File U_0001-CVE-2023-43785-out-of-bounds-memory-acce... of Package libX11

Overview Repositories Revisions Requests Users Attributes Meta

File U_0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch of Package libX11

From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 17 Sep 2023 14:19:40 -0700
Subject: [PATCH libX11 1/5] CVE-2023-43785: out-of-bounds memory access in
 _XkbReadKeySyms()

Make sure we allocate enough memory in the first place, and
also handle error returns from _XkbReadBufferCopyKeySyms() when
it detects out-of-bounds issues.

Reported-by: Gregory James DUCK <gjduck@gmail.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 src/xkb/XKBGetMap.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

Index: libX11-1.6.5/src/xkb/XKBGetMap.c
===================================================================
--- libX11-1.6.5.orig/src/xkb/XKBGetMap.c
+++ libX11-1.6.5/src/xkb/XKBGetMap.c
@@ -190,7 +190,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, Xk
                 register int sz;
                 KeySym *prev_syms = map->syms;
 
-                sz = map->size_syms + 128;
+		sz = offset + newMap->nSyms;
+		sz = ((sz + (unsigned) 128) / 128) * 128;
                 map->syms = _XkbTypedRealloc(map->syms, sz, KeySym);
                 if (map->syms == NULL) {
                     _XkbFree(prev_syms);
@@ -200,8 +201,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, Xk
                 map->size_syms = sz;
             }
             if (newMap->nSyms > 0) {
-                _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
-                                          newMap->nSyms);
+                if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
+                                              newMap->nSyms) == 0)
+                    return BadLength;
                 offset += newMap->nSyms;
             }
             else {
@@ -231,8 +233,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, Xk
             newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
             if (newSyms == NULL)
                 return BadAlloc;
-            if (newMap->nSyms > 0)
-                _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
+            if (newMap->nSyms > 0) {
+                if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0)
+                    return BadLength;
+            }
             else
                 newSyms[0] = NoSymbol;
             oldMap->kt_index[0] = newMap->ktIndex[0];

Places

File U_0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch of Package libX11

Places