aboutsummaryrefslogtreecommitdiff
path: root/nx-X11/programs/Xserver/include/cursor.h
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2014-01-06 23:30:14 -0800
committerMihai Moldovan <ionic@ionic.de>2015-02-16 05:58:21 +0100
commitb6b5b14e4190048fadbfbcf063d873d318127e81 (patch)
tree795a7219075f8163f0da81c91807a7c37ba7af8c /nx-X11/programs/Xserver/include/cursor.h
parent03a2922d9cc17af26bd91d4a471061c54db50789 (diff)
downloadnx-libs-b6b5b14e4190048fadbfbcf063d873d318127e81.tar.gz
nx-libs-b6b5b14e4190048fadbfbcf063d873d318127e81.tar.bz2
nx-libs-b6b5b14e4190048fadbfbcf063d873d318127e81.zip
dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]
GetHosts() iterates over all the hosts it has in memory, and copies them to a buffer. The buffer length is calculated by iterating over all the hosts and adding up all of their combined length. There is a potential integer overflow, if there are lots and lots of hosts (with a combined length of > ~4 gig). This should be possible by repeatedly calling ProcChangeHosts() on 64bit machines with enough memory. This patch caps the list at 1mb, because multi-megabyte hostname lists for X access control are insane. v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: human-readable version of "1 MB" (Mihai Moldovan) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: os/access.c
Diffstat (limited to 'nx-X11/programs/Xserver/include/cursor.h')
0 files changed, 0 insertions, 0 deletions