summaryrefslogtreecommitdiff
path: root/sxpm/sxpm.c
diff options
context:
space:
mode:
authorTobias Stoeckmann <tobias@stoeckmann.org>2016-12-08 17:07:55 +0100
committerMatthieu Herrb <matthieu@herrb.eu>2016-12-12 22:49:54 +0100
commitd1167418f0fd02a27f617ec5afd6db053afbe185 (patch)
treedaca0ec07a076d061d461864dbe4921c29bd1305 /sxpm/sxpm.c
parent1ec33006a9e4214b390045b820464e24297dc6c0 (diff)
Avoid OOB write when handling malicious XPM files.
libXpm uses unsigned int to store sizes, which fits size_t on 32 bit systems, but leads to issues on 64 bit systems. On 64 bit systems, it is possible to overflow 32 bit integers while parsing XPM extensions in a file. At first, it looks like a rather unimportant detail, because nobody will seriously open a 4 GB file. But unfortunately XPM has support for gzip compression out of the box. An attacker can therefore craft a compressed file which is merely 4 MB in size, which makes an attack much for feasable. Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Diffstat (limited to 'sxpm/sxpm.c')
0 files changed, 0 insertions, 0 deletions