diff options
author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2016-09-25 21:30:03 +0200 |
---|---|---|
committer | Matthieu Herrb <matthieu@herrb.eu> | 2016-09-28 18:04:42 +0200 |
commit | d9da580b46a28ab497de2e94fdc7b9ff953dab17 (patch) | |
tree | a54efa12778416e3296cb6a2353ab7095caf970e /man/XvStopVideo.man | |
parent | cf8cc328f1e370a548b71581bada7e1ee073c756 (diff) |
Protocol handling issues in libXv - CVE-2016-5407
The Xv query functions for adaptors and encodings suffer from out of
boundary accesses if a hostile X server sends a maliciously crafted
response.
A previous fix already checks the received length against fixed values
but ignores additional length specifications which are stored inside
the received data.
These lengths are accessed in a for-loop. The easiest way to guarantee
a correct processing is by validating all lengths against the
remaining size left before accessing referenced memory.
This makes the previously applied check obsolete, therefore I removed
it.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Diffstat (limited to 'man/XvStopVideo.man')
0 files changed, 0 insertions, 0 deletions