diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2014-01-22 21:11:16 -0800 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2014-12-08 18:09:46 -0800 |
commit | eeae42d60bf3d5663ea088581f6c28a82cd17829 (patch) | |
tree | 8ea21c65aa6ee2a0d9acb6e31f04435a3867c467 /include | |
parent | 90cc925c5991fcb203f72d00b04419cd754a9b2c (diff) |
dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]
ProcPutImage() calculates a length field from a width, left pad and depth
specified by the client (if the specified format is XYPixmap).
The calculations for the total amount of memory the server needs for the
pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
on 32-bit systems (since the length is stored in a long int variable).
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Diffstat (limited to 'include')
0 files changed, 0 insertions, 0 deletions