summaryrefslogtreecommitdiff
path: root/man/XvStopVideo.man
diff options
context:
space:
mode:
authorTobias Stoeckmann <tobias@stoeckmann.org>2016-09-25 21:30:03 +0200
committerMatthieu Herrb <matthieu@herrb.eu>2016-09-28 18:04:42 +0200
commitd9da580b46a28ab497de2e94fdc7b9ff953dab17 (patch)
treea54efa12778416e3296cb6a2353ab7095caf970e /man/XvStopVideo.man
parentcf8cc328f1e370a548b71581bada7e1ee073c756 (diff)
Protocol handling issues in libXv - CVE-2016-5407
The Xv query functions for adaptors and encodings suffer from out of boundary accesses if a hostile X server sends a maliciously crafted response. A previous fix already checks the received length against fixed values but ignores additional length specifications which are stored inside the received data. These lengths are accessed in a for-loop. The easiest way to guarantee a correct processing is by validating all lengths against the remaining size left before accessing referenced memory. This makes the previously applied check obsolete, therefore I removed it. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Diffstat (limited to 'man/XvStopVideo.man')
0 files changed, 0 insertions, 0 deletions