authorYair Mizrahi <yairm@jfrog.com>2023-09-07 16:15:32 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2023-09-22 15:15:34 -0700
commit7916869d16bdd115ac5be30a67c3749907aea6a0 (patch)
tree82917a0b68200af2d5b58d5eb574714d8dcad265
parentb4031fc023816aca07fbd592ed97010b9b48784b (diff)
CVE-2023-43787: Integer overflow in XCreateImage() leading to a heap overflow
When the format is `Pixmap` it calculates the size of the image data as: ROUNDUP((bits_per_pixel * width), image->bitmap_pad); There is no validation on the `width` of the image, and so this calculation exceeds the capacity of a 4-byte integer, causing an overflow. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--src/ImUtil.c20
1 files changed, 15 insertions, 5 deletions
diff --git a/src/ImUtil.c b/src/ImUtil.c
index 36f08a03..fbfad33e 100644
--- a/src/ImUtil.c
+++ b/src/ImUtil.c
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
#include <X11/Xlibint.h>
#include <X11/Xutil.h>
#include <stdio.h>
+#include <limits.h>
#include "ImUtil.h"
static int _XDestroyImage(XImage *);
@@ -361,13 +362,22 @@ XImage *XCreateImage (
/*
* compute per line accelerator.
*/
- {
- if (format == ZPixmap)
+ if (format == ZPixmap) {
+ if ((INT_MAX / bits_per_pixel) < width) {
+ Xfree(image);
+ return NULL;
+ }
+
min_bytes_per_line =
- ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
- else
+ ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
+ } else {
+ if ((INT_MAX - offset) < width) {
+ Xfree(image);
+ return NULL;
+ }
+
min_bytes_per_line =
- ROUNDUP((width + offset), image->bitmap_pad);
+ ROUNDUP((width + offset), image->bitmap_pad);
}
if (image_bytes_per_line == 0) {
image->bytes_per_line = min_bytes_per_line;
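Review bot: The two new guards are only well-defined under preconditions this hunk does not show: `INT_MAX / bits_per_pixel` requires `bits_per_pixel` to be nonzero, and `INT_MAX - offset` is itself a signed overflow if `offset` is negative. XCreateImage's body starts and ends outside the hunk, so both may already be validated earlier. If they are, a comment above the guards would record the dependency, for example `/* offset >= 0 and bits_per_pixel > 0 were checked above; reject widths whose bit count would not fit in an int */`. If they are not, the guards should carry the check themselves, e.g. `if (bits_per_pixel <= 0 || (INT_MAX / bits_per_pixel) < width)` and `if (offset < 0 || (INT_MAX - offset) < width)`. The duplicated `Xfree(image); return NULL;` pair could also share one exit path, so a later cleanup change cannot miss one branch.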