Module Name: xsrc
Committed By: martin
Date: Wed Oct 4 15:12:26 UTC 2023
Modified Files:
xsrc/external/mit/libX11/dist/src [netbsd-9]: CrPixmap.c ImUtil.c
PutImage.c
xsrc/external/mit/libX11/dist/src/xkb [netbsd-9]: XKBGetMap.c
xsrc/external/mit/libXpm/dist/src [netbsd-9]: CrPFrBuf.c CrPFrDat.c
CrPFrI.c RdFToP.c XpmI.h create.c data.c
Log Message:
Apply patch, requested by mrg in ticket #1744:
xsrc/external/mit/libXpm/dist/src/CrPFrBuf.c (apply patch)
xsrc/external/mit/libXpm/dist/src/CrPFrDat.c (apply patch)
xsrc/external/mit/libXpm/dist/src/CrPFrI.c (apply patch)
xsrc/external/mit/libXpm/dist/src/RdFToP.c (apply patch)
xsrc/external/mit/libXpm/dist/src/XpmI.h (apply patch)
xsrc/external/mit/libXpm/dist/src/create.c (apply patch)
xsrc/external/mit/libXpm/dist/src/data.c (apply patch)
xsrc/external/mit/libX11/dist/src/CrPixmap.c (apply patch)
xsrc/external/mit/libX11/dist/src/ImUtil.c (apply patch)
xsrc/external/mit/libX11/dist/src/PutImage.c (apply patch)
xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c (apply patch)
Backport of upstream libX11 and libXpm 2023-10 security updates,
fixing: CVE-2023-43785, CVE-2023-43786, CVE-2023-43787, CVE-2023-43788,
CVE-2023-43789
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.2 -r1.1.1.2.18.1 \
xsrc/external/mit/libX11/dist/src/CrPixmap.c
cvs rdiff -u -r1.1.1.8 -r1.1.1.8.4.1 \
xsrc/external/mit/libX11/dist/src/ImUtil.c
cvs rdiff -u -r1.1.1.8 -r1.1.1.8.2.1 \
xsrc/external/mit/libX11/dist/src/PutImage.c
cvs rdiff -u -r1.1.1.7 -r1.1.1.7.2.1 \
xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c
cvs rdiff -u -r1.1.1.2 -r1.1.1.2.18.1 \
xsrc/external/mit/libXpm/dist/src/CrPFrBuf.c \
xsrc/external/mit/libXpm/dist/src/CrPFrDat.c \
xsrc/external/mit/libXpm/dist/src/CrPFrI.c
cvs rdiff -u -r1.1.1.3 -r1.1.1.3.10.1 \
xsrc/external/mit/libXpm/dist/src/RdFToP.c
cvs rdiff -u -r1.1.1.3 -r1.1.1.3.12.1 \
xsrc/external/mit/libXpm/dist/src/XpmI.h
cvs rdiff -u -r1.3.4.1 -r1.3.4.2 xsrc/external/mit/libXpm/dist/src/create.c
cvs rdiff -u -r1.1.1.4.12.1 -r1.1.1.4.12.2 \
xsrc/external/mit/libXpm/dist/src/data.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: xsrc/external/mit/libX11/dist/src/CrPixmap.c
diff -u xsrc/external/mit/libX11/dist/src/CrPixmap.c:1.1.1.2 xsrc/external/mit/libX11/dist/src/CrPixmap.c:1.1.1.2.18.1
--- xsrc/external/mit/libX11/dist/src/CrPixmap.c:1.1.1.2 Sat May 22 01:22:12 2010
+++ xsrc/external/mit/libX11/dist/src/CrPixmap.c Wed Oct 4 15:12:26 2023
@@ -28,6 +28,7 @@ in this Software without prior written a
#include <config.h>
#endif
#include "Xlibint.h"
+#include <limits.h>
#ifdef USE_DYNAMIC_XCURSOR
void
@@ -47,6 +48,16 @@ Pixmap XCreatePixmap (
Pixmap pid;
register xCreatePixmapReq *req;
+ /*
+ * Force a BadValue X Error if the requested dimensions are larger
+ * than the X11 protocol has room for, since that's how callers expect
+ * to get notified of errors.
+ */
+ if (width > USHRT_MAX)
+ width = 0;
+ if (height > USHRT_MAX)
+ height = 0;
+
LockDisplay(dpy);
GetReq(CreatePixmap, req);
req->drawable = d;
Index: xsrc/external/mit/libX11/dist/src/ImUtil.c
diff -u xsrc/external/mit/libX11/dist/src/ImUtil.c:1.1.1.8 xsrc/external/mit/libX11/dist/src/ImUtil.c:1.1.1.8.4.1
--- xsrc/external/mit/libX11/dist/src/ImUtil.c:1.1.1.8 Sun Jul 19 08:08:36 2015
+++ xsrc/external/mit/libX11/dist/src/ImUtil.c Wed Oct 4 15:12:26 2023
@@ -30,6 +30,7 @@ in this Software without prior written a
#include <X11/Xlibint.h>
#include <X11/Xutil.h>
#include <stdio.h>
+#include <limits.h>
#include "ImUtil.h"
static int _XDestroyImage(XImage *);
@@ -361,13 +362,22 @@ XImage *XCreateImage (
/*
* compute per line accelerator.
*/
- {
- if (format == ZPixmap)
+ if (format == ZPixmap) {
+ if ((INT_MAX / bits_per_pixel) < width) {
+ Xfree(image);
+ return NULL;
+ }
+
min_bytes_per_line =
- ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
- else
+ ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+ } else {
+ if ((INT_MAX - offset) < width) {
+ Xfree(image);
+ return NULL;
+ }
+
min_bytes_per_line =
- ROUNDUP((width + offset), image->bitmap_pad);
+ ROUNDUP((width + offset), image->bitmap_pad);
}
if (image_bytes_per_line == 0) {
image->bytes_per_line = min_bytes_per_line;
Index: xsrc/external/mit/libX11/dist/src/PutImage.c
diff -u xsrc/external/mit/libX11/dist/src/PutImage.c:1.1.1.8 xsrc/external/mit/libX11/dist/src/PutImage.c:1.1.1.8.2.1
--- xsrc/external/mit/libX11/dist/src/PutImage.c:1.1.1.8 Mon Jul 8 22:58:27 2019
+++ xsrc/external/mit/libX11/dist/src/PutImage.c Wed Oct 4 15:12:26 2023
@@ -30,6 +30,7 @@ in this Software without prior written a
#include "Xlibint.h"
#include "Xutil.h"
#include <stdio.h>
+#include <limits.h>
#include "Cr.h"
#include "ImUtil.h"
#include "reallocarray.h"
@@ -914,8 +915,9 @@ PutSubImage (
req_width, req_height - SubImageHeight,
dest_bits_per_pixel, dest_scanline_pad);
} else {
- int SubImageWidth = (((Available << 3) / dest_scanline_pad)
- * dest_scanline_pad) - left_pad;
+ int SubImageWidth = ((((Available << 3) / dest_scanline_pad)
+ * dest_scanline_pad) - left_pad)
+ / dest_bits_per_pixel;
PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y,
(unsigned int) SubImageWidth, 1,
@@ -961,6 +963,10 @@ XPutImage (
height = image->height - req_yoffset;
if ((width <= 0) || (height <= 0))
return 0;
+ if (width > USHRT_MAX)
+ width = USHRT_MAX;
+ if (height > USHRT_MAX)
+ height = USHRT_MAX;
if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) {
dest_bits_per_pixel = 1;
Index: xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c
diff -u xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c:1.1.1.7 xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c:1.1.1.7.2.1
--- xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c:1.1.1.7 Mon Jul 8 22:58:28 2019
+++ xsrc/external/mit/libX11/dist/src/xkb/XKBGetMap.c Wed Oct 4 15:12:26 2023
@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, Xk
if (offset + newMap->nSyms >= map->size_syms) {
register int sz;
- sz = map->size_syms + 128;
+ sz = offset + newMap->nSyms;
+ sz = ((sz + (unsigned) 128) / 128) * 128;
_XkbResizeArray(map->syms, map->size_syms, sz, KeySym);
if (map->syms == NULL) {
map->size_syms = 0;
@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, Xk
map->size_syms = sz;
}
if (newMap->nSyms > 0) {
- _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
- newMap->nSyms);
+ if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset],
+ newMap->nSyms) == 0)
+ return BadLength;
offset += newMap->nSyms;
}
else {
@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, Xk
newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
if (newSyms == NULL)
return BadAlloc;
- if (newMap->nSyms > 0)
- _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
+ if (newMap->nSyms > 0) {
+ if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0)
+ return BadLength;
+ }
else
newSyms[0] = NoSymbol;
oldMap->kt_index[0] = newMap->ktIndex[0];
Index: xsrc/external/mit/libXpm/dist/src/CrPFrBuf.c
diff -u xsrc/external/mit/libXpm/dist/src/CrPFrBuf.c:1.1.1.2 xsrc/external/mit/libXpm/dist/src/CrPFrBuf.c:1.1.1.2.18.1
--- xsrc/external/mit/libXpm/dist/src/CrPFrBuf.c:1.1.1.2 Sun Nov 8 09:43:21 2009
+++ xsrc/external/mit/libXpm/dist/src/CrPFrBuf.c Wed Oct 4 15:12:26 2023
@@ -46,7 +46,7 @@ XpmCreatePixmapFromBuffer(
Pixmap *shapemask_return,
XpmAttributes *attributes)
{
- XImage *ximage, *shapeimage;
+ XImage *ximage = NULL, *shapeimage = NULL;
int ErrorStatus;
/* initialize return values */
@@ -63,16 +63,34 @@ XpmCreatePixmapFromBuffer(
attributes);
if (ErrorStatus < 0) /* fatal error */
- return (ErrorStatus);
+ goto cleanup;
/* create the pixmaps and destroy images */
if (pixmap_return && ximage) {
- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
- XDestroyImage(ximage);
+ ErrorStatus =
+ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+ if (ErrorStatus < 0) /* fatal error */
+ goto cleanup;
}
if (shapemask_return && shapeimage) {
- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+ ErrorStatus =
+ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+ }
+
+ cleanup:
+ if (ximage != NULL)
+ XDestroyImage(ximage);
+ if (shapeimage != NULL)
XDestroyImage(shapeimage);
+ if (ErrorStatus < 0) {
+ if (pixmap_return && *pixmap_return) {
+ XFreePixmap(display, *pixmap_return);
+ *pixmap_return = 0;
+ }
+ if (shapemask_return && *shapemask_return) {
+ XFreePixmap(display, *shapemask_return);
+ *shapemask_return = 0;
+ }
}
return (ErrorStatus);
}
Index: xsrc/external/mit/libXpm/dist/src/CrPFrDat.c
diff -u xsrc/external/mit/libXpm/dist/src/CrPFrDat.c:1.1.1.2 xsrc/external/mit/libXpm/dist/src/CrPFrDat.c:1.1.1.2.18.1
--- xsrc/external/mit/libXpm/dist/src/CrPFrDat.c:1.1.1.2 Sun Nov 8 09:43:21 2009
+++ xsrc/external/mit/libXpm/dist/src/CrPFrDat.c Wed Oct 4 15:12:26 2023
@@ -46,7 +46,7 @@ XpmCreatePixmapFromData(
Pixmap *shapemask_return,
XpmAttributes *attributes)
{
- XImage *ximage, *shapeimage;
+ XImage *ximage = NULL, *shapeimage = NULL;
int ErrorStatus;
/* initialize return values */
@@ -63,19 +63,34 @@ XpmCreatePixmapFromData(
attributes);
if (ErrorStatus != XpmSuccess)
- return (ErrorStatus);
-
- if (ErrorStatus < 0) /* fatal error */
- return (ErrorStatus);
+ goto cleanup;
/* create the pixmaps and destroy images */
if (pixmap_return && ximage) {
- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
- XDestroyImage(ximage);
+ ErrorStatus =
+ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+ if (ErrorStatus < 0) /* fatal error */
+ goto cleanup;
}
if (shapemask_return && shapeimage) {
- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+ ErrorStatus =
+ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+ }
+
+ cleanup:
+ if (ximage != NULL)
+ XDestroyImage(ximage);
+ if (shapeimage != NULL)
XDestroyImage(shapeimage);
+ if (ErrorStatus < 0) {
+ if (pixmap_return && *pixmap_return) {
+ XFreePixmap(display, *pixmap_return);
+ *pixmap_return = 0;
+ }
+ if (shapemask_return && *shapemask_return) {
+ XFreePixmap(display, *shapemask_return);
+ *shapemask_return = 0;
+ }
}
return (ErrorStatus);
}
Index: xsrc/external/mit/libXpm/dist/src/CrPFrI.c
diff -u xsrc/external/mit/libXpm/dist/src/CrPFrI.c:1.1.1.2 xsrc/external/mit/libXpm/dist/src/CrPFrI.c:1.1.1.2.18.1
--- xsrc/external/mit/libXpm/dist/src/CrPFrI.c:1.1.1.2 Sun Nov 8 09:43:21 2009
+++ xsrc/external/mit/libXpm/dist/src/CrPFrI.c Wed Oct 4 15:12:26 2023
@@ -36,8 +36,9 @@
#include <config.h>
#endif
#include "XpmI.h"
+#include <stdint.h>
-void
+int
xpmCreatePixmapFromImage(
Display *display,
Drawable d,
@@ -47,6 +48,11 @@ xpmCreatePixmapFromImage(
GC gc;
XGCValues values;
+ /* X Pixmaps are limited to unsigned 16-bit height/width */
+ if ((ximage->width > UINT16_MAX) || (ximage->height > UINT16_MAX)) {
+ return XpmNoMemory;
+ }
+
*pixmap_return = XCreatePixmap(display, d, ximage->width,
ximage->height, ximage->depth);
/* set fg and bg in case we have an XYBitmap */
@@ -59,4 +65,6 @@ xpmCreatePixmapFromImage(
ximage->width, ximage->height);
XFreeGC(display, gc);
+
+ return XpmSuccess;
}
Index: xsrc/external/mit/libXpm/dist/src/RdFToP.c
diff -u xsrc/external/mit/libXpm/dist/src/RdFToP.c:1.1.1.3 xsrc/external/mit/libXpm/dist/src/RdFToP.c:1.1.1.3.10.1
--- xsrc/external/mit/libXpm/dist/src/RdFToP.c:1.1.1.3 Sun Mar 16 22:20:04 2014
+++ xsrc/external/mit/libXpm/dist/src/RdFToP.c Wed Oct 4 15:12:26 2023
@@ -46,7 +46,7 @@ XpmReadFileToPixmap(
Pixmap *shapemask_return,
XpmAttributes *attributes)
{
- XImage *ximage, *shapeimage;
+ XImage *ximage = NULL, *shapeimage = NULL;
int ErrorStatus;
/* initialize return values */
@@ -62,16 +62,34 @@ XpmReadFileToPixmap(
attributes);
if (ErrorStatus < 0) /* fatal error */
- return (ErrorStatus);
+ goto cleanup;
/* create the pixmaps and destroy images */
if (pixmap_return && ximage) {
- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
- XDestroyImage(ximage);
+ ErrorStatus =
+ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+ if (ErrorStatus < 0) /* fatal error */
+ goto cleanup;
}
if (shapemask_return && shapeimage) {
- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+ ErrorStatus =
+ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+ }
+
+ cleanup:
+ if (ximage != NULL)
+ XDestroyImage(ximage);
+ if (shapeimage != NULL)
XDestroyImage(shapeimage);
+ if (ErrorStatus < 0) {
+ if (pixmap_return && *pixmap_return) {
+ XFreePixmap(display, *pixmap_return);
+ *pixmap_return = 0;
+ }
+ if (shapemask_return && *shapemask_return) {
+ XFreePixmap(display, *shapemask_return);
+ *shapemask_return = 0;
+ }
}
return (ErrorStatus);
}
Index: xsrc/external/mit/libXpm/dist/src/XpmI.h
diff -u xsrc/external/mit/libXpm/dist/src/XpmI.h:1.1.1.3 xsrc/external/mit/libXpm/dist/src/XpmI.h:1.1.1.3.12.1
--- xsrc/external/mit/libXpm/dist/src/XpmI.h:1.1.1.3 Fri May 31 01:09:03 2013
+++ xsrc/external/mit/libXpm/dist/src/XpmI.h Wed Oct 4 15:12:26 2023
@@ -188,8 +188,8 @@ FUNC(xpmSetAttributes, void, (XpmAttribu
XpmInfo *info));
#if !defined(FOR_MSW) && !defined(AMIGA)
-FUNC(xpmCreatePixmapFromImage, void, (Display *display, Drawable d,
- XImage *ximage, Pixmap *pixmap_return));
+FUNC(xpmCreatePixmapFromImage, int, (Display *display, Drawable d,
+ XImage *ximage, Pixmap *pixmap_return));
FUNC(xpmCreateImageFromPixmap, void, (Display *display, Pixmap pixmap,
XImage **ximage_return,
Index: xsrc/external/mit/libXpm/dist/src/create.c
diff -u xsrc/external/mit/libXpm/dist/src/create.c:1.3.4.1 xsrc/external/mit/libXpm/dist/src/create.c:1.3.4.2
--- xsrc/external/mit/libXpm/dist/src/create.c:1.3.4.1 Mon Jan 23 13:40:00 2023
+++ xsrc/external/mit/libXpm/dist/src/create.c Wed Oct 4 15:12:26 2023
@@ -997,6 +997,11 @@ CreateXImage(
*image_return = NULL;
return XpmNoMemory;
}
+ if (width != 0 && (*image_return)->bits_per_pixel >= INT_MAX / width) {
+ XDestroyImage(*image_return);
+ *image_return = NULL;
+ return XpmNoMemory;
+ }
/* now that bytes_per_line must have been set properly alloc data */
if((*image_return)->bytes_per_line == 0 || height == 0) {
XDestroyImage(*image_return);
@@ -1652,7 +1657,7 @@ XpmCreatePixmapFromXpmImage(
Pixmap *shapemask_return,
XpmAttributes *attributes)
{
- XImage *ximage, *shapeimage;
+ XImage *ximage = NULL, *shapeimage = NULL;
int ErrorStatus;
/* initialize return values */
@@ -1668,16 +1673,34 @@ XpmCreatePixmapFromXpmImage(
&shapeimage : NULL),
attributes);
if (ErrorStatus < 0)
- return (ErrorStatus);
+ goto cleanup;
/* create the pixmaps and destroy images */
if (pixmap_return && ximage) {
- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
- XDestroyImage(ximage);
+ ErrorStatus =
+ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+ if (ErrorStatus < 0) /* fatal error */
+ goto cleanup;
}
if (shapemask_return && shapeimage) {
- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+ ErrorStatus =
+ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+ }
+
+ cleanup:
+ if (ximage != NULL)
+ XDestroyImage(ximage);
+ if (shapeimage != NULL)
XDestroyImage(shapeimage);
+ if (ErrorStatus < 0) {
+ if (pixmap_return && *pixmap_return) {
+ XFreePixmap(display, *pixmap_return);
+ *pixmap_return = 0;
+ }
+ if (shapemask_return && *shapemask_return) {
+ XFreePixmap(display, *shapemask_return);
+ *shapemask_return = 0;
+ }
}
return (ErrorStatus);
}
Index: xsrc/external/mit/libXpm/dist/src/data.c
diff -u xsrc/external/mit/libXpm/dist/src/data.c:1.1.1.4.12.1 xsrc/external/mit/libXpm/dist/src/data.c:1.1.1.4.12.2
--- xsrc/external/mit/libXpm/dist/src/data.c:1.1.1.4.12.1 Mon Jan 23 13:40:00 2023
+++ xsrc/external/mit/libXpm/dist/src/data.c Wed Oct 4 15:12:26 2023
@@ -108,7 +108,7 @@ ParseComment(xpmData *data)
n++;
s2++;
} while (c == *s2 && *s2 != '\0' && c);
- if (*s2 == '\0') {
+ if (*s2 == '\0' || c == '\0') {
/* this is the end of the comment */
notend = 0;
data->cptr--;
@@ -259,13 +259,13 @@ xpmNextWord(
int c;
if (!data->type || data->type == XPMBUFFER) {
- while (isspace(c = *data->cptr) && c != data->Eos)
+ while ((c = *data->cptr) && isspace(c) && (c != data->Eos))
data->cptr++;
do {
c = *data->cptr++;
*buf++ = c;
n++;
- } while (!isspace(c) && c != data->Eos && n < buflen);
+ } while (c && !isspace(c) && (c != data->Eos) && (n < buflen));
n--;
data->cptr--;
} else {
