SecBSD/xenocara
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix several input validation errors in libX11 and libXpm. CVE-2023-43785 CVE-2023-43786 CVE-2023-43787 CVE-2023-43788 CVE-2023-43789

Browse source
This commit is contained in:
purplerain 2023-10-04 03:57:45 +00:00
parent 21df3bcb54
commit e1ec829e63
Signed by: purplerain
GPG key ID: F42C07F07E2E35B7
11 changed files with 153 additions and 40 deletions
Download patch file Download diff file Expand all files Collapse all files

10
lib/libX11/src/PutImage.c
View file

@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
#include "Xlibint.h"
#include "Xutil.h"
#include <stdio.h>
#include <limits.h>
#include "Cr.h"
#include "ImUtil.h"
#include "reallocarray.h"
@ -914,8 +915,9 @@ PutSubImage (
req_width, req_height - SubImageHeight,
dest_bits_per_pixel, dest_scanline_pad);
} else {
int SubImageWidth = (((Available << 3) / dest_scanline_pad)
* dest_scanline_pad) - left_pad;
int SubImageWidth = ((((Available << 3) / dest_scanline_pad)
* dest_scanline_pad) - left_pad)
/ dest_bits_per_pixel;
PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y,
(unsigned int) SubImageWidth, 1,
@ -961,6 +963,10 @@ XPutImage (
height = image->height - req_yoffset;
if ((width <= 0) || (height <= 0))
return 0;
if (width > USHRT_MAX)
width = USHRT_MAX;
if (height > USHRT_MAX)
height = USHRT_MAX;
if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) {
dest_bits_per_pixel = 1;