On Thu, Mar 10, 2005 at 03:25:00PM +0000, Matthias Scheler wrote:
> Hello,
>
> this should probably be fixed in the XFree86 repository before the 4.5.0
> release:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0605
How about the attached patch?

What is the mechanism for getting the bad data into the privileged program to start with? Perhaps sanity checks would be advisable elsewhere as well (e.g. in Xlib, if the malformed XImage is coming in over a connection to a hacked X server).

David
Index: create.c
===================================================================
RCS file: /home/x-cvs/xc/extras/Xpm/lib/create.c,v
retrieving revision 1.8
diff -u -r1.8 create.c
--- create.c	17 Dec 2004 16:38:03 -0000	1.8
+++ create.c	10 Mar 2005 23:35:55 -0000
@@ -995,6 +995,9 @@
     if (!*image_return)
 	return (XpmNoMemory);
 
+    if ((*image_return)->bitmap_unit < 0 || (*image_return)->bitmap_unit > 32)
+	return (XpmNoMemory);
+
 #if !defined(FOR_MSW) && !defined(AMIGA)
     if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) {
 	XDestroyImage(*image_return);
@@ -1215,7 +1218,8 @@
     register char *src;
     register char *dst;
     register unsigned int *iptr;
-    register unsigned int x, y, i;
+    register unsigned int x, y;
+    int i;
     register char *data;
     Pixel pixel, px;
     int nbytes, depth, ibu, ibpp;
Index: scan.c
===================================================================
RCS file: /home/x-cvs/xc/extras/Xpm/lib/scan.c,v
retrieving revision 1.6
diff -u -r1.6 scan.c
--- scan.c	17 Dec 2004 16:38:03 -0000	1.6
+++ scan.c	10 Mar 2005 22:51:15 -0000
@@ -279,6 +279,12 @@
  */
     if (image) {
+	if (image->depth < 0 || image->depth > 32)
+	    return (XpmNoMemory);
+	if (image->bits_per_pixel < 0 || image->bits_per_pixel > 32)
+	    return (XpmNoMemory);
+	if (image->bitmap_unit < 0 || image->bitmap_unit > 32)
+	    return (XpmNoMemory);
 #ifndef FOR_MSW
 # ifndef AMIGA
 	if (((image->bits_per_pixel | image->depth) == 1) &&
@@ -621,7 +627,8 @@
     char *dst;
     unsigned int *iptr;
     char *data;
-    unsigned int x, y, i;
+    unsigned int x, y;
+    int i;
     int bits, depth, ibu, ibpp, offset;
     unsigned long lbt;
     Pixel pixel, px;
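Review bot: The new bitmap_unit check in create.c returns without releasing the XImage that the preceding `if (!*image_return) return (XpmNoMemory);` shows has just been allocated, whereas the existing bytes_per_line check directly below it calls `XDestroyImage(*image_return)` before returning; the new failure path should do the same: `if ((*image_return)->bitmap_unit < 0 || (*image_return)->bitmap_unit > 32) { XDestroyImage(*image_return); return (XpmNoMemory); }`. The accepted range [0, 32] also admits values such as 0 or 3 that are not valid Xlib bitmap units (8, 16 or 32); if the code that follows divides or shifts by bitmap_unit — presumably it does, confirm against the pixel loop — an exact-value check (`!= 8 && != 16 && != 32`) would be the tighter guard. Returning XpmNoMemory for a validation failure is misleading, though it follows the convention of the existing check; a short comment saying the code is reused for want of a better one would help. The enclosing function continues beyond the hunk.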
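Review bot: Changing `i` from `register unsigned int` to `int` in the second create.c hunk silently alters every comparison and decrement on `i` in a function whose body lies entirely outside the hunk, and nothing records why; a one-line comment on the new declaration would keep the next reader from "fixing" it back, e.g. `int i;	/* signed on purpose: must be able to go below zero in the pixel loop (CAN-2005-0605) */` — presumably `i` is counted down past zero below, confirm against the loop before wording it. The identical change in scan.c deserves the same comment. If `i` is still used as an index or compared with the unsigned `x`/`y`, the signed/unsigned comparison warnings that result should be checked rather than silenced.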
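Review bot: The three new range checks in scan.c still accept 0 and other non-standard values: a zero depth or bits_per_pixel, or a bitmap_unit such as 3, passes, and if the scan loop divides or shifts by these fields — it is outside the hunk, so confirm — that is as dangerous as the negative case; tighter guards would be `if (image->depth <= 0 || image->depth > 32)`, `if (image->bits_per_pixel <= 0 || image->bits_per_pixel > 32)` and `if (image->bitmap_unit != 8 && image->bitmap_unit != 16 && image->bitmap_unit != 32)`. The checks also leave `bytes_per_line`, `width`, `height` and `xoffset` unvalidated against each other, so an XImage with inconsistent geometry (the hostile-server case raised in the reply) can still drive reads past `image->data` if the loop trusts those fields; this is inferred, since the loop is not visible. Reusing XpmNoMemory for an invalid-argument failure is misleading and deserves at least a comment. The enclosing function continues beyond the hunk.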