forked from pool/libX11
Accepting request 824349 from home:tiwai:branches:X11:XOrg
- U_006-Fix-size-calculation-in-_XimAttributeToValue.patch:
  * Regression fix in previous XIM client head overflow fixes
    (CVE-2020-14344, bsc#1174628)

OBS-URL: https://build.opensuse.org/request/show/824349
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=57
parent f6fe37bced
commit 3034251b23
51
U_006-Fix-size-calculation-in-_XimAttributeToValue.patch
Normal file
@ -0,0 +1,51 @@
|
|||||||
|
From 93fce3f4e79cbc737d6468a4f68ba3de1b83953b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Yichao Yu <yyc1992@gmail.com>
|
||||||
|
Date: Sun, 2 Aug 2020 13:43:58 -0400
|
||||||
|
Subject: [PATCH] Fix size calculation in `_XimAttributeToValue`.
|
||||||
|
|
||||||
|
The check here guards the read below.
|
||||||
|
For `XimType_XIMStyles`, these are `num` of `CARD32` and for `XimType_XIMHotKeyTriggers`
|
||||||
|
these are `num` of `XIMTRIGGERKEY` ref[1] which is defined as 3 x `CARD32`.
|
||||||
|
(There are data after the `XIMTRIGGERKEY` according to the spec but they are not read by this
|
||||||
|
function and doesn't need to be checked.)
|
||||||
|
|
||||||
|
The old code here used the native datatype size instead of the wire protocol size causing
|
||||||
|
the check to always fail.
|
||||||
|
|
||||||
|
Also fix the size calculation for the header (size). It is 2 x CARD16 for both types
|
||||||
|
despite the unused `CARD16` for `XimType_XIMStyles`.
|
||||||
|
|
||||||
|
[1] https://www.x.org/releases/X11R7.6/doc/libX11/specs/XIM/xim.html#Input_Method_Styles
|
||||||
|
|
||||||
|
This fixes a regression caused by 388b303c62aa35a245f1704211a023440ad2c488 in 1.6.10.
|
||||||
|
|
||||||
|
Fix #116
|
||||||
|
---
|
||||||
|
modules/im/ximcp/imRmAttr.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
|
||||||
|
index 2491908e7091..919c5564718c 100644
|
||||||
|
--- a/modules/im/ximcp/imRmAttr.c
|
||||||
|
+++ b/modules/im/ximcp/imRmAttr.c
|
||||||
|
@@ -265,7 +265,7 @@ _XimAttributeToValue(
|
||||||
|
|
||||||
|
if (num > (USHRT_MAX / sizeof(XIMStyle)))
|
||||||
|
return False;
|
||||||
|
- if ((sizeof(num) + (num * sizeof(XIMStyle))) > data_len)
|
||||||
|
+ if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len)
|
||||||
|
return False;
|
||||||
|
alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;
|
||||||
|
if (alloc_len < sizeof(XIMStyles))
|
||||||
|
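Review bot: The header term `2 * sizeof(CARD16)` in the new `data_len` check has no comment in the code, while the overflow guard just above it still divides by the native `sizeof(XIMStyle)`. The earlier version of this line mixed native and wire sizes, so add a short comment above the check stating that its operands are wire sizes (a 2 x CARD16 header, one of them unused for `XimType_XIMStyles`, then `num` x CARD32). That keeps a later cleanup from aligning the two lines back to native sizes.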
@@ -379,7 +379,7 @@ _XimAttributeToValue(
|
||||||
|
|
||||||
|
if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))
|
||||||
|
return False;
|
||||||
|
- if ((sizeof(num) + (num * sizeof(XIMHotKeyTrigger))) > data_len)
|
||||||
|
+ if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len)
|
||||||
|
return False;
|
||||||
|
alloc_len = sizeof(XIMHotKeyTriggers)
|
||||||
|
+ sizeof(XIMHotKeyTrigger) * num;
|
||||||
|
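Review bot: In the new check, `num * 3 * sizeof(CARD32)` uses a bare 3 for the XIMTRIGGERKEY wire size, and the only bound on `num` before it is `UINT_MAX / sizeof(XIMHotKeyTrigger)`, which comes from the native struct size rather than the 3 x CARD32 wire size. Name the wire size (a macro, or a comment citing the layout from the spec link in the commit message) and confirm that the existing guard also keeps the wire-size product from wrapping where `size_t` is 32 bits. If that is not guaranteed, bound `num` against `data_len` before multiplying.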
--
|
||||||
|
2.16.4
|
||||||
|
|
@ -1,3 +1,10 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Aug 4 16:33:45 CEST 2020 - tiwai@suse.de
|
||||||
|
|
||||||
|
- U_006-Fix-size-calculation-in-_XimAttributeToValue.patch:
|
||||||
|
* Regression fix in previous XIM client head overflow fixes
|
||||||
|
(CVE-2020-14344, bsc#1174628)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Jul 31 20:23:05 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>
|
Fri Jul 31 20:23:05 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>
|
||||||
|
|
||||||
|
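Review bot: "head overflow" in the new changelog entry reads like a typo for "heap overflow"; this text ends up in the package changelog, so it is worth correcting before acceptance. The entry would also be easier to trace if it named the upstream commit id from the patch header and the release the commit message says introduced the regression (1.6.10).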
@ -38,6 +38,7 @@ Patch22: U_002-FixIntegerOverflowsIn_XimAttributeToValue.patch
|
|||||||
Patch23: U_003-FixMoreUncheckedLengths.patch
|
Patch23: U_003-FixMoreUncheckedLengths.patch
|
||||||
Patch24: U_004-FixSignedLengthValuesIn_XimGetAttributeID.patch
|
Patch24: U_004-FixSignedLengthValuesIn_XimGetAttributeID.patch
|
||||||
Patch25: U_005-ZeroOutBuffersInFunctions.patch
|
Patch25: U_005-ZeroOutBuffersInFunctions.patch
|
||||||
|
Patch26: U_006-Fix-size-calculation-in-_XimAttributeToValue.patch
|
||||||
BuildRequires: fdupes
|
BuildRequires: fdupes
|
||||||
BuildRequires: libtool
|
BuildRequires: libtool
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
@ -146,6 +147,7 @@ test -f nls/ja.S90/XLC_LOCALE.pre && exit 1
|
|||||||
%patch23 -p1
|
%patch23 -p1
|
||||||
%patch24 -p1
|
%patch24 -p1
|
||||||
%patch25 -p1
|
%patch25 -p1
|
||||||
|
%patch26 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%configure \
|
%configure \
|
||||||
|
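The native-size versus wire-size distinction from the patch's commit message, as an added example (not code from libX11 or this package). The typedefs and function names are assumptions, with an 8-byte type standing in for the native `XIMStyle` of an LP64 build and `unsigned int` assumed for `num`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed stand-ins, not libX11's headers: wire types from the XIM protocol
 * and an 8-byte native style type as found on an LP64 build. */
typedef uint16_t CARD16;
typedef uint32_t CARD32;
typedef uint64_t native_style_t;   /* hypothetical native XIMStyle */

/* Pre-fix shape of the check: sizes taken from native C types. */
static bool styles_len_ok_native(unsigned int num, size_t data_len)
{
    return sizeof(num) + (size_t)num * sizeof(native_style_t) <= data_len;
}

/* Post-fix shape: 2 x CARD16 header, then num x CARD32, all wire sizes. */
static bool styles_len_ok_wire(unsigned int num, size_t data_len)
{
    return 2 * sizeof(CARD16) + (size_t)num * sizeof(CARD32) <= data_len;
}

/* Hot key triggers: same header, each XIMTRIGGERKEY is 3 x CARD32. */
static bool triggers_len_ok_wire(unsigned int num, size_t data_len)
{
    return 2 * sizeof(CARD16) + (size_t)num * 3 * sizeof(CARD32) <= data_len;
}

/* Constructed sample: byte length of a well-formed styles attribute. */
static size_t styles_wire_len(unsigned int num)
{
    return 2 * sizeof(CARD16) + (size_t)num * sizeof(CARD32);
}

int main(void)
{
    size_t len = styles_wire_len(2);   /* 12 bytes on the wire */

    /* Well-formed input: the native-size check rejects it, the wire one accepts. */
    if (styles_len_ok_native(2, len) || !styles_len_ok_wire(2, len))
        return 1;
    /* One trigger needs 4 + 12 bytes; a 15-byte buffer is truncated. */
    if (!triggers_len_ok_wire(1, 16) || triggers_len_ok_wire(1, 15))
        return 1;
    /* Truncated styles data must still be rejected by the wire-size check. */
    return styles_len_ok_wire(2, len - 1) ? 1 : 0;
}
```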