

[xsrc/netbsd-7-1]: xsrc/external/mit/libX11/dist/src Apply patch, requested b...



details:   https://anonhg.NetBSD.org/xsrc/rev/b4afb13c1b1d
branches:  netbsd-7-1
changeset: 9995:b4afb13c1b1d
user:      martin <martin%NetBSD.org@localhost>
date:      Wed Aug 29 07:55:08 2018 +0000

description:
Apply patch, requested by mrg in ticket #1635:

        xsrc/external/mit/libX11/dist/src/FontNames.c
        xsrc/external/mit/libX11/dist/src/GetFPath.c
        xsrc/external/mit/libX11/dist/src/LiHosts.c
        xsrc/external/mit/libX11/dist/src/ListExt.c

Apply fixes from libX11 1.6.5 for the following vulnerabilities:
Fixed off-by-one writes (CVE-2018-14599)
Validation of server response in XListHosts
Fixed out of boundary write (CVE-2018-14600)
Fixed crash on invalid reply (CVE-2018-14598)
(Backport of upstream git commits b469da1430cdcee06e31c6251b83aede072a1ff0,
 d81da209fd4d0c2c9ad0596a8078e58864479d0d,
 dbf72805fd9d7b1846fe9a11b46f3994bfc27fea,
 e83722768fd5c467ef61fa159e8c6278770b45c2 resp)

diffstat:

 external/mit/libX11/dist/src/FontNames.c |  15 ++++-----------
 external/mit/libX11/dist/src/GetFPath.c  |  11 ++++++++---
 external/mit/libX11/dist/src/LiHosts.c   |  19 +++++++++++++------
 external/mit/libX11/dist/src/ListExt.c   |  19 ++++++++++---------
 4 files changed, 35 insertions(+), 29 deletions(-)

diffs (136 lines):

diff -r 26904f34d2d7 -r b4afb13c1b1d external/mit/libX11/dist/src/FontNames.c
--- a/external/mit/libX11/dist/src/FontNames.c  Sat Jun 30 11:35:28 2018 +0000
+++ b/external/mit/libX11/dist/src/FontNames.c  Wed Aug 29 07:55:08 2018 +0000
@@ -86,23 +86,16 @@
        /*
         * unpack into null terminated strings.
         */
-       chend = ch + (rlen + 1);
+       chend = ch + rlen;
        length = *(unsigned char *)ch;
        *ch = 1; /* make sure it is non-zero for XFreeFontNames */
        for (i = 0; i < rep.nFonts; i++) {
            if (ch + length < chend) {
                flist[i] = ch + 1;  /* skip over length */
                ch += length + 1;  /* find next length ... */
-               if (ch <= chend) {
-                   length = *(unsigned char *)ch;
-                   *ch = '\0';  /* and replace with null-termination */
-                   count++;
-               } else {
-                    Xfree(flist);
-                    flist = NULL;
-                    count = 0;
-                    break;
-               }
+               length = *(unsigned char *)ch;
+               *ch = '\0';  /* and replace with null-termination */
+               count++;
            } else {
                 Xfree(flist);
                 flist = NULL;
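Review bot: With the inner `ch <= chend` test gone, the store `*ch = '\0'` after `ch += length + 1` can land exactly on `chend`, one byte past the `rlen` bytes of reply data, so it is in bounds only if the buffer was allocated with `rlen + 1` bytes. The allocation is outside this hunk, so that invariant should be stated next to the loop, e.g. `/* ch may equal chend here: the buffer must hold rlen + 1 bytes */`. The `length` value read at that position is not server data, which is harmless only because the following `ch + length < chend` test then fails. The GetFPath.c and ListExt.c hunks use the same `chend` arithmetic and would take the same comment.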
diff -r 26904f34d2d7 -r b4afb13c1b1d external/mit/libX11/dist/src/GetFPath.c
--- a/external/mit/libX11/dist/src/GetFPath.c   Sat Jun 30 11:35:28 2018 +0000
+++ b/external/mit/libX11/dist/src/GetFPath.c   Wed Aug 29 07:55:08 2018 +0000
@@ -69,15 +69,20 @@
            /*
             * unpack into null terminated strings.
             */
-           chend = ch + (nbytes + 1);
-           length = *ch;
+           chend = ch + nbytes;
+           length = *(unsigned char *)ch;
            for (i = 0; i < rep.nPaths; i++) {
                if (ch + length < chend) {
                    flist[i] = ch+1;  /* skip over length */
                    ch += length + 1; /* find next length ... */
-                   length = *ch;
+                   length = *(unsigned char *)ch;
                    *ch = '\0'; /* and replace with null-termination */
                    count++;
+               } else if (i == 0) {
+                   Xfree(flist);
+                   Xfree(ch);
+                   flist = NULL;
+                   break;
                } else
                    flist[i] = NULL;
            }
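Review bot: The new `else if (i == 0)` branch calls `Xfree(ch)`, which is correct only because `ch` is advanced solely in the success branch and so still points at the start of the allocation on the first iteration. A later edit that reaches these frees with an advanced `ch` would hand an interior pointer to the allocator, so a comment such as `/* i == 0: ch has not been advanced, it is still the allocated base */` belongs above the two frees. The identical branch in the ListExt.c hunk needs the same comment. The enclosing function starts and ends outside the hunk, so what it returns after the `break` cannot be checked from here.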
diff -r 26904f34d2d7 -r b4afb13c1b1d external/mit/libX11/dist/src/LiHosts.c
--- a/external/mit/libX11/dist/src/LiHosts.c    Sat Jun 30 11:35:28 2018 +0000
+++ b/external/mit/libX11/dist/src/LiHosts.c    Wed Aug 29 07:55:08 2018 +0000
@@ -119,11 +119,16 @@
        _XRead (dpy, (char *) buf, nbytes);
 
        for (i = 0; i < reply.nHosts; i++) {
+           if (bp > buf + nbytes - SIZEOF(xHostEntry))
+               goto fail;
            op->family = ((xHostEntry *) bp)->family;
            op->length =((xHostEntry *) bp)->length;
            if (op->family == FamilyServerInterpreted) {
                char *tp = (char *) (bp + SIZEOF(xHostEntry));
-               char *vp = memchr(tp, 0, op->length);
+               char *vp;
+               if (tp > (char *) (buf + nbytes - op->length))
+                   goto fail;
+               vp = memchr(tp, 0, op->length);
 
                if (vp != NULL) {
                    sip->type = tp;
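Review bot: The added bounds checks form `buf + nbytes - SIZEOF(xHostEntry)` and `buf + nbytes - op->length` before comparing, so a reply whose `nbytes` is smaller than the subtracted amount produces an intermediate pointer below `buf`. Unless `buf` sits inside a larger allocation (not visible in the hunk), that arithmetic is undefined and the comparison cannot be relied on to reject the reply. Guard the subtraction first, e.g. `if (nbytes < SIZEOF(xHostEntry) || bp > buf + nbytes - SIZEOF(xHostEntry)) goto fail;`, and likewise test `op->length > nbytes` ahead of the `tp` check. The `op->address` check in the next LiHosts.c hunk has the same shape.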
@@ -138,6 +143,8 @@
                sip++;
            } else {
                op->address = (char *) (bp + SIZEOF(xHostEntry));
+               if (op->address > (char *) (buf + nbytes - op->length))
+                   goto fail;
            }
            bp += SIZEOF(xHostEntry) + (((op->length + 3) >> 2) << 2);
            op++;
@@ -149,9 +156,9 @@
     UnlockDisplay(dpy);
     SyncHandle();
     return (outbuf);
+fail:
+    *enabled = reply.enabled;
+    *nhosts = 0;
+    Xfree(outbuf);
+    return (NULL);
 }
-
-
-
-
-
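Review bot: The new `fail:` path returns without the `UnlockDisplay(dpy); SyncHandle();` pair that the success path directly above it executes. If the display lock is held at the `goto fail` sites (which the unlock on the success path suggests; the matching lock call is outside the hunk), a malformed reply leaves the display locked. Add `UnlockDisplay(dpy);` and `SyncHandle();` before `return (NULL);`. A rejected reply then fails cleanly instead of risking a hang in the next Xlib call on that display.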
diff -r 26904f34d2d7 -r b4afb13c1b1d external/mit/libX11/dist/src/ListExt.c
--- a/external/mit/libX11/dist/src/ListExt.c    Sat Jun 30 11:35:28 2018 +0000
+++ b/external/mit/libX11/dist/src/ListExt.c    Wed Aug 29 07:55:08 2018 +0000
@@ -74,19 +74,20 @@
            /*
             * unpack into null terminated strings.
             */
-           chend = ch + (rlen + 1);
-           length = *ch;
+           chend = ch + rlen;
+           length = *(unsigned char *)ch;
            for (i = 0; i < rep.nExtensions; i++) {
                if (ch + length < chend) {
                    list[i] = ch+1;  /* skip over length */
                    ch += length + 1; /* find next length ... */
-                   if (ch <= chend) {
-                       length = *ch;
-                       *ch = '\0'; /* and replace with null-termination */
-                       count++;
-                   } else {
-                       list[i] = NULL;
-                   }
+                   length = *(unsigned char *)ch;
+                   *ch = '\0'; /* and replace with null-termination */
+                   count++;
+               } else if (i == 0) {
+                   Xfree(list);
+                   Xfree(ch);
+                   list = NULL;
+                   break;
                } else
                    list[i] = NULL;
            }


