytes = (CARD16) (nbytes = (unsigned) strlen(name));
-     req->length += (nbytes + 3) >> 2; /* round up to multiple of 4 */
-     Data(dpy, name, (long)nbytes);
-     UnlockDisplay(dpy);
-diff --git a/src/StName.c b/src/StName.c
-index b4048bff..04bb3aa6 100644
---- a/src/StName.c
-+++ b/src/StName.c
-@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
- #ifdef HAVE_CONFIG_H
- #include <config.h>
- #endif
-+#include <limits.h>
- #include <X11/Xlibint.h>
- #include <X11/Xatom.h>
- 
-@@ -36,9 +37,11 @@ XStoreName (
-     Window w,
-     _Xconst char *name)
- {
--    return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING,
-+    if (strlen(name) >= USHRT_MAX)
-+        return 0;
-+    return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /*  */
- 			   8, PropModeReplace, (_Xconst unsigned char *)name,
--			   name ? strlen(name) : 0);
-+			   name ? (int) strlen(name) : 0);
- }
- 
- int
-@@ -47,7 +50,9 @@ XSetIconName (
-     Window w,
-     _Xconst char *icon_name)
- {
-+    if (strlen(icon_name) >= USHRT_MAX)
-+        return 0;
-     return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
-                            PropModeReplace, (_Xconst unsigned char *)icon_name,
--			   icon_name ? strlen(icon_name) : 0);
-+			   icon_name ? (int) strlen(icon_name) : 0);
- }
--- 
-2.30.1
-

SPECS/libX11.spec

@@ -4,10 +4,9 @@
 
 Summary: Core X11 protocol client library
 Name: libX11
-Version: 1.6.8
+Version: 1.7.0
 Release: 9%{?gitdate:.%{gitdate}git%{gitversion}}%{?dist}
 License: MIT
-Group: System Environment/Libraries
 URL: http://www.x.org
 
 %if 0%{?gitdate}
@@ -19,32 +18,22 @@ Source0: https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.
 %endif
 
 Patch2: dont-forward-keycode-0.patch
-Patch3: 0001-Fix-XTS-regression-in-XCopyColormapAndFree.patch
+Patch3: 0001-makekeys-handle-the-new-_EVDEVK-xorgproto-symbols.patch
-Patch4: 0001-Fix-poll_for_response-race-condition.patch
-
-# CVE-2020-14363
-Patch5: 0001-Fix-an-integer-overflow-in-init_om.patch
-Patch6: CVE-2021-31535.patch
 # CVE-2023-3138
-Patch7: 0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
+Patch4: 0001-InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
 
 # CVE-2023-43785
-Patch8: 0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch
+Patch5: 0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch
 
 # CVE-2023-43786
-Patch9: 0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch
+Patch6: 0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch
-Patch10: 0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch
+Patch7: 0002-XPutImage-clip-images-to-maximum-height-width-allowe.patch
-Patch11: 0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch
+Patch8: 0003-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch
 
 # CVE-2023-43787
-Patch12: 0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch
+Patch9: 0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch
-
-# RHEL-23452
-Patch13: 0001-Avoid-recursing-through-_XError-due-to-sequence-adju.patch
-
-# https://issues.redhat.com/browse/RHEL-58444
-Patch14: 0001-imDefLkup-verify-that-a-pointer-isn-t-NULL-before-us.patch
 
+BuildRequires: make
 BuildRequires: xorg-x11-util-macros >= 1.11
 BuildRequires: pkgconfig(xproto) >= 7.0.15
 BuildRequires: xorg-x11-xtrans-devel >= 1.0.3-4
@@ -59,7 +48,6 @@ Core X11 protocol client library.
 
 %package common
 Summary: Common data for libX11
-Group: System Environment/Libraries
 BuildArch: noarch
 
 %description common
@@ -67,7 +55,6 @@ libX11 common data
 
 %package devel
 Summary: Development files for %{name}
-Group: Development/Libraries
 Requires: %{name} = %{version}-%{release}
 Requires: %{name}-xcb = %{version}-%{release}
 
@@ -76,27 +63,13 @@ X.Org X11 libX11 development package
 
 %package xcb
 Summary: XCB interop for libX11
-Group: System Environment/Libraries
 Conflicts: %{name} < %{version}-%{release}
 
 %description xcb
 libX11/libxcb interoperability library
 
 %prep
-%setup -q -n %{tarball}-%{?gitdate:%{gitdate}}%{!?gitdate:%{version}}
+%autosetup -p1 -n %{tarball}-%{?gitdate:%{gitdate}}%{!?gitdate:%{version}}
-%patch2 -p1 -b .dont-forward-keycode-0
-%patch3 -p1 -b .copycolormapandfree
-%patch4 -p1 -b .race
-%patch5 -p1 -b .fix-an-integer-overflow-in-init_om
-%patch6 -p1 -b .cve-2021-31535
-%patch7 -p1 -b .cve-2023-3138
-%patch8 -p1 -b .cve-2023-43785
-%patch9 -p1 -b .cve-2023-43786
-%patch10 -p1 -b .xputimage-clip-images-to-maximum-height-width-allowe
-%patch11 -p1 -b .xcreatepixmap-trigger-badvalue-error-for-out-of-rang
-%patch12 -p1 -b .cve-2023-43787
-%patch13 -p1 -b .rhel-23452
-%patch14 -p1 -b .rhel-58444
 
