From 8f677eaea05290531d007d1fec2768119926088d Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Fri, 12 Apr 2013 21:17:28 -0700 Subject: signedness bug & integer overflow in _XcursorFileHeaderCreate() [CVE-2013-2003] When parsing cursor files, a user defined (e.g. through environment variables) cursor file is opened and parsed. The header is read in _XcursorReadFileHeader(), which reads an unsigned int for the number of toc structures in the header, but it was being passed to _XcursorFileHeaderCreate() as a signed int to allocate those structures. If the number was negative, it would pass the bounds check and could overflow the calculation for how much memory to allocate to store the data being read, leading to overflowing the buffer with the data read from the user controlled file. Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith --- src/file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/file.c b/src/file.c index efe6d4b..ce9de78 100644 --- a/src/file.c +++ b/src/file.c @@ -205,7 +205,7 @@ _XcursorFileHeaderDestroy (XcursorFileHeader *fileHeader) } static XcursorFileHeader * -_XcursorFileHeaderCreate (int ntoc) +_XcursorFileHeaderCreate (XcursorUInt ntoc) { XcursorFileHeader *fileHeader; -- cgit v1.2.3