fix CVE-2020-14344

2020-09-11 21:08:34 +08:00 · 2020-09-11 21:08:34 +08:00 · 3d1f293f1a
commit 3d1f293f1a
parent bf31653f1a
2 changed files with 310 additions and 2 deletions
--- a/CVE-2020-14344.patch
+++ b/CVE-2020-14344.patch
@ -0,0 +1,302 @@
+From 9d1ac6f7ddbaa6036d999a2eccd7caaf92d0ea36 Mon Sep 17 00:00:00 2001
+Date: Tue, 8 Sep 2020 17:32:53 +0800
+Subject: [PATCH] fix CVE-2020-14344
+
+---
+ modules/im/ximcp/imDefIc.c  |  6 +++--
+ modules/im/ximcp/imDefIm.c  | 25 +++++++++++------
+ modules/im/ximcp/imRmAttr.c | 53 +++++++++++++++++++++++--------------
+ 3 files changed, 54 insertions(+), 30 deletions(-)
+
+diff --git a/modules/im/ximcp/imDefIc.c b/modules/im/ximcp/imDefIc.c
+index 7564dba..cf4b8fc 100644
+--- a/modules/im/ximcp/imDefIc.c
+++ b/modules/im/ximcp/imDefIc.c
+@@ -350,7 +350,7 @@ _XimProtoGetICValues(
+ 	     + sizeof(INT16)
+ 	     + XIM_PAD(2 + buf_size);
+ 
+-    if (!(buf = Xmalloc(buf_size)))
+    if (!(buf = Xcalloc(buf_size, 1)))
+ 	return arg->name;
+     buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+ 
+@@ -708,6 +708,7 @@ _XimProtoSetICValues(
+ #endif /* XIM_CONNECTABLE */
+ 
+     _XimGetCurrentICValues(ic, &ic_values);
+    memset(tmp_buf, 0, sizeof(tmp_buf32));
+     buf = tmp_buf;
+     buf_size = XIM_HEADER_SIZE
+ 	+ sizeof(CARD16) + sizeof(CARD16) + sizeof(INT16) + sizeof(CARD16);
+@@ -730,7 +731,7 @@ _XimProtoSetICValues(
+ 
+ 	buf_size += ret_len;
+ 	if (buf == tmp_buf) {
+-	    if (!(tmp = Xmalloc(buf_size + data_len))) {
+	    if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+ 		return tmp_name;
+ 	    }
+ 	    memcpy(tmp, buf, buf_size);
+@@ -740,6 +741,7 @@ _XimProtoSetICValues(
+ 		Xfree(buf);
+ 		return tmp_name;
+ 	    }
+	    memset(&tmp[buf_size], 0, data_len);
+ 	    buf = tmp;
+ 	}
+     }
+diff --git a/modules/im/ximcp/imDefIm.c b/modules/im/ximcp/imDefIm.c
+index cf922e4..bd43513 100644
+--- a/modules/im/ximcp/imDefIm.c
+++ b/modules/im/ximcp/imDefIm.c
+@@ -62,6 +62,7 @@ PERFORMANCE OF THIS SOFTWARE.
+ #include "XimTrInt.h"
+ #include "Ximint.h"
+ 
+#include <limits.h>
+ 
+ int
+ _XimCheckDataSize(
+@@ -807,12 +808,16 @@ _XimOpen(
+     int			 buf_size;
+     int			 ret_code;
+     char		*locale_name;
+    size_t               locale_len;
+ 
+     locale_name = im->private.proto.locale_name;
+-    len = strlen(locale_name);
+-    buf_b[0] = (BYTE)len;			   /* length of locale name */
+-    (void)strcpy((char *)&buf_b[1], locale_name);  /* locale name */
+-    len += sizeof(BYTE);			   /* sizeof length */
+    locale_len = strlen(locale_name);
+    if (locale_len > UCHAR_MAX)
+      return False;
+    memset(buf32, 0, sizeof(buf32));
+    buf_b[0] = (BYTE)locale_len;                   /* length of locale name */
+    memcpy(&buf_b[1], locale_name, locale_len);	   /* locale name */
+    len = (INT16)(locale_len + sizeof(BYTE));	   /* sizeof length */
+     XIM_SET_PAD(buf_b, len);			   /* pad */
+ 
+     _XimSetHeader((XPointer)buf, XIM_OPEN, 0, &len);
+@@ -1287,6 +1292,7 @@ _XimProtoSetIMValues(
+ #endif /* XIM_CONNECTABLE */
+ 
+     _XimGetCurrentIMValues(im, &im_values);
+    memset(tmp_buf, 0, sizeof(tmp_buf32));
+     buf = tmp_buf;
+     buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
+     data_len = BUFSIZE - buf_size;
+@@ -1307,7 +1313,7 @@ _XimProtoSetIMValues(
+ 
+ 	buf_size += ret_len;
+ 	if (buf == tmp_buf) {
+-	    if (!(tmp = Xmalloc(buf_size + data_len))) {
+	    if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+ 		return arg->name;
+ 	    }
+ 	    memcpy(tmp, buf, buf_size);
+@@ -1317,6 +1323,7 @@ _XimProtoSetIMValues(
+ 		Xfree(buf);
+ 		return arg->name;
+ 	    }
+	    memset(&tmp[buf_size], 0, data_len);
+ 	    buf = tmp;
+ 	}
+     }
+@@ -1458,7 +1465,7 @@ _XimProtoGetIMValues(
+ 	     + sizeof(INT16)
+ 	     + XIM_PAD(buf_size);
+ 
+-    if (!(buf = Xmalloc(buf_size)))
+    if (!(buf = Xcalloc(buf_size, 1)))
+ 	return arg->name;
+     buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+ 
+@@ -1720,7 +1727,7 @@ _XimEncodingNegotiation(
+ 	+ sizeof(CARD16)
+ 	+ detail_len;
+ 
+-    if (!(buf = Xmalloc(XIM_HEADER_SIZE + len)))
+    if (!(buf = Xcalloc(XIM_HEADER_SIZE + len, 1)))
+ 	goto free_detail_ptr;
+ 
+     buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
+@@ -1816,6 +1823,7 @@ _XimSendSavedIMValues(
+     int			 ret_code;
+ 
+     _XimGetCurrentIMValues(im, &im_values);
+    memset(tmp_buf, 0, sizeof(tmp_buf32));
+     buf = tmp_buf;
+     buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
+     data_len = BUFSIZE - buf_size;
+@@ -1838,7 +1846,7 @@ _XimSendSavedIMValues(
+ 
+ 	buf_size += ret_len;
+ 	if (buf == tmp_buf) {
+-	    if (!(tmp = Xmalloc(buf_size + data_len))) {
+	    if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
+ 		return False;
+ 	    }
+ 	    memcpy(tmp, buf, buf_size);
+@@ -1848,6 +1856,7 @@ _XimSendSavedIMValues(
+ 		Xfree(buf);
+ 		return False;
+ 	    }
+	    memset(&tmp[buf_size], 0, data_len);
+ 	    buf = tmp;
+ 	}
+     }
+diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
+index 9d4e462..cf491ea 100644
+--- a/modules/im/ximcp/imRmAttr.c
+++ b/modules/im/ximcp/imRmAttr.c
+@@ -29,6 +29,7 @@ PERFORMANCE OF THIS SOFTWARE.
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
+#include <limits.h>
+ #include "Xlibint.h"
+ #include "Xlcint.h"
+ #include "Ximint.h"
+@@ -214,7 +215,7 @@ _XimAttributeToValue(
+     Xic			  ic,
+     XIMResourceList	  res,
+     CARD16		 *data,
+-    INT16		  data_len,
+    CARD16		  data_len,
+     XPointer		  value,
+     BITMASK32		  mode)
+ {
+@@ -250,18 +251,23 @@ _XimAttributeToValue(
+ 
+     case XimType_XIMStyles:
+ 	{
+-	    INT16		 num = data[0];
+	    CARD16               num = data[0];
+ 	    register CARD32	*style_list = (CARD32 *)&data[2];
+ 	    XIMStyle		*style;
+ 	    XIMStyles		*rep;
+ 	    register int	 i;
+ 	    char		*p;
+-	    int			 alloc_len;
+	    unsigned int         alloc_len;
+ 
+ 	    if (!(value))
+ 		return False;
+-
+            if (num > (USHRT_MAX / sizeof(XIMStyle)))
+	        return False;
+	    if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len)
+	        return False;
+ 	    alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;
+	    if (alloc_len < sizeof(XIMStyles))
+	        return False;
+ 	    if (!(p = Xmalloc(alloc_len)))
+ 		return False;
+ 
+@@ -313,7 +319,7 @@ _XimAttributeToValue(
+ 
+     case XimType_XFontSet:
+ 	{
+-	    INT16	 len = data[0];
+	    CARD16       len = data[0];
+ 	    char	*base_name;
+ 	    XFontSet	 rep = (XFontSet)NULL;
+ 	    char	**missing_list = NULL;
+@@ -324,11 +330,12 @@ _XimAttributeToValue(
+ 		return False;
+ 	    if (!ic)
+ 		return False;
+-
+            if (len > data_len)
+		return False;
+ 	    if (!(base_name = Xmalloc(len + 1)))
+ 		return False;
+ 
