[PATCH 5/5] Xephyr: integer overflow in XF86DRIGetClientDriverName()
Julien Cristau
jcristau at debian.org
Sat Jun 1 03:27:12 PDT 2013
On Thu, May 23, 2013 at 09:27:30 -0700, Alan Coopersmith wrote:
> clientDriverNameLength is a CARD32 and needs to be bounds checked before
> adding one to it to come up with the total size to allocate, to avoid
> integer overflow leading to underallocation and writing data from the
> network past the end of the allocated buffer.
>
> Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
> Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
> ---
> hw/kdrive/ephyr/XF86dri.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
Reviewed-by: Julien Cristau <jcristau at debian.org>
Cheers,
Julien
More information about the xorg-devel
mailing list