meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64

From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001
From: Yair Mizrahi <yairm@jfrog.com>
Date: Thu, 7 Sep 2023 16:15:32 -0700
Subject: [PATCH libX11 5/5] CVE-2023-43787: Integer overflow in XCreateImage()
 leading to a heap overflow

When the format is `Pixmap` it calculates the size of the image data as:
    ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
There is no validation on the `width` of the image, and so this
calculation exceeds the capacity of a 4-byte integer, causing an overflow.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch?h=ubuntu/focal-security
Upstream commit https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0]
CVE: CVE-2023-43787
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 src/ImUtil.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/src/ImUtil.c b/src/ImUtil.c
index 36f08a03..fbfad33e 100644
--- a/src/ImUtil.c
+++ b/src/ImUtil.c
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
 #include <X11/Xlibint.h>
 #include <X11/Xutil.h>
 #include <stdio.h>
+#include <limits.h>
 #include "ImUtil.h"
 
 static int _XDestroyImage(XImage *);
@@ -361,13 +362,22 @@ XImage *XCreateImage (
 	/*
 	 * compute per line accelerator.
 	 */
-	{
-	if (format == ZPixmap)
+	if (format == ZPixmap) {
+	    if ((INT_MAX / bits_per_pixel) < width) {
+		Xfree(image);
+		return NULL;
+	    }
+
 	    min_bytes_per_line =
-	       ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
-	else
+		ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+	} else {
+	    if ((INT_MAX - offset) < width) {
+		Xfree(image);
+		return NULL;
+	    }
+
 	    min_bytes_per_line =
-	        ROUNDUP((width + offset), image->bitmap_pad);
+		ROUNDUP((width + offset), image->bitmap_pad);
 	}
 	if (image_bytes_per_line == 0) {
 	    image->bytes_per_line = min_bytes_per_line;
-- 
2.39.3