diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-13 00:50:02 -0700 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-26 15:50:08 -0700 |
commit | 5fd871e5f878810f8f8837725d548e07e89577ab (patch) | |
tree | 788c4cf55ee261b925e66ac40a76d2a83ecc9d5e /include | |
parent | 478d4e5873eeee2ebdce6673e4e3469816ab63b8 (diff) |
integer overflow in _xvmc_create_*()
rep.length is a CARD32 and should be bounds checked before left-shifting
by 2 bits to come up with the total size to allocate, though in these
cases, no buffer overflow should occur here, since the XRead call is passed
the same rep.length << 2 length argument, but the *priv_count returned to
the caller could be interpreted or used to calculate a larger buffer size
than was actually allocated, leading them to go out of bounds.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'include')
0 files changed, 0 insertions, 0 deletions