!37 [sync] PR-34: Fix CVE-2022-44617 and CVE-2022-46285

From: @openeuler-sync-bot Reviewed-by: @starlet-dx Signed-off-by: @starlet-dx
2024-10-25 06:27:12 +00:00 · 2024-10-25 06:27:12 +00:00 · 4065897d6f
commit 4065897d6f
parent e137e0c3da ae2c329f37
4 changed files with 243 additions and 1 deletions
--- a/CVE-2022-44617-1.patch
+++ b/CVE-2022-44617-1.patch
@ -0,0 +1,154 @@
+From f80fa6ae47ad4a5beacb287c0030c9913b046643 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 7 Jan 2023 12:44:28 -0800
+Subject: [PATCH] Fix CVE-2022-44617: Runaway loop with width of 0 and enormous
+ height
+
+When reading XPM images from a file with libXpm 3.5.14 or older, if a
+image has a width of 0 and a very large height, the ParsePixels() function
+will loop over the entire height calling getc() and ungetc() repeatedly,
+or in some circumstances, may loop seemingly forever, which may cause a
+denial of service to the calling program when given a small crafted XPM
+file to parse.
+
+Closes: #2
+
+Reported-by: Martin Ettl <ettl.martin78@googlemail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Origin:
+https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/f80fa6ae47ad4a5beacb287c0030c9913b046643
+---
+ lib/Xm/Xpmdata.c  | 20 ++++++++++++++------
+ lib/Xm/Xpmparse.c | 31 +++++++++++++++++++++++++++----
+ 2 files changed, 41 insertions(+), 10 deletions(-)
+
+diff --git a/lib/Xm/Xpmdata.c b/lib/Xm/Xpmdata.c
+index d65ae57..45ccfae 100644
+--- a/lib/Xm/Xpmdata.c
+++ b/lib/Xm/Xpmdata.c
+@@ -189,19 +189,23 @@ xpmNextString(mdata)
+ 	register char c;
+ 
+ 	/* get to the end of the current string */
+-	if (mdata->Eos)
+-	    while ((c = *mdata->cptr++) && c != mdata->Eos);
+	if (mdata->Eos) {
+	    while ((c = *mdata->cptr++) && c != mdata->Eos && c != '\0');
+
+	    if (c == '\0')
+		return XpmFileInvalid;
+	}
+ 
+ 	/*
+ 	 * then get to the beginning of the next string looking for possible
+ 	 * comment
+ 	 */
+ 	if (mdata->Bos) {
+-	    while ((c = *mdata->cptr++) && c != mdata->Bos)
+	    while ((c = *mdata->cptr++) && c != mdata->Bos && c != '\0')
+ 		if (mdata->Bcmt && c == mdata->Bcmt[0])
+ 		    ParseComment(mdata);
+ 	} else if (mdata->Bcmt) {	/* XPM2 natural */
+-	    while ((c = *mdata->cptr++) == mdata->Bcmt[0])
+	    while (((c = *mdata->cptr++) == mdata->Bcmt[0]) && c != '\0')
+ 		ParseComment(mdata);
+ 	    mdata->cptr--;
+ 	}
+@@ -210,9 +214,13 @@ xpmNextString(mdata)
+ 	FILE *file = mdata->stream.file;
+ 
+ 	/* get to the end of the current string */
+-	if (mdata->Eos)
+	if (mdata->Eos) {
+ 	    while ((c = getc(file)) != mdata->Eos && c != EOF);
+ 
+	    if (c == EOF)
+		return XpmFileInvalid;
+        }
+
+ 	/*
+ 	 * then get to the beginning of the next string looking for possible
+ 	 * comment
+@@ -228,7 +236,7 @@ xpmNextString(mdata)
+ 	    ungetc(c, file);
+ 	}
+     }
+-    return 0;
+    return XpmSuccess;
+ }
+ 
+ 
+diff --git a/lib/Xm/Xpmparse.c b/lib/Xm/Xpmparse.c
+index a54bca9..da21dbb 100644
+--- a/lib/Xm/Xpmparse.c
+++ b/lib/Xm/Xpmparse.c
+@@ -523,6 +523,13 @@ ParsePixels(data, width, height, ncolors, cpp, colorTable, hashtable, pixels)
+ {
+     unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */
+     unsigned int a, x, y;
+    int ErrorStatus;
+
+    if ((width == 0) && (height != 0))
+       return (XpmFileInvalid);
+
+    if ((height == 0) && (width != 0))
+       return (XpmFileInvalid);
+ 
+     if ((height > 0 && width >= UINT_MAX / height) ||
+ 	width * height >= UINT_MAX / sizeof(unsigned int)) 
+@@ -560,7 +567,11 @@ ParsePixels(data, width, height, ncolors, cpp, colorTable, hashtable, pixels)
+ 		colidx[(unsigned char)colorTable[a].string[0]] = a + 1;
+ 
+ 	    for (y = 0; y < height; y++) {
+-		xpmNextString(data);
+		ErrorStatus = xpmNextString(data);
+		if (ErrorStatus != XpmSuccess) {
+		    XpmFree(iptr2);
+		    return (ErrorStatus);
+		}
+ 		for (x = 0; x < width; x++, iptr++) {
+ 		    int c = xpmGetC(data);
+ 
+@@ -607,7 +618,11 @@ do \
+ 	    }
+ 
+ 	    for (y = 0; y < height; y++) {
+-		xpmNextString(data);
+		ErrorStatus = xpmNextString(data);
+		if (ErrorStatus != XpmSuccess) {
+		    XpmFree(iptr2);
+		    return (ErrorStatus);
+		}
+ 		for (x = 0; x < width; x++, iptr++) {
+ 		    int cc1 = xpmGetC(data);
+ 		    if (cc1 > 0 && cc1 < 256) {
+@@ -646,7 +661,11 @@ do \
+ 		xpmHashAtom *slot;
+ 
+ 		for (y = 0; y < height; y++) {
+-		    xpmNextString(data);
+		    ErrorStatus = xpmNextString(data);
+		    if (ErrorStatus != XpmSuccess) {
