--- /dev/null
+From f64388ed036b6668686ad5448bc7d4f73b35e1c7 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Fri, 24 Jul 2020 21:09:10 +0200
+Subject: [PATCH] Fix CVE-2020-14344
+
+This is a squashed of below commit:
+
+commit 1 :-
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1703b9f3435079d3c6021e1ee2ec34fd4978103d
+Change the data_len parameter of _XimAttributeToValue() to CARD16
+
+It's coming from a length in the protocol (unsigned) and passed
+to functions that expect unsigned int parameters (_XCopyToArg()
+and memcpy()).
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Todd Carson <toc@daybefore.net>
+
+commit 2 :-
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
+Zero out buffers in functions
+
+It looks like uninitialized stack or heap memory can leak
+out via padding bytes.
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+
+commit 3 :-
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/2fcfcc49f3b1be854bb9085993a01d17c62acf60
+Fix more unchecked lengths
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+
+commit 4 :-
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/388b303c62aa35a245f1704211a023440ad2c488
+fix integer overflows in _XimAttributeToValue()
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+
+commit 5 :-
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/93fce3f4e79cbc737d6468a4f68ba3de1b83953b
+Fix size calculation in `_XimAttributeToValue`.
+
+The check here guards the read below.
+For `XimType_XIMStyles`, these are `num` of `CARD32` and for `XimType_XIMHotKeyTriggers`
+these are `num` of `XIMTRIGGERKEY` ref[1] which is defined as 3 x `CARD32`.
+(There are data after the `XIMTRIGGERKEY` according to the spec but they are not read by this
+function and doesn't need to be checked.)
+
+The old code here used the native datatype size instead of the wire protocol size causing
+the check to always fail.
+
+Also fix the size calculation for the header (size). It is 2 x CARD16 for both types
+despite the unused `CARD16` for `XimType_XIMStyles`.
+
+[1] https://www.x.org/releases/X11R7.6/doc/libX11/specs/XIM/xim.html#Input_Method_Styles
+
+This fixes a regression caused by 388b303c62aa35a245f1704211a023440ad2c488 in 1.6.10.
+
+Fix #116
+
+Upstream-Status: Backport
+[ https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1703b9f3435079d3c6021e1ee2ec34fd4978103d
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1a566c9e00e5f35c1f9e7f3d741a02e5170852b2
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/2fcfcc49f3b1be854bb9085993a01d17c62acf60
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/388b303c62aa35a245f1704211a023440ad2c488
+https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/93fce3f4e79cbc737d6468a4f68ba3de1b83953b ]
+CVE: CVE-2020-14344
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ modules/im/ximcp/imDefIc.c | 6 ++++--
+ modules/im/ximcp/imDefIm.c | 25 +++++++++++++++++--------
+ modules/im/ximcp/imRmAttr.c | 31 +++++++++++++++++++++++--------
+ 3 files changed, 44 insertions(+), 18 deletions(-)
+
+diff --git a/modules/im/ximcp/imDefIc.c b/modules/im/ximcp/imDefIc.c
+index 7564dbad..d552aa9e 100644
+--- a/modules/im/ximcp/imDefIc.c
++++ b/modules/im/ximcp/imDefIc.c
+@@ -350,7 +350,7 @@ _XimProtoGetICValues(
+ + sizeof(INT16)
+ + XIM_PAD(2 + buf_size);
+
+- if (!(buf = Xmalloc(buf_size)))
++ if (!(buf = Xcalloc(buf_size, 1)))
+ return arg->name;
+ buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+
+@@ -708,6 +708,7 @@ _XimProtoSetICValues(
+ #endif /* XIM_CONNECTABLE */
+
+ _XimGetCurrentICValues(ic, &ic_values);
++ memset(tmp_buf, 0, sizeof(tmp_buf32));
+ buf = tmp_buf;
+ buf_size = XIM_HEADER_SIZE
+ + sizeof(CARD16) + sizeof(CARD16) + sizeof(INT16) + sizeof(CARD16);
+@@ -730,7 +731,7 @@ _XimProtoSetICValues(
+
+ buf_size += ret_len;
+ if (buf == tmp_buf) {
+- if (!(tmp = Xmalloc(buf_size + data_len))) {
++ if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+ return tmp_name;
+ }
+ memcpy(tmp, buf, buf_size);
+@@ -740,6 +741,7 @@ _XimProtoSetICValues(
+ Xfree(buf);
+ return tmp_name;
+ }
++ memset(&tmp[buf_size], 0, data_len);
+ buf = tmp;
+ }
+ }
+diff --git a/modules/im/ximcp/imDefIm.c b/modules/im/ximcp/imDefIm.c
+index cf922e48..d0329b54 100644
+--- a/modules/im/ximcp/imDefIm.c
++++ b/modules/im/ximcp/imDefIm.c
+@@ -62,6 +62,7 @@ PERFORMANCE OF THIS SOFTWARE.
