diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2023-06-07 16:45:16 -0700 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2023-06-07 16:45:16 -0700 |
commit | 47ea85400b4ef036bd328e45b8fb9102ed2b9a53 (patch) | |
tree | a573081406fc119597fd2afe41e9047622216c59 | |
parent | 223f1dd3c5bf050daf390606c5804a509eddb8bf (diff) |
Tests for Xlib CVE-2023-3138 by returning out-of-range values for
the extension's first_event and first_error codes.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r-- | tests/libXrandr/Makefile.am | 1 | ||||
-rw-r--r-- | tests/libXrandr/XRRQueryVersion.c | 77 |
2 files changed, 78 insertions, 0 deletions
diff --git a/tests/libXrandr/Makefile.am b/tests/libXrandr/Makefile.am index 1ae60f9..002e375 100644 --- a/tests/libXrandr/Makefile.am +++ b/tests/libXrandr/Makefile.am @@ -23,6 +23,7 @@ noinst_PROGRAMS = XRRGetOutputProperty noinst_PROGRAMS += XRRQueryOutputProperty +noinst_PROGRAMS += XRRQueryVersion if HAVE_XRANDR_14 noinst_PROGRAMS += XRRGetProviderInfo noinst_PROGRAMS += XRRGetProviderProperty diff --git a/tests/libXrandr/XRRQueryVersion.c b/tests/libXrandr/XRRQueryVersion.c new file mode 100644 index 0000000..f9e023d --- /dev/null +++ b/tests/libXrandr/XRRQueryVersion.c @@ -0,0 +1,77 @@ +/* + * Copyright (c) 2013, 2023, Oracle and/or its affiliates. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice (including the next + * paragraph) shall be included in all copies or substantial portions of the + * Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + +#include "xhiv.h" +#include <X11/Xlib.h> +#include <X11/Xlibint.h> +#include "xhiv-Xrandr.h" +#include <assert.h> +#include <stdio.h> +#include <limits.h> + +static void +testOverflowFields(void) +{ + const xQueryExtensionReply overflow_xrandr_qext_reply = { + .type = X_Reply, + .length = 0, + .present = xTrue, + .major_opcode = MY_XRANDR_EXT_CODE, + .first_event = 255, /* Only events < 128 are allowed in protocol */ + .first_error = 255 + }; + Display *dpy, *saved_dpy; + int major = MY_XRANDR_MAJOR_VERSION; + int minor = MY_XRANDR_MINOR_VERSION; + int status; + + xrandr_qext_response.response_data = &overflow_xrandr_qext_reply; + + dpy = XhivOpenDisplay(&xrandr_vers_response); + saved_dpy = calloc(1, sizeof(Display)); + assert(saved_dpy != NULL); + memcpy(saved_dpy, dpy, sizeof(Display)); + + printf("XRRQueryVersion: overflow event id test\n"); + status = XRRQueryVersion(dpy, &major, &minor); + assert(status != 0); + /* check that event_vec didn't overflow into wire_vec */ + for (int i = 0 ; i < 127; i++) { + assert(dpy->wire_vec[i] == saved_dpy->wire_vec[i]); + } + /* check that wire_vec didn't overflow into following field */ + assert(dpy->lock_meaning == saved_dpy->lock_meaning); + + XhivCloseDisplay(dpy); +} + +int +main(int argc, char **argv) +{ + testOverflowFields(); + printf("XRRQueryVersion: all tests passed\n"); + return 0; +} |