authorAlan Coopersmith <alan.coopersmith@oracle.com>2023-06-07 16:45:16 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2023-06-07 16:45:16 -0700
commit47ea85400b4ef036bd328e45b8fb9102ed2b9a53 (patch)
treea573081406fc119597fd2afe41e9047622216c59
parent223f1dd3c5bf050daf390606c5804a509eddb8bf (diff)
XRRQueryVersion: add test for XQueryExtension overflow
Tests for Xlib CVE-2023-3138 by returning out-of-range values for the extension's first_event and first_error codes. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--tests/libXrandr/Makefile.am1
-rw-r--r--tests/libXrandr/XRRQueryVersion.c77
2 files changed, 78 insertions, 0 deletions
diff --git a/tests/libXrandr/Makefile.am b/tests/libXrandr/Makefile.am
index 1ae60f9..002e375 100644
--- a/tests/libXrandr/Makefile.am
+++ b/tests/libXrandr/Makefile.am
@@ -23,6 +23,7 @@
noinst_PROGRAMS = XRRGetOutputProperty
noinst_PROGRAMS += XRRQueryOutputProperty
+noinst_PROGRAMS += XRRQueryVersion
if HAVE_XRANDR_14
noinst_PROGRAMS += XRRGetProviderInfo
noinst_PROGRAMS += XRRGetProviderProperty
diff --git a/tests/libXrandr/XRRQueryVersion.c b/tests/libXrandr/XRRQueryVersion.c
new file mode 100644
index 0000000..f9e023d
--- /dev/null
+++ b/tests/libXrandr/XRRQueryVersion.c
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2013, 2023, Oracle and/or its affiliates.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice (including the next
+ * paragraph) shall be included in all copies or substantial portions of the
+ * Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "xhiv.h"
+#include <X11/Xlib.h>
+#include <X11/Xlibint.h>
+#include "xhiv-Xrandr.h"
+#include <assert.h>
+#include <stdio.h>
+#include <limits.h>
+
+static void
+testOverflowFields(void)
+{
+ const xQueryExtensionReply overflow_xrandr_qext_reply = {
+ .type = X_Reply,
+ .length = 0,
+ .present = xTrue,
+ .major_opcode = MY_XRANDR_EXT_CODE,
+ .first_event = 255, /* Only events < 128 are allowed in protocol */
+ .first_error = 255
+ };
+ Display *dpy, *saved_dpy;
+ int major = MY_XRANDR_MAJOR_VERSION;
+ int minor = MY_XRANDR_MINOR_VERSION;
+ int status;
+
+ xrandr_qext_response.response_data = &overflow_xrandr_qext_reply;
+
+ dpy = XhivOpenDisplay(&xrandr_vers_response);
+ saved_dpy = calloc(1, sizeof(Display));
+ assert(saved_dpy != NULL);
+ memcpy(saved_dpy, dpy, sizeof(Display));
+
+ printf("XRRQueryVersion: overflow event id test\n");
+ status = XRRQueryVersion(dpy, &major, &minor);
+ assert(status != 0);
+ /* check that event_vec didn't overflow into wire_vec */
+ for (int i = 0 ; i < 127; i++) {
+ assert(dpy->wire_vec[i] == saved_dpy->wire_vec[i]);
+ }
+ /* check that wire_vec didn't overflow into following field */
+ assert(dpy->lock_meaning == saved_dpy->lock_meaning);
+
+ XhivCloseDisplay(dpy);
+}
+
+int
+main(int argc, char **argv)
+{
+ testOverflowFields();
+ printf("XRRQueryVersion: all tests passed\n");
+ return 0;
+}
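Review bot: The loop `for (int i = 0 ; i < 127; i++)` in testOverflowFields compares only wire_vec[0..126], so the final slot is never checked. Xlib declares `wire_vec[128]`, and if that array directly follows a 128-entry `event_vec`, a first_event of 255 would land on exactly the skipped slot. Change the bound to `for (int i = 0; i < 128; i++) {`, or derive it from `sizeof(dpy->wire_vec) / sizeof(dpy->wire_vec[0])`, so the regression test covers the whole array. Separately, `dpy` reaches `memcpy` without a NULL check and `saved_dpy` is never freed; `assert(dpy != NULL);` after `XhivOpenDisplay` and `free(saved_dpy);` before `XhivCloseDisplay(dpy);` would keep the test clean under sanitizers. All checks rely on `assert`, so they compile away if the test is ever built with NDEBUG.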