diff options
author | Mike DePaulo <mikedep333@gmail.com> | 2015-02-08 20:53:14 -0500 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-02-14 16:14:31 +0100 |
commit | 36f1dae749acb065eaefca56d42d19ef6822a001 (patch) | |
tree | 81987135f66470a51c043d5b22b5e752ee340355 /nxcomp/GenericRequest.h | |
parent | f53f2474d5d33cca04c4c7744ecc50cec41ba94f (diff) | |
download | nx-libs-36f1dae749acb065eaefca56d42d19ef6822a001.tar.gz nx-libs-36f1dae749acb065eaefca56d42d19ef6822a001.tar.bz2 nx-libs-36f1dae749acb065eaefca56d42d19ef6822a001.zip |
CVE-2014-0209: integer overflow of realloc() size in lexAlias() from xorg/lib/libXfont commit 05c8020a49416dd8b7510cbba45ce4f3fc81a7dc
lexAlias() reads from a file in a loop. It does this by starting with a
64 byte buffer. If that size limit is hit, it does a realloc of the
buffer size << 1, basically doubling the needed length every time the
length limit is hit.
Eventually, this will shift out to 0 (for a length of ~4gig), and that
length will be passed on to realloc(). A length of 0 (with a valid
pointer) causes realloc to free the buffer on most POSIX platforms,
but the caller will still have a pointer to it, leading to use after
free issues.
Diffstat (limited to 'nxcomp/GenericRequest.h')
0 files changed, 0 insertions, 0 deletions