File u_out-of-boundary-write-in-XListExtensions.patch of Package libX11.16223

From 7ca52a28d0423642b6640b15fb150cac3eef7177 Mon Sep 17 00:00:00 2001
From: Stefan Dirsch <sndirsch@suse.de>
Date: Mon, 23 Jul 2018 14:30:54 +0200
Subject: [PATCH] out of boundary write in XListExtensions
References: bsc#1102068 CVE-2018-14600

The length value is interpreted as signed char on many systems
(depending on default signedness of char), which can lead to an out of
boundary write up to 128 bytes in front of the allocated storage, but
limited to NUL byte(s).

Casting the length value to unsigned char fixes the problem and allows
string values with up to 255 characters.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
 src/ListExt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/ListExt.c b/src/ListExt.c
index 8f344ac0..6537c4dc 100644
--- a/src/ListExt.c
+++ b/src/ListExt.c
@@ -75,12 +75,12 @@ char **XListExtensions(
 	     * unpack into null terminated strings.
 	     */
 	    chend = ch + rlen;
-	    length = *ch;
+	    length = (unsigned char) *ch;
 	    for (i = 0; i < rep.nExtensions; i++) {
 		if (ch + length < chend) {
 		    list[i] = ch+1;  /* skip over length */
 		    ch += length + 1; /* find next length ... */
-		    length = *ch;
+		    length = (unsigned char) *ch;
 		    *ch = '\0'; /* and replace with null-termination */
 		    count++;
 		} else
-- 
2.16.4
openSUSE Build Service is sponsored by