From af0651eac5b4ced4bd5ccd28c3256a3c77685473 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 25 Oct 2023 16:31:58 +0200
Subject: [PATCH] Fix for CVE-2023-5367

Resolves: https://issues.redhat.com/browse/RHEL-13428
---
 ...x-handling-of-PropModeAppend-Prepend.patch | 81 +++++++++++++++++++
 xorg-x11-server-Xwayland.spec                 |  8 +-
 2 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100644 0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch

diff --git a/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch b/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
new file mode 100644
index 0000000..f98f71d
--- /dev/null
+++ b/0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
@@ -0,0 +1,81 @@
+From 1e8478455458e998dd366d2cd23d2aeab2bdeee5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue, 3 Oct 2023 11:53:05 +1000
+Subject: [PATCH xserver] Xi/randr: fix handling of PropModeAppend/Prepend
+
+The handling of appending/prepending properties was incorrect, with at
+least two bugs: the property length was set to the length of the new
+part only, i.e. appending or prepending N elements to a property with P
+existing elements always resulted in the property having N elements
+instead of N + P.
+
+Second, when pre-pending a value to a property, the offset for the old
+values was incorrect, leaving the new property with potentially
+uninitalized values and/or resulting in OOB memory writes.
+For example, prepending a 3 element value to a 5 element property would
+result in this 8 value array:
+  [N, N, N, ?, ?, P, P, P ] P, P
+                            ^OOB write
+
+The XI2 code is a copy/paste of the RandR code, so the bug exists in
+both.
+
+CVE-2023-5367, ZDI-CAN-22153
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 541ab2ecd41d4d8689e71855d93e492bc554719a)
+---
+ Xi/xiproperty.c    | 4 ++--
+ randr/rrproperty.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 066ba21fba..d315f04d0e 100644
+--- a/Xi/xiproperty.c
++++ b/Xi/xiproperty.c
+@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+                 XIDestroyDeviceProperty(prop);
+             return BadAlloc;
+         }
+-        new_value.size = len;
++        new_value.size = total_len;
+         new_value.type = type;
+         new_value.format = format;
+ 
+@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
+         case PropModePrepend:
+             new_data = new_value.data;
+             old_data = (void *) (((char *) new_value.data) +
+-                                  (prop_value->size * size_in_bytes));
++                                  (len * size_in_bytes));
+             break;
+         }
+         if (new_data)
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index c2fb9585c6..25469f57b2 100644
+--- a/randr/rrproperty.c
++++ b/randr/rrproperty.c
+@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+                 RRDestroyOutputProperty(prop);
+             return BadAlloc;
+         }
+-        new_value.size = len;
++        new_value.size = total_len;
+         new_value.type = type;
+         new_value.format = format;
+ 
+@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
+         case PropModePrepend:
+             new_data = new_value.data;
+             old_data = (void *) (((char *) new_value.data) +
+-                                  (prop_value->size * size_in_bytes));
++                                  (len * size_in_bytes));
+             break;
+         }
+         if (new_data)
+-- 
+2.41.0
+
diff --git a/xorg-x11-server-Xwayland.spec b/xorg-x11-server-Xwayland.spec
index 9592e1f..82af6b8 100644
--- a/xorg-x11-server-Xwayland.spec
+++ b/xorg-x11-server-Xwayland.spec
@@ -9,7 +9,7 @@
 Summary:   Xwayland
 Name:      xorg-x11-server-Xwayland
 Version:   21.1.3
-Release:   12%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist}
+Release:   13%{?gitdate:.%{gitdate}git%{shortcommit}}%{?dist}
 
 URL:       http://www.x.org
 %if 0%{?gitdate}
@@ -60,6 +60,9 @@ Patch10025: 0008-Xext-fix-invalid-event-type-mask-in-XTestSwapFakeInp.patch
 Patch10026: 0001-Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
 # CVE-2023-1393
 Patch10027: 0001-composite-Fix-use-after-free-of-the-COW.patch
+# CVE-2023-5367
+Patch10028:   0001-Xi-randr-fix-handling-of-PropModeAppend-Prepend.patch
+
 
 License:   MIT
 
@@ -167,6 +170,9 @@ rm -Rf $RPM_BUILD_ROOT%{_localstatedir}/lib/xkb
 %{_libdir}/pkgconfig/xwayland.pc
 
 %changelog
+* Wed Oct 25 2023 Olivier Fourdan <ofourdan@redhat.com> - 21.1.3-13
+- Fix for CVE-2023-5367
+
 * Tue Jun 13 2023 Olivier Fourdan <ofourdan@redhat.com> - 21.1.3-12
 - Backport fix for a deadlock with DRI3
   Resolves: rhbz#2212831