SHA256
1
0
forked from pool/libX11

Accepting request 824349 from home:tiwai:branches:X11:XOrg

- U_006-Fix-size-calculation-in-_XimAttributeToValue.patch:
  * Regression fix in previous XIM client head overflow fixes
    (CVE-2020-14344, bsc#1174628)

OBS-URL: https://build.opensuse.org/request/show/824349
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=57
This commit is contained in:
Egbert Eich 2020-08-04 16:17:04 +00:00 committed by Git OBS Bridge
parent f6fe37bced
commit 3034251b23
3 changed files with 60 additions and 0 deletions

View File

@ -0,0 +1,51 @@
From 93fce3f4e79cbc737d6468a4f68ba3de1b83953b Mon Sep 17 00:00:00 2001
From: Yichao Yu <yyc1992@gmail.com>
Date: Sun, 2 Aug 2020 13:43:58 -0400
Subject: [PATCH] Fix size calculation in `_XimAttributeToValue`.
The check here guards the read below.
For `XimType_XIMStyles`, these are `num` of `CARD32` and for `XimType_XIMHotKeyTriggers`
these are `num` of `XIMTRIGGERKEY` ref[1] which is defined as 3 x `CARD32`.
(There are data after the `XIMTRIGGERKEY` according to the spec but they are not read by this
function and doesn't need to be checked.)
The old code here used the native datatype size instead of the wire protocol size causing
the check to always fail.
Also fix the size calculation for the header (size). It is 2 x CARD16 for both types
despite the unused `CARD16` for `XimType_XIMStyles`.
[1] https://www.x.org/releases/X11R7.6/doc/libX11/specs/XIM/xim.html#Input_Method_Styles
This fixes a regression caused by 388b303c62aa35a245f1704211a023440ad2c488 in 1.6.10.
Fix #116
---
modules/im/ximcp/imRmAttr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
index 2491908e7091..919c5564718c 100644
--- a/modules/im/ximcp/imRmAttr.c
+++ b/modules/im/ximcp/imRmAttr.c
@@ -265,7 +265,7 @@ _XimAttributeToValue(
if (num > (USHRT_MAX / sizeof(XIMStyle)))
return False;
- if ((sizeof(num) + (num * sizeof(XIMStyle))) > data_len)
+ if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len)
return False;
alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;
if (alloc_len < sizeof(XIMStyles))
@@ -379,7 +379,7 @@ _XimAttributeToValue(
if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))
return False;
- if ((sizeof(num) + (num * sizeof(XIMHotKeyTrigger))) > data_len)
+ if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len)
return False;
alloc_len = sizeof(XIMHotKeyTriggers)
+ sizeof(XIMHotKeyTrigger) * num;
--
2.16.4

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Tue Aug 4 16:33:45 CEST 2020 - tiwai@suse.de
- U_006-Fix-size-calculation-in-_XimAttributeToValue.patch:
* Regression fix in previous XIM client head overflow fixes
(CVE-2020-14344, bsc#1174628)
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Jul 31 20:23:05 UTC 2020 - Stefan Dirsch <sndirsch@suse.com> Fri Jul 31 20:23:05 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>

View File

@ -38,6 +38,7 @@ Patch22: U_002-FixIntegerOverflowsIn_XimAttributeToValue.patch
Patch23: U_003-FixMoreUncheckedLengths.patch Patch23: U_003-FixMoreUncheckedLengths.patch
Patch24: U_004-FixSignedLengthValuesIn_XimGetAttributeID.patch Patch24: U_004-FixSignedLengthValuesIn_XimGetAttributeID.patch
Patch25: U_005-ZeroOutBuffersInFunctions.patch Patch25: U_005-ZeroOutBuffersInFunctions.patch
Patch26: U_006-Fix-size-calculation-in-_XimAttributeToValue.patch
BuildRequires: fdupes BuildRequires: fdupes
BuildRequires: libtool BuildRequires: libtool
BuildRequires: pkgconfig BuildRequires: pkgconfig
@ -146,6 +147,7 @@ test -f nls/ja.S90/XLC_LOCALE.pre && exit 1
%patch23 -p1 %patch23 -p1
%patch24 -p1 %patch24 -p1
%patch25 -p1 %patch25 -p1
%patch26 -p1
%build %build
%configure \ %configure \