integer overflow in _xvmc_create_*()

rep.length is a CARD32 and should be bounds checked before left-shifting
by 2 bits to come up with the total size to allocate, though in these
cases, no buffer overflow should occur here, since the XRead call is passed
the same rep.length << 2 length argument, but the *priv_count returned to
the caller could be interpreted or used to calculate a larger buffer size
than was actually allocated, leading them to go out of bounds.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

0 files changed, 0 insertions, 0 deletions