26c6b983e8
Upstream merge request: https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250 Resolves: https://issues.redhat.com/browse/RHEL-34918
58 lines
2.1 KiB
Diff
58 lines
2.1 KiB
Diff
From 97fb5bda3d0777380cd4b964f48771a82ef3f2a7 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
|
|
Date: Tue, 30 Apr 2024 18:21:08 +0200
|
|
Subject: [PATCH 6/6] Fix buffer overrun in parse_omit_name
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
When `num_fields == 12`, if the last character of the pattern is '-',
|
|
the `buf` array is overrun.
|
|
|
|
This error has been found by a static analysis tool. This is the report:
|
|
|
|
Error: OVERRUN (CWE-119):
|
|
libX11-1.8.7/modules/om/generic/omGeneric.c:691: cond_at_most:
|
|
Checking "length > 255" implies that "length" may be up to 255 on
|
|
the false branch.
|
|
libX11-1.8.7/modules/om/generic/omGeneric.c:695: alias:
|
|
Assigning: "last" = "buf + length - 1". "last" may now point to as
|
|
high as byte 254 of "buf" (which consists of 256 bytes).
|
|
libX11-1.8.7/modules/om/generic/omGeneric.c:718: ptr_incr:
|
|
Incrementing "last". "last" may now point to as high as byte 255
|
|
of "buf" (which consists of 256 bytes).
|
|
libX11-1.8.7/modules/om/generic/omGeneric.c:720: ptr_incr:
|
|
Incrementing "last". "last" may now point to as high as byte 256
|
|
of "buf" (which consists of 256 bytes).
|
|
libX11-1.8.7/modules/om/generic/omGeneric.c:720: overrun-local:
|
|
Overrunning array of 256 bytes at byte offset 256 by
|
|
dereferencing pointer "++last".
|
|
# 718| *++last = '*';
|
|
# 719|
|
|
# 720|-> *++last = '-';
|
|
# 721| break;
|
|
# 722| case 13:
|
|
|
|
Signed-off-by: José Expósito <jexposit@redhat.com>
|
|
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libx11/-/merge_requests/250>
|
|
---
|
|
modules/om/generic/omGeneric.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c
|
|
index 406cec93..370072f3 100644
|
|
--- a/modules/om/generic/omGeneric.c
|
|
+++ b/modules/om/generic/omGeneric.c
|
|
@@ -688,7 +688,7 @@ parse_omit_name(
|
|
|
|
length = strlen (pattern);
|
|
|
|
- if (length > XLFD_MAX_LEN)
|
|
+ if (length > XLFD_MAX_LEN - 1)
|
|
return -1;
|
|
|
|
strcpy(buf, pattern);
|
|
--
|
|
2.45.2
|
|
|