wok-current view xorg-server/stuff/CVE-2023-5367.patch @ rev 25634

Mass update, new toolchain gcc 8.3.0, glibc 2.28.0
author Stanislas Leduc <shann@slitaz.org>
date Sun Jan 14 08:12:37 2024 +0000 (20 months ago)
1 From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001
2 From: Peter Hutterer <peter.hutterer@who-t.net>
3 Date: Tue, 3 Oct 2023 11:53:05 +1000
4 Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend
6 The handling of appending/prepending properties was incorrect, with at
7 least two bugs: the property length was set to the length of the new
8 part only, i.e. appending or prepending N elements to a property with P
9 existing elements always resulted in the property having N elements
10 instead of N + P.
12 Second, when pre-pending a value to a property, the offset for the old
13 values was incorrect, leaving the new property with potentially
14 uninitialized values and/or resulting in OOB memory writes.
15 For example, prepending a 3 element value to a 5 element property would
16 result in this 8 value array:
17 [N, N, N, ?, ?, P, P, P ] P, P
18                           ^OOB write
20 The XI2 code is a copy/paste of the RandR code, so the bug exists in
21 both.
23 CVE-2023-5367, ZDI-CAN-22153
25 This vulnerability was discovered by:
26 Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
28 Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
29 ---
30 Xi/xiproperty.c | 4 ++--
31 randr/rrproperty.c | 4 ++--
32 2 files changed, 4 insertions(+), 4 deletions(-)
34 diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
35 index 066ba21fba..d315f04d0e 100644
36 --- a/Xi/xiproperty.c
37 +++ b/Xi/xiproperty.c
38 @@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
39 XIDestroyDeviceProperty(prop);
40 return BadAlloc;
41 }
42 - new_value.size = len;
43 + new_value.size = total_len;
44 new_value.type = type;
45 new_value.format = format;
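Review bot: `new_value.size = total_len;` sits ahead of the mode switch, and the computation of `total_len` is outside the visible lines, so a reader cannot confirm from here that it equals `len` for a replace and the combined count for append and prepend. A one-line comment at the assignment stating that, plus a regression test that appends N elements to a P-element property and checks that the resulting size is N + P, would lock in the behaviour the commit message describes.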
47 @@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type,
48 case PropModePrepend:
49 new_data = new_value.data;
50 old_data = (void *) (((char *) new_value.data) +
51 - (prop_value->size * size_in_bytes));
52 + (len * size_in_bytes));
53 break;
54 }
55 if (new_data)
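Review bot: the corrected offset `(len * size_in_bytes)` in the `PropModePrepend` case is only safe if the buffer behind `new_value.data` holds `len + prop_value->size` elements, and nothing in the visible lines ties the two together. Consider a comment or assertion here that states the layout (the `len` new elements first, then the `prop_value->size` old ones) so the relationship between this offset, the allocation and `total_len` is checked in one place. The commit message's case of prepending 3 elements to a 5-element property would make a good test.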
56 diff --git a/randr/rrproperty.c b/randr/rrproperty.c
57 index c2fb9585c6..25469f57b2 100644
58 --- a/randr/rrproperty.c
59 +++ b/randr/rrproperty.c
60 @@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
61 RRDestroyOutputProperty(prop);
62 return BadAlloc;
63 }
64 - new_value.size = len;
65 + new_value.size = total_len;
66 new_value.type = type;
67 new_value.format = format;
69 @@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type,
70 case PropModePrepend:
71 new_data = new_value.data;
72 old_data = (void *) (((char *) new_value.data) +
73 - (prop_value->size * size_in_bytes));
74 + (len * size_in_bytes));
75 break;
76 }
77 if (new_data)
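Review bot: both hunks in randr/rrproperty.c are line for line the same change as in Xi/xiproperty.c, which the commit message attributes to the XI2 code being a copy of the RandR code. Worth a follow-up that moves the append/prepend layout computation into one shared helper, so a later fix to the `old_data` offset or to `new_value.size` cannot land in one copy and miss the other.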
78 --
79 GitLab
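
The layout arithmetic from the commit message, as an added example that is not part of the patch or of the X server source. The names `merge`, `demo` and the `enum mode` values are hypothetical, and the append/replace branches are an assumption about code the patch does not show. The bounds check runs before any copy, so the pre-patch offset is refused rather than written.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the property modes; not the server's definitions. */
enum mode { REPLACE, PREPEND, APPEND };

/*
 * Merge add[add_n] with old[old_n] into dst (capacity cap elements).
 * prepatch selects the pre-patch prepend offset (old length) instead of the
 * patched one (new length). Every copy is bounds-checked before it runs.
 * Returns the merged element count, or -1 if a copy would leave dst.
 */
static long merge(int *dst, size_t cap, const int *old, size_t old_n,
                  const int *add, size_t add_n, enum mode m, int prepatch)
{
    if (old_n > SIZE_MAX - add_n)
        return -1;                               /* length sum would wrap */
    size_t total = (m == REPLACE) ? add_n : old_n + add_n;
    size_t add_off = (m == APPEND) ? old_n : 0;
    size_t old_off = prepatch ? old_n : add_n;   /* only used for PREPEND */
    if (total > cap)
        return -1;
    if (m == PREPEND && old_n > total - old_off)
        return -1;                 /* the write the commit message marks OOB */

    memcpy(dst + add_off, add, add_n * sizeof *dst);
    if (m == PREPEND)
        memcpy(dst + old_off, old, old_n * sizeof *dst);
    else if (m == APPEND)
        memcpy(dst, old, old_n * sizeof *dst);
    return (long)total;
}

/* Constructed sample: the commit message's case, 3 new values, 5 existing. */
static const int OLD5[5] = { 10, 11, 12, 13, 14 };
static const int NEW3[3] = { 1, 2, 3 };

static long demo(int prepatch, int *out8)
{
    return merge(out8, 8, OLD5, 5, NEW3, 3, PREPEND, prepatch);
}

int main(void)
{
    int out[8] = { 0 };
    printf("pre-patch offset: %ld\n", demo(1, out));
    printf("patched offset:   %ld\n", demo(0, out));
    return 0;
}
```

When the old and new lengths are equal the two offsets coincide, so a test for this bug needs unequal lengths, as in the commit message's 3-and-5 case.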