Diffstat (limited to 'meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch')
-rw-r--r-- | meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch | 52 |
1 files changed, 52 insertions, 0 deletions
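diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
new file mode 100644
index 0000000000..d35d96c4dc
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
@@ -0,0 +1,52 @@
+From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 16:12:27 -0700
+Subject: [PATCH libX11 4/5] XCreatePixmap: trigger BadValue error for
+out-of-range dimensions
+
+The CreatePixmap request specifies height & width of the image as CARD16
+(unsigned 16-bit integer), so if either is larger than that, set it to 0
+so the X server returns a BadValue error as the protocol requires.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b]
+CVE: CVE-2023-43787
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+src/CrPixmap.c | 11 +++++++++++
+1 file changed, 11 insertions(+)
+
+diff --git a/src/CrPixmap.c b/src/CrPixmap.c
+index cdf31207..3cb2ca6d 100644
+--- a/src/CrPixmap.c
++++ b/src/CrPixmap.c
+@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
+#include <config.h>
+#endif
+#include "Xlibint.h"
++#include <limits.h>
+
+#ifdef USE_DYNAMIC_XCURSOR
+void
+@@ -47,6 +48,16 @@ Pixmap XCreatePixmap (
+Pixmap pid;
+register xCreatePixmapReq *req;
+
++ /*
++ * Force a BadValue X Error if the requested dimensions are larger
++ * than the X11 protocol has room for, since that's how callers expect
++ * to get notified of errors.
++ */
++ if (width > USHRT_MAX)
++ width = 0;
++ if (height > USHRT_MAX)
++ height = 0;
++
+LockDisplay(dpy);
+GetReq(CreatePixmap, req);
+req->drawable = d;
+--
+2.39.3
+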
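Review bot: The new guard in XCreatePixmap (inner hunk `@@ -47,6 +48,16 @@`) bounds the dimensions with `USHRT_MAX`, which ties a wire-format limit to the platform's `unsigned short` rather than to the CARD16 field named in the commit message. Writing `if (width > 0xFFFF) width = 0;` (and the same for `height`) would state the protocol bound directly and make the added `<limits.h>` include unnecessary. The comment could also say why 0 is the substituted value, e.g. `/* 0 is not a valid dimension, so the server answers BadValue instead of the value being cut down to 16 bits */`. The assignments into the request fields lie outside the hunk, so the truncation being prevented is inferred from the commit message rather than seen here. This view is limited to the patch file, so the recipe's `SRC_URI` entry that actually applies it is not visible and should be confirmed in the same change.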