new file mode 100644
@@ -0,0 +1,63 @@
+From 036bc3ddcbb56f05c6ca76712a53b89dee1369e2 Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe@src.gnome.org>
+Date: Sun, 2 Jun 2024 19:19:35 +0200
+Subject: [PATCH] emulation: Restrict resize request to sane numbers
+
+Fixes: https://gitlab.gnome.org/GNOME/vte/-/issues/2786
+(cherry picked from commit fd5511f24b7269195a7083f409244e9787c705dc)
+
+CVE: CVE-2024-37535
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/vte/-/commit/036bc3ddcbb56f05c6ca76712a53b89dee1369e2]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/vteseq.cc | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/vteseq.cc b/src/vteseq.cc
+index 2c5b1e128..5b3f398e2 100644
+--- a/src/vteseq.cc
++++ b/src/vteseq.cc
+@@ -213,9 +213,18 @@ Terminal::emit_bell()
+ /* Emit a "resize-window" signal. (Grid size.) */
+ void
+ Terminal::emit_resize_window(guint columns,
+- guint rows)
+-{
+- _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `resize-window'.\n");
++ guint rows)
++{
++ // Ignore resizes with excessive number of rows or columns,
++ // see https://gitlab.gnome.org/GNOME/vte/-/issues/2786
++ if (columns < VTE_MIN_GRID_WIDTH ||
++ columns > 511 ||
++ rows < VTE_MIN_GRID_HEIGHT ||
++ rows > 511)
++ return;
++
++ _vte_debug_print(VTE_DEBUG_SIGNALS, "Emitting `resize-window' %d columns %d rows.\n",
++ columns, rows);
+ g_signal_emit(m_terminal, signals[SIGNAL_RESIZE_WINDOW], 0, columns, rows);
+ }
+
+@@ -4467,8 +4476,6 @@ Terminal::DECSLPP(vte::parser::Sequence const& seq)
+ else if (param < 24)
+ return;
+
+- _vte_debug_print(VTE_DEBUG_EMULATION, "Resizing to %d rows.\n", param);
+-
+ emit_resize_window(m_column_count, param);
+ }
+
+@@ -8990,9 +8997,6 @@ Terminal::XTERM_WM(vte::parser::Sequence const& seq)
+ seq.collect(1, {&height, &width});
+
+ if (width != -1 && height != -1) {
+- _vte_debug_print(VTE_DEBUG_EMULATION,
+- "Resizing window to %d columns, %d rows.\n",
+- width, height);
+ emit_resize_window(width, height);
+ }
+ break;
+--
+GitLab
new file mode 100644
@@ -0,0 +1,85 @@
+From c313849c2e5133802e21b13fa0b141b360171d39 Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe@src.gnome.org>
+Date: Sun, 2 Jun 2024 19:19:35 +0200
+Subject: [PATCH] widget: Add safety limit to widget size requests
+
+https://gitlab.gnome.org/GNOME/vte/-/issues/2786
+(cherry picked from commit 1803ba866053a3d7840892b9d31fe2944a183eda)
+
+CVE: CVE-2024-37535
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/vte/-/commit/c313849c2e5133802e21b13fa0b141b360171d39]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/vtegtk.cc | 35 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/src/vtegtk.cc b/src/vtegtk.cc
+index 24bdd7184..48cae79c1 100644
+--- a/src/vtegtk.cc
++++ b/src/vtegtk.cc
+@@ -91,6 +91,38 @@
+ template<typename T>
+ constexpr bool check_enum_value(T value) noexcept;
+
++static inline void
++sanitise_widget_size_request(int* minimum,
++ int* natural) noexcept
++{
++ // Overly large size requests will make gtk happily allocate
++ // a window size over the window system's limits (see
++ // e.g. https://gitlab.gnome.org/GNOME/vte/-/issues/2786),
++ // leading to aborting the whole process.
++ // The toolkit should be in a better position to know about
++ // these limits and not exceed them (which here is certainly
++ // possible since our minimum sizes are very small), let's
++ // limit the widget's size request to some large value
++ // that hopefully is within the absolute limits of
++ // the window system (assumed here to be int16 range,
++ // and leaving some space for the widgets that contain
++ // the terminal).
++ auto const limit = (1 << 15) - (1 << 12);
++
++ if (*minimum > limit || *natural > limit) {
++ static auto warned = false;
++
++ if (!warned) {
++ g_warning("Widget size request (minimum %d, natural %d) exceeds limits\n",
++ *minimum, *natural);
++ warned = true;
++ }
++ }
++
++ *minimum = std::min(*minimum, limit);
++ *natural = std::clamp(*natural, *minimum, limit);
++}
++
+ struct _VteTerminalClassPrivate {
+ GtkStyleProvider *style_provider;
+ };
+@@ -510,6 +542,7 @@ try
+ {
+ VteTerminal *terminal = VTE_TERMINAL(widget);
+ WIDGET(terminal)->get_preferred_width(minimum_width, natural_width);
++ sanitise_widget_size_request(minimum_width, natural_width);
+ }
+ catch (...)
+ {
+@@ -524,6 +557,7 @@ try
+ {
+ VteTerminal *terminal = VTE_TERMINAL(widget);
+ WIDGET(terminal)->get_preferred_height(minimum_height, natural_height);
++ sanitise_widget_size_request(minimum_height, natural_height);
+ }
+ catch (...)
+ {
+@@ -781,6 +815,7 @@ try
+ WIDGET(terminal)->measure(orientation, for_size,
+ minimum, natural,
+ minimum_baseline, natural_baseline);
++ sanitise_widget_size_request(minimum, natural);
+ }
+ catch (...)
+ {
+--
+GitLab
@@ -19,8 +19,13 @@ GIR_MESON_OPTION = 'gir'
inherit gnomebase gtk-doc features_check upstream-version-is-even gobject-introspection
# vapigen.m4 is required when vala is not present (but the one from vala should be used normally)
-SRC_URI += "file://0001-Add-W_EXITCODE-macro-for-non-glibc-systems.patch \
- file://0001-Makefile.docs-correctly-substitute-gtkdoc-qemu-wrapp.patch"
+SRC_URI += " \
+ file://0001-Add-W_EXITCODE-macro-for-non-glibc-systems.patch \
+ file://0001-Makefile.docs-correctly-substitute-gtkdoc-qemu-wrapp.patch \
+ file://CVE-2024-37535-0001.patch \
+ file://CVE-2024-37535-0002.patch \
+ "
+
SRC_URI[archive.sha256sum] = "e89974673a72a0a06edac6d17830b82bb124decf0cb3b52cebc92ec3ff04d976"
ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}"