authorTobias Stoeckmann <tobias@stoeckmann.org>2017-11-28 21:38:07 +0100
committerPekka Paalanen <pekka.paalanen@collabora.co.uk>2017-11-29 09:45:10 +0200
commit5d201df72f3d4f4cb8b8f75f980169b03507da38 (patch)
treeadd592e4f349cdd7d7cb585e167525b718cf14bb
parent242005636d0897db166215ed09cf3832217df008 (diff)
cursor: Fix heap overflows when parsing malicious files.
It is possible to trigger heap overflows due to an integer overflow while parsing images. The integer overflow occurs because the chosen limit 0x10000 for dimensions is too large for 32 bit systems, because each pixel takes 4 bytes. Properly chosen values allow an overflow which in turn will lead to less allocated memory than needed for subsequent reads. See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8 Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961 Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> [Pekka: add link to the corresponding libXcursor commit] Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
-rw-r--r--cursor/xcursor.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/cursor/xcursor.c b/cursor/xcursor.c
index ca41c4a..689c702 100644
--- a/cursor/xcursor.c
+++ b/cursor/xcursor.c
@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height)
{
XcursorImage *image;
+ if (width < 0 || height < 0)
+ return NULL;
+ if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
+ return NULL;
+
image = malloc (sizeof (XcursorImage) +
width * height * sizeof (XcursorPixel));
if (!image)
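Review bot: The overflow safety of `width * height * sizeof (XcursorPixel)` on the lines following the new checks now rests entirely on the value of XCURSOR_IMAGE_MAX_SIZE, which this patch uses but does not define (the diffstat's 7 insertions are all in these two hunks, so the macro must already exist elsewhere, presumably in the cursor header). If it is 0x7fff as in the libXcursor fix the description links, the int product 0x7fff * 0x7fff and the final byte count both stay below 2^32, so a 32-bit size_t is fine; a value of 0x10000 or larger would reintroduce exactly the overflow this commit fixes, and nothing here prevents that. I would pin the invariant next to the new guard with a comment, `/* XCURSOR_IMAGE_MAX_SIZE is chosen so width*height*sizeof(XcursorPixel) + sizeof(XcursorImage) fits a 32-bit size_t; keep in sync with _XcursorReadImage */`, and, if the build allows C11, a `_Static_assert` expressing the same bound so a future change to the macro fails at compile time. The rest of XcursorImageCreate's body continues past the hunk.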
@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile *file,
if (!_XcursorReadUInt (file, &head.delay))
return NULL;
/* sanity check data */
- if (head.width >= 0x10000 || head.height > 0x10000)
+ if (head.width > XCURSOR_IMAGE_MAX_SIZE ||
+ head.height > XCURSOR_IMAGE_MAX_SIZE)
return NULL;
if (head.width == 0 || head.height == 0)
return NULL;
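Review bot: The `/* sanity check data */` comment above the replaced lines says nothing about why the limit is what it is, and the same bound is now also enforced in XcursorImageCreate, so a reader changing one site has no hint that the other must agree; I would reword it to `/* bound dimensions so width*height*sizeof(XcursorPixel) cannot overflow (see XcursorImageCreate) */`. The new comparisons are correct for unsigned `head.width`/`head.height` and fix the old asymmetry between `>=` and `>`. If the hotspot fields `head.xhot`/`head.yhot` are read just above this hunk, as the `head.delay` read at the top suggests, they are presumably still unbounded relative to width/height; that is not a memory-safety issue in this parser but worth a separate check if consumers index by hotspot. _XcursorReadImage begins and ends outside the hunk.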