From 12b170c37f7d650c3c7012c77c18f33f413234ea79bc6805e1e97021e8250d02 Mon Sep 17 00:00:00 2001
From: Stefan Dirsch
Date: Tue, 26 Jun 2018 08:57:59 +0000
Subject: [PATCH] Accepting request 619114 from home:michalsrb:branches:bnc1099113:X11:XOrg - U_xkb-Fix-heap-overflow-caused-by-optimized-away-min.patch * Fix heap overflow caused by unexpected optimization, which was possible because of relying on undefined behavior. (boo#1099113)
OBS-URL: https://build.opensuse.org/request/show/619114
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=706
---
 ...verflow-caused-by-optimized-away-min.patch | 60 +++++++++++++++++++
 xorg-x11-server.changes | 8 +++
 xorg-x11-server.spec | 2 +
 3 files changed, 70 insertions(+)
 create mode 100644 U_xkb-Fix-heap-overflow-caused-by-optimized-away-min.patch
diff --git a/U_xkb-Fix-heap-overflow-caused-by-optimized-away-min.patch b/U_xkb-Fix-heap-overflow-caused-by-optimized-away-min.patch
new file mode 100644
index 0000000..bb9098a
--- /dev/null
+++ b/U_xkb-Fix-heap-overflow-caused-by-optimized-away-min.patch
@@ -0,0 +1,60 @@
+Git-commit: ba1e6eaea84b73e6ccd5f73acb93110eadb1a640
+Author: Michal Srb
+Subject: xkb: Fix heap overflow caused by optimized away min.
+Patch-mainline: Upstream
+References: boo#1099113
+
+Calling strlen on char[4] that does not need to contain '\0' is wrong and X
+server may end up running into invalid memory.
+
+In addition GCC 8 is clever enough that it knows that strlen on char[4] can
+return 0, 1, 2, 3 or cause undefined behavior. With this knowledge it can
+optimize away the min(..., 4). When the undefined behavior happens, any long
+value can be passed as size to the memcpy which will overflow the destination
+buffer.
+
+Fixes: 83913de25d35 (xkb: Silence some compiler warnings)
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=86259
+---
+ xkb/XKBGAlloc.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/xkb/XKBGAlloc.c b/xkb/XKBGAlloc.c
+index 8958b0c52..f0cda24fe 100644
+--- a/xkb/XKBGAlloc.c
++++ b/xkb/XKBGAlloc.c
+@@ -588,8 +588,7 @@ XkbAddGeomKeyAlias(XkbGeometryPtr geom, char *aliasStr, char *realStr)
+ i++, alias++) {
+ if (strncmp(alias->alias, aliasStr, XkbKeyNameLength) == 0) {
+ memset(alias->real, 0, XkbKeyNameLength);
+- memcpy(alias->real, realStr,
+- min(XkbKeyNameLength, strlen(realStr)));
++ memcpy(alias->real, realStr, strnlen(realStr, XkbKeyNameLength));
+ return alias;
+ }
+ }
+@@ -599,8 +598,8 @@ XkbAddGeomKeyAlias(XkbGeometryPtr geom, char *aliasStr, char *realStr)
+ }
+ alias = &geom->key_aliases[geom->num_key_aliases];
+ memset(alias, 0, sizeof(XkbKeyAliasRec));
+- memcpy(alias->alias, aliasStr, min(XkbKeyNameLength, strlen(aliasStr)));
+- memcpy(alias->real, realStr, min(XkbKeyNameLength, strlen(realStr)));
++ memcpy(alias->alias, aliasStr, strnlen(aliasStr, XkbKeyNameLength));
++ memcpy(alias->real, realStr, strnlen(realStr, XkbKeyNameLength));
+ geom->num_key_aliases++;
+ return alias;
+ }
+@@ -815,8 +814,8 @@ XkbAddGeomOverlayKey(XkbOverlayPtr overlay,
+
(_XkbAllocOverlayKeys(row, 1) != Success))
+ return NULL;
+ key = &row->keys[row->num_keys];
+- memcpy(key->under.name, under, min(XkbKeyNameLength, strlen(under)));
+- memcpy(key->over.name, over, min(XkbKeyNameLength, strlen(over)));
++ memcpy(key->under.name, under, strnlen(under, XkbKeyNameLength));
++ memcpy(key->over.name, over, strnlen(over, XkbKeyNameLength));
+ row->num_keys++;
+ return key;
+ }
+--
+2.13.6
+
diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes
index 3a27b49..04fde32 100644
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Jun 26 07:51:15 UTC 2018 - msrb@suse.com
+
+- U_xkb-Fix-heap-overflow-caused-by-optimized-away-min.patch
+ * Fix heap overflow caused by unexpected optimization, which was
+ possible because of relying on undefined behavior.
+ (boo#1099113)
+
 -------------------------------------------------------------------
 Wed Jun 20 15:40:58 UTC 2018 - sndirsch@suse.com
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 6401bdc..50a0651 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -224,6 +224,7 @@ Patch1222: b_sync-fix.patch Patch1401: u_randr-Do-not-crash-if-slave-screen-does-not-have-pro.patch Patch1500: U_Xext-shm-Refuse-to-work-for-remote-clients.patch
+Patch1501: U_xkb-Fix-heap-overflow-caused-by-optimized-away-min.patch
 %description This package contains the X.Org Server.
@@ -365,6 +366,7 @@ sh %{SOURCE92} --verify . %{SOURCE91} %patch1401 -p1 %patch1500 -p1
+%patch1501 -p1
 %build test -e source-file-list || \
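Review bot: In the XkbAddGeomOverlayKey hunk of xkb/XKBGAlloc.c, the two new `memcpy(..., strnlen(..., XkbKeyNameLength))` calls write fewer than XkbKeyNameLength bytes for a short name, and no memset of `key->under.name` or `key->over.name` is visible before them, unlike both XkbAddGeomKeyAlias hunks, where a memset precedes the copy. If the slot handed back by `_XkbAllocOverlayKeys` is not already zeroed (the allocator is outside the hunk, so this is unconfirmed), the unwritten tail of the fixed-width name keeps stale heap bytes that a later fixed-length comparison or copy of the name could pick up. Zeroing first would make the three call sites consistent: add `memset(key->under.name, 0, XkbKeyNameLength);` and `memset(key->over.name, 0, XkbKeyNameLength);` ahead of the copies. The function body starts before the hunk's first line, so an earlier initialisation may exist there and is worth confirming.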