+-	    (void)strncpy(base_name, (char *)&data[1], (int)len);
+	    (void)strncpy(base_name, (char *)&data[1], (size_t)len);
+ 	    base_name[len] = '\0';
+ 
+ 	    if (mode & XIM_PREEDIT_ATTR) {
+@@ -357,19 +364,24 @@ _XimAttributeToValue(
+ 
+     case XimType_XIMHotKeyTriggers:
+ 	{
+-	    INT32			 num = *((CARD32 *)data);
+	    CARD32                       num = *((CARD32 *)data);
+ 	    register CARD32		*key_list = (CARD32 *)&data[2];
+ 	    XIMHotKeyTrigger		*key;
+ 	    XIMHotKeyTriggers		*rep;
+ 	    register int		 i;
+ 	    char			*p;
+-	    int				 alloc_len;
+	    unsigned int                 alloc_len;
+ 
+ 	    if (!(value))
+ 		return False;
+-
+            if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))
+                return False;
+	    if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len)
+	        return False;
+ 	    alloc_len = sizeof(XIMHotKeyTriggers)
+ 		      + sizeof(XIMHotKeyTrigger) * num;
+	    if (alloc_len < sizeof(XIMHotKeyTriggers))
+	        return False;
+ 	    if (!(p = Xmalloc(alloc_len)))
+ 		return False;
+ 
+@@ -1378,13 +1390,13 @@ _XimEncodeSavedICATTRIBUTE(
+ 
+ static unsigned int
+ _XimCountNumberOfAttr(
+-    INT16	 total,
+-    CARD16	*attr,
+-    int		*names_len)
+    CARD16          total,
+    CARD16	   *attr,
+    unsigned int   *names_len)
+ {
+     unsigned int n;
+-    INT16	 len;
+-    INT16	 min_len = sizeof(CARD16)	/* sizeof attribute ID */
+    CARD16       len;
+    CARD16       min_len = sizeof(CARD16)	/* sizeof attribute ID */
+ 			 + sizeof(CARD16)	/* sizeof type of value */
+ 			 + sizeof(INT16);	/* sizeof length of attribute */
+ 
+@@ -1392,6 +1404,9 @@ _XimCountNumberOfAttr(
+     *names_len = 0;
+     while (total > min_len) {
+ 	len = attr[2];
+	if (len >= (total - min_len)) {
+	    return 0;
+	}
+ 	*names_len += (len + 1);
+ 	len += (min_len + XIM_PAD(len + 2));
+ 	total -= len;
+@@ -1406,17 +1421,15 @@ _XimGetAttributeID(
+     Xim			  im,
+     CARD16		 *buf)
+ {
+-    unsigned int	  n;
+    unsigned int	  n, names_len, values_len;
+     XIMResourceList	  res;
+     char		 *names;
+-    int			  names_len;
+     XPointer		  tmp;
+     XIMValuesList	 *values_list;
+     char		**values;
+-    int			  values_len;
+     register int	  i;
+-    INT16		  len;
+-    INT16		  min_len = sizeof(CARD16) /* sizeof attribute ID */
+    CARD16		  len;
+    CARD16		  min_len = sizeof(CARD16) /* sizeof attribute ID */
+ 				  + sizeof(CARD16) /* sizeof type of value */
+ 				  + sizeof(INT16); /* sizeof length of attr */
+     /*
+-- 
+2.23.0
+
--- a/libX11.spec
+++ b/libX11.spec
@ -1,13 +1,13 @@
 Name:		libX11
 Version:	1.6.9
-Release:	2
+Release:	3
 Summary:	Core X11 protocol client library
 License:	MIT
 URL:		http://www.x.org
 Source0:	https://xorg.freedesktop.org/archive/individual/lib/%{name}-%{version}.tar.bz2

 Patch1:         dont-forward-keycode-0.patch
-
+Patch2:         CVE-2020-14344.patch
 BuildRequires:	xorg-x11-util-macros >= 1.11 xorg-x11-proto-devel perl-Pod-Usage libXau-devel
 BuildRequires:  libxcb-devel >= 1.2 libXdmcp-devel xorg-x11-xtrans-devel >= 1.0.3-4

@ -73,6 +73,12 @@ make %{?_smp_mflags} check
 %{_mandir}/*/*

 %changelog
+* Tue Sep 8 2020 zhanghua <zhanghua40@huawei.com> - 1.6.9-3
+- Type:bugfix
+- Id:NA
+- SUG:NA
+- DESC:fix CVE-2020-14344
+
 * Mon Nov 4 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.6.9-2
 - Type:bugfix
 - Id:NA