From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Thu, 7 Sep 2023 15:54:30 -0700 Subject: [PATCH libX11 2/5] CVE-2023-43786: stack exhaustion from infinite recursion in PutSubImage() When splitting a single line of pixels into chunks to send to the X server, be sure to take into account the number of bits per pixel, so we don't just loop forever trying to send more pixels than fit in the given request size and not breaking them down into a small enough chunk to fix. Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2 Signed-off-by: Alan Coopersmith Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0002-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch?h=ubuntu/focal-security Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/204c3393c4c90a29ed6bef64e43849536e863a86] CVE: CVE-2023-43786 Signed-off-by: Vijay Anusuri --- src/PutImage.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/PutImage.c b/src/PutImage.c index 857ee916..a6db7b42 100644 --- a/src/PutImage.c +++ b/src/PutImage.c @@ -914,8 +914,9 @@ PutSubImage ( req_width, req_height - SubImageHeight, dest_bits_per_pixel, dest_scanline_pad); } else { - int SubImageWidth = (((Available << 3) / dest_scanline_pad) - * dest_scanline_pad) - left_pad; + int SubImageWidth = ((((Available << 3) / dest_scanline_pad) + * dest_scanline_pad) - left_pad) + / dest_bits_per_pixel; PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y, (unsigned int) SubImageWidth, 1, -- 2.39.3