blob: 4800bedf411dd6d421ee7798e1c81f6590b9b4e5 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
|
From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Thu, 7 Sep 2023 15:55:04 -0700
Subject: [PATCH libX11 3/5] XPutImage: clip images to maximum height & width
allowed by protocol
The PutImage request specifies height & width of the image as CARD16
(unsigned 16-bit integer), same as the maximum dimensions of an X11
Drawable, which the image is being copied to.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0003-XPutImage-clip-images-to-maximum-height-width-allowe.patch?h=ubuntu/focal-security
Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/73a37d5f2fcadd6540159b432a70d80f442ddf4a]
CVE: CVE-2023-43786
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
src/PutImage.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/PutImage.c b/src/PutImage.c
index a6db7b42..ba411e36 100644
--- a/src/PutImage.c
+++ b/src/PutImage.c
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
#include "Xlibint.h"
#include "Xutil.h"
#include <stdio.h>
+#include <limits.h>
#include "Cr.h"
#include "ImUtil.h"
#include "reallocarray.h"
@@ -962,6 +963,10 @@ XPutImage (
height = image->height - req_yoffset;
if ((width <= 0) || (height <= 0))
return 0;
+ if (width > USHRT_MAX)
+ width = USHRT_MAX;
+ if (height > USHRT_MAX)
+ height = USHRT_MAX;
if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) {
dest_bits_per_pixel = 1;
--
2.39.3
|
