integer overflow in XFixesGetCursorImage() [CVE-2013-1983]

If the reported cursor dimensions or name length are too large, the
calculations to allocate memory for them may overflow, leaving us
writing beyond the bounds of the allocation.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

0 files changed, 0 insertions, 0 deletions