[PATCH] render: Fix out of boundary heap access

Adam Jackson ajax at nwnk.net
Mon Mar 13 20:58:38 UTC 2017


On Mon, 2017-03-13 at 19:13 +0100, Tobias Stoeckmann wrote:
> ProcRenderCreateRadialGradient and ProcRenderCreateConicalGradient must
> be protected against an integer overflow during length check. This is
> already included in ProcRenderCreateLinearGradient since the fix for
> CVE-2008-2362.
> 
> This can only be successfully exploited on a 32 bit system for an
> out of boundary read later on. Validated by using ASAN.

remote: I: patch #143811 updated using rev ac15d4cecca377c5c31ab852c39bbd554ca48fe2.
remote: I: 1 patch(es) updated to state Accepted.
To ssh://git.freedesktop.org/git/xorg/xserver
   0c1574d..ac15d4c  master -> master

- ajax


More information about the xorg-devel mailing list