4 changed files with 17 additions and 135 deletions
--- a/backport-CVE-2021-3782.patch
+++ b/backport-CVE-2021-3782.patch
@ -1,106 +0,0 @@
 From b19488c7154b902354cb26a27f11415d7799b0b2 Mon Sep 17 00:00:00 2001
 From: Derek Foreman <derek.foreman@collabora.com>
 Date: Fri, 28 Jan 2022 13:18:37 -0600
 Subject: [PATCH] util: Limit size of wl_map
 Since server IDs are basically indistinguishable from really big client
 IDs at many points in the source, it's theoretically possible to overflow
 a map and either overflow server IDs into the client ID space, or grow
 client IDs into the server ID space. This would currently take a massive
 amount of RAM, but the definition of massive changes yearly.
 Prevent this by placing a ridiculous but arbitrary upper bound on the
 number of items we can put in a map: 0xF00000, somewhere over 15 million.
 This should satisfy pathological clients without restriction, but stays
 well clear of the 0xFF000000 transition point between server and client
 IDs. It will still take an improbable amount of RAM to hit this, and a
 client could still exhaust all RAM in this way, but our goal is to prevent
 overflow and undefined behaviour.
 Fixes #224
 Signed-off-by: Derek Foreman <derek.foreman@collabora.com>
 Conflict:NA
 Reference:https://gitlab.freedesktop.org/wayland/wayland/-/commit/b19488c7154b902354cb26a27f11415d7799b0b2
 ---
 src/wayland-private.h |  1 +
 src/wayland-util.c    | 25 +++++++++++++++++++++++--
 2 files changed, 24 insertions(+), 2 deletions(-)
 diff --git a/src/wayland-private.h b/src/wayland-private.h
 index 210451e..9274f1b 100644
 --- a/src/wayland-private.h
 +++ b/src/wayland-private.h
@@ -45,6 +45,7 @@
 #define WL_MAP_SERVER_SIDE 0
 #define WL_MAP_CLIENT_SIDE 1
 #define WL_SERVER_ID_START 0xff000000
 +#define WL_MAP_MAX_OBJECTS 0x00f00000
 #define WL_CLOSURE_MAX_ARGS 20
 struct wl_object {
 diff --git a/src/wayland-util.c b/src/wayland-util.c
 index c89a67b..997a2c7 100644
 --- a/src/wayland-util.c
 +++ b/src/wayland-util.c
@@ -197,6 +197,7 @@ wl_map_insert_new(struct wl_map *map, uint32_t flags, void *data)
 	union map_entry *start, *entry;
 	struct wl_array *entries;
 	uint32_t base;
 +	uint32_t count;
 	if (map->side == WL_MAP_CLIENT_SIDE) {
 		entries = &map->client_entries;
@@ -217,10 +218,25 @@ wl_map_insert_new(struct wl_map *map, uint32_t flags, void *data)
 		start = entries->data;
 	}
 +	/* wl_array only grows, so if we have too many objects at
 +	 * this point there's no way to clean up. We could be more
 +	 * pro-active about trying to avoid this allocation, but
 +	 * it doesn't really matter because at this point there is
 +	 * nothing to be done but disconnect the client and delete
 +	 * the whole array either way.
 +	 */
 +	count = entry - start;
 +	if (count > WL_MAP_MAX_OBJECTS) {
 +		/* entry->data is freshly malloced garbage, so we'd
 +		 * better make it a NULL so wl_map_for_each doesn't
 +		 * dereference it later. */
 +		entry->data = NULL;
 +		return 0;
 +	}
 	entry->data = data;
 	entry->next |= (flags & 0x1) << 1;
 -	return (entry - start) + base;
 +	return count + base;
 }
 int
@@ -237,6 +253,9 @@ wl_map_insert_at(struct wl_map *map, uint32_t flags, uint32_t i, void *data)
 		i -= WL_SERVER_ID_START;
 	}
 +	if (i > WL_MAP_MAX_OBJECTS)
 +		return -1;
 +
 	count = entries->size / sizeof *start;
 	if (count < i)
 		return -1;
@@ -271,8 +290,10 @@ wl_map_reserve_new(struct wl_map *map, uint32_t i)
 		i -= WL_SERVER_ID_START;
 	}
 -	count = entries->size / sizeof *start;
 +	if (i > WL_MAP_MAX_OBJECTS)
 +		return -1;
 +	count = entries->size / sizeof *start;
 	if (count < i)
 		return -1;
 -- 
 2.33.0
--- a/wayland-1.18.0.tar.xz
+++ b/wayland-1.18.0.tar.xz
--- a/wayland-1.20.0.tar.xz
+++ b/wayland-1.20.0.tar.xz
--- a/wayland.spec
+++ b/wayland.spec
@ -1,15 +1,13 @@
-Name:           wayland
+Name:		wayland
-Version:        1.20.0
+Version:	1.18.0
-Release:	6
+Release:	1
 Summary:	Wayland Compositor Infrastructure
 License:	MIT
 URL:		http://wayland.freedesktop.org/
 Source0:	http://wayland.freedesktop.org/releases/%{name}-%{version}.tar.xz
-Patch6000:	backport-CVE-2021-3782.patch
+BuildRequires:	gcc chrpath docbook-style-xsl doxygen expat-devel  
-
+BuildRequires:  libxml2-devel libxslt pkgconfig(libffi) xmlto graphviz
 BuildRequires:  gcc gcc-c++ docbook-style-xsl doxygen expat-devel  
 BuildRequires:  libxml2-devel libxslt pkgconfig(libffi) xmlto graphviz meson
 Provides:       libwayland-client = %{version}-%{release} libwayland-cursor = %{version}-%{release}  
 Obsoletes:      libwayland-client < %{version}-%{release}  libwayland-cursor < %{version}-%{release}  
@ -61,14 +59,20 @@ developing applications that use %{name}.
 %autosetup -n %{name}-%{version} -p1
 %build
-%meson
+%configure  --disable-static --enable-documentation
-%meson_build
+%make_build
 %install
-%meson_install
+%make_install
 %delete_la
 chrpath -d %{buildroot}%{_libdir}/libwayland-cursor.so
 %check
-%meson_test
+mkdir -m 700 tests/run
 XDG_RUNTIME_DIR=$PWD/tests/run 
 make check || \
 { rc=$?; cat test-suite.log; exit $rc; }
 %files
 %defattr(-,root,root)
@ -88,28 +92,12 @@ developing applications that use %{name}.
 %files help
 %defattr(-,root,root)
-%doc README
+%doc README TODO
 %{_mandir}/man3/*.3*
 %{_datadir}/doc/wayland/
 %changelog
 * Wed Sep 14 2022 wangkerong <wangkerong@h-partners.com> - 1.20.0-6
 - fix CVE-2021-3782
 * Wed Aug 03 2022 wangkerong <wangkerong@h-partners.com> - 1.20.0-5
 - revert remove rpath
 * Thu Jun 16 2022 wangkerong <wangkerong@h-partners.com> - 1.20.0-4
 - CVE:NA
 - SUG:NA
 - DESC:remove rpath
 * Mon Mar 28 2022 lin zhang <lin.zhang@turbolinux.com.cn> - 1.20.0-3
 - upgrade to 1.20.0-3
 * Sat Dec 04 2021 wangkerong <wangkerong@huawei.com> - 1.19.91-1
 - update to 1.19.91
 * Fri Jul 17 2020 chengguipeng <chenguipeng1@huawei.com> - 1.18.0-1
 - upgrade to 1.18.0-1