Mercurial Mercurial > upstream > oracle > x-cons > x-s12-clone / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
25433554 problem in X11/LIBRARIES s12_117
authorNiveditha Rau <Niveditha.Rau@Oracle.COM>
Mon, 23 Jan 2017 12:28:51 -0800
changeset 1691 770d008d1b3b
parent 1690 bdb0f93c6216
child 1692 80245a8a8dbc
25433554 problem in X11/LIBRARIES
open-src/lib/libXpm/25433554.patch file | annotate | diff | comparison | revisions
open-src/lib/libXpm/Makefile file | annotate | diff | comparison | revisions 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/open-src/lib/libXpm/25433554.patch	Mon Jan 23 12:28:51 2017 -0800
@@ -0,0 +1,113 @@
+From d1167418f0fd02a27f617ec5afd6db053afbe185 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <[email protected]>
+Date: Thu, 8 Dec 2016 17:07:55 +0100
+Subject: Avoid OOB write when handling malicious XPM files.
+
+libXpm uses unsigned int to store sizes, which fits size_t on 32 bit
+systems, but leads to issues on 64 bit systems.
+
+On 64 bit systems, it is possible to overflow 32 bit integers while
+parsing XPM extensions in a file.
+
+At first, it looks like a rather unimportant detail, because nobody
+will seriously open a 4 GB file. But unfortunately XPM has support for
+gzip compression out of the box. An attacker can therefore craft a
+compressed file which is merely 4 MB in size, which makes an attack
+much for feasable.
+
+Signed-off-by: Matthieu Herrb <[email protected]>
+Reviewed-by: Matthieu Herrb <[email protected]>
+
+diff --git a/src/CrDatFrI.c b/src/CrDatFrI.c
+index 0dacf51..6735bfc 100644
+--- a/src/CrDatFrI.c
++++ b/src/CrDatFrI.c
+@@ -48,7 +48,7 @@ LFUNC(CreatePixels, void, (char **dataptr, unsigned int data_size,
+ 			   unsigned int height, unsigned int cpp,
+ 			   unsigned int *pixels, XpmColor *colors));
+ 
+-LFUNC(CountExtensions, void, (XpmExtension *ext, unsigned int num,
++LFUNC(CountExtensions, int, (XpmExtension *ext, unsigned int num,
+ 			      unsigned int *ext_size,
+ 			      unsigned int *ext_nlines));
+ 
+@@ -122,8 +122,9 @@ XpmCreateDataFromXpmImage(
+ 
+     /* compute the number of extensions lines and size */
+     if (extensions)
+-	CountExtensions(info->extensions, info->nextensions,
+-			&ext_size, &ext_nlines);
++	if (CountExtensions(info->extensions, info->nextensions,
++			&ext_size, &ext_nlines))
++	    return(XpmNoMemory);
+ 
+     /*
+      * alloc a temporary array of char pointer for the header section which
+@@ -187,7 +188,8 @@ XpmCreateDataFromXpmImage(
+     if(offset <= image->width || offset <= image->cpp)
+ 	RETURN(XpmNoMemory);
+ 
+-    if( (image->height + ext_nlines) >= UINT_MAX / sizeof(char *))
++    if (image->height > UINT_MAX - ext_nlines ||
++	image->height + ext_nlines >= UINT_MAX / sizeof(char *))
+ 	RETURN(XpmNoMemory);
+     data_size = (image->height + ext_nlines) * sizeof(char *);
+ 
+@@ -196,7 +198,8 @@ XpmCreateDataFromXpmImage(
+ 	RETURN(XpmNoMemory);
+     data_size += image->height * offset;
+ 
+-    if( (header_size + ext_size) >= (UINT_MAX - data_size) )
++    if (header_size > UINT_MAX - ext_size ||
++	header_size + ext_size >= (UINT_MAX - data_size) )
+ 	RETURN(XpmNoMemory);
+     data_size += header_size + ext_size;
+ 
+@@ -343,13 +346,14 @@ CreatePixels(
+     *s = '\0';
+ }
+ 
+-static void
++static int
+ CountExtensions(
+     XpmExtension	*ext,
+     unsigned int	 num,
+     unsigned int	*ext_size,
+     unsigned int	*ext_nlines)
+ {
++    size_t len;
+     unsigned int x, y, a, size, nlines;
+     char **line;
+ 
+@@ -357,16 +361,28 @@ CountExtensions(
+     nlines = 0;
+     for (x = 0; x < num; x++, ext++) {
+ 	/* 1 for the name */
++	if (ext->nlines == UINT_MAX || nlines > UINT_MAX - ext->nlines - 1)
++	    return (1);
+ 	nlines += ext->nlines + 1;
+ 	/* 8 = 7 (for "XPMEXT ") + 1 (for 0) */
+-	size += strlen(ext->name) + 8;
++	len = strlen(ext->name) + 8;
++	if (len > UINT_MAX - size)
++	    return (1);
++	size += len;
+ 	a = ext->nlines;
+-	for (y = 0, line = ext->lines; y < a; y++, line++)
+-	    size += strlen(*line) + 1;
++	for (y = 0, line = ext->lines; y < a; y++, line++) {
++	    len = strlen(*line) + 1;
++	    if (len > UINT_MAX - size)
++		return (1);
++	    size += len;
++	}
+     }
++    if (size > UINT_MAX - 10 || nlines > UINT_MAX - 1)
++	return (1);
+     /* 10 and 1 are for the ending "XPMENDEXT" */
+     *ext_size = size + 10;
+     *ext_nlines = nlines + 1;
++    return (0);
+ }
+ 
+ static void
--- a/open-src/lib/libXpm/Makefile	Sun Jan 22 18:50:37 2017 -0800
+++ b/open-src/lib/libXpm/Makefile	Mon Jan 23 12:28:51 2017 -0800
@@ -2,7 +2,7 @@
 #
 # libXpm - library for handling XPM format images
 #
-# Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved.
 #
 # Permission is hereby granted, free of charge, to any person obtaining a
 # copy of this software and associated documentation files (the "Software"),
@@ -37,7 +37,8 @@
 TARBALL_SHA256= c5bdafa51d1ae30086fac01ab83be8d47fe117b238d3437f8e965434090e041c
 
 # Patches to apply to source after unpacking, in order
-SOURCE_PATCHES = setuid.patch
+SOURCE_PATCHES = setuid.patch \
+		 25433554.patch,-p1
 
 # ARC cases that covered this module
 MODULE_ARC_CASES = PSARC/2001/060
upstream/oracle/x-cons/x-s12-clone