a3c0591d4a
Includes hardening for CVE-2023-43786 and CVE-2023-43787. Check X.Org Security Advisory [1] for more information. [1] https://lists.x.org/archives/xorg-announce/2023-October/003424.html Resolves: https://issues.redhat.com/browse/RHEL-12414
33 lines
1011 B
Diff
33 lines
1011 B
Diff
From 2fa554b01ef6079a9b35df9332bdc4f139ed67e0 Mon Sep 17 00:00:00 2001
|
|
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Date: Sat, 29 Apr 2023 17:50:39 -0700
|
|
Subject: [PATCH] Fix CVE-2023-43788: Out of bounds read in
|
|
XpmCreateXpmImageFromBuffer
|
|
|
|
When the test case for CVE-2022-46285 was run with the Address Sanitizer
|
|
enabled, it found an out-of-bounds read in ParseComment() when reading
|
|
from a memory buffer instead of a file, as it continued to look for the
|
|
closing comment marker past the end of the buffer.
|
|
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
---
|
|
src/data.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/src/data.c b/src/data.c
|
|
index 7524e65..0b0f1f3 100644
|
|
--- a/src/data.c
|
|
+++ b/src/data.c
|
|
@@ -108,7 +108,7 @@ ParseComment(xpmData *data)
|
|
n++;
|
|
s2++;
|
|
} while (c == *s2 && *s2 != '\0' && c);
|
|
- if (*s2 == '\0') {
|
|
+ if (*s2 == '\0' || c == '\0') {
|
|
/* this is the end of the comment */
|
|
notend = 0;
|
|
data->cptr--;
|
|
--
|
|
2.41.0
|
|
|