Squashed 'import-layers/yocto-poky/' changes from dc8508f6099..67491b0c104

Yocto 2.2.2 (Morty)

Change-Id: Id9a452e28940d9f166957de243d9cb1d8818704e
git-subtree-dir: import-layers/yocto-poky
git-subtree-split: 67491b0c104101bb9f366d697edd23c895be4302
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>

15 files changed, 815 insertions, 4 deletions

diff --git a/import-layers/yocto-poky/meta/recipes-graphics/mesa/mesa.inc b/import-layers/yocto-poky/meta/recipes-graphics/mesa/mesa.inc
index e4880ffed..525a2d54c 100644
--- a/import-layers/yocto-poky/meta/recipes-graphics/mesa/mesa.inc
+++ b/import-layers/yocto-poky/meta/recipes-graphics/mesa/mesa.inc
@@ -79,6 +79,9 @@ EXCLUDE_FROM_WORLD = "1"
 # Remove the mesa dependency on mesa-dev, as mesa is empty
 RDEPENDS_${PN}-dev = ""
 
+# Add dependency so that GLES3 header don't need to be added manually
+RDEPENDS_libgles2-mesa-dev += "libgles3-mesa-dev"
+
 PACKAGES =+ "libegl-mesa libegl-mesa-dev \
              libosmesa libosmesa-dev \
              libgl-mesa libgl-mesa-dev \
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/ttf-fonts/liberation-fonts_1.04.bb b/import-layers/yocto-poky/meta/recipes-graphics/ttf-fonts/liberation-fonts_1.04.bb
index bda82e7ef..74212e7e5 100644
--- a/import-layers/yocto-poky/meta/recipes-graphics/ttf-fonts/liberation-fonts_1.04.bb
+++ b/import-layers/yocto-poky/meta/recipes-graphics/ttf-fonts/liberation-fonts_1.04.bb
@@ -2,7 +2,7 @@ SUMMARY = "Liberation(tm) Fonts"
 DESCRIPTION = "The Liberation(tm) Fonts is a font family originally \
 created by Ascender(c) which aims at metric compatibility with \
 Arial, Times New Roman, Courier New."
-HOMEPAGE = "https://fedorahosted.org/liberation-fonts/"
+HOMEPAGE = "https://releases.pagure.org/liberation-fonts/"
 BUGTRACKER = "https://bugzilla.redhat.com/"
 
 RECIPE_NO_UPDATE_REASON = "2.x depends on fontforge package, which is not yet provided in oe-core"
@@ -17,7 +17,7 @@ inherit allarch fontcache
 
 FONT_PACKAGES = "${PN}"
 
-SRC_URI = "https://fedorahosted.org/releases/l/i/liberation-fonts/liberation-fonts-${PV}.tar.gz \
+SRC_URI = "https://releases.pagure.org/liberation-fonts/liberation-fonts-${PV}.tar.gz \
            file://30-liberation-aliases.conf"
 
