CVE-2023-43786: stack exhaustion from infinite recursion in PutSubImage()

When splitting a single line of pixels into chunks to send to the X server, be sure to take into account the number of bits per pixel, so we don't just loop forever trying to send more pixels than fit in the given request size and not breaking them down into a small enough chunk to fix. Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
author: Alan Coopersmith <alan.coopersmith@oracle.com> 2023-09-07 15:54:30 -0700
committer: Alan Coopersmith <alan.coopersmith@oracle.com> 2023-09-22 15:12:03 -0700
commit: 204c3393c4c90a29ed6bef64e43849536e863a86 (patch)
tree: 0fadbd91c88f07599cdf733e5d5583b7a918560b
parent: 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/src/PutImage.c b/src/PutImage.c
index 857ee916..a6db7b42 100644
--- a/src/PutImage.c
+++ b/src/PutImage.c
@@ -914,8 +914,9 @@ PutSubImage (
 		    req_width, req_height - SubImageHeight,
 		    dest_bits_per_pixel, dest_scanline_pad);
     } else {
-	int SubImageWidth = (((Available << 3) / dest_scanline_pad)
-				* dest_scanline_pad) - left_pad;
+	int SubImageWidth = ((((Available << 3) / dest_scanline_pad)
+                              * dest_scanline_pad) - left_pad)
+                              / dest_bits_per_pixel;
 
 	PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y,
 		    (unsigned int) SubImageWidth, 1,
author	Alan Coopersmith <alan.coopersmith@oracle.com>	2023-09-07 15:54:30 -0700
committer	Alan Coopersmith <alan.coopersmith@oracle.com>	2023-09-22 15:12:03 -0700
commit	204c3393c4c90a29ed6bef64e43849536e863a86 (patch)
tree	0fadbd91c88f07599cdf733e5d5583b7a918560b
parent	6858d468d9ca55fb4c5fd70b223dbc78a3358a7f (diff)