From 17835c5af459d8f2a2cd7e6429073ae106d8b918 Mon Sep 17 00:00:00 2001 From: CoprDistGit Date: Tue, 6 Aug 2024 02:19:21 +0000 Subject: automatic import of libX11 --- ...786-stack-exhaustion-from-infinite-recurs.patch | 37 ++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch (limited to '0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch') diff --git a/0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch b/0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch new file mode 100644 index 0000000..8f6a446 --- /dev/null +++ b/0001-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch @@ -0,0 +1,37 @@ +From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Thu, 7 Sep 2023 15:54:30 -0700 +Subject: [PATCH 1/3] CVE-2023-43786: stack exhaustion from infinite recursion + in PutSubImage() + +When splitting a single line of pixels into chunks to send to the +X server, be sure to take into account the number of bits per pixel, +so we don't just loop forever trying to send more pixels than fit in +the given request size and not breaking them down into a small enough +chunk to fix. + +Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2 +Signed-off-by: Alan Coopersmith +--- + src/PutImage.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/PutImage.c b/src/PutImage.c +index 857ee916..a6db7b42 100644 +--- a/src/PutImage.c ++++ b/src/PutImage.c +@@ -914,8 +914,9 @@ PutSubImage ( + req_width, req_height - SubImageHeight, + dest_bits_per_pixel, dest_scanline_pad); + } else { +- int SubImageWidth = (((Available << 3) / dest_scanline_pad) +- * dest_scanline_pad) - left_pad; ++ int SubImageWidth = ((((Available << 3) / dest_scanline_pad) ++ * dest_scanline_pad) - left_pad) ++ / dest_bits_per_pixel; + + PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y, + (unsigned int) SubImageWidth, 1, +-- +2.41.0 + -- cgit v1.2.3