Mesa/u_mesa-CVE-2023-45919.patch
Stefan Dirsch 2fb7449ee5 - u_mesa-CVE-2023-45913.patch
* NULL pointer dereference via dri2GetGlxDrawableFromXDrawableId()
    (CVE-2023-45913, bsc#1222040)
- u_mesa-CVE-2023-45919.patch
  * buffer over-read in glXQueryServerString() 
    (CVE-2023-45919, bsc#1222041)
- u_mesa-CVE-2023-45922.patch
  * segmentation violation in __glXGetDrawableAttribute()
    (CVE-2023-45922, bsc#1222042)

OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/Mesa?expand=0&rev=1335
2024-10-01 12:22:57 +00:00


src/glx/glx_query.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
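--- a/src/glx/glx_query.c
+++ b/src/glx/glx_query.c
@@ -53,6 +53,13 @@ __glXQueryServerString(Display * dpy, in
 /* The spec doesn't mention this, but the Xorg server replies with
 * a string already terminated with '\0'. */
 uint32_t len = xcb_glx_query_server_string_string_length(reply);
+ /* Allow a max of 64kb string length */
+ size_t reply_len = strnlen(xcb_glx_query_server_string_string(reply), 64*1024);
+ if (reply_len + 1 != len)
+ {
+ free(reply);
+ return(NULL);
+ }
 char *buf = malloc(len);
 memcpy(buf, xcb_glx_query_server_string_string(reply), len);
 free(reply);
@@ -77,6 +84,12 @@ __glXGetString(Display * dpy, int opcode
 /* The spec doesn't mention this, but the Xorg server replies with
 * a string already terminated with '\0'. */
 uint32_t len = xcb_glx_get_string_string_length(reply);
+ size_t reply_len = strnlen(xcb_glx_get_string_string(reply), 64*1024);
+ if (reply_len + 1 != len)
+ {
+ free(reply);
+ return(NULL);
+ }
 char *buf = malloc(len);
 memcpy(buf, xcb_glx_get_string_string(reply), len);
 free(reply);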
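Review bot: At the cap, the new check in `__glXQueryServerString` still admits a string that is not NUL-terminated: when the reply holds 64*1024 non-NUL bytes and `len` is 64*1024 + 1, `strnlen` returns 64*1024, `reply_len + 1 == len` passes, and the last byte that `memcpy` copies is never verified to be the terminator, so callers that `strlen` the returned buffer can read past it. Bounding `strnlen` by `len` instead of a fixed cap makes the comparison prove a terminator inside the copied range while never reading more than `memcpy` already does: `if (len == 0 || strnlen(xcb_glx_query_server_string_string(reply), len) != len - 1)` (same shape with `xcb_glx_get_string_string` in the `__glXGetString` hunk). Neither bound is tied to the reply's actual payload size, which xcb sizes from the reply's own length field separately from the string-length field, so if a server reports a string length larger than the payload the scan can still read beyond the reply allocation up to the bound; a stricter check would also compare `len` against the payload size, which is worth confirming against the xcb-generated accessors. The `64*1024` literal appears in both hunks without a name and its explanatory comment only in the first; one `#define` or `enum` constant would keep the two sites from drifting. Both enclosing functions begin and end outside their hunks.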