diff options
Diffstat (limited to 'meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch')
-rw-r--r-- | meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch new file mode 100644 index 0000000000..dbdf096fc8 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch | |||
@@ -0,0 +1,63 @@ | |||
1 | From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001 | ||
2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> | ||
3 | Date: Sun, 17 Sep 2023 14:19:40 -0700 | ||
4 | Subject: [PATCH libX11 1/5] CVE-2023-43785: out-of-bounds memory access in | ||
5 | _XkbReadKeySyms() | ||
6 | |||
7 | Make sure we allocate enough memory in the first place, and | ||
8 | also handle error returns from _XkbReadBufferCopyKeySyms() when | ||
9 | it detects out-of-bounds issues. | ||
10 | |||
11 | Reported-by: Gregory James DUCK <gjduck@gmail.com> | ||
12 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | ||
13 | |||
14 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch?h=ubuntu/focal-security | ||
15 | Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f] | ||
16 | CVE: CVE-2023-43785 | ||
17 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
18 | --- | ||
19 | src/xkb/XKBGetMap.c | 14 +++++++++----- | ||
20 | 1 file changed, 9 insertions(+), 5 deletions(-) | ||
21 | |||
22 | diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c | ||
23 | index 2891d21e..31199e4a 100644 | ||
24 | --- a/src/xkb/XKBGetMap.c | ||
25 | +++ b/src/xkb/XKBGetMap.c | ||
26 | @@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) | ||
27 | if (offset + newMap->nSyms >= map->size_syms) { | ||
28 | register int sz; | ||
29 | |||
30 | - sz = map->size_syms + 128; | ||
31 | + sz = offset + newMap->nSyms; | ||
32 | + sz = ((sz + (unsigned) 128) / 128) * 128; | ||
33 | _XkbResizeArray(map->syms, map->size_syms, sz, KeySym); | ||
34 | if (map->syms == NULL) { | ||
35 | map->size_syms = 0; | ||
36 | @@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) | ||
37 | map->size_syms = sz; | ||
38 | } | ||
39 | if (newMap->nSyms > 0) { | ||
40 | - _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset], | ||
41 | - newMap->nSyms); | ||
42 | + if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset], | ||
43 | + newMap->nSyms) == 0) | ||
44 | + return BadLength; | ||
45 | offset += newMap->nSyms; | ||
46 | } | ||
47 | else { | ||
48 | @@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) | ||
49 | newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp); | ||
50 | if (newSyms == NULL) | ||
51 | return BadAlloc; | ||
52 | - if (newMap->nSyms > 0) | ||
53 | - _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms); | ||
54 | + if (newMap->nSyms > 0) { | ||
55 | + if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0) | ||
56 | + return BadLength; | ||
57 | + } | ||
58 | else | ||
59 | newSyms[0] = NoSymbol; | ||
60 | oldMap->kt_index[0] = newMap->ktIndex[0]; | ||
61 | -- | ||
62 | 2.39.3 | ||
63 | |||