File U_0005-CVE-2023-43787-Integer-overflow-in-XCrea... of Package libX11

Overview Repositories Revisions Requests Users Attributes Meta

File U_0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch of Package libX11

From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001
From: Yair Mizrahi <yairm@jfrog.com>
Date: Thu, 7 Sep 2023 16:15:32 -0700
Subject: [PATCH libX11 5/5] CVE-2023-43787: Integer overflow in XCreateImage()
 leading to a heap overflow

When the format is `Pixmap` it calculates the size of the image data as:
    ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
There is no validation on the `width` of the image, and so this
calculation exceeds the capacity of a 4-byte integer, causing an overflow.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 src/ImUtil.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/src/ImUtil.c b/src/ImUtil.c
index 36f08a03..fbfad33e 100644
--- a/src/ImUtil.c
+++ b/src/ImUtil.c
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
 #include <X11/Xlibint.h>
 #include <X11/Xutil.h>
 #include <stdio.h>
+#include <limits.h>
 #include "ImUtil.h"
 
 static int _XDestroyImage(XImage *);
@@ -361,13 +362,22 @@ XImage *XCreateImage (
 	/*
 	 * compute per line accelerator.
 	 */
-	{
-	if (format == ZPixmap)
+	if (format == ZPixmap) {
+	    if ((INT_MAX / bits_per_pixel) < width) {
+		Xfree(image);
+		return NULL;
+	    }
+
 	    min_bytes_per_line =
-	       ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
-	else
+		ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+	} else {
+	    if ((INT_MAX - offset) < width) {
+		Xfree(image);
+		return NULL;
+	    }
+
 	    min_bytes_per_line =
-	        ROUNDUP((width + offset), image->bitmap_pad);
+		ROUNDUP((width + offset), image->bitmap_pad);
 	}
 	if (image_bytes_per_line == 0) {
 	    image->bytes_per_line = min_bytes_per_line;
-- 
2.39.3

Places

File U_0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch of Package libX11

Places