+ #include "XimTrInt.h"
+ #include "Ximint.h"
+
++#include <limits.h>
+
+ int
+ _XimCheckDataSize(
+@@ -807,12 +808,16 @@ _XimOpen(
+ int buf_size;
+ int ret_code;
+ char *locale_name;
++ size_t locale_len;
+
+ locale_name = im->private.proto.locale_name;
+- len = strlen(locale_name);
+- buf_b[0] = (BYTE)len; /* length of locale name */
+- (void)strcpy((char *)&buf_b[1], locale_name); /* locale name */
+- len += sizeof(BYTE); /* sizeof length */
++ locale_len = strlen(locale_name);
++ if (locale_len > UCHAR_MAX)
++ return False;
++ memset(buf32, 0, sizeof(buf32));
++ buf_b[0] = (BYTE)locale_len; /* length of locale name */
++ memcpy(&buf_b[1], locale_name, locale_len); /* locale name */
++ len = (INT16)(locale_len + sizeof(BYTE)); /* sizeof length */
+ XIM_SET_PAD(buf_b, len); /* pad */
+
+ _XimSetHeader((XPointer)buf, XIM_OPEN, 0, &len);
+@@ -1287,6 +1292,7 @@ _XimProtoSetIMValues(
+ #endif /* XIM_CONNECTABLE */
+
+ _XimGetCurrentIMValues(im, &im_values);
++ memset(tmp_buf, 0, sizeof(tmp_buf32));
+ buf = tmp_buf;
+ buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
+ data_len = BUFSIZE - buf_size;
+@@ -1307,7 +1313,7 @@ _XimProtoSetIMValues(
+
+ buf_size += ret_len;
+ if (buf == tmp_buf) {
+- if (!(tmp = Xmalloc(buf_size + data_len))) {
++ if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+ return arg->name;
+ }
+ memcpy(tmp, buf, buf_size);
+@@ -1317,6 +1323,7 @@ _XimProtoSetIMValues(
+ Xfree(buf);
+ return arg->name;
+ }
++ memset(&tmp[buf_size], 0, data_len);
+ buf = tmp;
+ }
+ }
+@@ -1458,7 +1465,7 @@ _XimProtoGetIMValues(
+ + sizeof(INT16)
+ + XIM_PAD(buf_size);
+
+- if (!(buf = Xmalloc(buf_size)))
++ if (!(buf = Xcalloc(buf_size, 1)))
+ return arg->name;
+ buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+
+@@ -1720,7 +1727,7 @@ _XimEncodingNegotiation(
+ + sizeof(CARD16)
+ + detail_len;
+
+- if (!(buf = Xmalloc(XIM_HEADER_SIZE + len)))
++ if (!(buf = Xcalloc(XIM_HEADER_SIZE + len, 1)))
+ goto free_detail_ptr;
+
+ buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+@@ -1816,6 +1823,7 @@ _XimSendSavedIMValues(
+ int ret_code;
+
+ _XimGetCurrentIMValues(im, &im_values);
++ memset(tmp_buf, 0, sizeof(tmp_buf32));
+ buf = tmp_buf;
+ buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
+ data_len = BUFSIZE - buf_size;
+@@ -1838,7 +1846,7 @@ _XimSendSavedIMValues(
+
+ buf_size += ret_len;
+ if (buf == tmp_buf) {
+- if (!(tmp = Xmalloc(buf_size + data_len))) {
++ if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+ return False;
+ }
+ memcpy(tmp, buf, buf_size);
