Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[xsrc/netbsd-8]: xsrc/external/mit/libX11/dist/src Apply patch (requested by ...
details: https://anonhg.NetBSD.org/xsrc/rev/c684815dc494
branches: netbsd-8
changeset: 7571:c684815dc494
user: snj <snj%NetBSD.org@localhost>
date: Tue Jun 20 23:00:39 2023 +0000
description:
Apply patch (requested by mrg in ticket #1826):
InitExt.c: Add bounds checks for extension request, event, & error codes
Fixes CVE-2023-3138: X servers could return values from XQueryExtension
that would cause Xlib to write entries out-of-bounds of the arrays to
store them, though this would only overwrite other parts of the Display
struct, not outside the bounds allocated for that structure.
diffstat:
external/mit/libX11/dist/src/InitExt.c | 42 ++++++++++++++++++++++++++++++++++
1 files changed, 42 insertions(+), 0 deletions(-)
diffs (87 lines):
diff -r 78ce8399a1d5 -r c684815dc494 external/mit/libX11/dist/src/InitExt.c
--- a/external/mit/libX11/dist/src/InitExt.c Sat Apr 01 15:36:27 2023 +0000
+++ b/external/mit/libX11/dist/src/InitExt.c Tue Jun 20 23:00:39 2023 +0000
@@ -33,6 +33,18 @@ from The Open Group.
#include <X11/Xos.h>
#include <stdio.h>
+/* The X11 protocol spec reserves events 64 through 127 for extensions */
+#ifndef LastExtensionEvent
+#define LastExtensionEvent 127
+#endif
+
+/* The X11 protocol spec reserves requests 128 through 255 for extensions */
+#ifndef LastExtensionRequest
+#define FirstExtensionRequest 128
+#define LastExtensionRequest 255
+#endif
+
+
/*
* This routine is used to link a extension in so it will be called
* at appropriate times.
@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
WireToEventType proc) /* routine to call when converting event */
{
register WireToEventType oldproc;
+ if (event_number < 0 ||
+ event_number > LastExtensionEvent) {
+ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
+ event_number);
+ return (WireToEventType)_XUnknownWireEvent;
+ }
if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
LockDisplay (dpy);
oldproc = dpy->event_vec[event_number];
@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCo
)
{
WireToEventCookieType oldproc;
+ if (extension < FirstExtensionRequest ||
+ extension > LastExtensionRequest) {
+ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
+ extension);
+ return (WireToEventCookieType)_XUnknownWireEventCookie;
+ }
if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie;
LockDisplay (dpy);
oldproc = dpy->generic_event_vec[extension & 0x7F];
@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie
)
{
CopyEventCookieType oldproc;
+ if (extension < FirstExtensionRequest ||
+ extension > LastExtensionRequest) {
+ fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
+ extension);
+ return (CopyEventCookieType)_XUnknownCopyEventCookie;
+ }
if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
LockDisplay (dpy);
oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
EventToWireType proc) /* routine to call when converting event */
{
register EventToWireType oldproc;
+ if (event_number < 0 ||
+ event_number > LastExtensionEvent) {
+ fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
+ event_number);
+ return (EventToWireType)_XUnknownNativeEvent;
+ }
if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
LockDisplay (dpy);
oldproc = dpy->wire_vec[event_number];
@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError(
WireToErrorType proc) /* routine to call when converting error */
{
register WireToErrorType oldproc = NULL;
+ if (error_number < 0 ||
+ error_number > LastExtensionError) {
+ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
+ error_number);
+ return (WireToErrorType)_XDefaultWireError;
+ }
if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError;
LockDisplay (dpy);
if (!dpy->error_vec) {
Home |
Main Index |
Thread Index |
Old Index