e9927e694f
Check X.Org Security Advisory [1] for more information. [1] https://lists.x.org/archives/xorg-announce/2023-October/003424.html Resolves: https://issues.redhat.com/browse/RHEL-12416
59 lines
2.4 KiB
Diff
59 lines
2.4 KiB
Diff
From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
|
|
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Date: Sun, 17 Sep 2023 14:19:40 -0700
|
|
Subject: [PATCH] CVE-2023-43785: out-of-bounds memory access in
|
|
_XkbReadKeySyms()
|
|
|
|
Make sure we allocate enough memory in the first place, and
|
|
also handle error returns from _XkbReadBufferCopyKeySyms() when
|
|
it detects out-of-bounds issues.
|
|
|
|
Reported-by: Gregory James DUCK <gjduck@gmail.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
---
|
|
src/xkb/XKBGetMap.c | 14 +++++++++-----
|
|
1 file changed, 9 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
|
|
index 2891d21e..31199e4a 100644
|
|
--- a/src/xkb/XKBGetMap.c
|
|
+++ b/src/xkb/XKBGetMap.c
|
|
@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
|
|
if (offset + newMap->nSyms >= map->size_syms) {
|
|
register int sz;
|
|
|
|
- sz = map->size_syms + 128;
|
|
+ sz = offset + newMap->nSyms;
|
|
+ sz = ((sz + (unsigned) 128) / 128) * 128;
|
|
_XkbResizeArray(map->syms, map->size_syms, sz, KeySym);
|
|
if (map->syms == NULL) {
|
|
map->size_syms = 0;
|
|
@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
|
|
map->size_syms = sz;
|
|
}
|
|
if (newMap->nSyms > 0) {
|
|
- _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
|
|
- newMap->nSyms);
|
|
+ if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
|
|
+ newMap->nSyms) == 0)
|
|
+ return BadLength;
|
|
offset += newMap->nSyms;
|
|
}
|
|
else {
|
|
@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep)
|
|
newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
|
|
if (newSyms == NULL)
|
|
return BadAlloc;
|
|
- if (newMap->nSyms > 0)
|
|
- _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
|
|
+ if (newMap->nSyms > 0) {
|
|
+ if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0)
|
|
+ return BadLength;
|
|
+ }
|
|
else
|
|
newSyms[0] = NoSymbol;
|
|
oldMap->kt_index[0] = newMap->ktIndex[0];
|
|
--
|
|
2.41.0
|
|
|