+@@ -1848,6 +1856,7 @@ _XimSendSavedIMValues(
+ Xfree(buf);
+ return False;
+ }
++ memset(&tmp[buf_size], 0, data_len);
+ buf = tmp;
+ }
+ }
+diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
+index 9d4e4625..118f191d 100644
+--- a/modules/im/ximcp/imRmAttr.c
++++ b/modules/im/ximcp/imRmAttr.c
+@@ -29,6 +29,8 @@ PERFORMANCE OF THIS SOFTWARE.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
++
+ #include "Xlibint.h"
+ #include "Xlcint.h"
+ #include "Ximint.h"
+@@ -214,7 +216,7 @@ _XimAttributeToValue(
+ Xic ic,
+ XIMResourceList res,
+ CARD16 *data,
+- INT16 data_len,
++ CARD16 data_len,
+ XPointer value,
+ BITMASK32 mode)
+ {
+@@ -250,18 +252,24 @@ _XimAttributeToValue(
+
+ case XimType_XIMStyles:
+ {
+- INT16 num = data[0];
++ CARD16 num = data[0];
+ register CARD32 *style_list = (CARD32 *)&data[2];
+ XIMStyle *style;
+ XIMStyles *rep;
+ register int i;
+ char *p;
+- int alloc_len;
++ unsigned int alloc_len;
+
+ if (!(value))
+ return False;
+
++ if (num > (USHRT_MAX / sizeof(XIMStyle)))
++ return False;
++ if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len)
++ return False;
+ alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;
++ if (alloc_len < sizeof(XIMStyles))
++ return False;
+ if (!(p = Xmalloc(alloc_len)))
+ return False;
+
+@@ -313,7 +321,7 @@ _XimAttributeToValue(
+
+ case XimType_XFontSet:
+ {
+- INT16 len = data[0];
++ CARD16 len = data[0];
+ char *base_name;
+ XFontSet rep = (XFontSet)NULL;
+ char **missing_list = NULL;
+@@ -324,11 +332,12 @@ _XimAttributeToValue(
+ return False;
+ if (!ic)
+ return False;
+-
++ if (len > data_len)
++ return False;
+ if (!(base_name = Xmalloc(len + 1)))
+ return False;
+
+- (void)strncpy(base_name, (char *)&data[1], (int)len);
++ (void)strncpy(base_name, (char *)&data[1], (size_t)len);
+ base_name[len] = '\0';
+
+ if (mode & XIM_PREEDIT_ATTR) {
+@@ -357,19 +366,25 @@ _XimAttributeToValue(
+
+ case XimType_XIMHotKeyTriggers:
+ {
+- INT32 num = *((CARD32 *)data);
++ CARD32 num = *((CARD32 *)data);
+ register CARD32 *key_list = (CARD32 *)&data[2];
+ XIMHotKeyTrigger *key;
+ XIMHotKeyTriggers *rep;
+ register int i;
+ char *p;
+- int alloc_len;
++ unsigned int alloc_len;
+
+ if (!(value))
+ return False;
+
++ if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))
++ return False;
++ if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len)
++ return False;
+ alloc_len = sizeof(XIMHotKeyTriggers)
+ + sizeof(XIMHotKeyTrigger) * num;
++ if (alloc_len < sizeof(XIMHotKeyTriggers))
++ return False;
+ if (!(p = Xmalloc(alloc_len)))
+ return False;
+
+--
+2.17.1
+
