!25 Fix CVE-2023-43788, CVE-2023-43789

From: @fundawang Reviewed-by: @weigangli Signed-off-by: @weigangli
2023-10-07 08:57:33 +00:00 · 2023-10-07 08:57:33 +00:00 · f7a8acb220
commit f7a8acb220
parent 2f920920ac 61a77ff4b8
5 changed files with 395 additions and 1 deletions
--- a/backport-CVE-2023-43786.patch
+++ b/backport-CVE-2023-43786.patch
@ -0,0 +1,283 @@
 From 84fb14574c039f19ad7face87eb9acc31a50701c Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Wed, 6 Sep 2023 17:34:33 -0700
 Subject: [PATCH] Avoid CVE-2023-43786: stack exhaustion in XPutImage()
 This doesn't fix the CVE - that has to happen in libX11, this
 just tries to avoid triggering it from libXpm, and saves time
 in not pretending we can successfully create an X11 pixmap with
 dimensions larger than the unsigned 16-bit integers used in the
 X11 protocol for the dimensions.
 Reported by Yair Mizrahi of the JFrog Vulnerability Research team
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 src/CrPFrBuf.c | 28 +++++++++++++++++++++++-----
 src/CrPFrDat.c | 31 +++++++++++++++++++++++--------
 src/CrPFrI.c   | 10 +++++++++-
 src/RdFToP.c   | 28 +++++++++++++++++++++++-----
 src/XpmI.h     |  2 +-
 src/create.c   | 28 +++++++++++++++++++++++-----
 6 files changed, 102 insertions(+), 25 deletions(-)
 diff --git a/src/CrPFrBuf.c b/src/CrPFrBuf.c
 index 2c28a41..e9e2243 100644
 --- a/src/CrPFrBuf.c
 +++ b/src/CrPFrBuf.c
@@ -46,7 +46,7 @@ XpmCreatePixmapFromBuffer(
     Pixmap		*shapemask_return,
     XpmAttributes	*attributes)
 {
 -    XImage *ximage, *shapeimage;
 +    XImage *ximage = NULL, *shapeimage = NULL;
     int ErrorStatus;
     /* initialize return values */
@@ -63,16 +63,34 @@ XpmCreatePixmapFromBuffer(
 					   attributes);
     if (ErrorStatus < 0)		/* fatal error */
 -	return (ErrorStatus);
 +	goto cleanup;
     /* create the pixmaps and destroy images */
     if (pixmap_return && ximage) {
 -	xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
 -	XDestroyImage(ximage);
 +	ErrorStatus =
 +	    xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
 +	if (ErrorStatus < 0)		/* fatal error */
 +	    goto cleanup;
     }
     if (shapemask_return && shapeimage) {
 -	xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
 +	ErrorStatus =
 +	    xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
 +    }
 +
 +  cleanup:
 +    if (ximage != NULL)
 +	XDestroyImage(ximage);
 +    if (shapeimage != NULL)
 	XDestroyImage(shapeimage);
 +    if (ErrorStatus < 0) {
 +	if (pixmap_return && *pixmap_return) {
 +	    XFreePixmap(display, *pixmap_return);
 +	    *pixmap_return = 0;
 +	}
 +	if (shapemask_return && *shapemask_return) {
 +	    XFreePixmap(display, *shapemask_return);
 +	    *shapemask_return = 0;
 +	}
     }
     return (ErrorStatus);
 }
 diff --git a/src/CrPFrDat.c b/src/CrPFrDat.c
 index b65771d..8622663 100644
 --- a/src/CrPFrDat.c
 +++ b/src/CrPFrDat.c
@@ -46,7 +46,7 @@ XpmCreatePixmapFromData(
     Pixmap		 *shapemask_return,
     XpmAttributes	 *attributes)
 {
 -    XImage *ximage, *shapeimage;
