From d067e996a529518ec7b15797741a1ac1dd1b8c91 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Dec 07 2021 17:17:06 +0000
Subject: import xorg-x11-server-1.20.11-5.el9
---
diff --git a/SOURCES/0001-xkb-Drop-check-for-XkbSetMapResizeTypes.patch b/SOURCES/0001-xkb-Drop-check-for-XkbSetMapResizeTypes.patch
new file mode 100644
index 0000000..a7bf744
--- /dev/null
+++ b/SOURCES/0001-xkb-Drop-check-for-XkbSetMapResizeTypes.patch
@@ -0,0 +1,118 @@ +From 36bcef5e5fd175e95ed4e0a014f6b1d8598b719d Mon Sep 17 00:00:00 2001 +From: Ray Strode +Date: Mon, 4 Oct 2021 14:27:54 -0400 +Subject: [PATCH] xkb: Drop check for XkbSetMapResizeTypes + +Commit 446ff2d3177087b8173fa779fa5b77a2a128988b added checks to +prevalidate the size of incoming SetMap requests. + +That commit checks for the XkbSetMapResizeTypes flag to be set before +allowing key types data to be processed. + +key types data can be changed or even just sent wholesale unchanged +without the number of key types changing, however. The check for +XkbSetMapResizeTypes rejects those legitimate requests. In particular, +XkbChangeMap never sets XkbSetMapResizeTypes and so always fails now +any time XkbKeyTypesMask is in the changed mask. + +This commit drops the check for XkbSetMapResizeTypes in flags when +prevalidating the request length. +--- + xkb/xkb.c | 26 ++++++++++++-------------- + 1 file changed, 12 insertions(+), 14 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 183d6ffa1..62dee9cb6 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -2378,75 +2378,73 @@ SetVirtualModMap(XkbSrvInfoPtr xkbi, + } + changes->map.first_vmodmap_key = first; + changes->map.num_vmodmap_keys = (last - first) + 1; + } + return (char *) wire; + } + + #define _add_check_len(new) \ + if (len > UINT32_MAX - (new) || len > req_len - (new)) goto bad; \ + else len += new + + /** + * Check the length of the SetMap request + */ + static int + _XkbSetMapCheckLength(xkbSetMapReq *req) + { + size_t len = sz_xkbSetMapReq, req_len = req->length << 2; + xkbKeyTypeWireDesc *keytype; + xkbSymMapWireDesc *symmap; + BOOL preserve; + int i, map_count, nSyms; + + if (req_len < len) + goto bad; + /* types */ + if (req->present & XkbKeyTypesMask) { + keytype = (xkbKeyTypeWireDesc *)(req + 1); + for (i = 0; i < req->nTypes; i++) { + _add_check_len(XkbPaddedSize(sz_xkbKeyTypeWireDesc)); +- if (req->flags & XkbSetMapResizeTypes) { +- _add_check_len(keytype->nMapEntries +- * 
sz_xkbKTSetMapEntryWireDesc); +- preserve = keytype->preserve; +- map_count = keytype->nMapEntries; +- if (preserve) { +- _add_check_len(map_count * sz_xkbModsWireDesc); +- } +- keytype += 1; +- keytype = (xkbKeyTypeWireDesc *) +- ((xkbKTSetMapEntryWireDesc *)keytype + map_count); +- if (preserve) +- keytype = (xkbKeyTypeWireDesc *) +- ((xkbModsWireDesc *)keytype + map_count); ++ _add_check_len(keytype->nMapEntries ++ * sz_xkbKTSetMapEntryWireDesc); ++ preserve = keytype->preserve; ++ map_count = keytype->nMapEntries; ++ if (preserve) { ++ _add_check_len(map_count * sz_xkbModsWireDesc); + } ++ keytype += 1; ++ keytype = (xkbKeyTypeWireDesc *) ++ ((xkbKTSetMapEntryWireDesc *)keytype + map_count); ++ if (preserve) ++ keytype = (xkbKeyTypeWireDesc *) ++ ((xkbModsWireDesc *)keytype + map_count); + } + } + /* syms */ + if (req->present & XkbKeySymsMask) { + symmap = (xkbSymMapWireDesc *)((char *)req + len); + for (i = 0; i < req->nKeySyms; i++) { + _add_check_len(sz_xkbSymMapWireDesc); + nSyms = symmap->nSyms; + _add_check_len(nSyms*sizeof(CARD32)); + symmap += 1; + symmap = (xkbSymMapWireDesc *)((CARD32 *)symmap + nSyms); + } + } + /* actions */ + if (req->present & XkbKeyActionsMask) { + _add_check_len(req->totalActs * sz_xkbActionWireDesc + + XkbPaddedSize(req->nKeyActs)); + } + /* behaviours */ + if (req->present & XkbKeyBehaviorsMask) { + _add_check_len(req->totalKeyBehaviors * sz_xkbBehaviorWireDesc); + } + /* vmods */ + if (req->present & XkbVirtualModsMask) { + _add_check_len(XkbPaddedSize(Ones(req->virtualMods))); + } + /* explicit */ + if (req->present & XkbExplicitComponentsMask) { + /* two bytes per non-zero explicit componen */ + _add_check_len(XkbPaddedSize(req->totalKeyExplicit * sizeof(CARD16))); +-- +2.32.0 + diff --git a/SPECS/xorg-x11-server.spec b/SPECS/xorg-x11-server.spec index 787cf56..20dbc46 100644 --- a/SPECS/xorg-x11-server.spec +++ b/SPECS/xorg-x11-server.spec 
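Review bot: With the flag test gone, every `_add_check_len(keytype->nMapEntries * sz_xkbKTSetMapEntryWireDesc)` in the types loop of `_XkbSetMapCheckLength` now depends on the macro alone, and its `len > req_len - (new)` term is an unsigned subtraction that wraps when `new` is larger than the whole request, so that step would not jump to `bad` by itself. From the visible lines the walk still looks safe, because each dereference of `keytype` and `symmap` comes after a fixed-size header check that does fail once `len` has passed `req_len`, but that invariant is worth making explicit rather than leaving it incidental. I would add `(new) > req_len ||` as the first term of the macro condition, and a comment above the loop such as `/* key type wire data has the same layout whether or not XkbSetMapResizeTypes is set; check each header before reading nMapEntries/preserve */`. The function's final length comparison lies outside this hunk, so the end-to-end result for such a request is inferred, not shown.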
@@ -46,7 +46,7 @@ Summary: X.Org X11 X server Name: xorg-x11-server Version: 1.20.11 -Release: 4%{?gitdate:.%{gitdate}}%{?dist} +Release: 5%{?gitdate:.%{gitdate}}%{?dist} URL: http://www.x.org License: MIT @@ -92,9 +92,12 @@ Patch5: 0001-autobind-GPUs-to-the-screen.patch # because the display-managers are not ready yet, do not upstream Patch6: 0001-Fedora-hack-Make-the-suid-root-wrapper-always-start-.patch +# https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/761 +Patch7: 0001-xkb-Drop-check-for-XkbSetMapResizeTypes.patch + # 1988922 - [Hyper-V]Installation failed with: 'x or window manager startup failed' when the VM was created with GEN1 -Patch7: 0001-mustard-xfree86-Only-call-the-driver-s-platformProbe.patch +Patch8: 0001-mustard-xfree86-Only-call-the-driver-s-platformProbe.patch # Backports from current stable "server-1.20-branch": # @@ -516,9 +519,14 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete %changelog -* Fri Oct 01 2021 Adam Jackson - 1.20.11-4 +* Tue Nov 9 2021 Adam Jackson - 1.20.11-5 - Disable non-platform video driver probe, it should never be needed and the PCI probe code interferes with the (default) platform path. + Resolves: #2000921 + +* Tue Oct 26 2021 Ray Strode - 1.20.11-4 +- Fix XkbChangeMap + Resolves: #2009928 * Tue Aug 10 2021 Mohan Boddu - 1.20.11-3 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags