libXfixes: Changes to 'master'
Matthieu Herrb
herrb at kemper.freedesktop.org
Tue Oct 4 13:54:45 UTC 2016
src/Region.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
New commits:
commit 61c1039ee23a2d1de712843bed3480654d7ef42e
Author: Tobias Stoeckmann <tobias at stoeckmann.org>
Date: Sun Sep 25 22:38:44 2016 +0200
Integer overflow on illegal server response

The 32 bit field "rep.length" is not checked for validity, which allows
an integer overflow on 32 bit systems.

A malicious server could send INT_MAX as length, which gets multiplied
by the size of XRectangle. In that case the client won't read the whole
data from server, getting out of sync.

Signed-off-by: Tobias Stoeckmann <tobias at stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
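
The overflow the commit message describes, as an added example that is not the libXfixes patch or any code from this commit: a server-supplied 32-bit count is multiplied by the rectangle size in 32-bit arithmetic, first unchecked and then behind a bound check. The names rect_t, rect_bytes_unchecked and rect_bytes_checked are hypothetical, and uint32_t stands in for the arithmetic of a 32 bit client.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for XRectangle: four 16-bit fields, 8 bytes. */
typedef struct { int16_t x, y; uint16_t width, height; } rect_t;

/* Unchecked: the product is computed in 32 bits, as on a 32 bit client,
 * and wraps modulo 2^32 when the server-supplied count is large. */
static uint32_t rect_bytes_unchecked(uint32_t count)
{
    return count * (uint32_t)sizeof(rect_t);
}

/* Checked: refuse any count whose byte size would exceed INT32_MAX.
 * Returns 0 and stores the size in *bytes, or -1 for an illegal count.
 * On -1 the caller should treat the reply as invalid rather than size
 * a buffer or a read from it. */
static int rect_bytes_checked(uint32_t count, uint32_t *bytes)
{
    if (count > (uint32_t)INT32_MAX / (uint32_t)sizeof(rect_t))
        return -1;
    *bytes = count * (uint32_t)sizeof(rect_t);
    return 0;
}

int main(void)
{
    /* Constructed sample counts: one sane, two hostile. */
    const uint32_t samples[] = { 4u, (uint32_t)INT32_MAX, 0x20000001u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t ok = 0;
        int rc = rect_bytes_checked(samples[i], &ok);
        printf("count=%lu unchecked=%lu checked=%s\n",
               (unsigned long)samples[i],
               (unsigned long)rect_bytes_unchecked(samples[i]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The third sample wraps to 8 bytes, which is the out-of-sync case: the computed size is far smaller than the amount of data the count announces.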