diff options
author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2016-12-08 17:07:55 +0100 |
---|---|---|
committer | Matthieu Herrb <matthieu@herrb.eu> | 2016-12-12 22:49:54 +0100 |
commit | d1167418f0fd02a27f617ec5afd6db053afbe185 (patch) | |
tree | daca0ec07a076d061d461864dbe4921c29bd1305 /sxpm/sxpm.c | |
parent | 1ec33006a9e4214b390045b820464e24297dc6c0 (diff) |
Avoid OOB write when handling malicious XPM files.
libXpm uses unsigned int to store sizes, which fits size_t on 32 bit
systems, but leads to issues on 64 bit systems.
On 64 bit systems, it is possible to overflow 32 bit integers while
parsing XPM extensions in a file.
At first, it looks like a rather unimportant detail, because nobody
will seriously open a 4 GB file. But unfortunately XPM has support for
gzip compression out of the box. An attacker can therefore craft a
compressed file which is merely 4 MB in size, which makes an attack
much for feasable.
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Diffstat (limited to 'sxpm/sxpm.c')
0 files changed, 0 insertions, 0 deletions