diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2014-01-22 22:37:15 -0800 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-02-14 16:14:32 +0100 |
commit | ed1e13a1f4e316bcf0dc0d4b2c16b1df3f075005 (patch) | |
tree | 37604d6c64ea88fd97a25c78d49d6d0a50ce99a8 /nxcomp/RenderChangePicture.h | |
parent | d4c76981f7fddb364166464c571ed8d3de3086cd (diff) | |
download | nx-libs-ed1e13a1f4e316bcf0dc0d4b2c16b1df3f075005.tar.gz nx-libs-ed1e13a1f4e316bcf0dc0d4b2c16b1df3f075005.tar.bz2 nx-libs-ed1e13a1f4e316bcf0dc0d4b2c16b1df3f075005.zip |
dix: integer overflow in RegionSizeof() [CVE-2014-8092 3/4]
RegionSizeof contains several integer overflows if a large length
value is passed in. Once we fix it to return 0 on overflow, we
also have to fix the callers to handle this error condition
v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.
v3: backport to nx-libs 3.6.x (Mike DePaulo)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Conflicts:
dix/region.c
include/regionstr.h
Diffstat (limited to 'nxcomp/RenderChangePicture.h')
0 files changed, 0 insertions, 0 deletions