aboutsummaryrefslogtreecommitdiffstats
path: root/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch')
-rw-r--r--meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch68
1 files changed, 68 insertions, 0 deletions
diff --git a/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch
new file mode 100644
index 000000000..937b2176a
--- /dev/null
+++ b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2021-27135.patch
@@ -0,0 +1,68 @@
+Description: Fix for CVE-2021-27135 from xterm 366
+ Correct upper-limit for selection buffer, accounting for
+ combining characters (report by Tavis Ormandy).
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/x/xterm/344-1%2Bdeb10u1/debian/patches/CVE-2021-27135.diff
+CVE: CVE-2021-27135
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ button.c | 29 +++++++++++++++++++++++++----
+ 1 file changed, 25 insertions(+), 4 deletions(-)
+
+Index: xterm-353/button.c
+===================================================================
+--- xterm-353.orig/button.c
++++ xterm-353/button.c
+@@ -3928,6 +3928,7 @@ SaltTextAway(XtermWidget xw,
+ int i;
+ int eol;
+ int need = 0;
++ size_t have = 0;
+ Char *line;
+ Char *lp;
+ CELL first = *cellc;
+@@ -3962,7 +3963,11 @@ SaltTextAway(XtermWidget xw,
+
+ /* UTF-8 may require more space */
+ if_OPT_WIDE_CHARS(screen, {
+- need *= 4;
++ if (need > 0) {
++ if (screen->max_combining > 0)
++ need += screen->max_combining;
++ need *= 6;
++ }
+ });
+
+ /* now get some memory to save it in */
+@@ -4000,10 +4005,26 @@ SaltTextAway(XtermWidget xw,
+ }
+ *lp = '\0'; /* make sure we have end marked */
+
+- TRACE(("Salted TEXT:%u:%s\n", (unsigned) (lp - line),
+- visibleChars(line, (unsigned) (lp - line))));
++ have = (size_t) (lp - line);
++ /*
++ * Scanning the buffer twice is unnecessary. Discard unwanted memory if
++ * the estimate is too-far off.
++ */
++ if ((have * 2) < (size_t) need) {
++ Char *next;
++ scp->data_limit = have + 1;
++ next = realloc(line, scp->data_limit);
++ if (next == NULL) {
++ free(line);
++ scp->data_length = 0;
++ scp->data_limit = 0;
++ }
++ scp->data_buffer = next;
++ }
++ scp->data_length = have;
+
+- scp->data_length = (size_t) (lp - line);
++ TRACE(("Salted TEXT:%u:%s\n", (unsigned) have,
++ visibleChars(scp->data_buffer, (unsigned) have)));
+ }
+
+ #if OPT_PASTE64