diff options
author | Yair Mizrahi <yairm@jfrog.com> | 2023-09-07 16:59:07 -0700 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2023-10-03 08:29:01 -0700 |
commit | 91f887b41bf75648df725a4ed3be036da02e911e (patch) | |
tree | e2bba4e2a4a7d278ae1b96ffa93f6b7ca8c3adee /src | |
parent | 00348988396c88150f6ddfea3d3195cbf01d60c2 (diff) |
Avoid CVE-2023-43787 (integer overflow in XCreateImage)
This doesn't fix the CVE - that has to happen in libX11, this
just tries to avoid triggering it from libXpm, and saves time
in not pretending we can successfully create an X Image for
which the width * depth would overflow the signed int used to
store the bytes_per_line value.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/create.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/create.c b/src/create.c index ec562b2..b8c80d2 100644 --- a/src/create.c +++ b/src/create.c @@ -997,6 +997,11 @@ CreateXImage( *image_return = NULL; return XpmNoMemory; } + if (width != 0 && (*image_return)->bits_per_pixel >= INT_MAX / width) { + XDestroyImage(*image_return); + *image_return = NULL; + return XpmNoMemory; + } /* now that bytes_per_line must have been set properly alloc data */ if((*image_return)->bytes_per_line == 0 || height == 0) { XDestroyImage(*image_return); |