os: color: fix possible buffer overflow vulnerability

Browse Source

The old approach of builtin color lookup used a binary search of strings
within text blocks (their start offsets defined in the color array).

This could potentially lead to buffer overflow, if the requested color
name far outreaches the text block (eg. same prefix as some entry near to
the end, but really huge). This alone wouldn't allow remote memory readout
(just comparing), but could possibly trigger page faults (sigsegv) or used
as a building block for some more complex attack.

OTOH, the old approach is also hard to maintain, ugly programming style:
on each change, all the offset need to be carefully recounted, which is
pretty error-prone.

Both problems are solved by moving to simple, per-entry, char* pointers,
instead of the one large text block.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1313>

...

This commit is contained in:

Enrico Weigelt, metux IT consult 2024-02-19 15:12:00 +01:00 committed by Marge Bot

parent 7a010beefe

commit 8c4a015cc2

1 changed files with 806 additions and 1585 deletions

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2381

os/oscolor.c

View File

File diff suppressed because it is too large Load Diff