diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-03-09 22:55:23 -0800 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-23 08:13:26 -0700 |
commit | 528419b9ef437e7eeafb41bf45e8ff7d818bd845 (patch) | |
tree | d3cb5f094541bbfd954790eb05a3469b608d1627 /src/XGetDProp.c | |
parent | 242f92b490a695fbab244af5bad11b71f897c732 (diff) |
integer overflow in XIGetSelectedEvents() [CVE-2013-1984 6/8]
If the number of events or masks reported by the server is large enough
that it overflows when multiplied by the size of the appropriate struct,
or the sizes overflow as they are totaled up, then memory corruption can
occur when more bytes are copied from the X server reply than the size
of the buffer we allocated to hold them.
v2: check that reply size fits inside the data read from the server,
so that we don't read out of bounds either
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Diffstat (limited to 'src/XGetDProp.c')
0 files changed, 0 insertions, 0 deletions