a3c0591d4a
Includes hardening for CVE-2023-43786 and CVE-2023-43787. Check X.Org Security Advisory [1] for more information. [1] https://lists.x.org/archives/xorg-announce/2023-October/003424.html Resolves: https://issues.redhat.com/browse/RHEL-12414
36 lines
1.1 KiB
Diff
36 lines
1.1 KiB
Diff
From 91f887b41bf75648df725a4ed3be036da02e911e Mon Sep 17 00:00:00 2001
|
|
From: Yair Mizrahi <yairm@jfrog.com>
|
|
Date: Thu, 7 Sep 2023 16:59:07 -0700
|
|
Subject: [PATCH] Avoid CVE-2023-43787 (integer overflow in XCreateImage)
|
|
|
|
This doesn't fix the CVE - that has to happen in libX11, this
|
|
just tries to avoid triggering it from libXpm, and saves time
|
|
in not pretending we can successfully create an X Image for
|
|
which the width * depth would overflow the signed int used to
|
|
store the bytes_per_line value.
|
|
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
---
|
|
src/create.c | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/src/create.c b/src/create.c
|
|
index ec562b2..b8c80d2 100644
|
|
--- a/src/create.c
|
|
+++ b/src/create.c
|
|
@@ -997,6 +997,11 @@ CreateXImage(
|
|
*image_return = NULL;
|
|
return XpmNoMemory;
|
|
}
|
|
+ if (width != 0 && (*image_return)->bits_per_pixel >= INT_MAX / width) {
|
|
+ XDestroyImage(*image_return);
|
|
+ *image_return = NULL;
|
|
+ return XpmNoMemory;
|
|
+ }
|
|
/* now that bytes_per_line must have been set properly alloc data */
|
|
if((*image_return)->bytes_per_line == 0 || height == 0) {
|
|
XDestroyImage(*image_return);
|
|
--
|
|
2.41.0
|
|
|