Skip to content
Snippets Groups Projects
Commit b0b13c12 authored by Alan Coopersmith's avatar Alan Coopersmith
Browse files

integer overflow in XGetDeviceControl() [CVE-2013-1984 1/8] 


If the number of valuators reported by the server is large enough that
it overflows when multiplied by the size of the appropriate struct, then
memory corruption can occur when more bytes are copied from the X server
reply than the size of the buffer we allocated to hold them.

v2: check that reply size fits inside the data read from the server, so
we don't read out of bounds either

Reported-by: default avatarIlja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: default avatarAlan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: default avatarPeter Hutterer <peter.hutterer@who-t.net>
parent 5398ac07
No related branches found
No related tags found
Hide whitespace changes
Inline Side-by-side
Showing
with 24 additions and 7 deletions
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment