diff options
Diffstat (limited to 'meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch')
-rw-r--r-- | meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch new file mode 100644 index 0000000000..110bd445df --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch | |||
@@ -0,0 +1,64 @@ | |||
1 | From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Yair Mizrahi <yairm@jfrog.com> | ||
3 | Date: Thu, 7 Sep 2023 16:15:32 -0700 | ||
4 | Subject: [PATCH libX11 5/5] CVE-2023-43787: Integer overflow in XCreateImage() | ||
5 | leading to a heap overflow | ||
6 | |||
7 | When the format is `Pixmap` it calculates the size of the image data as: | ||
8 | ROUNDUP((bits_per_pixel * width), image->bitmap_pad); | ||
9 | There is no validation on the `width` of the image, and so this | ||
10 | calculation exceeds the capacity of a 4-byte integer, causing an overflow. | ||
11 | |||
12 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | ||
13 | |||
14 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch?h=ubuntu/focal-security | ||
15 | Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0] | ||
16 | CVE: CVE-2023-43787 | ||
17 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
18 | --- | ||
19 | src/ImUtil.c | 20 +++++++++++++++----- | ||
20 | 1 file changed, 15 insertions(+), 5 deletions(-) | ||
21 | |||
22 | diff --git a/src/ImUtil.c b/src/ImUtil.c | ||
23 | index 36f08a03..fbfad33e 100644 | ||
24 | --- a/src/ImUtil.c | ||
25 | +++ b/src/ImUtil.c | ||
26 | @@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group. | ||
27 | #include <X11/Xlibint.h> | ||
28 | #include <X11/Xutil.h> | ||
29 | #include <stdio.h> | ||
30 | +#include <limits.h> | ||
31 | #include "ImUtil.h" | ||
32 | |||
33 | static int _XDestroyImage(XImage *); | ||
34 | @@ -361,13 +362,22 @@ XImage *XCreateImage ( | ||
35 | /* | ||
36 | * compute per line accelerator. | ||
37 | */ | ||
38 | - { | ||
39 | - if (format == ZPixmap) | ||
40 | + if (format == ZPixmap) { | ||
41 | + if ((INT_MAX / bits_per_pixel) < width) { | ||
42 | + Xfree(image); | ||
43 | + return NULL; | ||
44 | + } | ||
45 | + | ||
46 | min_bytes_per_line = | ||
47 | - ROUNDUP((bits_per_pixel * width), image->bitmap_pad); | ||
48 | - else | ||
49 | + ROUNDUP((bits_per_pixel * width), image->bitmap_pad); | ||
50 | + } else { | ||
51 | + if ((INT_MAX - offset) < width) { | ||
52 | + Xfree(image); | ||
53 | + return NULL; | ||
54 | + } | ||
55 | + | ||
56 | min_bytes_per_line = | ||
57 | - ROUNDUP((width + offset), image->bitmap_pad); | ||
58 | + ROUNDUP((width + offset), image->bitmap_pad); | ||
59 | } | ||
60 | if (image_bytes_per_line == 0) { | ||
61 | image->bytes_per_line = min_bytes_per_line; | ||
62 | -- | ||
63 | 2.39.3 | ||
64 | |||