libX11: Changes to 'master'

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Tue Oct 3 15:45:02 UTC 2023


 src/CrPixmap.c      |   11 +++++++++++
 src/ImUtil.c        |   20 +++++++++++++++-----
 src/PutImage.c      |   10 ++++++++--
 src/xkb/XKBGetMap.c |   14 +++++++++-----
 4 files changed, 43 insertions(+), 12 deletions(-)

New commits:
commit 7916869d16bdd115ac5be30a67c3749907aea6a0
Author: Yair Mizrahi <yairm at jfrog.com>
Date:   Thu Sep 7 16:15:32 2023 -0700

    CVE-2023-43787: Integer overflow in XCreateImage() leading to a heap overflow
    
    When the format is `Pixmap` it calculates the size of the image data as:
        ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
    There is no validation on the `width` of the image, and so this
    calculation exceeds the capacity of a 4-byte integer, causing an overflow.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit b4031fc023816aca07fbd592ed97010b9b48784b
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Thu Sep 7 16:12:27 2023 -0700

    XCreatePixmap: trigger BadValue error for out-of-range dimensions
    
    The CreatePixmap request specifies height & width of the image as CARD16
    (unsigned 16-bit integer), so if either is larger than that, set it to 0
    so the X server returns a BadValue error as the protocol requires.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 73a37d5f2fcadd6540159b432a70d80f442ddf4a
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Thu Sep 7 15:55:04 2023 -0700

    XPutImage: clip images to maximum height & width allowed by protocol
    
    The PutImage request specifies height & width of the image as CARD16
    (unsigned 16-bit integer), same as the maximum dimensions of an X11
    Drawable, which the image is being copied to.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 204c3393c4c90a29ed6bef64e43849536e863a86
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Thu Sep 7 15:54:30 2023 -0700

    CVE-2023-43786: stack exhaustion from infinite recursion in PutSubImage()
    
    When splitting a single line of pixels into chunks to send to the
    X server, be sure to take into account the number of bits per pixel,
    so we don't just loop forever trying to send more pixels than fit in
    the given request size and not breaking them down into a small enough
    chunk to fix.
    
    Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sun Sep 17 14:19:40 2023 -0700

    CVE-2023-43785: out-of-bounds memory access in _XkbReadKeySyms()
    
    Make sure we allocate enough memory in the first place, and
    also handle error returns from _XkbReadBufferCopyKeySyms() when
    it detects out-of-bounds issues.
    
    Reported-by: Gregory James DUCK <gjduck at gmail.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
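
The size calculation quoted in the CVE-2023-43787 commit message above, as an added example that is not libX11's code and not the fix from that commit. The helper names, the 32-bit unsigned model of the wraparound, and the ROUNDUP semantics (round bits up to a multiple of the pad, return bytes) are assumptions made for illustration; the sample widths are constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed ROUNDUP semantics: round nbits up to a multiple of pad bits,
 * return the result in bytes. */
static uint32_t roundup_bytes32(uint32_t nbits, uint32_t pad)
{
    return ((nbits + (pad - 1)) / pad) * (pad >> 3);
}

/* Unchecked form: bits_per_pixel * width is evaluated in 32 bits and wraps.
 * uint32_t is used so the wrap is well defined; with a signed int the same
 * overflow is undefined behaviour. */
uint32_t bytes_per_line_unchecked(uint32_t bits_per_pixel, uint32_t width,
                                  uint32_t pad)
{
    return roundup_bytes32(bits_per_pixel * width, pad);
}

/* Checked form: compute in 64 bits and refuse any result that does not fit
 * in an int. Returns 0 and stores the size on success, -1 on rejection. */
int bytes_per_line_checked(unsigned bits_per_pixel, unsigned width,
                           unsigned pad, int *out)
{
    if (pad != 8 && pad != 16 && pad != 32)
        return -1;
    if (bits_per_pixel == 0 || width == 0)
        return -1;
    uint64_t bits = (uint64_t)bits_per_pixel * width;
    uint64_t bytes = ((bits + (pad - 1)) / pad) * (pad >> 3);
    if (bytes > INT_MAX)
        return -1;
    *out = (int)bytes;
    return 0;
}

int main(void)
{
    unsigned width = 0x08000001u;   /* constructed: 32 * width = 2^32 + 32 */
    int safe = 0;
    int rc = bytes_per_line_checked(32, width, 32, &safe);

    printf("unchecked: %u bytes per line\n",
           (unsigned)bytes_per_line_unchecked(32, width, 32));
    printf("checked:   rc=%d, %d bytes per line\n", rc, safe);
    return 0;
}
```

A buffer sized from the wrapped value (4 bytes per line here) is far smaller than the 536870916 bytes one line of that width actually needs, which is the mismatch behind the heap overflow named in the commit title.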
