38 lines
1.4 KiB
Diff
38 lines
1.4 KiB
Diff
|
From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||
|
|
Date: Thu, 7 Sep 2023 15:54:30 -0700
|
||
|
|
Subject: [PATCH 1/3] CVE-2023-43786: stack exhaustion from infinite recursion
|
||
|
|
in PutSubImage()
|
||
|
|
|
||
|
|
When splitting a single line of pixels into chunks to send to the
|
||
|
|
X server, be sure to take into account the number of bits per pixel,
|
||
|
|
so we don't just loop forever trying to send more pixels than fit in
|
||
|
|
the given request size and not breaking them down into a small enough
|
||
|
|
chunk to fix.
|
||
|
|
|
||
|
|
Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2
|
||
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||
|
|
---
|
||
|
|
src/PutImage.c | 5 +++--
|
||
|
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
||
|
|
|
||
|
|
diff --git a/src/PutImage.c b/src/PutImage.c
|
||
|
|
index 857ee916..a6db7b42 100644
|
||
|
|
--- a/src/PutImage.c
|
||
|
|
+++ b/src/PutImage.c
|
||
|
|
@@ -914,8 +914,9 @@ PutSubImage (
|
||
|
|
req_width, req_height - SubImageHeight,
|
||
|
|
dest_bits_per_pixel, dest_scanline_pad);
|
||
|
|
} else {
|
||
|
|
- int SubImageWidth = (((Available << 3) / dest_scanline_pad)
|
||
|
|
- * dest_scanline_pad) - left_pad;
|
||
|
|
+ int SubImageWidth = ((((Available << 3) / dest_scanline_pad)
|
||
|
|
+ * dest_scanline_pad) - left_pad)
|
||
|
|
+ / dest_bits_per_pixel;
|
||
|
|
|
||
|
|
PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y,
|
||
|
|
(unsigned int) SubImageWidth, 1,
|
||
|
|
--
|
||
|
|
2.41.0
|
||
|
|
|