summaryrefslogtreecommitdiff
path: root/x11/libX11/patches/patch-regression
diff options
context:
space:
mode:
Diffstat (limited to 'x11/libX11/patches/patch-regression')
-rw-r--r--x11/libX11/patches/patch-regression45
1 files changed, 45 insertions, 0 deletions
diff --git a/x11/libX11/patches/patch-regression b/x11/libX11/patches/patch-regression
new file mode 100644
index 00000000000..b917641ca21
--- /dev/null
+++ b/x11/libX11/patches/patch-regression
@@ -0,0 +1,45 @@
+$NetBSD: patch-regression,v 1.2.2.2 2020/08/14 17:11:16 bsiegert Exp $
+
+From 93fce3f4e79cbc737d6468a4f68ba3de1b83953b Mon Sep 17 00:00:00 2001
+From: Yichao Yu <yyc1992@gmail.com>
+Date: Sun, 2 Aug 2020 13:43:58 -0400
+Subject: [PATCH] Fix size calculation in `_XimAttributeToValue`.
+
+The check here guards the read below.
+For `XimType_XIMStyles`, these are `num` of `CARD32` and for `XimType_XIMHotKeyTriggers`
+these are `num` of `XIMTRIGGERKEY` ref[1] which is defined as 3 x `CARD32`.
+(There are data after the `XIMTRIGGERKEY` according to the spec but they are not read by this
+function and doesn't need to be checked.)
+
+The old code here used the native datatype size instead of the wire protocol size causing
+the check to always fail.
+
+Also fix the size calculation for the header (size). It is 2 x CARD16 for both types
+despite the unused `CARD16` for `XimType_XIMStyles`.
+
+[1] https://www.x.org/releases/X11R7.6/doc/libX11/specs/XIM/xim.html#Input_Method_Styles
+
+This fixes a regression caused by 388b303c62aa35a245f1704211a023440ad2c488 in 1.6.10.
+
+Fix #116
+
+--- modules/im/ximcp/imRmAttr.c.orig
++++ modules/im/ximcp/imRmAttr.c
+@@ -265,7 +265,7 @@ _XimAttributeToValue(
+
+ if (num > (USHRT_MAX / sizeof(XIMStyle)))
+ return False;
+- if ((sizeof(num) + (num * sizeof(XIMStyle))) > data_len)
++ if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len)
+ return False;
+ alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;
+ if (alloc_len < sizeof(XIMStyles))
+@@ -379,7 +379,7 @@ _XimAttributeToValue(
+
+ if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))
+ return False;
+- if ((sizeof(num) + (num * sizeof(XIMHotKeyTrigger))) > data_len)
++ if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len)
+ return False;
+ alloc_len = sizeof(XIMHotKeyTriggers)
+ + sizeof(XIMHotKeyTrigger) * num;
generated by cgit v1.2.3 (git 2.39.1) at 2025-02-16 11:27:05 +0000