File U_0002-CVE-2023-43786-stack-exhaustion-from-inf... of Package libX11

Overview Repositories Revisions Requests Users Attributes Meta

File U_0002-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch of Package libX11

From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Thu, 7 Sep 2023 15:54:30 -0700
Subject: [PATCH libX11 2/5] CVE-2023-43786: stack exhaustion from infinite
 recursion in PutSubImage()

When splitting a single line of pixels into chunks to send to the
X server, be sure to take into account the number of bits per pixel,
so we don't just loop forever trying to send more pixels than fit in
the given request size and not breaking them down into a small enough
chunk to fix.

Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 src/PutImage.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Index: libX11-1.6.5/src/PutImage.c
===================================================================
--- libX11-1.6.5.orig/src/PutImage.c
+++ libX11-1.6.5/src/PutImage.c
@@ -913,8 +913,9 @@ PutSubImage (
 		    req_width, req_height - SubImageHeight,
 		    dest_bits_per_pixel, dest_scanline_pad);
     } else {
-	int SubImageWidth = (((Available << 3) / dest_scanline_pad)
-				* dest_scanline_pad) - left_pad;
+	int SubImageWidth = ((((Available << 3) / dest_scanline_pad)
+                              * dest_scanline_pad) - left_pad)
+                              / dest_bits_per_pixel;
 
 	PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y,
 		    (unsigned int) SubImageWidth, 1,

Places

File U_0002-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch of Package libX11

Places