aboutsummaryrefslogtreecommitdiffstats
path: root/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch')
-rw-r--r--meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch84
1 files changed, 84 insertions, 0 deletions
diff --git a/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch
new file mode 100644
index 000000000..b7a5f297a
--- /dev/null
+++ b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch
@@ -0,0 +1,84 @@
+From 85666286473f2fbb2d4731d4e175f00d7a76e21f Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 21 Jun 2022 10:53:01 +0530
+Subject: [PATCH] CVE-2022-24130
+
+Upstream-Status: Backport [https://github.com/ThomasDickey/xterm-snapshots/commit/1584fc227673264661250d3a8d673c168ac9512d]
+CVE: CVE-2022-24130
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+Description: Cherry-pick sixel graphics fixes from xterm 370d and 370f
+ Check for out-of-bounds condition while drawing sixels, and quit that
+ operation (report by Nick Black, CVE-2022-24130).
+Bug-Debian: https://bugs.debian.org/1004689
+
+---
+ graphics_sixel.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/graphics_sixel.c b/graphics_sixel.c
+index 00ba3ef..6a82295 100644
+--- a/graphics_sixel.c
++++ b/graphics_sixel.c
+@@ -141,7 +141,7 @@ init_sixel_background(Graphic *graphic, SixelContext const *context)
+ graphic->color_registers_used[context->background] = 1;
+ }
+
+-static void
++static Boolean
+ set_sixel(Graphic *graphic, SixelContext const *context, int sixel)
+ {
+ const int mh = graphic->max_height;
+@@ -162,7 +162,10 @@ set_sixel(Graphic *graphic, SixelContext const *context, int sixel)
+ ((color != COLOR_HOLE)
+ ? (unsigned) graphic->color_registers[color].b : 0U)));
+ for (pix = 0; pix < 6; pix++) {
+- if (context->col < mw && context->row + pix < mh) {
++ if (context->col >= 0 &&
++ context->col < mw &&
++ context->row + pix >= 0 &&
++ context->row + pix < mh) {
+ if (sixel & (1 << pix)) {
+ if (context->col + 1 > graphic->actual_width) {
+ graphic->actual_width = context->col + 1;
+@@ -175,8 +178,10 @@ set_sixel(Graphic *graphic, SixelContext const *context, int sixel)
+ }
+ } else {
+ TRACE(("sixel pixel %d out of bounds\n", pix));
++ return False;
+ }
+ }
++ return True;
+ }
+
+ static void
+@@ -451,7 +456,10 @@ parse_sixel(XtermWidget xw, ANSI *params, char const *string)
+ init_sixel_background(graphic, &context);
+ graphic->valid = 1;
+ }
+- set_sixel(graphic, &context, sixel);
++ if (!set_sixel(graphic, &context, sixel)) {
++ context.col = 0;
++ break;
++ }
+ context.col++;
+ } else if (ch == '$') { /* DECGCR */
+ /* ignore DECCRNLM in sixel mode */
+@@ -529,8 +537,12 @@ parse_sixel(XtermWidget xw, ANSI *params, char const *string)
+ graphic->valid = 1;
+ }
+ for (i = 0; i < Pcount; i++) {
+- set_sixel(graphic, &context, sixel);
+- context.col++;
++ if (set_sixel(graphic, &context, sixel)) {
++ context.col++;
++ } else {
++ context.col = 0;
++ break;
++ }
+ }
+ } else if (ch == '#') { /* DECGCI */
+ ANSI color_params;
+--
+2.25.1
+