 SRC_URI[md5sum] = "4846797ef0fc70b0cbaede2514677c58"
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/wayland/weston/weston-1.11-config-option-for-no-input-device.patch b/import-layers/yocto-poky/meta/recipes-graphics/wayland/weston/weston-1.11-config-option-for-no-input-device.patch
new file mode 100644
index 000000000..6f5ad6652
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-graphics/wayland/weston/weston-1.11-config-option-for-no-input-device.patch
@@ -0,0 +1,123 @@
+From bbf2e6ebbd9c051775f43e1e3c3a2f41322342e8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20D=C3=ADaz?= <daniel.diaz@linaro.org>
+Date: Fri, 21 Oct 2016 14:03:13 -0500
+Subject: [PATCH] Add configuration option for no input device.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[Backported from master, 75b7197.]
+
+As it has been discussed in the past [1], running Weston
+without any input device at launch might be beneficial for
+some use cases.
+
+Certainly, it's best for the vast majority of users (and
+the project) to require an input device to be present, as
+to avoid frustration and hassle, but for those brave souls
+that so prefer, this patch lets them run without any input
+device at all.
+
+This introduces a simple configuration in weston.ini:
+  [core]
+  require-input=true
+
+True is the default, so no behavioral change is introduced.
+
+[1] https://lists.freedesktop.org/archives/wayland-devel/2015-November/025193.html
+
+Signed-off-by: Daniel Díaz <daniel.diaz@linaro.org>
+---
+ man/weston.ini.man  | 5 +++++
+ src/compositor.h    | 4 ++++
+ src/libinput-seat.c | 6 ++++++
+ src/main.c          | 5 +++++
+ weston.ini.in       | 1 +
+ 5 files changed, 21 insertions(+)
+
+diff --git a/man/weston.ini.man b/man/weston.ini.man
+index d7c4a6f..c7d0f01 100644
+--- a/man/weston.ini.man
++++ b/man/weston.ini.man
+@@ -169,6 +169,11 @@ time, the one specified in the command-line will be used. On the other
+ hand, if none of these sets the value, default idle timeout will be
+ set to 300 seconds.
+ .RS
++.PP
++.RE
++.TP 7
++.BI "require-input=" true
++require an input device for launch
+ 
+ .SH "LIBINPUT SECTION"
+ The
+diff --git a/src/compositor.h b/src/compositor.h
+index 0bbf458..476b650 100644
+--- a/src/compositor.h
++++ b/src/compositor.h
+@@ -803,6 +803,10 @@ struct weston_compositor {
+ 
+ 	void *user_data;
+ 	void (*exit)(struct weston_compositor *c);
++
++	/* Whether to let the compositor run without any input device. */
++	bool require_input;
++
+ };
+ 
+ struct weston_buffer {
+diff --git a/src/libinput-seat.c b/src/libinput-seat.c
+index 8ce0ee0..e1fdcf0 100644
+--- a/src/libinput-seat.c
++++ b/src/libinput-seat.c
+@@ -255,6 +255,12 @@ udev_input_enable(struct udev_input *input)
+ 			devices_found = 1;
+ 	}
+ 
++	if (devices_found == 0 && !c->require_input) {
++		weston_log("warning: no input devices found, but none required "
++			   "as per configuration.\n");
++		return 0;
++	}
++
+ 	if (devices_found == 0) {
+ 		weston_log(
+ 			"warning: no input devices on entering Weston. "
+diff --git a/src/main.c b/src/main.c
+index 3279ac6..09905ea 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -1298,6 +1298,7 @@ int main(int argc, char *argv[])
+ 	struct wl_client *primary_client;
+ 	struct wl_listener primary_client_destroyed;
+ 	struct weston_seat *seat;
++	int require_input;
+ 
+ 	const struct weston_option core_options[] = {
+ 		{ WESTON_OPTION_STRING, "backend", 'B', &backend },
+@@ -1373,6 +1374,10 @@ int main(int argc, char *argv[])
+ 	if (weston_compositor_init_config(ec, config) < 0)
+ 		goto out;
+ 
++	weston_config_section_get_bool(section, "require-input",
++				       &require_input, true);
++	ec->require_input = require_input;
++
+ 	if (load_backend(ec, backend, &argc, argv, config) < 0) {
+ 		weston_log("fatal: failed to create compositor backend\n");
+ 		goto out;
+diff --git a/weston.ini.in b/weston.ini.in
+index 14a4c0c..d837fb5 100644
+--- a/weston.ini.in
++++ b/weston.ini.in
+@@ -2,6 +2,7 @@
+ #modules=xwayland.so,cms-colord.so
+ #shell=desktop-shell.so
+ #gbm-format=xrgb2101010
++#require-input=true
+ 
+ [shell]
+ background-image=/usr/share/backgrounds/gnome/Aqua.jpg
+-- 
+1.9.1
+
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/wayland/weston_1.11.0.bb b/import-layers/yocto-poky/meta/recipes-graphics/wayland/weston_1.11.0.bb
index 3ad309dab..9740ce9c9 100644
--- a/import-layers/yocto-poky/meta/recipes-graphics/wayland/weston_1.11.0.bb
+++ b/import-layers/yocto-poky/meta/recipes-graphics/wayland/weston_1.11.0.bb
@@ -14,6 +14,7 @@ SRC_URI = "https://wayland.freedesktop.org/releases/${BPN}-${PV}.tar.xz \
            file://xwayland.weston-start \
            file://make-weston-launch-exit-for-unrecognized-option.patch \
            file://0001-weston-launch-Provide-a-default-version-that-doesn-t.patch \
+           file://weston-1.11-config-option-for-no-input-device.patch \
 "
 SRC_URI[md5sum] = "bc6f90a2039163804aecfa663b69c4c2"
 SRC_URI[sha256sum] = "05e086e9f186a06843b9f7a5e1abf19347b1a6e4be26d7e74927abc17b6b7125"
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-app/mkfontdir_1.0.7.bb b/import-layers/yocto-poky/meta/recipes-graphics/xorg-app/mkfontdir_1.0.7.bb
index a453e2487..737bc9de4 100644
--- a/import-layers/yocto-poky/meta/recipes-graphics/xorg-app/mkfontdir_1.0.7.bb
+++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-app/mkfontdir_1.0.7.bb
@@ -11,6 +11,9 @@ files."
 PE = "1"
 PR = "${INC_PR}.0"
 
+DEPENDS = "util-macros-native"
+REQUIRED_DISTRO_FEATURES_class-native = ""
+
 RDEPENDS_${PN} += "mkfontscale"
 RDEPENDS_${PN}_class-native += "mkfontscale-native"
 
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-app/mkfontscale_1.1.2.bb b/import-layers/yocto-poky/meta/recipes-graphics/xorg-app/mkfontscale_1.1.2.bb
index 31cf18676..d1aa9b361 100644
--- a/import-layers/yocto-poky/meta/recipes-graphics/xorg-app/mkfontscale_1.1.2.bb
+++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-app/mkfontscale_1.1.2.bb
@@ -10,6 +10,8 @@ is used by the mkfontdir program."
 
