Diffstat (limited to '0001-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch')
-rw-r--r-- | 0001-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/0001-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch b/0001-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch
new file mode 100644
index 0000000..30cf7f7
--- /dev/null
+++ b/0001-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch
@@ -0,0 +1,37 @@
+From c6cd85b7d0a725552a7277748504a33f0fc3e121 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 17 Dec 2022 12:23:45 -0800
+Subject: [PATCH libXpm 1/6] Fix CVE-2022-46285: Infinite loop on unclosed
+ comments
+
+When reading XPM images from a file with libXpm 3.5.14 or older, if a
+comment in the file is not closed (i.e. a C-style comment starts with
+"/*" and is missing the closing "*/"), the ParseComment() function will
+loop forever calling getc() to try to read the rest of the comment,
+failing to notice that it has returned EOF, which may cause a denial of
+service to the calling program.
+
+Reported-by: Marco Ivaldi <raptor@0xdeadbeef.info>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/data.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/data.c b/src/data.c
+index 898889c..bfad4ff 100644
+--- a/src/data.c
++++ b/src/data.c
+@@ -174,6 +174,10 @@ ParseComment(xpmData *data)
+ notend = 0;
+ Ungetc(data, *s, file);
+ }
++ else if (c == EOF) {
++ /* hit end of file before the end of the comment */
++ return XpmFileInvalid;
++ }
+ }
+ return 0;
+ }
+--
+2.39.0
+ |
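Review bot: The new `return XpmFileInvalid;` in the EOF branch of ParseComment() only protects callers that act on the return value, and the visible tail of the function otherwise ends in `return 0;`, so confirm that the call sites (outside this hunk) either check the result or stop on their own once the stream is at EOF. The test `c == EOF` is also only reliable if `c` is declared `int` and holds getc()'s result unnarrowed; the declaration is not visible here, so verify it in src/data.c. Because this package carries the fix as a backported patch, a check-phase regression case that loads an XPM file whose comment is never closed, run under a timeout, would show that the patch is applied and effective. ParseComment's body starts before the hunk, so the buffer-based (non-file) path could not be reviewed here.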