[Git][xorg-team/app/xterm][debian-buster] Cherry-pick sixel graphics fixes from xterm 370d and 370f

Sven Joachim pushed to branch debian-buster at X Strike Force / app / xterm

Commits:

9e3a2f22

by Sven Joachim at 2022-02-02T20:08:11+01:00

Cherry-pick sixel graphics fixes from xterm 370d and 370f

Check for out-of-bounds condition while drawing sixels, and quit that
operation (report by Nick Black, CVE-2022-24130).

3 changed files:

debian/changelog
+ debian/patches/CVE-2022-24130.diff
debian/patches/series

Changes:

debian/changelog

 +xterm (344-1+deb10u2) UNRELEASED; urgency=medium
++
 +  * Cherry-pick sixel graphics fixes from xterm 370d and 370f.
 +    - Check for out-of-bounds condition while drawing sixels, and quit
 +      that operation (report by Nick Black (CVE-2022-24130),
 +      Closes: #1004689).
++
 + -- Sven Joachim <svenjoac@gmx.de>  Wed, 02 Feb 2022 20:08:03 +0100
++
  xterm (344-1+deb10u1) buster; urgency=medium
    * Apply upstream fix from xterm 366 for CVE-2021-27135.

debian/patches/CVE-2022-24130.diff

 +Description: Cherry-pick sixel graphics fixes from xterm 370d and 370f
 + Check for out-of-bounds condition while drawing sixels, and quit that
 + operation (report by Nick Black, CVE-2022-24130).
 +Bug-Debian: https://bugs.debian.org/1004689
++
 +---
 + graphics_sixel.c |   31 +++++++++++++++++++++++++------
 + 1 file changed, 25 insertions(+), 6 deletions(-)
++
 +--- a/graphics_sixel.c
 ++++ b/graphics_sixel.c
 +@@ -141,7 +141,7 @@ init_sixel_background(Graphic *graphic,
 +     graphic->color_registers_used[context->background] = 1;
 + }
++
 +-static void
 ++static Boolean
 + set_sixel(Graphic *graphic, SixelContext const *context, int sixel)
 + {
 +     const int mh = graphic->max_height;
 +@@ -162,7 +162,10 @@ set_sixel(Graphic *graphic, SixelContext
 + 	   ((color != COLOR_HOLE)
 + 	    ? (unsigned) graphic->color_registers[color].b : 0U)));
 +     for (pix = 0; pix < 6; pix++) {
 +-	if (context->col < mw && context->row + pix < mh) {
 ++	if (context->col >= 0 &&
 ++	    context->col < mw &&
 ++	    context->row + pix >= 0 &&
 ++	    context->row + pix < mh) {
 + 	    if (sixel & (1 << pix)) {
 + 		if (context->col + 1 > graphic->actual_width) {
 + 		    graphic->actual_width = context->col + 1;
 +@@ -175,8 +178,10 @@ set_sixel(Graphic *graphic, SixelContext
 + 	    }
 + 	} else {
 + 	    TRACE(("sixel pixel %d out of bounds\n", pix));
 ++	    return False;
 + 	}
 +     }
 ++    return True;
 + }
++
 + static void
 +@@ -451,7 +456,12 @@ parse_sixel(XtermWidget xw, ANSI *params
 + 		init_sixel_background(graphic, &context);
 + 		graphic->valid = 1;
 + 	    }
 +-	    set_sixel(graphic, &context, sixel);
 ++	    if (sixel) {
 ++		if (!set_sixel(graphic, &context, sixel)) {
 ++		    context.col = 0;
 ++		    break;
 ++		}
 ++	    }
 + 	    context.col++;
 + 	} else if (ch == '$') {	/* DECGCR */
 + 	    /* ignore DECCRNLM in sixel mode */
 +@@ -528,9 +538,18 @@ parse_sixel(XtermWidget xw, ANSI *params
 + 		init_sixel_background(graphic, &context);
 + 		graphic->valid = 1;
 + 	    }
 +-	    for (i = 0; i < Pcount; i++) {
 +-		set_sixel(graphic, &context, sixel);
 +-		context.col++;
 ++	    if (sixel) {
 ++		int i;
 ++		for (i = 0; i < Pcount; i++) {
 ++		    if (set_sixel(graphic, &context, sixel)) {
 ++			context.col++;
 ++		    } else {
 ++			context.col = 0;
 ++			break;
 ++		    }
 ++		}
 ++	    } else {
 ++		context.col += Pcount;
 + 	    }
 + 	} else if (ch == '#') {	/* DECGCI */
 + 	    ANSI color_params;

debian/patches/series

@@ -2,3 +2,4 @@
 _windowops.diff
 _fontops.diff
  CVE-2021-27135.diff
 +CVE-2022-24130.diff