 DEPENDS = "util-macros-native zlib libfontenc freetype xproto"
 
+REQUIRED_DISTRO_FEATURES_class-native = ""
+
 BBCLASSEXTEND = "native"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=2e0d129d05305176d1a790e0ac1acb7f"
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-font/xorg-font-common.inc b/import-layers/yocto-poky/meta/recipes-graphics/xorg-font/xorg-font-common.inc
index d5267f59a..da20ab9b5 100644
--- a/import-layers/yocto-poky/meta/recipes-graphics/xorg-font/xorg-font-common.inc
+++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-font/xorg-font-common.inc
@@ -18,6 +18,7 @@ inherit autotools pkgconfig distro_features_check
 
 # The mkfontscale-native requires x11 in DISTRO_FEATURES
 REQUIRED_DISTRO_FEATURES = "x11"
+REQUIRED_DISTRO_FEATURES_class-native = ""
 
 EXTRA_OEMAKE += "FCCACHE=/bin/true UTIL_DIR=${STAGING_DIR_TARGET}\$\(MAPFILES_PATH\)"
 
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch
new file mode 100644
index 000000000..f5b4d69d4
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch
@@ -0,0 +1,69 @@
+From 8ea762f94f4c942d898fdeb590a1630c83235c17 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:25:25 +0200
+Subject: Validation of server responses in XGetImage()
+
+Check if enough bytes were received for specified image type and
+geometry. Otherwise GetPixel and other functions could trigger an
+out of boundary read later on.
+
+CVE: CVE-2016-7942
+Upstream-Status: Backport
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff --git a/src/GetImage.c b/src/GetImage.c
+index c461abc..ff32d58 100644
+--- a/src/GetImage.c
++++ b/src/GetImage.c
+@@ -59,6 +59,7 @@ XImage *XGetImage (
+ 	char *data;
+ 	unsigned long nbytes;
+ 	XImage *image;
++	int planes;
+ 	LockDisplay(dpy);
+ 	GetReq (GetImage, req);
+ 	/*
+@@ -91,18 +92,28 @@ XImage *XGetImage (
+ 	    return (XImage *) NULL;
+ 	}
+         _XReadPad (dpy, data, nbytes);
+-        if (format == XYPixmap)
+-	   image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
+-		  Ones (plane_mask &
+-			(((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
+-		  format, 0, data, width, height, dpy->bitmap_pad, 0);
+-	else /* format == ZPixmap */
+-           image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
+-		 rep.depth, ZPixmap, 0, data, width, height,
+-		  _XGetScanlinePad(dpy, (int) rep.depth), 0);
++        if (format == XYPixmap) {
++	    image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
++		Ones (plane_mask &
++		    (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
++		format, 0, data, width, height, dpy->bitmap_pad, 0);
++	    planes = image->depth;
++	} else { /* format == ZPixmap */
++            image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
++		rep.depth, ZPixmap, 0, data, width, height,
++		    _XGetScanlinePad(dpy, (int) rep.depth), 0);
++	    planes = 1;
++	}
+ 
+ 	if (!image)
+ 	    Xfree(data);
++	if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||
++	    INT_MAX / image->height <= image->bytes_per_line ||
++	    INT_MAX / planes <= image->height * image->bytes_per_line ||
++	    nbytes < planes * image->height * image->bytes_per_line) {
++	    XDestroyImage(image);
++	    image = NULL;
++	}
+ 	UnlockDisplay(dpy);
+ 	SyncHandle();
+ 	return (image);
+-- 
+cgit v0.10.2
+
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch
new file mode 100644
index 000000000..50024236d
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch
@@ -0,0 +1,103 @@
+From 8c29f1607a31dac0911e45a0dd3d74173822b3c9 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:22:57 +0200
+Subject: The validation of server responses avoids out of boundary accesses.
+
+v2: FontNames.c  return a NULL list whenever a single
+length field from the server is incohent.
+
+CVE: CVE-2016-7943
+Upstream-Status: Backport
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff --git a/src/FontNames.c b/src/FontNames.c
+index 21dcafe..e55f338 100644
+--- a/src/FontNames.c
++++ b/src/FontNames.c
+@@ -66,7 +66,7 @@ int *actualCount)	/* RETURN */
+ 
+     if (rep.nFonts) {
+ 	flist = Xmalloc (rep.nFonts * sizeof(char *));
+-	if (rep.length < (INT_MAX >> 2)) {
++	if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
+ 	    rlen = rep.length << 2;
+ 	    ch = Xmalloc(rlen + 1);
+ 	    /* +1 to leave room for last null-terminator */
+@@ -93,11 +93,22 @@ int *actualCount)	/* RETURN */
+ 	    if (ch + length < chend) {
+ 		flist[i] = ch + 1;  /* skip over length */
+ 		ch += length + 1;  /* find next length ... */
+-		length = *(unsigned char *)ch;
+-		*ch = '\0';  /* and replace with null-termination */
+-		count++;
+-	    } else
+-		flist[i] = NULL;
++		if (ch <= chend) {
++		    length = *(unsigned char *)ch;
++		    *ch = '\0';  /* and replace with null-termination */
++		    count++;
++		} else {
++                    Xfree(flist);
++                    flist = NULL;
++                    count = 0;
++                    break;
++		}
++	    } else {
++                Xfree(flist);
++                flist = NULL;
++                count = 0;
++                break;
++            }
+ 	}
+     }
+     *actualCount = count;
+diff --git a/src/ListExt.c b/src/ListExt.c
+index be6b989..0516e45 100644
+--- a/src/ListExt.c
++++ b/src/ListExt.c
+@@ -55,7 +55,7 @@ char **XListExtensions(
+ 
+ 	if (rep.nExtensions) {
+ 	    list = Xmalloc (rep.nExtensions * sizeof (char *));
+-	    if (rep.length < (INT_MAX >> 2)) {
++	    if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
+ 		rlen = rep.length << 2;
+ 		ch = Xmalloc (rlen + 1);
+                 /* +1 to leave room for last null-terminator */
+@@ -80,9 +80,13 @@ char **XListExtensions(
+ 		if (ch + length < chend) {
+ 		    list[i] = ch+1;  /* skip over length */
+ 		    ch += length + 1; /* find next length ... */
+-		    length = *ch;
+-		    *ch = '\0'; /* and replace with null-termination */
+-		    count++;
++		    if (ch <= chend) {
++			length = *ch;
++			*ch = '\0'; /* and replace with null-termination */
++			count++;
++		    } else {
++			list[i] = NULL;
++		    }
+ 		} else
+ 		    list[i] = NULL;
+ 	    }
+diff --git a/src/ModMap.c b/src/ModMap.c
+index a809aa2..49a5d08 100644
+--- a/src/ModMap.c
++++ b/src/ModMap.c
+@@ -42,7 +42,8 @@ XGetModifierMapping(register Display *dpy)
+     GetEmptyReq(GetModifierMapping, req);
+     (void) _XReply (dpy, (xReply *)&rep, 0, xFalse);
+ 
+-    if (rep.length < (INT_MAX >> 2)) {
++    if (rep.length < (INT_MAX >> 2) &&
++	(rep.length >> 1) == rep.numKeyPerModifier) {
+ 	nbytes = (unsigned long)rep.length << 2;
+ 	res = Xmalloc(sizeof (XModifierKeymap));
+ 	if (res)
+-- 
+cgit v0.10.2
+
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb
index 8e531c745..23a77891e 100644
--- a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb
+++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb
@@ -5,6 +5,8 @@ BBCLASSEXTEND = "native nativesdk"
 
 SRC_URI += "file://disable_tests.patch \
             file://libX11-Add-missing-NULL-check.patch \
+            file://CVE-2016-7942.patch \
+            file://CVE-2016-7943.patch \
            "
 
 SRC_URI[md5sum] = "2e36b73f8a42143142dda8129f02e4e0"
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr/CVE-2016-7947_CVE-2016-7948.patch b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr/CVE-2016-7947_CVE-2016-7948.patch
new file mode 100644
index 000000000..a9b3dbc65
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr/CVE-2016-7947_CVE-2016-7948.patch
@@ -0,0 +1,439 @@
+From a0df3e1c7728205e5c7650b2e6dce684139254a6 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 22:21:40 +0200
+Subject: Avoid out of boundary accesses on illegal responses
+
+The responses of the connected X server have to be properly checked
+to avoid out of boundary accesses that could otherwise be triggered
+by a malicious server.
+
+CVE: CVE-2016-7947
+libXrandr: Insufficient validation of server responses result in Integer overflows
+
+CVE: CVE-2016-7948
+libXrandr: Insufficient validation of server responses result in various data mishandlings
+
+Upstream-Status: Backport
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff --git a/src/XrrConfig.c b/src/XrrConfig.c
+index 2f0282b..e68c45a 100644
+--- a/src/XrrConfig.c
++++ b/src/XrrConfig.c
+@@ -29,6 +29,7 @@
+ #include <config.h>
+ #endif
+ 
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -272,23 +273,30 @@ static XRRScreenConfiguration *_XRRGetScreenInfo (Display *dpy,
+ 	rep.rate = 0;
+ 	rep.nrateEnts = 0;
+     }
++    if (rep.length < INT_MAX >> 2) {
++	nbytes = (long) rep.length << 2;
+ 
+-    nbytes = (long) rep.length << 2;
++	nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) +
++			    ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF(CARD16) */);
+ 
+-    nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) +
+-			 ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF (CARD16) */);
++	/*
++	 * first we must compute how much space to allocate for
++	 * randr library's use; we'll allocate the structures in a single
++	 * allocation, on cleanlyness grounds.
++	 */
+ 
+-    /*
+-     * first we must compute how much space to allocate for
+-     * randr library's use; we'll allocate the structures in a single
+-     * allocation, on cleanlyness grounds.
+-     */
++	rbytes = sizeof (XRRScreenConfiguration) +
++	  (rep.nSizes * sizeof (XRRScreenSize) +
++	   rep.nrateEnts * sizeof (int));
+ 
+-    rbytes = sizeof (XRRScreenConfiguration) +
+-      (rep.nSizes * sizeof (XRRScreenSize) +
+-       rep.nrateEnts * sizeof (int));
++	scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes);
++    } else {
++	nbytes = 0;
++	nbytesRead = 0;
++	rbytes = 0;
++	scp = NULL;
++    }
+ 
+-    scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes);
+     if (scp == NULL) {
+ 	_XEatData (dpy, (unsigned long) nbytes);
+ 	return NULL;
+diff --git a/src/XrrCrtc.c b/src/XrrCrtc.c
+index 5ae35c5..6665092 100644
+--- a/src/XrrCrtc.c
++++ b/src/XrrCrtc.c
+@@ -24,6 +24,7 @@
+ #include <config.h>
+ #endif
+ 
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -57,22 +58,33 @@ XRRGetCrtcInfo (Display *dpy, XRRScreenResources *resources, RRCrtc crtc)
+ 	return NULL;
+     }
+ 
+-    nbytes = (long) rep.length << 2;
++    if (rep.length < INT_MAX >> 2)
++    {
++	nbytes = (long) rep.length << 2;
+ 
+-    nbytesRead = (long) (rep.nOutput * 4 +
+-			 rep.nPossibleOutput * 4);
++	nbytesRead = (long) (rep.nOutput * 4 +
++			     rep.nPossibleOutput * 4);
+ 
+-    /*
+-     * first we must compute how much space to allocate for
+-     * randr library's use; we'll allocate the structures in a single
+-     * allocation, on cleanlyness grounds.
+-     */
++	/*
++	 * first we must compute how much space to allocate for
++	 * randr library's use; we'll allocate the structures in a single
++	 * allocation, on cleanlyness grounds.
++	 */
+ 
+-    rbytes = (sizeof (XRRCrtcInfo) +
+-	      rep.nOutput * sizeof (RROutput) +
+-	      rep.nPossibleOutput * sizeof (RROutput));
++	rbytes = (sizeof (XRRCrtcInfo) +
++		  rep.nOutput * sizeof (RROutput) +
++		  rep.nPossibleOutput * sizeof (RROutput));
++
++	xci = (XRRCrtcInfo *) Xmalloc(rbytes);
++    }
++    else
++    {
++	nbytes = 0;
++	nbytesRead = 0;
++	rbytes = 0;
++	xci = NULL;
++    }
+ 
+-    xci = (XRRCrtcInfo *) Xmalloc(rbytes);
+     if (xci == NULL) {
+ 	_XEatDataWords (dpy, rep.length);
+ 	UnlockDisplay (dpy);
+@@ -194,12 +206,21 @@ XRRGetCrtcGamma (Display *dpy, RRCrtc crtc)
+     if (!_XReply (dpy, (xReply *) &rep, 0, xFalse))
+ 	goto out;
+ 
+-    nbytes = (long) rep.length << 2;
++    if (rep.length < INT_MAX >> 2)
++    {
++	nbytes = (long) rep.length << 2;
+ 
+-    /* three channels of CARD16 data */
+-    nbytesRead = (rep.size * 2 * 3);
++	/* three channels of CARD16 data */
++	nbytesRead = (rep.size * 2 * 3);
+ 
+-    crtc_gamma = XRRAllocGamma (rep.size);
++	crtc_gamma = XRRAllocGamma (rep.size);
++    }
++    else
++    {
++	nbytes = 0;
++	nbytesRead = 0;
++	crtc_gamma = NULL;
++    }
+ 
+     if (!crtc_gamma)
+     {
+@@ -357,7 +378,7 @@ XRRGetCrtcTransform (Display	*dpy,
+     xRRGetCrtcTransformReq	*req;
+     int				major_version, minor_version;
+     XRRCrtcTransformAttributes	*attr;
+-    char			*extra = NULL, *e;
++    char			*extra = NULL, *end = NULL, *e;
+     int				p;
+ 
+     *attributes = NULL;
+@@ -395,9 +416,17 @@ XRRGetCrtcTransform (Display	*dpy,
+ 	else
+ 	{
+ 	    int extraBytes = rep.length * 4 - CrtcTransformExtra;
+-	    extra = Xmalloc (extraBytes);
++	    if (rep.length < INT_MAX / 4 &&
++		rep.length * 4 >= CrtcTransformExtra) {
++		extra = Xmalloc (extraBytes);
++		end = extra + extraBytes;
++	    } else
++		extra = NULL;
+ 	    if (!extra) {
+-		_XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2));
++		if (rep.length > (CrtcTransformExtra >> 2))
++		    _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2));
++		else
++		    _XEatDataWords (dpy, rep.length);
+ 		UnlockDisplay (dpy);
+ 		SyncHandle ();
+ 		return False;
+@@ -429,22 +458,38 @@ XRRGetCrtcTransform (Display	*dpy,
+ 
+     e = extra;
+ 
++    if (e + rep.pendingNbytesFilter > end) {
++	XFree (extra);
++	return False;
++    }
+     memcpy (attr->pendingFilter, e, rep.pendingNbytesFilter);
+     attr->pendingFilter[rep.pendingNbytesFilter] = '\0';
+     e += (rep.pendingNbytesFilter + 3) & ~3;
+     for (p = 0; p < rep.pendingNparamsFilter; p++) {
+ 	INT32	f;
++	if (e + 4 > end) {
++	    XFree (extra);
++	    return False;
++	}
+ 	memcpy (&f, e, 4);
+ 	e += 4;
+ 	attr->pendingParams[p] = (XFixed) f;
+     }
+     attr->pendingNparams = rep.pendingNparamsFilter;
+ 
++    if (e + rep.currentNbytesFilter > end) {
++	XFree (extra);
++	return False;
++    }
+     memcpy (attr->currentFilter, e, rep.currentNbytesFilter);
+     attr->currentFilter[rep.currentNbytesFilter] = '\0';
