diff options
| author | CoprDistGit <infra@openeuler.org> | 2024-08-06 02:19:21 +0000 |
|---|---|---|
| committer | CoprDistGit <infra@openeuler.org> | 2024-08-06 02:19:21 +0000 |
| commit | 17835c5af459d8f2a2cd7e6429073ae106d8b918 (patch) | |
| tree | aa0eb02acde1e7773dba0e9714ed6f0c3bf9dd1c /0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch | |
| parent | 38b1e7abff8deff663879e1b2800b953c7c09316 (diff) | |
automatic import of libX11openeuler24.03_LTS
Diffstat (limited to '0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch')
| -rw-r--r-- | 0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch b/0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch new file mode 100644 index 0000000..3468d6e --- /dev/null +++ b/0001-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch @@ -0,0 +1,59 @@ +From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001 +From: Yair Mizrahi <yairm@jfrog.com> +Date: Thu, 7 Sep 2023 16:15:32 -0700 +Subject: [PATCH] CVE-2023-43787: Integer overflow in XCreateImage() leading to + a heap overflow + +When the format is `Pixmap` it calculates the size of the image data as: + ROUNDUP((bits_per_pixel * width), image->bitmap_pad); +There is no validation on the `width` of the image, and so this +calculation exceeds the capacity of a 4-byte integer, causing an overflow. + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/ImUtil.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/src/ImUtil.c b/src/ImUtil.c +index 36f08a03..fbfad33e 100644 +--- a/src/ImUtil.c ++++ b/src/ImUtil.c +@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group. + #include <X11/Xlibint.h> + #include <X11/Xutil.h> + #include <stdio.h> ++#include <limits.h> + #include "ImUtil.h" + + static int _XDestroyImage(XImage *); +@@ -361,13 +362,22 @@ XImage *XCreateImage ( + /* + * compute per line accelerator. + */ +- { +- if (format == ZPixmap) ++ if (format == ZPixmap) { ++ if ((INT_MAX / bits_per_pixel) < width) { ++ Xfree(image); ++ return NULL; ++ } ++ + min_bytes_per_line = +- ROUNDUP((bits_per_pixel * width), image->bitmap_pad); +- else ++ ROUNDUP((bits_per_pixel * width), image->bitmap_pad); ++ } else { ++ if ((INT_MAX - offset) < width) { ++ Xfree(image); ++ return NULL; ++ } ++ + min_bytes_per_line = +- ROUNDUP((width + offset), image->bitmap_pad); ++ ROUNDUP((width + offset), image->bitmap_pad); + } + if (image_bytes_per_line == 0) { + image->bytes_per_line = min_bytes_per_line; +-- +2.41.0 + |