libX11: Changes to 'master'
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Tue Oct 3 15:45:02 UTC 2023
src/CrPixmap.c | 11 +++++++++++
src/ImUtil.c | 20 +++++++++++++++-----
src/PutImage.c | 10 ++++++++--
src/xkb/XKBGetMap.c | 14 +++++++++-----
4 files changed, 43 insertions(+), 12 deletions(-)
New commits:

commit 7916869d16bdd115ac5be30a67c3749907aea6a0
Author: Yair Mizrahi <yairm at jfrog.com>
Date: Thu Sep 7 16:15:32 2023 -0700

    CVE-2023-43787: Integer overflow in XCreateImage() leading to a heap overflow

    When the format is `Pixmap` it calculates the size of the image data as:
        ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
    There is no validation on the `width` of the image, and so this
    calculation exceeds the capacity of a 4-byte integer, causing an overflow.

    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit b4031fc023816aca07fbd592ed97010b9b48784b
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Thu Sep 7 16:12:27 2023 -0700

    XCreatePixmap: trigger BadValue error for out-of-range dimensions

    The CreatePixmap request specifies height & width of the image as CARD16
    (unsigned 16-bit integer), so if either is larger than that, set it to 0
    so the X server returns a BadValue error as the protocol requires.

    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 73a37d5f2fcadd6540159b432a70d80f442ddf4a
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Thu Sep 7 15:55:04 2023 -0700

    XPutImage: clip images to maximum height & width allowed by protocol

    The PutImage request specifies height & width of the image as CARD16
    (unsigned 16-bit integer), same as the maximum dimensions of an X11
    Drawable, which the image is being copied to.

    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 204c3393c4c90a29ed6bef64e43849536e863a86
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Thu Sep 7 15:54:30 2023 -0700

    CVE-2023-43786: stack exhaustion from infinite recursion in PutSubImage()

    When splitting a single line of pixels into chunks to send to the
    X server, be sure to take into account the number of bits per pixel,
    so we don't just loop forever trying to send more pixels than fit in
    the given request size and not breaking them down into a small enough
    chunk to fix.

    Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sun Sep 17 14:19:40 2023 -0700

    CVE-2023-43785: out-of-bounds memory access in _XkbReadKeySyms()

    Make sure we allocate enough memory in the first place, and
    also handle error returns from _XkbReadBufferCopyKeySyms() when
    it detects out-of-bounds issues.

    Reported-by: Gregory James DUCK <gjduck at gmail.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
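
The size calculation quoted in the CVE-2023-43787 commit message above, worked through as an added example (not libX11's code and not part of the original mail). The `ROUNDUP` definition and both function names are assumptions, and the 32-bit product is modelled with unsigned arithmetic so the wrap-around is well defined in C.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed macro shape: pad nbits up to a multiple of pad bits, in bytes. */
#define ROUNDUP(nbits, pad) ((((nbits) + ((pad) - 1)) / (pad)) * ((pad) >> 3))

/* The unchecked calculation, modelled in 32-bit unsigned arithmetic. */
uint32_t bytes_per_line_unchecked(uint32_t bits_per_pixel, uint32_t width,
                                  uint32_t bitmap_pad)
{
    return ROUNDUP(bits_per_pixel * width, bitmap_pad);
}

/* Hypothetical checked helper: 64-bit math, reject results that do not
 * fit in an int. Returns 0 and stores the size on success, -1 otherwise. */
int bytes_per_line_checked(uint32_t bits_per_pixel, uint32_t width,
                           uint32_t bitmap_pad, int *out)
{
    uint64_t pad = bitmap_pad;
    uint64_t bytes;

    if (pad != 8 && pad != 16 && pad != 32)
        return -1;
    bytes = ROUNDUP((uint64_t)bits_per_pixel * width, pad);
    if (bytes > INT_MAX)
        return -1;
    *out = (int)bytes;
    return 0;
}

int main(void)
{
    /* Constructed input: 32 bpp, width chosen so 32 * width = 2^32 + 32. */
    uint32_t width = 0x08000001u;
    int ok = 0;

    printf("unchecked: %u bytes per line\n",
           (unsigned)bytes_per_line_unchecked(32, width, 32));
    if (bytes_per_line_checked(32, width, 32, &ok) == 0)
        printf("checked:   %d bytes per line\n", ok);
    /* 32 * 2^30 bits is 2^32 bytes per line: rejected, not wrapped to 0. */
    if (bytes_per_line_checked(32, 0x40000000u, 32, &ok) != 0)
        printf("checked:   width 0x40000000 rejected\n");
    return 0;
}
```

With the constructed width, the wrapped result is a 4-byte scanline where the true size is 536870916 bytes, which is the kind of undersized value a later buffer allocation would inherit.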