libX11/SOURCES/0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch

60 lines
1.7 KiB
Diff
Raw Normal View History

2024-05-22 13:37:22 +00:00
From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001
From: Yair Mizrahi <yairm@jfrog.com>
Date: Thu, 7 Sep 2023 16:15:32 -0700
Subject: [PATCH] CVE-2023-43787: Integer overflow in XCreateImage() leading to
a heap overflow
When the format is `Pixmap` it calculates the size of the image data as:
ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
There is no validation on the `width` of the image, and so this
calculation exceeds the capacity of a 4-byte integer, causing an overflow.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/ImUtil.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/src/ImUtil.c b/src/ImUtil.c
index 36f08a03..fbfad33e 100644
--- a/src/ImUtil.c
+++ b/src/ImUtil.c
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
#include <X11/Xlibint.h>
#include <X11/Xutil.h>
#include <stdio.h>
+#include <limits.h>
#include "ImUtil.h"
static int _XDestroyImage(XImage *);
@@ -361,13 +362,22 @@ XImage *XCreateImage (
/*
* compute per line accelerator.
*/
- {
- if (format == ZPixmap)
+ if (format == ZPixmap) {
+ if ((INT_MAX / bits_per_pixel) < width) {
+ Xfree(image);
+ return NULL;
+ }
+
min_bytes_per_line =
- ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
- else
+ ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+ } else {
+ if ((INT_MAX - offset) < width) {
+ Xfree(image);
+ return NULL;
+ }
+
min_bytes_per_line =
- ROUNDUP((width + offset), image->bitmap_pad);
+ ROUNDUP((width + offset), image->bitmap_pad);
}
if (image_bytes_per_line == 0) {
image->bytes_per_line = min_bytes_per_line;
--
2.41.0