1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
|
Description: Fix for CVE-2021-27135 from xterm 366
Correct upper-limit for selection buffer, accounting for
combining characters (report by Tavis Ormandy).
Upstream-Status: Backport
https://sources.debian.org/data/main/x/xterm/344-1%2Bdeb10u1/debian/patches/CVE-2021-27135.diff
CVE: CVE-2021-27135
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
button.c | 29 +++++++++++++++++++++++++----
1 file changed, 25 insertions(+), 4 deletions(-)
Index: xterm-353/button.c
===================================================================
--- xterm-353.orig/button.c
+++ xterm-353/button.c
@@ -3928,6 +3928,7 @@ SaltTextAway(XtermWidget xw,
int i;
int eol;
int need = 0;
+ size_t have = 0;
Char *line;
Char *lp;
CELL first = *cellc;
@@ -3962,7 +3963,11 @@ SaltTextAway(XtermWidget xw,
/* UTF-8 may require more space */
if_OPT_WIDE_CHARS(screen, {
- need *= 4;
+ if (need > 0) {
+ if (screen->max_combining > 0)
+ need += screen->max_combining;
+ need *= 6;
+ }
});
/* now get some memory to save it in */
@@ -4000,10 +4005,26 @@ SaltTextAway(XtermWidget xw,
}
*lp = '\0'; /* make sure we have end marked */
- TRACE(("Salted TEXT:%u:%s\n", (unsigned) (lp - line),
- visibleChars(line, (unsigned) (lp - line))));
+ have = (size_t) (lp - line);
+ /*
+ * Scanning the buffer twice is unnecessary. Discard unwanted memory if
+ * the estimate is too-far off.
+ */
+ if ((have * 2) < (size_t) need) {
+ Char *next;
+ scp->data_limit = have + 1;
+ next = realloc(line, scp->data_limit);
+ if (next == NULL) {
+ free(line);
+ scp->data_length = 0;
+ scp->data_limit = 0;
+ }
+ scp->data_buffer = next;
+ }
+ scp->data_length = have;
- scp->data_length = (size_t) (lp - line);
+ TRACE(("Salted TEXT:%u:%s\n", (unsigned) have,
+ visibleChars(scp->data_buffer, (unsigned) have)));
}
#if OPT_PASTE64
|