+     e += (rep.currentNbytesFilter + 3) & ~3;
+     for (p = 0; p < rep.currentNparamsFilter; p++) {
+ 	INT32	f;
++	if (e + 4 > end) {
++	    XFree (extra);
++	    return False;
++	}
+ 	memcpy (&f, e, 4);
+ 	e += 4;
+ 	attr->currentParams[p] = (XFixed) f;
+diff --git a/src/XrrMonitor.c b/src/XrrMonitor.c
+index a9eaa7b..adc5330 100644
+--- a/src/XrrMonitor.c
++++ b/src/XrrMonitor.c
+@@ -24,6 +24,7 @@
+ #include <config.h>
+ #endif
+ 
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -65,6 +66,15 @@ XRRGetMonitors(Display *dpy, Window window, Bool get_active, int *nmonitors)
+ 	return NULL;
+     }
+ 
++    if (rep.length > INT_MAX >> 2 ||
++	rep.nmonitors > INT_MAX / SIZEOF(xRRMonitorInfo) ||
++	rep.noutputs > INT_MAX / 4 ||
++	rep.nmonitors * SIZEOF(xRRMonitorInfo) > INT_MAX - rep.noutputs * 4) {
++	_XEatData (dpy, rep.length);
++	UnlockDisplay (dpy);
++	SyncHandle ();
++	return NULL;
++    }
+     nbytes = (long) rep.length << 2;
+     nmon = rep.nmonitors;
+     noutput = rep.noutputs;
+@@ -111,6 +121,14 @@ XRRGetMonitors(Display *dpy, Window window, Bool get_active, int *nmonitors)
+ 	    mon[m].outputs = output;
+ 	    buf += SIZEOF (xRRMonitorInfo);
+ 	    xoutput = (CARD32 *) buf;
++	    if (xmon->noutput > rep.noutputs) {
++	        Xfree(buf);
++	        Xfree(mon);
++	        UnlockDisplay (dpy);
++	        SyncHandle ();
++	        return NULL;
++	    }
++	    rep.noutputs -= xmon->noutput;
+ 	    for (o = 0; o < xmon->noutput; o++)
+ 		output[o] = xoutput[o];
+ 	    output += xmon->noutput;
+diff --git a/src/XrrOutput.c b/src/XrrOutput.c
+index 85f0b6e..30f3d40 100644
+--- a/src/XrrOutput.c
++++ b/src/XrrOutput.c
+@@ -25,6 +25,7 @@
+ #include <config.h>
+ #endif
+ 
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -60,6 +61,16 @@ XRRGetOutputInfo (Display *dpy, XRRScreenResources *resources, RROutput output)
+ 	return NULL;
+     }
+ 
++    if (rep.length > INT_MAX >> 2 || rep.length < (OutputInfoExtra >> 2))
++    {
++        if (rep.length > (OutputInfoExtra >> 2))
++	    _XEatDataWords (dpy, rep.length - (OutputInfoExtra >> 2));
++	else
++	    _XEatDataWords (dpy, rep.length);
++	UnlockDisplay (dpy);
++	SyncHandle ();
++	return NULL;
++    }
+     nbytes = ((long) (rep.length) << 2) - OutputInfoExtra;
+ 
+     nbytesRead = (long) (rep.nCrtcs * 4 +
+diff --git a/src/XrrProvider.c b/src/XrrProvider.c
+index 9e620c7..d796cd0 100644
+--- a/src/XrrProvider.c
++++ b/src/XrrProvider.c
+@@ -25,6 +25,7 @@
+ #include <config.h>
+ #endif
+ 
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -59,12 +60,20 @@ XRRGetProviderResources(Display *dpy, Window window)
+       return NULL;
+     }
+ 
+-    nbytes = (long) rep.length << 2;
++    if (rep.length < INT_MAX >> 2) {
++	nbytes = (long) rep.length << 2;
+ 
+-    nbytesRead = (long) (rep.nProviders * 4);
++	nbytesRead = (long) (rep.nProviders * 4);
+ 
+-    rbytes = (sizeof(XRRProviderResources) + rep.nProviders * sizeof(RRProvider));
+-    xrpr = (XRRProviderResources *) Xmalloc(rbytes);
++	rbytes = (sizeof(XRRProviderResources) + rep.nProviders *
++		  sizeof(RRProvider));
++	xrpr = (XRRProviderResources *) Xmalloc(rbytes);
++    } else {
++	nbytes = 0;
++	nbytesRead = 0;
++	rbytes = 0;
++	xrpr = NULL;
++    }
+ 
+     if (xrpr == NULL) {
+        _XEatDataWords (dpy, rep.length);
+@@ -121,6 +130,17 @@ XRRGetProviderInfo(Display *dpy, XRRScreenResources *resources, RRProvider provi
+ 	return NULL;
