diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-03-09 14:40:33 -0800 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-02 22:48:06 -0700 |
commit | dfe6e1f3b8ede3d0bab7a5fa57f73513a09ec649 (patch) | |
tree | 1e769bacd3f4f6399c4791adc07cf79ceca151a1 /configure.ac | |
parent | 6ecd96e8be3c33e2ffad6631cea4aa0a030d93c2 (diff) | |
download | xorg-lib-libXext-dfe6e1f3b8ede3d0bab7a5fa57f73513a09ec649.tar.gz |
integer overflow in XSyncListSystemCounters() [CVE-2013-1982 6/6]
If the number of counters or amount of data reported by the server is
large enough that it overflows when multiplied by the size of the
appropriate struct, then memory corruption can occur when more bytes
are read from the X server than the size of the buffers we allocated
to hold them.
V2: Make sure we don't walk past the end of the reply when converting
data from wire format to the structures returned to the caller.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'configure.ac')
0 files changed, 0 insertions, 0 deletions