diff --git a/CVE-2021-31535.patch b/CVE-2021-31535.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5c1cbb00569c9ac6c695078444aadb87d4ff241b
--- /dev/null
+++ b/CVE-2021-31535.patch
@@ -0,0 +1,273 @@
+diff -uNr libX11-1.6.9.orig/src/Font.c libX11-1.6.9/src/Font.c
+--- libX11-1.6.9.orig/src/Font.c	2019-10-10 01:43:00.000000000 +0800
++++ libX11-1.6.9/src/Font.c	2021-06-11 13:48:47.678388017 +0800
+@@ -102,6 +102,8 @@
+     XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy);
+ #endif
+ 
++    if (strlen(name) >= USHRT_MAX)
++        return NULL;
+     if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0))
+       return font_result;
+     LockDisplay(dpy);
+@@ -663,7 +665,7 @@
+     if (!name)
+ 	return 0;
+     l = strlen(name);
+-    if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-')
++    if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX)
+ 	return 0;
+     charset = NULL;
+     /* next three lines stolen from _XkbGetCharset() */
+diff -uNr libX11-1.6.9.orig/src/FontInfo.c libX11-1.6.9/src/FontInfo.c
+--- libX11-1.6.9.orig/src/FontInfo.c	2019-10-10 01:43:00.000000000 +0800
++++ libX11-1.6.9/src/FontInfo.c	2021-06-11 13:49:17.654338074 +0800
+@@ -58,6 +58,9 @@
+     register xListFontsReq *req;
+     int j;
+ 
++    if (strlen(pattern) >= USHRT_MAX)
++        return NULL;
++
+     LockDisplay(dpy);
+     GetReq(ListFontsWithInfo, req);
+     req->maxNames = maxNames;
+diff -uNr libX11-1.6.9.orig/src/FontNames.c libX11-1.6.9/src/FontNames.c
+--- libX11-1.6.9.orig/src/FontNames.c	2019-10-10 01:43:00.000000000 +0800
++++ libX11-1.6.9/src/FontNames.c	2021-06-11 13:49:54.374276759 +0800
+@@ -51,6 +51,9 @@
+     register xListFontsReq *req;
+     unsigned long rlen = 0;
+ 
++    if (strlen(pattern) >= USHRT_MAX)
++        return NULL;
++
+     LockDisplay(dpy);
+     GetReq(ListFonts, req);
+     req->maxNames = maxNames;
+diff -uNr libX11-1.6.9.orig/src/GetColor.c libX11-1.6.9/src/GetColor.c
+--- libX11-1.6.9.orig/src/GetColor.c	2019-10-10 01:43:00.000000000 +0800
++++ libX11-1.6.9/src/GetColor.c	2021-06-11 13:50:43.042195263 +0800
+@@ -27,6 +27,7 @@
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -48,6 +49,9 @@
+     XcmsColor cmsColor_exact;
+     Status ret;
+ 
++    if (strlen(colorname) >= USHRT_MAX)
++        return (0);
++
+ #ifdef XCMS
+     /*
+      * Let's Attempt to use Xcms and i18n approach to Parse Color
+diff -uNr libX11-1.6.9.orig/src/LoadFont.c libX11-1.6.9/src/LoadFont.c
+--- libX11-1.6.9.orig/src/LoadFont.c	2019-10-10 01:43:00.000000000 +0800
++++ libX11-1.6.9/src/LoadFont.c	2021-06-11 13:51:27.886119964 +0800
+@@ -27,6 +27,7 @@
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include "Xlibint.h"
+ 
+ Font
+@@ -38,6 +39,9 @@
+     Font fid;
+     register xOpenFontReq *req;
+ 
++    if (strlen(name) >= USHRT_MAX)
++        return (0);
++
+     if (_XF86LoadQueryLocaleFont(dpy, name, (XFontStruct **)0, &fid))
+       return fid;
+ 
+diff -uNr libX11-1.6.9.orig/src/LookupCol.c libX11-1.6.9/src/LookupCol.c
+--- libX11-1.6.9.orig/src/LookupCol.c	2019-10-10 01:43:00.000000000 +0800
++++ libX11-1.6.9/src/LookupCol.c	2021-06-11 13:52:42.389994467 +0800
+@@ -27,6 +27,7 @@
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -46,6 +47,9 @@
+ 	XcmsCCC ccc;
+ 	XcmsColor cmsColor_exact;
+ 
++	n = (int) strlen (spec);
++	if (n >= USHRT_MAX)
++            return 0;
+ #ifdef XCMS
+ 	/*
+ 	 * Let's Attempt to use Xcms and i18n approach to Parse Color
+@@ -77,8 +81,6 @@
+ 	 * Xcms and i18n methods failed, so lets pass it to the server
+ 	 * for parsing.
+ 	 */
+-
+-	n = strlen (spec);
+ 	LockDisplay(dpy);
+ 	GetReq (LookupColor, req);
+ 	req->cmap = cmap;
+diff -uNr libX11-1.6.9.orig/src/ParseCol.c libX11-1.6.9/src/ParseCol.c
+--- libX11-1.6.9.orig/src/ParseCol.c	2019-10-10 01:43:00.000000000 +0800
++++ libX11-1.6.9/src/ParseCol.c	2021-06-11 13:53:23.693914489 +0800
+@@ -27,6 +27,7 @@
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -47,6 +48,8 @@
+ 
+         if (!spec) return(0);
+ 	n = strlen (spec);
++	if (n >= USHRT_MAX)
++            return(0);
+ 	if (*spec == '#') {
+ 	    /*
+ 	     * RGB
+diff -uNr libX11-1.6.9.orig/src/QuExt.c libX11-1.6.9/src/QuExt.c
+--- libX11-1.6.9.orig/src/QuExt.c	2019-10-10 01:43:00.000000000 +0800
++++ libX11-1.6.9/src/QuExt.c	2021-06-11 13:54:52.001642044 +0800
+@@ -27,6 +27,8 @@
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
++#include <stdbool.h>
+ #include "Xlibint.h"
+ 
+ Bool
+@@ -40,6 +42,9 @@
+     xQueryExtensionReply rep;
+     register xQueryExtensionReq *req;
+ 
++    if (strlen(name) >= USHRT_MAX)
++        return false;
++
+     LockDisplay(dpy);
+     GetReq(QueryExtension, req);
+     req->nbytes = name ? strlen(name) : 0;
+diff -uNr libX11-1.6.9.orig/src/SetFPath.c libX11-1.6.9/src/SetFPath.c
+--- libX11-1.6.9.orig/src/SetFPath.c	2019-10-10 01:43:00.000000000 +0800
++++ libX11-1.6.9/src/SetFPath.c	2021-06-11 13:55:33.509519589 +0800
+@@ -26,6 +26,7 @@
+ 
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
++#include <limits.h>
+ #endif
+ #include "Xlibint.h"
+ 
+@@ -49,6 +50,11 @@
+ 	req->nFonts = ndirs;
+ 	for (i = 0; i < ndirs; i++) {
+ 		n += safestrlen (directories[i]) + 1;
++		if (n >= USHRT_MAX) {
++			UnlockDisplay(dpy);
++			SyncHandle();
++			return 0;
++		}
+ 	}
+ 	nbytes = (n + 3) & ~3;
+ 	req->length += nbytes >> 2;
+diff -uNr libX11-1.6.9.orig/src/SetHints.c libX11-1.6.9/src/SetHints.c
+--- libX11-1.6.9.orig/src/SetHints.c	2019-10-10 01:43:00.000000000 +0800
++++ libX11-1.6.9/src/SetHints.c	2021-06-11 13:56:58.105279661 +0800
+@@ -49,6 +49,7 @@
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <X11/Xlibint.h>
+ #include <X11/Xutil.h>
+ #include "Xatomtype.h"
+@@ -214,6 +215,8 @@
+ 	register char *buf, *bp;
+ 	for (i = 0, nbytes = 0; i < argc; i++) {
+ 		nbytes += safestrlen(argv[i]) + 1;
++		if (nbytes >= USHRT_MAX)
++                    return 1;
+ 	}
+ 	if ((bp = buf = Xmalloc(nbytes))) {
+ 	    /* copy arguments into single buffer */
+@@ -256,6 +259,8 @@
+ 
+ 	if (name != NULL) XStoreName (dpy, w, name);
+ 
++        if (safestrlen(icon_string) >= USHRT_MAX)
++            return 1;
+ 	if (icon_string != NULL) {
+ 	    XChangeProperty (dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
+                              PropModeReplace,
+@@ -298,6 +303,8 @@
+ 
+ 	len_nm = safestrlen(classhint->res_name);
+ 	len_cl = safestrlen(classhint->res_class);
++        if (len_nm + len_cl >= USHRT_MAX)
++            return 1;
+ 	if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) {
+ 	    if (len_nm) {
+ 		strcpy(s, classhint->res_name);
+diff -uNr libX11-1.6.9.orig/src/StName.c libX11-1.6.9/src/StName.c
+--- libX11-1.6.9.orig/src/StName.c	2019-10-10 01:43:00.000000000 +0800
++++ libX11-1.6.9/src/StName.c	2021-06-11 13:58:50.124979044 +0800
+@@ -27,6 +27,7 @@
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <X11/Xlibint.h>
+ #include <X11/Xatom.h>
+ 
+@@ -36,7 +37,9 @@
+     Window w,
+     _Xconst char *name)
+ {
+-    return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING,
++    if (strlen(name) >= USHRT_MAX)
++        return 0;
++    return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /*  */
+ 			   8, PropModeReplace, (_Xconst unsigned char *)name,
+ 			   name ? strlen(name) : 0);
+ }
+@@ -47,6 +50,8 @@
+     Window w,
+     _Xconst char *icon_name)
+ {
++    if (strlen(icon_name) >= USHRT_MAX)
++        return 0;
+     return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
+                            PropModeReplace, (_Xconst unsigned char *)icon_name,
+ 			   icon_name ? strlen(icon_name) : 0);
+diff -uNr libX11-1.6.9.orig/src/StNColor.c libX11-1.6.9/src/StNColor.c
+--- libX11-1.6.9.orig/src/StNColor.c	2019-10-10 01:43:00.000000000 +0800
++++ libX11-1.6.9/src/StNColor.c	2021-06-11 13:57:38.745168537 +0800
+@@ -27,6 +27,7 @@
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
++#include <limits.h>
+ #include <stdio.h>
+ #include "Xlibint.h"
+ #include "Xcmsint.h"
+@@ -46,6 +47,8 @@
+     XcmsColor cmsColor_exact;
+     XColor scr_def;
+ 
++    if (strlen(name) >= USHRT_MAX)
++        return 0;
+ #ifdef XCMS
+     /*
+      * Let's Attempt to use Xcms approach to Parse Color
diff --git a/libX11.spec b/libX11.spec
index d127ad2ab7aec4d5deba4f258d36b493f7ca0e00..4db0e915d3275049df9aa23de55b7d708acbcb92 100644
--- a/libX11.spec
+++ b/libX11.spec
@@ -1,6 +1,6 @@
 Name:		libX11
 Version:	1.6.9
-Release:	4
+Release:	5
 Summary:	Core X11 protocol client library
 License:	MIT
 URL:		http://www.x.org
@@ -9,6 +9,7 @@ Source0:	https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.
 Patch1:         dont-forward-keycode-0.patch
 Patch2:         CVE-2020-14344.patch
 Patch3:         CVE-2020-14363.patch
+Patch4:         CVE-2021-31535.patch
 
 BuildRequires:	xorg-x11-util-macros >= 1.11 xorg-x11-proto-devel perl-Pod-Usage libXau-devel
 BuildRequires:  libxcb-devel >= 1.2 libXdmcp-devel xorg-x11-xtrans-devel >= 1.0.3-4
@@ -75,6 +76,12 @@ make %{?_smp_mflags} check
 %{_mandir}/*/*
 
 %changelog
+* Fri Jun 11 2021 zhanglin <lin.zhang@turbolinux.com.cn> - 1.6.9-5
+- Type:bugfix
+- Id:NA
+- SUG:NA
+- DESC:fix CVE-2021-31535
+
 * Fri Sep 30 2020 chengguipeng<chenguipeng1@huawei.com> - 1.6.9-4
 - Type:bugfix
 - Id:NA