File U_0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch of Package libX11.37667
From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 17 Sep 2023 14:19:40 -0700
Subject: [PATCH libX11 1/5] CVE-2023-43785: out-of-bounds memory access in
_XkbReadKeySyms()
Make sure we allocate enough memory in the first place, and
also handle error returns from _XkbReadBufferCopyKeySyms() when
it detects out-of-bounds issues.
Reported-by: Gregory James DUCK <gjduck@gmail.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/xkb/XKBGetMap.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
Index: libX11-1.6.5/src/xkb/XKBGetMap.c
===================================================================
--- libX11-1.6.5.orig/src/xkb/XKBGetMap.c
+++ libX11-1.6.5/src/xkb/XKBGetMap.c
@@ -190,7 +190,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, Xk
register int sz;
KeySym *prev_syms = map->syms;
- sz = map->size_syms + 128;
+ sz = offset + newMap->nSyms;
+ sz = ((sz + (unsigned) 128) / 128) * 128;
map->syms = _XkbTypedRealloc(map->syms, sz, KeySym);
if (map->syms == NULL) {
_XkbFree(prev_syms);
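Review bot: The new size calculation at `sz = offset + newMap->nSyms;` is done in a signed `int` and then rounded through an `(unsigned) 128` cast, with no comment stating the invariant the fix relies on. A short comment such as `/* round up to the next multiple of 128 strictly above offset + nSyms, so at least one spare slot always remains */` would explain why this replaces the old fixed `+ 128` growth. Whether `offset + newMap->nSyms` can grow large enough to wrap depends on how `offset` is bounded, which is outside this hunk; if nothing bounds it, add a range check before `_XkbTypedRealloc`. The enclosing function starts and ends outside the hunk.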
@@ -200,8 +201,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, Xk
map->size_syms = sz;
}
if (newMap->nSyms > 0) {
- _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
- newMap->nSyms);
+ if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
+ newMap->nSyms) == 0)
+ return BadLength;
offset += newMap->nSyms;
}
else {
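Review bot: The added `return BadLength;` exits while `map` is only partly updated: the realloc branch just above may already have replaced `map->syms` and `map->size_syms`, and `offset` has not yet been advanced for this key. The rest of the loop and the caller are outside this hunk, so it is worth confirming that every caller discards the map on `BadLength` rather than reading the partly filled symbol array. The same applies to the early return added in the third hunk. A comment at the call, for example `/* 0 means the copy would run past the reply buffer */`, would record the meaning the commit message gives to the zero return.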
@@ -231,8 +233,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, Xk
newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
if (newSyms == NULL)
return BadAlloc;
- if (newMap->nSyms > 0)
- _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
+ if (newMap->nSyms > 0) {
+ if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0)
+ return BadLength;
+ }
else
newSyms[0] = NoSymbol;
oldMap->kt_index[0] = newMap->ktIndex[0];
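Review bot: The rewritten `if (newMap->nSyms > 0) { ... }` is now braced while its `else` branch is not, which is easy to misread in a bounds-checking path. Bracing the else as well, `else { newSyms[0] = NoSymbol; }`, keeps the two arms visually parallel. Separately, the new check covers only the read side of the copy. The destination `newSyms` is sized by `XkbResizeKeySyms` from `tmp`, which is assigned outside this hunk, so confirm that `tmp` is never smaller than `newMap->nSyms`.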