From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Thu, 7 Sep 2023 15:54:30 -0700 Subject: [PATCH] CVE-2023-43786: stack exhaustion from infinite recursion in PutSubImage() When splitting a single line of pixels into chunks to send to the X server, be sure to take into account the number of bits per pixel, so we don't just loop forever trying to send more pixels than fit in the given request size and not breaking them down into a small enough chunk to fix. Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2 Signed-off-by: Alan Coopersmith Upstream-Status: Backport from [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/204c3393c4c90a29ed6bef64e43849536e863a86] CVE: CVE-2023-43786 Signed-off-by: Siddharth Doshi --- src/PutImage.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/PutImage.c b/src/PutImage.c index 857ee91..a6db7b4 100644 --- a/src/PutImage.c +++ b/src/PutImage.c @@ -914,8 +914,9 @@ PutSubImage ( req_width, req_height - SubImageHeight, dest_bits_per_pixel, dest_scanline_pad); } else { - int SubImageWidth = (((Available << 3) / dest_scanline_pad) - * dest_scanline_pad) - left_pad; + int SubImageWidth = ((((Available << 3) / dest_scanline_pad) + * dest_scanline_pad) - left_pad) + / dest_bits_per_pixel; PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y, (unsigned int) SubImageWidth, 1, -- 2.35.7