 +    XImage *ximage = NULL, *shapeimage = NULL;
     int ErrorStatus;
     /* initialize return values */
@@ -63,19 +63,34 @@ XpmCreatePixmapFromData(
 					 attributes);
     if (ErrorStatus != XpmSuccess)
 -	return (ErrorStatus);
 -
 -    if (ErrorStatus < 0)		/* fatal error */
 -	return (ErrorStatus);
 +	goto cleanup;
     /* create the pixmaps and destroy images */
     if (pixmap_return && ximage) {
 -	xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
 -	XDestroyImage(ximage);
 +	ErrorStatus =
 +	    xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
 +	if (ErrorStatus < 0)		/* fatal error */
 +	    goto cleanup;
     }
     if (shapemask_return && shapeimage) {
 -	xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
 +	ErrorStatus =
 +	    xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
 +    }
 +
 +  cleanup:
 +    if (ximage != NULL)
 +	XDestroyImage(ximage);
 +    if (shapeimage != NULL)
 	XDestroyImage(shapeimage);
 +    if (ErrorStatus < 0) {
 +	if (pixmap_return && *pixmap_return) {
 +	    XFreePixmap(display, *pixmap_return);
 +	    *pixmap_return = 0;
 +	}
 +	if (shapemask_return && *shapemask_return) {
 +	    XFreePixmap(display, *shapemask_return);
 +	    *shapemask_return = 0;
 +	}
     }
     return (ErrorStatus);
 }
 diff --git a/src/CrPFrI.c b/src/CrPFrI.c
 index 8f6f4aa..f6688c5 100644
 --- a/src/CrPFrI.c
 +++ b/src/CrPFrI.c
@@ -36,8 +36,9 @@
 #include <config.h>
 #endif
 #include "XpmI.h"
 +#include <stdint.h>
 -void
 +int
 xpmCreatePixmapFromImage(
     Display	*display,
     Drawable	 d,
@@ -47,6 +48,11 @@ xpmCreatePixmapFromImage(
     GC gc;
     XGCValues values;
 +    /* X Pixmaps are limited to unsigned 16-bit height/width */
 +    if ((ximage->width > UINT16_MAX) || (ximage->height > UINT16_MAX)) {
 +	return XpmNoMemory;
 +    }
 +
     *pixmap_return = XCreatePixmap(display, d, ximage->width,
 				   ximage->height, ximage->depth);
     /* set fg and bg in case we have an XYBitmap */
@@ -59,4 +65,6 @@ xpmCreatePixmapFromImage(
 	      ximage->width, ximage->height);
     XFreeGC(display, gc);
 +
 +    return XpmSuccess;
 }
 diff --git a/src/RdFToP.c b/src/RdFToP.c
 index f829757..2c3e7f9 100644
 --- a/src/RdFToP.c
 +++ b/src/RdFToP.c
@@ -46,7 +46,7 @@ XpmReadFileToPixmap(
     Pixmap		*shapemask_return,
     XpmAttributes	*attributes)
 {
 -    XImage *ximage, *shapeimage;
 +    XImage *ximage = NULL, *shapeimage = NULL;
     int ErrorStatus;
     /* initialize return values */
@@ -62,16 +62,34 @@ XpmReadFileToPixmap(
 				     attributes);
     if (ErrorStatus < 0)		/* fatal error */
 -	return (ErrorStatus);
 +	goto cleanup;
     /* create the pixmaps and destroy images */
     if (pixmap_return && ximage) {
 -	xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
 -	XDestroyImage(ximage);
 +	ErrorStatus =
 +	    xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
 +	if (ErrorStatus < 0)		/* fatal error */
 +	    goto cleanup;
     }
     if (shapemask_return && shapeimage) {
 -	xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
 +	ErrorStatus =
 +	    xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
 +    }
 +
 +  cleanup:
 +    if (ximage != NULL)
 +	XDestroyImage(ximage);
 +    if (shapeimage != NULL)
 	XDestroyImage(shapeimage);
 +    if (ErrorStatus < 0) {
 +	if (pixmap_return && *pixmap_return) {
 +	    XFreePixmap(display, *pixmap_return);
 +	    *pixmap_return = 0;
 +	}
 +	if (shapemask_return && *shapemask_return) {
 +	    XFreePixmap(display, *shapemask_return);
 +	    *shapemask_return = 0;
 +	}
     }
     return (ErrorStatus);
 }
 diff --git a/src/create.c b/src/create.c
 index 4921c7d..ec562b2 100644
 --- a/src/create.c
 +++ b/src/create.c
@@ -1652,7 +1652,7 @@ XpmCreatePixmapFromXpmImage(
     Pixmap		*shapemask_return,
     XpmAttributes	*attributes)
 {
 -    XImage *ximage, *shapeimage;
 +    XImage *ximage = NULL, *shapeimage = NULL;
     int ErrorStatus;
     /* initialize return values */
@@ -1668,16 +1668,34 @@ XpmCreatePixmapFromXpmImage(
 					      &shapeimage : NULL),
 					     attributes);
     if (ErrorStatus < 0)
 -	return (ErrorStatus);
 +	goto cleanup;
     /* create the pixmaps and destroy images */
     if (pixmap_return && ximage) {
 -	xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
 -	XDestroyImage(ximage);
 +	ErrorStatus =
 +	    xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
 +	if (ErrorStatus < 0)		/* fatal error */
 +	    goto cleanup;
     }
     if (shapemask_return && shapeimage) {
 -	xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
 +	ErrorStatus =
 +	    xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
 +    }
 +
 +  cleanup:
 +    if (ximage != NULL)
 +	XDestroyImage(ximage);
 +    if (shapeimage != NULL)
 	XDestroyImage(shapeimage);
 +    if (ErrorStatus < 0) {
 +	if (pixmap_return && *pixmap_return) {
 +	    XFreePixmap(display, *pixmap_return);
 +	    *pixmap_return = 0;
 +	}
 +	if (shapemask_return && *shapemask_return) {
 +	    XFreePixmap(display, *shapemask_return);
 +	    *shapemask_return = 0;
 +	}
     }
     return (ErrorStatus);
 }
 diff --git a/src/XpmI.h b/src/XpmI.h
 index ab7a680..6691693 100644
 --- a/src/XpmI.h
 +++ b/src/XpmI.h
@@ -188,7 +188,7 @@
 			      XpmInfo *info));
 #if !defined(FOR_MSW) && !defined(AMIGA)
 -FUNC(xpmCreatePixmapFromImage, void, (Display *display, Drawable d,
 +FUNC(xpmCreatePixmapFromImage, int, (Display *display, Drawable d,
 				      XImage *ximage, Pixmap *pixmap_return));
 FUNC(xpmCreateImageFromPixmap, void, (Display *display, Pixmap pixmap,
 -- 
 GitLab
--- a/backport-CVE-2023-43787.patch
+++ b/backport-CVE-2023-43787.patch
@ -0,0 +1,35 @@
 From 91f887b41bf75648df725a4ed3be036da02e911e Mon Sep 17 00:00:00 2001
 From: Yair Mizrahi <yairm@jfrog.com>
 Date: Thu, 7 Sep 2023 16:59:07 -0700
 Subject: [PATCH] Avoid CVE-2023-43787 (integer overflow in XCreateImage)
 This doesn't fix the CVE - that has to happen in libX11, this
 just tries to avoid triggering it from libXpm, and saves time
 in not pretending we can successfully create an X Image for
 which the width * depth would overflow the signed int used to
 store the bytes_per_line value.
