forked from pool/libX11
Accepting request 824349 from home:tiwai:branches:X11:XOrg
- U_006-Fix-size-calculation-in-_XimAttributeToValue.patch:
  * Regression fix in previous XIM client head overflow fixes
    (CVE-2020-14344, bsc#1174628)

OBS-URL: https://build.opensuse.org/request/show/824349
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=57
parent f6fe37bced
commit 3034251b23
51
U_006-Fix-size-calculation-in-_XimAttributeToValue.patch
Normal file
@ -0,0 +1,51 @@
From 93fce3f4e79cbc737d6468a4f68ba3de1b83953b Mon Sep 17 00:00:00 2001
From: Yichao Yu <yyc1992@gmail.com>
Date: Sun, 2 Aug 2020 13:43:58 -0400
Subject: [PATCH] Fix size calculation in `_XimAttributeToValue`.
The check here guards the read below.
For `XimType_XIMStyles`, these are `num` of `CARD32` and for `XimType_XIMHotKeyTriggers`
these are `num` of `XIMTRIGGERKEY` ref[1] which is defined as 3 x `CARD32`.
(There are data after the `XIMTRIGGERKEY` according to the spec but they are not read by this
function and doesn't need to be checked.)
The old code here used the native datatype size instead of the wire protocol size causing
the check to always fail.
Also fix the size calculation for the header (size). It is 2 x CARD16 for both types
despite the unused `CARD16` for `XimType_XIMStyles`.
[1] https://www.x.org/releases/X11R7.6/doc/libX11/specs/XIM/xim.html#Input_Method_Styles
This fixes a regression caused by 388b303c62aa35a245f1704211a023440ad2c488 in 1.6.10.
Fix #116
---
modules/im/ximcp/imRmAttr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
index 2491908e7091..919c5564718c 100644
--- a/modules/im/ximcp/imRmAttr.c
+++ b/modules/im/ximcp/imRmAttr.c
@@ -265,7 +265,7 @@ _XimAttributeToValue(
if (num > (USHRT_MAX / sizeof(XIMStyle)))
return False;
- if ((sizeof(num) + (num * sizeof(XIMStyle))) > data_len)
+ if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len)
return False;
alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;
if (alloc_len < sizeof(XIMStyles))
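Review bot: The header term `2 * sizeof(CARD16)` in the new length check is an unexplained expression at the point of use; the reason it is two CARD16 fields (the count plus the unused CARD16 for `XimType_XIMStyles`) is stated only in the commit message. Please add a short comment above the check, or a named constant, saying that the bound on `data_len` is computed from wire-protocol sizes while `alloc_len` below intentionally stays in native `XIMStyle` sizes, so that a later cleanup does not make the two "consistent" again. The cap on the line above, `num > (USHRT_MAX / sizeof(XIMStyle))`, is still expressed in the native size; a note that it exists to bound the allocation rather than the read would remove the ambiguity.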
@@ -379,7 +379,7 @@ _XimAttributeToValue(
if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))
return False;
- if ((sizeof(num) + (num * sizeof(XIMHotKeyTrigger))) > data_len)
+ if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len)
return False;
alloc_len = sizeof(XIMHotKeyTriggers)
+ sizeof(XIMHotKeyTrigger) * num;
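Review bot: The literal `3` in `num * 3 * sizeof(CARD32)` encodes the `XIMTRIGGERKEY` wire layout without a name or comment in the code; the commit message explains it (3 x `CARD32`), but the source line does not. A named constant for the wire size of one trigger key, or a one-line comment citing the XIM spec section, would make the check reviewable on its own. Also note that the overflow guard directly above divides `UINT_MAX` by `sizeof(XIMHotKeyTrigger)`, the native size, while the product compared against `data_len` now uses the wire size. The guard therefore covers the new multiplication only if one wire entry is no larger than the native struct; either state that assumption in a comment or bound the wire-size product explicitly.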
--
2.16.4
@ -1,3 +1,10 @@
-------------------------------------------------------------------
Tue Aug 4 16:33:45 CEST 2020 - tiwai@suse.de
- U_006-Fix-size-calculation-in-_XimAttributeToValue.patch:
* Regression fix in previous XIM client head overflow fixes
(CVE-2020-14344, bsc#1174628)
-------------------------------------------------------------------
Fri Jul 31 20:23:05 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>
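Review bot: "head overflow" in the new changelog entry ("Regression fix in previous XIM client head overflow fixes") looks like a typo for "heap overflow" and should be corrected before it propagates into the package history. The entry would also be more useful to someone triaging the regression if it named the symptom given in the upstream message (the length check always failing) and referenced the upstream issue, #116.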
@ -38,6 +38,7 @@ Patch22: U_002-FixIntegerOverflowsIn_XimAttributeToValue.patch
Patch23: U_003-FixMoreUncheckedLengths.patch
Patch24: U_004-FixSignedLengthValuesIn_XimGetAttributeID.patch
Patch25: U_005-ZeroOutBuffersInFunctions.patch
Patch26: U_006-Fix-size-calculation-in-_XimAttributeToValue.patch
BuildRequires: fdupes
BuildRequires: libtool
BuildRequires: pkgconfig
@ -146,6 +147,7 @@ test -f nls/ja.S90/XLC_LOCALE.pre && exit 1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%build
%configure \