+			XpmFree(iptr2);
+			return (ErrorStatus);
+		    }
+ 		    for (x = 0; x < width; x++, iptr++) {
+ 			for (a = 0, s = buf; a < cpp; a++, s++)
+ 			    *s = xpmGetC(data); /* int assigned to char, not a problem here */
+@@ -660,7 +679,11 @@ do \
+ 		}
+ 	    } else {
+ 		for (y = 0; y < height; y++) {
+-		    xpmNextString(data);
+		    ErrorStatus = xpmNextString(data);
+		    if (ErrorStatus != XpmSuccess) {
+			XpmFree(iptr2);
+			return (ErrorStatus);
+		    }
+ 		    for (x = 0; x < width; x++, iptr++) {
+ 			for (a = 0, s = buf; a < cpp; a++, s++)
+ 			    *s = xpmGetC(data); /* int assigned to char, not a problem here */
+-- 
+2.46.0
+
--- a/CVE-2022-44617-2.patch
+++ b/CVE-2022-44617-2.patch
@ -0,0 +1,43 @@
+From c5ab17bcc34914c0b0707d2135dbebe9a367c5f0 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Thu, 12 Jan 2023 15:05:39 +1000
+Subject: [PATCH] Prevent a double free in the error code path
+
+xpmParseDataAndCreate() calls XDestroyImage() in the error path.
+Reproducible with sxpm "zero-width.xpm", that file is in the test/
+directory.
+
+The same approach is needed in the bytes_per_line == 0 condition though
+here it just plugs a memory leak.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Origin:
+https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/c5ab17bcc34914c0b0707d2135dbebe9a367c5f0
+---
+ lib/Xm/Xpmcreate.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/Xm/Xpmcreate.c b/lib/Xm/Xpmcreate.c
+index d0f3c3b..01c5d1a 100644
+--- a/lib/Xm/Xpmcreate.c
+++ b/lib/Xm/Xpmcreate.c
+@@ -954,10 +954,14 @@ CreateXImage(display, visual, depth, format, width, height, image_return)
+ #ifndef FOR_MSW
+     if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) {
+   	XDestroyImage(*image_return);
+  	*image_return = NULL;
+         return (XpmNoMemory);
+     }
+-    if((*image_return)->bytes_per_line == 0 ||  height == 0)
+    if((*image_return)->bytes_per_line == 0 ||  height == 0) {
+        XDestroyImage(*image_return);
+        *image_return = NULL;
+         return XpmNoMemory;
+    }
+     /* now that bytes_per_line must have been set properly alloc data */
+     (*image_return)->data =
+ 	(char *) XpmMalloc((*image_return)->bytes_per_line * height);
+-- 
+2.46.0
+
--- a/CVE-2022-46285.patch
+++ b/CVE-2022-46285.patch
@ -0,0 +1,39 @@
+From 4636007dd4cebca8ee10738a7833f629d8687529 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 17 Dec 2022 12:23:45 -0800
+Subject: Fix CVE-2022-46285: Infinite loop on unclosed  comments
+
+When reading XPM images from a file with libXpm 3.5.14 or older, if a
+comment in the file is not closed (i.e. a C-style comment starts with
+"/*" and is missing the closing "*/"), the ParseComment() function will
+loop forever calling getc() to try to read the rest of the comment,
+failing to notice that it has returned EOF, which may cause a denial of
+service to the calling program.
+
+Reported-by: Marco Ivaldi <raptor@0xdeadbeef.info>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Origin:
+https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/a3a7c6dcc3b629d765014816c566c63165c63ca8
+---
+ lib/Xm/Xpmdata.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/Xm/Xpmdata.c b/lib/Xm/Xpmdata.c
+index d65ae57..9c53f90 100644
+--- a/lib/Xm/Xpmdata.c
+++ b/lib/Xm/Xpmdata.c
+@@ -171,6 +171,10 @@ ParseComment(mdata)
+ 		notend = 0;
+ 		ungetc(*s, file);
+ 	    }
+	    else if (c == EOF) {
+		/* hit end of file before the end of the comment */
+		return XpmFileInvalid;
+	    }
+ 	}
+ 	return 0;
+     }
+-- 
+2.46.0
+
--- a/motif.spec
+++ b/motif.spec
@ -1,6 +1,6 @@
 Name:          motif
 Version:       2.3.8
-Release:       5
+Release:       6
 Summary:       Run-time libraries and programs
 License:       LGPLv2+
 URL:           https://motif.ics.com/
@ -16,6 +16,9 @@ Conflicts:     lesstif <= 0.92.32-6

 Patch0:	       0001-fix-motif-no-autogen.patch
 Patch1:        Fix-issues-with-Werror-format-security.patch
+Patch2:        CVE-2022-44617-1.patch
+Patch3:        CVE-2022-44617-2.patch
+Patch4:        CVE-2022-46285.patch

 %description
 This module is motif run-time environment, which includes the motif shared libraries.
@ -88,6 +91,9 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 %{_mandir}/man*/*

 %changelog
+* Fri Oct 25 2024 yaoxin <yao_xin001@hoperun.com> - 2.3.8-6
+- Fix CVE-2022-44617 and CVE-2022-46285
+
 * Fri Aug 25 2023 xu_ping <707078654@qq.com> - 2.3.8-5
 - Fix issues with Werror format security