libXpm: Changes to 'master'
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Tue Oct 3 15:44:59 UTC 2023
src/CrPFrBuf.c | 28 +-
src/CrPFrDat.c | 31 +-
src/CrPFrI.c | 10
src/RdFToP.c | 28 +-
src/XpmI.h | 2
src/create.c | 33 ++
src/data.c | 6
test/pixmaps/README.md | 21 +
test/pixmaps/invalid/corrupt-colormap.xpm |binary
test/pixmaps/invalid/width-overflow.xpm | 31 ++
test/pixmaps/other/overflow-stackexhaustion.xpm | 277 ++++++++++++++++++++++++
11 files changed, 439 insertions(+), 28 deletions(-)
New commits:
commit 91f887b41bf75648df725a4ed3be036da02e911e
Author: Yair Mizrahi <yairm at jfrog.com>
Date: Thu Sep 7 16:59:07 2023 -0700

    Avoid CVE-2023-43787 (integer overflow in XCreateImage)

    This doesn't fix the CVE - that has to happen in libX11, this
    just tries to avoid triggering it from libXpm, and saves time
    in not pretending we can successfully create an X Image for
    which the width * depth would overflow the signed int used to
    store the bytes_per_line value.

    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 00348988396c88150f6ddfea3d3195cbf01d60c2
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Thu Sep 7 16:55:25 2023 -0700

    test: Add test case for CVE-2023-43787 (integer overflow in XCreateImage)

    Provided by Yair Mizrahi of the JFrog Vulnerability Research team

    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 84fb14574c039f19ad7face87eb9acc31a50701c
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Wed Sep 6 17:34:33 2023 -0700

    Avoid CVE-2023-43786: stack exhaustion in XPutImage()

    This doesn't fix the CVE - that has to happen in libX11, this
    just tries to avoid triggering it from libXpm, and saves time
    in not pretending we can successfully create an X11 pixmap with
    dimensions larger than the unsigned 16-bit integers used in the
    X11 protocol for the dimensions.

    Reported by Yair Mizrahi of the JFrog Vulnerability Research team
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit edb97396620f019f8d2e707ad3fbaf6bbbd5ed36
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Tue Sep 5 17:01:58 2023 -0700

    test: Add test case for CVE-2023-43786 (stack exhaustion in PutImage)

    Provided by Yair Mizrahi of the JFrog Vulnerability Research team

    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 7e21cb63b9a1ca760a06cc4cd9b19bbc3fcd8f51
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Apr 29 18:30:34 2023 -0700

    Fix CVE-2023-43789: Out of bounds read on XPM with corrupted colormap

    Found with clang's libfuzzer

    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit a21e7bcf0ca3d8c1605b2721a545440260870438
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Apr 29 18:29:29 2023 -0700

    test: Add test case for CVE-2023-43789 (corrupt colormap info)

    Generated by clang's -fsanitize/libfuzzer

    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 2fa554b01ef6079a9b35df9332bdc4f139ed67e0
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Apr 29 17:50:39 2023 -0700

    Fix CVE-2023-43788: Out of bounds read in XpmCreateXpmImageFromBuffer

    When the test case for CVE-2022-46285 was run with the Address Sanitizer
    enabled, it found an out-of-bounds read in ParseComment() when reading
    from a memory buffer instead of a file, as it continued to look for the
    closing comment marker past the end of the buffer.

    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

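The two "Avoid CVE-2023-43787" and "Avoid CVE-2023-43786" commit messages above describe rejecting image geometry before it reaches libX11. The following C sketch is an added example of that kind of pre-check, not the code from these commits or from libXpm; the function names, the `X11_MAX_DIM` constant and the sample geometries are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Assumed name: largest value an unsigned 16-bit protocol field can carry. */
#define X11_MAX_DIM 65535u

/* Returns 1 if width * depth fits in a signed int, 0 otherwise.
 * Written as a division so the overflowing multiplication never happens. */
static int image_stride_ok(unsigned int width, unsigned int depth)
{
    if (width == 0 || depth == 0)
        return 0;
    return width <= (unsigned int)INT_MAX / depth;
}

/* Returns 1 if both dimensions fit the unsigned 16-bit fields, 0 otherwise. */
static int pixmap_dims_ok(unsigned int width, unsigned int height)
{
    return width >= 1 && height >= 1 &&
           width <= X11_MAX_DIM && height <= X11_MAX_DIM;
}

/* Combined gate a loader could apply to parsed header values
 * before allocating anything or calling into the X library. */
static int geometry_ok(unsigned int width, unsigned int height,
                       unsigned int depth)
{
    return pixmap_dims_ok(width, height) && image_stride_ok(width, depth);
}

int main(void)
{
    /* Constructed sample geometries: { width, height, depth }. */
    static const unsigned int samples[][3] = {
        { 64u, 64u, 24u },          /* ordinary icon */
        { 65535u, 65535u, 32u },    /* largest size the 16-bit fields allow */
        { 65536u, 1u, 1u },         /* width one past the 16-bit limit */
        { 1u, 70000u, 8u },         /* height past the 16-bit limit */
        { 0x10000000u, 1u, 8u },    /* width * depth exceeds INT_MAX */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%ux%u depth %u: stride %s, pixmap dims %s\n",
               samples[i][0], samples[i][1], samples[i][2],
               image_stride_ok(samples[i][0], samples[i][2]) ? "ok" : "reject",
               pixmap_dims_ok(samples[i][0], samples[i][1]) ? "ok" : "reject");
    return 0;
}
```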