diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2015-03-06 22:54:58 -0800 |
---|---|---|
committer | Mike DePaulo <mikedep333@gmail.com> | 2015-03-28 13:06:17 -0400 |
commit | 9f1b041e535c4da6ffbe95a706d46b3bfb5c0321 (patch) | |
tree | baa77fc555707be4fde1fbbf02dc587d8fdd534f /libXt | |
parent | de7bfbf0e61cdbe5e5c094d8a237cdc87e8b1fc3 (diff) | |
download | vcxsrv-9f1b041e535c4da6ffbe95a706d46b3bfb5c0321.tar.gz vcxsrv-9f1b041e535c4da6ffbe95a706d46b3bfb5c0321.tar.bz2 vcxsrv-9f1b041e535c4da6ffbe95a706d46b3bfb5c0321.zip |
bdfReadCharacters: ensure metrics fit into xCharInfo struct [CVE-2015-1804]
We use 32-bit ints to read from the bdf file, but then try to stick
into a 16-bit int in the xCharInfo struct, so make sure they won't
overflow that range.
Found by afl-1.24b.
v2: Verify that additions won't overflow 32-bit int range either.
v3: As Julien correctly observes, the previous check for bh & bw not
being < 0 reduces the number of cases we need to check for overflow.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 2351c83a77a478b49cba6beb2ad386835e264744)
Diffstat (limited to 'libXt')
0 files changed, 0 insertions, 0 deletions