diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2023-09-07 15:54:30 -0700 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2023-09-22 15:12:03 -0700 |
commit | 204c3393c4c90a29ed6bef64e43849536e863a86 (patch) | |
tree | 0fadbd91c88f07599cdf733e5d5583b7a918560b | |
parent | 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f (diff) |
CVE-2023-43786: stack exhaustion from infinite recursion in PutSubImage()
When splitting a single line of pixels into chunks to send to the
X server, be sure to take into account the number of bits per pixel,
so we don't just loop forever trying to send more pixels than fit in
the given request size and not breaking them down into a small enough
chunk to fix.
Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r-- | src/PutImage.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/PutImage.c b/src/PutImage.c index 857ee916..a6db7b42 100644 --- a/src/PutImage.c +++ b/src/PutImage.c @@ -914,8 +914,9 @@ PutSubImage ( req_width, req_height - SubImageHeight, dest_bits_per_pixel, dest_scanline_pad); } else { - int SubImageWidth = (((Available << 3) / dest_scanline_pad) - * dest_scanline_pad) - left_pad; + int SubImageWidth = ((((Available << 3) / dest_scanline_pad) + * dest_scanline_pad) - left_pad) + / dest_bits_per_pixel; PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y, (unsigned int) SubImageWidth, 1, |