+     }
+ 
++    if (rep.length > INT_MAX >> 2 || rep.length < ProviderInfoExtra >> 2)
++    {
++	if (rep.length < ProviderInfoExtra >> 2)
++	    _XEatDataWords (dpy, rep.length);
++	else
++	    _XEatDataWords (dpy, rep.length - (ProviderInfoExtra >> 2));
++	UnlockDisplay (dpy);
++	SyncHandle ();
++	return NULL;
++    }
++
+     nbytes = ((long) rep.length << 2) - ProviderInfoExtra;
+ 
+     nbytesRead = (long)(rep.nCrtcs * 4 +
+diff --git a/src/XrrScreen.c b/src/XrrScreen.c
+index b8ce7e5..1f7ffe6 100644
+--- a/src/XrrScreen.c
++++ b/src/XrrScreen.c
+@@ -24,6 +24,7 @@
+ #include <config.h>
+ #endif
+ 
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -105,27 +106,36 @@ doGetScreenResources (Display *dpy, Window window, int poll)
+ 	xrri->has_rates = _XRRHasRates (xrri->minor_version, xrri->major_version);
+     }
+ 
+-    nbytes = (long) rep.length << 2;
++    if (rep.length < INT_MAX >> 2) {
++	nbytes = (long) rep.length << 2;
+ 
+-    nbytesRead = (long) (rep.nCrtcs * 4 +
+-			 rep.nOutputs * 4 +
+-			 rep.nModes * SIZEOF (xRRModeInfo) +
+-			 ((rep.nbytesNames + 3) & ~3));
++	nbytesRead = (long) (rep.nCrtcs * 4 +
++			     rep.nOutputs * 4 +
++			     rep.nModes * SIZEOF (xRRModeInfo) +
++			     ((rep.nbytesNames + 3) & ~3));
+ 
+-    /*
+-     * first we must compute how much space to allocate for
+-     * randr library's use; we'll allocate the structures in a single
+-     * allocation, on cleanlyness grounds.
+-     */
++	/*
++	 * first we must compute how much space to allocate for
++	 * randr library's use; we'll allocate the structures in a single
++	 * allocation, on cleanlyness grounds.
++	 */
++
++	rbytes = (sizeof (XRRScreenResources) +
++		  rep.nCrtcs * sizeof (RRCrtc) +
++		  rep.nOutputs * sizeof (RROutput) +
++		  rep.nModes * sizeof (XRRModeInfo) +
++		  rep.nbytesNames + rep.nModes);    /* '\0' terminate names */
+ 
+-    rbytes = (sizeof (XRRScreenResources) +
+-	      rep.nCrtcs * sizeof (RRCrtc) +
+-	      rep.nOutputs * sizeof (RROutput) +
+-	      rep.nModes * sizeof (XRRModeInfo) +
+-	      rep.nbytesNames + rep.nModes);	/* '\0' terminate names */
++	xrsr = (XRRScreenResources *) Xmalloc(rbytes);
++	wire_names = (char *) Xmalloc (rep.nbytesNames);
++    } else {
++	nbytes = 0;
++	nbytesRead = 0;
++	rbytes = 0;
++	xrsr = NULL;
++	wire_names = NULL;
++    }
+ 
+-    xrsr = (XRRScreenResources *) Xmalloc(rbytes);
+-    wire_names = (char *) Xmalloc (rep.nbytesNames);
+     if (xrsr == NULL || wire_names == NULL) {
+ 	Xfree (xrsr);
+ 	Xfree (wire_names);
+@@ -174,6 +184,14 @@ doGetScreenResources (Display *dpy, Window window, int poll)
+     wire_name = wire_names;
+     for (i = 0; i < rep.nModes; i++)  {
+ 	xrsr->modes[i].name = names;
++	if (xrsr->modes[i].nameLength > rep.nbytesNames) {
++	    Xfree (xrsr);
++	    Xfree (wire_names);
++	    UnlockDisplay (dpy);
++	    SyncHandle ();
++	    return NULL;
++	}
++	rep.nbytesNames -= xrsr->modes[i].nameLength;
+ 	memcpy (names, wire_name, xrsr->modes[i].nameLength);
+ 	names[xrsr->modes[i].nameLength] = '\0';
+ 	names += xrsr->modes[i].nameLength + 1;
+-- 
+cgit v0.10.2
+
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr_1.5.0.bb b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr_1.5.0.bb
index abbbae552..35c60b419 100644
--- a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr_1.5.0.bb
+++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr_1.5.0.bb
@@ -19,5 +19,8 @@ XORG_PN = "libXrandr"
 
