summaryrefslogtreecommitdiffstats
path: root/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch')
-rw-r--r--meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch52
1 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
new file mode 100644
index 0000000000..d35d96c4dc
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
@@ -0,0 +1,52 @@
+From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 7 Sep 2023 16:12:27 -0700
+Subject: [PATCH libX11 4/5] XCreatePixmap: trigger BadValue error for
+ out-of-range dimensions
+
+The CreatePixmap request specifies height & width of the image as CARD16
+(unsigned 16-bit integer), so if either is larger than that, set it to 0
+so the X server returns a BadValue error as the protocol requires.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b]
+CVE: CVE-2023-43787
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/CrPixmap.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/CrPixmap.c b/src/CrPixmap.c
+index cdf31207..3cb2ca6d 100644
+--- a/src/CrPixmap.c
++++ b/src/CrPixmap.c
+@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
+ #include <config.h>
+ #endif
+ #include "Xlibint.h"
++#include <limits.h>
+
+ #ifdef USE_DYNAMIC_XCURSOR
+ void
+@@ -47,6 +48,16 @@ Pixmap XCreatePixmap (
+ Pixmap pid;
+ register xCreatePixmapReq *req;
+
++ /*
++ * Force a BadValue X Error if the requested dimensions are larger
++ * than the X11 protocol has room for, since that's how callers expect
++ * to get notified of errors.
++ */
++ if (width > USHRT_MAX)
++ width = 0;
++ if (height > USHRT_MAX)
++ height = 0;
++
+ LockDisplay(dpy);
+ GetReq(CreatePixmap, req);
+ req->drawable = d;
+--
+2.39.3
+
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-05-02 21:01:24 +0000