Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[xsrc/netbsd-8]: xsrc/external/mit/libX11/dist/src Apply patch, requested by ...
details: https://anonhg.NetBSD.org/xsrc/rev/1b6e01b0b15e
branches: netbsd-8
changeset: 9994:1b6e01b0b15e
user: martin <martin%NetBSD.org@localhost>
date: Tue Aug 28 13:27:24 2018 +0000
description:
Apply patch, requested by mrg in ticket #995:
xsrc/external/mit/libX11/dist/src/FontNames.c
xsrc/external/mit/libX11/dist/src/GetFPath.c
xsrc/external/mit/libX11/dist/src/LiHosts.c
xsrc/external/mit/libX11/dist/src/ListExt.c
Apply fixes from libX11 1.6.5 for the following vulnerabilities:
Fixed off-by-one writes (CVE-2018-14599)
Validation of server response in XListHosts
Fixed out of boundary write (CVE-2018-14600)
Fixed crash on invalid reply (CVE-2018-14598)
(Backport of upstream git commits b469da1430cdcee06e31c6251b83aede072a1ff0,
d81da209fd4d0c2c9ad0596a8078e58864479d0d,
dbf72805fd9d7b1846fe9a11b46f3994bfc27fea,
e83722768fd5c467ef61fa159e8c6278770b45c2 resp)
diffstat:
external/mit/libX11/dist/src/FontNames.c | 16 ++++------------
external/mit/libX11/dist/src/GetFPath.c | 11 ++++++++---
external/mit/libX11/dist/src/LiHosts.c | 19 +++++++++++++------
external/mit/libX11/dist/src/ListExt.c | 19 ++++++++++---------
4 files changed, 35 insertions(+), 30 deletions(-)
diffs (137 lines):
diff -r 959f77f9333b -r 1b6e01b0b15e external/mit/libX11/dist/src/FontNames.c
--- a/external/mit/libX11/dist/src/FontNames.c Fri Dec 01 09:47:54 2017 +0000
+++ b/external/mit/libX11/dist/src/FontNames.c Tue Aug 28 13:27:24 2018 +0000
@@ -88,24 +88,16 @@
* unpack into null terminated strings.
*/
chstart = ch;
- chend = ch + (rlen + 1);
+ chend = ch + rlen;
length = *(unsigned char *)ch;
*ch = 1; /* make sure it is non-zero for XFreeFontNames */
for (i = 0; i < rep.nFonts; i++) {
if (ch + length < chend) {
flist[i] = ch + 1; /* skip over length */
ch += length + 1; /* find next length ... */
- if (ch <= chend) {
- length = *(unsigned char *)ch;
- *ch = '\0'; /* and replace with null-termination */
- count++;
- } else {
- Xfree(chstart);
- Xfree(flist);
- flist = NULL;
- count = 0;
- break;
- }
+ length = *(unsigned char *)ch;
+ *ch = '\0'; /* and replace with null-termination */
+ count++;
} else {
Xfree(chstart);
Xfree(flist);
diff -r 959f77f9333b -r 1b6e01b0b15e external/mit/libX11/dist/src/GetFPath.c
--- a/external/mit/libX11/dist/src/GetFPath.c Fri Dec 01 09:47:54 2017 +0000
+++ b/external/mit/libX11/dist/src/GetFPath.c Tue Aug 28 13:27:24 2018 +0000
@@ -69,15 +69,20 @@
/*
* unpack into null terminated strings.
*/
- chend = ch + (nbytes + 1);
- length = *ch;
+ chend = ch + nbytes;
+ length = *(unsigned char *)ch;
for (i = 0; i < rep.nPaths; i++) {
if (ch + length < chend) {
flist[i] = ch+1; /* skip over length */
ch += length + 1; /* find next length ... */
- length = *ch;
+ length = *(unsigned char *)ch;
*ch = '\0'; /* and replace with null-termination */
count++;
+ } else if (i == 0) {
+ Xfree(flist);
+ Xfree(ch);
+ flist = NULL;
+ break;
} else
flist[i] = NULL;
}
diff -r 959f77f9333b -r 1b6e01b0b15e external/mit/libX11/dist/src/LiHosts.c
--- a/external/mit/libX11/dist/src/LiHosts.c Fri Dec 01 09:47:54 2017 +0000
+++ b/external/mit/libX11/dist/src/LiHosts.c Tue Aug 28 13:27:24 2018 +0000
@@ -119,11 +119,16 @@
_XRead (dpy, (char *) buf, nbytes);
for (i = 0; i < reply.nHosts; i++) {
+ if (bp > buf + nbytes - SIZEOF(xHostEntry))
+ goto fail;
op->family = ((xHostEntry *) bp)->family;
op->length =((xHostEntry *) bp)->length;
if (op->family == FamilyServerInterpreted) {
char *tp = (char *) (bp + SIZEOF(xHostEntry));
- char *vp = memchr(tp, 0, op->length);
+ char *vp;
+ if (tp > (char *) (buf + nbytes - op->length))
+ goto fail;
+ vp = memchr(tp, 0, op->length);
if (vp != NULL) {
sip->type = tp;
@@ -138,6 +143,8 @@
sip++;
} else {
op->address = (char *) (bp + SIZEOF(xHostEntry));
+ if (op->address > (char *) (buf + nbytes - op->length))
+ goto fail;
}
bp += SIZEOF(xHostEntry) + (((op->length + 3) >> 2) << 2);
op++;
@@ -149,9 +156,9 @@
UnlockDisplay(dpy);
SyncHandle();
return (outbuf);
+fail:
+ *enabled = reply.enabled;
+ *nhosts = 0;
+ Xfree(outbuf);
+ return (NULL);
}
-
-
-
-
-
diff -r 959f77f9333b -r 1b6e01b0b15e external/mit/libX11/dist/src/ListExt.c
--- a/external/mit/libX11/dist/src/ListExt.c Fri Dec 01 09:47:54 2017 +0000
+++ b/external/mit/libX11/dist/src/ListExt.c Tue Aug 28 13:27:24 2018 +0000
@@ -74,19 +74,20 @@
/*
* unpack into null terminated strings.
*/
- chend = ch + (rlen + 1);
- length = *ch;
+ chend = ch + rlen;
+ length = *(unsigned char *)ch;
for (i = 0; i < rep.nExtensions; i++) {
if (ch + length < chend) {
list[i] = ch+1; /* skip over length */
ch += length + 1; /* find next length ... */
- if (ch <= chend) {
- length = *ch;
- *ch = '\0'; /* and replace with null-termination */
- count++;
- } else {
- list[i] = NULL;
- }
+ length = *(unsigned char *)ch;
+ *ch = '\0'; /* and replace with null-termination */
+ count++;
+ } else if (i == 0) {
+ Xfree(list);
+ Xfree(ch);
+ list = NULL;
+ break;
} else
list[i] = NULL;
}
Home |
Main Index |
Thread Index |
Old Index