 BBCLASSEXTEND = "native nativesdk"
 
+SRC_URI += "file://CVE-2016-7947_CVE-2016-7948.patch \
+	"
+
 SRC_URI[md5sum] = "309762867e41c6fd813da880d8a1bc93"
 SRC_URI[sha256sum] = "6f864959b7fc35db11754b270d71106ef5b5cf363426aa58589cb8ac8266de58"
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch
new file mode 100644
index 000000000..73315b108
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch
@@ -0,0 +1,59 @@
+From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:43:09 +0200
+Subject: Validate lengths while parsing server data.
+
+Individual lengths inside received server data can overflow
+the previously reserved memory.
+
+It is therefore important to validate every single length
+field to not overflow the previously agreed sum of all invidual
+length fields.
+
+v2: consume remaining bytes in the reply buffer on error.
+
+CVE: CVE-2016-7949
+Upstream-Status: Backport
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb@laas.fr
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff --git a/src/Xrender.c b/src/Xrender.c
+index 3102eb2..71cf3e6 100644
+--- a/src/Xrender.c
++++ b/src/Xrender.c
+@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy)
+ 	screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
+ 	screen->subpixel = SubPixelUnknown;
+ 	xDepth = (xPictDepth *) (xScreen + 1);
++	if (screen->ndepths > rep.numDepths) {
++	    Xfree (xri);
++	    Xfree (xData);
++	    _XEatDataWords (dpy, rep.length);
++	    UnlockDisplay (dpy);
++	    SyncHandle ();
++	    return 0;
++	}
++	rep.numDepths -= screen->ndepths;
+ 	for (nd = 0; nd < screen->ndepths; nd++)
+ 	{
+ 	    depth->depth = xDepth->depth;
+ 	    depth->nvisuals = xDepth->nPictVisuals;
+ 	    depth->visuals = visual;
+ 	    xVisual = (xPictVisual *) (xDepth + 1);
++	    if (depth->nvisuals > rep.numVisuals) {
++		Xfree (xri);
++		Xfree (xData);
++		_XEatDataWords (dpy, rep.length);
++		UnlockDisplay (dpy);
++		SyncHandle ();
++		return 0;
++	    }
++	    rep.numVisuals -= depth->nvisuals;
+ 	    for (nv = 0; nv < depth->nvisuals; nv++)
+ 	    {
+ 		visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
+-- 
+cgit v0.10.2
+
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb
index 44cb2e0eb..eac367906 100644
--- a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb
+++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb
@@ -19,5 +19,8 @@ XORG_PN = "libXrender"
 
 BBCLASSEXTEND = "native nativesdk"
 
+SRC_URI += "file://CVE-2016-7949.patch \
+        "
+
 SRC_URI[md5sum] = "5db92962b124ca3a8147daae4adbd622"
 SRC_URI[sha256sum] = "fc2fe57980a14092426dffcd1f2d9de0987b9d40adea663bd70d6342c0e9be1a"
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.2.bb b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.3.bb
index 1b0bcf391..31ea4392d 100644
--- a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.2.bb
+++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.3.bb
@@ -16,5 +16,5 @@ PE = "1"
 
 XORG_PN = "libXtst"
 
-SRC_URI[md5sum] = "25c6b366ac3dc7a12c5d79816ce96a59"
-SRC_URI[sha256sum] = "ef0a7ffd577e5f1a25b1663b375679529663a1880151beaa73e9186c8309f6d9"
+SRC_URI[md5sum] = "ef8c2c1d16a00bd95b9fdcef63b8a2ca"
+SRC_URI[sha256sum] = "4655498a1b8e844e3d6f21f3b2c4e2b571effb5fd83199d428a6ba7ea4bf5204"