libXv: Changes to 'master'
Matthieu Herrb
herrb at kemper.freedesktop.org
Tue Oct 4 13:55:26 UTC 2016
src/Xv.c | 46 +++++++++++++++++++++++++++++-----------------
1 file changed, 29 insertions(+), 17 deletions(-)
New commits:
commit d9da580b46a28ab497de2e94fdc7b9ff953dab17
Author: Tobias Stoeckmann <tobias at stoeckmann.org>
Date: Sun Sep 25 21:30:03 2016 +0200

Protocol handling issues in libXv - CVE-2016-5407

The Xv query functions for adaptors and encodings suffer from out of
boundary accesses if a hostile X server sends a maliciously crafted
response.

A previous fix already checks the received length against fixed values
but ignores additional length specifications which are stored inside
the received data.

These lengths are accessed in a for-loop. The easiest way to guarantee
a correct processing is by validating all lengths against the
remaining size left before accessing referenced memory.

This makes the previously applied check obsolete, therefore I removed
it.

Signed-off-by: Tobias Stoeckmann <tobias at stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
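
The approach the commit message describes, checking every embedded length against the bytes still unread before following it, shown as an added example. This is not the libXv patch: the record layout and the names parse_records, take and rd16 are hypothetical, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical record (not libXv's layout), little-endian: 2-byte name_len,
 * 2-byte num_formats, name padded to 4 bytes, then num_formats 4-byte entries. */
#define HDR_SIZE 4u
#define FMT_SIZE 4u
static size_t rd16(const unsigned char *p) { return (size_t)p[0] | ((size_t)p[1] << 8); }

/* Hand out n bytes only if they fit in what is left of the reply. */
static const unsigned char *take(const unsigned char **cur, size_t *left, size_t n)
{
    const unsigned char *p = *cur;
    if (n > *left) return NULL;   /* embedded length exceeds remaining data */
    *cur += n;
    *left -= n;
    return p;
}

/* Returns the total number of format entries, or -1 if any embedded
 * length points past the end of buf[0..len). */
long parse_records(const unsigned char *buf, size_t len, unsigned count)
{
    const unsigned char *cur = buf;
    size_t left = len;
    long formats = 0;
    for (unsigned i = 0; i < count; i++) {
        const unsigned char *hdr = take(&cur, &left, HDR_SIZE);
        if (!hdr)
            return -1;
        size_t name_len = rd16(hdr), nfmt = rd16(hdr + 2);
        /* Both values are at most 65535, so neither computation overflows. */
        if (!take(&cur, &left, (name_len + 3u) & ~(size_t)3u) ||
            !take(&cur, &left, nfmt * FMT_SIZE))
            return -1;
        formats += (long)nfmt;
    }
    return formats;
}

/* Constructed inputs: name "ab", one format; the second claims two formats. */
const unsigned char sample_ok[]  = {2,0, 1,0, 'a','b',0,0, 9,9,9,9};
const unsigned char sample_bad[] = {2,0, 2,0, 'a','b',0,0, 9,9,9,9};

int main(void)
{
    printf("%ld %ld\n", parse_records(sample_ok, sizeof sample_ok, 1),
           parse_records(sample_bad, sizeof sample_bad, 1));
    return 0;
}
```

A single up-front check of the total reply length would accept sample_bad, since the buffer itself is well sized; only the per-field check against the remaining bytes rejects it.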