From 30a89ecb0a6c5f321b825860b1fb303fa5811664 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Thu, 26 Oct 2023 11:03:01 +0200
Subject: [PATCH] xwayland 23.2.2

Resolves: #2246029
---
 ...x-handling-of-PropModeAppend-Prepend.patch | 81 -------------------
 sources                                       |  2 +-
 xorg-x11-server-Xwayland.spec                 |  9 ++-
 3 files changed, 6 insertions(+), 86 deletions(-)
 delete mode 100644 0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch

diff --git a/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch b/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
deleted file mode 100644
index f98f71d..0000000
--- a/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 1e8478455458e998dd366d2cd23d2aeab2bdeee5 Mon Sep 17 00:00:00 2001
-From: Peter Hutterer <peter.hutterer@who-t.net>
-Date: Tue, 3 Oct 2023 11:53:05 +1000
-Subject: [PATCH xserver] Xi/randr: fix handling of PropModeAppend/Prepend
-
-The handling of appending/prepending properties was incorrect, with at
-least two bugs: the property length was set to the length of the new
-part only, i.e. appending or prepending N elements to a property with P
-existing elements always resulted in the property having N elements
-instead of N + P.
-
-Second, when pre-pending a value to a property, the offset for the old
-values was incorrect, leaving the new property with potentially
-uninitalized values and/or resulting in OOB memory writes.
-For example, prepending a 3 element value to a 5 element property would
-result in this 8 value array:
-  [N, N, N, ?, ?, P, P, P ] P, P
-                            ^OOB write
-
-The XI2 code is a copy/paste of the RandR code, so the bug exists in
-both.
-
-CVE-2023-5367, ZDI-CAN-22153
-
-This vulnerability was discovered by:
-Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
-
-Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-(cherry picked from commit 541ab2ecd41d4d8689e71855d93e492bc554719a)
----
- Xi/xiproperty.c    | 4 ++--
- randr/rrproperty.c | 4 ++--
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
-index 066ba21fba..d315f04d0e 100644
---- a/Xi/xiproperty.c
-+++ b/Xi/xiproperty.c
-@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
-                 XIDestroyDeviceProperty(prop);
-             return BadAlloc;
-         }
--        new_value.size = len;
-+        new_value.size = total_len;
-         new_value.type = type;
-         new_value.format = format;
- 
-@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
-         case PropModePrepend:
-             new_data = new_value.data;
-             old_data = (void *) (((char *) new_value.data) +
--                                  (prop_value->size * size_in_bytes));
-+                                  (len * size_in_bytes));
-             break;
-         }
-         if (new_data)
-diff --git a/randr/rrproperty.c b/randr/rrproperty.c
-index c2fb9585c6..25469f57b2 100644
---- a/randr/rrproperty.c
-+++ b/randr/rrproperty.c
-@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
-                 RRDestroyOutputProperty(prop);
-             return BadAlloc;
-         }
--        new_value.size = len;
-+        new_value.size = total_len;
-         new_value.type = type;
-         new_value.format = format;
- 
-@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
-         case PropModePrepend:
-             new_data = new_value.data;
-             old_data = (void *) (((char *) new_value.data) +
--                                  (prop_value->size * size_in_bytes));
-+                                  (len * size_in_bytes));
-             break;
-         }
-         if (new_data)
--- 
-2.41.0
-
diff --git a/sources b/sources
index 1d32e32..8f0a124 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (xwayland-23.2.1.tar.xz) = 8ea3061a175c9163166c69569a81dbee2cad605d140dd25d9b61219db555e775811ebe9716c38b6fa6c591299b7c1dfcd5248e797e341ee4cea49b998be89657
+SHA512 (xwayland-23.2.2.tar.xz) = f5b319fdace7d7c078544730ecd26afeb63b1a0c779fb097455147945df85af32d9e91501ebdb70209d48e8a3ead3b23be31e9d5118358ac17e699abb4b6ac07
diff --git a/xorg-x11-server-Xwayland.spec b/xorg-x11-server-Xwayland.spec
index fe3dece..cc83985 100644
--- a/xorg-x11-server-Xwayland.spec
+++ b/xorg-x11-server-Xwayland.spec
@@ -8,8 +8,8 @@
 
 Summary:   Xwayland
 Name:      xorg-x11-server-Xwayland
-Version:   23.2.1
-Release:   2%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist}
+Version:   23.2.2
+Release:   1%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist}
 
 URL:       http://www.x.org
 %if 0%{?gitdate}
@@ -18,8 +18,6 @@ Source0:   https://gitlab.freedesktop.org/xorg/%{pkgname}/-/archive/%{commit}/%{
 Source0:   https://www.x.org/pub/individual/xserver/%{pkgname}-%{version}.tar.xz
 %endif
 
-Patch01:   0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
-
 License:   MIT
 
 Requires: xorg-x11-server-common
@@ -137,6 +135,9 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/*.desktop
 %{_libdir}/pkgconfig/xwayland.pc
 
 %changelog
+* Thu Oct 26 2023 Olivier Fourdan <ofourdan@redhat.com> - 23.2.2-1
+- xwayland 23.2.2 - (#2246029)
+
 * Wed Oct 25 2023 Peter Hutterer <peter.hutterer@redhat.com> - 23.2.1-2
 - Fix for CVE-2023-5367