aboutsummaryrefslogtreecommitdiff
path: root/nxcomp/ListFontsReply.cpp
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2014-01-22 21:11:16 -0800
committerMike DePaulo <mikedep333@gmail.com>2015-05-30 21:59:45 -0400
commit8623faa422c3659903bdb5d19eb8947579e6141f (patch)
treea35f36c3fa585b109f5571794a47b3b96ee6447e /nxcomp/ListFontsReply.cpp
parentc2298e0757106c03f2a9a95d5493102f33c3cfdb (diff)
downloadnx-libs-8623faa422c3659903bdb5d19eb8947579e6141f.tar.gz
nx-libs-8623faa422c3659903bdb5d19eb8947579e6141f.tar.bz2
nx-libs-8623faa422c3659903bdb5d19eb8947579e6141f.zip
dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]
ProcPutImage() calculates a length field from a width, left pad and depth specified by the client (if the specified format is XYPixmap). The calculations for the total amount of memory the server needs for the pixmap can overflow a 32-bit number, causing out-of-bounds memory writes on 32-bit systems (since the length is stored in a long int variable). v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: dix/dispatch.c
Diffstat (limited to 'nxcomp/ListFontsReply.cpp')
0 files changed, 0 insertions, 0 deletions