diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2014-01-22 21:11:16 -0800 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-02-14 16:14:31 +0100 |
commit | c1225fe6451d7a5f3741ce0fff8f54e38e0a14da (patch) | |
tree | 17d97e36bcb0c57b66d9c9a6a75bfe036b818793 /nx-X11/lib/Xfixes | |
parent | 37e7fb1f64b29ef06ec4d69ab0b7afa99c613383 (diff) | |
download | nx-libs-c1225fe6451d7a5f3741ce0fff8f54e38e0a14da.tar.gz nx-libs-c1225fe6451d7a5f3741ce0fff8f54e38e0a14da.tar.bz2 nx-libs-c1225fe6451d7a5f3741ce0fff8f54e38e0a14da.zip |
dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]
ProcPutImage() calculates a length field from a width, left pad and depth
specified by the client (if the specified format is XYPixmap).
The calculations for the total amount of memory the server needs for the
pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
on 32-bit systems (since the length is stored in a long int variable).
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
dix/dispatch.c
Diffstat (limited to 'nx-X11/lib/Xfixes')
0 files changed, 0 insertions, 0 deletions