Fixes CVE-2023-3138: X servers could return values from XQueryExtension
that would cause Xlib to write entries outside the bounds of the arrays that store them, though this would only overwrite other parts of the Display struct, not memory outside the bounds allocated for that structure.
parent
5c9a98ac12
commit
dbccd1baf8
|
@ -33,6 +33,18 @@ from The Open Group.
|
||||||
#include <X11/Xos.h>
|
#include <X11/Xos.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
|
|
||||||
|
/* The X11 protocol spec reserves events 64 through 127 for extensions */
|
||||||
|
#ifndef LastExtensionEvent
|
||||||
|
#define LastExtensionEvent 127
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* The X11 protocol spec reserves requests 128 through 255 for extensions */
|
||||||
|
#ifndef LastExtensionRequest
|
||||||
|
#define FirstExtensionRequest 128
|
||||||
|
#define LastExtensionRequest 255
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* This routine is used to link a extension in so it will be called
|
* This routine is used to link a extension in so it will be called
|
||||||
* at appropriate times.
|
* at appropriate times.
|
||||||
|
@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
|
||||||
WireToEventType proc) /* routine to call when converting event */
|
WireToEventType proc) /* routine to call when converting event */
|
||||||
{
|
{
|
||||||
register WireToEventType oldproc;
|
register WireToEventType oldproc;
|
||||||
|
if (event_number < 0 ||
|
||||||
|
event_number > LastExtensionEvent) {
|
||||||
|
fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
|
||||||
|
event_number);
|
||||||
|
return (WireToEventType)_XUnknownWireEvent;
|
||||||
|
}
|
||||||
if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
|
if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
|
||||||
LockDisplay (dpy);
|
LockDisplay (dpy);
|
||||||
oldproc = dpy->event_vec[event_number];
|
oldproc = dpy->event_vec[event_number];
|
||||||
|
@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie(
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
WireToEventCookieType oldproc;
|
WireToEventCookieType oldproc;
|
||||||
|
if (extension < FirstExtensionRequest ||
|
||||||
|
extension > LastExtensionRequest) {
|
||||||
|
fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
|
||||||
|
extension);
|
||||||
|
return (WireToEventCookieType)_XUnknownWireEventCookie;
|
||||||
|
}
|
||||||
if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie;
|
if (proc == NULL) proc = (WireToEventCookieType)_XUnknownWireEventCookie;
|
||||||
LockDisplay (dpy);
|
LockDisplay (dpy);
|
||||||
oldproc = dpy->generic_event_vec[extension & 0x7F];
|
oldproc = dpy->generic_event_vec[extension & 0x7F];
|
||||||
|
@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie(
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
CopyEventCookieType oldproc;
|
CopyEventCookieType oldproc;
|
||||||
|
if (extension < FirstExtensionRequest ||
|
||||||
|
extension > LastExtensionRequest) {
|
||||||
|
fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
|
||||||
|
extension);
|
||||||
|
return (CopyEventCookieType)_XUnknownCopyEventCookie;
|
||||||
|
}
|
||||||
if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
|
if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
|
||||||
LockDisplay (dpy);
|
LockDisplay (dpy);
|
||||||
oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
|
oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
|
||||||
|
@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
|
||||||
EventToWireType proc) /* routine to call when converting event */
|
EventToWireType proc) /* routine to call when converting event */
|
||||||
{
|
{
|
||||||
register EventToWireType oldproc;
|
register EventToWireType oldproc;
|
||||||
|
if (event_number < 0 ||
|
||||||
|
event_number > LastExtensionEvent) {
|
||||||
|
fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
|
||||||
|
event_number);
|
||||||
|
return (EventToWireType)_XUnknownNativeEvent;
|
||||||
|
}
|
||||||
if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
|
if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
|
||||||
LockDisplay (dpy);
|
LockDisplay (dpy);
|
||||||
oldproc = dpy->wire_vec[event_number];
|
oldproc = dpy->wire_vec[event_number];
|
||||||
|
@ -325,6 +361,12 @@ WireToErrorType XESetWireToError(
|
||||||
WireToErrorType proc) /* routine to call when converting error */
|
WireToErrorType proc) /* routine to call when converting error */
|
||||||
{
|
{
|
||||||
register WireToErrorType oldproc = NULL;
|
register WireToErrorType oldproc = NULL;
|
||||||
|
if (error_number < 0 ||
|
||||||
|
error_number > LastExtensionError) {
|
||||||
|
fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
|
||||||
|
error_number);
|
||||||
|
return (WireToErrorType)_XDefaultWireError;
|
||||||
|
}
|
||||||
if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError;
|
if (proc == NULL) proc = (WireToErrorType)_XDefaultWireError;
|
||||||
LockDisplay (dpy);
|
LockDisplay (dpy);
|
||||||
if (!dpy->error_vec) {
|
if (!dpy->error_vec) {
|
||||||
|
|
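Review bot: The new guards in XESetWireToEvent and XESetEventToWire compare `event_number` with the protocol constant `LastExtensionEvent`, not with the actual dimensions of `dpy->event_vec` and `dpy->wire_vec`, which are declared outside this page. The check therefore prevents the out-of-bounds write only while those arrays keep at least `LastExtensionEvent + 1` entries, so I would record that coupling above the define, e.g. `/* must stay below the dimension of event_vec[] and wire_vec[] in the Display struct */`. `FirstExtensionRequest` is defined only inside `#ifndef LastExtensionRequest`, so a header that supplies `LastExtensionRequest` alone would leave it undefined at the two cookie checks; it should get its own guard, `#ifndef FirstExtensionRequest` / `#define FirstExtensionRequest 128` / `#endif`. `LastExtensionError`, used in XESetWireToError, is not defined anywhere in this diff and presumably comes from a protocol header, which is worth confirming for every supported build. All five function bodies continue outside their hunks, so the stores that follow each guard are not visible here.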