os: color: fix possible buffer overflow vulnerability

Browse Source

The old approach of builtin color lookup used a binary search of strings
within text blocks (their start offsets defined in the color array).

This could potentially lead to buffer overflow, if the requested color
name far outreaches the text block (eg. same prefix as some entry near to
the end, but really huge). This alone wouldn't allow remote memory readout
(just comparing), but could possibly trigger page faults (sigsegv) or used
as a building block for some more complex attack.

OTOH, the old approach is also hard to maintain, ugly programming style:
on each change, all the offset need to be carefully recounted, which is
pretty error-prone.

Both problems are solved by moving to simple, per-entry, char* pointers,
instead of the one large text block.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1313>
(cherry picked from commit 8c4a015cc2)

...

This commit is contained in:

Enrico Weigelt, metux IT consult

2024-02-19 15:12:00 +01:00

committed by Alan Coopersmith

parent a24bad63f0

commit 768333d2ff

1 changed files with 806 additions and 1585 deletions

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Download Patch File Download Diff File Expand all files Collapse all files

2391

os/oscolor.c

File diff suppressed because it is too large Load Diff