Skip to content
Snippets Groups Projects
Commit ac15d4ce authored by Tobias Stoeckmann's avatar Tobias Stoeckmann Committed by Adam Jackson
Browse files

render: Fix out of boundary heap access 


ProcRenderCreateRadialGradient and ProcRenderCreateConicalGradient must
be protected against an integer overflow during length check. This is
already included in ProcRenderCreateLinearGradient since the fix for
CVE-2008-2362.

This can only be successfully exploited on a 32 bit system for an
out of boundary read later on. Validated by using ASAN.

Reviewed-by: Adam Jackson's avatarAdam Jackson <ajax@redhat.com>
parent 0c1574d9
No related branches found
No related tags found
Hide whitespace changes
Inline Side-by-side
Showing
with 4 additions and 0 deletions
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment