aboutsummaryrefslogtreecommitdiff
path: root/nxcompext
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-01 21:05:27 -0800
committerUlrich Sibiller <uli42@gmx.de>2016-10-12 09:34:38 +0200
commitde2d3cb6b870f3d9b8e3e5779415aad079b20633 (patch)
treeeed9d097bacf4d18d85555f8548e25a3aa4f16f8 /nxcompext
parente8ada07fa7dbbc88298e88a07f4b8613ec055cd8 (diff)
downloadnx-libs-de2d3cb6b870f3d9b8e3e5779415aad079b20633.tar.gz
nx-libs-de2d3cb6b870f3d9b8e3e5779415aad079b20633.tar.bz2
nx-libs-de2d3cb6b870f3d9b8e3e5779415aad079b20633.zip
integer overflow in _XQueryFont() on 32-bit platforms [CVE-2013-1981 1/13]
If the CARD32 reply.nCharInfos * sizeof(XCharStruct) overflows an unsigned long, then too small of a buffer will be allocated for the data copied in from the reply. v2: Fix reply_left calculations, check calculated sizes fit in reply_left Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
Diffstat (limited to 'nxcompext')
0 files changed, 0 insertions, 0 deletions