aboutsummaryrefslogtreecommitdiff
path: root/nxcomp/RenderExtension.cpp
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-01 18:37:37 -0800
committerUlrich Sibiller <uli42@gmx.de>2016-10-12 09:34:38 +0200
commit8468165ae6ec55c715721c6e1991f67902b30564 (patch)
tree2bc7e41aa8322aebed7755bd0295dbc297f74c3b /nxcomp/RenderExtension.cpp
parent00d7a2e5ba30ded2d3d9ecc696bf324586a380b0 (diff)
downloadnx-libs-8468165ae6ec55c715721c6e1991f67902b30564.tar.gz
nx-libs-8468165ae6ec55c715721c6e1991f67902b30564.tar.bz2
nx-libs-8468165ae6ec55c715721c6e1991f67902b30564.zip
integer truncation in _XimParseStringFile() [CVE-2013-1981 8/13]
Called from _XimCreateDefaultTree() which uses getenv("XCOMPOSEFILE") to specify filename. If the size of off_t is larger than the size of unsigned long (as in 32-bit builds with large file flags), a file larger than 4 gigs could have its size truncated, leading to data from that file being written past the end of the undersized buffer allocated for it. While configure.ac does not use AC_SYS_LARGEFILE to set large file mode, builders may have added the large file compilation flags to CFLAGS on their own. size is left limited to an int, because if your Xim file is larger than 2gb, you're doing it wrong. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
Diffstat (limited to 'nxcomp/RenderExtension.cpp')
0 files changed, 0 insertions, 0 deletions