diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-12 21:44:59 -0700 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-04 21:44:31 -0700 |
commit | 0e79d96c36aef5889ae2e2a3fc2e96e93f30dc21 (patch) | |
tree | bc0a5a7d81ae6b7c82651e5d3046164ba6a0d457 /COPYING | |
parent | 1c7ad6773ce6be00dcd6e51e9be08f203abe5071 (diff) |
integer overflow in XRRQueryOutputProperty() [CVE-2013-1986 1/4]
rep.length is a CARD32, while rbytes was a signed int, so
rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
could result in integer overflow, leading to an undersized malloc
and reading data off the connection and writing it past the end of
the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'COPYING')
0 files changed, 0 insertions, 0 deletions