meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84

From 85666286473f2fbb2d4731d4e175f00d7a76e21f Mon Sep 17 00:00:00 2001
From: Hitendra Prajapati <hprajapati@mvista.com>
Date: Tue, 21 Jun 2022 10:53:01 +0530
Subject: [PATCH] CVE-2022-24130

Upstream-Status: Backport [https://github.com/ThomasDickey/xterm-snapshots/commit/1584fc227673264661250d3a8d673c168ac9512d]
CVE: CVE-2022-24130
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>

Description: Cherry-pick sixel graphics fixes from xterm 370d and 370f
 Check for out-of-bounds condition while drawing sixels, and quit that
 operation (report by Nick Black, CVE-2022-24130).
Bug-Debian: https://bugs.debian.org/1004689

---
 graphics_sixel.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/graphics_sixel.c b/graphics_sixel.c
index 00ba3ef..6a82295 100644
--- a/graphics_sixel.c
+++ b/graphics_sixel.c
@@ -141,7 +141,7 @@ init_sixel_background(Graphic *graphic, SixelContext const *context)
     graphic->color_registers_used[context->background] = 1;
 }
 
-static void
+static Boolean
 set_sixel(Graphic *graphic, SixelContext const *context, int sixel)
 {
     const int mh = graphic->max_height;
@@ -162,7 +162,10 @@ set_sixel(Graphic *graphic, SixelContext const *context, int sixel)
 	   ((color != COLOR_HOLE)
 	    ? (unsigned) graphic->color_registers[color].b : 0U)));
     for (pix = 0; pix < 6; pix++) {
-	if (context->col < mw && context->row + pix < mh) {
+	if (context->col >= 0 &&
+	    context->col < mw &&
+	    context->row + pix >= 0 &&
+	    context->row + pix < mh) {
 	    if (sixel & (1 << pix)) {
 		if (context->col + 1 > graphic->actual_width) {
 		    graphic->actual_width = context->col + 1;
@@ -175,8 +178,10 @@ set_sixel(Graphic *graphic, SixelContext const *context, int sixel)
 	    }
 	} else {
 	    TRACE(("sixel pixel %d out of bounds\n", pix));
+	    return False;
 	}
     }
+    return True;
 }
 
 static void
@@ -451,7 +456,10 @@ parse_sixel(XtermWidget xw, ANSI *params, char const *string)
 		init_sixel_background(graphic, &context);
 		graphic->valid = 1;
 	    }
-	    set_sixel(graphic, &context, sixel);
+	    if (!set_sixel(graphic, &context, sixel)) {
+	      context.col = 0;
+	      break;
+	    }
 	    context.col++;
 	} else if (ch == '$') {	/* DECGCR */
 	    /* ignore DECCRNLM in sixel mode */
@@ -529,8 +537,12 @@ parse_sixel(XtermWidget xw, ANSI *params, char const *string)
 		graphic->valid = 1;
 	    }
 	    for (i = 0; i < Pcount; i++) {
-		set_sixel(graphic, &context, sixel);
-		context.col++;
+		if (set_sixel(graphic, &context, sixel)) {
+		  context.col++;
+		} else {
+		  context.col = 0;
+		  break;
+		}
 	    }
 	} else if (ch == '#') {	/* DECGCI */
 	    ANSI color_params;
-- 
2.25.1