From 91f887b41bf75648df725a4ed3be036da02e911e Mon Sep 17 00:00:00 2001
From: Yair Mizrahi <yairm@jfrog.com>
Date: Thu, 7 Sep 2023 16:59:07 -0700
Subject: [PATCH] Avoid CVE-2023-43787 (integer overflow in XCreateImage)

This doesn't fix the CVE - that has to happen in libX11, this
just tries to avoid triggering it from libXpm, and saves time
in not pretending we can successfully create an X Image for
which the width * depth would overflow the signed int used to
store the bytes_per_line value.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 src/create.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/create.c b/src/create.c
index ec562b2..b8c80d2 100644
--- a/src/create.c
+++ b/src/create.c
@@ -997,6 +997,11 @@ CreateXImage(
 	*image_return = NULL;
 	return XpmNoMemory;
     }
+    if (width != 0 && (*image_return)->bits_per_pixel >= INT_MAX / width) {
+	XDestroyImage(*image_return);
+	*image_return = NULL;
+	return XpmNoMemory;
+    }
     /* now that bytes_per_line must have been set properly alloc data */
     if((*image_return)->bytes_per_line == 0 ||  height == 0) {
 	XDestroyImage(*image_return);
-- 
GitLab