File U_006-Fix-size-calculation-in-_XimAttributeToVa... of Package libX11.28098

Overview Repositories Revisions Requests Users Attributes Meta

File U_006-Fix-size-calculation-in-_XimAttributeToValue.patch of Package libX11.28098

From 93fce3f4e79cbc737d6468a4f68ba3de1b83953b Mon Sep 17 00:00:00 2001
From: Yichao Yu <yyc1992@gmail.com>
Date: Sun, 2 Aug 2020 13:43:58 -0400
Subject: [PATCH] Fix size calculation in `_XimAttributeToValue`.

The check here guards the read below.
For `XimType_XIMStyles`, these are `num` of `CARD32` and for `XimType_XIMHotKeyTriggers`
these are `num` of `XIMTRIGGERKEY` ref[1] which is defined as 3 x `CARD32`.
(There are data after the `XIMTRIGGERKEY` according to the spec but they are not read by this
function and doesn't need to be checked.)

The old code here used the native datatype size instead of the wire protocol size causing
the check to always fail.

Also fix the size calculation for the header (size). It is 2 x CARD16 for both types
despite the unused `CARD16` for `XimType_XIMStyles`.

[1] https://www.x.org/releases/X11R7.6/doc/libX11/specs/XIM/xim.html#Input_Method_Styles

This fixes a regression caused by 388b303c62aa35a245f1704211a023440ad2c488 in 1.6.10.

Fix #116
---
 modules/im/ximcp/imRmAttr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
index 2491908e7091..919c5564718c 100644
--- a/modules/im/ximcp/imRmAttr.c
+++ b/modules/im/ximcp/imRmAttr.c
@@ -265,7 +265,7 @@ _XimAttributeToValue(
 
 	    if (num > (USHRT_MAX / sizeof(XIMStyle)))
 		return False;
-	    if ((sizeof(num) + (num * sizeof(XIMStyle))) > data_len)
+	    if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len)
 		return False;
 	    alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;
 	    if (alloc_len < sizeof(XIMStyles))
@@ -379,7 +379,7 @@ _XimAttributeToValue(
 
 	    if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))
 		return False;
-	    if ((sizeof(num) + (num * sizeof(XIMHotKeyTrigger))) > data_len)
+	    if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len)
 		return False;
 	    alloc_len = sizeof(XIMHotKeyTriggers)
 		      + sizeof(XIMHotKeyTrigger) * num;
-- 
2.16.4

Places

File U_006-Fix-size-calculation-in-_XimAttributeToValue.patch of Package libX11.28098

Places