 %build
 autoreconf -v --install --force
@@ -127,7 +100,7 @@ make %{?_smp_mflags} check
 
 %files
 %{_libdir}/libX11.so.6
-%{_libdir}/libX11.so.6.3.0
+%{_libdir}/libX11.so.6.4.0
 
 %files xcb
 %{_libdir}/libX11-xcb.so.1
@@ -153,6 +126,7 @@ make %{?_smp_mflags} check
 %{_includedir}/X11/Xresource.h
 %{_includedir}/X11/Xutil.h
 %{_includedir}/X11/cursorfont.h
+%{_includedir}/X11/extensions/XKBgeom.h
 %{_libdir}/libX11.so
 %{_libdir}/libX11-xcb.so
 %{_libdir}/pkgconfig/x11.pc
@@ -161,39 +135,79 @@ make %{?_smp_mflags} check
 %{_mandir}/man5/*.5*
 
 %changelog
-* Fri Sep 13 2024 José Expósito <jexposit@redhat.com> - 1.6.8-9
+* Wed Oct 11 2023 José Expósito <jexposit@redhat.com> - 1.7.0-9
-- Backport NULL check to avoid a crash
-  Resolves: https://issues.redhat.com/browse/RHEL-58444
-
-* Tue Jan 30 2024 Olivier Fourdan <ofourdan@redhat.com> - 1.6.8-8
-- Backport fix for Xlib lockups due to recursive XError (RHEL-23452)
-
-* Wed Oct 11 2023 José Expósito <jexposit@redhat.com> - 1.6.8-7
 - Fix CVE-2023-43785: out-of-bounds memory access in _XkbReadKeySyms()
 - Fix CVE-2023-43786: stack exhaustion from infinite recursion in
   PutSubImage()
 - Fix CVE-2023-43787: integer overflow in XCreateImage() leading to
   a heap overflow
 
-* Wed Jul 05 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.6.8-6
+* Wed Jul 05 2023 Olivier Fourdan <ofourdan@redhat.com> - 1.7.0-8
 - CVE fix for: CVE-2023-3138
-  Resolve: rhbz#2213762
+  Resolve: rhbz#2213763
 
-* Thu Aug 12 2021 Adam Jackson <ajax@redhat.com> - 1.6.8-5
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.7.0-7
-- Fix CVE-2021-31535 (#1962439)
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Tue Nov  3 2020 Michel Dänzer <mdaenzer@redhat.com> - 1.6.8-4
+* Tue Aug 03 2021 Peter Hutterer <peter.hutterer@redhat.com> - 1.7.0-6
-- Fix CVE-2020-14363 (#1873923)
+- Parse the EVDEVK keysyms (#1988944)
 
-* Mon Feb 24 2020 Adam Jackson <ajax@redhat.com> - 1.6.8-3
+* Tue May 04 2021 Peter Hutterer <peter.hutterer@redhat.com> 1.7.0-5
-- Fix race condition in poll_for_reponse
+- Rebuild to pick up the new xorgproto keysyms (#1954345)
 
-* Fri Dec 13 2019 Adam Jackson <ajax@redhat.com> - 1.6.8-2
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.7.0-4
-- Fix assertion on error in XCopyColormapAndFree
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 
-* Tue Nov 19 2019 Adam Jackson <ajax@redhat.com> - 1.6.8-1
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Dec 01 2020 Peter Hutterer <peter.hutterer@redhat.com> 1.7.0-2
+- libX11 1.7.0 (with the tarball this time)
+
+* Tue Dec 01 2020 Peter Hutterer <peter.hutterer@redhat.com> 1.7.0-1
+- libX11 1.7.0
+- switch to using the autosetup rpm macro
+
+* Mon Nov 09 2020 Peter Hutterer <peter.hutterer@redhat.com> 1.6.12-3
+- Fix a race-condition in poll_for_response (#1758384)
+
+* Thu Nov  5 11:12:56 AEST 2020 Peter Hutterer <peter.hutterer@redhat.com> - 1.6.12-2
+- Add BuildRequires for make
+
+* Wed Aug 26 2020 Peter Hutterer <peter.hutterer@redhat.com> 1.6.12-1
+- libX11 1.6.12 (CVE-2020-14363, CVE 2020-14344)
+
+* Fri Jul 31 2020 Adam Jackson <ajax@redhat.com> - 1.6.9-5
+- Fix server reply validation issue in XIM (CVE 2020-14344)
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.9-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.9-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Dec 11 2019 Peter Hutterer <peter.hutterer@redhat.com> 1.6.9-2
+- handle ssharp in XConvertCase
+
+* Wed Oct 09 2019 Adam Jackson <ajax@redhat.com> - 1.6.9-1
+- libX11 1.6.9
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Jun 20 2019 Peter Hutterer <peter.hutterer@redhat.com> 1.6.8-2
+- rebuild to pick up the new xorgproto keysyms
+
+* Thu Jun 20 2019 Peter Hutterer <peter.hutterer@redhat.com> 1.6.8-1
 - libX11 1.6.8
 
+* Thu Mar 21 2019 Adam Jackson <ajax@redhat.com> - 1.6.7-3
+- Rebuild for xtrans 1.4.0
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
 * Tue Oct 09 2018 Adam Jackson <ajax@redhat.com> - 1.6.7-1
 - libX11 1.6.7