Skip to content
Snippets Groups Projects
Commit eeae42d6 authored by Alan Coopersmith's avatar Alan Coopersmith
Browse files

dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4] 


ProcPutImage() calculates a length field from a width, left pad and depth
specified by the client (if the specified format is XYPixmap).

The calculations for the total amount of memory the server needs for the
pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
on 32-bit systems (since the length is stored in a long int variable).

Reported-by: default avatarIlja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: default avatarAlan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: default avatarPeter Hutterer <peter.hutterer@who-t.net>
parent 90cc925c
No related branches found
No related tags found
Hide whitespace changes
Inline Side-by-side
Showing
with 3 additions and 0 deletions
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment