Commit 8f677eae authored by Alan Coopersmith's avatar Alan Coopersmith

signedness bug & integer overflow in _XcursorFileHeaderCreate() [CVE-2013-2003]

When parsing cursor files, a user defined (e.g. through environment
variables) cursor file is opened and parsed.

The header is read in _XcursorReadFileHeader(), which reads an unsigned
int for the number of toc structures in the header, but it was being
passed to _XcursorFileHeaderCreate() as a signed int to allocate those
structures.  If the number was negative, it would pass the bounds check
and could overflow the calculation for how much memory to allocate to
store the data being read, leading to overflowing the buffer with the
data read from the user controlled file.
Reported-by: default avatarIlja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith's avatarAlan Coopersmith <alan.coopersmith@oracle.com>
parent 1b98fd6a
......@@ -205,7 +205,7 @@ _XcursorFileHeaderDestroy (XcursorFileHeader *fileHeader)
}
static XcursorFileHeader *
_XcursorFileHeaderCreate (int ntoc)
_XcursorFileHeaderCreate (XcursorUInt ntoc)
{
XcursorFileHeader *fileHeader;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment