Accepting request 824349 from home:tiwai:branches:X11:XOrg

- U_006-Fix-size-calculation-in-_XimAttributeToValue.patch: * Regression fix in previous XIM client head overflow fixes (CVE-2020-14344, bsc#1174628) OBS-URL: https://build.opensuse.org/request/show/824349 OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=57
2020-08-04 16:17:04 +00:00 · 2020-08-04 16:17:04 +00:00 · 3034251b23
commit 3034251b23
parent f6fe37bced
3 changed files with 60 additions and 0 deletions
--- a/U_006-Fix-size-calculation-in-_XimAttributeToValue.patch
+++ b/U_006-Fix-size-calculation-in-_XimAttributeToValue.patch
@ -0,0 +1,51 @@
+From 93fce3f4e79cbc737d6468a4f68ba3de1b83953b Mon Sep 17 00:00:00 2001
+From: Yichao Yu <yyc1992@gmail.com>
+Date: Sun, 2 Aug 2020 13:43:58 -0400
+Subject: [PATCH] Fix size calculation in `_XimAttributeToValue`.
+
+The check here guards the read below.
+For `XimType_XIMStyles`, these are `num` of `CARD32` and for `XimType_XIMHotKeyTriggers`
+these are `num` of `XIMTRIGGERKEY` ref[1] which is defined as 3 x `CARD32`.
+(There are data after the `XIMTRIGGERKEY` according to the spec but they are not read by this
+function and doesn't need to be checked.)
+
+The old code here used the native datatype size instead of the wire protocol size causing
+the check to always fail.
+
+Also fix the size calculation for the header (size). It is 2 x CARD16 for both types
+despite the unused `CARD16` for `XimType_XIMStyles`.
+
+[1] https://www.x.org/releases/X11R7.6/doc/libX11/specs/XIM/xim.html#Input_Method_Styles
+
+This fixes a regression caused by 388b303c62aa35a245f1704211a023440ad2c488 in 1.6.10.
+
+Fix #116
+---
+ modules/im/ximcp/imRmAttr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
+index 2491908e7091..919c5564718c 100644
+--- a/modules/im/ximcp/imRmAttr.c
+++ b/modules/im/ximcp/imRmAttr.c
+@@ -265,7 +265,7 @@ _XimAttributeToValue(
+ 
+ 	    if (num > (USHRT_MAX / sizeof(XIMStyle)))
+ 		return False;
+-	    if ((sizeof(num) + (num * sizeof(XIMStyle))) > data_len)
+	    if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len)
+ 		return False;
+ 	    alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;
+ 	    if (alloc_len < sizeof(XIMStyles))
+@@ -379,7 +379,7 @@ _XimAttributeToValue(
+ 
+ 	    if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))
+ 		return False;
+-	    if ((sizeof(num) + (num * sizeof(XIMHotKeyTrigger))) > data_len)
+	    if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len)
+ 		return False;
+ 	    alloc_len = sizeof(XIMHotKeyTriggers)
+ 		      + sizeof(XIMHotKeyTrigger) * num;
+-- 
+2.16.4
+
--- a/libX11.changes
+++ b/libX11.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Aug  4 16:33:45 CEST 2020 - tiwai@suse.de
+
+- U_006-Fix-size-calculation-in-_XimAttributeToValue.patch:
+  * Regression fix in previous XIM client head overflow fixes
+    (CVE-2020-14344, bsc#1174628)
+
 -------------------------------------------------------------------
 Fri Jul 31 20:23:05 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>

--- a/libX11.spec
+++ b/libX11.spec
@ -38,6 +38,7 @@ Patch22:        U_002-FixIntegerOverflowsIn_XimAttributeToValue.patch
 Patch23:        U_003-FixMoreUncheckedLengths.patch
 Patch24:        U_004-FixSignedLengthValuesIn_XimGetAttributeID.patch
 Patch25:        U_005-ZeroOutBuffersInFunctions.patch
+Patch26:        U_006-Fix-size-calculation-in-_XimAttributeToValue.patch
 BuildRequires:  fdupes
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
@ -146,6 +147,7 @@ test -f nls/ja.S90/XLC_LOCALE.pre && exit 1
 %patch23 -p1
 %patch24 -p1
 %patch25 -p1
+%patch26 -p1

 %build
 %configure \