summaryrefslogtreecommitdiff
path: root/include
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-04-13 00:50:02 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-04-26 15:50:08 -0700
commit5fd871e5f878810f8f8837725d548e07e89577ab (patch)
tree788c4cf55ee261b925e66ac40a76d2a83ecc9d5e /include
parent478d4e5873eeee2ebdce6673e4e3469816ab63b8 (diff)
integer overflow in _xvmc_create_*()
rep.length is a CARD32 and should be bounds checked before left-shifting by 2 bits to come up with the total size to allocate, though in these cases, no buffer overflow should occur here, since the XRead call is passed the same rep.length << 2 length argument, but the *priv_count returned to the caller could be interpreted or used to calculate a larger buffer size than was actually allocated, leading them to go out of bounds. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'include')
0 files changed, 0 insertions, 0 deletions