summaryrefslogtreecommitdiff
path: root/src/XrrProviderProperty.c
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-04-12 21:44:59 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-04 21:44:31 -0700
commit0e79d96c36aef5889ae2e2a3fc2e96e93f30dc21 (patch)
treebc0a5a7d81ae6b7c82651e5d3046164ba6a0d457 /src/XrrProviderProperty.c
parent1c7ad6773ce6be00dcd6e51e9be08f203abe5071 (diff)
integer overflow in XRRQueryOutputProperty() [CVE-2013-1986 1/4]
rep.length is a CARD32, while rbytes was a signed int, so rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long); could result in integer overflow, leading to an undersized malloc and reading data off the connection and writing it past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'src/XrrProviderProperty.c')
0 files changed, 0 insertions, 0 deletions