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 src/create.c | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/src/create.c b/src/create.c
 index ec562b2..b8c80d2 100644
 --- a/src/create.c
 +++ b/src/create.c
@@ -997,6 +997,11 @@ CreateXImage(
 	*image_return = NULL;
 	return XpmNoMemory;
     }
 +    if (width != 0 && (*image_return)->bits_per_pixel >= INT_MAX / width) {
 +	XDestroyImage(*image_return);
 +	*image_return = NULL;
 +	return XpmNoMemory;
 +    }
     /* now that bytes_per_line must have been set properly alloc data */
     if((*image_return)->bytes_per_line == 0 ||  height == 0) {
 	XDestroyImage(*image_return);
 -- 
 GitLab
--- a/backport-CVE-2023-43788.patch
+++ b/backport-CVE-2023-43788.patch
@ -0,0 +1,32 @@
 From 2fa554b01ef6079a9b35df9332bdc4f139ed67e0 Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Sat, 29 Apr 2023 17:50:39 -0700
 Subject: [PATCH] Fix CVE-2023-43788: Out of bounds read in
 XpmCreateXpmImageFromBuffer
 When the test case for CVE-2022-46285 was run with the Address Sanitizer
 enabled, it found an out-of-bounds read in ParseComment() when reading
 from a memory buffer instead of a file, as it continued to look for the
 closing comment marker past the end of the buffer.
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 src/data.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/data.c b/src/data.c
 index 7524e65..0b0f1f3 100644
 --- a/src/data.c
 +++ b/src/data.c
@@ -108,7 +108,7 @@ ParseComment(xpmData *data)
 		n++;
 		s2++;
 	    } while (c == *s2 && *s2 != '\0' && c);
 -	    if (*s2 == '\0') {
 +	    if (*s2 == '\0' || c == '\0') {
 		/* this is the end of the comment */
 		notend = 0;
 		data->cptr--;
 -- 
 GitLab
--- a/backport-CVE-2023-43789.patch
+++ b/backport-CVE-2023-43789.patch
@ -0,0 +1,36 @@
 From 7e21cb63b9a1ca760a06cc4cd9b19bbc3fcd8f51 Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Sat, 29 Apr 2023 18:30:34 -0700
 Subject: [PATCH] Fix CVE-2023-43789: Out of bounds read on XPM with corrupted
 colormap
 Found with clang's libfuzzer
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 src/data.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/data.c b/src/data.c
 index 0b0f1f3..6e87455 100644
 --- a/src/data.c
 +++ b/src/data.c
@@ -259,13 +259,13 @@ xpmNextWord(
     int c;
     if (!data->type || data->type == XPMBUFFER) {
 -	while (isspace(c = *data->cptr) && c != data->Eos)
 +	while ((c = *data->cptr) && isspace(c) && (c != data->Eos))
 	    data->cptr++;
 	do {
 	    c = *data->cptr++;
 	    *buf++ = c;
 	    n++;
 -	} while (!isspace(c) && c != data->Eos && n < buflen);
 +	} while (c && !isspace(c) && (c != data->Eos) && (n < buflen));
 	n--;
 	data->cptr--;
     } else {
 -- 
 GitLab
--- a/libXpm.spec
+++ b/libXpm.spec
@ -1,6 +1,6 @@
 Name:           libXpm
 Version:        3.5.13
-Release:        4
+Release:        5
 License:        MIT
 Summary:        X.Org X11 libXpm runtime library
 URL:            https://www.x.org
@ -12,6 +12,10 @@ Patch6002:      backport-CVE-2022-46285.patch
 Patch6003:      backport-0001-CVE-2022-4883.patch
 Patch6004:      backport-0002-CVE-2022-4883.patch
 Patch6005:      backport-0003-CVE-2022-4883.patch
 Patch6006:	backport-CVE-2023-43786.patch
 Patch6007:	backport-CVE-2023-43787.patch
 Patch6008:	backport-CVE-2023-43788.patch
 Patch6009:	backport-CVE-2023-43789.patch
 BuildRequires:  xorg-x11-util-macros autoconf automake libtool
 BuildRequires:  gettext libXau-devel libXext-devel libXt-devel
@ -63,6 +67,10 @@ autoreconf -ivf
 %{_mandir}/man1/*.1*
 %changelog
 * Wed Oct 04 2023 Funda Wang <fundawang@yeah.net> - 3.5.13-5
 - Add patches harden CVE-2023-43786, CVE-2023-43787
 - Fix CVE-2023-43788, CVE-2023-43789
 * Wed Feb 01 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 3.5.13-4
 - fix CVE-2022-44617,CVE-2022-46285,CVE-2022-4883